Red Flag SUPPORTING STATEMENT GBS 04 02 12

Download: docx | pdf

SUPPORTING STATEMENT FOR NEW AND REVISED INFORMATION COLLECTIONS

OMB CONTROL NUMBER 3038-0067

Proposed Red Flag Rule

Justification

1. Explain the circumstances that make the collection of information necessary . Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.

On July 21, 2010, President Obama signed into law the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”). Title X of the Dodd-Frank Act, which is titled the Consumer Financial Protection Act of 2010 (“CFP Act”), established a Bureau of Consumer Financial Protection within the Federal Reserve System and gave this new agency certain rulemaking, enforcement, and supervisory powers over many consumer financial products and services, as well as the entities that sell them. In addition, Title X amended a number of other federal consumer protection laws enacted prior to the Dodd-Frank Act, including the FCRA.

Within Title X, section 1088(a)(8),(10) of the Dodd-Frank Act amended the FCRA by adding the Commissions (CFTC and SEC) to the list of federal agencies required to jointly prescribe and enforce identity theft red flags rules and guidelines and card issuer rules. Thus, the Dodd‑Frank Act provides for the transfer of rulemaking responsibility and enforcement authority to the CFTC and SEC with respect to the entities under their respective jurisdiction. Accordingly, the Commissions are now jointly proposing for public notice and comment identity theft rules and guidelines and card issuer rules.

The Commodity Futures Trading Commission (“CFTC”) and the Securities and Exchange Commission (“SEC,” together with the CFTC, the “Commissions”) are jointly issuing proposed rules and guidelines to implement new statutory provisions enacted by Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act. These provisions amend section 615(e) of the Fair Credit Reporting Act and direct the Commissions to prescribe rules requiring entities that are subject to the Commissions’ jurisdiction to address identity theft in two ways. First, the proposed rules and guidelines would require financial institutions and creditors to develop and implement a written identity theft prevention program that is designed to detect, prevent, and mitigate identity theft in connection with certain existing accounts or the opening of new accounts. The Commissions also are proposing guidelines to assist entities in the formulation and maintenance of a program that would satisfy the requirements of the proposed rules. Second, the proposed rules would establish special requirements for any credit and debit card issuers that are subject to the Commissions’ jurisdiction, to assess the validity of notifications of changes of address under certain circumstances.

2. Indicate how, by whom, and for what purpose the date would be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.

Under proposed part 162, subpart C, CFTC regulated entities – which presently would include approximately 268 CFTC registrants plus 125 new CFTC registrants pursuant to Title VII of the Dodd-Frank Act – may be required to design, develop and implement reasonable policies and procedures to identify relevant red flags, and potentially notifying cardholders of identity theft risks. In addition, CFTC-regulated entities would be required to: (i) collect information and keep records for the purpose of ensuring that their Programs met requirements to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account; (ii) develop and implement reasonable policies and procedures to identify, detect and respond to relevant red flags, as well as periodic reports related to the Program; and (iii) from time to time, notify cardholders of possible identity theft with respect to their accounts, as well as assess the validity of those accounts.

3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological collection techniques or other forms of information technology, e.g. permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also describe any consideration of using information technology to reduce burden.

Electronic filing or submission is acceptable for the information collections required by this rule.

4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Item 2 above.

The rules would apply to entities over which the Commission has been granted enforcement authority under the FCRA. Duplication is avoided by the provisions of section 621(b) of the FCRA, which specifically limits the enforcement of the requirements imposed under the FACA “to consumer reporting agencies, persons who furnish information to such agencies, and users of [certain information] . . . under . . . the Commodity Exchange Act . . . .”

The Commission’s proposal will not duplicate requirements imposed by other agencies, such as substantially similar FTC and federal banking agencies (collectively, the “Agencies”) regulations issued in 2007.¹ These proposed rules may be merged into existing identity theft prevention or privacy programs already in existence with regulated entities.

These burden estimates assume that CFTC-regulated entities already comply with the identity theft red flags rules and guidelines jointly adopted by the FTC with the Agencies, as of December 31, 2010. Consequently, these entities may already have in place many of the customary protections addressing identity theft and changes of address proposed by these regulations.

5. If the collection of information involves small business or other small entities (Item 5 of OMB From 83-I), describe the methods used to minimize burden.

The information collection requirements of the new Identity Theft Red Flags rule apply to all CFTC-covered entities, including small entities. However, because the Commission believes that the new rules impose minimal burdens, no significant burden would be imposed on small entities.

6. Describe the consequence to the Federal Program or policy activities if the collection were conducted less frequently as well as any technical or legal obstacles to reducing burden.

Less frequent collection would not be consistent with the intent of the rules, which is to require financial institutions and creditors to have reasonable policies and procedures to respond appropriately to any red flags that are detected. The proposed rule would require financial institutions and creditors to have reasonable policies and procedures to ensure that the program is updated periodically, to reflect changes in risks to customers, and assure the safety and soundness of the financial institutions and creditors.

7. Explain any special circumstances that require the collection to be conducted in a manner:

- requiring respondents to report information to the agency more often than quarterly;

See response to Question 6, above.

- requiring respondents to prepare a written response to a collection of information in fewer than 30 days after receipt of it:

This question does not apply.

- requiring respondents to submit more that an original and two copies of any document;

There is no such requirement.

- requiring respondents to retain records other than health, medical, government contract, grant-in-aid, or tax records, for more than three years;

For enforcement purposes, Commission Rule 1.31 requires that:

“All books and records required to be kept by the (Commodity Exchange) Act or by these regulations shall be kept for a period of five years from the date thereof and shall be readily accessible during the first two years of the five year period. All such books and records shall be open to inspection by any representative of the Commission or the U.S. Department of Justice.”

- in connection with a statistical survey, that is not designed to produce valid and reliable results that can be generalized to the universe of study;

The rule does not involve statistical surveys.

- requiring the use of a statistical data classification that has not been reviewed and approved by OMB;

The rule does not involve the use of statistical data.

- that includes a pledge of confidentiality that is not supported by authority established in statue or regulation, that is not supported by disclosure and data security policies that are consistent with the pledge, or which unnecessarily impedes sharing of data with other agencies for compatible confidential use; or

The rule does not involve pledges of confidentiality.

- requiring respondents to submit proprietary trade secrets, or other confidential information unless the agency can demonstrate that it has instituted procedures to protect the information's confidentiality to the extent permitted by law.

The rule does not involve submission of proprietary trade secrets or other such information to the Commission.

8. If applicable, provide a copy and identify the date and page number of publication in the Federal Register of the agency's notice required by 5 C.F.R. 1320.8(d), soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.

The proposed rule was published at 77 FR 13450, 03/06/12.

Describe efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping disclosure, or reporting format (if any, and on the data elements to be recorded, disclosed, or reported.

The Commission’s new rule was proposed jointly with the SEC, involving considerable consultation. The Agencies were also consulted regarding their substantially similar rules. In addition, the Commission maintains ongoing, informal dialogue with the industry concerning various matters including paperwork burdens.

Consultation with representatives of those from whom information is to be obtained or those who must compile records should occur at least once every three years—even if the collection of information activity is the same as in prior periods. There may be circumstances that may preclude consultation in a specific situation. These circumstances should be explained.

No such circumstances are anticipated.

9. Explain any decision to provide any payment or gift to respondents, other than remuneration of contractors or grantees.

The question does not apply.

10. Describe any assurance of confidentiality provided to respondents and the basis for the assurance in statute, regulations, or agency policy.

The Commission will protect proprietary information according to the Freedom of Information Act and the regulations that the Commission has promulgated to protect the confidentiality of collected information contained in 17 CFR 145, “Commission Records and Information.” In addition, section 8(a) of the CEA provides for the confidentiality of data and information except under the limited circumstances delineated therein. The Commission also is required to protect certain information pursuant to the Privacy Act of 1974.

11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.

The question does not apply.

12. Provide estimates of the hour burden of the collection of information. The Statement should:

- Indicate the number of respondents, frequency of response, annual hour burden and an explanation of how the burden was estimated. Unless directed to do so, agencies should not conduct special surveys to obtain information on which to base hour burden estimates. Consultation with a sample (fewer than ten) of potential respondents is desirable. If the hour burden on respondents is expected to vary widely because of differences in activity, size or complexity, show the range of estimated hour burden, and explain the reasons for the variance. Generally, estimates should not include burden hours for customary and usual business practices.

- If the request for approval covers more than one form, provide separate hour burden estimates for each form and aggregate the hour burdens in Item 13 of OMB Form 83-I.

- Provide estimates of annualized cost to respondents for the hours burdens for collections of information, identifying and using appropriate wage rate categories. The cost of contracting out or paying outside parties for information collection activities should not be included here. Instead, this cost should be included in Item 13.

These burden estimates assume that CFTC-regulated entities already comply with the identity theft red flags rules and guidelines jointly adopted by the FTC with the Agencies, as of December 31, 2010. Consequently, these entities may already have in place many of the customary protections addressing identity theft and changes of address proposed by these regulations.

Initial Burden

The CFTC estimates that the one-time burden of compliance with proposed part 162 for its regulated entities with covered accounts would be: (i) 25 hours to develop and obtain board approval of a Program, (ii) 4 hours for staff training, and (iii) 2 hours to conduct an initial assessment of covered accounts, totaling 31 hours. Of the 31 hours, the CFTC estimates that 15 hours would involve internal counsel, 14 hours expended by administrative assistants, and 2 hours by the board of directors in total, for those newly-regulated entities.

The CFTC estimates that approximately 702 FCMs, CTAs and CPOs ² would need to conduct an initial assessment of covered accounts. As noted above, the CFTC estimates that approximately 125 newly registered SDs and MSPs would need to conduct an initial assessment of covered accounts. The total number of newly registered CFTC registrants would be 827 entities. Each of these 827 entities would need to conduct an initial assessment of covered accounts, for a total of 1,654 hours.³ Of these 827 entities, CFTC staff estimates that approximately 179 of these entities may maintain covered accounts. Accordingly, the CFTC estimates the one-time burden for these 179 entities to be 5,549 hours,⁴ for a total burden among newly registered entities of 7,203 hours.⁵

Initial Recordkeeping Burden:

Total number of entities: 827

Average number of annual responses by each entity: 1

Estimated average hours per response: 2

Frequency of collection: Annually

Total annual burden: 827 entities x 1 response x 2 hours = 1,654 burden hours

Total number of entities with covered accounts: 179

Average number of annual responses by each entity: 1

Estimated average hours per response: 31

Frequency of collection: Annually

Annual burden of entities with covered accounts: 179 entities x 1 response x 31 hours = 5,549 burden hours

Total annual burden for newly registered entities: 7,203.

Ongoing Recordkeeping Burden:

Total number of entities: 3,249

Average number of annual responses by each entity: 1

Estimated average hours per response: 2

Frequency of collection: Periodically

Total annual burden: 3,249 entities x 1 response x 2 hours = 6,498 burden hours

Total number of entities with covered accounts: 393

Average number of annual responses by each entity: 1

Estimated average hours per response: 6

Frequency of collection: Periodically

Annual burden of entities with covered accounts: 393 entities x 1 response x 6 hours = 2,358 burden hours

Total annual burden for newly registered entities: 6,498 hours + 2,358 hours = 8,856

13. Provide an estimate of the total annual cost burden to respondents or recordkeepers resulting from the collection of information. (Do not include the cost of any hour burden shown in Items 12 and 14).

- The cost estimate should be split into two components; (a) a total capital and start-up cost component (annualized over its expected useful life) and (b) a total operation and maintenance and purchase of services component. The estimates should take into account costs associated with generating, maintaining, and disclosing or providing the information. Include descriptions of methods used to estimate major costs factors including system and technology acquisition, expected useful life of capital equipment, the discount rate(s), and the time period over which costs will be incurred. Capital and start-up costs include, among other items, preparations for collecting information such as purchasing computers and software, monitoring, sampling, drilling and testing equipment, and record storage facilities.

- If cost estimates are expected to vary widely, agencies should present ranges of cost burdens and explain the reasons for the variance. The cost of purchasing or contracting out information collection services should be a part of this cost burden estimate, agencies may consult with a sample of respondents (fewer than ten), utilize the 60-day pre-OMB submission public comment process and use existing economic or regulatory impact analysis associated with the rulemaking containing the information collection, as appropriate.

- Generally, estimates should not include purchases of equipment or services, or portions thereof, made: (1) prior to October 1, 1995, (2) to achieve regulatory compliance with requirements not associated with the information collection, (3) for reasons other than to provide information or keep records for the government, or (4) as part of customary and usual business or private practices.

The information collection required by the regulations would not involve any capital or start-up capital, operations or maintenance costs as the Commission anticipates that the CFTC-regulated entities already comply with the identity theft red flags rules and guidelines jointly adopted by the FTC with the Agencies, as of December 31, 2010. Consequently, these entities may already have in place many of the customary protections addressing identity theft and changes of address proposed by these regulations.

14. Provide estimates of the annualized costs to the Federal Government. Also provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing and support staff), and any other expense that would not have been incurred without this collection of information. Agencies may also aggregate cost estimates from Items 12, 13, and 14 in a single table.

The regulation does not impose any regular reporting requirements. Accordingly, it does not anticipate that the requirements would impose any additional costs to the Federal Government.

15. Explain the reasons for any program changes or adjustments reported in Items 13 or 14 of the OMB Form 83-I.

The program changes or adjustments are required by the Dodd-Frank Wall Street Reform and Consumer Protection Act, which established a new regulatory scheme.

16. For collection of information whose results are planned to be published for statistical use, outline plans for tabulation, statistical analysis, and publication. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.

This question does not apply.

17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons that display would be inappropriate.

This question does not apply.

18. Explain each exception to the certification statement identified in Item 19, "Certification for Paperwork Reduction Act Submissions," of OMB Form 83-I.

This question does not apply.

File Type	application/vnd.openxmlformats-officedocument.wordprocessingml.document
Author	GSCOTT
File Modified	0000-00-00
File Created	2021-01-30