FDIC Modifies Financial Institution Ownership Records Under Privacy Act

Notice

Privacy Act of 1974; System of Records

A Notice by the Federal Deposit Insurance Corporation on 04/10/2026

• This document has a comment period that ends in 31 days.
  (05/11/2026) View Comment Instructions

• PDF

• Document Details

• Document Dates

- Table of Contents

• Public Comments
• Regulations.gov Data

- Sharing

• Print
• Other Formats
• Public Inspection Published Document: 2026-06904 (91 FR 18456) Document Headings ###### Federal Deposit Insurance Corporation

AGENCY:

Federal Deposit Insurance Corporation.

ACTION:

Notice of a modified system of records.

SUMMARY:

In accordance with the Privacy Act of 1974, as amended, the Federal Deposit Insurance Corporation (FDIC) is modifying an existing system of records titled FDIC-004, “Changes in Financial Institution Control Ownership Records.” The information in this system of records is used in support of the FDIC's regulatory and supervisory functions. This modified system of records notice combines FDIC-004 with FDIC-008, “Chain Banking Organizations Identification Records” and rescinds FDIC-008. The FDIC is updating this system of records to retitle it as “Financial Institution Ownership Records,” to modify several sections of this notice, and to seek public comment on four proposed routine uses. Additionally, this notice includes non-substantive changes to simplify the formatting and text of the previously published notice and improve consistency across system of records notices.

DATES:

This action will become effective on April 10, 2026. The routine uses in this action will become effective May 11, 2026, unless the FDIC makes changes based on comments received. Written comments should be submitted on or before May 11, 2026.

ADDRESSES:

Interested parties are invited to submit written comments identified by Privacy Act Systems of Records (FDIC-004) by any of the following methods:

• Agency Website: https://www.fdic.gov/​resources/​regulations/​federal-register-publications/. Follow the instructions for submitting comments on the FDIC website.
• Email: comments@fdic.gov. Include “Comments-SORN (FDIC-004)” in the subject line of communication.
• Mail: Jennifer M. Jones, Deputy Executive Secretary, Attention: Comments SORN (FDIC-004), Legal Division, Office of the Executive ( printed page 18457) Secretary, Federal Deposit Insurance Corporation, 550 17th Street NW, Washington, DC 20429.
• Hand Delivery/Courier: Comments may be hand-delivered to the guard station at the rear of the 550 17th Street NW building (located on F Street NW) on business days between 7:00 a.m. and 5:00 p.m. Public Inspection: Comments received, including any personal information provided, may be posted without change to https://www.fdic.gov/​resources/​regulations/​federal-register-publications/. Commenters should submit only information that the commenter wishes to make available publicly. The FDIC may review, redact, or refrain from posting all or any portion of any comment that it may deem to be inappropriate for publication, such as irrelevant or obscene material. The FDIC may post only a single representative example of identical or substantially identical comments and in such cases will generally identify the number of identical or substantially identical comments represented by the posted example. All comments that have been redacted, as well as those that have not been posted, that contain comments on the merits of this document will be retained in the public comment file and will be considered as required under all applicable laws. All comments may be accessible under the Freedom of Information Act (FOIA).

FOR FURTHER INFORMATION CONTACT:

Shannon Dahn, Assistant Director, Privacy, 703-516-5500, privacy@fdic.gov.

SUPPLEMENTARY INFORMATION:

Pursuant to the Privacy Act of 1974, 5 U.S.C. 552a, FDIC is modifying an existing system of records, FDIC-004, “Changes in Financial Institution Control Ownership Records.” This modification combines and renames two existing systems of records notices (SORNs), FDIC-004, “Changes in Financial Institution Control Ownership Records” and FDIC-008, “Chain Banking Organizations Identification Records” into a single SORN titled FDIC-004, “Financial Institution Ownership Records” and rescinds FDIC-008. Both systems of records rely on the same authority, cover the same individuals, and have similar purposes of tracking ownership of financial institutions. As modified, FDIC-004 maintains information about (1) individuals who acquire or dispose of ownership stakes in a FDIC-insured financial institution and (2) individuals who have ownership stakes in more than one financial institution or bank holding companies which, due to their common ownership, present a concentration of resources that could be susceptible to common risks. The FDIC uses information in this system of records to support its regulatory and supervisory functions.

In this notice, the FDIC proposes to update various sections of the SORN to, among other things, cover all individuals who have ownership stakes in financial institutions. The System Title section is being updated to better reflect the types of records covered. The System Location section is updated to reflect that the records may be maintained at various FDIC locations including authorized cloud environments. The Purpose(s) of the System section is being modified to combine the purposes of FDIC-004 and FDIC-008 and to clarify existing language.

The Routine Uses section is being renumbered and modified to list FDIC's standard routine uses (routine uses 1-10) first and to propose four new routine uses. Proposed standard Routine Use 2 supports disclosures as it relates to litigation. Proposed standard routine use 8 supports the disclosure of information from the system of records as may be required by Federal statute or treaty. Proposed standard routine use 9 supports the disclosure of information as may be needed to support the comparison of FDIC's records to another agency's system of records or to non-Federal records, in coordination with an Office of Inspector General in conducting an audit, investigation, inspection, evaluation, or other review. Proposed routine use 11 will permit sharing with other Federal or State financial institution supervisory authorities.

The FDIC is modifying the Policies and Practices for Storage, and Retention and Disposal sections to provide detail on the storage of electronic records and to include language on the disposal of records in accordance with approved FDIC record retention schedules. The FDIC is also modifying the Administrative, Technical, and Physical Safeguards section to provide additional detail on the safeguards used to protect this information. The FDIC is also modifying the sections containing the Procedures for Notification, Access, Contesting Records to improve the clarity of the instructions to the public and to direct the public to the appropriate FDIC website for information on how to request notification of, access to, or to contest the contents of records in FDIC-004.

This modified system will be included in FDIC's inventory of record systems.

SYSTEM NAME AND NUMBER:

Financial Institution Ownership Records, FDIC-004.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The Federal Deposit Insurance Corporation (FDIC) located at 550 17th Street NW, Washington, DC 20429, and other FDIC office locations. Information may also be stored within an appropriately authorized cloud environments or in other secure locations.

SYSTEM MANAGER(S):

Chief, Risk Management Applications, Division of Risk Management Supervision, FDIC, 550 17th Street NW, Washington, DC 20429.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Sections 7(j) and 9 of the Federal Deposit Insurance Act (12 U.S.C. 1817(j) and 1819).

PURPOSE(S) OF THE SYSTEM:

This system:

(1) collects, tracks, and assesses information about individuals who have direct or indirect ownership stakes in an FDIC-insured financial institution, and

(2) tracks ownership of possible linked financial institutions and bank holding companies which present a concentration of resources that could be susceptible to common risks, otherwise known as chain banking. Chain banking organizations generally involve a group of financial institutions or holding companies that are controlled by one individual or company. The FDIC is responsible for maintaining a record system for chain banking organizations and for developing an overall supervisory strategy for these organizations. The information in this system is used to support the FDIC's regulatory and supervisory functions.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

(1) Individuals who acquire or dispose of voting stock in an FDIC-insured financial institution; and

(2) Individuals who directly, indirectly, or in concert with others, own or control two or more financial institutions and bank holding companies.

CATEGORIES OF RECORDS IN THE SYSTEM:

For individuals identified in the paragraph (1) above, records include the name of the individual who is the proposed acquirer and their statement of assets and liabilities; statement of income and sources of income; name ( printed page 18458) and location of the financial institution; number of shares to be acquired and outstanding; dates ownership forms were filed; name and location of the newspaper in which the notice was published and date of publication. For disposal transactions, names of sellers/transferors; names of purchasers/transferees and number of shares owned after transaction; date of transaction on financial institution's books, number of shares acquired and outstanding. If stock of a bank holding company is involved, the name and location of the bank holding company and the institution(s) it controls.

For individuals identified in the paragraph (2) above, records include the names of and contact information for individuals who, either alone or in concert with others, own or control two or more financial institutions, the names of those financial institutions, locations, stock certificate numbers, total asset size, and percentage of outstanding stock owned by the controlling individual or group of individuals; charter types and, if applicable, name of intermediate bank holding entity and percentage of bank holding company held by controlling individual or group.

RECORD SOURCE CATEGORIES:

Information contained in this system is obtained from individuals listed in the Categories of Individuals; the financial institution or bank holding company in which control changed; filed ownership forms; federal and state financial institution supervisory authorities; examination reports and related materials; and regulatory filings.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside the FDIC as a routine use as follows:

(1) To appropriate Federal, State, local, tribal, territorial, and foreign agencies responsible for investigating or prosecuting a violation of, or for enforcing or implementing a statute, rule, regulation, or order issued, when the information, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto.

(2) To a court or adjudicative body before which the FDIC is authorized to appear when, (a) the FDIC or any component thereof; or (b) any employee of the FDIC in his or her official capacity; or (c) any employee of the FDIC in his or her individual capacity where the FDIC has agreed to represent the employee; or (d) the United States; where the FDIC determines that litigation is likely to affect the FDIC or any of its components, is a party to litigation or has an interest in such litigation, and the FDIC determines that use of such records is relevant and necessary to the litigation, provided, however, that in each case, the FDIC determines that disclosure of the records is a use of the information contained in the records which is compatible with the purpose for which the records were collected.

(3) To a congressional office in response to an inquiry made by the congressional office at the request of the individual who is the subject of the record.

(4) To appropriate agencies, entities, and persons when (a) the FDIC suspects or has confirmed that there has been a breach of the system of records; (b) the FDIC has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the FDIC (including its information systems, programs, and operations), the Federal Government, or national security; and (c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the FDIC's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

(5) To another Federal agency or Federal entity when the FDIC determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (a) responding to a suspected or confirmed breach; or (b) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

(6) To appropriate Federal, State, local, tribal, and territorial agencies in connection with hiring or retaining an individual; conducting a background security or suitability investigation; adjudication of liability; or eligibility for a license, contract, grant, or other benefit, to the extent that the information shared is relevant and necessary to the requesting agency's decision on the matter.

(7) To contractors, grantees, experts, consultants, students, volunteers, and others performing or working on a contract, service, grant, cooperative agreement, or project for the FDIC or the Office of Inspector General for use in carrying out their obligations under such contract, grant, agreement or project.

(8) To such recipients and under such circumstances and procedures as are mandated by Federal statute or treaty.

(9) To a Federal, State, local, tribal, or territorial agency for the purpose of comparing to the agency's system of records or to non-Federal records, in coordination with an Office of Inspector General in conducting an audit, investigation, inspection, evaluation, or other review as authorized by the Inspector General Act of 1978, as amended.

(10) To Federal agencies, and to those Federal employees designated by the President or Agency Heads pursuant to Executive Order 14243, for the purposes of identifying and eliminating waste, fraud, and abuse, including the elimination of bureaucratic duplication and inefficiency and the enhancement of the Government's ability to detect overpayments and fraud.

(11) To other Federal or State financial institution supervisory authorities for: (a) coordination of examining resources when the chain banking organization is composed of financial institutions subject to multiple supervisory jurisdictions; (b) coordination of evaluations and analysis of the condition of the consolidated chain organization; and (c) coordination of supervisory, corrective or enforcement actions.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored electronically or in paper format in secure facilities. Electronic records may be stored locally on digital media, in FDIC-owned cloud environments, or in vendor cloud service offerings that are appropriately authorized and/or certified.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by: Individual name or Financial Institution

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Financial institution ownership records are maintained for 10 years and then dispositioned in accordance with approved records retention schedules.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Records are protected from unauthorized access and improper use through administrative, technical, and ( printed page 18459) physical security measures. Administrative safeguards include written guidelines on handling personal information including agency-wide procedures for safeguarding personally identifiable information. In addition, all FDIC staff are required to take annual privacy and security training. Technical security measures within FDIC include restrictions on computer access to authorized individuals who have a legitimate need to know the information; multi-factor authentication for remote access and access to many FDIC systems; strong passwords when multi-factor authentication is not available; use of encryption for certain data types and transfers; firewalls and intrusion detection applications; and regular review of security procedures and best practices to enhance security. Physical safeguards include restrictions on building access to authorized individuals, security guard service, and maintenance of records in lockable offices and filing cabinets.

RECORD ACCESS PROCEDURES:

Individuals requesting access to records about them in this system of records should submit their request online through the FDIC FOIA Service Center at fdic.gov/foia. Alternatively, individuals can send a request in writing to the FDIC FOIA & Privacy Act Group, 550 17th Street NW, Washington, DC 20429, or email efoia@fdic.gov. Individuals will be required to provide a detailed description of the records they seek including time period when the records were created and other supporting information where possible. Individuals will be required to provide proof of identity in accordance with FDIC regulations at 12 CFR part 310.

CONTESTING RECORD PROCEDURES:

Individuals contesting the content of or requesting an amendment to their records in this system of records should submit their request online through the FDIC FOIA Service Center at fdic.gov/foia. Alternatively, individuals can send a request in writing to the FDIC FOIA & Privacy Act Group, 550 17th Street NW, Washington, DC 20429, or email efoia@fdic.gov. The request should contain the individual's reason for requesting the amendment and a description of the record (including the name of the appropriate designated system and category thereof) sufficient to enable the FDIC to identify the particular record or portion thereof with respect to which amendment is sought. Requests must specify which information is being contested, the reasons for contesting it, and the proposed amendment to such information in accordance with FDIC regulations at 12 CFR part 310. Individuals will be required to provide proof of identity in accordance with FDIC regulations at 12 CFR part 310.

NOTIFICATION PROCEDURES:

Individuals seeking to know whether this system contains information about them should submit their request online through the FDIC FOIA Service Center at fdic.gov/foia. Alternatively, individuals can send a request in writing to the FDIC FOIA & Privacy Act Group, 550 17th Street NW, Washington, DC 20429, or email efoia@fdic.gov. Individuals will be required to provide proof of identity in accordance with FDIC regulations at 12 CFR part 310.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

90 FR 51316 (Nov 17, 2025)

Federal Deposit Insurance Corporation.

Dated at Washington, DC, on April 7, 2026.

Jennifer M. Jones,

Deputy Executive Secretary.

[FR Doc. 2026-06904 Filed 4-9-26; 8:45 am]

BILLING CODE 6714-01-P

Published Document: 2026-06904 (91 FR 18456)