Supporting Statement for 30-Day Notice for ID Theft Red Flag Rules 7-27-16 Edits 11-21-16

Part 162 - Protection of Consumer Information under the Fair Credit Reporting Act

OMB: 3038-0067




SUPPORTING STATEMENT FOR NEW AND REVISED INFORMATION COLLECTIONS

OMB CONTROL NUMBER 3038 - 0067

Justification


1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.

Under part 162 subpart C-Identity Theft Red Flags (“part 162”),1 CFTC-regulated entities are required to develop and implement reasonable policies and procedures to identify, detect, and respond to relevant red flags (the “Identity Theft Red Flags Rules”) and, in the case of entities that issue credit or debit cards, to assess the validity of, and communicate with cardholders regarding, address changes. Section 162.30 includes the following “collection of information” requirements for each CFTC-regulated entity that qualifies as a “financial institution” or “creditor” under part 162 and that offers or maintains covered accounts: (1) creation and periodic updating of an identity theft prevention program (“Program”) that is approved by the board of directors, an appropriate committee thereof, or a designated senior management employee; (2) periodic staff reporting to the board of directors on compliance with the Identity Theft Red Flags Rules and related Guidelines (this reporting requirement is set forth in the Guidelines and thus is required to be considered by an entity subject to the Program requirement);2 and (3) training of staff to implement the Program. This collection of information is necessary because the Commission uses the collection of information to discharge its regulatory responsibilities to protect investors from the risks of identity theft.


Section 162.32 includes the following “collection of information” requirements for each CFTC-regulated entity that is a credit or debit card issuer: (1) establishment of policies and procedures that assess the validity of a change of address notification if a request for an additional or replacement card on the account follows soon after the address change; and (2) notification of a cardholder, before issuance of an additional or replacement card, at the previous address or through some other previously agreed‑upon form of communication, or alternatively, assessment of the validity of the address change request through the entity’s established policies and procedures. The collections of information required by section 162.32 will apply only to CFTC regulated entities that issue credit or debit cards. CFTC staff understands that CFTC regulated entities generally do not issue credit or debit cards, but instead may partner with other entities, such as banks, that issue cards on their behalf. These other entities, which are not regulated by the CFTC, are already subject to substantially similar change of address obligations pursuant to other federal regulators’ identity theft red flags rules. Therefore, staff does not expect that any CFTC-regulated entities will be subject to the information collection requirements of section 163.32, and accordingly, staff estimates that there is no hour burden related to section 162.32 for CFTC-regulated entities.


2. Indicate how, by whom, and for what purpose the data would be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.


The regulations in part 162, including the information collection requirements thereunder, are designed to better protect investors from the risks of identity theft. The regulations require entities that are subject to the Commission’s jurisdiction to address identity theft in two ways. First, the Identity Theft Red Flags Rules and related Guidelines require financial institutions and creditors that offer or maintain certain accounts to develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with existing accounts or the opening of new accounts. Second, part 162 establishes special requirements for credit and debit card issuers that are subject to the Commission’s jurisdiction, to assess the validity of notifications of changes of address under certain circumstances. During the course of audits by the Division of Swap Dealers and Intermediary Operations or investigations by the Division of Enforcement of each CFTC-regulated entity, CFTC auditors or investigators check to ensure whether the regulated entity has an identity theft prevention program approved by the board of directors. The subject collection of information is also used to ensure that there is periodic staff reporting to the board of directors on compliance with the Identity Theft Red Flag Rules and related Guidelines, and that staff of the regulated entities have been adequately trained to implement the Program.


3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g., permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.

Commission regulations permit persons subject to recordkeeping requirements to keep their records electronically.


4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.

In adopting the regulations in part 162, the Commission sought to avoid duplication of requirements imposed under other agencies’ rules. For example, the regulations in part 162 are limited to entities under the Commission’s jurisdiction. Although substantially similar to regulations issued in 2007 by the Federal Trade Commission, the federal banking agencies, and the National Credit Union Association (collectively, the “Agencies”), the regulations in part 162 do not apply to entities regulated by other agencies.3 In addition, the Program required under part 162 may be integrated into other identity theft prevention or privacy programs that the financial institution or creditor may already have.



5. If the collection of information involves small business or other small entities (Item 5 of OMB Form 83-I), describe the methods used to minimize burden.

The information collection requirements of part 162 apply to all covered entities subject to the CFTC’s jurisdiction, including those that are small entities. The information collection requirements of part 162 are necessary to help further the investor protection goals of this regulation, and the Commission therefore believes that imposing different requirements on smaller entities would not be consistent with investor protection and the purposes of part 162.


6. Describe the consequence to the Federal Program or policy activities if the collection were conducted less frequently as well as any technical or legal obstacles to reducing burden.

Less frequent collection would not be consistent with the intent of the rules, which is to require financial institutions and creditors to have reasonable policies and procedures to respond appropriately to any red flags that are detected. The final rule would require financial institutions and creditors to have reasonable policies and procedures to ensure that the program is updated periodically, to reflect changes in risks to customers, and assure the safety and soundness of the financial institutions and creditors.


7. Explain any special circumstances that require the collection to be conducted in a manner:

  • requiring respondents to report information to the agency more often than quarterly;

This question does not apply.

  • requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it;

This question does not apply.

  • requiring respondents to submit more than an original and two copies of any document;

This question does not apply.

  • requiring respondents to retain records other than health, medical, government contract, grant-in-aid, or tax records, for more than three years;

For enforcement purposes, Commission Rule 1.31 requires that:


“All books and records required to be kept by the (Commodity Exchange) Act or by these regulations shall be kept for a period of five years from the date thereof and shall be readily accessible during the first two years of the five year period. All such books and records shall be open to inspection by any representative of the Commission or the U.S. Department of Justice.”


  • in connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study;

This question does not apply.

  • requiring the use of a statistical data classification that has not been reviewed and approved by OMB;

This question does not apply.

  • that includes a pledge of confidentiality that is not supported by authority established in statute or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or

This question does not apply.

  • requiring respondents to submit proprietary trade secrets, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law.

The rule does not involve submission of proprietary trade secrets or other such information to the Commission.

8. If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the agency's notice required by 5 CFR 1320.8(d), soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.

The agency’s notice required by 5 CFR 1320.8(d), soliciting comments on the information collection prior to submission to OMB was published at 81 FR 35001 (June 1, 2016). The Commission received no comments in response to its request.



Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping disclosure, or reporting format (if any, and on the data elements to be recorded, disclosed, or reported).

The Commission consulted with the Agencies, which earlier adopted substantially similar rules, in crafting part 162. In addition, the Commission and its staff participate in an ongoing dialogue with representatives of the industry through public conferences, meetings, and informal exchanges. These various forums provide the Commission and the staff with a means of ascertaining and acting upon paperwork burdens confronting the industry.



Consultation with representatives of those from whom information is to be obtained or those who must compile records should occur at least once every 3 years - even if the collection of information activity is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.

No such circumstances are anticipated.

9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.

This question does not apply. The Commission has neither considered nor made any payment or gift to a respondent.

10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulations, or agency policy.

The Commission does not provide respondents with an assurance of confidentiality. The Commission fully complies with section 8(a)(1) of the Commodity Exchange Act, which strictly prohibits the Commission, unless specifically authorized by the Commodity Exchange Act, from making public “data and information that would separately disclose the business transactions or market positions of any person and trade secrets or names of customers.” The Commission has procedures to protect the confidentiality of an applicant’s or registrant’s data. These are set forth in the Commission’s regulations at parts 145 and 147 of title 17 of the Code of Federal Regulations.

11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.

This question does not apply.

12. Provide estimates of the hour burden of the collection of information. The Statement should:

  • Indicate the number of respondents, frequency of response, annual hour burden and an explanation of how the burden was estimated. Unless directed to do so, agencies should not conduct special surveys to obtain information on which to base hour burden estimates. Consultation with a sample (fewer than ten) of potential respondents is desirable. If the hour burden on respondents is expected to vary widely because of differences in activity, size or complexity, show the range of estimated hour burden, and explain the reasons for the variance. Generally, estimates should not include burden hours for customary and usual business practices.

  • If the request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in Item 13 of OMB Form 83-I.

  • Provide estimates of annualized cost to respondents for the hours burdens for collections of information, identifying and using appropriate wage rate categories. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 13.

CFTC staff estimates of time and cost burdens represent the one‑time burden of complying with part 162 for newly‑formed CFTC-regulated entities and the ongoing costs of compliance for all CFTC-regulated entities. Staff estimates also attribute all burdens to entities that are directly subject to the requirements of the rulemaking. An entity directly subject to the part 162 rules that outsources activities to a service provider is, in effect, shifting to that service provider the burden that it would otherwise have carried itself. Under these circumstances, the burden is, by contract, shifted from the entity that is directly subject to part 162 rules to the service provider, but the total amount of burden is not increased. Thus, service provider burdens are already included in the burden estimates provided for entities that are directly subject to the part 162 rules. The time and cost estimates made here are based on conversations with industry representatives and on a review of comments received on the part 162 rules when they were proposed, as well as updated estimates made in the regulatory analyses of the identity theft red flags rules previously issued by the Agencies.


CFTC staff estimates of the hour burdens associated with section 162.30 include the one time burden of complying with this section for newly formed CFTC-regulated entities, as well as the ongoing costs of compliance for all CFTC regulated entities. With respect to the one-time burden hours, staff estimates that each newly-formed financial institution or creditor would incur a burden of 2 hours to conduct an initial assessment of covered accounts. Staff estimates that this burden would result in a cost of $760 to each newly-formed financial institution or creditor.4 Staff also estimates that each financial institution or creditor that maintains covered accounts would incur an additional initial burden of 29 hours to develop and obtain board approval of a Program and to train the staff of the financial institution or creditor.5 Staff estimates that these burdens would result in additional costs of $13,858 for each financial institution or creditor that offers or maintains covered accounts.

Staff estimates that approximately 572 CFTC regulated financial institutions and creditors are newly formed each year.6 Each of these 572 entities will need to conduct an initial assessment of covered accounts, for a total of 1,144 hours at a total cost of $434,720.7 Of these 572 entities, staff estimates that approximately 47 CFTC regulated financial institutions and creditors that maintain covered accounts are newly formed each year, and thus the total estimated one time burden to develop and obtain board approval of a Program and train staff is 1,410 hours at an additional cost of $651,326.8 Thus, the total initial estimated burden for all newly formed CFTC regulated entities is 2,507 hours at a total estimated cost of $1,086,046.9


With respect to ongoing annual burden hours, CFTC staff estimates that each financial institution or creditor would incur a burden of 2 hours to periodically assess whether it offers or maintains covered accounts. Staff estimates that this burden would result in an annual cost of $760 to each financial institution or creditor.10 To the extent a financial institution or creditor offers or maintains covered accounts, staff estimates that each financial institution or creditor that maintains covered accounts would incur an annual burden of 4 hours to prepare and present an annual report to the board, and an annual burden of 2 hours to periodically review and update the Program (including review and preservation of contracts with service providers, as well as review and preservation of any documentation received from service providers). Staff estimates that these burdens would result in additional annual costs of $5,540 for each financial institution or creditor that offers or maintains covered accounts.11


CFTC staff estimates that there are 3,956 CFTC-regulated entities that are either financial institutions or creditors, and that all of these will be required to periodically review their accounts to determine if they offer or maintain covered accounts, for a total of 7,912 hours for these entities at a total cost of $3,006,560.12 CFTC staff estimates that there are approximately 47 CFTC regulated entities that are financial institutions or creditors that offer or maintain covered accounts, and thus the total estimated additional annual burden for these entities is 282 hours at an additional cost of $260,380.13 Thus, the total ongoing annual estimated burden for all CFTC regulated entities is 8,194 hours at a total estimated annual cost of $3,266,940.14

13. Provide an estimate of the total annual cost burden to respondents or recordkeepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14).

  • The cost estimate should be split into two components; (a) a total capital and start-up cost component (annualized over its expected useful life) and (b) a total operation and maintenance and purchase of services component. The estimates should take into account costs associated with generating, maintaining, and disclosing or providing the information. Include descriptions of methods used to estimate major costs factors including system and technology acquisition, expected useful life of capital equipment, the discount rate(s), and the time period over which costs will be incurred. Capital and start-up costs include, among other items, preparations for collecting information such as purchasing computers and software, monitoring, sampling, drilling and testing equipment, and record storage facilities.

  • If cost estimates are expected to vary widely, agencies should present ranges of cost burdens and explain the reasons for the variance. The cost of purchasing or contracting out information collection services should be a part of this cost burden estimate, agencies may consult with a sample of respondents (fewer than ten), utilize the 60-day pre-OMB submission public comment process and use existing economic or regulatory impact analysis associated with the rulemaking containing the information collection, as appropriate.

  • Generally, estimates should not include purchases of equipment or services, or portions thereof, made: (1) prior to October 1, 1995, (2) to achieve regulatory compliance with requirements not associated with the information collection, (3) for reasons other than to provide information or keep records for the government, or (4) as part of customary and usual business or private practices.

The rule involves no new start-up or operations and maintenance costs.

14. Provide estimates of the annualized costs to the Federal Government. Also provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing and support staff), and any other expense that would not have been incurred without this collection of information. Agencies may also aggregate cost estimates from Items 12, 13, and 14 in a single table.

It is not anticipated that the final regulations will impose any additional costs to the Federal Government.

15. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-I.

The estimated total annual burden decreased to 10,723 hours.15 The decrease in burden is primarily attributable to fewer newly formed CFTC-regulated entities.

16. For collection of information whose results are planned to be published for statistical use, outline plans for tabulation, statistical analysis, and publication. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.

Not applicable.

17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.

Not applicable.

18. Explain each exception to the certification statement identified in Item 19, “Certification for Paperwork Reduction Act Submissions,” of OMB Form 83-I.

Not applicable.

Attachment A


OMB Control Number 3038-0067 – Part 162, Subpart C-Identity Theft

Recordkeeping Burden


1. Regulation(s): 162.30

2. Estimated Number of Respondents: 4,622

3. Estimated Number of Reports by Each Respondent: 1

4. Estimated Average Number of Burden Hours per Response: 2.32

5. Annual Number of Burden Hours per Respondent (3 x 4): 2.32

6. Estimated Average Burden Hour Cost (see note 16): $405.95

7. Total Average Hour Burden Cost Per Respondent (5 x 6): $941.80

8. Total Annual Responses (2 x 3): 4,622

9. Total Annual Number of Burden Hours (2 x 5): 10,723 (see note 17)

10. Total Annual Burden Hour Cost of All Responses (2 x 7): $4,353,000


1 Identity Theft Red Flags Rules, 78 FR 23638 (Apr. 19, 2013) (“Adopting Release”); Identity Theft Red Flags Rules, 77 FR 13450 (Mar. 6, 2012) (“Proposing Release”). The regulations in part 162, 17 CFR part 162 subpart C include section 162.30 (“Duties regarding the detection, prevention, and mitigation of identity theft”), section 162.32 (“Duties of card issuers regarding change of address”), and Appendix A (“Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation”) (the “Guidelines”).

2 Under section 162.30(f), 17 CFR part 162 subpart C, each entity that is required to implement an identity theft red flags program under section 162.30 must consider the Guidelines and incorporate them into its program, as appropriate.

3 See Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 72 FR 63718 (Nov. 9, 2007) (“2007 Adopting Release”). In addition, the Securities and Exchange Commission (“SEC”) adopted rules for the entities it regulates at the same time the Commission adopted the part 162 Subpart C-Identity Theft Red Flags Rules. See Adopting Release, supra.

4 This estimate is based on the following calculation: 2 hours x $380 (hourly rate for internal counsel) = $760. See infra note 5 (discussing the methodology for estimating the hourly rate for internal counsel).

5 CFTC staff estimates that, of the 29 hours incurred to develop and obtain board approval of a Program and train the financial institution’s or creditor’s staff, 10 hours will be spent by internal counsel at an hourly rate of $380, 17 hours will be spent by administrative assistants at an hourly rate of $74, and 2 hours will be spent by the board of directors as a whole at an hourly rate of $4,400. Thus, the estimated $13,858 in additional costs is based on the following calculation: (10 hours x $380 = $3,800), + (17 hours x $74 = $1,258) + (2 hours x $4,400 = $8,800) = $13,858.

The cost estimate for internal counsel is derived from SIFMA’s Management & Professional Earning in the Securities Industry 2013, modified to account for an 1800-hour work-year and multiplied by 5.35 to account for bonuses, entity size, employee benefits, and overhead. The cost estimate for administrative assistants is derived from SIFMA’s Office Salaries in the Securities Industry 2013, modified to account for an 1800-hour work-year and multiplied by 2.93 to account for bonuses, entity size, employee benefits, and overhead. The cost estimate for the board of directors is derived from estimates made by CFTC staff regarding typical board size and compensation that is based on information from industry representatives and publicly-available sources.

6 Based on a review of new registrations typically filed with the CFTC each year, CFTC staff estimates that approximately 6 futures commission merchants (“FCMs”), 83 introducing brokers (“IBs”), 282 commodity trading advisors (“CTAs”), 198 commodity pool operators (“CPOs”), and 3 swap dealers (“SDs”) are newly formed each year, for a total of 572 entities. CFTC staff also has observed that approximately 50 percent of all CPOs are dually registered as CTAs, thus half of the 198 CPOs or 99 CPOs are excluded from the calculation. With respect to retail forex dealers (“RFEDs”), CFTC staff has observed that all entities registering as RFEDs also register as FCMs. Based on these observations, CFTC has determined that the total number of newly-formed financial institutions and creditors is 473 (572-99 CPOs that are also registered as CTAs). There were no newly registered RFEDs or MSPs. Each of these 473 financial institutions or creditors would bear the initial one-time burden of compliance.


Of the total 473 newly-formed entities, staff estimates that all of the FCMs are likely to carry covered accounts, 10 percent of CTAs and CPOs are likely to carry covered accounts, and none of the IBs are likely to carry covered accounts, for a total of 47 newly-formed financial institutions or creditors (6 FCMs, 38 CPOs and CTAs, and 3 SDs) carrying covered accounts that would be required to conduct an initial one-time burden of compliance with part 162.

7 These estimates are based on the following calculations: 572 entities x 2 hours = 1,144 hours; 572 x $760 = $434,720.

8 These estimates are based on the following calculations: 47 financial institutions and creditors that maintain covered accounts x 29 hours = 1,363 hours; 47 financial institutions and creditors that maintain covered accounts x $13,858 = $651,326.

9 These estimates are based on the following calculations: 1,144 hours + 1,363 = 2,507 hours; $1,085,506.

10 This estimate is based on the following calculation: 2 hours x $380 (hourly rate for internal counsel) = $760. See supra note 5.

11 Staff estimates that, of the 4 hours to prepare and present the annual report to the board and periodically review and update the Program, 3 hours will be spent by internal counsel at an hourly rate of $380, and 1 hour will be spent by the board of directors as a whole at an hourly rate of $4,400. Thus, the estimated $5,540 in additional annual costs is based on the following calculation: (3 hours x $380 = $1,140) + (1 hour x $4,400 = $4,400) = $5,540. See supra note 5 (discussing the methodology for estimating the hourly rate for internal counsel and the board of directors).

12 The estimates of 7,912 hours and $3,006,560 are based on the following calculations: 3,956 financial institutions and creditors x 2 hours = 7,912 hours; 3,956 financial institutions and creditors x $760 = $3,006,560.

13 These estimates are based on the following calculations: 47 financial institutions and creditors that maintain covered accounts x 6 hours = 282 hours; 47 financial institutions and creditors x $5,540 = $260,380.

14 These estimates are based on the following calculations: 7,912 hours + 282 hours = 8,194 hours; $3,006,560 + 260,380 = $3,266,940.

15 This estimate is based on the estimated average of 2.32 burden hours per respondent obtained from the estimated aggregate total burden hours for all respondents divided by the total number of respondents.

16 Average salary for a risk management specialist is $144,000 per year according to the SIFMA Report on Management and Professional Earnings in the Securities Industry. Dividing $144,000 per year by 80 hours per 2 weeks for 26 pay periods yields $70 per hour.

17 This estimate is based on the estimated average of 2.32 burden hours per respondent obtained from the estimated aggregate total burden hours for all respondents divided by the total number of respondents.



File Type: application/msword
File Title: Supporting Statement for New and Revised Information Collections
Subject: Supporting Statement required by OMB justifying any proposed collection of information subject to the PRA.
Author: Office of General Counsel (OGC)
Last Modified By: HCastro
File Modified: 2016-11-21
File Created: 2016-11-21
