Skip to main content
An official website of the United States government
(855) 411-2372
Submit a Complaint
Search

§ 1041.11 Registered information systems.

This version is not the current regulation.

You are viewing a previous version of this regulation with amendments that went into effect on Aug. 16, 2019. View all versions of this regulation

(a) Definitions.

(1) Consumer report has the same meaning as in section 603(d) of the Fair Credit Reporting Act, 15 U.S.C. 1681a(d).

(2) Federal consumer financial law has the same meaning as in section 1002(14) of the Dodd-Frank Wall Street Reform and Consumer Protection Act, 12 U.S.C. 5481(14).

(b) Eligibility criteria for information systems. An entity is eligible to be a provisionally registered information system pursuant to paragraph (d)(1) of this section or a registered information system pursuant to paragraph (c)(2) or (d)(2) of this section only if the Bureau determines that the following conditions are satisfied:

See interpretation of 11(b) Eligibility Criteria for Registered Information Systems in Supplement I

(1) Receiving capability. The entity possesses the technical capability to receive information lenders must furnish pursuant to § 1041.10 immediately upon the furnishing of such information and uses reasonable data standards that facilitate the timely and accurate transmission and processing of information in a manner that does not impose unreasonable costs or burdens on lenders.

(2) Reporting capability. The entity possesses the technical capability to generate a consumer report containing, as applicable for each unique consumer, all information described in § 1041.10 substantially simultaneous to receiving the information from a lender.

1. Timing. To be eligible for provisional registration or registration, an entity must possess the technical capability to generate a consumer report containing, as applicable for each unique consumer, all information described in § 1041.10 substantially simultaneous to receiving the information from a lender. Technological limitations may cause some slight delay in the appearance on a consumer report of the information furnished pursuant to § 1041.10, but any delay must reasonable.

See interpretation of 11(b)(2) Reporting Capability in Supplement I

(3) Performance. The entity will perform or performs in a manner that facilitates compliance with and furthers the purposes of this part.

1. Relationship with other law. To be eligible for provisional registration or registration, an entity must perform in a manner that facilitates compliance with and furthers the purposes of this part. However, this requirement does not supersede consumer protection obligations imposed upon a provisionally registered or registered information system by other Federal law or regulation. For example, the Fair Credit Reporting Act requires that, whenever a consumer reporting agency prepares a consumer report it, shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates. See 15 U.S.C. 1681e(b). If including information furnished pursuant to § 1041.10 in a consumer report would cause a provisionally registered or registered information system to violate this requirement, § 1041.11(b)(3) would not require that the information be included in a consumer report.

2. Evidence of ability to perform in a manner that facilitates compliance with and furthers the purposes of this part. Section 1041.11(c)(1) requires that an entity seeking preliminary approval to be a registered information system must submit an application to the Bureau containing information sufficient for the Bureau to determine that the entity is reasonably likely to satisfy the conditions set forth in § 1041.11(b). Section 1041.11(c)(2) and (d)(1) requires that an entity seeking to be a registered information system or a provisionally registered information system must submit an application that contains information and documentation sufficient for the Bureau to determine that the entity satisfies the conditions set forth in § 1041.11(b). In evaluating whether an applicant is reasonably likely to satisfy or satisfies the requirement set forth in § 1041.11(b)(3), the Bureau will consider the extent to which an applicant has experience functioning as a consumer reporting agency.

See interpretation of 11(b)(3) Performance in Supplement I

(4) Federal consumer financial law compliance program. The entity has developed, implemented, and maintains a program reasonably designed to ensure compliance with all applicable Federal consumer financial laws, which includes written policies and procedures, comprehensive training, and monitoring to detect and to promptly correct compliance weaknesses.

1. Policies and procedures. To be eligible for provisional registration or registration, an entity must have policies and procedures that are documented in sufficient detail to implement effectively and maintain its Federal consumer financial law compliance program. The policies and procedures must address compliance with applicable Federal consumer financial laws in a manner reasonably designed to prevent violations and to detect and prevent associated risks of harm to consumers. The entity must also maintain and modify, as needed, the policies and procedures so that all relevant personnel can reference them in their day-to-day activities.

2. Training. To be eligible for provisional registration or registration, an entity must provide specific, comprehensive training to all relevant personnel that reinforces and helps implement written policies and procedures. Requirements for compliance with Federal consumer financial laws must be incorporated into training for all relevant officers and employees. Compliance training must be current, complete, directed to appropriate individuals based on their roles, effective, and commensurate with the size of the entity and nature and risks to consumers presented by its activity. Compliance training also must be consistent with written policies and procedures and designed to enforce those policies and procedures.

3. Monitoring. To be eligible for provisional registration or registration, an entity must implement an organized and risk-focused monitoring program to promptly identify and correct procedural or training weaknesses so as to provide for a high level of compliance with Federal consumer financial laws. Monitoring must be scheduled and completed so that timely corrective actions are taken where appropriate.

See interpretation of 11(b)(4) Federal Consumer Financial Law Compliance Program in Supplement I

(5) Independent assessment of Federal consumer financial law compliance program. The entity provides to the Bureau in its application for provisional registration or registration a written assessment of the Federal consumer financial law compliance program described in paragraph (b)(4) of this section and such assessment:

1. Assessor qualifications. An objective and independent third-party individual or entity is qualified to perform the assessment required by § 1041.11(b)(5) if the individual or entity has substantial experience in performing assessments of a similar size, scope, or subject matter; has substantial expertise in both the applicable Federal consumer financial laws and in the entity's or information system's business; and has the appropriate professional qualifications necessary to perform the required assessment adequately.

2. Written assessment. A written assessment described in § 1041.11(b)(5) need not conform to any particular format or style as long as it succinctly and accurately conveys the required information.

See interpretation of 11(b)(5) Independent Assessment of Federal Consumer Financial Law Compliance Program in Supplement I

(i) Sets forth a detailed summary of the Federal consumer financial law compliance program that the entity has implemented and maintains;

(ii) Explains how the Federal consumer financial law compliance program is appropriate for the entity's size and complexity, the nature and scope of its activities, and risks to consumers presented by such activities;

(iii) Certifies that, in the opinion of the assessor, the Federal consumer financial law compliance program is operating with sufficient effectiveness to provide reasonable assurance that the entity is fulfilling its obligations under all Federal consumer financial laws; and

(iv) Certifies that the assessment has been conducted by a qualified, objective, independent third-party individual or entity that uses procedures and standards generally accepted in the profession, adheres to professional and business ethics, performs all duties objectively, and is free from any conflicts of interest that might compromise the assessor's independent judgment in performing assessments.

(6) Information security program. The entity has developed, implemented, and maintains a comprehensive information security program that complies with the Standards for Safeguarding Customer Information, 16 CFR part 314.

(7) Independent assessment of information security program.

1. Periodic assessments. Section 1041.11(b)(7) requires that, to maintain its registration, an information system must obtain and provide to the Bureau, on at least a biennial basis, a written assessment of the information security program described in § 1041.11(b)(6). The period covered by each assessment obtained and provided to the Bureau to satisfy this requirement must commence on the day after the last day of the period covered by the previous assessment obtained and provided to the Bureau.

2. Assessor qualifications. Professionals qualified to conduct assessments required under § 1041.11(b)(7) include: A person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; and an individual or entity with a similar qualification or certification.

3. Written assessment. A written assessment described in § 1041.11(b)(7) need not conform to any particular format or style as long as it succinctly and accurately conveys the required information.

See interpretation of 11(b)(7) Independent Assessment of Information Security Program in Supplement I

(i) The entity provides to the Bureau in its application for provisional registration or registration and on at least a biennial basis thereafter, a written assessment of the information security program described in paragraph (b)(6) of this section and such assessment:

(A) Sets forth the administrative, technical, and physical safeguards that the entity has implemented and maintains;

(B) Explains how such safeguards are appropriate to the entity's size and complexity, the nature and scope of its activities, and the sensitivity of the customer information at issue;

(C) Explains how the safeguards that have been implemented meet or exceed the protections required by the Standards for Safeguarding Customer Information, 16 CFR part 314;

(D) Certifies that, in the opinion of the assessor, the information security program is operating with sufficient effectiveness to provide reasonable assurance that the entity is fulfilling its obligations under the Standards for Safeguarding Customer Information, 16 CFR part 314; and

(E) Certifies that the assessment has been conducted by a qualified, objective, independent third-party individual or entity that uses procedures and standards generally accepted in the profession, adheres to professional and business ethics, performs all duties objectively, and is free from any conflicts of interest that might compromise the assessor's independent judgment in performing assessments.

(ii) Each written assessment obtained and provided to the Bureau on at least a biennial basis pursuant to paragraph (b)(7)(i) of this section must be completed and provided to the Bureau within 60 days after the end of the period to which the assessment applies.

(8) Bureau supervisory authority. The entity acknowledges it is, or consents to being, subject to the Bureau's supervisory authority.

(c) Registration of information systems prior to November 19, 2020

See interpretation of 11(c) Registration of Information Systems Prior to November 19, 2020 in Supplement I

(1) Preliminary approval. Prior to November 19, 2020, the Bureau may preliminarily approve an entity for registration only if the entity submits an application for preliminary approval to the Bureau by the deadline set forth in paragraph (c)(3)(i) of this section containing information sufficient for the Bureau to determine that the entity is reasonably likely to satisfy the conditions set forth in paragraph (b) of this section by the deadline set forth in paragraph (c)(3)(ii) of this section. The assessments described in paragraphs (b)(5) and (7) of this section need not be included with an application for preliminary approval for registration or completed prior to the submission of the application. The Bureau may require additional information and documentation to facilitate this determination.

1. In general. An entity seeking to become preliminarily approved for registration pursuant to § 1041.11(c)(1) must submit an application to the Bureau containing information sufficient for the Bureau to determine that the entity is reasonably likely to satisfy the conditions set forth in § 1041.11(b) as of the deadline set forth in § 1041.11(c)(3)(ii). The application must describe the steps the entity plans to take to satisfy the conditions set forth in § 1041.11(b) by the deadline and the entity's anticipated timeline for such steps. The entity's plan must be reasonable and achievable.

See interpretation of 11(c)(1) Preliminary Approval in Supplement I

(2) Registration. Prior to November 19, 2020, the Bureau may approve the application of an entity to be a registered information system only if:

1. In general. An entity seeking to become a registered information system pursuant to § 1041.11(c)(2) must submit an application to the Bureau by the deadline set forth in § 1041.11(c)(3)(ii) containing information and documentation adequate for the Bureau to determine that the conditions described in § 1041.11(b) are satisfied. The application must succinctly and accurately convey the required information, and must include the written assessments described in § 1041.11(b)(5) and (7).

See interpretation of 11(c)(2) Registration in Supplement I

(i) The entity received preliminary approval pursuant to paragraph (c)(1) of this section; and

(ii) The entity submits an application to the Bureau by the deadline set forth in paragraph (c)(3)(ii) of this section that contains information and documentation sufficient for the Bureau to determine that the entity satisfies the conditions set forth in paragraph (b) of this section. The Bureau may require additional information and documentation to facilitate this determination or otherwise to assess whether registration of the entity would pose an unreasonable risk to consumers.

(3) Deadlines.

(i) The deadline to submit an application for preliminary approval for registration pursuant to paragraph (c)(1) of this section is April 16, 2018.

(ii) The deadline to submit an application to be a registered information system pursuant to paragraph (c)(2) of this section is 120 days from the date preliminary approval for registration is granted.

(iii) The Bureau may waive the deadlines set forth in this paragraph (c).

(d) Registration of information systems on or after November 19, 2020

See interpretation of 11(d) Registration of Information Systems on or After November 19, 2020 in Supplement I

(1) Provisional registration. On or after November 19, 2020, the Bureau may approve an entity to be a provisionally registered information system only if the entity submits an application to the Bureau that contains information and documentation sufficient for the Bureau to determine that the entity satisfies the conditions set forth in paragraph (b) of this section. The Bureau may require additional information and documentation to facilitate this determination or otherwise to assess whether provisional registration of the entity would pose an unreasonable risk to consumers.

1. In general. An entity seeking to become a provisionally registered information system pursuant to § 1041.11(d)(1) must submit an application to the Bureau containing information and documentation adequate for the Bureau to determine that the conditions described in § 1041.11(b) are satisfied. The application must succinctly and accurately convey the required information, and must include the written assessments described in § 1041.11(b)(5) and (7).

See interpretation of 11(d)(1) Provisional Registration in Supplement I

(2) Registration. An information system that is provisionally registered pursuant to paragraph (d)(1) of this section shall automatically become a registered information system pursuant to this paragraph (d)(2) upon the expiration of the 240-day period commencing on the date the information system is provisionally registered. For purposes of this paragraph (d)(2), an information system is provisionally registered on the date that the Bureau publishes notice of the provisional registration on the Bureau's Web site.

(e) Applications. Applications for preliminary approval, registration, and provisional registration shall be submitted in the form required by the Bureau and shall include, in addition to the information described in paragraph (c) or (d) of this section, as applicable, the following information:

(1) The name under which the applicant conducts business, including any “doing business as” or other trade name;

(2) The applicant's main business address, mailing address if it is different from the main business address, telephone number, electronic mail address, and Internet Web site; and

(3) The name and contact information (including telephone number and electronic mail address) of the person authorized to communicate with the Bureau on the applicant's behalf concerning the application.

(f) Denial of application. The Bureau will deny the application of an entity seeking preliminary approval for registration under paragraph (c)(1) of this section, registration under paragraph (c)(2) of this section, or provisional registration under paragraph (d)(1) of this section, if the Bureau determines, as applicable, that:

(1) The entity does not satisfy the conditions set forth in paragraph (b) of this section, or, in the case of an entity seeking preliminary approval for registration, is not reasonably likely to satisfy the conditions as of the deadline set forth in paragraph (c)(3)(ii) of this section;

(2) The entity's application is untimely or materially inaccurate or incomplete; or

(3) Preliminary approval, provisional registration, or registration of the entity would pose an unreasonable risk to consumers.

(g) Notice of material change. An entity that is a provisionally registered or registered information system must provide to the Bureau in writing a description of any material change to information contained in its application for registration submitted pursuant to paragraph (c)(2) of this section or provisional registration submitted pursuant to paragraph (d)(1) of this section, or to information previously provided to the Bureau pursuant to this paragraph (g), within 14 days of such change.

(h) Suspension and revocation.

(1) The Bureau will suspend or revoke an entity's preliminary approval for registration pursuant to paragraph (c)(1) of this section, provisional registration pursuant to paragraph (d)(1) of this section, or registration pursuant to paragraph (c)(2) or (d)(2) of this section if the Bureau determines:

(i) That the entity has not satisfied or no longer satisfies the conditions described in paragraph (b) of this section or has not complied with the requirement described in paragraph (g) of this section; or

(ii) That preliminary approval, provisional registration, or registration of the entity poses an unreasonable risk to consumers.

(2) The Bureau may require additional information and documentation from an entity if it has reason to believe suspension or revocation under paragraph (h)(1) of this section may be warranted.

(3) Except in cases of willfulness or those in which the public interest requires otherwise, prior to suspension or revocation under paragraph (h)(1) of this section, the Bureau will provide written notice of the facts or conduct that may warrant the suspension or revocation and an opportunity for the entity or information system to demonstrate or achieve compliance with this section or otherwise address the Bureau's concerns.

(4) The Bureau will revoke an entity's preliminary approval for registration, provisional registration, or registration if the entity submits a written request to the Bureau that its preliminary approval, provisional registration, or registration be revoked.

(5) For purposes of §§ 1041.5 and 1041.6, suspension or revocation of an information system's registration is effective five days after the date that the Bureau publishes notice of the suspension or revocation on the Bureau's Web site. For purposes of § 1041.10(b)(1), suspension or revocation of an information system's provisional registration or registration is effective on the date that the Bureau publishes notice of the suspension or revocation on the Bureau's Web site. The Bureau will also publish notice of a suspension or revocation in the Federal Register.

(6) In the event that a provisional registration or registration of an information system is suspended, the Bureau will provide instructions concerning the scope and terms of the suspension on its Web site and in the notice of suspension published in the Federal Register.

(i) Administrative appeals

(1) Grounds for administrative appeals. An entity may appeal a determination of the Bureau that:

(i) Denies the application of an entity seeking preliminary approval for registration under paragraph (c)(1) of this section, registration under paragraph (c)(2) of this section, or provisional registration under paragraph (d)(1) of this section; or

(ii) Suspends or revokes the entity's preliminary approval for registration pursuant to paragraph (c)(1) of this section, provisional registration pursuant to paragraph (d)(1) of this section, or registration pursuant to paragraph (c)(2) or (d)(2) of this section.

(2) Time limits for filing administrative appeals. An appeal must be submitted on a date that is within 30 business days of the date of the determination. The Bureau may extend this time for good cause.

(3) Form and content of administrative appeals. An appeal shall be made by electronic means as follows:

(i) The appeal shall be submitted as set forth on the Bureau's Web site. The appeal shall be labeled “Information System Registration Appeal;”

(ii) The appeal shall set forth contact information for the appellant including, to the extent available, a mailing address, telephone number, or email address at which the Bureau may contact the appellant regarding the appeal;

(iii) The appeal shall specify the date of the letter of determination, and enclose a copy of the determination being appealed; and

(iv) The appeal shall include a description of the issues in dispute, specify the legal and factual basis for appealing the determination, and include appropriate supporting information.

(4) Appeals process. The filing and pendency of an appeal does not by itself suspend the determination that is the subject of the appeal during the appeals process. Notwithstanding the foregoing, the Bureau may, in its discretion, suspend the determination that is the subject of the appeal during the appeals process.

(5) Decisions to grant or deny administrative appeals. The Bureau shall decide whether to affirm the determination (in whole or in part) or to reverse the determination (in whole or in part) and shall notify the appellant of this decision in writing.