Download:
pdf |
pdfSupporting Statement for Information Collection Provisions in the Identity Theft
Red Flags, Card Issuers, and Address Discrepancies Rules
(OMB Control #: 3084-0137)
The Federal Trade Commission (“FTC” or “Commission”) requests renewed
Office of Management and Budget (“OMB”) clearance for the collections of information
in the rules implementing sections 114 and 315 of the Fair and Accurate Credit
Transactions Act of 2003 (“FACT Act”), as amended by the Red Flags Program
Clarification Act of 2010 (“Clarification Act”).1 These rules2 enhance the ability of
consumers to resolve problems caused by identity theft and increase the accuracy of
consumer reports.
1.
Necessity for Collecting and Retaining the Information
FACT Act Section 114
Section 114 of the FACT Act, 15 U.S.C. § 1681m(e), amended section 615 of the
Fair Credit Reporting Act (“FCRA”) to require the Commission, among other things, to
issue:
A regulation requiring each financial institution and creditor to develop and implement
a written Identity Theft Prevention Program (“Program”) to detect, prevent, and
mitigate identity theft in connection with existing accounts or the opening of new
accounts (“Red Flags Rule”); and
A regulation generally requiring credit and debit card issuers to assess the validity of
change of address requests (“Card Issuers Rule”).
FACT Act Section 315
Section 315 of the FACT Act, 15 U.S.C. § 1681c(h), amended section 605 of the
FCRA to require the Federal Trade Commission to issue regulations providing guidance
regarding reasonable policies and procedures that a user of consumer reports must employ
when a user receives a notice of address discrepancy from a consumer reporting agency
(“Address Discrepancies Rule”). This rule must describe reasonable policies and
procedures for users of consumer reports to:
1
2
Red Flag Program Clarification Act of 2010, 15 U.S.C. 1681m(e)(4).
The three rules – Red Flags Rule (16 C.F.R. 681.1); Card Issuers Rule (16 C.F.R. 681.2); and
Address Discrepancies Rule (16 C.F.R. 641), (collectively, “Rules”) – were issued jointly with Office
of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal
Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union
Administration.
Enable a user to form a reasonable belief that it knows the identity of the person for
whom it has obtained a consumer report, and
Reconcile the address of the consumer with the consumer reporting agency, if the user
establishes a continuing relationship with the consumer and regularly and in the
ordinary course of business furnishes information to the consumer reporting agency.
2.
Use of the Information
FACT Act Section 114
As required by section 114, the Red Flags Rule requires financial institutions and
covered creditors within the FTC’s jurisdiction to identify patterns, practices, and specific
forms of activity that indicate the possible existence of identity theft. The Red Flags Rule
also requires each covered entity to establish reasonable policies and procedures to address
the risk of identity theft. In addition, each covered entity must create a Program and
report to the board of directors, a committee thereof, or senior management at least
annually on compliance with the Red Flags Rule. In addition, staff of covered entities
must be trained to carry out the Program.
Further, the Address Discrepancies Rule requires credit card and debit card issuers
to develop policies and procedures to assess the validity of a request for a change of
address under certain circumstances. Each credit and debit card issuer must establish
policies and procedures to assess the validity of a change of address request. The card
issuer must notify the cardholder or use another means to assess the validity of the change
of address.
FACT Act Section 315
As required by section 315, the Address Discrepancies Rule provides guidance on
reasonable policies and procedures that a user of consumer reports must follow when a
user receives a notice of address discrepancy from a consumer reporting agency. Each
user of consumer reports within the FTC’s jurisdiction must develop reasonable policies
and procedures that it will follow when it receives a notice of address discrepancy from a
consumer reporting agency. In certain instances, a user of consumer reports must furnish
an address that the user has reasonably confirmed to be accurate to the consumer reporting
agency from which it receives a notice of address discrepancy.
3. Consideration of Using Improved Information Technology to Reduce Burden
Consistent with the aims of the Government Paperwork Elimination Act, 44 U.S.C.
§3504 note, the Rules permit covered financial institutions, creditors, and credit card users
great latitude in using new technologies to reduce compliance costs. Nothing in the Rules
2
precludes the use of electronic methods for compliance purposes. For example, the Red
Flags Rule was drafted to be flexible and in a technologically neutral manner so that
covered entities would not be forced to acquire expensive new technology in order to
comply with that rule.
4.
Efforts to Identify Duplication/Availability of Similar Information
FTC staff has not identified any other federal or state statutes, rules, or policies that
duplicate, overlap, or conflict with the Rules. To the extent that there exist any such state
laws, sections 114 and 314 of the FACT Act preempt them.
5.
Efforts to Minimize Burdens on Small Businesses
Although the reach of the Red Flags Rule is broad, the Rule nonetheless permits
maximum flexibility, enabling each covered entity to prepare a Program tailored to its
particular size, sophistication, and prior experience with identity theft. Moreover, since
promulgation of the original Rule, President Obama signed the Clarification Act, which
narrowed the definition of “creditor” for purposes of section 114 of the FCRA.
Specifically, only those creditors using consumer reports, furnishing information to
consumer reporting agencies, or advancing funds are now covered by the Red Flags Rule.
As a practical matter, this means that many small businesses no longer fall within the
scope of the Rule.
The Address Discrepancies Rule and Card Issuers Rule minimize the burden on all
covered business – including small businesses – by building upon standard business
practices, many of which were in use before these two rules were promulgated. For
example, it is the usual and customary business practice (except in connection with new
deposit relationships) for users of consumer reports covered by the Address Discrepancies
Rule to furnish information to consumer reporting agencies in response to notices of
address discrepancies. Similarly, many entities covered by the Card Issuers Rule
routinely assess the validity of change of address requests and, for the most part, have
automated the process for doing so. Accordingly, the burden on all businesses covered by
the Address Discrepancies Rule and Card Issuers Rule is minimal.
6.
Consequences of Conducting Collection Less Frequently
The burden associated with the Rules is largely attributable to the policies and
procedures that a covered entity must develop to create a Program, to assess the validity of
a change of address request, or to respond to notices of address discrepancy. Once they are
developed, these policies and procedures will only need to be adjusted if they become
ineffective. Similarly, staff of covered entities will need to be trained only once, unless
policies and procedures change.
3
The Red Flags Rule requires annual reports to the board or senior management of
covered entities. The Commission believes that the board, a committee of the board, or
senior management should monitor compliance through the review of annual reports that
assess the effectiveness of the entity’s Program.
7.
Circumstances Requiring Disclosures Inconsistent with Guidelines
The collection of information required by the Rules is consistent with all applicable
guidelines contained in 5 C.F.R. § 1320.5(d)(2).
8.
Consultation Outside the Agency/Public Comments
In addition to past consultations and public comments sought for the Rule when it
was proposed, the Commission more recently sought public comment regarding its latest
PRA clearance request for this Rule. See 80 Fed. Reg. 42,806 (July 20, 2015). No
relevant comments were received. Pursuant to PRA implementing regulations under 5
C.F.R. Part 1320, the Commission is providing a second opportunity for public comment
on the instant burden analysis, contemporaneous with this submission.
9. Payments/Gifts to Respondents
Not applicable.
10. & 11. Assurances of Confidentiality/Matters of a Sensitive Nature
No assurance of confidentiality is necessary because the Rules do not require
financial institutions or creditors to register or file any documents with the Commission.
To the extent that information covered by a recordkeeping requirement is collected by the
Commission for law enforcement purposes, the confidentiality protections of sections 6(f)
and 21 of the FTC Act, 15 U.S.C. §§ 46(f), 57b-2 will apply.
12. Estimated Annual Hours Burden and Associated Labor Costs
2,296,864 total burden hours (1,420,069 hours for section 114 + 876,795 hours for
section 315); $92,466,036, labor costs ($76,683,726 for section 114 and $15,782,310
for section 315)
4
Section 114: Red Flags and Card Issuers Rules
A.
Red Flags Rule
Affected Public: Utilities; motor vehicle dealerships; telecommunications firms;
colleges and universities; hospitals; nursing homes; public warehouse and storage
firms; fuel dealers; financial transaction processing firms; other persons satisfying the
definition of “creditor,” as modified by the Clarification Act.
Estimated Hours Burden: 1,420,069 hours
The Red Flags Rule requires financial institutions and certain creditors with
covered accounts to develop and implement a written Program and report to the board
of directors, a committee thereof or senior management at least annually on
compliance with the Rule. Under the Rule, a “financial institution” is “a State or
National bank, a State or Federal saving and loan association, a mutual savings bank, a
State or Federal credit union, or any other person that, directly or indirectly, holds a
transaction account (as defined in section 19(b) of the Federal Reserve Act, 12 U.S.C.
ch. 3) belonging to a consumer.”3
Under the Rule, “creditor” has the same meaning as in section 702 of the Equal
Credit Opportunity Act (ECOA).4 The Clarification Act, however, narrows the
definition to those creditors that use consumer reports, furnish information to
consumer reporting agencies, or advance funds. As a result, many small businesses,
service providers, and other persons that would ordinarily satisfy the ECOA definition
of “creditor” will nonetheless be excluded from the definition of “creditor” for
purposes of the Red Flags Rule.
Nonetheless, the scope of entities covered by the Red Flags Rule within the
FTC’s jurisdiction is broad, making it difficult to determine precisely the number of
financial institutions and creditors that are subject to the FTC’s jurisdiction. There are
numerous businesses under the FTC’s jurisdiction and there is no formal way to track
them; moreover, as a whole, the entities under the FTC’s jurisdiction are so varied that
there are no general sources that provide a record of their existence. Nonetheless,
3
The Rule refers to the definition of “financial institution” that is found in FCRA, 15 U.S.C.
§ 1681a(t).
4
15 U.S.C. §1681a(r)(5).
5
FTC staff estimates that the Red Flag Rule’s requirement to have a written Program
affects over 6,298 financial5 institutions and almost 156,004 creditors.6
To estimate burden hours for the Red Flags Rule under section 114, FTC staff
has divided affected entities into two categories, based on the nature of their
businesses: (1) entities that are subject to a high risk of identity theft;7 and (2) entities
that are subject to a low risk of identity theft.8
1.
High-Risk Entities
FTC staff estimates that high-risk entities will each require 25 hours to create
and implement a written Program, with an annual recurring burden of one hour. FTC
staff anticipates that these entities will incorporate into their Programs policies and
procedures that they likely already have in place. Further, FTC staff estimates that
preparation of an annual report will require each high-risk entity four hours initially,
with an annual recurring burden of one hour. Finally, FTC staff believes that many of
the high-risk entities, as part of their usual and customary business practices, already
take steps to minimize losses due to fraud, including conducting employee training.
Accordingly, only relevant staff need to be trained to implement the Program: for
example, staff already trained as part of a covered entity’s anti-fraud prevention efforts
do not need to be re-trained except as incrementally needed. FTC staff estimates that
training in connection with the implementation of a Program of a high-risk entity will
require four hours, and recurring annual training thereafter will require one hour.
Thus, the estimated hours burden for high-risk entities is as follows:
• 101,328 high-risk entities subject to the FTC’s jurisdiction at an average
annual burden of 13 hours per entity [average annual burden over 3-year clearance
5
The total number of financial institutions is derived from an analysis of state credit unions and
insurers within the FTC’s jurisdiction using 2012 Census data (“County Business Patterns,” U.S.) and
other online industry data.
6
The total number of creditors (156,004) draws from FTC staff analysis of 2012 Census data and
industry data for businesses or organizations that market goods and services to consumers or other
businesses or organizations subject to the FTC’s jurisdiction, reduced by entities not likely to: (1)
obtain credit reports, report credit transactions, or advance loans; and (2) entities not likely to have
covered accounts under the Rule.
7
In general, high-risk entities include, for example, financial institutions within the FTC’s
jurisdiction and utilities, motor vehicle dealerships, telecommunications firms, colleges and
universities, and hospitals.
8
Low-risk entities have a minimal risk of identity theft, but have covered accounts. These include,
for example, public warehouse and storage firms, nursing and residential care facilities, automotive
equipment rental and leasing firms, office supplies and stationery stores, fuel dealers, and financial
transaction processing firms.
6
period for creation and implementation of Program ((25+1+1) ÷3), plus average annual
burden over 3-year clearance period for staff training ((4+1+1) ÷3), plus average
annual burden over 3-year clearance period for preparing annual report ((4+1+1) ÷3),
for a total of 1,317,264 hours.
2.
Low-Risk Entities
FTC staff believes that the burden on low-risk entities to comply with the rules
is minimal. Entities that have a low risk of identity theft, but that have covered
accounts, likely will only need a streamlined Program. FTC staff estimates that such
entities will require one hour to create such a Program, with an annual recurring
burden of 5 minutes. Training staff of low-risk entities to be attentive to future risks
of identity theft should require no more than 10 minutes in an initial year, with an
annual recurring burden of 5 minutes. Thus, the estimated hours burden for low-risk
entities is as follows:
• 60,974 low-risk entities9 that have covered accounts subject to the FTC’s
jurisdiction at an average annual burden of approximately 37 minutes per entity
[average annual burden over 3-year clearance period for creation and
implementation of streamlined Program ((60+5+5) ÷3), plus average annual burden
over 3-year clearance period for staff training ((10+5+5) ÷3), plus average annual
burden over 3-year clearance period for preparing annual report ((10+5+5) ÷3], for
a total of 37,601 hours.
B.
Card Issuers Rule
Affected Public: State-chartered credit unions; general merchandise stores; colleges
and universities; telecommunications firms; and other persons satisfying the definition
of “creditor,” as modified by the Clarification Act.
Estimated Hours Burden: 65,204 hours
The Card Issuers Rule requires credit and debit card issuers to establish policies
and procedures to assess the validity of a change of address request, including
notifying the cardholder or using another means of assessing the validity of the change
of address. FTC staff believes that there may be as many as 16,301 credit or debit
card issuers under the FTC’s jurisdiction, including state-chartered credit unions,
retailers, and certain universities, businesses, and telecommunications companies.
9
This figure is derived from an analysis of a database of U.S. businesses based on NAICS codes for
businesses that market goods or services to consumers or other businesses within the FTC’s
jurisdiction, reduced further by: (1) those that satisfy the Clarification Act’s definition of “creditor”
and (2) those that are likely to have covered accounts.
7
FTC staff estimates that most of these card issuers already have automated the process
of notifying the cardholder or are using other means to assess the validity of the change
of address, such that implementation will pose no further burden. Nevertheless, in
order to be conservative, FTC staff estimates that it will take the 16,301 card issuers
four hours to develop and implement policies and procedures to assess the validity of a
change of address request for a total burden of 65,204 hours.
Section 315 - Address Discrepancies Rule:
Affected Public: State-chartered credit unions, non-bank lenders, insurers, landlords,
employers, mortgage brokers, motor vehicle dealers, collection agencies, and any other
person who requests a consumer report from a nationwide consumer reporting agencies
as described in section 603(p) of the FCRA.
Estimated Hours Burden:
As discussed above, the Address Discrepancies Rule provides guidance on
reasonable policies and procedures that a user of consumer reports must employ when
a user receives a notice of address discrepancy from a consumer reporting agency.
Given the broad scope of users of consumer reports, it is difficult to determine with
precision the number of users of consumer reports that are subject to the FTC’s
jurisdiction. As previously noted, there are numerous small businesses under the
FTC’s jurisdiction, and there is no formal way to track them; moreover, as a whole, the
entities under the FTC’s jurisdiction are so varied that there are no general sources that
provide a record of their existence. Nonetheless, Commission staff estimates that the
Rule affects approximately 1,875,275 users of consumer reports subject to its
jurisdiction.10 Approximately 10,000 of these users will, in the course of their usual
and customary business practices, have to furnish to consumer reporting agencies an
address confirmation upon notice of a discrepancy.11
Although section 315 created a new obligation for consumer reporting agencies
to provide a notice of address discrepancy to users of consumer reports, prior to
FACTA’s enactment, users of consumer reports could compare the address on the
consumer report to the address provided by the consumer, and discern for themselves
any discrepancy. As a result, FTC staff believes that many users of consumer reports
10
This estimate is derived from an analysis of Census databases of U.S. businesses based on NAICS
codes for businesses in industries that typically use consumer reports from CRAs described in the
Rule, which total 1,875,275 users of consumer reports subject to the FTC’s jurisdiction.
11
Report to Congress Under Sections 318 and 319 of the Fair and Accurate Credit Transactions of
2003, Federal Trade Commission, 80 (Dec. 2004) available at
http://www.ftc.gov/reports/facta/041209factarpt.pdf.
8
have developed methods of reconciling address discrepancies so that the following
estimates represent the incremental amount of time it will take users of consumer
reports to develop and comply with the policies and procedures for when they receive a
notice of address discrepancy.
Due to the varied nature of the entities under the jurisdiction of the FTC, it is
difficult to determine the appropriate burden estimates. Nonetheless, FTC staff
estimates that it would take an infrequent user no more than 16 minutes to develop and
follow the policies and procedures that it will employ when it receives a notice of
address discrepancy, whereas a frequent user may take one hour. Similarly, FTC staff
estimates that, during the remaining two years of the clearance, it may take an
infrequent user no more than one minute to comply with the policies and procedures
that it will employ when it receives a notice of address discrepancy, whereas a frequent
user may take 45 minutes. Taking into account these extremes, FTC staff estimates
that, during the first year of the clearance, it will take users of consumer reports under
the jurisdiction of the FTC an average of 38 minutes [the midrange between 16
minutes and 60 minutes] to develop and comply with the policies and procedures that
they will employ when they receive a notice of address discrepancy. FTC staff also
estimates that the average recurring burden during the remaining two years of the
clearance period will be 23 minutes [the midrange between one minute and 45
minutes].
Thus, for these 1,875,275 entities, the average annual burden for each of them
to perform these collective tasks will be 28 minutes [(38+23+23) ÷3]; cumulatively,
875,128 hours. For the estimated 10,000 users of consumer reports that will
additionally have to furnish to consumer reporting agencies an address confirmation
upon notice of a discrepancy, staff estimates that these entities will require 30 minutes
to develop related policies and procedures. But these 10,000 affected entities likely
will have automated the process of furnishing the correct address in the first year of a
three-year PRA clearance cycle. Thus, allowing for 30 minutes in the first year, with
no annual recurring burden in the second and third year of clearance, yields an average
annual burden of 10 minutes per entity to furnish a correct address to a consumer
reporting agency, for a total of 1,667. Accordingly, the total estimated burden for
Section 315 is revised to 876,795 hours.
Estimated Labor Cost: $92,466,036 ($76,683,726 for section 114 and $15,782,310
for section 315)
Section 114: Red Flags and Card Issuers Rules
FTC staff derived labor costs by applying appropriate estimated hourly cost
figures to the burden hours described above. It is difficult to calculate with precision
9
the labor costs associated with the Rules, as they entail varying compensation levels of
management and/or technical staff among companies of different sizes. In calculating
the cost figures, staff assumes that entities, professional technical personnel and/or
managerial personnel will create and implement the Program, prepare the annual
report, train employees, and assess the validity of a change of address request at an
hourly rate of $54.12
Based on the above estimates and assumptions, the total annual labor costs for
all categories of covered entities under the Red Flags and Card Issuers Rules for
section 114 is $76,683,726 (1,420,069 hours x $54).
Section 315 - Address Discrepancies Rule
FTC staff assumes that the policies and procedures for compliance with the
Address Discrepancies Rule will be set up by administrative support personnel at an
hourly rate of $18.13 Based on the above estimates and assumptions, the total annual
labor cost for the two categories of burden under section 315 is $15,782,310 [(875,128
hours +1,667 hours) x $18].
13.
Estimated Capital and Other Non-Labor Costs
The FTC staff believes that the Rules impose negligible capital or other non-labor
costs, as the affected entities are likely to have the necessary supplies and/or equipment
already (e.g., offices and computers) for the information collections described herein.
14.
Estimated Cost to the Federal Government
FTC staff estimates that a representative year’s cost to the FTC of administering
the Rules requirements during the 3-year clearance period sought will be approximately
$63,321. This represents three-tenths of an attorney work year, including employee
benefits.
12
This estimate is based on mean hourly wages found at
http://www.bls.gov/news.release/ocwage.t01.htm (“Bureau of Labor Statistics, Economic News
Release,” March 25, 2015, Table 1, “National employment and wage data from the Occupational
Employment Statistics survey by occupation, May 2014”) for the various managerial and technical
staff support exemplified above (administrative service managers, computer & information systems
managers, training & development managers, computer systems analysts, network & computer
systems analysts, computer support specialists) (hereinafter “BLS Table 1”).
13
This estimate – rounded to the nearest dollar --is based on mean hourly wages for all management
occupations found within BLS Table 1 (see supra note 12).
10
15.
Program Changes or Adjustments
Prior cleared burden hours totaled 2,306,904 hours, comprising 1,485,124 hours
for section 114 of the FACT Act and 821,780 hours for section 315 of the FACT Act, and
labor costs of $62,375,208 for section 114 and $13,970,260 for section 315. The instant
revised burden totals, 2,296,864 hours, consist of 1,420,069 hours for section 114 and
876,795 hours for section 315, and labor costs of $76,683,726 for section 114 and
$15,782,310 for section 315.
The changes in estimated burden hours regarding sections 114 and 315 compliance are
attributable to varying population estimates tied to the sources of data noted above.
Offsetting that were higher estimated hourly wages currently assigned to the labor
categories used ($54 versus $42 for “professional technical personnel and/or managerial
personnel” and $18 versus $17 for “administrative support personnel”).
16.
Publishing Results of the Collection of Information
There are no plans to publish any information for statistical use.
17.
Display of Expiration Date for OMB Approval
Not applicable.
18.
Exceptions to the Certifications for PRA Submissions
Not applicable.
11
File Type | application/pdf |
File Modified | 2015-09-29 |
File Created | 2015-09-29 |