Title: FINAL RULE--Releasing Information; General Provisions; Accounting and Reporting Requirements; Reports of Accounts and Exposures--12 CFR Parts 602, 618, and 621
Issue Date: 12/24/2013
Agency: FCA
Federal Register Cite: 78 FR 77557
___________________________________________________________________________
[6705-01-P]

FARM CREDIT ADMINISTRATION

12 CFR Parts 602, 618, and 621

RIN 3052-AC76

Releasing Information; General Provisions; Accounting and Reporting Requirements; Reports of Accounts and Exposures

AGENCY: Farm Credit Administration.

ACTION: Final rule.

SUMMARY: The Farm Credit Administration (FCA, we, or our) issues this final rule to establish a regulatory framework for the reliable, timely, accurate, and complete reporting of Farm Credit System (System) accounts and exposures for examination activities and risk evaluation. The final rule specifies the reporting requirements and performance responsibilities, including, but not limited to, establishing uniform and standard data fields to be collected from all System institutions and a disciplined and secure delivery of information. The final rule authorizes a Reporting Entity (defined as the Federal Farm Credit Banks Funding Corporation (Funding Corporation) or an entity approved by FCA), to collect data from all banks and associations and serve as the central data repository manager. Additionally, the final rule requires all banks and associations to provide data to the Reporting Entity to facilitate the collection, enhancement, and reporting of data to FCA.

DATES:

Effective Date: This regulation will become effective 30 days after publication in the Federal Register during which either or both Houses of Congress are in session. We will publish a notice of effective date in the Federal Register.

Compliance Date: All provisions of this regulation require compliance on the effective date, except the Reporting Entity’s requirements under 621.15(b)(1) through (b)(6). We are delaying compliance with these requirements to allow for the development of and transition to the System’s central data repository. We will publish the compliance date for these requirements in the Federal Register.

FOR FURTHER INFORMATION CONTACT:

Susan Coleman, Senior Policy Analyst, Office of Regulatory Policy, Farm Credit Administration, McLean, VA 22102-5090, (703) 883-4491, TTY (703) 883-4056,

or

Jane Virga, Senior Counsel, Office of General Counsel, Farm Credit Administration, McLean, VA 22102-5090,
(703) 883-4020, TTY (703) 883-4056.

SUPPLEMENTARY INFORMATION:

I. Objectives

The objectives of this final rule are to:

II. Background

The Farm Credit Act of 1971, as amended (Act),1 in pertinent part, confers authority on FCA to examine and supervise the institutions of the System and authorizes FCA to issue regulations implementing the Act’s provisions.2 Our regulations, including this final rule, are intended to ensure the safe and sound operations of System institutions. In order to meet FCA’s responsibility to ensure the safety and soundness of System institutions, we must have reliable, timely, accurate, and complete information about each banks’ and associations’ assets and liabilities.

Section 4.12(b)(5) of the Act confirms FCA’s authority to request information from a System institution for examination and supervision and the concurrent obligation of a System institution to provide FCA with access to the records of the System institution. This statute makes it clear that FCA must have access to all records of a System institution and provides that concealment or refusal to provide access to such records is the basis for the appointment of a receiver or conservator.

In addition to that statutory authority, another section of the Act provides authority to FCA to require the production of System institution records. Section 5.9(4) of the Act provides FCA the power to require such reports as it deems necessary from System institutions.3 Additionally, section 5.22A of the Act and 621.12(a) of FCA regulations require each System institution to prepare and file such reports of condition and performance as may be required by FCA. Further clarification is provided in 621.12(b) of FCA regulations, which states that these reports of condition and performance must be filed four times a year and may include such additional reports as may be necessary to ensure timely, complete, and accurate monitoring and evaluation of the affairs, condition, and performance of System institutions as determined by the Chief Examiner. In addition, 621.12(c) of FCA regulations requires all reports of condition and performance to be submitted electronically in accordance with the instructions prescribed by FCA.

For over a decade, FCA has collected detailed asset reports through loan data extracts from System institutions to facilitate examination activities and risk evaluation, and shared this data with the Farm Credit System Insurance Corporation (FCSIC) on a confidential basis subject to an interagency agreement. The need for consistent, comprehensive, and comparable data across all System institutions has evolved, as the complexity and volume of assets has increased. The availability of quality and timely data on accounts and exposures, including any loan, lease, letter of credit, derivative, or, any other asset, liability, other balance sheet account, or off-balance-sheet exposure, has become critical to efficient and effective examination activities and risk evaluation. Accordingly, we continue to work with the System to collect more comprehensive data submissions and enhance the reporting to facilitate the evaluation of changing lending risks and conditions.

An integral component of FCA’s and FCSIC’s ability to quickly and accurately identify and respond to risk is the collection of data on, and identification of, shared assets. Shared assets are any account or exposure where two or more System institutions have assumed a portion of the asset’s benefits or risks. On October 3, 2012, the FCA Board approved Bookletter BL-065, which describes FCA’s expectations that each System institution and its board of directors establish and implement an automated mechanism to consistently identify shared asset exposures. Bookletter BL-065 continues to contain pertinent guidance for System institutions. After the central data repository is completed by the Reporting Entity, including the implementation of an automated mechanism to accurately identify the System’s shared asset exposures, FCA will evaluate whether to rescind Bookletter BL-065.

In addition to other objectives, and in order to facilitate the identification of shared asset exposures and enable System risk assessment, System banks and associations are working with the Funding Corporation to create a central data repository to collect and store data from all System banks and associations, establish an automated mechanism to timely and accurately identify the System’s shared asset exposures, and report Systemwide accounts and exposures on behalf of the System banks and associations to FCA. The Funding Corporation, in coordination with the banks and associations, is in the process of developing and deploying the central data repository and plans to assume the role of the Reporting Entity for the banks’ and associations’ reports of accounts and exposures by yearend 2014.

We believe the final rule provides a uniform system and process for the reporting of accounts and exposures. The final rule reaffirms FCA’s authority to collect data from the System and communicates the authority for, and responsibilities of, the Reporting Entity to collect data on behalf of the System banks and associations for delivery to FCA. The final rule also confirms FCA’s authority to share examination reports or other information on System institutions prepared or held by FCA with FCSIC, subject to appropriate security and controls.

The final rule requires the banks, associations, and Reporting Entity to establish a system of internal controls over the data. Additionally, the banks and associations must establish a data governance structure with the Reporting Entity to document the responsibilities and accountabilities for the conveyance, storage, and uses of the information stored in the central data repository. This data governance structure should establish agreement among the banks, associations, and Reporting Entity and must be in place prior to the first transfer of data to the Reporting Entity.

During the System’s data repository development phase, the banks and associations will continue to prepare and submit the reports of accounts and exposures to FCA in accordance with the instructions prescribed by FCA under 621.15(a) of this final rule. Upon satisfactory demonstration by the Reporting Entity of the ability to prepare reliable, timely, complete and accurate reporting of accounts and exposures, FCA will accept report(s) of all banks’ and associations’ accounts and exposures from the Reporting Entity, acting on behalf of the banks and associations. FCA will establish a delayed compliance date for the Reporting Entity’s responsibilities under 621.15(b)(1) through (b)(6) during the data repository development phase.

FCA understands that the development of the central data repository is a necessary precursor to the automated identification and reporting of shared exposures. However, FCA expects timely implementation of the System’s mechanism to identify shared asset exposures as required in 621.15(b)(3) once the data repository is complete. Since the identification of shared asset and customer exposures at the System level through an automated mechanism is not yet implemented, we will establish a delayed compliance date as previously discussed.

The System’s ultimate success of implementing a process for reporting shared exposures is dependent upon the cooperation and collaboration of the banks, associations, and Reporting Entity. We also understand that identification, management, and control of shared assets will primarily rest at the bank and association level and will be reported by the banks and associations in their quarterly reports. However, the responsibility of accumulating the shared assets to the shared customer level will primarily rest with the Reporting Entity. As such, the Reporting Entity is not only a conduit to submit the banks and associations reports of accounts and exposures, but is also necessary to establish and report accurate System shared exposures. Due to this interdependency, we expect continual and thorough collaboration and cooperation to ensure the mechanism to identify shared exposures is timely, accurate and complete. The data dictionary and instructions will specify the various components of the shared asset identifiers such as the shared asset number, the shared customer number and the System customer lead. FCA will continue to collaborate with the System on the specifics for identifying shared exposures through the data dictionary and instructions published on the FCA Web site.

The final regulation requires the Reporting Entity to notify FCA immediately in writing of the following events: (1) If there is a breach of information; (2) if there is a request for data from the reports of accounts and exposures from non-System entities; or, (3) if it is unable to prepare and submit the report(s) of accounts and exposures in compliance with the regulation. Additionally, in the event of a breach of information, the Reporting Entity must provide immediate written notice of the breach to each bank and association concerned.

The Reporting Entity may request that the banks and associations appoint a replacement Reporting Entity to assume the authorities and reporting obligations of the Reporting Entity. Additionally, the banks and associations at their discretion, and with the approval of the FCA, may elect to select a replacement Reporting Entity to assume the authorities and reporting obligations of the Reporting Entity.

The proposed rule, which was published for public comment for 30 days, generated five comment letters, four of which were generally supportive. One comment letter opposed the proposed regulation in its entirety. After considering the comments, we now finalize the proposed provisions as discussed below.

III. Discussion of Comment Letters and Section-by-Section Analysis of Final Rule

The five comment letters we received came from one Farm Credit Bank (AgriBank, FCB); three System agricultural credit associations (Farm Credit East, ACA, Greenstone Farm Credit Services, ACA, and River Valley AgCredit, ACA); and the Farm Credit Council (Council) acting on behalf of its membership. These letters contained a number of constructive comments that resulted in changes to a number of provisions in the proposed rule.

General Issues

Four commenters support our efforts to set up a regulatory framework, but ask that we continue to cooperate with System institutions regarding changes to data submission requirements so that an appropriate balance remains between the need to evaluate changing lending risks and the cost of regulatory burden to the System. The concept of a central data repository has been a collaborative and cooperative approach between the System and FCA to ensure all parties’ needs are adequately met and addressed. We intend to continue to collaborate and to provide the banks, associations, and Reporting Entity with ample opportunity to provide input on any anticipated changes to the data submission requirements or instructions. In our response below to comments on certain provisions of the proposed rule, we have made some changes to further clarify our intended process for changes to data submission requirements and to limit the regulatory burden on the System.

The commenter that opposed the rule in its entirety was concerned with sending confidential borrower information to the Reporting Entity. We understand and share this concern and believe we have included requirements in the regulation to address it. Specifically, the final rule requires the Reporting Entity to develop and implement an effective system of internal controls over the central data repository to ensure the confidentiality of borrower information. In addition, we expect the banks and associations to establish a data governance structure that documents agreement among the banks, associations, and Reporting Entity on the responsibilities and accountabilities for information stored in the central data repository. Finally, we also require the immediate reporting of any breach of information to FCA and each bank and association concerned.

This commenter is also concerned with the increased cost due to the regulation. We believe that the availability of quality and timely data on accounts and exposures is paramount to efficient and effective examination activities and risk evaluation, as well as the System’s own risk-management practices. We believe that establishing a central data repository, including an automated mechanism to accurately identify shared asset exposures, is a prudent expense that provides both FCA and the System (including this commenter) with the ability to timely evaluate risks and conditions, and respond appropriately.

1. Authority to Promulgate the Regulation

FCA cited section 5.22A of the Act as the basis to require a System institution to submit loan data. A commenter questioned whether section 5.22A was the proper authority to promulgate this regulation. Although the commenter acknowledged FCA’s inherent authority to access System institution accounts and exposure data for examination activities and support the overall process outlined in the proposed regulation, the commenter was concerned that we cited an incorrect authority for the collection of the data.

The commenter stated that the proposed rule provides a consolidated and efficient approach for submitting data from the System to FCA. However, the commenter stated that it is a “stretch” to call the submission of loan and other similar data at the record level a uniform financial report as contemplated in section 5.22A of the Act. The commenter asserts that financial reporting means balance sheet, income statements, and related supporting schedules, even though FCA has the authority to interpret the statute.

Section 5.22A of the Act requires System institutions to comply with FCA’s uniform financial reporting instructions. Section 5.22A was cited in Bookletter BL-065, which was the genesis for the proposed regulation. The Bookletter provides FCA’s expectations for System institutions to establish and implement an automated mechanism to identify and report shared asset exposures. Section 5.22A of the Act provides, in pertinent part, that each System institution shall comply with uniform financial reporting instructions required by the Farm Credit Administration to standardize and facilitate the reporting of System data.

The commenter suggests section 4.12(b)(5) of the Act as authority for the regulation. Although we continue to believe that section 5.22A of the Act authorizes the regulation, we have included section 4.12(b)(5) as additional authority. Section 4.12(b)(5) of the Act provides that the FCA Board may appoint a conservator or receiver for any System institution that does not provide FCA with access to the “books, papers, records, or assets of the institution.

Including this additional authority source should provide the balance that the commenter desired and reassurance concerning the types of information retained by System institutions. Also, as a technical matter, we added section 5.22A of the Act as authority for this regulation. We had included a discussion of this section in the preamble to the proposed rule but inadvertently omitted it from the authority citations.

2. Notice and Comment on Instructions

The proposed regulation provides that the banks and associations submit the reports of accounts and exposures in accordance with the instructions provided by FCA. The Council recommended that the rule be revised to provide for notice and comment when FCA changes any of its instructions on the reports of accounts and exposures. The Council asserts that the Administrative Procedure Act, 5 U.S.C. 553 (APA), requires that new instructions be subject to the notice and comment requirements. Another commenter asserted that the open-ended nature of the information collection process in the instructions is inappropriate in that it lacks balance and could be burdensome. As discussed below, we believe that the APA does not require notice and comment on the instructions for the submission of the accounts and exposure data and that the instructions will be appropriate.

The APA establishes, in pertinent part, that an agency must publish a proposed rule for notice and comment. By definition, a rule is an agency statement of general or particular applicability. A rule does not include an agency’s “housekeeping provisions.”

We do not believe that the instructions for the submission of accounts and exposures data are a regulation. The instructions are not an agency statement of general or particular applicability. Rather, we believe that the instructions are procedural on their face and do not change substantive standards for the submission of the data by the System institutions. The instructions do not alter the rights or interests of the System institutions, although the instructions may alter the information and how it is provided to FCA. A procedural rule does not become a substantive one for notice and comment purposes simply because it arguably imposes a “burden” on the System.

We do, however, intend to continue to engage in comprehensive collaboration and communication with the banks, associations, and Reporting Entity. We will provide all parties with sufficient time to review any proposed changes to the data dictionary and instructions and respond to us with any concerns, including the appropriateness of the data requirements and any burden.

In the future, FCA may amend the instructions, including the data dictionary, as the System and FCA continue to assess data needs. FCA intends to initiate an annual collaborative review of the data dictionary and corresponding instructions and provide any details on recommended changes to all parties in order to receive their comments and input prior to initiating any changes. This will ensure the System has the opportunity to provide adequate input to changes in the data submission requirements and in developing instructions on System data collection and storage. FCA plans to inform System institutions of proposed changes to the instructions and allow System institutions ample time to respond to any changes on the content of information to be provided or on the appropriate method of delivering information to the Reporting Entity or FCA. We believe that this process provides adequate balance to ensure that the information collected is appropriate for examination activities and risk analysis. However, exigent circumstances could mandate more frequent changes to the instructions, with or without System input.

The process we have discussed is consistent with the existing process for issuing instructions for providing “Uniform Call Reports.” We continue to believe, as first stated in Bookletter BL-065 that “[c]ollaboration by the System will improve the mechanisms and disciplines necessary to effectively assess and report shared-asset risks in a timely, complete and accurate manner.” We have confidence that this approach balances the needs of FCA to collect uniform and standardized data for examination and risk analysis with the needs of System institutions to collect the data needed and used for business or risk management purposes. Additionally, to clarify an additional comment on this topic, FCA’s instructions on the data submission requirements apply uniformly to all banks and associations.

3. Effective Date

Several of the commenters requested that we carefully consider the effective date of this regulation to ensure the System institutions have sufficient time to comply with the requirements. This regulation will become effective 30 days after publication in the Federal Register during which either or both Houses of Congress are in session. FCA will establish a delayed compliance date for the Reporting Entity’s requirements under 621.15(b)(1) through (b)(6) of the rule to allow for the development of and transition to the System’s central data repository. Accordingly, the compliance date for 621.15(b)(1) through (b)(6) requirements will be published separately in the Federal Register. All other sections and requirements of the regulation require compliance on the effective date of the regulation.

As discussed in the preamble, we expect the banks and associations to continue preparing and submitting the reports of accounts and exposures to FCA under the current established data dictionary and instructions prescribed by FCA. This current submission of data will continue until such time as the Reporting Entity completes the development and implementation of the central data repository and satisfactorily demonstrates the ability to prepare and deliver to FCA reliable, timely, complete and accurate reporting of accounts and exposures, including the identification of shared asset exposures. When this occurs, FCA will accept report(s) of all banks’ and associations’ accounts and exposures from the Reporting Entity, acting on behalf of the banks and associations. FCA understands that the identification of shared asset and customer exposures at the System level is not yet implemented and therefore, as stated previously, a delayed compliance date will be established for these requirements of the rule.

Specific Issues

1. Sharing Data on Third-Party Systems or with Contractors [new 602.2(c)]

The proposed rule would establish a confidentiality and data security agreement requirement between FCA and FCSIC when accounts and exposures data is shared between the two agencies.4

The Council and another commenter stated they were extremely concerned over: (1) The security of FCA or FCSIC storing accounts and exposures data on third-party systems; and (2) FCSIC providing the data to third-party contractors or vendors. They recommended we update the regulatory language to ensure that FCSIC cannot release the data to a vendor or any other third party and that the data must remain on FCA or FCSIC systems at all times.

We understand and share the commenters’ concerns with data security. However, we believe that the 602.2(c) requirement for a confidentiality and data security agreement between FCA and FCSIC adequately ensures the integrity, confidentiality, and security of the data. Safeguarding borrower information is of paramount importance to the System and FCA.

As to the comment concerning providing access to contractors, the interagency agreement between FCA and FCSIC governs and protects borrower data in any form and includes restrictions on sharing the data with contractors. These safeguards are appropriate for this type of data and provide FCA and FCISC the necessary access to the information while protecting it from unauthorized access and use. We also note that pursuant to Federal statute, FCA does not waive any privilege by sharing information with FCSIC. See 12 U.S.C. 1821(t).

2. Bank and Association Certification Requirement [new 621.15(a)(2)]

The proposed rule would require each bank and association to provide a written certification that the data submitted “has been prepared in accordance with all applicable regulations and instructions, and is a true and accurate record of the data maintained in the bank’s or association’s database, to the best of its knowledge and belief.”

The Council and other commenters suggested revising the certification requirement of the banks and associations to avoid the possible interpretation that FCA is prescribing what data a System institution maintains in its database. The Council asked for clarification that the term “complete” apply only to data that a bank and association has available electronically. In addition, one commenter stated that they are unable to certify that all of the actual information in their records, regarding any particular borrower, is fully accurate at any point in time because it is borrower provided.

In order to address these concerns, we have modified the language in the final rule as requested to require that System institutions certify that their submissions are a “true and accurate record of the data maintained by the bank or association, to the best of its knowledge and belief.” Furthermore, we intended that each bank’s and association’s certification apply to the data submitted in its report(s) of accounts and exposures and available in its databases.

3. Reporting Entity Certification Requirement [new 621.15(b)(4)]

The proposed rule provides, in pertinent part, that the Reporting Entity must certify “that the information provided in the report of each bank’s and association’s accounts and exposures has been prepared in accordance with all applicable regulations and instructions and accurately represents the information provided to it by the banks and associations.”

The Council suggested revising the Reporting Entity’s certification requirement. It believes the certification by the banks and associations is sufficient to ensure that the information in the report complies with the instructions.

While we agree that the Reporting Entity does not need to certify that the banks and associations have complied with the instructions, the Reporting Entity is responsible for certifying its compliance with the instructions, particularly as they relate to the establishment and implementation of an automated mechanism to identify shared asset exposures. To address these comments, we have modified the language in the final rule to clarify that the Reporting Entity needs to certify that the report accurately represents the information provided to it by the banks and associations and that the Reporting Entity has complied with the requirements of 621.15(b).

4. Reporting Entity Notification if Unable to Prepare and Submit Report [new 621.15(b)(6)]

The proposed rule provides, in pertinent part, that the Reporting Entity must “[n]otify the Farm Credit Administration if it is unable to prepare and submit the quarterly report of accounts and exposures in compliance with the requirements of this section.”

The Council requests that this provision be deleted. It believes that it is inappropriate to require the Reporting Entity to notify FCA when an individual institution fails to comply with the data submission requirements.

FCA did not intend to hold the Reporting Entity responsible for notifying FCA of institution compliance or noncompliance with reporting responsibilities. Rather, FCA wants to be notified if the Reporting Entity is unable to submit the quarterly report to FCA for any reason, such as technical difficulties or if the accounts and exposures report to FCA from the Reporting Entity does not contain all banks’ and associations’ reports. In order to address the Council’s concern, we have modified the language in the final rule to clarify that the Reporting Entity needs to notify FCA if it is unable to submit the quarterly report in compliance with the Reporting Entity’s responsibilities as set forth in 621.15(b)(1) through (b)(3).

5. Information Breach [new 621.15(b)(7)]
The proposed rule provides, in pertinent part, that the Reporting Entity would be required to immediately notify FCA and each concerned bank and association if there is a breach of information. Each bank and association would then determine whether any notice of the breach to any of its borrowers was required under applicable laws and regulations. The bank and association would be responsible for providing such notification to its borrowers. We defined "breach of information" to mean “unauthorized acquisition of or access to the central data repository, any quarterly reports of accounts and exposures or any other information received pursuant to 621.15(a)(1).”

Commenters raised several issues regarding these proposed requirements. They were concerned with the Reporting Entity providing written notice “immediately to FCA and each bank and association concerned, if there is an information breach. Commenters asked that the term “immediately” be revised to allow a greater time to report, such as 3 business days. Also, commenters requested that we delete the language in 621.15(b)(7)(ii) that the concerned bank and association determine whether any notice of the breach to any of its borrowers is required under applicable laws and regulations and, if so, that they are responsible for providing such notification. Commenters believe the language is not needed because the banks and associations are already required to comply with applicable laws and regulations. The commenters also requested that FCA clarify that the definition of “breach” refers only to situations in which data has been actually accessed by an unauthorized person.

FCA does not believe it appropriate to allow more time to report a security breach. FCA continues to believe that the report must be made “immediately” because the extreme sensitivity of the data maintained in the central data repository makes it urgent to communicate an information breach. The term “immediately” in this context means without delay or at once. As to the deletion of the language in 621.15(b)(7)(ii), we agree with the comment and have not included the specific language in this provision of the final rule. As noted in the proposed rule, the Reporting Entity is only responsible for notifying FCA and the bank and association concerned of any information breach. The bank or association concerned must comply with applicable laws and regulations regarding information security and should consider and follow best practices.

Finally, in order to address the concern about the definition of “breach,” we have modified 621.15(b)(7)(iii). In doing so, we do not believe “breach” should be limited to the occasion where data has actually been accessed by an unauthorized person. Instead, the modified definition is intended to capture attempts by unauthorized persons to access data and unauthorized possession of data.

IV. Regulatory Flexibility Act

Pursuant to section 605(b) of the Regulatory Flexibility Act (5 U.S.C. 601 et seq.), FCA hereby certifies that the final rule would not have a significant economic impact on a substantial number of small entities. Each of the banks in the Farm Credit System, considered together with its affiliated associations, has assets and annual income in excess of the amounts that would qualify them as small entities. Therefore, Farm Credit System institutions are not "small entities" as defined in the Regulatory Flexibility Act.




_______________________________
1Pub. L. 92-181, 85 Stat. 583 (1971), 12 U.S.C. 2001 et seq.

212 U.S.C. 2252(a)(8), (9), and (10).

3Further, under section 5.17(a)(11) of the Act, FCA may "[e]xercise such incidental powers as may be necessary or appropriate to fulfill its duties and carry out the purposes of {the} Act."

4Section 5.59(a)(5) of the Act provides that FCSIC, to the extent practicable, shall use the personnel and resources of FCA to minimize duplication of effort and to reduce costs. Under section 5.59(b), if the FCSIC Board considers it necessary to examine an insured System bank or a System association or any System institution in receivership, it may use FCA examiners to conduct the examination using reports and other information on the System institution prepared or held by FCA. If the FCSIC Board determines that such reports or information are not adequate to enable FCSIC to carry out the duties of FCSIC under section 5.59(b), it may request FCA to examine or to obtain other information from or about the System institution and provide FCSIC the resulting examination report or such other information. See also section 5.19(d) of the Act.

List of Subjects

12 CFR Part 602
Courts, Freedom of information, Government employees.

12 CFR Part 618
Agriculture, Archives and records, Banks, banking, Insurance, Reporting and recordkeeping requirements, Rural areas, Technical assistance.

12 CFR Part 621
Accounting, Agriculture, Banks, banking, Penalties, Reporting and recordkeeping requirements, Rural areas.

For the reasons stated in the preamble, parts 602, 618 and 621 of chapter VI, title 12 of the Code of Federal Regulations, are amended as follows:

PART 602—RELEASING INFORMATION

1. The authority citation for part 602 is revised to read as follows:

Authority: Secs. 5.9, 5.17, 5.59 of the Farm Credit Act (12 U.S.C. 2243, 2252, 2277a-8); 5 U.S.C 301, 552; 12 U.S.C. 1821(t); 52 FR 10012; E.O. 12600; 52 FR 23781, 3 CFR 1987, p. 235.

2. Section 602.2 is amended by:
a. Revising the heading;
b. Redesignating existing paragraph (c) as paragraph (d); and
c. Adding new paragraph (c) to read as follows:

602.2 Disclosing reports of examination and other non-public information.
* * * * *
(c) Disclosure to the Farm Credit System Insurance Corporation. Without waiving any privilege or limiting any of the requirements of section 5.59 of the Farm Credit Act of 1971, as amended, we may disclose reports of examination and other examination and non-public information, including data from reports of System accounts and exposures received pursuant to 621.15 of this chapter, to the Farm Credit System Insurance Corporation pursuant to confidentiality and data security agreements executed between the agencies.
* * * * *

PART 618—GENERAL PROVISIONS

3. The authority citation for part 618 continues to read as follows:

Authority: Secs. 1.5, 1.11, 1.12, 2.2, 2.4, 2.5, 2.12, 3.1, 3.7, 4.12, 4.13A, 4.25, 4.29, 5.9, 5.10, 5.17, of the Farm Credit Act (12 U.S.C. 2013, 2019, 2020, 2073, 2075, 2076, 2093, 2122, 2128, 2183, 2200, 2211, 2218, 2243, 2244, 2252.

618.8300 [Amended]

4. Section 618.8300 is amended by removing the words "as authorized in the following paragraphs" and adding in their place, the words "as authorized by Farm Credit Administration regulations ( 618.8300 through 618.8330)".

5. Section 618.8310 is amended by adding a new paragraph (c) to read as follows:

618.8310 Lists of borrowers and stockholders.
* * * * *
(c) In connection with preparing and submitting an electronic report of all System accounts and exposures to the Farm Credit Administration in accordance with the requirements of 621.15 of this chapter, each bank and association may provide information from its lists of borrowers and stockholders to the Reporting Entity as defined in 621.2 of this chapter.

6. Section 618.8320 is amended by adding a new paragraph (b)(10) to read as follows:

618.8320 Data regarding borrowers and loan applicants.
* * * * *
(b) * * *
(10) In connection with preparing and submitting an electronic report of all System accounts and exposures to the Farm Credit Administration in accordance with the requirements of 621.15 of this chapter, each bank and association may provide data on its accounts and exposures to the Reporting Entity as defined in 621.2 of this chapter.
* * * * *

PART 621—ACCOUNTING AND REPORTING REQUIREMENTS

7. The authority citation for part 621 is revised to read as follows:

Authority: Secs. 4.12(b)(5), 5.17, 5.22A, 8.11 of the Farm Credit Act (12 U.S.C. 2183, 2252, 2257a, 2279aa-11); sec. 514 of Pub. L. 102-552.

8. Section 621.2 is amended by:
a. Redesignating paragraph (a) as paragraph (b), paragraph (b) as paragraph (d), and paragraphs (c) through (i) as paragraphs (f) through (l), respectively; and
b. Adding new paragraphs (a), (c), (e), (m) and (n) to read as follows:

621.2 Definitions.
(a) Accounts and exposures means data related to any loan, lease, letter of credit, derivative, or, any other asset, liability, other balance sheet account, or off-balance-sheet exposure of a System institution.
* * * * *
(c) Banks and associations mean all Farm Credit Banks, Agricultural credit banks, and associations.
* * * * *
(e) Central data repository means a central data warehouse that electronically collects and stores current and historical data and is created by integrating data from one or more disparate sources.
* * * * *
(m) Reporting entity means the Federal Farm Credit Banks Funding Corporation, or other entity approved by the Farm Credit Administration.
(n) Shared asset means any account or exposure where two or more Farm Credit institutions have assumed a portion of the asset’s benefits or risks. An institution’s share in the asset may be established through means such as syndications, participation agreements, assignments, or other arrangements with System entities.

9. Revise the heading of subpart D to read as follows:

Subpart D–-Reports of Condition and Performance and Accounts and Exposures

10. Section 621.12 is amended by revising the heading to read as follows:

621.12 Reports of condition and performance.
* * * * *

11. Add a new 621.15 to subpart D to read as follows:

621.15 Reports of accounts and exposures.
(a) Responsibilities of banks and associations for preparing and submitting reports. The banks and associations must prepare and submit an accurate and complete report of all bank and association accounts and exposures electronically to the Farm Credit Administration pursuant to the requirements of this part. In order to accomplish such submission, each bank and association must:
(1) Prepare and submit an accurate and complete report of its accounts and exposures electronically to the Reporting Entity:
(i) In accordance with the instructions prescribed by the Farm Credit Administration, or as may be required by the Farm Credit Administration; and
(ii) Within 20 calendar days after each quarter-end date, and at such other times as the Farm Credit Administration may require.
(2) Submit to the Farm Credit Administration and the Reporting Entity a written certification that the information provided in the report of accounts and exposures has been prepared in accordance with all applicable regulations and instructions, and is a true and accurate record of the data maintained by the bank or association, to the best of its knowledge and belief. The reports shall be certified by the officer of the reporting bank or association named for that purpose by action of the reporting bank’s or association’s board of directors. If the board of directors of the bank or association has not acted to name an officer to certify to the accuracy of its reports of accounts and exposures, then the reports shall be certified by the president or chief executive officer of the reporting bank or association. In the event the bank or association learns of a material error or misstatement in the information submitted to the Reporting Entity, it must notify the Reporting Entity and the Farm Credit Administration immediately of the error or misstatement and prepare and submit corrected information as soon as practicable.
(3) Respond promptly to any questions by the Reporting Entity related to information provided under this section in connection with the preparation of a report of accounts and exposures, including any data required to establish, implement and maintain consistent, accurate, and complete shared asset identification and reporting of shared asset exposures to the Farm Credit Administration.
(4) Develop, implement, and maintain an effective system of internal controls over the data included in the report of accounts and exposures, including controls for maintaining the confidentiality of borrower information. The system of internal controls, at a minimum, must comply with the requirements of applicable Farm Credit Administration regulations, including 618.8430 of this chapter.
(b) Responsibilities of the Reporting Entity for preparing and submitting reports. The Reporting Entity must:
(1) Collect, store, and manage the information submitted to it by each bank and association under the requirements of this section in a central data repository in accordance with Farm Credit Administration regulations and prescribed instructions.
(2) Prepare and submit an electronic quarterly report of the accounts and exposures of all banks and associations to the Farm Credit Administration in accordance with the instructions prescribed by the Farm Credit Administration or as may be required by the Farm Credit Administration.
(3) Establish, implement, and maintain an automated mechanism to ensure the reliable, timely, accurate and consistent identification of the banks’ and associations’ shared asset exposures, and report these exposures and the shared asset identifiers in the electronic quarterly report of accounts and exposures to the Farm Credit Administration. In connection with establishing and implementing the automated shared asset identification mechanism, the Reporting Entity may provide the banks and associations information from the central data repository to identify and report shared asset exposures.
(4) Submit to the Farm Credit Administration a written certification that the information provided to the Farm Credit Administration in the report of accounts and exposures of all banks and associations accurately represents the information provided to it by the banks and associations and that the Reporting Entity has complied with the requirements of 621.15(b). The reports shall be certified by the president or chief executive officer of the Reporting Entity. In the event the Reporting Entity learns of a material error or misstatement in the information submitted to the Farm Credit Administration, it must notify the Farm Credit Administration immediately of the error or misstatement and prepare and submit corrected information as soon as practicable.
(5) Develop, implement, and maintain an effective system of internal controls over the central data repository, including controls for maintaining the confidentiality of borrower information. The system of internal controls, at a minimum, must comply with the requirements of applicable Farm Credit Administration regulations, including 618.8430 of this chapter and require that the Reporting Entity:
(i) Develop policies and procedures to ensure that the information submitted in the report of accounts and exposures to the Farm Credit Administration is complete and consistent with the information submitted to the Reporting Entity from the banks and associations under 621.15(a); and
(ii) Specify procedures for monitoring any material corrections or adjustments, in a timely manner, and provide timely notification and resubmission of the report of accounts and exposures to the Farm Credit Administration.
(6) Notify the Farm Credit Administration if it is unable to prepare and submit the quarterly report of accounts and exposures in compliance with the requirements of 621.15(b)(1) through (b)(3). The notification:
(i) Must be signed by the chief executive officer, or person in an equivalent position, and submitted to the Farm Credit Administration as soon as the Reporting Entity becomes aware of its inability to comply;
(ii) Must explain the reasons for its inability to prepare and submit the report; and
(iii) May include a request that the Farm Credit Administration extend the due date for the quarterly report of accounts and exposures.
(7) In the event there is a breach of information, immediately provide written notice of the breach to:
(i) The Farm Credit Administration; and
(ii) Each bank and association concerned;
(iii) For the purposes of this section, "breach of information" means any actual or attempted unauthorized access, possession, use, disclosure, disruption, modification, or destruction of information in the central data repository, any reports of accounts and exposures, or any other information received pursuant to 621.15(a)(1).
(8) Notify the Farm Credit Administration in writing of any request for data contained in the reports of accounts and exposures that are not explicitly allowed for in 618.8320(b) of this chapter.

Dated: December 18, 2013

Dale L. Aultman,
Secretary,
Farm Credit Administration Board.