Supporting statement

4-4-13 Red Flag SUPPORTING STATEMENT FINAL 04 09 13.docx

Part 162 - Protection of Consumer Information under the Fair Credit Reporting Act


OMB: 3038-0067


SUPPORTING STATEMENT FOR NEW AND REVISED INFORMATION COLLECTIONS


OMB CONTROL NUMBER 3038-0067

Red Flag Rule


Justification


  1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.


On July 21, 2010, President Obama signed into law the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”). Title X of the Dodd-Frank Act, which is titled the Consumer Financial Protection Act of 2010 (“CFP Act”), established a Bureau of Consumer Financial Protection within the Federal Reserve System and gave this new agency certain rulemaking, enforcement, and supervisory powers over many consumer financial products and services, as well as the entities that sell them. In addition, Title X amended a number of other federal consumer protection laws enacted prior to the Dodd-Frank Act, including the Fair Credit Reporting Act (“FCRA”).


Within Title X, section 1088(a)(8),(10) of the Dodd-Frank Act amended the FCRA by adding the Commodity Futures Trading Commission (“CFTC”) and the Securities and Exchange Commission (“SEC,” together with the CFTC, the “Commissions”) to the list of federal agencies required to jointly prescribe and enforce identity theft red flags rules and guidelines and card issuer rules. Thus, the Dodd-Frank Act provides for the transfer of rulemaking responsibility and enforcement authority to the CFTC and SEC with respect to the entities under their respective jurisdiction.


Accordingly, the Commissions are now jointly issuing final rules and guidelines to implement new statutory provisions enacted by Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act. These provisions amend section 615(e) of the FCRA and direct the Commissions to prescribe rules requiring entities that are subject to the Commissions’ jurisdiction to address identity theft in two ways. First, the final rules and guidelines require financial institutions and creditors to develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The Commissions also are issuing guidelines to assist entities in the formulation and maintenance of a program that would satisfy the requirements of the final rules. Second, the final rules establish special requirements for any credit and debit card issuers that are subject to the Commissions’ jurisdiction, to assess the validity of notifications of changes of address under certain circumstances.

2. Indicate how, by whom, and for what purpose the data would be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.

Under part 162, subpart C, CFTC regulated entities – which presently would include approximately 260 CFTC registrants plus 125 new CFTC registrants pursuant to Title VII of the Dodd-Frank Act – may be required to design, develop and implement reasonable policies and procedures to identify relevant red flags, and potentially to notify cardholders of identity theft risks. In addition, CFTC-regulated entities are required to: (i) collect information and keep records for the purpose of ensuring that their Programs meet requirements to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account; (ii) develop and implement reasonable policies and procedures to identify, detect and respond to relevant red flags, as well as periodic reports related to the Program; and (iii) from time to time, notify cardholders of possible identity theft with respect to their accounts, as well as assess the validity of those accounts.


The OMB Notice of Action dated September 25, 2012, requested that the CFTC itemize what information will be collected and maintained for purposes of detecting, preventing, and mitigating identity theft for established and new covered accounts. The final rule does not delineate lists of required items that must be maintained for an identity theft program, but rather offers guidelines on developing appropriate industry-specific programs. The final rule leaves to each financial institution or creditor that offers or maintains one or more covered accounts, the flexibility to develop and implement appropriate programs that are designed to detect, prevent, and mitigate identity theft. Each program must adhere to the requirements of final rule 162.30(d)1 in meeting the complexity and scope of its coverage. Moreover, the burden estimates assume that CFTC-regulated entities already comply with the identity theft red flags rules and guidelines jointly adopted by the FTC with the Agencies, as of December 31, 2010.2 Consequently, these entities may already have in place many of the customary protections addressing identity theft and changes of address required by these regulations. The burden hours and costs are being transferred from the Agencies’ PRA allotment to the CFTC and the CFTC has submitted new Collection Number 3038-0067 to account for the transferred burden hours and costs to the CFTC. However, any initial or one-time burdens associated with compliance with proposed part 162 would apply only to newly formed entities, and the ongoing burden to all CFTC-regulated entities. These existing costs related to proposed § 162.30 would include, for newly formed CFTC-regulated entities, the one-time cost for financial institutions and creditors to conduct initial assessments of covered accounts, create a Program, obtain board approval of the Program, and train staff. 
The existing costs would also include the ongoing cost to periodically review and update the program, report periodically on the Program, and conduct periodic assessments of covered accounts.



3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g. permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.


Electronic filing or submission is acceptable for the information collections required by this rule.


4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.


The rules apply to entities over which the Commission has been granted enforcement authority under the FCRA.


The Commission’s final rules will not duplicate requirements imposed by other agencies, such as substantially similar FTC and the “Agencies” regulations issued in 2007. These final rules may be merged into existing identity theft prevention or privacy programs already in existence with regulated entities.


These burden estimates assume that CFTC-regulated entities already comply with the identity theft red flags rules and guidelines jointly adopted by the FTC with the Agencies, as of December 31, 2010. Consequently, these entities may already have in place many of the customary protections addressing identity theft and changes of address required by these regulations.


5. If the collection of information involves small business or other small entities (Item 5 of OMB Form 83-I), describe the methods used to minimize burden.


The information collection requirements of the new Identity Theft Red Flags rule apply to all CFTC-covered entities, including small entities. However, because the Commission believes that the new rules impose minimal burdens, no significant burden would be imposed on small entities.


6. Describe the consequence to the Federal Program or policy activities if the collection were conducted less frequently as well as any technical or legal obstacles to reducing burden.


Less frequent collection would not be consistent with the intent of the rules, which is to require financial institutions and creditors to have reasonable policies and procedures to respond appropriately to any red flags that are detected. The final rule would require financial institutions and creditors to have reasonable policies and procedures to ensure that the program is updated periodically, to reflect changes in risks to customers, and assure the safety and soundness of the financial institutions and creditors.


7. Explain any special circumstances that require the collection to be conducted in a manner:


- requiring respondents to report information to the agency more often than quarterly;


See response to Question 6, above.


- requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it:


This question does not apply.


- requiring respondents to submit more than an original and two copies of any document;


There is no such requirement.


- requiring respondents to retain records other than health, medical, government contract, grant-in-aid, or tax records, for more than three years;


For enforcement purposes, Commission Rule 1.31 requires that:


“All books and records required to be kept by the (Commodity Exchange) Act or by these regulations shall be kept for a period of five years from the date thereof and shall be readily accessible during the first two years of the five year period. All such books and records shall be open to inspection by any representative of the Commission or the U.S. Department of Justice.”


- in connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study;


The rule does not involve statistical surveys.


- requiring the use of a statistical data classification that has not been reviewed and approved by OMB;


The rule does not involve the use of statistical data.


- that includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or


The rule does not involve pledges of confidentiality.


- requiring respondents to submit proprietary trade secrets, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law.


The rule does not involve submission of proprietary trade secrets or other such information to the Commission.


8. If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the agency's notice required by 5 C.F.R. 1320.8(d), soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.


The proposed rule was published at 77 FR 13450, 03/06/12.


The CFTC received 10 comment letters on the proposed rule. Only two comments, directed at both agencies, questioned the estimated costs and benefits of the proposed rule. These comments were from the Options Clearing Corporation (“OCC”), and joint comments from the Financial Services Roundtable and Securities Industry and Financial Markets Association (“FSR/SIFMA”).


FSR/SIFMA maintained that the Commissions’ initial and ongoing compliance costs of the proposal were low and unrealistic. It argued that an average of 2,000 hours of initial compliance burden was appropriate for large, complex financial institutions, that at least 400 hours of ongoing compliance costs annually was appropriate, and that those hours would likely increase for institutions that conduct multiple lines of business, and that the proposal’s estimated compliance costs fail to consider the cost to third-party service providers that may be affected by the rule.


The OCC maintained that an entity that maintains no accounts that carry a reasonably foreseeable risk of identity theft would still incur compliance costs that exceed any consumer or supervisory benefit because it must periodically reassess whether it maintains any such accounts.


The CFTC has concluded that adjustments to the burden are not warranted. The burden estimates assume that CFTC-regulated entities already comply with the identity theft red flags rules jointly adopted by the FTC with the Agencies, as of December 31, 2010. Consequently, these entities may already have in place many of the customary protections for assessing and addressing identity theft as required by these regulations. Also, any outsourcing to affiliate or third-party service providers is merely shifting burden from an entity that is directly subject to the rules to the service provider, but the total burden remains unchanged.


The final rules would also not have an effect on the OCC’s costs. To the extent that OCC should be complying with the identity theft red flags rules, the final rules do not contain any new requirements, nor expand the scope of the rules, thus the OCC should not incur any additional costs other than the costs incurred under the previous regulatory framework.



Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.


The Commission’s new rule was adopted jointly with the SEC, following considerable consultation. The Agencies were also consulted regarding their substantially similar rules. In addition, the Commission maintains ongoing, informal dialogue with the industry concerning various matters including paperwork burdens.

Consultation with representatives of those from whom information is to be obtained or those who must compile records should occur at least once every three years—even if the collection of information activity is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.


No such circumstances are anticipated.


9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.


The question does not apply.


10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulations, or agency policy.

The Commission will protect proprietary information according to the Freedom of Information Act and the regulations that the Commission has promulgated to protect the confidentiality of collected information contained in 17 CFR 145, “Commission Records and Information.” In addition, section 8(a) of the CEA provides for the confidentiality of data and information except under the limited circumstances delineated therein. The Commission also is required to protect certain information pursuant to the Privacy Act of 1974.


11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.

The question does not apply.


12. Provide estimates of the hour burden of the collection of information. The Statement should:


- Indicate the number of respondents, frequency of response, annual hour burden and an explanation of how the burden was estimated. Unless directed to do so, agencies should not conduct special surveys to obtain information on which to base hour burden estimates. Consultation with a sample (fewer than ten) of potential respondents is desirable. If the hour burden on respondents is expected to vary widely because of differences in activity, size or complexity, show the range of estimated hour burden, and explain the reasons for the variance. Generally, estimates should not include burden hours for customary and usual business practices.


- If the request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in Item 13 of OMB Form 83-I.


- Provide estimates of annualized cost to respondents for the hours burdens for collections of information, identifying and using appropriate wage rate categories. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 13.


These burden estimates assume that CFTC-regulated entities already comply with the identity theft red flags rules and guidelines jointly adopted by the FTC with the Agencies, as of December 31, 2010. Consequently, these entities may already have in place many of the customary protections addressing identity theft and changes of address required by these regulations. While existing and newly formed entities would need to conduct an initial assessment to determine whether they have covered accounts for which they would need to develop a Program, existing entities may already have in place many of the customary protections for assessing and addressing identity theft and would not incur an initial burden. Any initial or one-time burdens associated with compliance with proposed part 162 would apply only to newly formed entities, and the ongoing burden to all CFTC-regulated entities. These existing costs related to proposed § 162.30 would include, for newly formed CFTC-regulated entities, the one-time cost for financial institutions and creditors to conduct initial assessments of covered accounts, create a Program, obtain board approval of the Program, and train staff. The existing costs would also include the ongoing cost to periodically review and update the program, report periodically on the Program, and conduct periodic assessments of covered accounts.



Initial Burden


The CFTC estimates that the one-time burden of compliance with part 162 for its regulated entities with covered accounts would be: (i) 25 hours to develop and obtain board approval of a Program, (ii) 4 hours for staff training, and (iii) 2 hours to conduct an initial assessment of covered accounts, totaling 31 hours. Of the 31 hours, the CFTC estimates that 15 hours would involve internal counsel, 14 hours expended by administrative assistants, and 2 hours by the board of directors in total, for those newly-regulated entities.


The CFTC estimates that approximately 702 newly formed FCMs, IBs, CTAs and CPOs 3 would need to conduct an initial assessment of covered accounts. Also, as noted above, the CFTC estimates that approximately 125 newly registered SDs and MSPs would need to conduct an initial assessment of covered accounts. The total number of newly registered CFTC registrants would be 827 entities. Each of these 827 entities would need to conduct an initial assessment of covered accounts, for a total of 1,654 hours.4 Of these 827 entities, CFTC staff estimates that approximately 179 of these entities may maintain covered accounts. Accordingly, the CFTC estimates the one-time burden for these 179 entities to be 5,191 hours,5 for a total burden among newly registered entities of 6,845 hours.6


The CFTC estimates that approximately 3,071 entities may maintain covered accounts, and that they would be required to periodically review their accounts to determine if they comply with these rules, for a total of 6,142 hours for these entities.7 Of these 3,071 entities, the CFTC estimates that approximately 385 would maintain covered accounts, and thus would need to incur the additional burdens related to complying with the rule, for a total of 2,310 hours.8 The total ongoing burden for all CFTC registrants is 8,452 hours.9


Initial Recordkeeping Burden:


Initial assessment:

Total number of entities: 827

Average number of annual responses by each entity: 1

Estimated average hours per response: 2

Frequency of collection: Annually

Total annual burden: 827 entities x 1 response x 2 hours = 1,654 burden hours


Estimate for covered accounts:

Total number of entities with covered accounts: 179

Average number of annual responses by each entity: 1

Estimated average hours per response: 29 (see footnote 10)

Frequency of collection: Annually

Annual burden of entities with covered accounts: 179 entities x 1 response x 29 hours = 5,191 burden hours

Total annual burden for newly registered entities: 6,845.


Ongoing Recordkeeping Burden:


Total number of entities: 3,071

Average number of annual responses by each entity: 1

Estimated average hours per response: 2

Frequency of collection: Periodically

Total annual burden: 3,071 entities x 1 response x 2 hours = 6,142 burden hours


Total number of entities with covered accounts: 385

Average number of annual responses by each entity: 1

Estimated average hours per response: 6

Frequency of collection: Periodically

Annual burden of entities with covered accounts: 385 entities x 1 response x 6 hours = 2,310 burden hours

Total annual burden for newly registered entities: 6,142 hours + 2,310 hours = 8,452








13. Provide an estimate of the total annual cost burden to respondents or recordkeepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14).


- The cost estimate should be split into two components; (a) a total capital and start-up cost component (annualized over its expected useful life) and (b) a total operation and maintenance and purchase of services component. The estimates should take into account costs associated with generating, maintaining, and disclosing or providing the information. Include descriptions of methods used to estimate major costs factors including system and technology acquisition, expected useful life of capital equipment, the discount rate(s), and the time period over which costs will be incurred. Capital and start-up costs include, among other items, preparations for collecting information such as purchasing computers and software, monitoring, sampling, drilling and testing equipment, and record storage facilities.


- If cost estimates are expected to vary widely, agencies should present ranges of cost burdens and explain the reasons for the variance. The cost of purchasing or contracting out information collection services should be a part of this cost burden estimate, agencies may consult with a sample of respondents (fewer than ten), utilize the 60-day pre-OMB submission public comment process and use existing economic or regulatory impact analysis associated with the rulemaking containing the information collection, as appropriate.


- Generally, estimates should not include purchases of equipment or services, or portions thereof, made: (1) prior to October 1, 1995, (2) to achieve regulatory compliance with requirements not associated with the information collection, (3) for reasons other than to provide information or keep records for the government, or (4) as part of customary and usual business or private practices.


The information collection required by the regulations would not involve any capital or start-up capital, operations or maintenance costs as the Commission anticipates that the CFTC-regulated entities already comply with the identity theft red flags rules and guidelines jointly adopted by the FTC with the Agencies, as of December 31, 2010. Consequently, these entities may already have in place many of the customary protections addressing identity theft and changes of address required by these regulations.


14. Provide estimates of the annualized costs to the Federal Government. Also provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing and support staff), and any other expense that would not have been incurred without this collection of information. Agencies may also aggregate cost estimates from Items 12, 13, and 14 in a single table.


The regulation does not impose any regular reporting requirements; only periodic reports are required. Accordingly, the Commission does not anticipate that the requirements would impose any additional costs to the Federal Government.


15. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-I.


The program changes or adjustments are required by the Dodd-Frank Wall Street Reform and Consumer Protection Act, which established a new regulatory scheme.

16. For collection of information whose results are planned to be published for statistical use, outline plans for tabulation, statistical analysis, and publication. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.


This question does not apply.

17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.


This question does not apply.

18. Explain each exception to the certification statement identified in Item 19, "Certification for Paperwork Reduction Act Submissions," of OMB Form 83-I.


This question does not apply.


1 Section 162.30(d) provides, “Establishment of an Identity Theft Prevention Program–(1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Identity Theft Prevention Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.”

2 The FCRA required several federal agencies to issue joint rules and guidelines regarding the detection, prevention, and mitigation of identity theft for entities that are subject to their respective enforcement authorities (also known as the “identity theft red flags rules”). Those agencies are the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation (“FDIC”), the Office of Thrift Supervision, the National Credit Union Administration (“NCUA”), and the Federal Trade Commission (“FTC”) (together, the “Agencies”). See Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 72 FR 63718 (Nov. 9, 2007)(“2007 Adopting Release”).


3 Based on a review of new registrations typically filed with the CFTC each year, CFTC staff estimates that approximately 7 FCMs, 225 IBs, 400 CTAs, and 140 CPOs are newly formed each year, for a total of 772 entities. CFTC staff also has observed that approximately 50 percent—or 70—of all CPOs are duly registered as CTAs. Based on this observation, CFTC has determined that the total number of newly formed financial institutions and creditors is 702 (772 – 70 CPOs that are also registered as CTAs). With respect to RFEDs, CFTC staff has observed that all entities registering as RFEDs also register as FCMs. Each of these 702 financial institutions or creditors would bear the initial one-time burden of compliance with the final identity theft rules and guidelines and final card issuer rules.

Of the total 702 newly formed entities, staff estimates that all of the FCMs are likely to carry covered accounts, 10 percent of CTAs and CPOs are likely to carry covered accounts, and none of the IBs are likely to carry covered accounts, for a total of 54 newly formed financial institutions or creditors carrying covered accounts that would be required to conduct an initial one-time burden of compliance with subpart C of Part 162.

4 This estimate is based on the following calculation: 827 entities x 2 hours = 1,654 hours.

5 This estimate is based on the following calculation: 179 entities x 29 hours = 5,191 hours.

6 This estimate is based on the following calculation: 1,654 hours for all newly registered CFTC registrants + 5,191 hours for the one-time burden of newly registered entities with covered accounts, for a total of 6,845 hours.

7 This estimate is based on the following calculation: 3,071 entities x 2 hours = 6,142 hours. (The Proposing Release contained an arithmetic error in the calculation for the total ongoing burden for all CFTC registrants. The total number of hours was erroneously calculated to total 76,498 hours rather than 6,498. See 77 FR 13450, 13467.)

8 This estimate is based on the following calculation: 385 entities x 6 hours = 2,310 hours.

9 This estimate is based on the following calculation: 6,142 hours + 2,310 hours = 8,452 hours.

10 The total burden—5,191—is divided by the 179 estimated entities, to equal 29.

File Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author: GSCOTT
File Modified: 0000-00-00
File Created: 2021-01-29
