Red Flags '18 SS fin

The Red Flags Regulations (Under the Fair and Accurate Credit Transactions Act)

OMB: 3084-0137

Federal Trade Commission
Supporting Statement for Information Collection Provisions in the Identity Theft
Red Flags, Card Issuers, and Address Discrepancies Rules
(OMB Control #: 3084-0137)
The Federal Trade Commission (“FTC” or “Commission”) requests renewed
Office of Management and Budget (“OMB”) clearance for the collections of information
in the rules implementing sections 114 and 315 of the Fair and Accurate Credit
Transactions Act of 2003 (“FACT Act”), as amended by the Dodd-Frank Wall Street
Reform and Consumer Protection Act (“Dodd-Frank Act”)1 and the Red Flags Program
Clarification Act of 2010 (“Clarification Act”).2 These rules3 enhance the ability of
consumers to resolve problems caused by identity theft and increase the accuracy of
consumer reports.
1. Necessity for Collecting and Retaining the Information
FACT Act Section 114

Section 114 of the FACT Act, 15 U.S.C. § 1681m(e), amended section 615 of the
Fair Credit Reporting Act (“FCRA”) to require the Commission, among other things, to
issue:
• A regulation requiring each financial institution and creditor to develop and implement
a written Identity Theft Prevention Program (“Program”) to detect, prevent, and
mitigate identity theft in connection with existing accounts or the opening of new
accounts (“Red Flags Rule”); and
• A regulation generally requiring credit and debit card issuers to assess the validity of
change of address requests (“Card Issuers Rule”).
FACT Act Section 315
Section 315 of the FACT Act, 15 U.S.C. § 1681c(h), amended section 605 of the
FCRA to require the Federal Trade Commission to issue regulations providing guidance
regarding reasonable policies and procedures that a user of consumer reports must employ
when a user receives a notice of address discrepancy from a consumer reporting agency
(“Address Discrepancies Rule”). On July 21, 2010, the Dodd-Frank Wall Street Reform
and Consumer Protection Act (“Dodd-Frank Act”) was enacted. The Dodd-Frank Act
substantially changed the federal legal framework for financial services providers.
Among the changes, the Dodd-Frank Act transferred to the Bureau of Consumer Financial
Protection the Commission's rulemaking authority under portions of the FCRA. The FTC
retained rulemaking and enforcement authority for the Address Discrepancy Rule to the
extent the rule applies to motor vehicle dealers described in section 1029(a) of the
Dodd-Frank Act that are predominantly engaged in the sale and servicing of motor
vehicles, the leasing and servicing of them, or both. See 77 Fed. Reg. 22200, 22201 (Apr.
13, 2012). The Commission is authorized to maintain the Address Discrepancy Rule
pursuant to section 1029(c) of the Dodd-Frank Act and section 504(a) of the
Gramm-Leach-Bliley Act, and the rule remains in effect to the extent that it applies to
motor vehicle dealers. Id. The FTC also retains its authority to bring law enforcement
actions to enforce both its Address Discrepancy Rule and the Bureau of Consumer
Financial Protection’s corresponding rule. Id.

1 Pub. L. 111-203 (2010).

2 Red Flag Program Clarification Act of 2010, 15 U.S.C. 1681m(e)(4).

3 Red Flags Rule (16 C.F.R. 681.1); Card Issuers Rule (16 C.F.R. 681.2); and Address Discrepancies
Rule (16 C.F.R. 641) (collectively, “Rules”).

The rule requires covered motor vehicle dealers that use consumer reports (“users”)
to develop and implement reasonable policies and procedures to:
• Enable a user to form a reasonable belief that it knows the identity of the person for
whom it has obtained a consumer report, and
• Reconcile the address of the consumer with the consumer reporting agency, if the user
establishes a continuing relationship with the consumer and regularly and in the
ordinary course of business furnishes information to the consumer reporting agency.
2. Use of the Information
FACT Act Section 114

As required by section 114, the Red Flags Rule requires financial institutions and
covered creditors within the FTC’s jurisdiction to identify patterns, practices, and specific
forms of activity that indicate the possible existence of identity theft. The Red Flags Rule
also requires each covered entity to establish reasonable policies and procedures to address
the risk of identity theft. In addition, each covered entity must create a Program and
report to the board of directors, a committee thereof, or senior management at least
annually on compliance with the Red Flags Rule. In addition, staff of covered entities
must be trained to carry out the Program.
Further, the Card Issuers Rule requires credit card and debit card issuers to develop
policies and procedures to assess the validity of a request for a change of address under
certain circumstances. Each credit and debit card issuer must establish policies and
procedures to assess the validity of a change of address request. The card issuer must
notify the cardholder or use another means to assess the validity of the change of address.

FACT Act Section 315
As required by section 315, the Address Discrepancies Rule provides guidance on
reasonable policies and procedures that a covered motor vehicle dealer that is a user of
consumer reports must follow when the user receives a notice of address discrepancy from
a consumer reporting agency. Each user of consumer reports that is a motor vehicle
dealer described in section 1029(a) of the Dodd-Frank Act that is predominantly engaged
in the sale and servicing of motor vehicles, the leasing and servicing of them, or both,
must develop and implement reasonable policies and procedures that it will follow when it
receives a notice of address discrepancy from a consumer reporting agency. In certain
instances, the user must furnish an address that the user has reasonably confirmed to be
accurate to the consumer reporting agency from which it receives a notice of address
discrepancy.
3. Consideration of Using Improved Information Technology to Reduce Burden
Consistent with the aims of the Government Paperwork Elimination Act, 44 U.S.C.
§3504 note, the Rules permit covered financial institutions (including motor vehicle
dealers), creditors, and credit card users great latitude in using new technologies to reduce
compliance costs. Nothing in the Rules precludes the use of electronic methods for
compliance purposes. For example, the Red Flags Rule was drafted to be flexible and in
a technologically neutral manner so that covered entities would not be forced to acquire
expensive new technology in order to comply with that rule.
4. Efforts to Identify Duplication/Availability of Similar Information

FTC staff has not identified any other federal or state statutes, rules, or policies that
duplicate, overlap, or conflict with the Rules. To the extent that there exist any such state
laws, sections 114 and 314 of the FACT Act preempt them.
5. Efforts to Minimize Burdens on Small Businesses

Although the reach of the Red Flags Rule is broad, the Rule nonetheless permits
maximum flexibility, enabling each covered entity to prepare a Program tailored to its
particular size, sophistication, and prior experience with identity theft. Moreover, since
promulgation of the original Rule, President Obama signed the Clarification Act, which
narrowed the definition of “creditor” for purposes of section 114 of the FCRA.
Specifically, only those creditors using consumer reports, furnishing information to
consumer reporting agencies, or advancing funds are now covered by the Red Flags Rule.
As a practical matter, this means that many small businesses no longer fall within the
scope of the Rule.

The Address Discrepancies Rule and Card Issuers Rule minimize the burden on
covered businesses – including small businesses – by building upon standard business
practices, many of which were in use before these two rules were promulgated. As noted
above, only users of consumer reports that are motor vehicle dealers described in section
1029(a) of the Dodd-Frank Act and that are predominantly engaged in the sale and
servicing of motor vehicles, the leasing and servicing of them, or both, are covered under
the Address Discrepancies Rule. It is the usual and customary business practice for users
covered by the Address Discrepancies Rule to furnish information to consumer reporting
agencies in response to notices of address discrepancies. Similarly, many entities covered
by the Card Issuers Rule routinely assess the validity of change of address requests and, for
the most part, have automated the process for doing so. Accordingly, the burden on
businesses covered by the Address Discrepancies Rule and Card Issuers Rule is minimal.
6. Consequences of Conducting Collection Less Frequently

The burden associated with the Rules is largely attributable to the policies and
procedures that a covered entity must develop to create a Program, to assess the validity of
a change of address request, or to respond to notices of address discrepancy. Once they are
developed, these policies and procedures will only need to be adjusted if they become
ineffective. Similarly, staff of covered entities will need to be trained only once, unless
policies and procedures change.
The Red Flags Rule requires annual reports to the board or senior management of
covered entities. The Commission believes that the board, a committee of the board, or
senior management should monitor compliance through the review of annual reports that
assess the effectiveness of the entity’s Program.
7. Circumstances Requiring Disclosures Inconsistent with Guidelines

The collection of information required by the Rules is consistent with all applicable
guidelines contained in 5 C.F.R. § 1320.5(d)(2).
8. Consultation Outside the Agency/Public Comments

In addition to past consultations and public comments sought for the Rule when it
was proposed, the Commission more recently sought public comment regarding its latest
PRA clearance request for this Rule. See 83 Fed. Reg. 39,096 (August 8, 2018). No
relevant comments were received. Pursuant to PRA implementing regulations under 5
C.F.R. Part 1320, the Commission is providing a second opportunity for public comment
on the instant burden analysis, contemporaneous with this submission.

9. Payments/Gifts to Respondents
Not applicable.

10. & 11. Assurances of Confidentiality/Matters of a Sensitive Nature
No assurance of confidentiality is necessary because the Rules do not require
financial institutions or creditors to register or file any documents with the Commission.
To the extent that information covered by a recordkeeping requirement is collected by the
Commission for law enforcement purposes, the confidentiality protections of sections 6(f)
and 21 of the FTC Act, 15 U.S.C. §§ 46(f), 57b-2 will apply.
12. Estimated Annual Hours Burden and Associated Labor Costs
1,385,290 total burden hours (1,328,823 hours for section 114 + 56,467 hours for
section 315); $66,185,200, labor costs ($65,112,327 for section 114 and $1,072,873
for section 315)4
Section 114: Red Flags and Card Issuers Rules
A. Red Flags Rule

Affected Public: Utilities; motor vehicle dealerships; telecommunications firms;
colleges and universities; hospitals; nursing homes; public warehouse and storage
firms; fuel dealers; financial transaction processing firms; other persons satisfying the
definition of “creditor,” as modified by the Clarification Act.
Estimated Hours Burden: 1,261,855 hours
The Red Flags Rule requires financial institutions and certain creditors with
covered accounts to develop and implement a written Program and report to the board
of directors, a committee thereof or senior management at least annually on
compliance with the Rule. Under the Rule, a “financial institution” is “a State or
National bank, a State or Federal saving and loan association, a mutual savings bank, a
State or Federal credit union, or any other person that, directly or indirectly, holds a
transaction account (as defined in section 19(b) of the Federal Reserve Act, 12 U.S.C.
ch. 3) belonging to a consumer.”5

4 These figures correct the summarized totals that appeared in the FTC’s August 8, 2018 Federal
Register Notice, 83 Fed. Reg. 39,096, at Part II. (p. 39,097) and Part III. C. (p. 39,099). They are
reflected correctly in the FTC’s ensuing Federal Register Notice that coincides with this document’s
submission to OMB.

Under the Rule, “creditor” has the same meaning as in section 702 of the Equal
Credit Opportunity Act (ECOA).6 The Clarification Act, however, narrows the
definition to those creditors that use consumer reports, furnish information to
consumer reporting agencies, or advance funds. As a result, many small businesses,
service providers, and other persons that would ordinarily satisfy the ECOA definition
of “creditor” will nonetheless be excluded from the definition of “creditor” for
purposes of the Red Flags Rule.
Nonetheless, the scope of entities covered by the Red Flags Rule within the
FTC’s jurisdiction is broad, making it difficult to determine precisely the number of
financial institutions and creditors that are subject to the FTC’s jurisdiction. There are
numerous businesses under the FTC’s jurisdiction and there is no formal way to track
them; moreover, as a whole, the entities under the FTC’s jurisdiction are so varied that
there are no general sources that provide a record of their existence. Nonetheless,
FTC staff estimates that the Red Flag Rule’s requirement to have a written Program
affects over 6,278 financial institutions7 and almost 151,307 creditors.8
To estimate burden hours for the Red Flags Rule under section 114, FTC staff
has divided affected entities into two categories, based on the nature of their
businesses: (1) entities that are subject to a high risk of identity theft;9 and (2) entities
that are subject to a low risk of identity theft.10

5 The Rule refers to the definition of “financial institution” that is found in FCRA, 15 U.S.C.
§ 1681a(t).

6 15 U.S.C. §1681a(r)(5).

7 The total number of financial institutions is derived from an analysis of state credit unions and
insurers within the FTC’s jurisdiction using 2015 Census data (“County Business Patterns,” U.S.) and
other online industry data.

8 The total number of creditors draws from FTC staff analysis of 2015 Census data and industry data
for businesses or organizations that market goods and services to consumers or other businesses or
organizations subject to the FTC’s jurisdiction, reduced by entities not likely to: (1) obtain credit
reports, report credit transactions, or advance loans; and (2) entities not likely to have covered
accounts under the Rule.

9 In general, high-risk entities include, for example, financial institutions within the FTC’s
jurisdiction and utilities, motor vehicle dealerships, telecommunications firms, colleges and
universities, and hospitals.

10 Low-risk entities have a minimal risk of identity theft, but have covered accounts. These include,
for example, public warehouse and storage firms, nursing and residential care facilities, automotive
equipment rental and leasing firms, office supplies and stationery stores, fuel dealers, and financial
transaction processing firms.

1. High-Risk Entities

FTC staff estimates that high-risk entities will each require 25 hours to create
and implement a written Program, with an annual recurring burden of one hour. FTC
staff anticipates that these entities will incorporate into their Programs policies and
procedures that they likely already have in place. Further, FTC staff estimates that
preparation of an annual report will require each high-risk entity four hours initially,
with an annual recurring burden of one hour. Finally, FTC staff believes that many of
the high-risk entities, as part of their usual and customary business practices, already
take steps to minimize losses due to fraud, including conducting employee training.
Accordingly, only relevant staff need to be trained to implement the Program: for
example, staff already trained as part of a covered entity’s anti-fraud prevention efforts
do not need to be re-trained except as incrementally needed. FTC staff estimates that
training in connection with the implementation of a Program of a high-risk entity will
require four hours, and recurring annual training thereafter will require one hour.
Thus, the estimated hours burden for high-risk entities is as follows:
• 94,052 high-risk entities subject to the FTC’s jurisdiction at an average
annual burden of 13 hours per entity [average annual burden over 3-year clearance
period for creation and implementation of Program ((25+1+1) ÷3), plus average annual
burden over 3-year clearance period for staff training ((4+1+1) ÷3), plus average
annual burden over 3-year clearance period for preparing annual report ((4+1+1) ÷3)],
for a total of 1,222,676 hours.
2. Low-Risk Entities

FTC staff believes that the burden on low-risk entities to comply with the rules
is minimal. Entities that have a low risk of identity theft, but that have covered
accounts, likely will only need a streamlined Program. FTC staff estimates that such
entities will require one hour to create such a Program, with an annual recurring
burden of 5 minutes. Training staff of low-risk entities to be attentive to future risks
of identity theft should require no more than 10 minutes in an initial year, with an
annual recurring burden of 5 minutes. Thus, the estimated hours burden for low-risk
entities is as follows:
• 63,533 low-risk entities11 that have covered accounts subject to the FTC’s
jurisdiction at an average annual burden of approximately 37 minutes per entity
[average annual burden over 3-year clearance period for creation and
implementation of streamlined Program ((60+5+5) ÷3), plus average annual burden
over 3-year clearance period for staff training ((10+5+5) ÷3), plus average annual
burden over 3-year clearance period for preparing annual report ((10+5+5) ÷3)], for
a total of 39,179 hours.

11 This figure is derived from an analysis of a database of U.S. businesses based on NAICS codes for
businesses that market goods or services to consumers or other businesses within the FTC’s
jurisdiction, reduced further by: (1) those that satisfy the Clarification Act’s definition of “creditor”
and (2) those that are likely to have covered accounts.

B. Card Issuers Rule

Affected Public: State-chartered credit unions; general merchandise stores; colleges
and universities; telecommunications firms; and other persons satisfying the definition
of “creditor,” as modified by the Clarification Act.
Estimated Hours Burden: 66,968 hours
The Card Issuers Rule requires credit and debit card issuers to establish policies
and procedures to assess the validity of a change of address request, including
notifying the cardholder or using another means of assessing the validity of the change
of address. FTC staff believes that there may be as many as 16,742 credit or debit
card issuers under the FTC’s jurisdiction, including state-chartered credit unions,
retailers, and certain universities, businesses, and telecommunications companies.
FTC staff estimates that most of these card issuers already have automated the process
of notifying the cardholder or are using other means to assess the validity of the change
of address, such that implementation will pose no further burden. Nevertheless, in
order to be conservative, FTC staff estimates that it will take the 16,742 card issuers
four hours to develop and implement policies and procedures to assess the validity of a
change of address request for a total burden of 66,968 hours.
Section 315 - Address Discrepancies Rule:
Affected Public: Users of consumer reports that are motor vehicle dealers described
in section 1029(a) of the Dodd-Frank Act and that are predominantly engaged in the
sale and servicing of motor vehicles, the leasing and servicing of them, or both (below,
referenced as “users”).
Estimated Hours Burden:
As discussed above, the Address Discrepancies Rule provides guidance on
reasonable policies and procedures that a user of consumer reports must employ when
a user receives a notice of address discrepancy from a consumer reporting agency.
Assuming that every covered motor vehicle dealer is a user of consumer reports, FTC
staff estimates that the Rule affects approximately 121,000 entities.12

12 See 82 Fed. Reg. 12,452 (March 3, 2017). This represents a substantial reduction of FTC staff’s
stated estimate (1,967,167 entities) in the August 8, 2018 Federal Register Notice published as part of
the current pursuit of renewed OMB clearance. The prior estimate did not reflect a statutory change
pursuant to the Dodd-Frank Act that significantly reduced the scope of the Rule. The FTC Address
Discrepancy Rule covers only users of consumer reports that are motor vehicle dealers described in
section 1029(a) of that Act and that are predominantly engaged in the sale and servicing of motor
vehicles, the leasing and servicing of them, or both.

FTC staff estimates that it would take an infrequent user of consumer reports
no more than 16 minutes to develop and follow the policies and procedures that it will
employ when it receives a notice of address discrepancy, whereas a frequent user may
take one hour. Similarly, FTC staff estimates that, during the remaining two years of
the clearance, it may take an infrequent user no more than one minute to comply with
the policies and procedures that it will employ when it receives a notice of address
discrepancy, whereas a frequent user may take 45 minutes. Taking into account these
extremes, FTC staff estimates that, during the first year of the clearance, it will take
users of consumer reports an average of 38 minutes [the midrange between 16 minutes
and 60 minutes] to develop and comply with the policies and procedures that they will
employ when they receive a notice of address discrepancy. FTC staff also estimates
that the average recurring burden during the remaining two years of the clearance
period will be 23 minutes [the midrange between one minute and 45 minutes].
Thus, for these 121,000 entities, the average annual burden for each of them to
perform these collective tasks will be 28 minutes [(38+23+23) ÷3]; cumulatively,
56,467 hours.13

13 The above-noted customer verification requirements and the estimate of 56,467 hours concern 16
C.F.R. 641.1(c). In addition, 16 C.F.R. 641.1(d) requires users that (a) furnish a consumer’s address to
a consumer reporting agency, and (b) have established a continuing relationship with the consumer, to
develop and implement reasonable policies and procedures for furnishing an address for the consumer
that the user has reasonably confirmed is accurate. Staff previously estimated that of almost 2 million
users of consumer reports covered by 16 C.F.R. 641.1(c), 10,000 would also be required to comply
with 16 C.F.R. 641.1(d). 83 Fed. Reg. 39,099. However, given the Rule’s significantly reduced
scope (see supra note 12), a correlating reduced estimated number of entities (121,000) covered under
16 C.F.R. 641.1(c), a still lower number of entities to which 16 C.F.R. 641.1(d) and its address
verification requirements applies, at an estimated 10 minutes, annualized, per entity to comply, the
cumulative burden hours associated with 16 C.F.R. 641.1(d) would be de minimis. Thus, the estimate
above concerns solely 16 C.F.R. 641.1(c).

Estimated Labor Cost: $66,187,157 ($65,112,327 for section 114 and $1,072,873 for section 315):
Section 114: Red Flags and Card Issuers Rules
FTC staff derived labor costs by applying appropriate estimated hourly cost
figures to the burden hours described above. It is difficult to calculate with precision
the labor costs associated with the Rules, as they entail varying compensation levels of
management and/or technical staff among companies of different sizes. In calculating
the cost figures, staff assumes that entities, professional technical personnel and/or
managerial personnel will create and implement the Program, prepare the annual
report, train employees, and assess the validity of a change of address request at an
hourly rate of $49.14
Based on the above estimates and assumptions, the total annual labor costs for
all categories of covered entities under the Red Flags and Card Issuers Rules for
section 114 is $65,112,327 (1,328,823 hours x $49).
Section 315 - Address Discrepancies Rule
FTC staff assumes that the policies and procedures for compliance with the
Address Discrepancies Rule will be set up by administrative support personnel at an
hourly rate of $19.15 Based on the above estimates and assumptions, the total annual
labor cost for the two categories of burden under section 315 is $1,072,873 [(56,467
hours x $19)].
13. Estimated Capital and Other Non-Labor Costs
The FTC staff believes that the Rules impose negligible capital or other non-labor
costs, as the affected entities are likely to have the necessary supplies and/or equipment
already (e.g., offices and computers) for the information collections described herein.
14. Estimated Cost to the Federal Government

FTC staff estimates that a representative year’s cost to the FTC of administering
the Rules requirements during the 3-year clearance period sought will be approximately
$65,516. This represents three-tenths of an attorney work year, including employee
benefits.

14 This estimate is based on mean hourly wages found at
http://www.bls.gov/news.release/ocwage.t01.htm (“Bureau of Labor Statistics, Economic News
Release,” March 30, 2018, Table 1, “National employment and wage data from the Occupational
Employment Statistics survey by occupation, May 2017”) for the various managerial and technical
staff support exemplified above (administrative service managers, computer & information systems
managers, training & development managers, computer systems analysts, network & computer
systems analysts, computer support specialists) (hereinafter “BLS Table 1”).

15 This estimate – rounded to the nearest dollar – is based on mean hourly wages for various
administrative personnel (computer operators; data entry and information processing workers; word
processors and typists) found within BLS Table 1 (see supra note 14).

15. Program Changes or Adjustments

The chief change is a corrective adjustment to the estimated population subject to
section 315 of the FACT Act, which previously had been greatly overstated. The prior
estimate failed to recognize that, pursuant to the Dodd-Frank Act, the FTC Address
Discrepancy Rule covers only users of consumer reports that are motor vehicle dealers
described in section 1029(a) of that Act and that are predominantly engaged in the sale and
servicing of motor vehicles, the leasing and servicing of them, or both. Separately, prior
estimated labor costs for FACT Act section 114 were overstated due to an averaging error
in calculating an hourly wage for “professional technical personnel and/or managerial
personnel.” (Hence, the current reduction from $54 to $49 per hour for that
classification.)
16. Publishing Results of the Collection of Information
There are no plans to publish any information for statistical use.

17. Display of Expiration Date for OMB Approval
Not applicable.

18. Exceptions to the Certifications for PRA Submissions
Not applicable.


File Type: application/pdf
File Modified: 2018-11-05
File Created: 2018-11-05
