SUPPORTING STATEMENT
Identity Theft Red Flags and Address Discrepancies
Under the FACT Act of 2003
12 CFR part 717
3133-0175
September 2013
1. Circumstances That Make the Collection Necessary
The NCUA requests OMB approval for reinstatement, with change, of the collections of information contained in the rule 12 CFR part 717 , which implements sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act), Pub. L. No. 108-159 (2003).
FACT Act Section 114
Section 114 of the FACT Act amended section 615 of the Fair Credit Reporting Act (FCRA) to require the NCUA and other agencies to issue jointly:
Guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. In developing the guidelines, the Agencies were required to identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary, and cannot be inconsistent with the policies and procedures required under section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l).
Regulations requiring each financial institution and each creditor to establish reasonable policies and procedures for implementing the guidelines to identify possible risks to account holders or customers or to the safety and soundness of the institution or creditor.
Regulations generally requiring credit and debit card issuers to assess the validity of change of address requests under certain circumstances.
Section 315 of the FACT Act amended section 605 of the FCRA to require the Agencies to issue regulations providing guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency (CRA). These regulations were required to describe reasonable policies and procedures for users of consumer reports to:
Enable a user to form a reasonable belief that it knows the identity of the person for whom it has obtained a consumer report, and
Reconcile the address of the consumer with the CRA, if the user establishes a continuing relationship with the consumer and regularly and in the ordinary course of business furnishes information to the CRA.
2. Use of the Information Collected
FACT Act Section 114
As required by section 114 of the FACT Act, appendix J to 12 CFR part 717 contains guidelines for financial institutions and creditors to use in identifying patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. In addition, 12 CFR 717.90 requires each financial institution or creditor to establish reasonable policies and procedures to address the risk of identity theft that incorporate the guidelines. Pursuant to section 717.91, credit card and debit card issuers must implement reasonable policies and procedures to assess the validity of a request for a change of address under certain circumstances.
Section 717.90 requires each NCUA regulated FCU that offers or maintains one or more covered accounts to develop and implement a written Identity Theft Prevention Program (Program). In developing the Program, financial institutions and creditors are required to consider the guidelines in appendix J and include those that are appropriate. The initial Program must be approved by the board of directors or an appropriate committee thereof. The board, an appropriate committee thereof, or a designated employee at the level of senior management must be involved in the oversight of the Program. In addition, staff members must be trained to carry out the Program. Pursuant to section 717.91, each credit and debit card issuer is required to establish and implement policies and procedures to assess the validity of a change of address request under certain circumstances. Before issuing an additional or replacement card, the card issuer must notify the cardholder or use another means to assess the validity of the change of address.
FACT Act Section 315
As required by section 315 of the FACT Act, section 1022.82 requires users of consumer reports to have reasonable policies and procedures that must be followed when a user receives a notice of address discrepancy from a credit reporting agency (CRA).
Section 1022.82 requires each user of consumer reports to develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it requested the report when it receives a notice of address discrepancy from a CRA. A user of consumer reports also must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed to be accurate to the CRA from which it receives a notice of address discrepancy when the user can: (1) form a reasonable belief that the consumer report relates to the consumer about whom the user has requested the report; (2) establish a continuing relationship with the consumer and; (3) establish that it regularly and in the ordinary course of business furnishes information to the CRA from which it received the notice of address discrepancy.
3. Consideration of the Use of Improved Information Technology
A respondent may use any effective information technology it chooses to reduce any burden associated with 12 C.F.R. §§ 1022.82, 717.90 and 717.91.
4. Efforts to Identify Duplication
There is no duplication.
5. Methods Used to Minimize Burden if the Collection Has a Significant Impact on a Substantial Number of Small Entities
The collection applies to all federal credit unions including those considered small entities, however, the impact on small entities will vary depending on the level of their activities and breadth of operations. Thus, the burden on smaller entities is expected to be relatively less than on larger credit unions based on the assumption that the nature of their activities and operations will be smaller and simpler in scope and, therefore, the compliance burden will be relatively less.
6. Consequences to the Federal Program if the Collection Were Conducted Less Frequently
The burden associated with these regulations is attributable to the policies and procedures that a respondent must develop to create a Program (and update as necessary), training, pursuant to 12 C.F.R. § 717.90; preparing an annual report pursuant to section VI.(b) of Appendix J to 12 C.F.R. Part 717, to assess the validity of change of address requests pursuant to 12 C.F.R. § 717.91, and to developing policies and procedures to respond to notices of address discrepancy pursuant to 12 C.F.R. § 1022.82. Once developed, these policies and procedures may require modification or adjustment to prevent them from becoming ineffective.
7. Special Circumstances Necessitating Collection Inconsistent with 5 CFR part 1320
No special circumstances exist.
8. Consultation with Persons Outside the Agency
9. Payment to Respondents
There is no payment to respondents.
10. Confidentiality
The collection does not require the collection or retention of confidential information.
11. Information of a Sensitive Nature
The collection does not require the collection or retention of sensitive information.
12. Burden Estimate
The NCUA estimates that it will initially take the respondents 250 hours to create a new Program as outlined in the rule, 8 hours to update the program, 4 hours to prepare an annual report, 4 hours for management’s response to significant incidents of identity theft, and 80 hours to train staff to implement the Program. In addition, NCUA estimates 1 hour for service provider arrangements, 6 hours for material changes to the program, and 8 hours for oversight of service providers.
Number of respondents: 4,206 – Estimate 2 of these as new FCUs.
(4,204 existing respondents x 111 hours per respondent) = 466,644 hours
(2 new respondents x 361 hours per respondent) = 722 hours
Total estimated annual burden: 467,366
13. Estimate of Annualized Costs to Respondents
There is no cost to respondents.
14. Estimate of Annualized Costs to the Government
There is no cost to the government.
15. Changes to Burden
This is a reinstatement, with change, of a previously approved collection.
16. Information Regarding Collections Whose Results Are Planned to be
Published for Statistical Use
The results of this collection will not be published for statistical use.
17. Display of Expiration Date
Not applicable.
18. Exceptions to certification statement
There are no exceptions to the certification statement.
| File Type | application/msword |
| File Title | PAPERWORK REDUCTION ACT SUBMISSION |
| Author | FDIC |
| Last Modified By | Jerilynn Walker |
| File Modified | 2013-10-22 |
| File Created | 2013-10-18 |