1557-0237


Identity Theft Red Flags and Address Discrepancies under the Fair and Accurate Credit Transactions Act of 2003 (FACT Act)


SUPPORTING STATEMENT

Identity Theft Red Flags and Address Discrepancies

Under the FACT Act of 2003

12 C.F.R. Part 41

(OMB Control No. 1557-0237)


A. JUSTIFICATION


1. Circumstances that make the collection necessary:

The OCC requests that OMB extend its approval for the collections of information contained in 12 C.F.R. Part 41, which implemented sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Pub. L. No. 108-159 (2003).[1]

FACT Act Section 114

Section 114 amended section 615 of the Fair Credit Reporting Act (FCRA) to require the OCC, FRB, FDIC, OTS, NCUA, and FTC (Agencies) to issue jointly:


  • Guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. In developing the guidelines, the Agencies were required to identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary, and cannot be inconsistent with the policies and procedures required under section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l).

  • Regulations requiring each financial institution and each creditor to establish reasonable policies and procedures for implementing the guidelines to identify possible risks to account holders or customers or to the safety and soundness of the institution or creditor.

  • Regulations generally requiring credit and debit card issuers to assess the validity of change of address requests under certain circumstances.

FACT Act Section 315

Section 315 amended section 605 of the FCRA to require the Agencies to issue regulations providing guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency (CRA). These regulations were required to describe reasonable policies and procedures for users of consumer reports to:

  • Enable a user to form a reasonable belief that it knows the identity of the person for whom it has obtained a consumer report, and

  • Reconcile the address of the consumer with the CRA, if the user establishes a continuing relationship with the consumer and regularly and in the ordinary course of business furnishes information to the CRA.


2. Use of the Information Collected:


FACT Act Section 114


As required by section 114, Appendix J to 12 C.F.R. Part 41 contains guidelines for financial institutions and creditors identifying patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. In addition, 12 C.F.R. § 41.90 requires each financial institution or creditor that is a national bank, Federal branch or agency of a foreign bank, and any of their operating subsidiaries that are not functionally regulated (bank), to establish reasonable policies and procedures to address the risk of identity theft that incorporate the guidelines. Pursuant to 12 C.F.R. § 41.91, credit card and debit card issuers must implement reasonable policies and procedures to assess the validity of a request for a change of address under certain circumstances.


12 C.F.R. § 41.90 requires each OCC regulated financial institution or creditor that offers or maintains one or more covered accounts to develop and implement a written Identity Theft Prevention Program (Program). In developing the Program, financial institutions and creditors are required to consider the guidelines in Appendix J to 12 C.F.R. Part 41 and include those that are appropriate. The initial Program must be approved by the board of directors or an appropriate committee thereof. The board, an appropriate committee thereof, or a designated employee at the level of senior management must be involved in the oversight of the Program. In addition, staff must be trained to carry out the Program. Pursuant to 12 C.F.R. § 41.91, each credit and debit card issuer is required to establish and implement policies and procedures to assess the validity of a change of address request under certain circumstances. Before issuing an additional or replacement card, the card issuer must notify the cardholder or use another means to assess the validity of the change of address.


FACT Act Section 315


As required by section 315, 12 C.F.R. § 41.82 requires users of consumer reports to have reasonable policies and procedures that must be followed when a user receives a notice of address discrepancy from a credit reporting agency (CRA).


12 C.F.R. § 41.82 requires each user of consumer reports to develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it requested the report when it receives a notice of address discrepancy from a CRA. A user of consumer reports must also develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed to be accurate to the CRA from which it receives a notice of address discrepancy when the user: (1) can form a reasonable belief that the consumer report relates to the consumer about whom the user has requested the report; (2) establishes a continuing relationship with the consumer; and (3) regularly and in the ordinary course of business furnishes information to the CRA from which it received the notice of address discrepancy.


3. Consideration of the use of improved information technology:


A respondent may use any effective information technology it chooses to reduce any burden associated with 12 C.F.R. §§ 41.82, 41.90 and 41.91.


4. Efforts to identify duplication:


There is no duplication.


5. Methods used to minimize burden if the collection has a significant impact on a substantial number of small entities:


The collection applies to all national banks, federal branches and agencies and their subsidiaries that are not functionally regulated, regardless of size. Further, this information collection does not have a significant impact on a substantial number of small entities.


6. Consequences to the Federal program if the collection were conducted less frequently:


The burden associated with these regulations is attributable to developing (and updating as necessary) the policies and procedures needed to create a Program and to training, pursuant to 12 C.F.R. § 41.90; to preparing an annual report pursuant to section VI.(b) of Appendix J to 12 C.F.R. Part 41; to assessing the validity of change of address requests pursuant to 12 C.F.R. § 41.91; and to developing policies and procedures to respond to notices of address discrepancy pursuant to 12 C.F.R. § 41.82. Once they are developed, these policies and procedures may need to be modified or adjusted to prevent them from becoming ineffective.


7. Special circumstances necessitating collection inconsistent with 5 CFR Part 1320:


The collection is consistent with the requirements of 5 CFR Part 1320.


8. Consultation with persons outside the agency:

The OCC issued a 60-day Federal Register notice on May 8, 2009 (74 FR 21740). Two comments were received, one from a state-chartered commercial bank and one from a financial service industry trade group.

The industry trade group stated that it surveyed its member financial institutions in June 2009 and asked for their estimates of the amount of time they spent implementing their program. Eleven financial institutions responded, and the majority of institutions indicated that they spent between 500 and 5,000 hours. The lowest amount of time reported was 250 hours.


The industry trade group represents a variety of large financial institutions, including some of the largest bank holding companies, of which large banks regulated by the OCC are members. The OCC supervises 42 banks and five Federal branches or agencies of a foreign bank with assets greater than or equal to $10 billion. Therefore, the institutions surveyed by the commenter represent a small portion of the respondents covered by this collection. In particular, the new respondents included in the collection are unlikely to be of the size and complexity of the banks represented in the commenter’s survey. As a result, the OCC has concluded that 250 hours (the lowest amount reported by a financial institution surveyed by the commenter) is a reasonable allowance for the amount required to develop a new program.


In addition, the commenter indicated that some banks may need to spend time reviewing and interpreting the Frequently Asked Questions document of June 11, 2009. The OCC has taken this into consideration in formulating its estimates and believes that they are sufficient to cover it.


In its comment, the commercial bank acknowledged that most of the activities required by the rule are not new and that bank personnel have "long been taught to look for certain characteristics that might indicate fraud and forgery." The 250 hour allowance for new respondents is responsive to the documentation burden required for examiner review referenced in the letter received from this commenter.


Lastly, we have revised the estimates for training, based on the number of employees per bank. We looked at the percentage of employees and the length of time spent in training.[2] The average came to 80 hours per bank.


9. Payment to respondents:


Not applicable.


10. Confidentiality:


Not applicable.


11. Information of a Sensitive Nature:


Not applicable.


12. Burden estimate:


The OCC believes that national banks have already developed the policies and procedures required to comply with 12 C.F.R. § 41.90 as the mandatory compliance date has passed. Additionally, a variety of measures to detect and address identity theft required by 12 C.F.R. § 41.90 were usual and customary business practices used to minimize losses due to fraud prior to the compliance date. The OCC also believes that banks may have implemented some of the requirements of 12 C.F.R. § 41.90 prior to its compliance date as a result of having to comply with other existing regulations and guidance, such as the CIP regulations implementing section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l) (that require verification of the identity of persons opening new accounts),[3] the Information Security Standards that implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801, and section 216 of the FACT Act, 15 U.S.C. 1681w,[4] and guidance issued by the Agencies or the Federal Financial Institutions Examination Council regarding information security, authentication, identity theft, and response programs.[5]


12 C.F.R. § 41.90 and Appendix J to 12 C.F.R. Part 41 underscore the ability of a financial institution or creditor to incorporate into its Program its existing processes that control reasonably foreseeable risks to customers or to its own safety and soundness from identity theft, such as those already developed in connection with the covered entity’s fraud prevention program.


12 C.F.R. § 41.90 also clarifies that only relevant staff need be trained to implement the Program, as necessary -- meaning that staff already trained, for example, as a part of a covered entity’s anti-fraud prevention efforts do not need to be re-trained except as necessary.


The OCC’s estimates attribute all burden to covered entities, which are entities directly subject to the requirements of 12 C.F.R. §§ 41.82, 41.90, 41.91 and Appendix J to Part 41. A covered entity that outsources activities to a third-party service provider is, in effect, reallocating to that service provider the burden that it would otherwise have carried itself. Under these circumstances, burden is, by contract, shifted from the covered entity to the service provider, but the total amount of burden is not increased. Thus, third-party service provider burden is already included in the burden estimates provided for covered entities.

The OCC believes that card issuers already assessed the validity of change of address requests prior to the compliance date and, for the most part, had automated the process of notifying the cardholder or using other means to assess the validity of changes of address. Further, 12 C.F.R. § 41.91 clarifies that card issuers may satisfy the requirements of this section by verifying the address at the time the address change notification is received, before a request for an additional or replacement card.


12 C.F.R. § 41.82 requires users of consumer reports to develop policies and procedures to employ upon receiving a notice of address discrepancy in order to: (1) ensure that the user has obtained the correct consumer report for the consumer; and (2) confirm the accuracy of the address the user furnishes to the CRA. However, under 12 C.F.R. § 41.82, a user only must furnish a confirmed address to a CRA for new relationships. Thus, the required policies and procedures will no longer need to address the furnishing of confirmed addresses for existing relationships, and users will not need to furnish to the CRA in connection with existing relationships an address the user reasonably confirmed is accurate.

Prior to the compliance date, users of credit reports covered by 12 C.F.R. § 41.82, on a regular basis, already furnished information to CRAs in response to notices of address discrepancy because it is a usual and customary business practice -- except in connection with new deposit relationships. Therefore, some burden is attributable to information furnished to CRAs for new deposit relationships.


Number of existing respondents: 1,625 (1,574 banks & uninsured trust companies; 51 foreign branches & agencies).


Estimated burden per existing respondent: 111 hours.

Updating program: 8 hours.

Preparing annual report

Effectiveness: 4 hours.

Significant incidents of identity theft and management’s response: 4 hours.

Service provider arrangements: 1 hour.

Recommendations for material changes to the program:[6] 6 hours.

Oversight of service providers: 8 hours.

Annual training: 80 hours.


Number of new respondents: 10.


Estimated burden per new respondent: 361 hours (111 hours + 250 hours).


Developing new program:[7] 250 hours.


Total burden for existing respondents: 180,375 hours.


Total burden for new respondents: 3,610 hours.


Total estimated annual burden: 183,985 hours.


13. Estimate of annualized costs to respondents:


Not applicable.


14. Estimate of annualized costs to the government:


Not applicable.


15. Changes to burden:


Prior Burden: 1,806 respondents; 74,046 total hours


Current Burden: 1,635 respondents; 183,985 total hours


Difference: -171 respondents; +109,939 total burden hours.


The changes in burden are due to the calculation of more accurate estimates of the time required to implement the program and the time devoted to training.

16. Information regarding collections whose results are planned to be published for statistical use:


The results of these collections will not be published for statistical use.

17. Display of expiration date:


Not applicable.


18. Exceptions to certification statement:


None.


B. STATISTICAL METHODS


Not applicable.

[1] Final rule issued November 9, 2007. 72 FR 63718.

[2] It is assumed that the training would be incorporated into an existing training program.

[3] See, e.g., 31 C.F.R. § 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks).

[4] 12 C.F.R. part 30, app. B.

[5] See, e.g., 12 C.F.R. part 30, supp. A to app. B; Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook’s Information Security Booklet available at http://www.ffiec.gov/guides.htm; FFIEC “Authentication in an Internet Banking Environment” available at http://www.ffiec.gov/pdf/authentication_guidance.pdf; “Guidance on Identity Theft and Pretext Calling,” OCC AL 2001-4 (April 30, 2001); “Identity Theft and Pretext Calling” (Sept. 2001); OCC 2005-24, “Threats from Fraudulent Bank Web Sites: Risk Mitigation and Response Guidance for Web Site Spoofing Incidents” (July 1, 2005).

[6] Includes board approval of material changes and, if required, modifying procedures.

[7] In addition to the requirements of 12 C.F.R. § 41.90, this includes developing policies and procedures to assess validity of changes of address and developing policies and procedures to respond to notices of address discrepancy.




File Type: application/msword
File Title: PAPERWORK REDUCTION ACT SUBMISSION
Author: FDIC
Last Modified By: OCC
File Modified: 2009-07-15
File Created: 2009-07-15
