
Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act)

OMB: 1557-0237


SUPPORTING STATEMENT

Identity Theft Red Flags and Address Discrepancies

Under the FACT Act of 2003

(New Collection)


  A. JUSTIFICATION


The OCC issued a notice of proposed rulemaking together with the FRB, FDIC, OTS, NCUA, and FTC to implement sections 114 and 315 of the FACT Act, which require that the agencies issue guidelines and regulations regarding identity theft. 71 FR 40786 (July 18, 2006). The OCC filed an ICR for the new collection using ROCIS on July 18, 2006.


The OCC received a Notice of Action on September 7, 2006 indicating that a comment was filed on the proposed rule. The OTS received approval on September 13, 2006 and was assigned OMB Control No. 1557-0113 and an expiration date of September 30, 2009. As the OTS and OCC rules were proposed jointly and are identical, the OCC requests that a control number be assigned and an expiration date identical to OTS's be given prior to issuance of the joint final rule.


  1. Circumstances that make the collection necessary

The OCC requests OMB approval for the collections of information contained in the attached joint proposed rulemaking, which implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Pub. L. No. 108-159 (2003).

FACT Act Section 114

Section 114 amends section 615 of the Fair Credit Reporting Act (FCRA) to require the OCC, FRB, FDIC, OTS, NCUA, and FTC (Agencies) to issue jointly:


  • Guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary, and cannot be inconsistent with the policies and procedures required under section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l).

  • Regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines to identify possible risks to account holders or customers or to the safety and soundness of the institution or creditor (Red Flag Regulations).

  • Regulations generally requiring credit and debit card issuers to assess the validity of change of address requests.

FACT Act Section 315

Section 315 amends section 605 of the FCRA to require the Agencies to issue regulations providing guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency (CRA). These regulations must describe reasonable policies and procedures for users of consumer reports to:

  • Enable a user to form a reasonable belief that it knows the identity of the person for whom it has obtained a consumer report, and

  • Reconcile the address of the consumer with the CRA, if the user establishes a continuing relationship with the consumer and regularly and in the ordinary course of business furnishes information to the CRA.


  2. Use of the Information Collected


FACT Act Section 114


As required by section 114, the Agencies are jointly proposing guidelines for financial institutions and creditors identifying patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. In addition, the Agencies are proposing joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures to address the risk of identity theft that incorporate the guidelines. Credit card and debit card issuers must develop policies and procedures to assess the validity of a request for a change of address under certain circumstances.


The information collections pursuant to section 114 would require each financial institution and creditor to create an Identity Theft Prevention Program (Program) and report to the board of directors, a committee thereof, or senior management at least annually on compliance with the proposed regulations. In addition, staff must be trained to carry out the Program. Each credit and debit card issuer would be required to establish policies and procedures to assess the validity of a change of address request. The card issuer must notify the cardholder or use another means to assess the validity of the change of address.


FACT Act Section 315


The joint proposed regulations would provide guidance on reasonable policies and procedures that a user of consumer reports must follow when a user receives a notice of address discrepancy from a CRA.


The information collections in the proposed regulations implementing section 315 would require each user of consumer reports to develop reasonable policies and procedures that it will follow when it receives a notice of address discrepancy from a consumer reporting agency. A user of consumer reports must furnish an address that the user has reasonably confirmed to be accurate to the CRA from which it receives a notice of address discrepancy.


  3. Consideration of the use of improved information technology


The supplementary information issued in connection with the proposed Red Flag Regulations explains that the Agencies attempted to draft the Red Flag Regulations in a flexible, technologically neutral manner that would not require financial institutions or creditors to acquire expensive new technology to comply with the Red Flag Regulations, and also would not prevent financial institutions and creditors from continuing to use their own or a third party’s computer-based products.


A respondent may use any effective information technology it chooses to reduce any burden associated with the proposed regulations implementing sections 114 and 315 of the FACT Act.


  4. Efforts to identify duplication


There is no duplication.


  5. Methods used to minimize burden if the collection has a significant impact on a substantial number of small entities


The collection applies to all national banks, federal branches and agencies and their subsidiaries that are not functionally regulated, regardless of size. Further, this information collection does not have a significant impact on a substantial number of small entities.


  6. Consequences to the Federal program if the collection were conducted less frequently


The burden associated with this proposed rulemaking is largely attributable to the policies and procedures that a respondent must develop to create a Program, to assess the validity of a change of address request, and to respond to notices of address discrepancy. Once they are developed, these policies and procedures will only need to be adjusted if they become ineffective. Similarly, staff will need to be trained only once, unless policies and procedures change.

The Agencies believe that the board, a committee of the board, or senior management should monitor the respondent’s compliance with the Red Flag Regulations through the review of annual reports that assess the effectiveness of the respondent’s Program. Hence, the proposed rulemaking requires annual reports to the board or senior management. However, the Agencies have requested comment on the frequency with which reports should be prepared.


  7. Special circumstances necessitating collection inconsistent with 5 CFR part 1320


No special circumstances exist.


  8. Consultation with persons outside the agency

Six agencies (Board, FDIC, FTC, NCUA, OCC, OTS) collaborated to draft this proposed rulemaking.


  9. Payment to respondents


Not applicable.


  10. Confidentiality


Not applicable.


  11. Information of a Sensitive Nature


Not applicable.


  12. Burden estimate

Section 114 of the FACT Act: The OCC estimates that it will initially take the respondents 25 hours to create the Program outlined in the proposed rule, 4 hours to prepare an annual report, and 2 hours to train staff to implement the Program.


The OCC estimates that it will take the respondents 4 hours to develop policies and procedures to assess the validity of a change of address request.


The OCC believes that most of the respondents already employ a variety of measures to detect and address identity theft that are required by the proposed regulation because these are usual and customary business practices that they engage in to minimize losses due to fraud. In addition, the OCC believes that respondents already have implemented some of the requirements of the proposed regulation implementing section 114 as a result of having to comply with other existing regulations and guidance issued by the OCC or the Federal Financial Institutions Examination Council regarding information security, authentication, identity theft, and response programs.


The OCC also believes that the respondents already assess the validity of change of address requests and, for the most part, have automated the process of notifying the cardholder or using other means to assess the validity of changes of address. Therefore, implementation of this requirement will pose no further burden. Accordingly, these estimates represent the incremental amount of time the OCC believes it will take respondents to create a written Program that incorporates the policies and procedures that covered entities are likely to already have in place, the incremental time to train staff to implement the Program, to establish policies and procedures to assess the validity of changes of address, and to notify cardholders, as appropriate.


Section 315: The OCC estimates that it will take respondents 4 hours to develop policies and procedures that they will employ when they receive a notice of address discrepancy. The OCC believes that respondents already are furnishing this information to CRAs because it is a usual and customary business practice. Therefore, the OCC estimates that there will be no implementation burden. Thus the burden associated with this collection of information may be summarized as follows:


Number of respondents: 2,100

Estimated time per response: 39 hours

  • Developing program: 25 hours

  • Preparing annual report: 4 hours

  • Training: 2 hours

  • Developing policies and procedures to assess validity of changes of address: 4 hours

  • Developing policies and procedures to respond to notices of address discrepancy: 4 hours

Total estimated annual burden: 81,900 hours



  13. Estimate of annualized costs to respondents


Not applicable.


  14. Estimate of annualized costs to the government


Not applicable.


  15. Changes to burden


This is a new collection; therefore, there will be a program change increase of 2,100 respondents and 81,900 burden hours to the OCC’s information collection budget.

  16. Information regarding collections whose results are planned to be published for statistical use


The results of these collections will not be published for statistical use.

17. Display of expiration date


Not applicable.


18. Exceptions to certification statement


None.


  B. STATISTICAL METHODS


Not applicable.



File Type: application/msword
File Title: PAPERWORK REDUCTION ACT SUBMISSION
Author: FDIC
Last Modified By: Mary.Gottlieb
File Modified: 2007-09-11
File Created: 2007-09-11
