The information collection requirements described below will be submitted to the Office of Management and Budget (“OMB”) for review, as required by the Paperwork Reduction Act (“PRA”). The FTC is seeking public comments on its proposal to extend through November 30, 2015, the current PRA clearance requirements contained in the FTC Red Flags/Card Issuers/Address Discrepancies Rules 
(“Red Flags Rule” or “Rule”). The current clearance expires on November 30, 2012.
Comments must be submitted on or before September 10, 2012.
Interested parties may file a comment online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “Red Flags Rule, PRA Comment, Project No. P095406” on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/RedFlagPRA by following the instructions on the web-based form. If you prefer to file your comment on paper, mail or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex J), 600 Pennsylvania Avenue NW., Washington, DC 20580.
FOR FURTHER INFORMATION CONTACT:
Steven Toporoff, Attorney, Bureau of Consumer Protection, (202) 326-2252, Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580.
I. Overview of the Rule
The Rule implements sections 114 and 315 of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. 1681 et seq., to require businesses to undertake measures to prevent identity theft and to increase the accuracy of consumer reports.
Specifically, section 114 requires financial institutions and some creditors to develop and implement written Identity Theft Prevention Programs. Section 114 also mandates specific regulations that require credit and debit card issuers to assess the validity of notifications of changes of address under certain circumstances. Section 315 requires regulations that provide guidance on what users of consumer reports must do when they receive a notice of address discrepancy from a nationwide consumer reporting agency (“CRA”).
Since promulgation of the original Rule, President Obama signed the Red Flag Program Clarification Act of 2010 (“Clarification Act”), which narrowed the definition of “creditor” for purposes of section 114 of the FCRA. Specifically, the Clarification Act limits application of the Red Flags Rule to creditors that regularly and in the ordinary course of business: (1) Obtain or use consumer reports, directly or indirectly, in connection with a credit transaction; (2) furnish information to consumer reporting agencies in connection with a credit transaction; or (3) advance funds to or on behalf of a person, based on a person's obligation to repay the funds or on repayment from specific property pledged by or on the person's behalf. This third prong does not include a creditor that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.
II. Description of Collection of Information
A. FCRA Section 114
The Rule requires financial institutions and covered creditors to develop and implement a written Identity Theft Prevention Program (“Program”) to detect, prevent, and mitigate identity theft in connection with existing accounts or the opening of new accounts. Under the Rule, financial institutions and certain creditors must conduct a periodic risk assessment to determine if they maintain “covered accounts.” The Rule defines that term “covered account” as either: (1) A consumer account that is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk of identity theft. Each financial institution and covered creditor that has covered accounts must create a written Program that contains reasonable policies and procedures to identity relevant indicators of the possible existence of identity theft (“Red Flags”); detect Red Flags that have been incorporated into the Program; respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and update the Program periodically to ensure it reflects change in risks to customers.
The Rule also requires financial institutions and covered creditors to: (1) Obtain approval of the initial written Program by the board of directors; a committee thereof or, if there is no board, an appropriate senior employee; (2) ensure oversight of the development, implementation, and administration of the Program; and (3) train staff, as needed, to implement the Program; and (4) exercise appropriate and effective oversight of service provider arrangements.
In addition, the Rule implements the section 114 requirement that financial institutions or covered creditors that issue debit or credit cards (“card issuers”) generally must assess the validity of change of address notifications. Specifically, if the card issuer receives a notice of change of address for an existing account and, within a short period of time (during at least the first 30 days), receives a request for an additional or replacement card for the same account, the issuer must follow reasonable policies and procedures to assess the validity of the change of address.
B. FCRA Section 315
The Rule also implements section 315 of the FCRA, requiring each user of consumer reports to have reasonable policies and procedures in place to employ when the user receives a notice of address discrepancy from a CRA. Specifically, each user of consumer reports must develop and implement reasonable policies and procedures to: (1) Enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy; and (2) furnish an address for the consumer that the user has reasonably confirmed is accurate to the CRA from which it receives a notice of address discrepancy, if certain conditions are met.
III. Burden Estimates
Overall estimated burden hours regarding sections 114 and 315, combined, total 2,629,940 hours and the associated estimated labor costs are $81,837,080. Staff assumes that affected entities will already have in place, independent of the Rule, equipment and supplies necessary to carry out the tasks necessary to comply with it.
A. FCRA Section 114
1. Estimated Hours Burden—Red Flags Rule
As noted above, the Rule requires financial institutions and certain creditors with covered accounts to develop and implement a written Program. Under the FCRA, financial institutions over which the FTC has jurisdiction include state chartered credit unions and certain insurance companies.
Although narrowed by the Clarification Act, the definition of “creditor” still covers a broad array of entities. Moreover, the Clarification Act does not set forth any exemptions from Rule coverage. Rather, application of the Rule depends upon an entity's course of conduct, not its status as a particular type of business. For these reasons, it is difficult to determine precisely the number of creditors subject to the FTC's jurisdiction. There are numerous small businesses under the FTC's jurisdiction that may qualify as “creditors,” and there is no formal way to track them. Nonetheless, FTC staff estimates that the Rule's requirement to have a written Program affects over 7,025 financial institutions 
and 160,614 creditors.
To estimate burden hours for the Red Flags Rule under section 114, FTC staff divided affected entities into two categories, based on the nature of their business: (1) Entities that are subject to high risk of identity theft and (2) entities that are subject to a low risk of identity theft, but have covered accounts that will require them to have a written Program.
a. High-Risk Entities
FTC staff estimates that high-risk entities 
will each require 25 hours to create and implement a written Program, with an annual recurring burden of one hour. FTC staff anticipates that these entities will incorporate into their Program policies and procedures that they likely already have in place. Further, FTC staff estimates that preparation for an annual report will require each high-risk entity four hours initially, with an annual recurring burden of one hour. Finally, FTC staff believes that many of the high-risk entities, as part of their usual and customary business practice, already take steps to minimize losses due to fraud, including conducting employee training. Accordingly, only relevant staff need be trained to implement the Program: For example, staff already trained as part of a covered entity's anti-fraud prevention efforts do not need to be re-trained as incrementally needed. FTC staff estimates that training connected with the implementation of a Program of a high-risk entity will require four hours, and annual training thereafter will require one hour.
Thus, estimated hours for high-risk entities are as follows:
- 105,774 high-risk entities subject to the FTC's jurisdiction at an average annual burden of 13 hours per entity [average annual burden over 3-year clearance period for creation and implementation of a Program ((25+1+1)/3), plus average annual burden over 3-year clearance period for staff training ((4+1+1)/3), plus average annual burden over 3-year clearance period for preparing an annual report ((4+1+1)/3)], for a total of 1,375,062 hours.
b. Low-Risk Entities
Entities that have a minimal risk of identity theft,
but that have covered accounts, must develop a Program; however, they likely will only need a streamlined Program. FTC staff estimates that such entities will require one hour to create such a Program, with an annual recurring burden of five minutes. Training staff of low-risk entities to be attentive to future risks of identity theft should require no more than 10 minutes in an initial year, with an annual recurring burden of five minutes. FTC staff further estimates that these entities will require, initially, 10 minutes to prepare an annual report, with an annual recurring burden of five minutes.
Thus, the estimated hours burden for low-risk entities is as follows:
- 61,865 low risk entities that have covered account subject to the FTC's jurisdiction at an average annual burden of approximately 37 minutes per entity [average annual burden over 3-year clearance period for creation and implementation of streamlined Program ((60+5+5)/3), plus average annual burden over 3-year clearance period for staff training ((10+5+5)/3), plus average annual burden over 3-year clearance period for preparing annual report ((10+5+5)/3], for a total of 38,150 hours.
2. Estimated Hours Burden—Card Issuers Rule
As noted above, section 114 also requires financial institutions and covered creditors that issue credit or debit cards to establish policies and procedures to assess the validity of a change of address request, including notifying the cardholder or using another means of assessing the validity of the change of address. FTC staff estimates that the Rule affects as many as 17,978
card issues within the FTC's jurisdiction. FTC staff believes that most of these card issuers already have automated the process of notifying the cardholder or are using another means to assess the validity of the change of address, such that implementation will pose no further burden. Nevertheless, taking a conservative approach, FTC staff estimates that it will take each card issuer 4 hours to develop and implement policy and procedures to assess the validity of a change of address request for a total burden of 71,912 hours.
Thus, the total average annual estimated burden for Section 114 is 1,485,124 hours.
3. Estimated Cost Burden—Red Flags and Card Issuers Rules
The FTC staff estimates labor costs by applying appropriate estimated hourly cost figures to the burden hours described above. It is difficult to calculate with precision the labor costs associated with compliance with the Rule, as they entail varying compensation levels of management (e.g., administrative services, computer and information systems, training and development) and/or technical staff (e.g., computer support specialists, systems analysts, network and computer systems administrators) among companies of different sizes. FTC staff assumes that for all entities, professional technical personnel and/or management personnel will create and implement the Program, prepare the annual report, and train employees, at an hourly rate of $42.
Based on the above estimates and assumptions, the total annual labor costs for all categories of covered entities under the Red Flags and Card Issuers Rules for Section 114 is $62,375,208 (1,485,124 hours × $42).
B. FCRA Section 315—The Address Discrepancy Rule
As discussed above, the Rule's implementation of Section 315 provides guidance on reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a CRA. Given the broad scope of users of consumer reports, it is difficult to determine with precision the number of users of consumer reports that are subject to the FTC's jurisdiction. As noted above, there are numerous small businesses under the FTC's jurisdiction, and there is no formal way to track them; moreover, as a whole, the entities under the FTC's jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the Rule's implementation of section 315 affects approximately 2,449,605 users of consumer reports subject to the FTC's jurisdiction.
Commission staff estimates that approximately 10,000 of these users will receive notice of a discrepancy, in the course of their usual and customary business practices, and thereby have to furnish to CRAs an address confirmation.
For section 315, FTC staff estimates that the average annual information collection burden during the three-year period for which OMB clearance is sought will be 1,144,816 hours. The estimated associated labor cost is $19,461.872.
1. Estimated Hours Burden
Prior to enactment of the Address Discrepancy Rule, users of consumer reports could compare the address on a consumer report to the address provided by the consumer and discern for themselves any discrepancy. As a result, FTC staff believes that many users of consumer reports have developed methods of reconciling address discrepancies, and the following estimates represent the incremental amount of time users of consumer reports may require to develop and comply with the policies and procedures for when they receive a notice of address discrepancy.
a. Customer Verification
Given the varied nature of the entities under the FTC's jurisdiction, it is difficult to determine precisely the appropriate burden estimates. Nonetheless, FTC staff estimates that it would require an infrequent user of consumer reports no more than 16 minutes to develop and comply with the policies and procedures that it will employ when it receives a notice of address discrepancy, while a frequent user might require one hour. Similarly, FTC staff estimates that, during the remaining two years of clearance, it may take an infrequent user no more than one minute to comply with the policies and procedures it will employ when it receives a notice of address discrepancy, while a frequent user might require 45 minutes. Taking into account these extremes, FTC staff estimates that, during the first year, it will take users of consumer reports under the FTC's jurisdiction an average of 38 minutes [the midrange between 16 minutes and 60 minutes] to develop and comply with the policies and procedures that they will employ when they receive a notice of address discrepancy. FTC staff also estimates that the average recurring burden for users of consumer reports to comply with the Rule will be 23 minutes [the midrange between one minute and 45 minutes].
Thus, for these 2,449,605 entities, the average annual burden for each of them to perform these collective tasks will be 28 minutes [(38 + 23 + 23) ÷ 3]; cumulatively, 1,143,149 hours.
b. Address Verification
For the estimated 10,000 users of consumer reports that will additionally have to furnish to CRAs an address confirmation upon notice of a discrepancy, staff estimates that these entities will require, initially, 30 minutes to develop related policies and procedures. But, these 10,000 affected entities likely will have automated the process of furnishing the correct address in the first year of a three-year PRA clearance cycle. Thus, allowing for 30 minutes in the first year, with no annual recurring burden in the second and third years of clearance, yields an average annual burden of 10 minutes per entity to furnish a correct address to a CRA, for a total of 1,667 hours.
2. Estimated Cost Burden
FTC staff assumes that the policies and procedures for compliance with the address discrepancy part of the Rule will be set up by administrative support personnel at an hourly rate of $17.
Based on the above estimates and assumptions, the total annual labor cost for the two categories of burden under section 315 is $19,461,872.
C. Burden Totals for FCRA Sections 114 and 315
Cumulatively, then, estimated burden is 2,629,940 hours (1,485,124 hours for section 114 and 1,144,816 hours for section 315) and $81,837,080 ($62,375,208 and $19,461,872) in associated labor costs.
IV. Request for Comment
You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before September 10, 2012. Write “Red Flags Rule, PRA Comment, Project No. P095406” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including to the extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals' home contact information from comments before placing them on the Commission Web site.
Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, like anyone's Social Security number, date of birth, driver's license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any “[t]rade secret or any commercial or financial information which is obtained from any person and which is privileged or confidential” as provided in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.
If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c).
Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest.
Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/RedFlagPRA, by following the instructions on the web-based form. If this Notice appears at http://www.regulations.gov/#!home, you also may file a comment through that Web site.
If you file your comment on paper, write “Red Flags Rule, PRA Comment, Project No. P095406” on your comment and on the envelope, and mail or deliver it to the following address: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex J), 600 Pennsylvania Avenue NW., Washington, DC 20580. If possible, submit your paper comment to the Commission by courier or overnight service.
Willard K. Tom,
[FR Doc. 2012-16730 Filed 7-9-12; 8:45 am]
BILLING CODE 6750-01-P