Skip to Content

Proposed Rule

Transferred OTS Regulations Regarding Fair Credit Reporting and Amendments; Amendment to the “Creditor” Definition in Identity Theft Red Flags Rule; Removal of FDIC Regulations Regarding Fair Credit Reporting Transferred to the Consumer Financial Protection Bureau

Document Details

Information about this document as published in the Federal Register.

Published Document

This document has been published in the Federal Register. Use the PDF linked in the document sidebar for the official electronic format.

Start Preamble

AGENCY:

Federal Deposit Insurance Corporation.

ACTION:

Notice of proposed rulemaking.

SUMMARY:

In this notice of proposed rulemaking (Proposed Rule), the Federal Deposit Insurance Corporation (FDIC) proposes to make several amendments to its regulations covering “Fair Credit Reporting.”

First, the FDIC proposes to rescind and remove from the Code of Federal Regulations 12 CFR part 391, subpart C (part 391, subpart C), entitled “Fair Credit Reporting.” This subpart was included in the regulations that were transferred to the FDIC from the Office of Thrift Supervision (OTS) in connection with the implementation of applicable provisions of title III of the Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act). The requirements for State savings associations in part 391, subpart C are substantively similar to those in the Start Printed Page 5070FDIC's 12 CFR part 334 (part 334), also entitled “Fair Credit Reporting,” and is applicable for all insured depository institutions (“IDIs”) for which the FDIC has been designated the appropriate Federal banking agency.

The FDIC proposes to modify the scope of 12 CFRs 334.1(b), 334.90(a), and 334.91(a) to include State savings associations and their subsidiaries to conform to the scope of the FDIC's current supervisory responsibilities as the appropriate Federal banking agency. The FDIC also proposes to add new subsections to define “State savings association” as having the same meaning as in section 3(b)(3) of the Federal Deposit Insurance Act (FDI Act).

Second, the FDIC proposes to amend the definitional portion of its Identity Theft Red Flags regulations to be in conformance with the Red Flag Program Clarification Act of 2010.

Third, the FDIC proposes to rescind and remove from the Code of Federal Regulations those portions of the FDIC's “Fair Credit Reporting” regulations where the rule writing authority was provided to the Consumer Financial Protection Bureau (“CFPB”) in the Dodd-Frank Act. The FDIC will continue to examine for and enforce violations of these regulations for all IDIs for which the FDIC has been designated the appropriate Federal banking agency.

Consistent with this part of the proposal, the FDIC also proposes to make a technical change in one provision in its version of the Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation.

DATES:

Comments must be received on or before March 31, 2015.

ADDRESSES:

You may submit comments by any of the following methods:

  • FDIC Web site: http://www.fdic.gov/​regulations/​laws/​federal. Follow instructions for submitting comments on the agency Web site.
  • FDIC Email: Comments@fdic.gov. Include RIN #3064-AE29 on the subject line of the message.
  • FDIC Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, Federal Deposit Insurance Corporation, 550 17th Street NW., Washington, DC 20429.
  • Hand Delivery to FDIC: Comments may be hand-delivered to the guard station at the rear of the 550 17th Street building (located on F Street) on business days between 7 a.m. and 5 p.m.

Please include your name, affiliation, address, email address, and telephone number(s) in your comment. Where appropriate, comments should include a short Executive Summary consisting of no more than five single-spaced pages. All statements received, including attachments and other supporting materials, are part of the public record and are subject to public disclosure. You should submit only information that you wish to make publicly available.

Please note:

All comments received will be posted generally without change to http://www.fdic.gov/​regulations/​laws/​federal/​, including any personal information provided. Paper copies of public comments may be requested from the Public Information Center by telephone at 1-877-275-3342 or 1-703-562-2200.

Start Further Info

FOR FURTHER INFORMATION CONTACT:

Sandra Barker, Senior Policy Analyst, Division of Depositor and Consumer Protection, (202) 898-3615; Jeffrey Kopchik, Senior Policy Analyst, Division of Risk Management Supervision, (703) 254-0459; Richard M. Schwartz, Counsel, Legal Division, (202) 898-7424.

End Further Info End Preamble Start Supplemental Information

SUPPLEMENTARY INFORMATION:

I. Proposed Removal of Transferred OTS Regulations Regarding Fair Credit Reporting and Amendments to 12 CFR Part 334 of FDIC's Rules and Regulations

A. Background

The Dodd-Frank Act

The Dodd-Frank Act [1] provided for a substantial reorganization of the regulation of State and Federal savings associations and their holding companies. Beginning July 21, 2011, the transfer date established by section 311 of the Dodd-Frank Act, codified at 12 U.S.C. 5411, the powers, duties, and functions formerly performed by the OTS were divided among the FDIC, as to State savings associations, the Office of the Comptroller of the Currency (OCC), as to Federal savings associations, and the Board of Governors of the Federal Reserve System (FRB), as to savings and loan holding companies.[2] Section 316(b) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(b), provided the manner of treatment for all orders, resolutions, determinations, regulations, and advisory materials that had been issued, made, prescribed, or allowed to become effective by the OTS. The section provided that if such materials were in effect on the day before the transfer date, they continue to be in effect and are enforceable by or against the appropriate successor agency until they are modified, terminated, set aside, or superseded in accordance with applicable law by such successor agency, by any court of competent jurisdiction, or by operation of law.

Section 316(c) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(c), further directed the FDIC and the OCC to consult with one another and to publish a list of the continued OTS regulations that would be enforced by the FDIC and the OCC, respectively. On June 14, 2011, the FDIC's Board of Directors approved a “List of OTS Regulations to be Enforced by the OCC and the FDIC Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act.” This list was published by the FDIC and the OCC as a Joint Notice in the Federal Register on July 6, 2011.[3]

Although section 312(b)(2)(B)(i)(II) of the Dodd-Frank Act, codified at 12 U.S.C. 5412(b)(2)(B)(i)(II), granted the OCC rulemaking authority relating to both State and Federal savings associations, nothing in the Dodd-Frank Act affected the FDIC's existing authority to issue regulations under the FDI Act and other laws as the “appropriate Federal banking agency” or under similar statutory terminology. Section 312(c) of the Dodd-Frank Act amended the definition of “appropriate Federal banking agency” contained in section 3(q) of the FDI Act, 12 U.S.C. 1813(q), to add State savings associations whose deposits are insured by the FDIC (“State savings associations”) to the list of entities for which the FDIC is designated as the “appropriate Federal banking agency.” As a result, when the FDIC acts as the designated “appropriate Federal banking agency” (or under similar terminology) for State savings associations, as it does here, the FDIC is authorized to issue, modify and rescind regulations involving such associations, as well as for State nonmember banks and insured branches of foreign banks.

As noted, on June 14, 2011, pursuant to this authority, the FDIC's Board of Directors reissued and redesignated certain transferring regulations of the former OTS. These transferred OTS regulations were published as new FDIC regulations in the Federal Register on August 5, 2011.[4] When it republished the transferred OTS regulations as new FDIC regulations, the FDIC specifically noted that its staff would evaluate the transferred OTS rules and might later recommend incorporating the transferred OTS regulations into other Start Printed Page 5071FDIC rules, amending them, or rescinding them, as appropriate.

One of the OTS rules transferred to the FDIC governed OTS oversight of the Fair Credit Reporting regulations, which implemented the Fair Credit Reporting Act (FCRA),[5] in the context of State savings associations. The OTS rule, formerly found at 12 CFR part 571, was transferred to the FDIC [6] and is now found in the FDIC's rules at part 391, subpart C, entitled “Fair Credit Reporting.” Before the transfer of the OTS rules and continuing today, the FDIC's rules contained part 334, also entitled “Fair Credit Reporting,” a rule governing FDIC regulation with respect to IDIs for which the FDIC has been designated the appropriate Federal banking agency. After careful review and comparison of part 391, subpart C and part 334, the FDIC proposes to rescind part 391, subpart C, because, as discussed below, it is substantively redundant to existing part 334 and simultaneously we propose to make technical conforming edits to our existing rule.

B. FDIC's Existing 12 CFR Section 334.2 and Former OTS's 12 CFR Section 571.2 (Transferred to FDIC's Part 391, Subpart C, as 12 CFR Section 391.20)

On November 22, 2005, the FDIC, OTS, OCC, FRB and NCUA (“the Agencies”) jointly published rules in the Federal Register[7] to implement section 411 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act),[8] which amended section 604 of the FCRA.[9] Section 411 of the FACT Act generally limited the ability of creditors to obtain and use medical information in connection with credit eligibility determinations and the ability of consumer reporting agencies to disclose medical information, as well as restricting the sharing of medical information and other medically related information with affiliates.[10] That section required the Agencies to issue regulations on several aspects related to the medical privacy amendment.

Although Dodd-Frank Act transferred the 2005 medical privacy regulations to the CFPB, as discussed below, the Agencies issued a regulation in the “General Provisions” portion of the Fair Credit Reporting regulations that remains in effect in the Agencies' regulations today.

That regulation related to “examples” issued in any regulation in the Fair Credit Reporting part. The OTS regulation, stated: “The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. Examples in a paragraph illustrate only the issue described in the paragraph and do not illustrate any other issue that may arise in this part.” [11] The concurrently issued FDIC regulation contains identical language.[12]

The OTS regulation issued at section 391.20 was amended slightly because it was placed in a subpart of section 391: The word “part” was replace by “subpart.” Nevertheless, the portion of the OTS regulation that applied to State savings associations and their subsidiaries, originally codified at 12 CFR part 571 and subsequently transferred to FDIC's part 391, subpart C, is substantively similar to the current FDIC regulations codified at 12 CFR part 334. Therefore, to eliminate redundancy and streamline its regulations, the FDIC will rescind section 391.20.

C. FDIC's Existing 12 CFR Section 334.83 and Former OTS's 12 CFR Section 571.83 (Transferred to FDIC's Part 391, Subpart C, as 12 CFR Section 391.21)

Section 216 of the FACT Act added a new section 628 to the FCRA that, in general was designed to protect a consumer against the risks associated with the unauthorized access to information about a consumer contained in a consumer report, such as fraud and related crimes including identity theft.[13] Specifically, section 216 required each of the Agencies, including the Federal Trade Commission (FTC), to adopt a regulation with respect to the entities subject to its enforcement authority “requiring any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from a consumer report for a business purpose to properly dispose of any such information or compilation.” [14] The FDIC, OCC, FRB and OTS jointly published their rules in the Federal Register on December 28, 2004.[15] The FDIC and OTS regulations were identical.[16] Neither regulation contained a scope provision, because each regulation referred to the respective agency's version of the Interagency Guidelines Establishing Information Security Standards, which itself contained a scope provision.[17]

In 2007, the Agencies jointly issued rules pursuant to section 114 of the FACT Act, which dealt with identity theft “red flag” rules and rules on the duties of credit card issuers to validate notifications of changes of address under certain circumstances,[18] as discussed in more detail below. Although those regulations were nearly identical from agency to agency, the OTS unilaterally amended its disposal regulation, as part of that rulemaking, to include a scope provision.[19] The OTS explained that that amendment was nonsubstantive and technical in nature, caused by the placement of the address discrepancy regulation in the same subpart as the disposal regulation.[20] No other Agency amended its disposal regulation.

After careful comparison of the FDIC's disposal regulation with the transferred OTS rule in part 391, subpart C, the FDIC has concluded that, with the exception of the scope provision, which now includes “State savings associations whose deposits are insured by the Federal Deposit Insurance Corporation,” [21] the transferred OTS rule is substantively redundant. Therefore, based on the foregoing, the Start Printed Page 5072FDIC proposes to rescind and remove from the Code of Federal Regulations the rule located at part 391, subpart C and to make minor conforming changes to incorporate State savings associations.

There are several ways to deal with this technical difference between the FDIC and the OTS disposal regulations, including adding a scope provision to the FDIC's disposal regulation at section 334.83, an idea that was not proposed back in 2007. Instead, because of the direct reference in the disposal regulation to the Interagency Guidelines Establishing Information Security Standards, the FDIC is proposing, through a separate notice of proposed rulemaking relating to the FDIC's Safety and Soundness regulations, 12 CFR part 364, to be issued shortly, a change in the scope provision of the FDIC's version to cover State savings associations.

As a backstop for this and any future fair credit regulations, the FDIC is also proposing a change to section 334.1(b), the general scope provision of the FDIC's Fair Credit Reporting regulations, to cover State savings associations. The FDIC also proposes to add a definition of “State savings association” to section 334.3. That definition would have the same meaning as in section 3(b)(3) of the FDI Act, 12 U.S.C. 1813(b)(3).[22]

D. FDIC's Existing 12 CFR Sections 334.90 and 334.91 and Part 334, Appendix J, and Former OTS's 12 CFR Sections 571.82 and 571.90 and Part 571, Appendix J (Transferred to FDIC's Part 391, Subpart C, as 12 CFR Sections 391.22 and 391.23 and Part 391, Subpart C, Appendix)

As discussed above (and in some detail below), the Agencies, in 2007, jointly issued rules pursuant to section 114 of the FACT Act, which dealt with identity theft “red flag” rules and rules on the duties of credit card issuers to validate notifications of changes of address under certain circumstances.[23] In addition to the rules required in section 114, the Agencies also jointly issued Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation.

The FDIC's “red flag” rule, styled as “duties regarding the detection, prevention, and mitigation of identity theft,” was issued as section 334.90. The concurrently issued OTS rule was issued as section 571.90. That rule was later transferred to the FDIC rules as section 391.22. Apart from their scope provisions, the FDIC and the OTS “red flag” rules are substantively identical. As with the disposal rule, the scope of the transferred OTS rule covers “a State savings association whose deposits are insured by the Federal Deposit Insurance Corporation.” [24]

The FDIC's “duties of card issuers regarding changes of address” regulation was issued as section 334.91. The concurrently issued OTS rule was issued as section 571.91. That rule was later transferred to the FDIC rules as section 391.23. As with the “red flag” rules, apart from their scope provisions, the FDIC and OTS change of address rules are substantively identical. The OTS rule covers “an issuer of a debit or credit card (card issuer) that is a State savings association whose deposits are insured by the Federal Deposit Insurance Corporation.” [25]

Finally, the FDIC's Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation was issued as part 334, appendix J. The concurrently issued OTS guidelines were issued as part 571, appendix J. Those guidelines were later transferred to the FDIC rules as part 391, subpart C, appendix. The FDIC and the OTS guidelines are substantively identical.

After careful comparison of the FDIC's rules and guidelines with the transferred OTS rules and guidelines in part 391, subpart C, the FDIC has concluded that, with the exception of the scope provisions, as set out above, the transferred OTS rules and guidelines are substantively redundant. Therefore, based on the foregoing, the FDIC proposes to rescind and remove from the Code of Federal Regulations the rules located at sections 391.22 and 391.23 and guidelines located at part 391, subpart C, appendix, and to make minor conforming changes to incorporate State savings associations.

II. Proposed Amendments to Fair Credit Red Flag Identity Theft Rule and Guidelines

As discussed above, on November 9, 2007, the FDIC, OCC, FRB, NCUA, OTS, and FTC published final rules and guidelines [26] to implement the identity theft red flags provisions of section 114 of the FACT Act.[27] In addition to these agencies, the Commodity Futures Trading Commission (CFTC) and the Securities and Exchange Commission (SEC) obtained rulemaking authority for these regulations under section 615 of the FCRA, as amended by section 1088 of the Dodd-Frank Act.

Section 615 directed the covered Agencies to issue joint regulations and guidelines requiring “financial institutions” and “creditors” to develop and implement a written identity theft program to identify, detect, and respond to possible risks of identity theft relevant to them.

The 2007 final interagency rule (the Red Flags Rule) [28] included a definition of “financial institution,” as set forth in in section 603(t) of the FCRA, as amended in section 111 of the FACT Act.[29] That term includes “a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act) belonging to a consumer.” [30]

The Red Flags Rule [31] also included a definition of “creditor,” as set forth in section 603(r)(5) of the FCRA, as amended in section 111 of the FACT Act.[32] That definition referenced the definition of “creditor” in section 702 of the Equal Credit Opportunity Act (“ECOA”). The ECOA defines the term “creditor” broadly as “any person who regularly extends, renews, or continues credit; any person who regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit.” [33] The ECOA further defines “credit” as “the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.” [34] Regulation B, promulgated under the ECOA, defines “credit” in similar terms: “the right granted by a creditor to an applicant to defer payment of a debt, incur debt and defer its payment, or purchase property or services and defer payment therefor.” [35]

The current FDIC definition of “creditor” also expressly includes “lenders such as banks, finance companies, automobile dealers, Start Printed Page 5073mortgage brokers, utility companies, and telecommunications companies,” [36] the same definition as the joint rules issued by the OCC, FRB, OTS and FTC.

Since the scope of the FDIC's red flag regulation covers “an insured state nonmember bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisors),” [37] the vast majority, but not all, of the entities covered by the FDIC regulation fall under the “financial institutions” definition.[38]

In contrast, the vast majority of the entities supervised by the FTC's rule would be covered by the statutory “creditor” definition. As such, the FTC had issued guidance on the scope of that definition. For example, in a set of answers to frequently asked questions issued in June, 2009, the FTC stated: “Under the [Red Flags Rule], the definition of `creditor' is broad and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. . . . Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies.” [39] The FTC had also stated in the preamble to the final Red Flags Rule that a “broad scope of entities” was covered.[40] Similar guidance was provided in policy statements issued in 2008 and early 2009.[41] This guidance led to a law suit brought by the American Bar Association against the FTC alleging that the application of the rules to attorneys exceeded FTC's authority. Similar complaints were brought by the American Medical Association and other professionals.

In December 2010, Congress enacted the Red Flag Program Clarification Act (Clarification Act), 15 U.S.C. 1681m(e)(4), which narrowed the scope of entities covered as “creditors” under the Red Flags Rule.[42] The Clarification Act retained the ECOA definition of “creditor,” but generally limited the application of the Red Flags Rule to those ECOA creditors that “regularly and in the ordinary course of business” engaged in at least one of the following three types of conduct:

1. Obtaining or using consumer reports, directly or indirectly, in connection with a credit transaction; [43]

2. Furnishing information to consumer reporting agencies in connection with a credit transaction; [44] or

3. Advancing funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.[45]

The Clarification Act also expressly excluded creditors that advanced funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.[46]

Finally, in addition to limiting the scope of coverage for “creditors” by creating these specified categories, the Clarification Act empowered the Agencies to determine through a future rulemaking whether to include any other type of creditor that offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.[47]

When amending its Red Flag “creditor” definition in 2012, the FTC choose not to use its discretionary rulemaking to extend coverage of the Red Flags Rule to additional creditors and merely cited to the Clarification Act statutory definition.[48] The FDIC is now proposing a similar result, to amend the “creditor” definition in its Red Flags Rule to expressly cite to the Clarification Act statutory provision, 15 U.S.C. 1681m(e)(4).

The FDIC has conferred with staff from the other Federal banking agencies, who do not object to the issuance of this notice of proposed rulemaking to amend the Red Flags Rule to conform it to the Clarification Act. In May, 2014, both the OCC and the Federal Reserve Board issued final rules making the conforming change.[49] The SEC and CFTC have previously issued final rules under section 615 of FCRA that included a definition of “creditor” as set forth in the Clarification Act.[50]

The FDIC is also proposing a technical amendment to supplement A to the guidelines that accompanied the Red Flags Rule consistent with the proposal, discussed below, to vacate the FDIC Fair Credit Reporting regulations with rule writing authority transferred to the CFPB.[51] In supplement A, the Agencies provided a list of red flags to be considered by the entities covered by the rule. One of those red flags was “[a] consumer reporting agency provides a notice of address discrepancy, as defined in § 334.82(b) of this part.” [52] Since the FDIC is proposing to vacate its regulation at 12 CFR 334.82, the FDIC is proposing to change the citation in that red flag to the CFPB regulation: § 1022.82(b).

III. Proposed Removal of FDIC Fair Credit Regulations Transferred to the Consumer Financial Protection Bureau

In amending the FCRA, the FACT Act gave the FDIC, along with the other Federal banking regulators (and, in some cases, the FTC and the SEC), rule writing authority for a variety of Fair Credit Reporting regulations. Since 2004, those regulations have been promulgated on an inter-agency basis as follows:

  • 2007: Address Discrepancy, 12 CFR 334.82, implementing FACT Act section 315 (FCRA section 605(h) (15 U.S.C. 1681c(h)); and
  • 2009: Duties of Furnishers of Information, 12 CFR part 334, subpart E and appendix E, implementing FACT Act section 312 (FCRA section 623(e) (15 U.S.C. 1681S-2(e)).

Title X of the Dodd-Frank Act amended a number of consumer financial protection laws, including provisions of the FCRA. In addition to substantive amendments, the Dodd-Start Printed Page 5074Frank Act transferred rulemaking authority from the FDIC, FRB, OCC, FTC, NCUA, and OTS for several provisions of the “Fair Credit Reporting” regulations to the CFPB, effective July 21, 2011.[54] These include the following regulations listed above: Medical information; affiliate marketing; address discrepancy; and duties of furnishers of information. Those regulations were covered under 12 CFR part 334 parts C, D, and E, as well as 12 CFR 334.82 in subpart I. The transfer also included the related Appendices, 12 CFR part 334, Appendices C and E. On December 21, 2011, the CFPB published in the Federal Register an interim final rule Regulation V, which implemented the Dodd-Frank Act amendments to the FCRA with regard to those regulations and appendices.

As discussed above, the Dodd-Frank Act did not transfer all rulemaking authority under the FCRA. Specifically, the Act did not transfer to the CFPB the authority to promulgate: Rules on the disposal of consumer information; [55] rules on identity theft red flags and corresponding interagency guidelines on identity theft detection, prevention, and mitigation; [56] and rules on the duties of card issuers regarding changes of address.[57] These existing provisions are not included in the Bureau's new Regulation V.[58]

As a result of the of rule writing authority transferred to the CFPB, the FDIC is proposing to rescind and remove those regulations and appendices covered under the CFPB's Regulation V. In addition to the specific citations set out above, the FDIC is also proposing rescinding and removing those parts of the Purpose and Definition provisions of the “Fair Credit Reporting” regulations that related to the substantive regulations transferred to the CFPB.[59]

Even though there is no longer rule writing authority for those “Fair Credit Reporting” rules, the FDIC will continue to examine for compliance with the rules and take enforcement action when warranted.

Request for Comments

The FDIC invites comments on all aspects of this proposed rulemaking. Written comments must be received by the FDIC no later than March 31, 2015.

IV. Regulatory Analysis and Procedure

A. The Paperwork Reduction Act

In accordance with the requirements of the Paperwork Reduction Act (PRA) of 1995, 44 U.S.C. 3501-3521, the FDIC may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (“OMB”) control number.

Part of the Proposed Rule would rescind and remove from FDIC regulations part 391, subpart C. This rule was transferred with only nominal changes to the FDIC from the OTS when the OTS was abolished by title III of the Dodd-Frank Act. Part 391, subpart C is largely redundant of the FDIC's existing part 334 regarding “Fair Credit Reporting” regulations, including appendix J to the part. The FDIC reviewed its burden estimates for the collection at the time it assumed responsibility for supervision of State savings associations transferred from the OTS and determined that no changes to the burden estimates were necessary. This Proposed Rule will not modify the FDIC's existing collection and does not involve any new collections of information pursuant to the PRA.

The Proposed Rule would also amend sections 334.83, 334.90 and 334.91 to include State savings associations and their subsidiaries within the scope of part 334. The Proposed Rule would also amend those provisions to define “State savings association.” These measures clarify that State savings associations, as well as State nonmember banks are subject to part 334. Thus, these provisions of the Proposed Rule will not involve any new collections of information under the PRA or impact current burden estimates.

Part of the Proposed Rule would amend the “creditor” definition in the FDIC's Identity Theft Red Flag regulation in conformance with the Clarification Act. The vast majority of entities regulated by the FDIC under the Identity Theft Red Flag regulation fall under the “financial institution” definition, and, therefore, would be covered under the rule regardless of the change in the “creditor” definition. For any subsidiary of a covered financial institution not covered under the “financial institution” definition, the proposed change to the “creditor” definition would, arguably, cover fewer, rather than more, entities. Thus, this provision of the Proposed Rule will not involve any new collections of information under the PRA or substantively impact current burden estimates.

Finally, part of the Proposed Rule would rescind and remove those portions of 12 CFR part 334 where rule writing authority was transferred to the CFPB. This portion of the Proposed Rule will also not involve any new collections of information under the PRA or impact current burden estimates. Based on the foregoing, no information collection request has been submitted to the OMB for review.

B. The Regulatory Flexibility Act

The Regulatory Flexibility Act (“RFA”), requires that, in connection with a notice of proposed rulemaking, an agency prepare and make available for public comment an initial regulatory flexibility analysis that describes the impact of the proposed rule on small entities (defined in regulations promulgated by the Small Business Administration to include banking organizations with total assets of less than or equal to $550 million).[60] However, a regulatory flexibility analysis is not required if the agency certifies that the rule will not have a significant economic impact on a substantial number of small entities, and publishes its certification and a short explanatory statement in the Federal Register together with the rule. For the reasons provided below, the FDIC certifies that the Proposed Rule, if adopted in final form, would not have a significant economic impact on a substantial number of small entities. A final regulatory flexibility analysis will be conducted after consideration of comments received during the public comment period.

As discussed in this notice of proposed rulemaking, part 391, subpart C was transferred from OTS part 571, which governed Fair Credit Reporting. OTS part 571 had been in effect beginning in 2004, and all State savings associations were required to comply with it. Because it is redundant of existing part 334 of the FDIC's rules, the FDIC proposes rescinding and removing part 391, subpart C. As a result, all FDIC-supervised institutions—including State savings associations and their subsidiaries—would be required to comply with part 334. Because all State savings associations and their Start Printed Page 5075subsidiaries have been required to comply with substantially the same rules beginning in 2004, today's Proposed Rule would have no significant economic impact on any State savings association.

In a similar way, portions of part 334 of the FDIC's rules were transferred to the CFPB Regulation V effective 2011. Because all FDIC supervised institutions—including State savings associations and their subsidiaries—have been required to comply with part 334 beginning in 2004, today's Proposed Rule would have no significant economic impact on those institutions.[61]

With regard to the portion of the Proposed Rule amending the Red Flags Rule and appendix:

1. Statement of the need for, and objectives of, the proposed rule. As noted above, the Clarification Act amended the definition of “creditor” in the FCRA for purposes of the red flags provisions. The FDIC is proposing to amend the definition of “creditor” in its Red Flags Rule to reflect the revised definition of that term in the Clarification Act. As also noted above, the FDIC is proposing to update a cross-reference in the Red Flags Rule to reflect the CFPB's rulemaking authority for the notice of address discrepancy provisions in the FCRA.

2. Small entities affected by the proposed rule. The Proposed Rule would amend the definition of “creditor” in 12 CFR 334.90 to conform to the revised definition of that term in the Clarification Act. The proposed definition continues to refer to the FCRA definition of “creditor,” which references the ECOA definition of “creditor,” but limits the application of the red flags provisions to only those creditors that regularly and in the ordinary course of business: (a) Obtain or use consumer reports in connection with a credit transaction; (b) furnish information to consumer reporting agencies in connection with a credit transaction; or (c) advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person. 12 U.S.C. 1681m(e)(4)(A). Creditors that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person are excluded from the definition. Small entity creditors that do not meet this more limited definition would no longer be covered by the rule. However, small entities that are financial institutions would still be covered by the rule, regardless of whether they meet the revised definition of creditor.

The Proposed Rule would also update a cross-reference in the Red Flags Rule to reflect the CFPB's rulemaking authority for the notice of address discrepancy provisions in the FCRA. This revision would have no effect on small entities because there was no substantive difference between the FDIC definition of a “notice of address discrepancy” and the CFPB's definition.

3. Recordkeeping, reporting, and compliance requirements. The Proposed Rule does not impose any new recordkeeping, reporting, or compliance requirements on small entities. Small entities that no longer meet the narrower definition of “creditor” would not have to comply with the requirements of the Red Flags Rule. However, small entity financial institutions would still be required to comply with the Red Flags Rule, regardless of whether they meet the revised definition of creditor.

4. Other federal rules. The FDIC has not identified any federal statutes or regulations that would duplicate, overlap, or conflict with the proposed revision.

5. Significant alternatives to the proposed revisions. The proposed revisions to the definition of “creditor” and the cross-reference to the definition of a “notice of address discrepancy” reflect statutory changes. The FDIC does not believe there are significant alternatives to these revisions. Although the FDIC has authority to determine through a rulemaking that any other creditor that offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft is subject to the Red Flags Rule, the FDIC does not believe it is appropriate to use its discretionary rulemaking authority at this time.

C. Plain Language

Section 722 of the GLB Act, codified at 12 U.S.C. 4809, requires each Federal banking agency to use plain language in all of its proposed and final rules published after January 1, 2000. The FDIC invites comments on whether the Proposed Rule is clearly stated and effectively organized, and how the FDIC might make it easier to understand. For example:

  • Has the FDIC organized the material to suit your needs? If not, how could it present the rule more clearly?
  • Have we clearly stated the requirements of the rule? If not, how could the rule be more clearly stated?
  • Does the rule contain technical jargon that is not clear? If so, which language requires clarification?
  • Would a different format (grouping and order of sections, use of headings, paragraphing) make the regulation easier to understand? If so, what changes would make the regulation easier to understand?
  • What else could we do to make the regulation easier to understand?

D. The Economic Growth and Regulatory Paperwork Reduction Act

Under section 2222 of the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (“EGRPRA”), the FDIC is required to review all of its regulations, at least once every 10 years, in order to identify any outdated or otherwise unnecessary regulations imposed on insured institutions.[62] The FDIC completed the last comprehensive review of its regulations under EGRPRA in 2006 and is commencing the next decennial review. The action taken on this rule will be included as part of the EGRPRA review that is currently in progress. As part of that review, the FDIC invites comments concerning whether the Proposed Rule would impose any outdated or unnecessary regulatory requirements on insured depository institutions. If you provide such comments, please be specific and provide alternatives whenever appropriate.

Start List of Subjects

List of Subjects

12 CFR part 334

  • Fair credit reporting

12 CFR part 391

  • Fair credit reporting
End List of Subjects

Authority and Issuance

For the reasons stated in the preamble, the Board of Directors of the Federal Deposit Insurance Corporation proposes to amend part 334 and part 391 of title 12 of the Code of Federal Regulations as set forth below:

Start Part

PART 334—FAIR CREDIT REPORTING

End Part Start Amendment Part

1. The authority citation continues to read as follows:

End Amendment Part Start Authority

Authority: 12 U.S.C. 1818, 1819 (Tenth), and 1831p-1; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s-2, 1681s-3, 1681t, 1681w, 6801 et seq., Pub. L. 108-159, 117 Stat. 1952.

End Authority Start Printed Page 5076

Subpart A—General Provisions

Start Amendment Part

2. Revise § 334.1 to read as follows:

End Amendment Part
Purpose and scope.

(a) Purpose The purpose of this part is to implement the Fair Credit Reporting Act.

(b) Scope Except as otherwise provided in this part, the regulations in this part apply to insured state nonmember banks, state savings associations whose deposits are insured by the Federal Deposit Insurance Corporation, insured state licensed branches of foreign banks, and subsidiaries of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

Start Amendment Part

3. Amend § 334.3 by removing and reserving paragraphs (a), (b), (d), and (i) through (k), and adding paragraph (m) to read as follows:

End Amendment Part
Definitions.
* * * * *

(m) State savings association has the same meaning as in section 3(b)(3) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(b)(3).

Subparts C through E [Reserved]

Start Amendment Part

4. Remove and reserve subparts C, D and E consisting of §§ 334.20 through 334.43.

End Amendment Part

Subpart I—Records Disposal

Start Amendment Part

5. Rename header for subpart I as shown above.

End Amendment Part
[Removed and reserved]
Start Amendment Part

6. Remove and reserve § 334.82.

End Amendment Part

Subpart J—Identity Theft Red Flags

Start Amendment Part

7. Amend § 334.90 by revising paragraphs (a) and (b)(5) and adding paragraph (b)(11) to read as follows:

End Amendment Part
Duties regarding the detection, prevention, and mitigation of identity theft.

(a) Scope. This section applies to a financial institution or creditor that is an insured state nonmember bank, State savings association whose deposits are insured by the Federal Deposit Insurance Corporation, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

(b) * * *

(5) Creditor has the same meaning as in 15 U.S.C. 1681m(e)(4).

* * * * *

(11) State savings association has the same meaning as in section 3(b)(3) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(b)(3).

* * * * *
Start Amendment Part

8. Amend § 334.91 by revising paragraph (a) and adding paragraph (b)(3) to read as follows:

End Amendment Part
Duties of card issuers regarding change of address.

(a) Scope This section applies to an issuer of a debit or credit card (card issuer) that is an insured state nonmember bank, state savings association whose deposits are insured by the Federal Deposit Insurance Corporation, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, or investment advisers).

(b) * * *

(3) State savings association has the same meaning as in section 3(b)(3) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(b)(3).

Start Amendment Part

9. Amend supplement A to appendix J by revising example 3 to read as follows:

End Amendment Part

Appendix J to Part 334—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

* * * * *

3. A consumer reporting agency provides a notice of address discrepancy, as defined in 12 CFR 1022.82(b).

* * * * *
Start Part

PART 391—FORMER OFFICE OF THRIFT SUPERVISION REGULATIONS

End Part Start Amendment Part

10. The authority citation for part 391 is revised to read as follows:

End Amendment Part Start Authority

Authority: 12 U.S.C. 1819.

End Authority

Subpart A also issued under 12 U.S.C. 1462a; 1463; 1464; 1828; 1831p-1; 1881-1884; 15 U.S.C. 1681w; 15 U.S.C. 6801; 6805.

Subpart B also issued under 12 U.S.C. 1462a; 1463; 1464; 1828; 1831p-1; 1881-1884; 15 U.S.C.1681w; 15 U.S.C. 6801; 6805.

Subpart E also issued under 12 U.S.C. 1467a; 1468; 1817; 1831i.

Subpart C—[Removed and Reserved]

Start Amendment Part

11. Remove and reserve subpart C consisting of §§ 391.20 through 391.23 and appendix to subpart C of part 391.

End Amendment Part Start Signature

Dated at Washington, DC, this 21st day of January, 2015.

By order of the Board of Directors.

Federal Deposit Insurance Corporation.

Robert E. Feldman,

Executive Secretary.

End Signature End Supplemental Information

Footnotes

1.  Dodd-Frank Wall Street Reform and Consumer Protection Act, Public Law 111-203, 124 Stat. 1376 (2010).

Back to Citation

2.  Section 312 of the Dodd-Frank Act, codified at 12 U.S.C. 5412.

Back to Citation

3.  76 FR 39247 (July 6, 2011).

Back to Citation

4.  76 FR 47652 (Aug. 5, 2011).

Back to Citation

6.  The Dodd-Frank Act transferred the rule-writing authority of several parts of the “Fair Credit Reporting” regulations contained in parts 334 and 571, as well as the regulations of the OCC, FRB, and National Credit Union Administration (“NCUA”), to the newly created CFPB. See sections 1061 and 1088, codified at 12 U.S.C. 5581, 15 U.S.C. 1666. When the OTS regulations for state savings associations were transferred to part 391, only those portions of the regulation that were retained by the FDIC were included.

Back to Citation

7.  70 FR 70664 (Nov. 22, 2005).

Back to Citation

8.  Public Law 108-159, 117 Stat. 1952, 1999-2002 (2003).

Back to Citation

10.  70 FR 70664 (Nov. 22, 2005).

Back to Citation

13.  Public Law 108-159, 117 Stat. at 1985-86; 15 U.S.C. 1681w.

Back to Citation

15.  69 FR 77610 (Dec. 28, 2004).

Back to Citation

16.  12 CFR 334.83, 571.83 (2004).

Back to Citation

17.  Id. (both regulations stated, in relevant part, “You must properly dispose of any consumer information that you maintain or otherwise possess in accordance with the Interagency Guidelines Establishing Information Security Standards . . . to the extent the Guidelines are applicable to you.”). Both the FDIC's and the OTS's Interagency Guidelines were placed in the Safety and Soundness regulations, parts 364 and 570, respectively.

Back to Citation

18.  72 FR 63718 (Nov. 9, 2007). That rulemaking also included rules issued pursuant to section 315 of the FACT Act, which required the Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of an address discrepancy. The rule-writing authority for that rule was given to the CFPB in the Dodd-Frank Act.

Back to Citation

19.  See 12 CFR 571.83(a) (2007).

Back to Citation

20.  72 FR at 63739.

Back to Citation

21.  The scope provision of the original 2007 amendment covered all savings associations with deposits insured by the FDIC and Federal savings associations' operating subsidiaries. When the OTS disposal regulation was transferred to section 391.21, it was amended to state that the scope provision applies to “State savings associations whose deposits are insured by the Federal Deposit Insurance Corporation,” consistent with the authority given to the FDIC in the Dodd-Frank Act.

Back to Citation

22.  “The term `State savings association' means— (A) any building and loan association, savings and loan association, or homestead association; or (B) any cooperative bank (other than a cooperative bank which is a State bank as defined in subsection (a)(2) of this section), which is organized and operating according to the laws of the State (as defined in subsection (a)(3) of this section) in which it is chartered or organized.” 12 U.S.C. 1813(b)(3).

Back to Citation

23.  72 FR 63718 (Nov. 9, 2007).

Back to Citation

26.  72 FR 63718 (Nov. 9, 2007).

Back to Citation

38.  This result would be the same if the new scope provision of the Red Flags Rule as proposed in this notice of proposed rulemaking—which would add “a State savings association whose deposits are insured by the Federal Deposit Insurance Corporation”—is finalized.

Back to Citation

39.  See American Bar Ass'n v. Federal Trade Comm'n (“ABA v. FTC”), 671 F. Supp. 2d 64, 70 (D.D.C. 2009) (quoting Red Flags Rule: Frequently Asked Questions, http://www.ftc.gov/​bcp/​edu/​microsites/​redflagsrule/​faqs.shtm (since amended)), vacated as moot, 636 F.3d 641 (D.C. Cir. 2011).

Back to Citation

40.  72 FR at 63741.

Back to Citation

41.  See ABA v. FTC, 671 F. Supp. 2d at 69-70.

Back to Citation

42.  Pub. L. 111-319, 124 Stat. 3457 (2010).

Back to Citation

43.  15 U.S.C. 1681m(e)(4)(A)(i).

Back to Citation

44.  15 U.S.C. 1681m(e)(4)(A)(ii).

Back to Citation

45.  15 U.S.C. 1681m(e)(4)(A)(iii).

Back to Citation

48.  See 77 FR 72712 (Dec. 6, 2012).

Back to Citation

49.  See 79 FR 28393, 28400 (May 16, 2014) (OCC); 79 FR 30709, 30711 (May 29, 2014) (Federal Reserve Board).

Back to Citation

50.  See 78 FR 23638 (Apr. 19, 2013) (SEC and CFTC joint final rules; the CFTC “creditor” definition cited the Clarification Act provision, but also specifically listed the covered entities).

Back to Citation

51.  12 CFR part 334, supplement A to appendix J.

Back to Citation

52.  Id. at 3.

Back to Citation

53.  As amended by the Clarification Act. See discussion above.

Back to Citation

54.  See sections 1061 and 1088 of the Dodd-Frank Act.

Back to Citation

55.  See 15 U.S.C. 1681m(e); section 1088 of the Dodd-Frank Act.

Back to Citation

56.  See 15 U.S.C. 1681w; section 1088 of the Dodd-Frank Act.

Back to Citation

57.  See 15 U.S.C. 1681m(e); section 1088 of the Dodd-Frank Act.

Back to Citation

58.  The Act also did not transfer rulemaking authority under the FCRA over any motor vehicle dealer that is predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both, subject to certain exceptions. See section 1029 of the Dodd-Frank Act.

Back to Citation

59.  Those provisions include part of 12 CFR 334.1 and the definitions set out at 12 CFR 334.3(a), (b), (d), (i), and (k).

Back to Citation

61.  When propounding its new Regulation V, the CFPB made the following representation in its Regulatory Flexibility Act discussion: [T]his rule has only a minor impact on entities subject to Regulation V. Accordingly, the undersigned certifies that this interim final rule will not have a significant economic impact on a substantial number of small entities. The rule imposes no new, substantive obligations on covered entities and will require only minor, one-time adjustments to certain model form. . . . 76 FR at 79312.

Back to Citation

62.  Public Law 104-208 (Sept. 30, 1996).

Back to Citation

[FR Doc. 2015-01499 Filed 1-29-15; 8:45 am]

BILLING CODE 6714-01-P