Download:
pdf |
pdfSupporting Statement for Information Collection Provisions in the
Identity Theft Red Flags, Card Issuers, and Address Discrepancies Rules
(OMB Control #: 3084-0137)
The Federal Trade Commission (“FTC” or “Commission”) requests renewed Office of
Management and Budget (“OMB”) clearance for the collections of information in the rules
implementing sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003
(“FACT Act”), as amended by the Red Flags Program Clarification Act of 2010 (“Clarification
Act”).1 These rules2 enhance the ability of consumers to resolve problems caused by identity
theft and increase the accuracy of consumer reports.
1.
Necessity for Collecting and Retaining the Information
FACT Act Section 114
Section 114 of the FACT Act, 15 U.S.C. § 1681m(e), amended section 615 of the Fair
Credit Reporting Act (“FCRA”) to require the Commission, among other things, to issue:
q
A regulation requiring each financial institution and creditor to develop and
implement a written Identity Theft Prevention Program (“Program”) to detect,
prevent, and mitigate identity theft in connection with existing accounts or the
opening of new accounts (“Red Flags Rule”); and
q
A regulation generally requiring credit and debit card issuers to assess the validity of
change of address requests (“Card Issuers Rule”).
FACT Act Section 315
Section 315 of the FACT Act, 15 U.S.C. § 1681c(h), amended section 605 of the FCRA
to require the Federal Trade Commission to issue regulations providing guidance regarding
reasonable policies and procedures that a user of consumer reports must employ when a user
receives a notice of address discrepancy from a consumer reporting agency (“Address
Discrepancies Rule”). This rule must describe reasonable policies and procedures for users of
consumer reports to:
q
1
2
Enable a user to form a reasonable belief that it knows the identity of the person for
whom it has obtained a consumer report, and
Red Flag Program Clarification Act of 2010, 15 U.S.C. 1681m(e)(4).
The three rules – Red Flags Rule (16 C.F.R. 681.1); Card Issuers Rule (16 C.F.R. 681.2); and Address
Discrepancies Rule (16 C.F.R. 641), (collectively, “Rules”) – were issued jointly with Office of the
Comptroller of the Currency , the Board of Governors of the Federal Reserve System, the Federal Deposit
Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration.
q
2.
Reconcile the address of the consumer with the consumer reporting agency, if the
user establishes a continuing relationship with the consumer and regularly and in the
ordinary course of business furnishes information to the consumer reporting agency.
Use of the Information
FACT Act Section 114
As required by section 114, the Red Flags Rule requires financial institutions and covered
creditors within the FTC’s jurisdiction to identify patterns, practices, and specific forms of
activity that indicate the possible existence of identity theft. The Red Flags Rule also requires
each covered entity to establish reasonable policies and procedures to address the risk of identity
theft. In addition, each covered entity must create a Program and report to the board of directors,
a committee thereof, or senior management at least annually on compliance with the Red Flags
Rule. In addition, staff of covered entities must be trained to carry out the Program.
Further, the Address Discrepancies Rule requires credit card and debit card issuers to
develop policies and procedures to assess the validity of a request for a change of address under
certain circumstances. Each credit and debit card issuer must establish policies and procedures
to assess the validity of a change of address request. The card issuer must notify the cardholder
or use another means to assess the validity of the change of address.
FACT Act Section 315
As required by section 315, the Address Discrepancies Rule provides guidance on
reasonable policies and procedures that a user of consumer reports must follow when a user
receives a notice of address discrepancy from a consumer reporting agency. Each user of
consumer reports within the FTC’s jurisdiction must develop reasonable policies and procedures
that it will follow when it receives a notice of address discrepancy from a consumer reporting
agency. In certain instances, a user of consumer reports must furnish an address that the user has
reasonably confirmed to be accurate to the consumer reporting agency from which it receives a
notice of address discrepancy.
3.
Consideration of Using Improved Information Technology to Reduce Burden
Consistent with the aims of the Government Paperwork Elimination Act, 44 U.S.C.
§ 3504 note, the Rules permit covered financial institutions, creditors, and credit card users great
latitude in using new technologies to reduce compliance costs. Nothing in the Rules preclude
the use of electronic methods for compliance purposes. For example, the Red Flags Rule was
drafted to be flexible and in a technologically neutral manner so that covered entities would not
be forced to acquire expensive new technology in order to comply with that rule.
2
4.
Efforts to Identify Duplication/Availability of Similar Information
FTC staff has not identified any other federal or state statutes, rules, or policies that
duplicate, overlap, or conflict with the Rules. To the extent that there exist any such state laws,
sections 114 and 314 of the FACT Act preempt them.
5.
Efforts to Minimize Burdens on Small Businesses
Although the reach of the Red Flags Rule is broad, the Rule nonetheless permits
maximum flexibility, enabling each covered entity to prepare a Program tailored to its particular
size, sophistication, and prior experience with identity theft. Moreover, since promulgation of
the original Rule, President Obama signed the Clarification Act, which narrowed the definition
of “creditor” for purposes of section 114 of the FCRA. Specifically, only those creditors using
consumer reports, furnishing information to consumer reporting agencies, or advancing funds are
now covered by the Red Flags Rule. As a practical matter, this means that many small
businesses no longer fall within the scope of the Rule.
The Address Discrepancies Rule and Card Issuers Rule minimize the burden on all
covered business – including small businesses – by building upon standard business practices,
many of which were in use before these two rules were promulgated. For example, it is the usual
and customary business practice (except in connection with new deposit relationships) for users
of consumer reports covered by the Address Discrepancies Rule to furnish information to
consumer reporting agencies in response to notices of address discrepancies. Similarly, many
entities covered by the Card Issuers Rule routinely assess the validity of change of address
requests and, for the most part, have automated the process for doing so. Accordingly, the
burden on all businesses covered by the Address Discrepancies Rule and Card Issuers Rule is
minimal.
6.
Consequences of Conducting Collection Less Frequently
The burden associated with the Rules is largely attributable to the policies and procedures
that a covered entity must develop to create a Program, to assess the validity of a change of
address request, or to respond to notices of address discrepancy. Once they are developed, these
policies and procedures will only need to be adjusted if they become ineffective. Similarly, staff
of covered entities will need to be trained only once, unless policies and procedures change.
The Red Flags Rule requires annual reports to the board or senior management of covered
entities. The Commission believes that the board, a committee of the board, or senior
management should monitor compliance through the review of annual reports that assess the
effectiveness of the entity’s Program.
3
7.
Circumstances Requiring Disclosures Inconsistent with Guidelines
The collection of information required by the Rules is consistent with all applicable
guidelines contained in 5 C.F.R. § 1320.5(d)(2).
8.
Consultation Outside the Agency/Public Comments
In addition to past consultations and public comments sought for the Rule when it was
proposed, the Commission more recently sought public comment regarding its latest PRA
clearance request for this Rule. See 77 Fed. Reg. 40,614 (July 10, 2012). No comments were
received. Pursuant to PRA implementing regulations under 5 C.F.R. Part 1320, the Commission
is providing a second opportunity for public comment on the instant burden analysis,
contemporaneous with this submission.
9.
Payments/Gifts to Respondents
Not applicable.
10. & 11.
Assurances of Confidentiality/Matters of a Sensitive Nature
No assurance of confidentiality is necessary because the Rules do not require financial
institutions or creditors to register or file any documents with the Commission. To the extent that
information covered by a recordkeeping requirement is collected by the Commission for law
enforcement purposes, the confidentiality protections of sections 6(f) and 21 of the FTC Act, 15
U.S.C. §§ 46(f), 57b-2 will apply.
12.
Estimated Annual Hours Burden and Associated Labor Costs
2,306,904 total burden hours (1,485,124 hours for section 114 + 821,780 hours for
section 315); $76,345,468, labor costs ($62,375,208 for section 114 and $13,970,260 for
section 315)
Section 114: Red Flags and Card Issuers Rules
A.
Red Flags Rule
Affected Public: Utilities; motor vehicle dealerships; telecommunications firms; colleges
and universities; hospitals; nursing homes; public warehouse and storage firms; fuel
dealers; financial transaction processing firms; other persons satisfying the definition of
“creditor,” as modified by the Clarification Act.
4
Estimated Hours Burden: 1,413,212 hours
The Red Flags Rule requires financial institutions and certain creditors with covered
accounts to develop and implement a written Program and report to the board of directors, a
committee thereof or senior management at least annually on compliance with the Rule. Under
the Rule, a “financial institution” is “a State or National bank, a State or Federal saving and loan
association, a mutual savings bank, a State or Federal credit union, or any other person that,
directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal
Reserve Act, 12 U.S.C. ch. 3) belonging to a consumer.”3
Under the Rule, “creditor” has the same meaning as in section 702 of the Equal Credit
Opportunity Act (ECOA).4 The Clarification Act, however, narrows the definition to those
creditors that use consumer reports, furnish information to consumer reporting agencies, or
advance funds. As a result, many small businesses, service providers, and other persons that
would ordinarily satisfy the ECOA definition of “creditor” will nonetheless be excluded from the
definition of “creditor” for purposes of the Red Flags Rule.
Nonetheless, the scope of entities covered by the Red Flags Rule within the FTC’s
jurisdiction is broad, making it difficult to determine precisely the number of financial institutions
and creditors that are subject to the FTC’s jurisdiction. There are numerous businesses under the
FTC’s jurisdiction and there is no formal way to track them; moreover, as a whole, the entities
under the FTC’s jurisdiction are so varied that there are no general sources that provide a record
of their existence. Nonetheless, FTC staff estimates that the Red Flag Rule’s requirement to have
a written Program affects over 7,025 financial5 institutions and almost 160,614 creditors.6
To estimate burden hours for the Red Flags Rule under section 114, FTC staff has divided
affected entities into two categories, based on the nature of their businesses: (1) entities that are
subject to a high risk of identity theft;7 and (2) entities that are subject to a low risk of identity
theft.8
3
The Rule refers to the definition of “financial institution” that is found in FCRA, 15 U.S.C. § 1681a(t).
4
15 U.S.C. §1681a(r)(5).
5
The total number of financial institutions (7,025) is derived from an analysis of state credit unions, insurers,
and other institutions within the FTC’s jurisdiction. See 77 Fed. Reg. at 40,615 n. 2.
6
See the discussion of creditors at 77 Fed. Reg. at 40,615 - 40,616.
7
In general, high-risk entities include, for example, financial institutions within the FTC’s jurisdiction and
utilities, motor vehicle dealerships, telecommunications firms, colleges and universities, and hospitals.
8
Low-risk entities have a minimal risk of identity theft, but have covered accounts. These include, for
example, public warehouse and storage firms, nursing and residential care facilities, automotive equipment
rental and leasing firms, office supplies and stationery stores, fuel dealers, and financial transaction processing
firms.
5
1.
High-Risk Entities
FTC staff estimates that high-risk entities will each require 25 hours to create and
implement a written Program, with an annual recurring burden of one hour. FTC staff anticipates
that these entities will incorporate into their Programs policies and procedures that they likely
already have in place. Further, FTC staff estimates that preparation of an annual report will
require each high-risk entity four hours initially, with an annual recurring burden of one hour.
Finally, FTC staff believes that many of the high-risk entities, as part of their usual and customary
business practices, already take steps to minimize losses due to fraud, including conducting
employee training. Accordingly, only relevant staff need to be trained to implement the Program:
for example, staff already trained as part of a covered entity’s anti-fraud prevention efforts do not
need to be re-trained except as incrementally needed. FTC staff estimates that training in
connection with the implementation of a Program of a high-risk entity will require four hours, and
recurring annual training thereafter will require one hour. Thus, the estimated hours burden for
high-risk entities is as follows:
! 105,774 high-risk entities subject to the FTC’s jurisdiction at an average annual burden
of 13 hours per entity [average annual burden over 3-year clearance period for creation and
implementation of Program ((25+1+1) ÷3), plus average annual burden over 3-year clearance
period for staff training ((4+1+1) ÷3), plus average annual burden over 3-year clearance period
for preparing annual report ((4+1+1) ÷3), for a total of 1,375,062 hours.
2.
Low-Risk Entities
FTC staff believes that the burden on low-risk entities to comply with the rules is
minimal. Entities that have a low risk of identity theft, but that have covered accounts, likely will
only need a streamlined Program. FTC staff estimates that such entities will require one hour to
create such a Program, with an annual recurring burden of 5 minutes. Training staff of low-risk
entities to be attentive to future risks of identity theft should require no more than 10 minutes in
an initial year, with an annual recurring burden of 5 minutes. Thus, the estimated hours burden
for low-risk entities is as follows:
!
61,865 low-risk entities9 that have covered accounts subject to the FTC’s
jurisdiction at an average annual burden of approximately 37 minutes per entity
[average annual burden over 3-year clearance period for creation and
implementation of streamlined Program ((60+5+5) ÷3), plus average annual
burden over 3-year clearance period for staff training ((10+5+5) ÷3), plus average
annual burden over 3-year clearance period for preparing annual report ((10+5+5)
÷3], for a total of 38,150 hours.
9
This figure is derived from an analysis of a database of U.S. businesses based on NAICS codes for
businesses that market goods or services to consumers or other businesses within the FTC’ jurisdiction,
reduced further by: (1) those that satisfy the Clarification Act’s definition of “creditor” and (2) those that are
likely to have covered accounts.
6
B.
Card Issuers Rule
Affected Public: State-chartered credit unions; general merchandise stores; colleges and
universities; telecommunications firms; and other persons satisfying the definition of
“creditor,” as modified by the Clarification Act.
Estimated Hours Burden: 71,912 hours
The Card Issuers Rule requires credit and debit card issuers to establish policies and
procedures to assess the validity of a change of address request, including notifying the
cardholder or using another means of assessing the validity of the change of address. FTC staff
believes that there may be as many as 17,978 credit or debit card issuers under the FTC’s
jurisdiction, including state-chartered credit unions, retailers, and certain universities, businesses,
and telecommunications companies. FTC staff estimates that most of these card issuers already
have automated the process of notifying the cardholder or are using other means to assess the
validity of the change of address, such that implementation will pose no further burden.
Nevertheless, in order to be conservative, FTC staff estimates that it will take the 17,978 card
issuers four hours to develop and implement policies and procedures to assess the validity of a
change of address request for a total burden of 71,912 hours.
Section 315 - Address Discrepancies Rule:
Affected Public: State-chartered credit unions, non-bank lenders, insurers, landlords,
employers, mortgage brokers, motor vehicle dealers, collection agencies, and any other person
who requests a consumer report from a nationwide consumer reporting agencies as described in
section 603(p) of the FCRA.
Estimated Hours Burden:
As discussed above, the Address Discrepancies Rule provides guidance on reasonable
policies and procedures that a user of consumer reports must employ when a user receives a
notice of address discrepancy from a consumer reporting agency.. Given the broad scope of users
of consumer reports, it is difficult to determine with precision the number of users of consumer
reports that are subject to the FTC’s jurisdiction. As previously noted, there are numerous small
businesses under the FTC’s jurisdiction, and there is no formal way to track them; moreover, as a
whole, the entities under the FTC’s jurisdiction are so varied that there are no general sources that
provide a record of their existence. Nonetheless, Commission staff estimates that the Rule affects
approximately 1,757,385 users of consumer reports subject to its jurisdiction.10 Approximately
10
This estimate is derived from an analysis of Census database of U.S. businesses based on NAICS codes for
businesses in industries that typically use consumer reports from consumer reporting agencies as described in
the Rule, but as further narrowed by sectors subject to the FTC’s jurisdiction.
7
10,000 of these users will, in the course of their usual and customary business practices, have to
furnish to consumer reporting agencies an address confirmation upon notice of a discrepancy.11
Although section 315 created a new obligation for consumer reporting agencies to provide
a notice of address discrepancy to users of consumer reports, prior to FACTA’s enactment, users
of consumer reports could compare the address on the consumer report to the address provided by
the consumer, and discern for themselves any discrepancy. As a result, FTC staff believes that
many users of consumer reports have developed methods of reconciling address discrepancies so
that the following estimates represent the incremental amount of time it will take users of
consumer reports to develop and comply with the policies and procedures for when they receive a
notice of address discrepancy.
Due to the varied nature of the entities under the jurisdiction of the FTC, it is difficult to
determine the appropriate burden estimates. Nonetheless, FTC staff estimates that it would take
an infrequent user no more than 16 minutes to develop and follow the policies and procedures
that it will employ when it receives a notice of address discrepancy, whereas a frequent user may
take one hour. Similarly, FTC staff estimates that, during the remaining two years of the
clearance, it may take an infrequent user no more than one minute to comply with the policies and
procedures that it will employ when it receives a notice of address discrepancy, whereas a
frequent user may take 45 minutes. Taking into account these extremes, FTC staff estimates that,
during the first year of the clearance, it will take users of consumer reports under the jurisdiction
of the FTC an average of 38 minutes [the midrange between 16 minutes and 60 minutes] to
develop and comply with the policies and procedures that they will employ when they receive a
notice of address discrepancy. FTC staff also estimates that the average recurring burden during
the remaining two years of the clearance period will be 23 minutes [the midrange between one
minute and 45 minutes].
Thus, for these 1,757,385 entities, the average annual burden for each of them to perform
these collective tasks will be 28 minutes [(38+23+23) ÷3]; cumulatively, 820,113 hours. For the
estimated 10,000 users of consumer reports that will additionally have to furnish to consumer
reporting agencies an address confirmation upon notice of a discrepancy, staff estimates that these
entities will require 30 minutes to develop related policies and procedures. But these 10,000
affected entities likely will have automated the process of furnishing the correct address in the
first year of a three-year PRA clearance cycle. Thus, allowing for 30 minutes in the first year,
with no annual recurring burden in the second and third year of clearance, yields an average
annual burden of 10 minutes per entity to furnish a correct address to a consumer reporting
agency, for a total of 1,667. Accordingly, the total estimated burden for Section 315 is revised to
821,780 hours.
11
Report to Congress Under Sections 318 and 319 of the Fair and Accurate Credit Transactions of 2003,
Federal Trade Commission, at 80 (Dec. 2004), available at
http://www.ftc.gov/reports/facta/041209factarpt.pdf.
8
Estimated Labor Cost: $76,345,468 ($62,375,208 for section 114 and $13,970,260
for section 315)
Section 114: Red Flags and Card Issuers Rules
FTC staff derived labor costs by applying appropriate estimated hourly cost figures to the
burden hours described above. It is difficult to calculate with precision the labor costs associated
with the Rules, as they entail varying compensation levels of management and/or technical staff
among companies of different sizes. In calculating the cost figures, staff assumes that entities,
professional technical personnel and/or managerial personnel will create and implement the
Program, prepare the annual report, train employees, and assess the validity of a change of
address request at an hourly rate of $42.12
Based on the above estimates and assumptions, the total annual labor costs for all
categories of covered entities under the Red Flags and Card Issuers Rules for section 114 is
$62,375,208 (1,485,124 hours x $42).
Section 315 - Address Discrepancies Rule
FTC staff assumes that the policies and procedures for compliance with the Address
Discrepancies Rule will be set up by administrative support personnel at an hourly rate of $17.13
Based on the above estimates and assumptions, the total annual labor cost for the two categories
of burden under section 315 is $13,970,260 [(820,113 hours +1,667 hours) x $17].
13.
Estimated Capital and Other Non-Labor Costs
The FTC staff believes that the Rules impose negligible capital or other non-labor costs,
as the affected entities are likely to have the necessary supplies and/or equipment already (e.g.,
offices and computers) for the information collections described herein.
14.
Estimated Cost to the Federal Government
FTC staff estimates that a representative year’s cost to the FTC of administering the Rules
requirements during the 3-year clearance period sought will be approximately $56,385. This
represents three-tenths of an attorney work year, including employee benefits.
12
This estimate is based on mean hourly wages found at “Occupational Employment and Wages - May
2011,” Bureau of Labor Statistics, U.S. Department of Labor, Table 1, released March 2012, for the various
managerial and technical staff support exemplified above.
http://www.bls.gov/news.release/archives/ocwage_03272012.pdf (“BLS Table 1”).
13
This estimate is based on hourly wages for administrative support staff (computer operators, data entry,
word processors, and typists) found at BLS Table 1. See supra note 12.
9
15.
Program Changes or Adjustments
Prior cleared burden hours totaled 6,151,062 hours, comprising 5,374,728 hours for
section 114 of the FACT Act + 776,334 hours for section 315 of the FACT Act. The instant
revised burden totals, 2,306,904 hours, consist of 1,485,124 hours for section 114 and 821,780
hours for section 315. These variances are explained below.
FACT Act Section 114
The reduced totals are largely attributable to two statutory changes since the last
clearance. First, since the FTC’s preceding clearance request of 2009, President Obama signed
the Dodd-Frank Wall Street Reform and Consumer Protection Act, which, among other things,
transferred rulemaking responsibility to and established enforcement authority for the CFTC and
the SEC with respect to their respective jurisdiction. Entities within the jurisdiction of the CFTC
and SEC include certain brokers, dealers, investment companies, investment advisors futures
commission merchants, retail foreign exchange dealers, commodity trading advisors, commodity
pool operators, introducing brokers, swap dealers, and major swap participants. The CFTC and
SEC are now accounting for these entities in their Paperwork Reduction Act estimated burdens.14
Second, in 2010, President Obama signed the Clarification Act, which reduced the number
of creditors covered by the Red Flags Rule. While the Clarification Act does not set forth
specific industry exemptions, it provides that, to be covered by the Red Flags Rule, creditors must
use consumer reports, furnish information to consumer reporting agencies, or advance funds to
consumers. As a result, the number of creditors – especially small businesses and service
providers – has been greatly reduced. Commission staff estimates that, as a result of the
Clarification Act, the number of covered creditors within the FTC’s jurisdiction has been reduced
from nearly 2 million15 to 160,614.16
14
CFTC and SEC, Identity Theft Red Flags Rules, 77 Fed. Reg. 13,450, 13,452, 13,463 - 13464, 13,66613,669 (Mar. 6, 2012) (Joint Proposed Rules and Guidelines).
15
This was the sum of an estimated 1,622,029 low-risk entities and 320,217 high-risk entities previously
explained in the FTC’s 2009 clearance request. See 74 Fed. Reg. 42,303, 42,405 nn. 7 and 8 (Aug. 21, 2009).
16
http://www.census.gov/econ/susb/ (Statistics of U.S. Businesses, “U.S., All industries”: 2009 “County
Business Patterns” spreadsheet); http://www.nascus.org/facts-figures/index.php (National Association of State
Credit Union Supervisors, “State Credit Union Facts & Figures”);
http://nces.ed.gov/programs/digest/d11/tables/dt11_005.asp (National Center for Education Statistics, “Digest
of Education Statistics”).
10
FACT Act Section 315
For the Address Discrepancy Rule, FTC staff estimates that the number of covered entities
(users of consumer reports) has increased from 1.66 million17 estimated in the FTC’s 2006 and
2009 clearance requests to 1,757,385 users of consumer reports, based on more recent data.18
These estimates are based upon an analysis of Census databases of U.S. businesses based on
NAICS codes for industries subject to the FTC’s jurisdiction that typically use consumer reports
from consumer reporting agencies.
16.
Publishing Results of the Collection of Information
There are no plans to publish any information for statistical use.
17.
Display of Expiration Date for OMB Approval
Not applicable.
18.
Exceptions to the Certifications for PRA Submissions
Not applicable.
17
Based on the U.S. Census Bureau’s 2003 “County Business Patterns” (issued September 2005) and 2002
Economic Census. The actual tally of covered entities was 1,658,758, but the FTC rounded that figure to 1.66
million in its 2006 and 2009 Federal Register notices.
18
Based on data drawn from sources cited to in footnote 16 above and, in addition:
http://www.census.gov/econ/smallbus.html (Statistics about Business Size, including Small Business, Table
2a: “Employment Size of Employer and Nonemployer Firms, 2008”);
http://www.census.gov/econ/industry/hierarchy/i5311.htm (Census Industry Statistics Sampler,
“Nonemployers: 2007”).
11
File Type | application/pdf |
File Title | H:\Red Flags\Red Flags '12 SS fin_mtd.wpd |
Author | ggreenfield |
File Modified | 2012-09-25 |
File Created | 2012-09-25 |