Comment for 1041.11 - Registered Information Systems
11(b) Eligibility Criteria for Registered Information Systems
11(b)(2) Reporting Capability
1. Timing. To be eligible for provisional registration or registration, an entity must possess the technical capability to generate a consumer report containing, as applicable for each unique consumer, all information described in § 1041.10 substantially simultaneous to receiving the information from a lender. Technological limitations may cause some slight delay in the appearance on a consumer report of the information furnished pursuant to § 1041.10, but any delay must be reasonable.
11(b)(3) Performance
1. Relationship with other law. To be eligible for provisional registration or registration, an entity must perform in a manner that facilitates compliance with and furthers the purposes of this part. However, this requirement does not supersede consumer protection obligations imposed upon a provisionally registered or registered information system by other Federal law or regulation. For example, the Fair Credit Reporting Act requires that, whenever a consumer reporting agency prepares a consumer report, it shall follow reasonable procedures to assure maximum possible accuracy of the information concerning the individual about whom the report relates. See 15 U.S.C. 1681e(b). If including information furnished pursuant to § 1041.10 in a consumer report would cause a provisionally registered or registered information system to violate this requirement, § 1041.11(b)(3) would not require that the information be included in a consumer report.
2. Evidence of ability to perform in a manner that facilitates compliance with and furthers the purposes of this part. Section 1041.11(c)(1) requires that an entity seeking preliminary approval to be a registered information system must submit an application to the Bureau containing information sufficient for the Bureau to determine that the entity is reasonably likely to satisfy the conditions set forth in § 1041.11(b). Section 1041.11(c)(2) and (d)(1) requires that an entity seeking to be a registered information system or a provisionally registered information system must submit an application that contains information and documentation sufficient for the Bureau to determine that the entity satisfies the conditions set forth in § 1041.11(b). In evaluating whether an applicant is reasonably likely to satisfy or satisfies the requirement set forth in § 1041.11(b)(3), the Bureau will consider the extent to which an applicant has experience functioning as a consumer reporting agency.
11(b)(4) Federal Consumer Financial Law Compliance Program
1. Policies and procedures. To be eligible for provisional registration or registration, an entity must have policies and procedures that are documented in sufficient detail to implement effectively and maintain its Federal consumer financial law compliance program. The policies and procedures must address compliance with applicable Federal consumer financial laws in a manner reasonably designed to prevent violations and to detect and prevent associated risks of harm to consumers. The entity must also maintain and modify, as needed, the policies and procedures so that all relevant personnel can reference them in their day-to-day activities.
2. Training. To be eligible for provisional registration or registration, an entity must provide specific, comprehensive training to all relevant personnel that reinforces and helps implement written policies and procedures. Requirements for compliance with Federal consumer financial laws must be incorporated into training for all relevant officers and employees. Compliance training must be current, complete, directed to appropriate individuals based on their roles, effective, and commensurate with the size of the entity and nature and risks to consumers presented by its activity. Compliance training also must be consistent with written policies and procedures and designed to enforce those policies and procedures.
3. Monitoring. To be eligible for provisional registration or registration, an entity must implement an organized and risk-focused monitoring program to promptly identify and correct procedural or training weaknesses so as to provide for a high level of compliance with Federal consumer financial laws. Monitoring must be scheduled and completed so that timely corrective actions are taken where appropriate.
11(b)(5) Independent Assessment of Federal Consumer Financial Law Compliance Program
1. Assessor qualifications. An objective and independent third-party individual or entity is qualified to perform the assessment required by § 1041.11(b)(5) if the individual or entity has substantial experience in performing assessments of a similar size, scope, or subject matter; has substantial expertise in both the applicable Federal consumer financial laws and in the entity's or information system's business; and has the appropriate professional qualifications necessary to perform the required assessment adequately.
2. Written assessment. A written assessment described in § 1041.11(b)(5) need not conform to any particular format or style as long as it succinctly and accurately conveys the required information.
11(b)(7) Independent Assessment of Information Security Program
1. Periodic assessments. Section 1041.11(b)(7) requires that, to maintain its registration, an information system must obtain and provide to the Bureau, on at least a biennial basis, a written assessment of the information security program described in § 1041.11(b)(6). The period covered by each assessment obtained and provided to the Bureau to satisfy this requirement must commence on the day after the last day of the period covered by the previous assessment obtained and provided to the Bureau.
2. Assessor qualifications. Professionals qualified to conduct assessments required under § 1041.11(b)(7) include: A person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; and an individual or entity with a similar qualification or certification.
3. Written assessment. A written assessment described in § 1041.11(b)(7) need not conform to any particular format or style as long as it succinctly and accurately conveys the required information.
11(c) Registration of Information Systems Prior to November 19, 2020
11(c)(1) Preliminary Approval
1. In general. An entity seeking to become preliminarily approved for registration pursuant to § 1041.11(c)(1) must submit an application to the Bureau containing information sufficient for the Bureau to determine that the entity is reasonably likely to satisfy the conditions set forth in § 1041.11(b) as of the deadline set forth in § 1041.11(c)(3)(ii). The application must describe the steps the entity plans to take to satisfy the conditions set forth in § 1041.11(b) by the deadline and the entity's anticipated timeline for such steps. The entity's plan must be reasonable and achievable.
11(c)(2) Registration
1. In general. An entity seeking to become a registered information system pursuant to § 1041.11(c)(2) must submit an application to the Bureau by the deadline set forth in § 1041.11(c)(3)(ii) containing information and documentation adequate for the Bureau to determine that the conditions described in § 1041.11(b) are satisfied. The application must succinctly and accurately convey the required information, and must include the written assessments described in § 1041.11(b)(5) and (7).
11(d) Registration of Information Systems on or After November 19, 2020
11(d)(1) Provisional Registration
1. In general. An entity seeking to become a provisionally registered information system pursuant to § 1041.11(d)(1) must submit an application to the Bureau containing information and documentation adequate for the Bureau to determine that the conditions described in § 1041.11(b) are satisfied. The application must succinctly and accurately convey the required information, and must include the written assessments described in § 1041.11(b)(5) and (7).