Commodity Futures Trading Commission.
The Commodity Futures Trading Commission (“CFTC” or “Commission”) is announcing an opportunity for public comment on the proposed renewal of a collection of certain information by the agency. Under the Paperwork Reduction Act (“PRA”), Federal agencies are required to publish notice in the Federal Register concerning each proposed collection of information, including each proposed extension of an existing collection of information, and to allow 60 days for public comment. This notice solicits comments on the duties of CFTC registrants to design, develop and implement reasonable policies and procedures to identify relevant red flags (the “Identity Theft Red Flags Rules”), and potentially to notify cardholders of identity theft risks. Regulations in part 162 subpart C—Identify Theft Red Flags, including the information collection requirements thereunder, are designed to better protect investors from the risks of identity theft, and, in the case of entities that issue credit or debit cards, to assess the validity of, and communicate with cardholders regarding, address changes.
Comments must be submitted on or before August 1, 2016.
You may submit comments, identified by “Part 162 Subpart C—Identify Theft Red Flags; OMB Control No. 3038-0067,” by any of the following methods:
- The Agency's Web site, at http://comments.cftc.gov/. Follow the instructions for submitting comments through the Web site.
Mail: Christopher Kirkpatrick, Secretary of the Commission, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW., Washington, DC 20581.
Hand Delivery/Courier: Same as Mail above.
Federal eRulemaking Portal:
http://www.regulations.gov/. Follow the instructions for submitting comments through the Portal.
Please submit your comments using only one method.
All comments must be submitted in English, or if not, accompanied by an English translation. Comments will be posted as received to http://www.cftc.gov.
Start Further Info
FOR FURTHER INFORMATION CONTACT:
Sue McDonough, Office of General Counsel, Commodity Futures Trading Commission, 1155 21st Street NW., Washington, DC 20581; (202) 418-5132, email: email@example.com.
End Further Info
Start Supplemental Information
Under the PRA, Federal agencies must obtain approval from the Office of Management and Budget (OMB) for each collection of information they conduct or sponsor. “Collection of Information” is defined in 44 U.S.C. 3502(3) and 5 CFR 1320.3 and includes agency requests or requirements that members of the public submit reports, keep records, or provide information to a third party. Section 3506(c)(2)(A) of the PRA, 44 U.S.C. 3506(c)(2)(A), requires Federal agencies to provide a 60-day notice in the Federal Register concerning each proposed collection of information before submitting the collection to OMB for approval. To comply with this requirement, the CFTC is publishing notice of the proposed collection of information listed below.
Title: Part 162 Subpart C—Identify Theft Red Flags (OMB Control No. 3038-0067). This is a request for extension of a currently approved information collection.
Abstract: This collection of information is needed because under part 162 subpart C—Identify Theft, CFTC-regulated entities are required to develop and implement reasonable policies and procedures to identify, Start Printed Page 35002detect, and respond to relevant red flags (the Identity Theft Red Flags Rules) and, in the case of entities that issue credit or debit cards, to assess the validity of, and communicate with cardholders regarding, address changes. Section 162.30 includes the following information collection requirements for each CFTC-regulated entity that qualifies as a “financial institution” or “creditor” under and that offers or maintains covered accounts: (i) Creation and periodic updating of an identity theft prevention program (“Program”) that is approved by the board of directors, an appropriate committee thereof, or a designated senior management employee; (ii) periodic staff reporting to the board of directors on compliance with the Identity Theft Red Flags Rules and related guidelines; and (iii) training of staff to implement the Program. Section 162.32 includes the following information collection requirements for each CFTC-regulated entity that is a credit or debit card issuer: (i) Establishment of policies and procedures that assess the validity of a change of address notification if a request for an additional or replacement card on the account follows soon after the address change; and (ii) notification of a cardholder, before issuance of an additional or replacement card, at the previous address or through some other previously agreed-upon form of communication, or alternatively, assessment of the validity of the address change request through the entity's established policies and procedures. The Commission uses the collection of information to discharge its regulatory responsibilities to protect investors from the risks of identity theft.
With respect to the collection of information, the CFTC invites comments on:
- Whether the proposed collection of information is necessary for the proper performance of the functions of the CFTC, including whether the information will have a practical use;
- The accuracy of the CFTC's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used;
- Ways to enhance the quality, usefulness, and clarity of the information to be collected; and
- Ways to minimize the burden of collection of information on those who are to respond, including through the use of appropriate automated electronic, mechanical, or other technological collection techniques or other forms of information technology; e.g., permitting electronic submission of responses.
You should submit only information that you wish to make available publicly. If you wish the CFTC to consider information that you believe is exempt from disclosure under the Freedom of Information Act, a petition for confidential treatment of the exempt information may be submitted according to the procedures established in § 145.9 of the CFTC's regulations.
The CFTC reserves the right, but shall have no obligation, to review, pre-screen, filter, redact, refuse or remove any or all of your submission from http://www.cftc.gov that it may deem to be inappropriate for publication, such as obscene language. All submissions that have been redacted or removed that contain comments on the merits of the ICR will be retained in the public comment file and will be considered as required under the Administrative Procedure Act and other applicable laws, and may be accessible under the Freedom of Information Act.
Burden Statement: CFTC staff estimates of the hour burdens associated with section 162.30 include the one-time burden of complying with this section for newly-formed CFTC-regulated entities, as well as the ongoing costs of compliance for all CFTC-regulated entities. With respect to the one-time burden hours, staff estimates that each newly-formed financial institution or creditor would incur a burden of 2 hours to conduct an initial assessment of covered accounts. Staff estimates that approximately 572 CFTC-regulated financial institutions and creditors are newly formed each year, and the total estimated one-time burden to initially assess covered accounts is therefore 1,144 hours. Staff also estimates that each financial institution or creditor that maintains covered accounts would incur an additional initial burden of 29 hours to develop and obtain board approval of a Program and hours to train the staff of the financial institution or creditor. Staff estimates that approximately 47 
CFTC-regulated financial institutions and creditors that maintain covered accounts are newly formed each year, and thus the total estimated one-time burden to develop and obtain board approval of a Program and train staff is 1,363 hours. Thus, the total initial estimated burden for all newly-formed CFTC-regulated entities is 2,507 hours (1,144 hours + 1,363 hours).
With respect to ongoing annual burden hours, CFTC staff estimates that each financial institution or creditor would incur a burden of 2 hours to periodically assess whether it offers or maintains covered accounts. Staff estimates that there are approximately 3,956 CFTC-regulated entities that are either financial institutions or creditors, and the total estimated annual burden to periodically assess covered accounts is therefore 7,912 hours. Staff also estimates that each financial institution or creditor that maintains covered accounts would incur an additional annual burden of 4 hours to prepare and present an annual report to the board and 2 hours to periodically review and update the Program. Staff estimates that there are approximately 47 CFTC-regulated entities that are financial institutions or creditors that offer or maintain covered accounts, and thus the total estimated additional annual burden for these entities is 282 hours. Thus, the total ongoing annual estimated burden for all CFTC-regulated entities is 8,194 hours (7912 hours + 282 hours).
The collections of information required by section 162.32 will apply only to CFTC-regulated entities that issue credit or debit cards. CFTC staff understands that CFTC-regulated entities generally do not issue credit or debit cards, but instead may partner with other entities, such as banks, that issue cards on their behalf. These other entities, which are not regulated by the CFTC, are already subject to substantially similar change of address obligations pursuant to other federal regulators' identity theft red flags rules. Therefore, staff does not expect that any CFTC-regulated entities will be subject to the information collection requirements of section 163.32, and Start Printed Page 35003accordingly, staff estimates that there is no hour burden related to section 162.32 for CFTC-regulated entities.
In total, CFTC staff estimates that the aggregate annual information collection burden of part 162 subpart C—Identity Theft is 10,701 hours (2,507 hours + 8,194 hours). Compliance with part 162 subpart C—Identity Theft, including compliance with the information collection requirements thereunder, is mandatory for each CFTC regulated entity that qualifies as a “financial institution” or “creditor” under Part 162 Subpart C—Identity Theft (as discussed above, certain collections of information under Part 162 Subpart C—Identity Theft are mandatory only for financial institutions or creditors that offer or maintain covered accounts).
Frequency of collection: Ongoing. There are no capital costs or operating and maintenance costs associated with this collection.
End Supplemental Information
Dated: May 26, 2016.
Robert N. Sidman,
Deputy Secretary of the Commission.
[FR Doc. 2016-12858 Filed 5-31-16; 8:45 am]
BILLING CODE 6351-01-P