
Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act)


SUPPORTING STATEMENT

Identity Theft Red Flags and Address Discrepancies

Under the FACT Act of 2003

(OMB Control No. 1557-0237)


  A. JUSTIFICATION


The OCC issued a notice of proposed rulemaking and final rule together with the FRB, FDIC, OTS, NCUA, and FTC to implement sections 114 and 315 of the FACT Act, which require that the agencies issue guidelines and regulations regarding identity theft. 71 FR 40786 (July 18, 2006). 72 FR 63718 (November 9, 2007).


This submission is a request for a nonmaterial change to the collection. While the information collection requirements approved at the proposed rule stage remain unchanged at the final rule stage, the agencies have adjusted the burden estimates to respond to comments received.


1. Circumstances that make the collection necessary:

The OCC requests OMB approval for the collections of information contained in the attached joint proposed rulemaking, which implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Pub. L. No. 108-159 (2003).

FACT Act Section 114

Section 114 amends section 615 of the Fair Credit Reporting Act (FCRA) to require the OCC, FRB, FDIC, OTS, NCUA, and FTC (Agencies) to issue jointly:


  • Guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary, and cannot be inconsistent with the policies and procedures required under section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l).

  • Regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines to identify possible risks to account holders or customers or to the safety and soundness of the institution or creditor (Red Flag Regulations).

  • Regulations generally requiring credit and debit card issuers to assess the validity of change of address requests.

FACT Act Section 315

Section 315 amends section 605 of the FCRA to require the Agencies to issue regulations providing guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency (CRA). These regulations must describe reasonable policies and procedures for users of consumer reports to:

  • Enable a user to form a reasonable belief that it knows the identity of the person for whom it has obtained a consumer report, and

  • Reconcile the address of the consumer with the CRA, if the user establishes a continuing relationship with the consumer and regularly and in the ordinary course of business furnishes information to the CRA.


2. Use of the Information Collected:


FACT Act Section 114


As required by section 114, the Agencies are jointly proposing guidelines for financial institutions and creditors identifying patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. In addition, the Agencies are proposing joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures to address the risk of identity theft that incorporate the guidelines. Credit card and debit card issuers must develop policies and procedures to assess the validity of a request for a change of address under certain circumstances.


The information collections pursuant to section 114 would require each financial institution and creditor to create an Identity Theft Prevention Program (Program) and report to the board of directors, a committee thereof, or senior management at least annually on compliance with the proposed regulations. In addition, staff must be trained to carry out the Program. Each credit and debit card issuer would be required to establish policies and procedures to assess the validity of a change of address request. The card issuer must notify the cardholder or use another means to assess the validity of the change of address.


FACT Act Section 315


The joint proposed regulations would provide guidance on reasonable policies and procedures that a user of consumer reports must follow when a user receives a notice of address discrepancy from a CRA.


The information collections in the proposed regulations implementing section 315 would require each user of consumer reports to develop reasonable policies and procedures that it will follow when it receives a notice of address discrepancy from a consumer reporting agency. A user of consumer reports must furnish an address that the user has reasonably confirmed to be accurate to the CRA from which it receives a notice of address discrepancy.


3. Consideration of the use of improved information technology:


The supplementary information issued in connection with the proposed Red Flag Regulations explains that the Agencies attempted to draft the Red Flag Regulations in a flexible, technologically neutral manner that would not require financial institutions or creditors to acquire expensive new technology to comply with the Red Flag Regulations, and also would not prevent financial institutions and creditors from continuing to use their own or a third party’s computer-based products.


A respondent may use any effective information technology it chooses to reduce any burden associated with the proposed regulations implementing sections 114 and 315 of the FACT Act.


4. Efforts to identify duplication:


There is no duplication.


5. Methods used to minimize burden if the collection has a significant impact on a substantial number of small entities:


The collection applies to all national banks, federal branches and agencies and their subsidiaries that are not functionally regulated, regardless of size. Further, this information collection does not have a significant impact on a substantial number of small entities.


6. Consequences to the Federal program if the collection were conducted less frequently:


The burden associated with this proposed rulemaking is largely attributable to the policies and procedures that a respondent must develop to create a Program, to assess the validity of a change of address request, and to respond to notices of address discrepancy. Once they are developed, these policies and procedures will only need to be adjusted if they become ineffective. Similarly, staff will need to be trained only once, unless policies and procedures change.

The Agencies believe that the board, a committee of the board, or senior management should monitor the respondent’s compliance with the Red Flag Regulations through the review of annual reports that assess the effectiveness of the respondent’s Program. Hence, the proposed rulemaking requires annual reports to the board or senior management. However, the Agencies have requested comment on the frequency with which reports should be prepared.


7. Special circumstances necessitating collection inconsistent with 5 CFR part 1320:


No special circumstances exist.


8. Consultation with persons outside the agency:

The Agencies issued a notice of proposed rulemaking for comment. 71 FR 40786 (July 18, 2006).


Several commenters specifically addressed PRA burden; however, they did not provide specific estimates of additional burden hours that would result from the proposal. Some of these commenters stated that staff training estimates were significantly underestimated. Other commenters stated that the costs of compliance failed to consider the cost to third-party service providers that the commenters characterized as being required to implement the Program.


The Agencies believe that many of the comments received regarding burden stemmed from commenters’ misreading of the requirements of the proposed rulemaking. The final rulemaking clarifies these requirements, including those that relate to the information collections.


9. Payment to respondents:


Not applicable.


10. Confidentiality:


Not applicable.


11. Information of a Sensitive Nature:


Not applicable.


12. Burden estimate:


The Agencies continue to believe that most covered entities already employ a variety of measures to detect and address identity theft that are required by section 114 of the final rulemaking because these are usual and customary business practices that they employ to minimize losses due to fraud. In addition, the Agencies believe that many financial institutions and creditors already have implemented some of the requirements of the final rules implementing section 114 as a result of having to comply with other existing regulations and guidance, such as the CIP regulations implementing section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l) (that require verification of the identity of persons opening new accounts),1 the Information Security Standards that implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801, and section 216 of the FACT Act, 15 U.S.C. 1681w,2 and guidance issued by the Agencies or the Federal Financial Institutions Examination Council regarding information security, authentication, identity theft, and response programs.3


The final rulemaking underscores the ability of a financial institution or creditor to incorporate into its Program its existing processes that control reasonably foreseeable risks to customers or to its own safety and soundness from identity theft, such as those already developed in connection with the covered entity’s fraud prevention program. Thus, the burden estimate attributable to the creation of a Program is unchanged.


The final rulemaking also clarifies that only relevant staff need be trained to implement the Program, as necessary -- meaning that staff already trained, for example, as a part of a covered entity’s anti-fraud prevention efforts do not need to be re-trained except as necessary. Despite this clarification, in response to comments received, the Agencies are increasing the burden estimates attributable to training from two to four hours.


The Agencies’ estimates attribute all burden to covered entities, which are entities directly subject to the requirements of the final rulemaking. A covered entity that outsources activities to a third-party service provider is, in effect, reallocating to that service provider the burden that it would otherwise have carried itself. Under these circumstances, burden is, by contract, shifted from the covered entity to the service provider, but the total amount of burden is not increased. Thus, third-party service provider burden is already included in the burden estimates provided for covered entities.

The Agencies continue to believe that card issuers already assess the validity of change of address requests and, for the most part, have automated the process of notifying the cardholder or using other means to assess the validity of changes of address. Further, as commenters requested, the final rulemaking clarifies that card issuers may satisfy the requirements of this section by verifying the address at the time the address change notification is received, before a request for an additional or replacement card. Therefore, the estimates attributable to this portion of the rulemaking are unchanged.


Regarding the final rules implementing section 315, the Agencies recognize that users of consumer reports will need to develop policies and procedures to employ upon receiving a notice of address discrepancy in order to: (1) ensure that the user has obtained the correct consumer report for the consumer; and (2) confirm the accuracy of the address the user furnishes to the CRA. However, under the final rules, a user only must furnish a confirmed address to a CRA for new relationships. Thus, the required policies and procedures will no longer need to address the furnishing of confirmed addresses for existing relationships, and users will not need to furnish to the CRA in connection with existing relationships an address the user reasonably confirmed is accurate.

The Agencies believe that users of credit reports covered by the final rules, on a regular basis, already furnish information to CRAs in response to notices of address discrepancy because it is a usual and customary business practice -- except in connection with new deposit relationships. For the proposed rulemaking, the Agencies had estimated that there would be no implementation burden associated with furnishing confirmed addresses to CRAs. However, as the result of additional research, the Agencies now believe that some burden should be attributable to this collection, to account for information furnished to CRAs for new deposit relationships. Because this burden is offset by the reduction in burden described above, the estimates for the collections attributable to the final rules implementing section 315 remain unchanged.


The Agencies continue to believe that 25 hours to develop a Program, four hours to prepare an annual report, four hours to develop policies and procedures to assess the validity of changes of address, and four hours to develop policies and procedures to respond to notices of address discrepancy, are reasonable estimates.


Number of respondents: 1,806

Estimated time per respondent: 41 hours

  • Developing program: 25 hours

  • Preparing annual report: 4 hours

  • Training: 4 hours

  • Developing policies and procedures to assess validity of changes of address: 4 hours

  • Developing policies and procedures to respond to notices of address discrepancy: 4 hours

Total estimated annual burden: 74,046 hours


13. Estimate of annualized costs to respondents:


Not applicable.


14. Estimate of annualized costs to the government:


Not applicable.


15. Changes to burden:


Adjustment of -294 respondents; +2 burden hours per respondent; -7,854 total burden hours.

16. Information regarding collections whose results are planned to be published for statistical use:


The results of these collections will not be published for statistical use.

17. Display of expiration date:


Not applicable.


18. Exceptions to certification statement:


None.


  B. STATISTICAL METHODS


Not applicable.

1 See, e.g., 31 CFR 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 CFR 103.122 (broker-dealers); 31 CFR 103.123 (futures commission merchants).

2 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D-2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, app. A and B, and 12 CFR 717 (credit unions); 16 CFR part 314 (financial institutions that are not regulated by the Board, FDIC, NCUA, OCC and OTS).

3 See, e.g., 12 CFR part 30, supp. A to app. B (national banks); 12 CFR part 208, supp. A to app. D-2 and part 225, supp. A to app. F (state member banks and holding companies); 12 CFR part 364, supp. A to app. B (state non-member banks); 12 CFR part 570, supp. A to app. B (savings associations); 12 CFR 748, app. A and B (credit unions); Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook’s Information Security Booklet (the “IS Booklet”) available at http://www.ffiec.gov/guides.htm; FFIEC “Authentication in an Internet Banking Environment” available at http://www.ffiec.gov/pdf/authentication_guidance.pdf; Board SR 01-11 (Supp) (Apr. 26, 2001) available at: http://www.federalreserve.gov/boarddocs/srletters/2001/sr0111.htm; “Guidance on Identity Theft and Pretext Calling,” OCC AL 2001-4 (April 30, 2001); “Identity Theft and Pretext Calling,” OTS CEO Letter #139 (May 4, 2001); NCUA Letter to Credit Unions 01-CU-09, “Identity Theft and Pretext Calling” (Sept. 2001); OCC 2005-24, “Threats from Fraudulent Bank Web Sites: Risk Mitigation and Response Guidance for Web Site Spoofing Incidents,” (July 1, 2005); “Phishing and E-mail Scams,” OTS CEO Letter #193 (Mar. 8, 2004); NCUA Letter to Credit Unions 04-CU-12, “Phishing Guidance for Credit Unions” (Sept. 2004).



File Type: application/msword
File Title: PAPERWORK REDUCTION ACT SUBMISSION
Author: FDIC
Last Modified By: Mary.Gottlieb
File Modified: 2007-11-09
File Created: 2007-11-08
