Download:
pdf |
pdfFederal Trade Commission
Supporting Statement for Information Collection Provisions in the Identity Theft
Red Flags, Card Issuers, and Address Discrepancy Rules
(OMB Control #: 3084-0137)
The Federal Trade Commission (“FTC” or “Commission”) requests renewed
Office of Management and Budget (“OMB”) clearance for the collections of information
in the rules implementing sections 114 and 315 of the Fair and Accurate Credit
Transactions Act of 2003 (“FACT Act”), as amended by the Dodd-Frank Wall Street
Reform and Consumer Protection Act (“Dodd-Frank Act”)1 and the Red Flags Program
Clarification Act of 2010 (“Clarification Act”).2 These rules3 enhance the ability of
consumers to resolve problems caused by identity theft and increase the accuracy of
consumer reports.
1.
Necessity for Collecting and Retaining the Information
FACT Act Section 114
Section 114 of the FACT Act, 15 U.S.C. § 1681m(e), amended section 615 of the
Fair Credit Reporting Act (“FCRA”) to require the Commission, among other things, to
issue:
A regulation requiring each financial institution and creditor to develop and implement
a written Identity Theft Prevention Program (“Program”) to detect, prevent, and
mitigate identity theft in connection with existing accounts or the opening of new
accounts (“Red Flags Rule”); and
A regulation generally requiring credit and debit card issuers to assess the validity of
change of address requests (“Card Issuers Rule”).
FACT Act Section 315
Section 315 of the FACT Act, 15 U.S.C. § 1681c(h), amended section 605 of the
FCRA to require the Federal Trade Commission to issue regulations providing guidance
regarding reasonable policies and procedures that a user of consumer reports must employ
when a user receives a notice of address discrepancy from a consumer reporting agency
(“Address Discrepancy Rule”). On July 21, 2010, the Dodd-Frank Wall Street Reform
and Consumer Protection Act (“Dodd-Frank Act”) was enacted. The Dodd-Frank Act
substantially changed the federal legal framework for financial services providers.
Among the changes, the Dodd-Frank Act transferred to the Bureau of Consumer Financial
1
Pub. L. 111-203 (2010).
Red Flag Program Clarification Act of 2010, 15 U.S.C. 1681m(e)(4).
3
Red Flags Rule (16 C.F.R. 681.1); Card Issuers Rule (16 C.F.R. 681.2); and Address
Discrepancy Rule (16 C.F.R. 641) (collectively, “Rules”).
2
Protection the Commission's rulemaking authority under portions of the FCRA. The FTC
retained rulemaking and enforcement authority for the Address Discrepancy Rule to the
extent the rule applies to motor vehicle dealers described in section 1029(a) of the DoddFrank Act that are predominantly engaged in the sale and servicing of motor vehicles, the
leasing and servicing of them, or both. See 77 Fed. Reg. 22200, 22201 (Apr. 13, 2012).
The Commission is authorized to maintain the Address Discrepancy Rule pursuant to
section 1029(c) of the Dodd-Frank Act and section 504(a) of the Gramm-Leach-Bliley
Act, and the rule remains in effect to the extent that it applies to motor vehicle dealers.
Id. The FTC also retains its authority to bring law enforcement actions to enforce both its
Address Discrepancy Rule and the Bureau of Consumer Financial Protection’s
corresponding rule. Id.
The rule requires covered motor vehicle dealers that use consumer reports
(“users”) to develop and implement reasonable policies and procedures to:
Enable a user to form a reasonable belief that it knows the identity of the person for
whom it has obtained a consumer report, and
Reconcile the address of the consumer with the consumer reporting agency, if the user
establishes a continuing relationship with the consumer and regularly and in the
ordinary course of business furnishes information to the consumer reporting agency.
2.
Use of the Information
FACT Act Section 114
As required by section 114, the Red Flags Rule requires financial institutions and
covered creditors within the FTC’s jurisdiction to identify patterns, practices, and specific
forms of activity that indicate the possible existence of identity theft. The Red Flags Rule
also requires each covered entity to establish reasonable policies and procedures to
address the risk of identity theft. In addition, each covered entity must create a Program
and report to the board of directors, a committee thereof, or senior management at least
annually on compliance with the Red Flags Rule. In addition, staff of covered entities
must be trained to carry out the Program.
Further, the Card Issuers Rule requires credit card and debit card issuers to develop
policies and procedures to assess the validity of a request for a change of address under
certain circumstances. Each credit and debit card issuer must establish policies and
procedures to assess the validity of a change of address request. The card issuer must
notify the cardholder or use another means to assess the validity of the change of address.
2
FACT Act Section 315
As required by section 315, the Address Discrepancy Rule provides guidance on
reasonable policies and procedures that a covered motor vehicle dealer that is a user of
consumer reports must follow when the user receives a notice of address discrepancy from
a consumer reporting agency. Each user of consumer reports that is a motor vehicle
dealer described in section 1029(a) of the Dodd-Frank Act that is predominantly engaged
in the sale and servicing of motor vehicles, the leasing and servicing of them, or both,
must develop and implement reasonable policies and procedures that it will follow when it
receives a notice of address discrepancy from a consumer reporting agency. In certain
instances, the user must furnish an address that the user has reasonably confirmed to be
accurate to the consumer reporting agency from which it receives a notice of address
discrepancy.
3. Consideration of Using Improved Information Technology to Reduce Burden
Consistent with the aims of the Government Paperwork Elimination Act, 44 U.S.C.
§3504 note, the Rules permit covered financial institutions (including motor vehicle
dealers), creditors, and credit card users great latitude in using new technologies to reduce
compliance costs. Nothing in the Rules precludes the use of electronic methods for
compliance purposes. For example, the Red Flags Rule was drafted to be flexible and in
a technologically neutral manner so that covered entities would not be forced to acquire
expensive new technology in order to comply with that rule.
4.
Efforts to Identify Duplication/Availability of Similar Information
FTC staff has not identified any other federal or state statutes, rules, or policies
that duplicate, overlap, or conflict with the Rules. To the extent that there exist any such
state laws, sections 114 and 314 of the FACT Act preempt them.
5.
Efforts to Minimize Burdens on Small Businesses
Although the reach of the Red Flags Rule is broad, the Rule nonetheless permits
maximum flexibility, enabling each covered entity to prepare a Program tailored to its
particular size, sophistication, and prior experience with identity theft. Moreover, since
promulgation of the original Rule, President Obama signed the Clarification Act, which
narrowed the definition of “creditor” for purposes of section 114 of the FCRA.
Specifically, only those creditors using consumer reports, furnishing information to
consumer reporting agencies, or advancing funds are now covered by the Red Flags Rule.
As a practical matter, this means that many small businesses no longer fall within the
scope of the Rule.
3
The Address Discrepancy Rule and Card Issuers Rule minimize the burden on
covered businesses – including small businesses – by building upon standard business
practices, many of which were in use before these two rules were promulgated. As noted
above, only users of consumer reports that are motor vehicle dealers described in section
1029(a) of the Dodd-Frank Act and that are predominantly engaged in the sale and
servicing of motor vehicles, the leasing and servicing of them, or both, are covered under
the Address Discrepancy Rule. It is the usual and customary business practice for users
covered by the Address Discrepancy Rule to furnish information to consumer reporting
agencies in response to notices of address discrepancies. Similarly, many entities covered
by the Card Issuers Rule routinely assess the validity of change of address requests and,
for the most part, have automated the process for doing so. Accordingly, the burden on
businesses covered by the Address Discrepancy Rule and Card Issuers Rule is minimal.
6.
Consequences of Conducting Collection Less Frequently
The burden associated with the Rules is largely attributable to the policies and
procedures that a covered entity must develop to create a Program, to assess the validity of
a change of address request, or to respond to notices of address discrepancy. Once they
are developed, these policies and procedures will only need to be adjusted if they become
ineffective. Similarly, staff of covered entities will need to be trained only once, unless
policies and procedures change.
The Red Flags Rule requires annual reports to the board or senior management of
covered entities. The Commission believes that the board, a committee of the board, or
senior management should monitor compliance through the review of annual reports that
assess the effectiveness of the entity’s Program.
7.
Circumstances Requiring Disclosures Inconsistent with Guidelines
The collection of information required by the Rules is consistent with all
applicable guidelines contained in 5 C.F.R. § 1320.5(d)(2).
8.
Consultation Outside the Agency/Public Comments
In addition to past consultations and public comments sought for the Rule when it
was proposed, the Commission more recently sought public comment regarding its latest
PRA clearance request for this Rule. See 86 Fed. Reg. 57,425 (October 15, 2021). No
germane comments were received. Pursuant to PRA implementing regulations under 5
C.F.R. Part 1320, the Commission is providing a second opportunity for public comment
on the instant burden analysis, contemporaneous with this submission.
4
9.
Payments/Gifts to Respondents
Not applicable.
10. & 11. Assurances of Confidentiality/Matters of a Sensitive Nature
No assurance of confidentiality is necessary because the Rules do not require
financial institutions or creditors to register or file any documents with the Commission.
To the extent that information covered by a recordkeeping requirement is collected by the
Commission for law enforcement purposes, the confidentiality protections of sections 6(f)
and 21 of the FTC Act, 15 U.S.C. §§ 46(f), 57b-2 will apply.
12. Estimated Annual Hours Burden and Associated Labor Costs
A. Estimated Annual Hours of Burden
Section 114 – (1) Red Flags Rule and (2) Card Issuers Rule
Red Flags Rule
Affected Public: Utilities; motor vehicle dealerships; telecommunications firms; colleges
and universities; hospitals; nursing homes; public warehouse and storage firms; fuel
dealers; financial transaction processing firms; other persons satisfying the definition of
“creditor,” as modified by the Red Flags Program Clarification Act of 2010 (the
“Clarification Act”);4 and other categories of persons that qualify as financial institutions.5
Estimated Hours Burden (Red Flags): 359,423 hours
The Red Flags Rule requires financial institutions and certain creditors with covered
accounts to develop and implement a written Program and report to the board of directors,
a committee thereof, or senior management at least annually on compliance with the Rule.
Under the Rule, a “financial institution” is “a State or National bank, a State or Federal
saving and loan association, a mutual savings bank, a State or Federal credit union, or any
4
The Clarification Act narrowed the Fair Credit Report Act’s definition to those creditors that use
consumer reports, furnish information to consumer reporting agencies, or advance funds. 15
U.S.C. 1681(e)(4). As a result, many small businesses, service providers, and other persons that
would ordinarily satisfy the ECOA definition of “creditor” are excluded from the definition of
“creditor” for purposes of the Red Flags Rule.
5
We have focused our analysis on the categories described in this notice, but welcome comments
on whether there are other categories of creditors or financial institutions that we should be
including in the burden analysis.
5
other person that, directly or indirectly, holds a transaction account (as defined in section
19(b) of the Federal Reserve Act, 12 U.S.C. ch. 3) belonging to a consumer.”6
Under the Rule, “creditor” has the same meaning as in section 702 of the Equal
Credit Opportunity Act (ECOA).7 The Clarification Act, however, narrows the definition
to those creditors that use consumer reports, furnish information to consumer reporting
agencies, or advance funds. As a result, many small businesses, service providers, and
other persons that would ordinarily satisfy the ECOA definition of “creditor” will
nonetheless be excluded from the definition of “creditor” for purposes of the Red Flags
Rule.
Nonetheless, the scope of entities covered by the Red Flags Rule within the FTC’s
jurisdiction is broad, making it difficult to determine precisely the number of financial
institutions and creditors that are subject to the FTC’s jurisdiction. There are numerous
businesses under the FTC’s jurisdiction and there is no formal way to track them;
moreover, as a whole, the entities under the FTC’s jurisdiction are so varied that there are
no general sources that provide a record of their existence. Nonetheless, FTC staff
estimates that the Red Flag Rule’s requirement to have a written Program affects over
5,666 financial institutions8 and 157,181 creditors.9
To estimate burden hours for the Red Flags Rule under section 114, FTC staff has
divided affected entities into two categories, based on the nature of their businesses: (1)
6
The Rule refers to the definition of “financial institution” that is found in the Fair Credit
Reporting Act, 15 U.S.C. 1681a(t).
7
15 U.S.C. 1681a(r)(5).
8
The total number of financial institutions is derived from an analysis of state credit unions and
insurers within the FTC’s jurisdiction using 2018 Census data (“County Business Patterns,” U.S.)
and other online industry data.
9
This figure comprises 5,666 financial institutions and 157,181 creditors (92,727 high-risk
entities, excluding financial institutions + 64,454 low-risk creditors). The total number of
financial institutions draws from FTC staff analysis of state credit unions and insurers within the
FTC’s jurisdiction using 2018 Census Bureau data (“Statistics of U.S. Businesses”) and other
online industry data. The total number of creditors draws from FTC staff analysis of 2018 Census
data and industry data for businesses or organizations that market goods and services to consumers
or other businesses or organizations subject to the FTC’s jurisdiction, reduced by entities not likely
to: (1) obtain credit reports, report credit transactions, or advance loans; and (2) entities not likely
to have covered accounts under the Rule. Currently, no further updated Census data is available
online to inform revised estimates.
6
entities that are subject to a high risk of identity theft;10 and (2) entities that are subject to
a low risk of identity theft.11
1. High-Risk Entities
FTC staff estimates that there are approximately 98,383 existing high-risk entities
and that, on an annual basis, there are around 1,447 new high-risk entities.12 FTC staff
estimates that new high-risk entities will each require 25 hours to create and implement a
written Program. FTC staff estimates that existing high-risk entities have likely already
created and implemented a written Program, but will require an annual recurring burden of
one hour. Further, FTC staff estimates that existing entities have already prepared an
annual report and will have an annual recurring burden of one hour to update the report for
each year, but that preparation of an annual report will require four hours initially for each
new high-risk entity. Finally, FTC staff believes that many of the high-risk entities, as
part of their usual and customary business practices, already take steps to minimize losses
due to fraud, including employee training. Accordingly, only relevant staff need to be
trained to implement the Program: for example, staff already trained as part of a covered
entity’s anti-fraud prevention efforts do not need to be re-trained except as incrementally
needed. FTC staff estimates that recurring annual training in connection with the
implementation of a Program of an existing high-risk entity will require one hour each
year, and for new entities will require four hours initially. Thus, the estimated hours of
burden for high-risk entities is as follows:
1,447 new high-risk entities subject to the FTC’s jurisdiction at an average annual
burden of 33 hours per entity [including 25 hours to create and implement the
Program, plus four hours for staff training, plus four hours for preparing the annual
report], for a total of 47,751 hours.
98,383 existing high-risk entities subject to the FTC’s jurisdiction at an average annual
burden of 3 hours per entity [including one hour to update the Program, plus one hour
for staff training, plus one hour for preparing the annual report], for a total of 295,149
annual hours.
10
In general, high risk entities include, for example, financial institutions within the FTC’s
jurisdiction and utilities, motor vehicle dealerships, telecommunications firms, colleges and
universities, and hospitals.
11
Low-risk entities have a minimal risk of identity theft, but have covered accounts. These
include, for example, public warehouse and storage firms, nursing and residential care facilities,
automotive equipment rental and leasing firms, office supplies and stationery stores, fuel dealers,
and financial transaction processing firms.
12
This number was derived from the average annual number of existing high-risk entities, taking
into account that the new entities from year one will become existing entities in year two and the
new entities from year two will become existing entities in year three.
7
In total, 99,830 high-risk entities subject to the FTC’s jurisdiction for a total of
342,900 hours.
2. Low-Risk Entities
FTC staff believes that the burden on low-risk entities to comply with the rules is
minimal. Entities that have a low risk of identity theft, but that have covered accounts,
likely will only need a streamlined Program. FTC staff estimates that any new such
entities will require one hour to create such a Program. Existing entities will only have
an annual recurring burden of 5 minutes. Training staff of low-risk entities to be attentive
to future risks of identity theft and preparing an annual report should require no more than
10 minutes each in an initial year for new entities. Existing entities will only have an
annual recurring burden of 5 minutes each. Thus, the estimated hours of burden for lowrisk entities is as follows:
307 new low-risk entities13 that have covered accounts subject to the FTC’s
jurisdiction at an average annual burden of approximately 80 minutes per entity
[including 60 minutes to create and implement a streamlined Program, plus ten
minutes for staff training and ten minutes for preparing the annual report], for a total
of 409 hours.
64,454 existing low-risk entities14 that have covered accounts subject to the FTC’s
jurisdiction at an average annual burden of approximately 15 minutes per entity
[including five minutes for updating of streamlined Program, plus five minutes for
staff training, and five minutes for preparing annual report], for a total of 16,114
hours.
In total, 64,761 low-risk entities subject to the FTC’s jurisdiction for a total of 16,523
hours.
Card Issuers Rule
Affected Public: State-chartered credit unions; general merchandise stores; colleges and
universities; telecommunications firms; and other persons satisfying the definition of
“creditor,” as modified by the Clarification Act.
Estimated Hours Burden (Card Issuers): 20,508 hours
13
Estimates of new and existing low-risk entities are derived from an analysis of a database of
U.S. businesses based on NAICS codes for businesses that market goods or services to consumers
or other businesses within the FTC’s jurisdiction, reduced further to: (1) those that satisfy the
Clarification Act’s definition of “creditor” and (2) those that are likely to have covered accounts.
14
This number was derived from the average annual number of existing low-risk entities, taking
into account that the new entities from year one will become existing entities in year two and the
new entities from year two will become existing entities in year three.
8
The Card Issuers Rule requires credit and debit card issuers to establish policies and
procedures to assess the validity of a change of address request, including notifying the
cardholder or using another means of assessing the validity of the change of address.
FTC staff believes that there may be as many as 18,894 credit or debit card issuers under
the FTC’s jurisdiction, including state-chartered credit unions, retailers, and certain
universities, businesses, and telecommunications companies. FTC staff estimates that on
an annual basis, approximately 538 of these card issuers may be new entrants that will
need to develop and implement policies and procedures to assess the validity of a change
of address request. FTC staff estimates that process will take approximately four hours
for a total burden of 2,152 hours. FTC staff estimates that the remaining 18,356 card
issuers likely already have automated the process of notifying the cardholder or are using
other means to assess the validity of the change of address, such that implementation will
pose no further burden. Nevertheless, in order to be conservative, FTC staff estimates
that it will take the 18,356 card issuers one hour to review and maintain policies and
procedures to assess the validity of a change of address request for a total burden of
18,356 hours. Collectively, the total burden for the 18,894 card issuers is 20,508 hours.
Section 315 - Address Discrepancy Rule
Affected Public: Users of consumer reports that are motor vehicle dealers described in
section 1029(a) of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the
Dodd-Frank Act), 12 U.S.C. 5519, and that are predominantly engaged in the sale and
servicing of motor vehicles, the leasing and servicing of them, or both (below, referenced
as “users”).
Estimated Hours Burden:
As discussed above, the Address Discrepancy Rule provides guidance on reasonable
policies and procedures that a user of consumer reports must employ when a user receives
a notice of address discrepancy from a consumer reporting agency. The FTC Address
Discrepancy Rule covers only users of consumer reports that are motor vehicle dealers
described in section 1029(a) of the Dodd-Frank Act and that are predominantly engaged in
the sale and servicing of motor vehicles, the leasing and servicing of them, or both.
Assuming that every covered motor vehicle dealer is a user of consumer reports, FTC staff
estimates that the Rule affects approximately 44,000 entities. FTC staff also estimates
that approximately 2,000 of those motor vehicle dealers may be new entrants who have
not previously implemented procedures to comply with this rule.
For the 2,000 new entrants, FTC staff estimates that it would take an infrequent
user of consumer reports no more than 16 minutes to develop and follow the policies and
procedures that it will employ when it receives a notice of address discrepancy, whereas a
frequent user may take one hour. Taking into account these extremes, FTC staff
estimates that, during the first year of the clearance, for the 2,000 new entrants, it will take
users of consumer reports an average of 38 minutes [the midpoint between 16 minutes and
9
60 minutes] to develop and comply with the policies and procedures that they will employ
when they receive a notice of address discrepancy.
For the 42,000 existing motor vehicle dealers, FTC staff expects that the policies
and procedures that they will employ when they receive a notice of address discrepancy
will have already been developed. Accordingly, during the three years of the clearance, it
may take an infrequent user of consumer reports no more than one minute to comply with
the policies and procedures that it will employ when it receives a notice of address
discrepancy, whereas a frequent user of consumer reports may take 45 minutes. FTC
staff estimates that the average annual burden for the 42,000 existing motor vehicle
dealers will be 23 minutes [the midpoint between one minute and 45 minutes].
Thus, for the 2,000 new entrants, the average annual burden for each of them to
perform these collective tasks will be 38 minutes; cumulatively, 1,267 hours. For the
42,000 existing motor vehicle dealers, the average annual burden for each of them to
perform these collective tasks will be 23 minutes; cumulatively, 16,100 hours.
Collectively, the total burden for the 44,000 motor vehicle dealers will be 17,367 hours.15
B. Estimated Labor Cost: $20,103,752 ($19,756,412 for section 114 and $347,340 for
section 315)
Section 114 - Red Flags and Card Issuers Rules
FTC staff derived labor costs by applying appropriate estimated hourly cost figures
to the burden hours described above. It is difficult to calculate with precision the labor
costs associated with the Rules, as they entail varying compensation levels of management
and/or technical staff among companies of different sizes. In calculating the cost figures,
staff assumes that entities’ professional technical personnel and/or managerial personnel
will create and implement the Program, prepare the annual report, train employees, and
assess the validity of a change of address request at an hourly rate of $52.16
15
The above-noted customer verification requirements and the estimate of 17,367 hours concern
16 CFR 641.1(c). In addition, 16 CFR 641.1(d) requires users that (a) furnish a consumer’s
address to a consumer reporting agency, and (b) have established a continuing relationship with
the consumer, to develop and implement reasonable policies and procedures for furnishing an
address for the consumer that the user has reasonably confirmed is accurate. The FTC previously
estimated that the cumulative burden hours associated with 16 CFR 641.1(d) would be de minimis.
Thus, the estimate above concerns solely 16 CFR 641.1(c).
16
This estimate is based on mean wages (hourly) found at
https://www.bls.gov/news.release/pdf/ocwage.pdf (“Bureau of Labor Statistics, Occupational
Employment and Wages – May 2020,” March 31, 2021, Table 1, “National employment and
wage data from the Occupational Employment and Wage Statistics survey by occupation,
May 2020”) for the various managerial and technical staff support exemplified above
(administrative service managers, computer & information systems managers, training &
10
Based on the above estimates and assumptions, the total annual labor costs for all
categories of covered entities under the Red Flags and Card Issuers Rules for section 114
is $19,756,412 (379,931 hours x $52).
Section 315 - Address Discrepancy Rule
FTC staff assumes that the policies and procedures for compliance with the
Address Discrepancy Rule will be set up by administrative support personnel at an hourly
rate of $20.17 Based on the above estimates and assumptions, the total annual labor cost
for the two categories of burden under section 315 is $347,340 [(17,367 hours x $20)].
13. Estimated Capital and Other Non-Labor Costs
The FTC staff believes that the Rules impose negligible capital or other non-labor
costs, as the affected entities are likely to have the necessary supplies and/or equipment
already (e.g., offices and computers) for the information collections described herein.
14.
Estimated Cost to the Federal Government
FTC staff estimates that a representative year’s cost to the FTC of administering
the Rules requirements during the 3-year clearance period sought will be approximately
$65,516. This represents three-tenths of an attorney work year, including employee
benefits.
15.
Program Changes or Adjustments
The estimates for 2018-2019 greatly overstated the number of businesses that
would be required to comply with the Address Discrepancy Rule. The Rule covers only
users of consumer reports that are motor vehicle dealers described in section 1029(a) of
the Dodd-Frank Act and that are predominantly engaged in the sale and servicing of motor
vehicles, the leasing and servicing of them, or both. Thus, the annual burden hours and
labor costs were significantly adjusted downward for 2021-2022.
16.
Publishing Results of the Collection of Information
There are no plans to publish any information for statistical use.
development managers, computer systems analysts, network & computer systems analysts,
computer support specialists) (hereinafter “BLS Table 1”).
17
This estimate is based on mean wages (hourly) for office and administrative support
occupations found within BLS Table 1 (see supra note 16).
11
17.
Display of Expiration Date for OMB Approval
Not applicable.
18.
Exceptions to the Certifications for PRA Submissions
Not applicable.
12
File Type | application/pdf |
File Modified | 0000-00-00 |
File Created | 0000-00-00 |