Federal Trade Commission (“FTC” or “Commission”).
The FTC intends to ask the Office of Management and Budget (“OMB”) to extend through November 30, 2018, the current Paperwork Reduction Act (“PRA”) clearance for the information collection requirements in the FTC Red Flags, Card Issuers, and Address Discrepancies Rules 
(“Rules”). That clearance expires on November 30, 2015.
Comments must be submitted by September 18, 2015.
Interested parties may file a comment online or on paper by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write “Red Flags Rule, PRA Comment, Project No. P095406” on your comment, and file your comment online at https://ftcpublic.commentworks.com/ftc/RedFlagsPRA by following the instructions on the web-based form. If you prefer to file your comment on paper, mail or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC-5610 (Annex J), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex J), Washington, DC 20024.
Start Further Info
FOR FURTHER INFORMATION CONTACT:
Requests for additional information should be addressed to Steven Toporoff, Attorney, Bureau of Consumer Protection, (202) 326-2252, Federal Trade Commission, 600 Pennsylvania Avenue, Washington, DC 20580.
End Further Info
Start Supplemental Information
I. Overview of the Rules
The Red Flags Rule requires financial institutions and certain creditors to develop and implement written Identity Start Printed Page 42807Theft Prevention Programs (“Program”). The Card Issuers Rule requires credit and debit card issuers (“card issuers”) to assess the validity of notifications of address changes under certain circumstances. The Address Discrepancy Rule provides guidance on what users of consumer reports must do when they receive a notice of address discrepancy from a nationwide consumer reporting agency (“CRA”). Collectively, these three anti-identity theft provisions are intended to prevent impostures from misusing another person's personal information for a fraudulent purpose.
The Rules implement sections 114 and 315 of the Fair Credit Reporting Act (“FCRA”), 15 U.S.C. 1681 et seq., to require businesses to undertake measures to prevent identity theft and increase the accuracy of consumer reports.
Since promulgation of the original Rule, President Obama signed the Red Flag Program Clarification Act of 2010 (“Clarification Act”), which narrowed the definition of “creditor” for purposes of the Red Flags Rule. Specifically, the Clarification Act limits application of the Red Flags Rule to creditors that regularly and in the ordinary course of business: (1) Obtain or use consumer reports, directly or indirectly, in connection with a credit transaction; (2) furnish information to consumer reporting agencies in connection with a credit transaction; or (3) advance funds to or on behalf of a person, based on a person's obligation to repay the funds to or on behalf of a person, based on a person's obligation to repay the funds or on repayment from specific property pledged by or on the person's behalf. This third prong does not include a creditor that advances funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.
II. Description of Collection of Information
A. FCRA Section 114
The Red Flags Rule requires financial institutions and covered creditors to develop and implement a written Program to detect, prevent, and mitigate identity theft in connection with existing accounts or the opening of new accounts. Under the Rule, financial institutions and certain creditors must conduct a periodic risk assessment to determine if they maintain “covered accounts.” The Rule defines the term “covered account” as either: (1) A consumer account that is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk of identity theft. Each financial institution and covered creditor that has covered accounts must create a written Program that contains reasonable policies and procedures to identify relevant indicators of the possible existence of identity theft (“red flags”); detect red flags that have been incorporated into the Program; respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and update the Program periodically to ensure it reflects change in risks to customers.
The Red Flags Rule also requires financial institutions and covered creditors to: (1) Obtain approval of the initial written Program by the board of directors; a committee thereof or, if there is no board, an appropriate senior employee; (2) ensure oversight of the development, implementation, and administration of the Program; and (4) exercise appropriate and effective oversight of service provider arrangements.
In addition, the Rules implement the section 114 requirement that card issuers generally must assess the validity of change of address notifications. Specifically, if the card issuer receives a notice of change of address for an existing account and, within a short period of time (during at least the first 30 days), receives a request for an additional or replacement card for the same account, the issuer must follow reasonable policies and procedures to assess the validity of the change of address.
B. FCRA Section 315
In implementing section 315 of the FCRA, the Rules require each user of consumer reports to have reasonable policies and procedures in place to employ when the user receives a notice of address discrepancy from a CRA. Specifically, each user of consumer reports must develop reasonable policies and procedures to: (1) Enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy; and (2) furnish an address for the consumer that the user has reasonably confirmed is accurate to the CRA from which it receives a notice of address discrepancy, if certain conditions are met.
III. Burden Estimates
Under the PRA, 44 U.S.C. 3501-3521, Federal agencies must get OMB approval for each collection of information they conduct or sponsor. “Collection of information” includes agency requests or requirements to submit reports, keep records, or provide information to a third party. 44 U.S.C. 3502(3); 5 CFR 1320.3(c). The figures below reflect FTC staff's estimates of the hours burden and labor costs to complete the tasks described above that fall within reporting, disclosure, or recordkeeping requirements. FTC staff believes that the Rules impose negligible capital or other non-labor costs, as the affected entities are likely to have the necessary supplies and/or equipment already (e.g., offices and computers) for the information collection described herein.
Overall estimated burden hours regarding sections 114 and 315, combined, total 2,296,863 hours and the associated estimated labor costs are $92,465,982. Staff assumes that affected entities will already have in place, independent of the Rule, equipment and supplies necessary to carry out the tasks necessary to comply with it.
A. FCRA Section 114
1. Estimated Hours Burden—Red Flags Rule
As noted above, the Rule requires financial institutions and certain creditors with covered accounts to develop and implement a written Program. Under the FCRA, financial institutions over which the FTC has jurisdiction include state chartered credit unions and certain insurance companies.
Although narrowed by the Clarification Act, the definition of “creditor” still covers a broad array of entities. Moreover, the Clarification Act does not set forth any exemptions from Rule coverage. Rather, application of the Rule depends upon an entity's course of conduct, not its status as a particular type of business. For these reasons, it is difficult to determine precisely the number of creditors subject to the FTC's jurisdiction. There are numerous small businesses under the FTC's jurisdiction that may qualify as “creditors,” and there is no formal way to track them. Nonetheless, FTC staff estimates that the Rule's requirement to have a written Program affects 6,298 financial institutions 
and 162,295 creditors.
Start Printed Page 42808
To estimate burden hours for the Red Flags Rule under section 114, FTC staff divided affected entities into two categories, based on the nature of their business: (1) Entities that are subject to high risk of identity theft and (2) entities that are subject to a low risk of identity theft, but have covered accounts that will require them to have a written Program.
a. High-Risk Entities
FTC staff estimates that high-risk entities 
will each require 25 hours to create and implement a written Program, with an annual recurring burden of one hour. FTC staff anticipates that these entities will incorporate into their Program policies and procedures that they likely already have in place. Further, FTC staff estimates that preparation for an annual report will require each high-risk entity four hours initially, with an annual recurring burden of one hour. Finally, FTC staff believes that many of the high-risk entities, as part of their usual and customary business practice, already take steps to minimize losses due to fraud, including conducting employee training. Accordingly, only relevant staff need be trained to implement the Program: For example, staff already trained as part of a covered entity's anti-fraud prevention efforts do not need to be re-trained as incrementally needed. FTC staff estimates that training connected with the implementation of a Program of a high-risk entity will require four hours, and annual training thereafter will require one hour.
Thus, estimated hours for high-risk entities are as follows:
- 101,328 high-risk entities subject to the FTC's jurisdiction at an average annual burden of 13 hours per entity [average annual burden over 3-year clearance period for creation and implementation of a Program ((25+1+1)/3), plus average annual burden over 3-year clearance period for staff training ((4+1+1)/3), plus average annual burden over 3-year clearance period for preparing an annual report ((4+1+1)/3)], for a total of 1,317,264 hours.
b. Low-Risk Entities
Entities that have a minimal risk of identity theft,
but that have covered accounts, must develop a Program; however, they likely will only need a streamlined Program. FTC staff estimates that such entities will require one hour to create such a Program, with an annual recurring burden of five minutes. Training staff of low-risk entities to be attentive to future risks of identity theft should require no more than 10 minutes in an initial year, with an annual recurring burden of five minutes. FTC staff further estimates that these entities will require, initially, 10 minutes to prepare an annual report, with an annual recurring burden of five minutes.
Thus, the estimated hours burden for low-risk entities is as follows:
- 60,974 low risk entities that have covered account subject to the FTC's jurisdiction at an average annual burden of approximately 37 minutes per entity [average annual burden over 3-year clearance period for creation and implementation of streamlined Program ((60+5+5)/3), plus average annual burden over 3-year clearance period for staff training ((10+5+5)/3), plus average annual burden over 3-year clearance period for preparing annual report ((10+5+5)/3], for a total of 37,600 hours.
2. Estimated Hours Burden—Card Issuers Rule
As noted above, section 114 also requires financial institutions and covered creditors that issue credit or debit cards to establish policies and procedures to assess the validity of a change of address request, including notifying the cardholder or using another means of assessing the validity of the change of address.
- FTC staff estimates that the Rule affects as many as 16,301 
card issues within the FTC's jurisdiction. FTC staff believes that most of these card issuers already have automated the process of notifying the cardholder or are using another means to assess the validity of the change of address, such that implementation will pose no further burden. Nevertheless, taking a conservative approach, FTC staff estimates that it will take each card issuer 4 hours to develop and implement policy and procedures to assess the validity of a change of address request for a total burden of 65,204 hours.
Thus, the total average annual estimated burden for Section 114 is 1,420,068 hours.
3. Estimated Cost Burden—Red Flags and Card Issuers Rules
The FTC staff estimates labor costs by applying appropriate estimated hourly cost figures to the burden hours described above. It is difficult to calculate with precision the labor costs associated with compliance with the Rule, as they entail varying compensation levels of management (e.g., administrative services, computer and information systems, training and development) and/or technical staff (e.g., computer support specialists, systems analysts, network and computer systems administrators) among companies of different sizes. FTC staff assumes that for all entities, professional technical personnel and/or management personnel will create and implement the Program, prepare the annual report, and train employees, at an hourly rate of $54.
Based on the above estimates and assumptions, the total annual labor costs for all categories of covered entities under the Red Flags and Card Issuers Rules for Section 114 is $76,683,672 (1,420,068 hours x $54).
B. FCRA Section 315—The Address Discrepancy Rule
As discussed above, the Rule's implementation of Section 315 provides guidance on reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a CRA. Given the broad scope of users of consumer reports, it is difficult to determine with precision the number of users of consumer reports that are subject to the FTC's jurisdiction. As noted above, there are numerous small businesses under the FTC's jurisdiction, and there is no formal way to track them; moreover, as a whole, the entities under the FTC's jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the Rule's implementation of section 315 affects approximately 1,875,275 users of Start Printed Page 42809consumer reports subject to the FTC's jurisdiction.
Commission staff estimates that approximately 10,000 of these users will receive notice of a discrepancy, in the course of their usual and customary business practices, and thereby have to furnish to CRAs an address confirmation.
For section 315, as detailed below, FTC staff estimates that the average annual burden during the three-year period for which OMB clearance is sought will be 876,795 hours with an associated labor cost of $15,782,310.
1. Estimated Hours Burden
Prior to enactment of the Address Discrepancy Rule, users of consumer reports could compare the address on a consumer report to the address provided by the consumer and discern for themselves any discrepancy. As a result, FTC staff believes that many users of consumer reports have developed methods of reconciling address discrepancies, and the following estimates represent the incremental amount of time users of consumer reports may require to develop and comply with the policies and procedures for when they receive a notice of address discrepancy.
a. Customer Verification
Given the varied nature of the entities under the FTC's jurisdiction, it is difficult to determine precisely the appropriate burden estimates. Nonetheless, FTC staff estimates that it would require an infrequent user of consumer reports no more than 16 minutes to develop and comply with the policies and procedures that it will employ when it receives a notice of address discrepancy, while a frequent user might require one hour. Similarly, FTC staff estimates that, during the remaining two years of clearance, it may take an infrequent user no more than one minute to comply with the policies and procedures it will employ when it receives a notice of address discrepancy, while a frequent user might require 45 minutes. Taking into account these extremes, FTC staff estimates that, during the first year, it will take users of consumer reports under the FTC's jurisdiction an average of 38 minutes [the midrange between 16 minutes and 60 minutes] to develop and comply with the policies and procedures that they will employ when they receive a notice of address discrepancy. FTC staff also estimates that the average recurring burden for users of consumer reports to comply with the Rule will be 23 minutes [the midrange between one minute and 45 minutes].
Thus, for these 1,875,275 entities, the average annual burden for each of them to perform these collective tasks will be 28 minutes [(38 + 23 + 23) ÷ 3]; cumulatively, 875,128 hours.
b. Address Verification
For the estimated 10,000 users of consumer reports that will additionally have to furnish to CRAs an address confirmation upon notice of a discrepancy, staff estimates that these entities will require, initially, 30 minutes to develop related policies and procedures. But, these 10,000 affected entities likely will have automated the process of furnishing the correct address in the first year of a three-year PRA clearance cycle. Thus, allowing for 30 minutes in the first year, with no annual recurring burden in the second and third years of clearance, yields an average annual burden of 10 minutes per entity to furnish a correct address to a CRA, for a total of 1,667 hours.
2. Estimated Cost Burden
FTC staff assumes that the policies and procedures for compliance with the address discrepancy part of the Rule will be set up by administrative support personnel at an hourly rate of $18.
Based on the above estimates and assumptions, the total annual labor cost for the two categories of burden under section 315 is $15,782,310.
C. Burden Totals for FCRA Sections 114 and 315
Cumulatively, then, estimated burden is 2,296,863 hours (1,420,068 hours for section 114 and 876,795 hours for section 315) and $92,465,982 ($76,683,672 and $15,782,310) in associated labor costs.
IV. Request for Comment
You can file a comment online or on paper. For the FTC to consider your comment, we must receive it on or before [60 days after publication]. Write: “Red Flags Rule, PRA Comment, Project No. P095406” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at http://ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to remove individual's home contact information from comments before placing them on the Commission Web site.
Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, like anyone's Social Security number, date of birth, driver's license number, or other state identification number of foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any “[t]rade secret or any commercial or financial information . . . which is privileged or confidential]” as provided in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, don't include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns devices, manufacturing processes, or customer names.
If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and you have to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c).
Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest.
Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https://ftcpublic.commentworks.com/ftc/RedFlagsPRA, by following the instructions on the web-based form. When this Notice appears at http://www.regulations.gov/#!home, you also Start Printed Page 42810may file a comment through that Web site.
If you file your comment on paper, write “Red Flags Rule PRA, Project No. P095406” on your comment and on the envelope, and mail or deliver it to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite CC-5610 (Annex J), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.
End Supplemental Information
David C. Shonka,
Principal Deputy General Counsel.
[FR Doc. 2015-17764 Filed 7-17-15; 8:45 am]
BILLING CODE 6750-01-P