FACTA & the FDIC Guidelines for Proper Disposal of Consumer Data for Financial Institutions

Nov 23, 2020 Blog Article

Farah Mithani A tech-focused writer and editor, Farah covered topics related to cloud security, software, and hardware while working at a Fortune 500 company. She then joined Blancco as content marketing specialist. In that role, she authored data management, data erasure, and IT asset lifecycle content while supporting Blancco’s social media and email channels.

Financial institutions handle large volumes of consumer data in their day-to-day operations. Consumer data varies from social security numbers, addresses, driver’s licenses, credit scores to other personally identifiable data. This data may be vulnerable to identify theft. To protect consumer information handled by financial organizations the Federal Deposit Insurance Corporation (FDIC) has mandated how this data must be handled and disposed. 

The FDIC has mandated that financial institutions be compliant with the Fair and Accurate Credit Transactions Act (FACTA) of 2003 section 216 as the guidelines require the proper disposal of consumer information. These guidelines have been in effect for financial institutions since 2005.

The FDIC is an independent agency created by the U.S. Congress to maintain stability and public confidence in the nation’s financial system. To accomplish this mission, the FDIC insures deposits; examines and supervises financial institutions for safety, soundness, and consumer protection; makes large and complex financial institutions resolvable; and man-ages receiverships.

Obligations of Financial Institutions

FACTA guidelines require each financial institution to develop and maintain, as part of its information security program, appropriate controls designed to ensure that it properly disposes of consumer information originating from a consumer report.

Consumer information is any record about an individual, whether in paper, electronic, or other form that is a consumer report or is derived from a consumer report and that is maintained or otherwise possessed by or on behalf of the institution for a business purpose.

Consumer information is also a compilation of such records. However, a record that does not identify an individual is not considered consumer information. Therefore, the guidelines do not apply to aggregate information.

In the performance of their business functions, financial organizations will process records that identify an individual. Under FACTA, and required by the FDIC, these institutions must perform the following:

Failure to meet these directives will make an organization liable to statutory enforcement actions by the FDIC’s Enforcement Decisions and Orders (EDO) division. The statutory penalties assessed may include civil money penalty, removal/prohibition order, cease and desist or voluntary termination.

Third-Party Service Providers

Frequently, financial institutions will outsource functions of their data disposal process to third party service providers. A service provider is an entity that maintains, processes or otherwise is permitted access to customer information or consumer information through its performance of services to the bank. The guidelines direct financial institutions to require service providers by contract to implement appropriate measures designed to meet the FACTA obligations for the proper disposal of consumer information.


The FDIC and FACTA require that any business that handles consumer information must take ‘reasonable measures’ to protect against unauthorized access or use of the consumer information. This includes and is not limited to:

The FDIC guidelines do not recommend any specific form of data erasure but due to technological advances in data storage we recommend all erasure to be in compliance with NIST 800-88.

Complying with FDIC guidelines when managing and disposing of consumer data will limit your organization’s exposure to fines, data breaches and other regulatory issues. Blancco Drive Eraser is a proven software-based erasure tool that meets FDIC requirements for disposing of consumer data.

For more information on data security, please visit our Supported Standards page.