SUPPORTING STATEMENT
Identity Theft Red Flags and Address Discrepancies
Under the FACT Act of 2003
12 C.F.R. Part 41
(OMB Control No. 1557-0237)
A. Justification.
1. Circumstances that make the collection necessary:
Section 114 of the FACT Act amended section 615 of the Fair Credit Reporting Act (FCRA) to require the Agencies1 to issue jointly:
Guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers (in developing the guidelines, the Agencies are required to identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary and cannot be inconsistent with the policies and procedures required under section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l).);
Regulations that require each financial institution and each creditor to establish reasonable policies and procedures for implementing the guidelines to identify possible risks to account holders or customers or to the safety and soundness of the institution or creditor; and
Regulations generally requiring credit and debit card issuers to assess the validity of change of address requests under certain circumstances.
Section 315 of the FACT Act amended section 605 of the FCRA to require the Agencies to issue regulations providing guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency (CRA).2 These regulations were required to describe reasonable policies and procedures for users of consumer reports to:
Enable a user to form a reasonable belief that it knows the identity of the person for whom it has obtained a consumer report; and
Reconcile the address of the consumer with the CRA, if the user establishes a continuing relationship with the consumer and regularly and in the ordinary course of business furnishes information to the CRA.
2. Use of the information:
As required by section 114 of the FACT Act, appendix J to 12 CFR part 41 contains guidelines for financial institutions and creditors to use in identifying patterns, practices, and specific forms of activity that may indicate the existence of identity theft. In addition, 12 CFR 41.90 requires each financial institution or creditor that is a national bank, Federal savings association, Federal branch or agency of a foreign bank, and any of their operating subsidiaries that are not functionally regulated (bank), to establish an Identity Theft Prevention Program (Program) designed to detect, prevent, and mitigate identity theft in connection with accounts. Pursuant to § 41.91, credit card and debit card issuers must implement reasonable policies and procedures to assess the validity of a request for a change of address under certain circumstances.
Section 41.90 requires each OCC regulated financial institution or creditor that offers or maintains one or more covered accounts to develop and implement a Program. In developing the Program, financial institutions and creditors are required to consider the guidelines in appendix J and include those that are appropriate. The initial Program must be approved by the board of directors or by an appropriate committee thereof. The board, an appropriate committee thereof, or a designated employee at the level of senior management must be involved in the oversight of the Program. In addition, staff members must be trained to carry out the Program. Pursuant to § 41.91, each credit card and debit card issuer is required to establish and implement policies and procedures to assess the validity of a change of address request under certain circumstances. Before issuing an additional or replacement card, the card issuer must notify the cardholder or use another means to assess the validity of the change of address.
As required by section 315 of the FACT Act, § 1022.82 requires users of consumer reports to have reasonable policies and procedures that must be followed when a user receives a notice of address discrepancy from a CRA.
Section 1022.82 requires each user of consumer reports to develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it requested the report when it receives a notice of address discrepancy from a CRA. A user of consumer reports also must develop and implement reasonable policies and procedures for furnishing a customer address that the user has reasonably confirmed to be accurate to the CRA from which it receives a notice of address discrepancy when the user can: (1) form a reasonable belief that the consumer report relates to the consumer about whom the user has requested the report; (2) establish a continuing relationship with the consumer and; (3) establish that it regularly and in the ordinary course of business furnishes information to the CRA from which it received the notice of address discrepancy.
3. Consideration of the use of improved information technology:
A respondent may use any effective information technology it chooses to meet the requirements of the collection.
4. Efforts to identify duplication:
The information collected is not available elsewhere.
5. Methods used to minimize burden if the collection has a significant impact on a substantial number of small entities:
Not applicable.
6. Consequences to the Federal program if the collection were conducted less frequently:
Less frequent collection would cause Identity Theft Prevention Programs to become ineffective.
7. Special circumstances that would cause an information collection to be conducted in a manner inconsistent with 5 CFR Part 1320:
The collection is conducted consistent with the requirements of 5 CFR part 1320.
8. Efforts to consult with persons outside the agency:
The collection was published for 60 days of comment on November 20, 2015, 80 FR 72783. No comments were received.
9. Payment or gift to respondents:
Not applicable.
10. Any assurance of confidentiality:
The information collected is kept private to the extent permitted by law.
11. Justification for questions of a sensitive nature:
There are no questions of a sensitive nature.
12. Burden estimate:
Number of existing respondents: 1,441 (1,354 banks and thrifts; 37 trust companies; 50 Federal branches & agencies of foreign banks).
Updating program: 8 hours.
Preparing annual report –
Effectiveness: 4 hours.
Significant incidents of identity theft and management’s response: 4 hours.
Service provider arrangements: 1 hour.
Recommendations for material changes to the program:3 6 hours.
Oversight of services providers: 8 hours.
Annual training: 80 hours.
Number of new respondents (new charters): 3.
Estimated burden per new respondent: 361 hours (111 hours + 250 hours).
Developing new program:4 250 hours.
Total burden for existing respondents: 159,951 hours.
Total burden for new respondents: 1,083 hours.
Total estimated annual burden: 161,034 hours.
Cost of Hour Burden:
161,034 x 101 = $ 16,264,434.
To estimate average hourly wages we reviewed data from May 2014 for wages (by industry and occupation) from the U.S. Bureau of Labor Statistics (BLS) for depository credit intermediation (NAICS 522100). To estimate compensation costs associated with the rule, we use $101 per hour, which is based on the average of the 90th percentile for seven occupations adjusted for inflation (2 percent), plus an additional 30 percent to cover private sector benefits. Thirty percent represents the average private sector costs of employee benefits.
13. Estimate of total annual costs to respondents (excluding cost of hour burden in Item #12):
Not applicable.
14. Estimate of annualized costs to the Federal government:
Not applicable.
15. Change in burden:
Prior Burden: 2,010 respondents; 223,860 burden hours.
Current Burden: 1,444 respondents; 161,034 burden hours.
Difference: - 566 respondents; - 62,826 burden hours.
The changes in burden are due to the availability of more accurate estimates.
16. Information regarding collections whose results are to be published for statistical use:
The results of these collections will not be published for statistical use.
17. Reasons for not displaying OMB approval expiration date:
Not applicable.
18. Exceptions to the certification statement in Item 19 of OMB Form 83-I:
None.
B. Collections of Information Employing Statistical Methods
Not applicable.
1 Section 114 required the guidelines and regulations to be issued jointly by the Federal banking agencies (OCC, Board of Governors of the Federal Reserve System, and Federal Deposit Insurance Corporation), the National Credit Union Administration and the Federal Trade Commission. Therefore, for purposes of this filing, “Agencies” refers to these entities. Note that section 1088(a)(8) of the Dodd-Frank Act further amended section 615 of FCRA to also require the Securities and Exchange Commission and the Commodity Futures Trading Commission to issue Red Flags guidelines and regulations.
2 These regulations have been transferred to the Consumer Financial Protection Bureau.
3 Includes board approval of material changes and, if required, modifying procedures.
4 In addition to the requirements of 12 C.F.R. 41.90 this includes developing policies and procedures to assess validity of changes of address pursuant to 12 C.F.R. 41.91 and developing policies and procedures to respond to notices of address discrepancy pursuant to 12 C.F.R. 1022.88.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | PAPERWORK REDUCTION ACT SUBMISSION |
| Author | FDIC |
| File Modified | 0000-00-00 |
| File Created | 2021-01-24 |