On July 21, 2010, President Obama
signed into law the Dodd-Frank Wall Street Reform and Consumer
Protection Act (“Dodd-Frank Act”). Title X of the Dodd-Frank Act,
which is titled the Consumer Financial Protection Act of 2010 (“CFP
Act”), amends a number of federal consumer protection laws enacted
prior to the Dodd-Frank Act including, in relevant part, the Fair
Credit Reporting Act (“FCRA”) and the Fair and Accurate Credit
Transactions Act of 2003 (“FACT Act”). Specifically, Section 1088
of the CFP Act sets out certain amendments to the FCRA and the FACT
Act directing the Commission to promulgate regulations that are
intended to provide privacy protections to certain consumer
information held by an entity that is subject to the jurisdiction
of the Commission. Section 1088 amends section 214(b) of the FACT
Act—which added section 624 to the FCRA in 2003—and directs the
Commission to implement the provisions of section 624 of the FCRA
with respect to persons that are subject to the Commission’s
enforcement jurisdiction. Section 624 of the FCRA gives a consumer
the right to block affiliates of an entity subject to the
Commission’s jurisdiction from using certain information obtained
from such entity to make solicitations to that consumer
(hereinafter referred to as the “affiliate marketing rules”). Under
the affiliate marketing rules, the entities covered by the
regulations are expected to prepare and provide clear, conspicuous
and concise opt-out notices to any consumers with whom such
entities have a pre-existing business relationship. A covered
entity only has to provide an opt-out notice to the extent that an
affiliate of the covered entity plans to make a solicitation to any
of the covered entity’s consumers. A covered entity is required to
send opt-out notices at the maximum of once every five years.
Section 1088 of the CFP Act also amends section 628 of the FCRA and
mandates that the Commission implement regulations requiring
persons subject to the Commission’s jurisdiction who possess or
maintain consumer report information in connection with their
business activities to properly dispose of that information
(hereinafter referred to as the “disposal rules”). Under the
disposal rules, the entities covered by the regulations are
expected to develop and implement a written disposal plan with
respect to any consumer information within such entities’
possession. The regulations provide that a covered entity develop a
written disposal plan that is tailored to the size and complexity
of such entity’s business. The purpose of the written disposal plan
is to establish a formal plan for the disposal of nonpublic,
consumer information, which otherwise could be illegally
confiscated and used by unauthorized third parties. Under the
rules, a covered entity is required to develop a written disposal
plan only once, but may subsequently amend such plan from time to
time. In addition, Section 1088 of the CFP Act amended the FCRA by
adding the CFTC and the Securities and Exchange Commission (“SEC,”
together with the CFTC, the “Commissions”) to the list of federal
agencies required to jointly prescribe and enforce identity theft
red flags rules and guidelines and card issuer rules. Under the
identity theft rules, entities covered by the regulation are
required to develop and implement reasonable policies and
procedures to identify, detect, and respond to relevant red flags
for identity theft that are appropriate to the size and complexity
of such entity’s business and, in the case of entities that issue
credit or debit cards, to assess the validity of, and communicate
with cardholders regarding address changes. They are also required
to provide for the continued administration of identity theft
policies and procedures.
The estimated total annual
burden has increased to 59,459 hours to reflect the Commission’s
current estimate of the number of respondents subject to the
requirements of Part 162. In addition, this burden estimate
reflects the total burden hours from the affiliate marketing rules
(Subpart A), the disposal rules (Subpart B), and the identity theft
rules (Subpart C) –the first two categories of which were
inadvertently omitted from previous renewals. Thus the current
renewal aims to correct past omissions by including burden
calculations from all three categories under Part 162.
On behalf of this Federal agency, I certify that
the collection of information encompassed by this request complies
with 5 CFR 1320.9 and the related provisions of 5 CFR
1320.8(b)(3).
The following is a summary of the topics, regarding
the proposed collection of information, that the certification
covers:
(i) Why the information is being collected;
(ii) Use of information;
(iii) Burden estimate;
(iv) Nature of response (voluntary, required for a
benefit, or mandatory);
(v) Nature and extent of confidentiality; and
(vi) Need to display currently valid OMB control
number;
If you are unable to certify compliance with any of
these provisions, identify the item by leaving the box unchecked
and explain the reason in the Supporting Statement.
(2019) 30-day Federal Register Notice 3038-0067.pdf
(2019) Supporting Statement - 3038-0067.docx
Collection 3038–0067, Part 162: Protection of Consumer Information under the Fair Credit Reporting Act