SUPPORTING STATEMENT
Identity Theft Red Flags and Address Discrepancies
Under the FACT Act of 2003
12 CFR Part 41
OMB Control No. 1557-0237
A. Justification.
1. Circumstances that make the collection necessary:
Section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act)1 amended section 615 of the Fair Credit Reporting Act (FCRA)2 to require the Agencies3 to issue jointly:
Guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers (in developing the guidelines, the Agencies are required to identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary and cannot be inconsistent with the policies and procedures required under section 326 of the USA PATRIOT Act, (31 U.S.C. 5318(l));
Regulations that require each financial institution and each creditor to establish reasonable policies and procedures for implementing the guidelines to identify possible risks to account holders or customers or to the safety and soundness of the institution or creditor; and
Regulations generally requiring credit and debit card issuers to assess the validity of change of address requests under certain circumstances.
Section 315 of the FACT Act4 amended section 605 of FCRA to require the Agencies to issue regulations providing guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency (CRA).5 These regulations were required to describe reasonable policies and procedures for users of consumer reports to:
Enable a user to form a reasonable belief that it knows the identity of the person for whom it has obtained a consumer report; and
Reconcile the address of the consumer with the CRA if the user establishes a continuing relationship with the consumer and regularly and, in the ordinary course of business, furnishes information to the CRA.
2. Use of the information:
As required by section 114 of the FACT Act, appendix J to 12 CFR part 41 contains guidelines for financial institutions and creditors to use in identifying patterns, practices, and specific forms of activity that may indicate the existence of identity theft. In addition, 12 CFR 41.90 requires each financial institution or creditor that is a national bank, federal savings association, federal branch or agency of a foreign bank, and any of their operating subsidiaries that are not functionally regulated (bank), to establish an Identity Theft Prevention Program (Program) designed to detect, prevent, and mitigate identity theft in connection with accounts. Pursuant to § 41.91, credit card and debit card issuers must implement reasonable policies and procedures to assess the validity of a request for a change of address under certain circumstances.
Section 41.90 requires each OCC regulated financial institution or creditor that offers or maintains one or more covered accounts to develop and implement a Program. In developing a Program, financial institutions and creditors are required to consider the guidelines in appendix J and include those that are appropriate. The initial Program must be approved by the board of directors or by an appropriate committee thereof. The board, an appropriate committee thereof, or a designated employee at the level of senior management must be involved in the oversight of the Program. In addition, staff members must be trained to carry out the Program. Pursuant to § 41.91, each credit card and debit card issuer is required to establish and implement policies and procedures to assess the validity of a change of address request under certain circumstances. Before issuing an additional or replacement card, the card issuer must notify the cardholder of the request and provide the cardholder a reasonable means to report incorrect address changes or use another means to assess the validity of the change of address.
As required by section 315 of the FACT Act, § 1022.826 requires users of consumer reports to have reasonable policies and procedures that must be followed when a user receives a notice of address discrepancy from a CRA.
Section 1022.82 requires each user of consumer reports to develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it requested the report when it receives a notice of address discrepancy from a CRA. A user of consumer reports also must develop and implement reasonable policies and procedures for furnishing a customer address that the user has reasonably confirmed to be accurate to the CRA from which it receives a notice of address discrepancy when the user can: (1) form a reasonable belief that the consumer report relates to the consumer about whom the user has requested the report; (2) establish a continuing relationship with the consumer; and (3) establish that it regularly and in the ordinary course of business furnishes information to the CRA from which it received the notice of address discrepancy.
3. Consideration of the use of improved information technology:
A respondent may use any effective information technology it chooses to meet the requirements of the collection.
4. Efforts to identify duplication:
The information collected is not available elsewhere.
5. If the collection of information impacts small businesses or other small entities, describe any methods used to minimize burden.
There are no alternatives that would result in lowering the burden on small institutions, while still accomplishing the purpose of the rule.
6. Consequences to the federal program if the collection were conducted less frequently:
Less frequent collection would cause Identity Theft Prevention Programs to become less effective.
7. Special circumstances that would cause an information collection to be conducted in a manner inconsistent with 5 CFR part 1320:
The collection is conducted consistent with the requirements of 5 CFR part 1320.
8. Efforts to consult with persons outside the agency:
The collection was published for 60 days of comment on March 29, 2022, 87 FR 18071. No comments were received.
9. Payment or gift to respondents:
Not applicable.
10. Any assurance of confidentiality:
The information collected is kept private to the extent permitted by law.
11. Justification for questions of a sensitive nature:
There are no questions of a sensitive nature.
12. Burden estimate:
Number of existing respondents: 1,171 (1,065 banks and thrifts; 54 trust companies; 52 federal branches and agencies of foreign banks).
Updating program: 8 hours.
Preparing annual report –
Effectiveness: 4 hours.
Significant incidents of identity theft and management’s response: 4 hours.
Service provider arrangements: 1 hour.
Recommendations for material changes to the program:7 6 hours.
Oversight of services providers: 8 hours.
Annual training: 80 hours.
Number of new respondents (new charters): 1.
Estimated burden per new respondent: 361 hours (111 hours + 250 hours).
Developing new program:8 250 hours.
Total burden for existing respondents: 129,981 hours.
Total burden for new respondents: 361 hours.
Total estimated annual burden: 130,342 hours.
Cost of Hour Burden:
130,342 x 114.17 = $ 14,881,146.14
To estimate wages, the OCC reviewed May 2020 data for wages (by industry and occupation) from the U.S. Bureau of Labor Statistics (BLS) for credit intermediation and related activities (NAICS 5220A1). To estimate compensation costs associated with the rule, the OCC uses $114.17 per hour, which is based on the average of the 90th percentile for six occupations adjusted for inflation (2 percent as of Q1 2021), plus an additional 33.4 percent for benefits (based on the percent of total compensation allocated to benefits as of Q4 2020 for NAICS 522: credit intermediation and related activities).
13. Estimate of total annual costs to respondents (excluding cost of hour burden in Item #12):
Not applicable.
14. Estimate of annualized costs to the Federal Government:
Not applicable.
15. Change in burden:
Prior Burden: 132,007 Hours
Current Burden: 130,342 Hours
Difference: -1,665 Hours
The decrease in burden is due to the decrease in the number of institutions subject to the rule.
16. Information regarding collections whose results are to be published for statistical use:
The results of these collections will not be published for statistical use.
17. Reasons for not displaying OMB approval expiration date:
Not applicable.
18. Exceptions to the certification statement:
None.
B. Collections of Information Employing Statistical Methods
Not applicable.
1 15 U.S.C. 1681m(e).
2 15 U.S.C. 1681m.
3 Section 114 required the guidelines and regulations to be issued jointly by the federal banking agencies (OCC, Board of Governors of the Federal Reserve System, and Federal Deposit Insurance Corporation), the National Credit Union Administration and the Federal Trade Commission. Therefore, for purposes of this filing, “Agencies” refers to these entities. Note that section 1088(a)(8) of the Dodd-Frank Act further amended section 615 of FCRA to also require the Securities and Exchange Commission and the Commodity Futures Trading Commission to issue Red Flags guidelines and regulations.
4 15 U.S.C. 1681c(h)(2).
5 These regulations have been transferred to the Bureau of Consumer Financial Protection (BCFP).
6 Title X of the Dodd-Frank Wall Street Reform and Consumer Protection Act transferred this regulation to the BCFP. The OCC retains enforcement authority for this regulation for institutions with $10 billion in total assets or less.
7 Includes board approval of material changes and, if required, modifying procedures.
8 In addition to the requirements of 12 CFR 41.90 this includes developing policies and procedures to assess validity of changes of address pursuant to 12 CFR 41.91 and developing policies and procedures to respond to notices of address discrepancy pursuant to 12 CFR 1022.88.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Title | PAPERWORK REDUCTION ACT SUBMISSION |
| Author | FDIC |
| File Modified | 0000-00-00 |
| File Created | 2022-06-08 |