Identity Theft Red Flags and Address Discrepancies under the FACT Act of 2003

NEW, Supporting Statement for Red Flags, 09-2006.doc

Identity Theft Red Flags and Address Discrepancies under the FACT Act of 2003

Identity Theft Red Flags and Address Discrepancies under the FACT Act of 2003

OMB: 3133-0175

Document [doc]
Download: doc | pdf

SUPPORTING STATEMENT

Identity Theft Red Flags and Address Discrepancies

Under the FACT Act of 2003

(New Collection)

September 2006


  1. JUSTIFICATION


  1. Circumstances that make the collection necessary

The NCUA requests OMB approval for the collections of information contained in the attached joint proposed rulemaking, which implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Pub. L. No. 108-159 (2003).

FACT Act Section 114

Section 114 amends section 615 of the Fair Credit Reporting Act (FCRA) to require the NCUA, OCC, FRB, FDIC, OTS, and FTC (Agencies) to issue jointly:


  • Guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary, and cannot be inconsistent with the policies and procedures required under section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l).

  • Regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines to identify possible risks to account holders or customers or to the safety and soundness of the institution or creditor (Red Flag Regulations).

  • Regulations generally requiring credit and debit card issuers to assess the validity of change of address requests.

FACT Act Section 315

Section 315 amends section 605 of the FCRA to require the Agencies to issue regulations providing guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency (CRA). These regulations must describe reasonable policies and procedures for users of consumer reports to:

  • Enable a user to form a reasonable belief that it knows the identity of the person for whom it has obtained a consumer report, and

  • Reconcile the address of the consumer with the CRA, if the user establishes a continuing relationship with the consumer and regularly and in the ordinary course of business furnishes information to the CRA.


  1. Use of the Information Collected


FACT Act Section 114


As required by section 114, the Agencies are jointly proposing guidelines for financial institutions and creditors identifying patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. In addition, the Agencies are proposing joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures to address the risk of identity theft that incorporate the guidelines. Credit card and debit card issuers must develop policies and procedures to assess the validity of a request for a change of address under certain circumstances.


The information collections pursuant to section 114 would require each financial institution and creditor to create an Identity Theft Prevention Program (Program) and report to the board of directors, a committee thereof, or senior management at least annually on compliance with the proposed regulations. In addition, staff must be trained to carry out the Program. Each credit and debit card issuer would be required to establish policies and procedures to assess the validity of a change of address request. The card issuer must notify the cardholder or use another means to assess the validity of the change of address.


FACT Act Section 315


The joint proposed regulations would provide guidance on reasonable policies and procedures that a user of consumer reports must follow when a user receives a notice of address discrepancy from a CRA.


The information collections in the proposed regulations implementing section 315 would require each user of consumer reports to develop reasonable policies and procedures that it will follow when it receives a notice of address discrepancy from a consumer reporting agency. A user of consumer reports must furnish an address that the user has reasonably confirmed to be accurate to the CRA from which it receives a notice of address discrepancy.


  1. Consideration of the use of improved information technology


The supplementary information issued in connection with the proposed Red Flag Regulations explains that the Agencies attempted to draft the Red Flag Regulations in a flexible, technologically neutral manner that would not require financial institutions or creditors to acquire expensive new technology to comply with the Red Flag Regulations, and also would not prevent financial institutions and creditors from continuing to use their own or a third party’s computer-based products.


A respondent may use any effective information technology it chooses to reduce any burden associated with the proposed regulations implementing sections 114 and 315 of the FACT Act.


  1. Efforts to identify duplication


There is no duplication.


  1. Methods used to minimize burden if the collection has a significant impact on a substantial number of small entities


The collection applies to all federal credit unions including those under $10 million in assets, which NCUA has determined as small for purposes of SBREFA, however, the impact on small entities will vary depending on the level of their activities and breadth of operations. Thus, the burden on smaller entities is expected to be relatively less than on larger credit unions based on the assumption that the nature of their activities and operations will be smaller and simpler in scope and, therefore, the compliance burden will be relatively less.



  1. Consequences to the federal program if the collection were conducted less frequently


The burden associated with this proposed rulemaking is largely attributable to the policies and procedures that a respondent must develop to create a Program, to assess the validity of a change of address request, and to respond to notices of address discrepancy. Once they are developed, these policies and procedures will only need to be adjusted if they become ineffective. Similarly, staff will need to be trained only once, unless policies and procedures change.

The Agencies believe that the board, a committee of the board, or senior management should monitor the respondent’s compliance with the Red Flag Regulations through the review of annual reports that assess the effectiveness of the respondent’s Program. Therefore, the proposed rulemaking requires annual reports to the board or senior management. The Agencies have requested comment on the frequency with which reports should be prepared.


  1. Special circumstances necessitating collection inconsistent with 5 CFR part 1320


No special circumstances exist.


  1. Consultation with persons outside the agency

Six agencies (NCUA, Board, FDIC, FTC, OCC, OTS) collaborated to draft this proposed rulemaking.


  1. Payment to respondents


Not applicable as there is no payment to respondents.


  1. Confidentiality


Not applicable as the collection does not require collection or retention of confidential information.


  1. Information of a Sensitive Nature


Not applicable as the collection does not require the collection or retention of sensitive information.


  1. Burden estimate

Section 114 of the FACT Act: The NCUA estimates that it will initially take the respondents 25 hours to create the Program outlined in the proposed rule, 4 hours to prepare an annual report, and 2 hours to train staff to implement the Program.


NCUA estimates that it will take the respondents 4 hours to develop policies and procedures to assess the validity of a change of address request.


NCUA believes that most of the respondents already employ a variety of measures to detect and address identity theft that are required by the proposed regulation because these are usual and customary business practices that they engage in to minimize losses due to fraud. In addition, the NCUA believes respondents already have implemented some of the requirements of the proposed regulation implementing section 114 as a result of having to comply with other existing regulations and guidance issued by the Federal Financial Institutions Examination Council regarding information security, authentication, identity theft, and response programs.


The NCUA also believes respondents already assess the validity of change of address requests, and for the most part, have automated the process of notifying the cardholder or using other means to assess the validity of changes of address. Therefore implementation of this requirement will pose no further burden. Accordingly, these estimates represent the incremental amount of time the NCUA believes it will take respondents to create a written Program that incorporates the policies and procedures that covered entities are likely to already have in place, the incremental time to train staff to implement the Program, to establish policies and procedures to assess the validity of changes of address, and to notify cardholders, as appropriate.


Section 315: NCUA estimates it will take respondents 4 hours to develop policies and procedures that they will employ when they receive a notice of address discrepancy and believes respondents already are furnishing this information to CRAs because it is a usual and customary business practice. Therefore, NCUA estimates that there will be no implementation burden. Thus the burden associated with this collection of information may be summarized as follows:


Number of respondents: 5,245

Estimated time per response: 39

Developing program: 25

Preparing annual report: 4

Training: 2

Developing policies and procedures to assess validity of changes of address: 4


Developing policies and procedures to respond to notices of address discrepancy: 4


Total estimated annual burden: 204,555



  1. Estimate of annualized costs to respondents


No cost to respondents.


  1. Estimate of annualized costs to the government


No cost to government.


  1. Changes to burden


This is a new collection.

  1. Information regarding collections whose results are planned to be

published for statistical use


The results of these collections will not be published for statistical use.

17. Display of expiration date


Not applicable.


18. Exceptions to certification statement


None.


  1. STATISTICAL METHODS


Not applicable.

5


File Typeapplication/msword
File TitlePAPERWORK REDUCTION ACT SUBMISSION
AuthorFDIC
Last Modified ByBasicXP
File Modified2006-09-20
File Created2006-09-20

© 2024 OMB.report | Privacy Policy