National Credit Union Administration
SUPPORTING STATEMENT
Fair Credit Reporting Act Recordkeeping and Disclosure Requirements
under 15 U.S.C. 1681 et seq.,
12 CFR 1022, and by 12 CFR 717
OMB No. 3133-0165
Summary of Action:
The National Credit Union Administration (NCUA) is requesting approval from the Office of Management and Budget (OMB) for renewal on information collection associated with the recordkeeping and disclosure requirements under the Fair Credit Reporting Act, 15 U.S.C. 1681 et seq. and 12 CFR 1022 and 12 CFR 717.
JUSTIFICATION
Circumstances that make the collection of information necessary:
The Fair Credit Reporting Act (FCRA)1 sets standards for the collection, communication, and use of information bearing on a consumer’s creditworthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living. FCRA has been revised numerous times since it took effect, notably by passage of the Consumer Credit Reporting Reform Act of 1996, the Gramm-Leach-Bliley Act of 1999, and the Fair and Accurate Credit Transactions Act of 2003. Historically, rulemaking authority for FCRA has been divided among the Board of Governors of the Federal Reserve System (FRB), the Federal Deposit Insurance Corporation (FDIC), the Federal Trade Commission (FTC), NCUA, the Office of the Comptroller of the Currency (OCC), and the Office of Thrift Supervision.
The Dodd-Frank Wall Street Reform and Consumer Protection Act (DFA) amended a number of consumer financial protection laws, including most provisions of FCRA. In addition to substantive amendments, the DFA transferred rulemaking authority for most provisions of FCRA to the Consumer Financial Protection Bureau (CFPB). Pursuant to the DFA and FCRA, as amended, CFPB promulgated Regulation V, 12 CFR 1022, to implement those provisions of FCRA for which CFPB has rulemaking authority.
Regulation V contains several requirements that impose information collection requirements on federal credit unions:
The negative information notice;
Risk-based pricing;
The procedures to enhance the accuracy and integrity of information furnished to consumer reporting agencies;
The duties upon notice of dispute from a consumer;
The affiliate marketing opt-out notice; and
The prescreened consumer reports opt-out notice.
The DFA did not transfer certain rulemaking authority under FCRA. Specifically, the DFA did not transfer to CFPB the authority to promulgate:2
The requirement to properly dispose of consumer information;
The rules on identity theft red flags and corresponding interagency guidelines on identity theft detection, prevention, and mitigation; and
The rules on the duties of card issuers regarding changes of address.
These provisions are promulgated in NCUA’s Fair Credit Reporting regulation, 12 CFR 717, which applies to federal credit unions.
The collection of information pursuant to Parts 1022 and 717 is triggered by specific events and disclosures and must be provided to consumers within the time periods established under the regulation. Regulation V and 12 CFR 717 includes model notices and/or model forms that can be used to comply with the disclosure requirements of FCRA and the regulation, although the use of the model notices and forms is not required. See Appendices B, C, D, E, and H of Regulation V, Appendix C to 12 CFR 717.
Purpose and use of the information collected:
Regulation V, 12 CFR 1022: The consumer disclosures included in Regulation V are designed to alert consumers: (1) that a financial institution has furnished negative information about them to a consumer reporting agency; (2) that they have a right to opt out of receiving marketing materials and credit or insurance offers; (3) that their credit report was used in setting the material terms of credit that may be less favorable than the terms offered to consumers with better credit histories; (4) that they maintain rights with respect to knowing what is in their consumer reporting agency file; and (5) that they can request a free credit report. Consumers then can use the information provided to consider how and when to check and use their credit reports.
The negative information notice, 15 U.S.C. 1681s-2(a)(7); 12 CFR 1022.1(b)(2)(ii): FCRA requires a financial institution, including a credit union, that regularly extends credit to consumers, to provide consumers with a notice either before it provides negative information to a nationwide consumer reporting agency, or within 30 days after reporting the negative information. Financial institutions may provide this disclosure on or with any notice of default, any billing statement, or any other materials provided to the consumer, if the notice is clear and conspicuous.
Although not required, financial institutions may use the model text, provided in Appendix B to Part 1022, to provide consumers with a notice either before it provides negative information to a nationwide consumer reporting agency, see Model B-1, or within 30 days after reporting the negative information, see Model B-2.
The risk-based pricing notice, 15 U.S.C. 1681m(h); 12 CFR 1022, Subpart H: FCRA generally requires a user of consumer reports, such as a credit union, to provide a risk-based pricing notice to a consumer when the user, based on a consumer report, extends credit on terms that are “materially less favorable” than the terms the person has extended to other consumers. Exceptions to the risk-based pricing notice requirement include:
When a consumer applies for specific terms of credit, and receives them, unless those terms were specified by the creditor using a consumer report after the consumer applied for the credit and after the creditor obtained the consumer report;
When a person such as a creditor provides a notice of adverse action;
When a person makes a firm offer of credit in a prescreened solicitation even if the person makes other firm offers of credit to other consumers on more favorable material terms;
When a person generally provides a credit score disclosure to each consumer that requests a loan that is or will be secured by residential real property;
When a person generally provides a credit score disclosure to each consumer that requests a loan that is not or will not be secured by residential real property; and
When a person who otherwise provides credit score disclosures to consumers that request loans, provides a disclosure about credit scores when no credit is available.
Appendix H to Part 1022 contains optional model forms that may be used to comply with the regulatory requirements.
The procedures to enhance the accuracy and integrity of information furnished to consumer reporting agencies, 15 U.S.C. 1681s-2(e)(1); 12 CFR 1022.42: Each furnisher must establish written policies and procedures regarding the accuracy and integrity of consumer information that it furnishes to a consumer reporting agency. The policies and procedures must be appropriate to the nature, size, complexity, and scope of the furnisher’s activities. In developing its policies and procedures, a furnisher must consider the Interagency Guidelines Concerning the Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies, Appendix E to Part 1022, and may include its existing policies and procedures that are relevant and appropriate. Each furnisher must also review its policies and procedures periodically and update them as necessary to ensure their continued effectiveness.
The duties upon notice of dispute from a consumer, 15 U.S.C. 1681s-2(a)(8); 12 CFR 1022.43: A furnisher must conduct a reasonable investigation of a direct dispute (unless an exception applies) if the dispute relates to:
The consumer’s liability for a credit account or other debt with the furnisher, such as direct disputes about identity theft or fraud against the consumer, whether there is individual or joint liability on an account, or whether the consumer is an authorized user of a credit account;
The terms of a credit account or other debt with the furnisher, such as direct disputes relating to the type of account, principal balance, scheduled payment amount, or the amount of the credit limit;
The consumer’s performance or other conduct concerning an account or other relationship with the furnisher such as, direct disputes relating to the current payment status, high balance, payment date, the payment amount, or the date an account was opened or closed; or
Any other information contained in a consumer report regarding an account or other relationship with the furnisher that bears on the consumer’s creditworthiness, credit standing credit capacity, character, general reputation, personal characteristics, or mode of living.
Exceptions to the reasonable investigation requirements apply to:
The consumer’s identifying information such as name, date of birth, Social Security number, telephone number(s), or address(es);
The identity of past or present employers;
Inquiries or requests for a consumer report;
Information derived from public records, such as judgments, bankruptcies, liens, and other legal matters (unless the information was provided by a furnisher with an account or other relationship with the consumer);
Information related to fraud alerts or active duty alerts;
Information provided to a consumer reporting agency by another furnisher; or
If the furnisher has a reasonable belief that the direct dispute is submitted by a credit repair organization; is prepared on behalf of the consumer by a credit repair organization; or is submitted on a form supplied to the consumer by a credit repair organization.
A furnisher is not required to investigate a direct dispute if the furnisher has reasonably determined that the dispute is frivolous or irrelevant. A dispute qualifies as frivolous or irrelevant if: the consumer did not provide sufficient information to investigate the disputed information; the direct dispute is substantially the same as a dispute previously submitted by or on behalf of the consumer and the dispute is one with respect to which the furnisher has already complied with the statutory or regulatory requirements; or the furnisher is not required to investigate the direct dispute because one or more of the exceptions listed in 12 CFR 1022.43(b) applies. Upon a determination that a dispute is frivolous or irrelevant, the furnisher must notify the consumer not later than five business days after making the determination, by mail or, if authorized by the consumer for that purpose, by any other means available to the furnisher.
The affiliate marketing opt-out requirement, 15 U.S.C. 1681s-3; 12 CFR 1022, Subpart C: FCRA generally prohibits a person from using certain consumer eligibility information received from an affiliate to make a solicitation to the consumer about its products or services, unless the consumer is given notice and an opportunity to opt out, and the consumer does not opt out. Exceptions include a person using eligibility information:
To make solicitations to a consumer with whom the person has a pre-existing business relationship;
To perform services for another affiliate subject to certain conditions;
In response to a communication initiated by the consumer; or
To make a solicitation that has been authorized or requested by the consumer.
A consumer’s affiliate marketing opt-out election must be effective for a period of at least five years. Upon expiration of the opt-out period, the consumer must be given a renewal notice and an opportunity to renew the opt-out before information received from an affiliate may be used to make solicitations to the consumer.
Appendix C to Part 1022 contains optional model forms that may be used to comply with the regulatory requirements.
The prescreened consumer reports opt-out notice, 15 U.S.C. 1681b(c) and 15 U.S.C. 1681m(d); 12 CFR 1022.54: FCRA allows persons, including credit unions, to obtain and use consumer reports in connection with any credit or insurance transaction that the consumer does not initiate, to make firm offers of credit or insurance. This prescreening process occurs when a person obtains from a consumer reporting agency a list of consumers who meet predetermined creditworthiness criteria and who have not elected to be excluded from prescreened lists. FCRA contains consumer protections and technical notice requirements concerning prescreened offers of credit or insurance. FCRA requires nationwide consumer reporting agencies to jointly operate an opt-out system, whereby consumers can elect to be excluded from prescreened lists by calling a toll-free number. When a person, such a credit union, obtains and uses these lists, it must provide consumers with a Prescreened Opt-Out Notice with the offer of credit or insurance. The notice must also provide the toll-free telephone number operated by the nationwide consumer reporting agencies for consumers to call to opt out of prescreened lists.
Appendix D to Part 1022 contains optional model forms that may be used to comply with the regulatory requirements.
NCUA Fair Credit Reporting Regulation, 12 CFR 717:
The requirement to properly dispose of consumer information, 15 U.S.C. 1681w; 12 CFR 717.83: Under Part 717.83(a)-(c), a credit union or other entity must properly dispose of any consumer information that it maintains or possesses. This must be done consistent with NCUA’s Guidelines for Safeguarding Member Information, in Appendix A to 12 CFR 748. Examples of how to properly dispose of consumer information include burning, pulverizing, or shredding papers; or destroying or erasing electronic media. Regardless of form, the process must ensure that the information cannot practically be read or reconstructed.
The rules on identity theft red flags and corresponding interagency guidelines on identity theft detection, prevention, and mitigation, 15 U.S.C. 1681m(e), 12 CFR 717.90: Each federal credit union must determine periodically whether it offers or maintains “covered accounts” as defined in Part 717.90(b)(3). As part of this determination, the federal credit union must conduct a risk assessment to determine whether it offers or maintains covered accounts taking into consideration: (1) the methods it provides to open its accounts; (2) the methods it provides to access its accounts; and (3) its previous experiences with identity theft.
A federal credit union that offers or maintains one or more “covered accounts” must develop and implement a written program designed to detect, prevent, and mitigate identity theft in connection with the opening of a “covered account” or any existing “covered account.” The program must be tailored to the federal credit union’s size and complexity and the nature and scope of its operations and must contain “reasonable policies and procedures” to:
Identify red flags for the “covered accounts” the federal credit union offers or maintains and incorporate those red flags into the program;
Detect red flags that have been incorporated into the program;
Respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and
Ensure that the program, including the red flags determined to be relevant, is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the federal credit union from identity theft.
A federal credit union must provide for the continued administration of the program by: (1) obtaining approval of the initial written program by the board of directors or an appropriate committee of the board; (2) involving the board of directors, a committee of the board, or an employee at the level of senior management, in the oversight, development, implementation, and administration of the program; (3) training staff, as necessary, to implement the program effective; and (4) exercising appropriate and effective oversight of service-provider arrangements.
Each federal credit union that is required to implement a program also must consider the Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation, available in Appendix J to Part 717, and include in its program those guidelines that are appropriate. The guidelines are intended to assist federal credit unions in the formation and maintenance of a program that satisfies the regulatory requirements. A federal credit union may determine that a particular guideline is not appropriate for its program; however, the federal credit union must have policies and procedures that meet the specific requirements of the rules.
The rules on the duties of card issuers regarding changes of address, 15 U.S.C. 1681m(e); 12 CFR 717.91: A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer’s debit or credit card account and, within a short period of time afterwards, at least the first 30 days after it receives such notification, the card issuer receives a request for an additional or replacement card for the same account. In such situations, the card issuer must not issue an additional or replacement card until it assesses the validity of the change of address in accordance with its policies and procedures.
The policies and procedures must provide that the card issuer will:
Notify the cardholder of the request for an additional or replacement card at the cardholder’s former address or by any other means of communication that the card issuer and the cardholder have previously agreed to use; and provide to the cardholder a reasonable means of promptly reporting incorrect address change; or
Assess the validity of the change of address according to the procedures the card issuer has established as part of its Identity Theft Prevention Program (12 CFR 717.90).
A card issuer may satisfy the requirements of these rules prior to receiving any request for an additional or replacement card by validating an address when it receives an address change notification.
Any written or electronic notice that a card issuer provides to satisfy these rules must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.
Use of information technology:
Credit unions may adopt any existing technology relevant to producing the notices, obtaining the consumer opt-out determinations, and maintaining records of the notices and opt-out determinations.
Duplication of information:
There is no duplication. The information is not available from any other source.
Efforts to reduce burden on small entities:
The collection imposes on credit unions, regardless of size, only the minimum burden necessary for compliance with FCRA. Regulation V and Part 717 include model notices that credit unions may use to comply with the regulations. Although the use of the model notices is not required, the use of the model notices should minimize the burden of this collection.
Consequences of not conducting the collection:
The frequency of the disclosure requirements contained in the regulations are transaction based. Less frequent disclosures would reduce the protections to consumers that were contemplated by FCRA.
Inconsistencies with guidelines in 5 CFR 1320.5(d)(2):
There are no special circumstances. This collection is consistent with the guidelines in 5 CFR 1320.5(d)(2).
Efforts to Consult with persons outside the agency:
A 60-day notice was published in the Federal Register on December 22, 2020, at 85 FR 83625. No public comments were received.
Payment or gifts to respondents:
There is no intent by NCUA to provide payment or gifts for information collected.
Assurance of confidentiality:
There is no assurance of confidentiality other than provided by law.
Questions of a sensitive nature:
No questions of a sensitive nature are asked. The information collection does not collect any Personally Identifiable Information (PII).
Burden of information collection:
The annual burden is estimated to be 248,827 hours for the 3,232 federal credit unions that are deemed to be respondents for purposes of PRA. The burden for consumers is estimated to be 23,859 hours. These estimated burdens arise exclusively from the regulations and is shown in the table below.
|
Federal Credit Union Burden |
|||
Information Collection Requirement 12 CFR 1022 or 12 CFR 717 |
Estimated # of Respondents or Responses |
Estimated Annual Frequency |
Estimated Avg. Hours per Response |
Estimated Annual Burden Hours |
Negative Information Notice (1022.1(b)(2)) |
3,232 |
1 |
15 minutes |
808 |
Risk-Based Pricing (1022, Subpart H) |
2,398 |
12 |
5 |
143,880 |
Procedures to Enhance Accuracy & Integrity of Information Furnished to Consumer Reporting Agencies (1022.42): |
|
|
|
|
(1) Develop policies and procedures |
8 |
1 |
32 |
256 |
(2) Amend policies and procedures and training |
3,232 |
1 |
8 |
25,856 |
Notice of Dispute from Consumer (1022.43) |
3,232 |
1 |
14 minutes |
754 |
Prescreened Consumer Reports Opt-Out Notice (1022.54) |
1,925 |
1 |
15 minutes |
481 |
Affiliate Marketing Opt-Out Notice (1022, Subpart C) |
238 |
1 |
18 |
4,284 |
Requirement to Properly Dispose of Consumer Information (717.83) |
3,232 |
1 |
4 |
12,928 |
Identity Theft Red Flags (717.90): |
|
|
|
|
(1) Develop program and policies and procedures |
8 |
1 |
21 |
168 |
(2) Update program, prepare annual report and training |
3,232 |
1 |
16 |
51,712 |
Card Issuers’ Duties Regarding Changes of Address (717.91) |
1,925 |
1 |
4 |
7,700 |
Total |
|
|
|
248,827 |
|
Consumer Burden |
|||
Prescreened Consumer Reports Opt-Out Notice |
143,000 |
1 |
5 minutes |
11,917 |
Affiliate Marketing Opt-Out Notice |
143,300 |
1 |
5 minutes |
11,942 |
Total |
|
|
|
23,859 |
The annual cost for the 3,232 federal credit union respondents is estimated to be $8,708,945 (at $35 hourly cost) and is shown in the table below; the annual cost for consumers is estimated to be $875,625.30 (at $36.70 hourly cost) and is also shown in the table below.
|
Cost to Federal Credit Unions |
||
Information Collection Activity |
Annual Hourly Burden |
Hourly $ Rate per Response |
Total $ Amount |
Negative Information Notice |
808 |
$35 |
$28,280 |
Risk-Based Pricing |
143,880 |
$35 |
$5,035,800 |
Procedures to Enhance Accuracy and Integrity of Information Furnished to Consumer Reporting Agencies |
|
|
|
(1) Develop policies and procedures |
256 |
$35 |
$8,960 |
(2) Amend policies and procedures and training |
25,856 |
$35 |
$904,960 |
Notice of Dispute from Consumer |
754 |
$35 |
$26,390 |
Prescreened Consumer Reports Opt-Out Notice |
481 |
$35 |
$16,835 |
Affiliate Marketing Opt-Out Notice |
4,284 |
$35 |
$149,940 |
Requirement to Properly Dispose of Consumer Information |
12,928 |
$35 |
$452,480 |
Identity Theft Red Flags: |
|
|
|
(1) Develop program and policies and procedures |
168 |
$35 |
$5,880 |
(2) Prepare annual report and training |
51,712 |
$35 |
$1,809,920 |
Card Issuers’ Duties Regarding Changes of Address |
7,700 |
$35 |
$229,500 |
Total |
228,827 |
|
$8,708,945 |
|
Cost to Consumers |
||
Prescreened Consumer Reports Opt-Out Notice |
11,917 |
$36.70 |
$437,353.90 |
Affiliate Marketing Opt-Out Notice |
11,942 |
$36.70 |
$438,271.40 |
Total |
23,859 |
|
$875,625.30 |
Capital start-up or ongoing maintenance costs:
Other than the costs to respondents that are associated with the usual customary and business practice, there are not capital/start-up or ongoing operations/maintenance costs associated with this information collection.
Annualized costs to Federal Government
There are no costs to the Federal Government.
Changes in Burden
The information collection burden has changed due to adjustments in the estimate of respondents.
Information collection planned for statistical purposes:
The information is not planned for publication.
Request non-display the expiration date of the OMB control number:
The OMB control number and expiration date associated with this PRA submission will be displayed on the Federal government’s electronic PRA docket website at www.reginfo.gov.
Exceptions to certification for Paperwork Reduction Act submissions:
There are no exceptions to the certification statement.
Collections of Information Employing Statistical Methods
This collection does not involve statistical methods.
1 15 U.S.C. 1681 et seq.
2 The DFA did not transfer rulemaking authority under FCRA over any motor vehicle dealer that is predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both, subject to certain exceptions. See section 1029 of the DFA.
OMB No. 3133-0165; Feb.
2021
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| Author | Lee, Grace H |
| File Modified | 0000-00-00 |
| File Created | 2021-03-02 |