SUPPORTING STATEMENT
Identity Theft Red Flags and Address Discrepancies
Under the FACT Act of 2003
(New Collection)
September 2006
JUSTIFICATION
Circumstances that make the collection necessary
The NCUA requests OMB approval for the collections of information contained in the attached joint proposed rulemaking, which implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Pub. L. No. 108-159 (2003).
FACT Act Section 114
Section 114 amends section 615 of the Fair Credit Reporting Act (FCRA) to require the NCUA, OCC, FRB, FDIC, OTS, and FTC (Agencies) to issue jointly:
Guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary, and cannot be inconsistent with the policies and procedures required under section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l).
Regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines to identify possible risks to account holders or customers or to the safety and soundness of the institution or creditor (Red Flag Regulations).
Regulations generally requiring credit and debit card issuers to assess the validity of change of address requests.
FACT Act Section 315
Section 315 amends section 605 of the FCRA to require the Agencies to issue regulations providing guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency (CRA). These regulations must describe reasonable policies and procedures for users of consumer reports to:
Enable a user to form a reasonable belief that it knows the identity of the person for whom it has obtained a consumer report, and
Reconcile the address of the consumer with the CRA, if the user establishes a continuing relationship with the consumer and regularly and in the ordinary course of business furnishes information to the CRA.
Use of the Information Collected
FACT Act Section 114
As required by section 114, the Agencies are jointly proposing guidelines for financial institutions and creditors identifying patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. In addition, the Agencies are proposing joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures to address the risk of identity theft that incorporate the guidelines. Credit card and debit card issuers must develop policies and procedures to assess the validity of a request for a change of address under certain circumstances.
The information collections pursuant to section 114 would require each financial institution and creditor to create an Identity Theft Prevention Program (Program) and report to the board of directors, a committee thereof, or senior management at least annually on compliance with the proposed regulations. In addition, staff must be trained to carry out the Program. Each credit and debit card issuer would be required to establish policies and procedures to assess the validity of a change of address request. The card issuer must notify the cardholder or use another means to assess the validity of the change of address.
FACT Act Section 315
The joint proposed regulations would provide guidance on reasonable policies and procedures that a user of consumer reports must follow when a user receives a notice of address discrepancy from a CRA.
The information collections in the proposed regulations implementing section 315 would require each user of consumer reports to develop reasonable policies and procedures that it will follow when it receives a notice of address discrepancy from a consumer reporting agency. A user of consumer reports must furnish an address that the user has reasonably confirmed to be accurate to the CRA from which it receives a notice of address discrepancy.
Consideration of the use of improved information technology
The supplementary information issued in connection with the proposed Red Flag Regulations explains that the Agencies attempted to draft the Red Flag Regulations in a flexible, technologically neutral manner that would not require financial institutions or creditors to acquire expensive new technology to comply with the Red Flag Regulations, and also would not prevent financial institutions and creditors from continuing to use their own or a third party’s computer-based products.
A respondent may use any effective information technology it chooses to reduce any burden associated with the proposed regulations implementing sections 114 and 315 of the FACT Act.
Efforts to identify duplication
There is no duplication.
Methods used to minimize burden if the collection has a significant impact on a substantial number of small entities
The collection applies to all federal credit unions including those under $10 million in assets, which NCUA has determined as small for purposes of SBREFA, however, the impact on small entities will vary depending on the level of their activities and breadth of operations. Thus, the burden on smaller entities is expected to be relatively less than on larger credit unions based on the assumption that the nature of their activities and operations will be smaller and simpler in scope and, therefore, the compliance burden will be relatively less.
Consequences to the federal program if the collection were conducted less frequently
The burden associated with this proposed rulemaking is largely attributable to the policies and procedures that a respondent must develop to create a Program, to assess the validity of a change of address request, and to respond to notices of address discrepancy. Once they are developed, these policies and procedures will only need to be adjusted if they become ineffective. Similarly, staff will need to be trained only once, unless policies and procedures change.
The Agencies believe that the board, a committee of the board, or senior management should monitor the respondent’s compliance with the Red Flag Regulations through the review of annual reports that assess the effectiveness of the respondent’s Program. Therefore, the proposed rulemaking requires annual reports to the board or senior management. The Agencies have requested comment on the frequency with which reports should be prepared.
Special circumstances necessitating collection inconsistent with 5 CFR part 1320
No special circumstances exist.
Consultation with persons outside the agency
Payment to respondents
Not applicable as there is no payment to respondents.
Confidentiality
Not applicable as the collection does not require collection or retention of confidential information.
Information of a Sensitive Nature
Not applicable as the collection does not require the collection or retention of sensitive information.
Burden estimate
Section 114 of the FACT Act: The NCUA estimates that it will initially take the respondents 25 hours to create the Program outlined in the proposed rule, 4 hours to prepare an annual report, and 2 hours to train staff to implement the Program.
NCUA estimates that it will take the respondents 4 hours to develop policies and procedures to assess the validity of a change of address request.
NCUA believes that most of the respondents already employ a variety of measures to detect and address identity theft that are required by the proposed regulation because these are usual and customary business practices that they engage in to minimize losses due to fraud. In addition, the NCUA believes respondents already have implemented some of the requirements of the proposed regulation implementing section 114 as a result of having to comply with other existing regulations and guidance issued by the Federal Financial Institutions Examination Council regarding information security, authentication, identity theft, and response programs.
The NCUA also believes respondents already assess the validity of change of address requests, and for the most part, have automated the process of notifying the cardholder or using other means to assess the validity of changes of address. Therefore implementation of this requirement will pose no further burden. Accordingly, these estimates represent the incremental amount of time the NCUA believes it will take respondents to create a written Program that incorporates the policies and procedures that covered entities are likely to already have in place, the incremental time to train staff to implement the Program, to establish policies and procedures to assess the validity of changes of address, and to notify cardholders, as appropriate.
Section 315: NCUA estimates it will take respondents 4 hours to develop policies and procedures that they will employ when they receive a notice of address discrepancy and believes respondents already are furnishing this information to CRAs because it is a usual and customary business practice. Therefore, NCUA estimates that there will be no implementation burden. Thus the burden associated with this collection of information may be summarized as follows:
Number of respondents: 5,245
Developing program: 25
Preparing annual report: 4
Training: 2
Developing policies and procedures to assess validity of changes of address: 4
Developing policies and procedures to respond to notices of address discrepancy: 4
Total estimated annual burden: 204,555
Estimate of annualized costs to respondents
No cost to respondents.
Estimate of annualized costs to the government
No cost to government.
Changes to burden
This is a new collection.
Information regarding collections whose results are planned to be
published for statistical use
The results of these collections will not be published for statistical use.
17. Display of expiration date
Not applicable.
18. Exceptions to certification statement
None.
STATISTICAL METHODS
Not applicable.
| File Type | application/msword |
| File Title | PAPERWORK REDUCTION ACT SUBMISSION |
| Author | FDIC |
| Last Modified By | BasicXP |
| File Modified | 2006-09-20 |
| File Created | 2006-09-20 |