Federal Trade Commission (“FTC” or “Commission”).
The information collection requirements described below will be submitted to the Office of Management and Budget (“OMB”) for review, as required by the Paperwork Reduction Act (“PRA”). The FTC is seeking public comments on its proposal to extend through September 30, 2012, the current PRA clearance requirements contained in the FTC Red Flags/Card Issuers/Address Discrepancies Rules (“Red Flags Rule” or “Rule”). The current clearance expires on September 30, 2009.
Comments must be submitted on or before September 21, 2009.
Interested parties are invited to submit written comments electronically or in paper form. Comments should refer to “Red Flags Rule, PRA Comment, P095406” to facilitate the organization of comments. Please note that comments—including your name and your state—will be placed on the public record of this proceeding—including on the publicly accessible FTC website, at (http://www.ftc.gov/os/publiccoments/shtm).
Because comments will be made public, they should not include any sensitive personal information, such as an individual’s Social Security number; date of birth; driver’s license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. Comments also should not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, comments should not include any “[t]rade secrets and commercial or financial information obtained from a person and privileged or confidential . . .,” as provided in section 6(f) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c), 16 CFR 4.9(c).
Because paper mail addressed to the FTC is subject to delay due to heightened security screening, please consider submitting your comments in electronic form. Comments filed in electronic form should be submitted by using the following weblink: (http://secure.commentworks.com/ftc-RedFlagsPRA) (and following the instructions on the web-based form). To ensure that the Commission considers an electronic comment, you must file it on the web-based form at the weblink (http://secure.commentworks.com/ftc-RedFlagsPRA). If this Notice appears at (http://www.regulations.gov/search/index.jsp), you may also file an electronic comment through that website. The Commission will consider all comments that regulations.gov forwards to it. You may also visit the FTC website at http://www.ftc.gov to read the Notice and the news release describing it.
A comment filed in paper form should include the “Red Flags Rule, PRA Comment, P095406” reference both in the text and on the envelope, and should be mailed or delivered to the following address: Federal Trade Commission, Office of the Secretary, Room H-135 (Annex J), 600 Pennsylvania Avenue, NW, Washington, DC 20580. The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible, because U.S. postal mail in the Washington area and at the Commission is subject to delay due to heightened security precautions.
All comments should additionally be submitted to: Office of Information and Regulatory Affairs, Office of Management and Budget, Attention: Desk Officer for Federal Trade Commission. Comments should be submitted via facsimile to (202) 395-5167 because U.S. postal mail at the OMB is subject to delays due to heightened security precautions.
FOR FURTHER INFORMATION CONTACT:
Steven Toporoff, Attorney, Bureau of Consumer Protection, (202) 326-2252, Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, DC 20580.
On April 24, 2009, the FTC sought comment on the information collection requirements associated with the Red Flags Rule, 16 CFR Part 681 (Control Number: 3084-0137). 74 FR 18709. No comments were received. Pursuant to the OMB regulations, 5 CFR Part 1320, that implement the PRA, 44 U.S.C. 3501-3521, the FTC is providing this second opportunity for public comment while seeking OMB approval to extend the existing paperwork clearance for the Rule. All comments should be filed as prescribed in the ADDRESSES section above, and must be received on or before September 21, 2009.
I. Overview of the Rule
The Rule implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”). These sections amend the Fair Credit Reporting Act of 1970 (“FCRA”), 15 U.S.C. 1681 et seq., to require businesses to undertake measures to prevent identity theft and to increase the accuracy of consumer reports.
Specifically, section 114 amends section 615 of the FCRA to require creditors and financial institutions to develop and implement written Identity Theft Prevention Programs. Section 114 also mandates specific regulations that require credit and debit card issuers to assess the validity of notifications of changes of address under certain circumstances. Section 315 of the FACT Act adds section 605(h) to the FCRA and requires regulations that provide guidance on what users of consumer reports must do when they receive a notice of address discrepancy from a nationwide consumer reporting agency (“CRA”).
II. Description of Collections of Information
A. Section 114
The Rule requires financial institutions and creditors to develop and implement a written Identity Theft Prevention Program (“Program”) to detect, prevent, and mitigate identity theft in connection with existing accounts or the opening of new accounts. Under the Rule, creditors and financial institutions must conduct a periodic risk assessment to determine if they maintain “covered accounts.” The Rule defines that term as either (1) a consumer account that is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk of identity theft. Each financial institution and creditor that has covered accounts must create a written Program that contains reasonable policies and procedures to identify relevant indicators of the possible existence of identity theft (“Red Flags”); detect Red Flags that have been incorporated into the Program; respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and update the Program periodically to ensure it reflects changes in risks to customers.
The Rule also requires financial institutions and creditors to: (1) obtain approval of the initial written Program by the board of directors, a committee thereof or, if there is no board, an appropriate senior employee; (2) ensure oversight of the development, implementation, and administration of the Program; (3) train staff, as needed, to implement the Program; and (4) exercise appropriate and effective oversight of service provider arrangements. In addition, the Rule implements the section 114 requirement that financial institutions or creditors that issue debit or credit cards (“card issuers”) generally must assess the validity of change of address notifications. Specifically, if the card issuer receives a notice of change of address for an existing account and, within a short period of time (during at least the first 30 days), receives a request for an additional or replacement card for the same account, the issuer must follow reasonable policies and procedures to assess the validity of the change of address through one of three methods.
B. Section 315
The Rule also implements section 315 of the FACT Act and requires each user of consumer reports to have reasonable policies and procedures in place to employ when the user receives a notice of address discrepancy from a CRA. Specifically, each user of consumer reports must develop and implement reasonable policies and procedures to: (1) enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy; and (2) furnish an address for the consumer that the user has reasonably confirmed is accurate to the CRA from which it received a notice of address discrepancy if certain conditions are met.
III. Burden Estimates
Rounded to the nearest thousand, overall estimated burden hours for sections 114 and 315, combined, total 6,151,000 and the associated estimated labor cost is $169,000,000. Staff assumes that affected entities will already have in place, independent of the Rule, equipment and supplies necessary to carry out the tasks necessary to comply with it.
A. Section 114
1. Estimated Hours Burden - Red Flags Rule
As noted above, the Rule requires financial institutions and creditors with covered accounts to develop and implement a written Program. Under the Rule, a “financial institution” is “a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act) belonging to a consumer.” Under the Rule, “creditor” has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA). Section 702 defines “creditor” as any person who “regularly extends, renews or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of any original creditor who participates in the decision to extend, renew, or continue credit.” “Credit” means an arrangement by which you defer payment of debts or accept deferred payment for the purchase of property or services.
Given the broad scope of entities covered, it is difficult to determine precisely the number of financial institutions and creditors that are subject to the FTC’s jurisdiction. There are numerous small businesses under the FTC’s jurisdiction, and there is no formal way to track them; moreover, as a whole, the entities under the FTC’s jurisdiction are so varied that there are no general sources that provide a record of their existence.
Nonetheless, FTC staff estimates that the Rule’s requirement to have a written Program affects over 57,000 financial institutions and almost 2 million creditors. This is a revised estimate of the number of covered financial institutions within the FTC’s jurisdiction. In the PRA burden estimates set forth in the preamble to the Final Rule, the Commission stated that there were 3,664 financial institutions within the FTC’s jurisdiction, namely 3,664 state-chartered credit unions. See 72 FR 63718, 63741 n.61 and accompanying text (Nov. 9, 2007). This estimate misstated the scope of the FTC’s jurisdiction. Under the FCRA, the financial institutions over which the FTC has jurisdiction include not only state-chartered credit unions, but other entities that hold consumer transaction accounts, excluding banks, savings and loan associations, and federal credit unions, which are subject to oversight by the federal bank regulatory agencies and the National Credit Union Administration. In fact, the financial institutions within the FTC’s jurisdiction include, but are not limited to, certain insurance companies, investment companies, broker-dealers, and money service businesses.
To estimate burden hours for the Red Flags Rule under section 114, FTC staff divided affected entities into three categories, based on the nature of their businesses: (1) entities that are subject to a high risk of identity theft; (2) entities that are subject to a low risk of identity theft, but have covered accounts that will require them to have a written Program; and (3) entities that are subject to a low risk of identity theft, but do not have covered accounts.
a. High-Risk Entities
FTC staff estimates that high-risk entities will each require 25 hours to create and implement a written Program, with an annual recurring burden of one hour. FTC staff anticipates that these entities will incorporate into their Programs policies and procedures that they likely already have in place. Further, FTC staff estimates that preparation of an annual report will require each high-risk entity four hours initially, with an annual recurring burden of one hour. Finally, FTC staff believes that many of the high-risk entities, as part of their usual and customary business practices, already take steps to minimize losses due to fraud, including conducting employee training. Accordingly, only relevant staff need be trained to implement the Program: for example, staff already trained as part of a covered entity’s anti-fraud prevention efforts do not need to be re-trained except as incrementally needed. FTC staff estimates that training in connection with the implementation of a Program of a high-risk entity will require four hours, and recurring annual training thereafter will require one hour.
Thus, estimated hours burden for high-risk entities is as follows:
- 20,217 high-risk entities subject to the FTC’s jurisdiction at an average annual burden of 13 hours per entity [average annual burden over 3-year clearance period for creation and implementation of Program ((25+1+1)/3), plus average annual burden over 3-year clearance period for staff training ((4+1+1)/3), plus average annual burden over 3-year clearance period for preparing annual report ((4+1+1)/3)], for a total of 4,162,821 hours.
b. Low-Risk Entities
Entities that have a minimal risk of identity theft, but that have covered accounts, must develop a Program; however, they likely will only need a streamlined Program. FTC staff estimates that such entities will require one hour to create such a Program, with an annual recurring burden of five minutes. Training staff of low-risk entities to be attentive to future risks of identity theft should require no more than 10 minutes in an initial year, with an annual recurring burden of five minutes. FTC staff further estimates that these entities will require, initially, 10 minutes to prepare an annual report, with an annual recurring burden of five minutes.
The Rule does not require entities that determine that they do not have any covered accounts to create a written Program. Thus, such entities will not incur PRA burden.
Thus, the estimated hours burden for low-risk entities is as follows:
- ,622,029 low-risk entities that have covered accounts subject to the FTC’s jurisdiction at an average annual burden of approximately 37 minutes per entity [average annual burden over 3-year clearance period for creation and implementation of streamlined Program ((60+5+5)/3), plus average annual burden over 3-year clearance period for staff training ((10+5+5)/3), plus average annual burden over 3-year clearance period for preparing annual report ((10+5+5)/3)], for a total of 1,000,251 hours.
2. Estimated Hours Burden - Card Issuers Rule
As noted above, section 114 also requires financial institutions and creditors that issue credit or debit cards to establish policies and procedures to assess the validity of a change of address request, including notifying the cardholder or using another means of assessing the validity of the change of address. FTC staff estimates that the Rule affects as many as 52,914 card issuers. This is a revised estimate of the number of card issuers within the FTC’s jurisdiction. In the PRA burden estimates set forth in the preamble to the Final Rule, the Commission stated that there were as many as 3,764 card issuers (consisting of state-chartered credit unions and retailers) within the FTC’s jurisdiction. See 72 FR at 63742. This estimate understated the scope of the FTC’s jurisdiction. The FTC has jurisdiction over additional categories of card issuers, including certain universities, money service businesses, and telecommunication companies. FTC staff believes that most of these card issuers already have automated the process of notifying the cardholder or are using another means to assess the validity of the change of address, such that implementation will pose no further burden. Nevertheless, taking a conservative approach, FTC staff estimates that it will take each card issuer 4 hours to develop and implement policy and procedures to assess the validity of a change of address request for a total burden of 211,656 hours.
Thus, the total average annual estimated burden for Section 114 is 5,377,328 hours.
3. Estimated Cost Burden - Red Flags and Card Issuers Rules
FTC staff estimates labor costs by applying appropriate estimated hourly cost figures to the burden hours described above. It is difficult to calculate with precision the labor costs associated with compliance with the Rule, as they entail varying compensation levels of management (e.g., administrative services, computer and information systems, training and development) and/or technical staff (e.g., computer support specialists, systems analysts, network and computer systems administrators) among companies of different sizes. FTC staff assumes that for all entities, professional technical personnel and/or management personnel will create and implement the Program, prepare the annual report, and train employees, at an hourly rate of $35.00.
Based on the above estimates and assumptions, the total annual labor cost for all categories of covered entities under the Red Flags and Card Issuers Rules for Section 114 is $156,615,480 [(4,162,821 hours + 1,000,251 hours + 211,656 hours) x $35.00].
B. Section 315 - The Address Discrepancy Rule
As discussed above, the Rule’s implementation of section 315 provides guidance on reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a CRA. Given the broad scope of users of consumer reports, it is difficult to determine with precision the number of users of consumer reports that are subject to the FTC’s jurisdiction. As noted above, there are numerous small businesses under the FTC’s jurisdiction, and there is no formal way to track them; moreover, as a whole, the entities under the FTC’s jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the Rule’s implementation of section 315 affects approximately 1.66 million users of consumer reports subject to the FTC’s jurisdiction. Approximately 10,000 of these users will, in the course of their usual and customary business practices, have to furnish to CRAs an address confirmation upon notice of a discrepancy.
FTC staff estimates that the average annual information collection burden during the three-year period for which OMB clearance is sought will be 776,334 hours. The estimated burden is $12,421,344.
1. Estimated Hours Burden
Although section 315 created a new obligation for CRAs to provide a notice of address discrepancy to users of consumer reports, prior to the FACT Act enactment, users of consumer reports could compare the address on the consumer report to the address provided by the consumer and discern for themselves any discrepancy. As a result, FTC staff believes that many users of consumer reports have developed methods of reconciling address discrepancies, and the following estimates represent the incremental amount of time users of consumer reports may require to develop and comply with the policies and procedures for when they receive a notice of address discrepancy.
Due to the varied nature of the entities under the FTC’s jurisdiction, it is difficult to determine precisely the appropriate burden estimates. Nonetheless, FTC staff estimates that it would require an infrequent user of consumer reports no more than 16 minutes to develop and comply with the policies and procedures that it will employ when it receives a notice of address discrepancy, while a frequent user might require one hour. Similarly, FTC staff estimates that, during the remaining two years of clearance, it may take an infrequent user no more than one minute to comply with the policies and procedures it will employ when it receives a notice of address discrepancy, while a frequent user might require 45 minutes. Taking into account these extremes, FTC staff estimates that, during the first year, it will take users of consumer reports under the jurisdiction of the FTC an average of 38 minutes [the midrange between 16 minutes and 60 minutes] to develop and comply with the policies and procedures that they will employ when they receive a notice of address discrepancy. FTC staff also estimates that the average recurring burden for users of consumer reports to comply with the Rule will be 23 minutes [the midrange between one minute and 45 minutes].
Thus, for these 1.66 million entities, the average annual burden for each of them to perform these collective tasks will be 28 minutes [(38 + 23 + 23) ÷ 3]; cumulatively, 774,667 hours.
For the estimated 10,000 users of consumer reports that will additionally have to furnish to CRAs an address confirmation upon notice of a discrepancy, staff estimates that these entities will require 30 minutes to develop related policies and procedures. But, these 10,000 affected entities likely will have automated the process of furnishing the correct address in the first year of a three-year PRA clearance cycle. Thus, allowing for 30 minutes in the first year, with no annual recurring burden in the second and third years of clearance, yields an average annual burden of 10 minutes per entity to furnish a correct address to a CRA, for a total of 1,667 hours.
2. Estimated Cost Burden
FTC staff assumes that the policies and procedures for compliance with the address discrepancy part of the Rule will be set up by administrative support personnel at an hourly rate of $16. Based on the above estimates and assumptions, the total annual labor cost for the two categories of burden under section 315 is $12,421,344 [(774,667 hours + 1,667 hours) x $16.00].
C. Burden Totals for Sections 114 and 315
Cumulatively, then, estimated burden is 6,151,062 hours (5,374,728 hours for section 114 and 776,334 hours for section 315) and $169,036,824 ($156,615,480 and $12,421,344, respectively) in associated labor cost.
1. The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission’s General Counsel, consistent with applicable law and the public interest. See FTC Rule 4.9(c), 16 CFR 4.9(c).
2. The Rule refers to the definition of “financial institution” that is found in the FCRA, 15 U.S.C. § 1681a(t).
3. The Rule defines “credit” and “creditor” by referring to the definition found in the FCRA, 15 U.S.C. § 1681a(r)(5) which, in turn, refers to section 702 of the ECOA.
4. As of December 31, 2005, there were 3,302 state-chartered federally-insured credit unions and 362 state-chartered nonfederally insured credit unions. See (www.ncua.gov/news/quick_facts/quick_facts.html) and “Disclosures for Non-Federally Insured Depository Institutions under the Federal Deposit Insurance Corporation Improvement Act (FDICIA),” 70 FR 12823 (Ma. 16, 2005). As of 2007, there were 3,913 property, casualty and life, and health insurance companies. See Insurance Department Resources Report 2007, published by the National Association of Insurance Commissioners (NAIC). As of September 2007, there were 4,733 registered investment companies. See Securities and Exchange Commission, Proposed Regulation S-P, at 13709 (March 13, 2008). As of December 31, 2007, there were 5,561 broker-dealers. See Securities and Exchange Commission, Amendments to Regulation SHO, Release No. 34-58773, at 45 (Oct. 14, 2008) (available at www.sec.gov/rules/final/2008/34-58773.pdf). As of November 2008, there were 39,408 money service businesses. See Department of the Treasury Financial Crimes Enforcement Network MSB Registration List (available at (www.msb.gov/pdf/msb_registration_list.pdf)).
5. See infra notes 7 and 8 accounting for this sum total.
6. In general, high-risk entities may provide consumer financial services or other goods or services of value to identity thieves such as telecommunication services or goods that are easily convertible to cash, whereas low-risk entities may do business primarily with other businesses or provide non-financial services or goods that are not easily convertible to cash, such as healthcare providers.
7. This is the number of high-risk entities implementing section 114 as previously reported (266,602) in the preamble to the Rule, 72 FR at 63742, increased by the additional institutions (including insurance and investment companies, broker-dealers, and money service businesses) accounted for herein at note 4 and the accompanying text.
8. This figure is derived from an analysis of a database of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers or other businesses, reduced to the number of creditors subject to the FTC’s jurisdiction (10,813,525), and reduced further by an estimated subset of which comprise anticipated low-risk entities not having covered accounts under the final rule (9,191,496).
9. In addition to the 3,664 state-chartered credit unions and 100 retailers under the FTC’s jurisdiction, as of 2007, there were 4,314 colleges and universities. See Digest of Education Statistics published by the National Center for Education Statistics (available at (http://nces.ed.gov/programs/digest/d07/tables/dt07_255.asp)). As of November 2008, there were 39,408 money service businesses. See Department of the Treasury Financial Crimes Enforcement Network MSB Registration List (available at (http://www.msb.gov/pdf/msb_registration_list.pdf)). Finally, as of November 2006, there were 5,428 telecommunication companies. See Federal Communications Commission, Industry Analysis and Technology Division, Wireline Competition Bureau, Trends in Telephone Service, August 2008, Table 5.3 (available at (http://hraunfoss.fcc.gov/edocs_public/attachmatch/DOC-284932A1.pdf)).
10. This estimate is based on (http://www.bls.gov/ncs/ncswage2007.htm) (National Compensation Survey: Occupational Earnings in the United States 2007, US Department of Labor released August 2008, Bulletin 2704, Table 3 (“Full-time civilian workers,” mean and median hourly wages)) for the various managerial and technical staff support exemplified above.
11. This estimate is derived from an analysis of a database of U.S. businesses based on NAICS codes for businesses in industries that typically use consumer reports from CRAs described in the Rule, which total 1,658,758 users of consumer reports subject to the FTC’s jurisdiction.
12. Report to Congress Under Sections 318 and 319 of the Fair and Accurate Credit Transactions Act of 2003, Federal Trade Commission, 80 (Dec. 2004) available at (http://www.ftc.gov/reports/facta/041209factarpt.pdf).
13. Staff further assumes that this estimate is representative of new entrants in any given three-year PRA clearance cycle.
14. Based generally on the National Compensation Survey: Occupational Earnings in the United States, 2007, U.S. Department of Labor, Bureau of Labor Statistics released August 2008, Bulletin 2704, Table 3 (“Full-time civilian workers,” mean and median hourly wages), available at (http://www.bls.gov/ncs/ocs/sp/nctb0300.pdf). Clerical estimates are derived from the above source data, applying roughly a mid-range of mean hourly rates for potentially applicable clerical types, e.g., computer operators, data entry and information processing workers.
15. These figures correct mathematical errors that appeared in the related preceding Federal Register notice. 74 FR at 18712.
[FR Doc. E9-20141 Filed 8-20-09: 8:45 am]
BILLING CODE 6750-01-S