§ 1041.11 Registered information systems.
(a) Definitions.
(1) Consumer report has the same meaning as in section 603(d) of the Fair Credit Reporting Act, 15 U.S.C. 1681a(d).
(2) Federal consumer financial law has the same meaning as in section 1002(14) of the Dodd-Frank Wall Street Reform and Consumer Protection Act, 12 U.S.C. 5481(14).
(b) Eligibility criteria for information systems. An entity is eligible to be a provisionally registered information system pursuant to paragraph (d)(1) of this section or a registered information system pursuant to paragraph (c)(2) or (d)(2) of this section only if the Bureau determines that the following conditions are satisfied:
(1) Receiving capability. The entity possesses the technical capability to receive information lenders must furnish pursuant to § 1041.10 immediately upon the furnishing of such information and uses reasonable data standards that facilitate the timely and accurate transmission and processing of information in a manner that does not impose unreasonable costs or burdens on lenders.
(2) Reporting capability. The entity possesses the technical capability to generate a consumer report containing, as applicable for each unique consumer, all information described in § 1041.10 substantially simultaneous to receiving the information from a lender.
(3) Performance. The entity will perform or performs in a manner that facilitates compliance with and furthers the purposes of this part.
(4) Federal consumer financial law compliance program. The entity has developed, implemented, and maintains a program reasonably designed to ensure compliance with all applicable Federal consumer financial laws, which includes written policies and procedures, comprehensive training, and monitoring to detect and to promptly correct compliance weaknesses.
(5) Independent assessment of Federal consumer financial law compliance program. The entity provides to the Bureau in its application for provisional registration or registration a written assessment of the Federal consumer financial law compliance program described in paragraph (b)(4) of this section and such assessment:
(i) Sets forth a detailed summary of the Federal consumer financial law compliance program that the entity has implemented and maintains;
(ii) Explains how the Federal consumer financial law compliance program is appropriate for the entity's size and complexity, the nature and scope of its activities, and risks to consumers presented by such activities;
(iii) Certifies that, in the opinion of the assessor, the Federal consumer financial law compliance program is operating with sufficient effectiveness to provide reasonable assurance that the entity is fulfilling its obligations under all Federal consumer financial laws; and
(iv) Certifies that the assessment has been conducted by a qualified, objective, independent third-party individual or entity that uses procedures and standards generally accepted in the profession, adheres to professional and business ethics, performs all duties objectively, and is free from any conflicts of interest that might compromise the assessor's independent judgment in performing assessments.
(6) Information security program. The entity has developed, implemented, and maintains a comprehensive information security program that complies with the Standards for Safeguarding Customer Information, 16 CFR part 314.
(7) Independent assessment of information security program.
(i) The entity provides to the Bureau in its application for provisional registration or registration and on at least a biennial basis thereafter, a written assessment of the information security program described in paragraph (b)(6) of this section and such assessment:
(A) Sets forth the administrative, technical, and physical safeguards that the entity has implemented and maintains;
(B) Explains how such safeguards are appropriate to the entity's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue;
(C) Explains how the safeguards that have been implemented meet or exceed the protections required by the Standards for Safeguarding Customer Information, 16 CFR part 314;
(D) Certifies that, in the opinion of the assessor, the information security program is operating with sufficient effectiveness to provide reasonable assurance that the entity is fulfilling its obligations under the Standards for Safeguarding Customer Information, 16 CFR part 314; and
(E) Certifies that the assessment has been conducted by a qualified, objective, independent third-party individual or entity that uses procedures and standards generally accepted in the profession, adheres to professional and business ethics, performs all duties objectively, and is free from any conflicts of interest that might compromise the assessor's independent judgment in performing assessments.
(ii) Each written assessment obtained and provided to the Bureau on at least a biennial basis pursuant to paragraph (b)(7)(i) of this section must be completed and provided to the Bureau within 60 days after the end of the period to which the assessment applies.
(8) Bureau supervisory authority. The entity acknowledges it is, or consents to being, subject to the Bureau's supervisory authority.
(c) Registration of information systems prior to November 19, 2020 —
(1) Preliminary approval. Prior to November 19, 2020, the Bureau may preliminarily approve an entity for registration only if the entity submits an application for preliminary approval to the Bureau by the deadline set forth in paragraph (c)(3)(i) of this section containing information sufficient for the Bureau to determine that the entity is reasonably likely to satisfy the conditions set forth in paragraph (b) of this section by the deadline set forth in paragraph (c)(3)(ii) of this section. The assessments described in paragraphs (b)(5) and (7) of this section need not be included with an application for preliminary approval for registration or completed prior to the submission of the application. The Bureau may require additional information and documentation to facilitate this determination.
(2) Registration. Prior to November 19, 2020, the Bureau may approve the application of an entity to be a registered information system only if:
(i) The entity received preliminary approval pursuant to paragraph (c)(1) of this section; and
(ii) The entity submits an application to the Bureau by the deadline set forth in paragraph (c)(3)(ii) of this section that contains information and documentation sufficient for the Bureau to determine that the entity satisfies the conditions set forth in paragraph (b) of this section. The Bureau may require additional information and documentation to facilitate this determination or otherwise to assess whether registration of the entity would pose an unreasonable risk to consumers.
(3) Deadlines.
(i) The deadline to submit an application for preliminary approval for registration pursuant to paragraph (c)(1) of this section is April 16, 2018.
(ii) The deadline to submit an application to be a registered information system pursuant to paragraph (c)(2) of this section is 120 days from the date preliminary approval for registration is granted.
(iii) The Bureau may waive the deadlines set forth in this paragraph (c).
(d) Registration of information systems on or after November 19, 2020 —
(1) Provisional registration. On or after November 19, 2020, the Bureau may approve an entity to be a provisionally registered information system only if the entity submits an application to the Bureau that contains information and documentation sufficient for the Bureau to determine that the entity satisfies the conditions set forth in paragraph (b) of this section. The Bureau may require additional information and documentation to facilitate this determination or otherwise to assess whether provisional registration of the entity would pose an unreasonable risk to consumers.
(2) Registration. An information system that is provisionally registered pursuant to paragraph (d)(1) of this section shall automatically become a registered information system pursuant to this paragraph (d)(2) upon the expiration of the 240-day period commencing on the date the information system is provisionally registered. For purposes of this paragraph (d)(2), an information system is provisionally registered on the date that the Bureau publishes notice of the provisional registration on the Bureau's Web site.
(e) Applications. Applications for preliminary approval, registration, and provisional registration shall be submitted in the form required by the Bureau and shall include, in addition to the information described in paragraph (c) or (d) of this section, as applicable, the following information:
(1) The name under which the applicant conducts business, including any “doing business as” or other trade name;
(2) The applicant's main business address, mailing address if it is different from the main business address, telephone number, electronic mail address, and Internet Web site; and
(3) The name and contact information (including telephone number and electronic mail address) of the person authorized to communicate with the Bureau on the applicant's behalf concerning the application.
(f) Denial of application. The Bureau will deny the application of an entity seeking preliminary approval for registration under paragraph (c)(1) of this section, registration under paragraph (c)(2) of this section, or provisional registration under paragraph (d)(1) of this section, if the Bureau determines, as applicable, that:
(1) The entity does not satisfy the conditions set forth in paragraph (b) of this section, or, in the case of an entity seeking preliminary approval for registration, is not reasonably likely to satisfy the conditions as of the deadline set forth in paragraph (c)(3)(ii) of this section;
(2) The entity's application is untimely or materially inaccurate or incomplete; or
(3) Preliminary approval, provisional registration, or registration of the entity would pose an unreasonable risk to consumers.
(g) Notice of material change. An entity that is a provisionally registered or registered information system must provide to the Bureau in writing a description of any material change to information contained in its application for registration submitted pursuant to paragraph (c)(2) of this section or provisional registration submitted pursuant to paragraph (d)(1) of this section, or to information previously provided to the Bureau pursuant to this paragraph (g), within 14 days of such change.
(h) Suspension and revocation.
(1) The Bureau will suspend or revoke an entity's preliminary approval for registration pursuant to paragraph (c)(1) of this section, provisional registration pursuant to paragraph (d)(1) of this section, or registration pursuant to paragraph (c)(2) or (d)(2) of this section if the Bureau determines:
(i) That the entity has not satisfied or no longer satisfies the conditions described in paragraph (b) of this section or has not complied with the requirement described in paragraph (g) of this section; or
(ii) That preliminary approval, provisional registration, or registration of the entity poses an unreasonable risk to consumers.
(2) The Bureau may require additional information and documentation from an entity if it has reason to believe suspension or revocation under paragraph (h)(1) of this section may be warranted.
(3) Except in cases of willfulness or those in which the public interest requires otherwise, prior to suspension or revocation under paragraph (h)(1) of this section, the Bureau will provide written notice of the facts or conduct that may warrant the suspension or revocation and an opportunity for the entity or information system to demonstrate or achieve compliance with this section or otherwise address the Bureau's concerns.
(4) The Bureau will revoke an entity's preliminary approval for registration, provisional registration, or registration if the entity submits a written request to the Bureau that its preliminary approval, provisional registration, or registration be revoked.
(5) For purposes of §§ 1041.5 and 1041.6, suspension or revocation of an information system's registration is effective five days after the date that the Bureau publishes notice of the suspension or revocation on the Bureau's Web site. For purposes of § 1041.10(b)(1), suspension or revocation of an information system's provisional registration or registration is effective on the date that the Bureau publishes notice of the suspension or revocation on the Bureau's Web site. The Bureau will also publish notice of a suspension or revocation in the Federal Register.
(6) In the event that a provisional registration or registration of an information system is suspended, the Bureau will provide instructions concerning the scope and terms of the suspension on its Web site and in the notice of suspension published in the Federal Register.
(i) Administrative appeals —
(1) Grounds for administrative appeals. An entity may appeal a determination of the Bureau that:
(i) Denies the application of an entity seeking preliminary approval for registration under paragraph (c)(1) of this section, registration under paragraph (c)(2) of this section, or provisional registration under paragraph (d)(1) of this section; or
(ii) Suspends or revokes the entity's preliminary approval for registration pursuant to paragraph (c)(1) of this section, provisional registration pursuant to paragraph (d)(1) of this section, or registration pursuant to paragraph (c)(2) or (d)(2) of this section.
(2) Time limits for filing administrative appeals. An appeal must be submitted on a date that is within 30 business days of the date of the determination. The Bureau may extend this time for good cause.
(3) Form and content of administrative appeals. An appeal shall be made by electronic means as follows:
(i) The appeal shall be submitted as set forth on the Bureau's Web site. The appeal shall be labeled “Information System Registration Appeal;”
(ii) The appeal shall set forth contact information for the appellant including, to the extent available, a mailing address, telephone number, or email address at which the Bureau may contact the appellant regarding the appeal;
(iii) The appeal shall specify the date of the letter of determination, and enclose a copy of the determination being appealed; and
(iv) The appeal shall include a description of the issues in dispute, specify the legal and factual basis for appealing the determination, and include appropriate supporting information.
(4) Appeals process. The filing and pendency of an appeal does not by itself suspend the determination that is the subject of the appeal during the appeals process. Notwithstanding the foregoing, the Bureau may, in its discretion, suspend the determination that is the subject of the appeal during the appeals process.
(5) Decisions to grant or deny administrative appeals. The Bureau shall decide whether to affirm the determination (in whole or in part) or to reverse the determination (in whole or in part) and shall notify the appellant of this decision in writing.