Sections 52.21 through 52.37, Telephone Number 3060-0742
Portability, 47 CFR Part 52, Subpart (C) and October 2024
CC Docket No 95-116
SUPPORTING STATEMENT
This revised information collection is being submitted to obtain approval from the Office of Management and Budget (OMB) for new or revised information collection requirements that result in part from actions taken in the recent Federal Communications Commission (Commission or FCC) SIM Swap and Port-Out Fraud Report and Order (FCC 23-95, 88 FR 85794 (Dec. 8, 2023)), as explained below.
A. Justification:
1. Circumstances that make the collection necessary. 47 CFR Part 52, Subpart C implements the statutory requirement that local exchange carriers (LECs) and Commercial Mobile Radio Service (CMRS) providers provide local number portability (LNP) as set forth in Sections 1, 2, 4, 251 and 332 of the Communications Act of 1934, as amended (the Act).
SIM Swap and Port-Out Fraud Order. On November 16, 2023, the FCC released a Report and Order and Further Notice of Proposed Rulemaking (FCC 23-95) (88 FR 85794 (Dec. 8, 2023)) (SIM Swap and Port-Out Fraud Order), which adds new information collection requirements in paragraphs (e) through (g) of this supporting statement. The SIM Swap and Port-Out Fraud Order adopted baseline measures to increase protections for customers against fraudulent port-outs by adding new section 52.37 in Part 52, and adds new information collection requirements in paragraphs (c), (e), and (g) of that rule. Port-out fraud occurs where a bad actor impersonates a customers of a wireless provider and convinces the provider to port the real customer’s telephone number to a new wireless provider and a device that the bad actor controls, allowing a bad actor to control the victim’s mobile account and receive text messages and phone calls intended for the victim. The new rules establish a uniform framework that gives wireless providers1 flexibility to implement customer authentication and security methods to address port-out fraud. See SIM Swap and Port-Out Fraud Order. Wireless providers are required to comply with the new or modified rules except where the Safe Connections Act requires alternate procedures to be used, as discussed below. The SIM Swap and Port-Out Fraud Order modifies the existing Local Number Portability (LNP) collection requirements to require wireless providers to: (1) immediately notify customers of any requests for a port-out request associated with the customer’s account before effectuating the request; (2) provide customers with advance notice of any account protection measures offered; and (3) maintain a clear process for customers to report fraudulent number ports, and promptly provide customers with documentation of fraudulent ports involving their accounts.
The Commission requires the following information to be collected from various entities:
Currently Approved Information Collection Requirements—paragraphs (a) through (d):
a. Requests for long-term number portability: Long-term number portability must be provided by Local Exchange Carriers (LECs) and Commercial Mobile Radio Service (CMRS) providers in switches for which another carrier has made a specific request for number portability, according to the Commission’s deployment schedule. Wireline carriers began providing LNP in 1998. In a Memorandum Opinion and Order (FCC 02-215) in CC Docket No. 95-116, the Commission extended the deadline for CMRS providers to offer LNP. CMRS providers began offering LNP in 2003.
b. Tariffs and Cost Support: Incumbent LECs may recover their carrier-specific costs directly related to providing long-term number portability by establishing in tariffs filed with the Commission certain number portability charges. See 47 CFR § 52.33. Incumbent LECs are required to include many details in their cost support that are unique to the number portability proceeding pursuant to the Cost Classification Order. For instance, incumbent LECs must demonstrate that any incremental overhead costs claimed in their cost support are actually new costs incremental to and resulting from the provision of long-term number portability. See Cost Classification Order.
c. Recordkeeping Requirement: Incumbent LECs are required to maintain records that detail both the nature and specific amount of these carrier-specific costs that are directly related to number portability, and those carrier-specific costs that are not directly related to number portability. See the Third Report and Order, CC Docket No. 95-116, released May 12, 1998.
d. Standardized Local Service Request Data Fields: Section 251(b)(2) of the Telecommunications Act of 1996 requires LECs to “provide, to the extent technically feasible, number portability in accordance with requirements prescribed by the Commission.” Through the LNP process, consumers have the ability to retain their phone number when switching telecommunications service providers, enabling them to choose a provider that best suits their needs and enhancing competition. In the Porting Interval Order and Further Notice, the Commission mandated a one business day porting interval for simple wireline-to-wireline and intermodal port requests. The information collected in the standard local service request data fields is necessary to complete simple wireline-to-wireline and intermodal ports within the one business day porting interval mandated by the Commission and will be used to comply with Section 251 of the Telecommunications Act of 1996.
New or Revised Information Collection Requirements Resulting from Changes in SIM Swap and Port-Out Fraud Order
e. Customer notification of port-out requests: To provide customers with an early warning that their account may be subject to fraudulent activity, upon receiving a port-out request, CMRS providers must provide immediate notification to customers that a port-out request associated with the customer’s account was made, sent in accordance with customer preferences, if indicated. While the Commission declines to prescribe particular content or wording of port-out request notifications, the notifications must use clear and concise language with sufficient information to effectively inform a customer that a port-out request involving the customer’s account was made. See 47 CFR § 52.37(c) and paragraphs 58-60 of the SIM Swap and Port-Out Fraud Order (FCC 23-95).
f. Notice of account protection measures: CMRS providers must provide customers with notice of any account protection measures offered, including those to prevent port-out fraud, and to make this notice easily accessible via provider websites and applications. See 47 CFR § 52.37(e) and paragraph 67 of the SIM Swap and Port-Out Fraud Order (FCC 23-95).
g. Procedures to resolve fraudulent SIM changes: CMRS providers must maintain a clearly disclosed, transparent, and easy-to-use process, at no cost, for customers to report port-out fraud, promptly investigate and take reasonable steps to remediate such fraud, and upon request, promptly provide customers with documentation of the fraud involving their accounts. See 47 CFR § 52.37(g) and paragraphs 72-76 of the SIM Swap and Port-Out Fraud Order (FCC 23-95).
The Commission is seeking a revision to an existing collection from the Office of Management and Budget (OMB) in order to obtain the full three-year clearance from them.
This information collection does not affect individuals or households; thus, there are no impacts under the Privacy Act.
The statutory authority for this collection is contained in: 47 U.S.C. §§ 151, 152, 154(i), 201-205, 215, 251(b)(2), 251(e)(2), and 332.
2. Use of information. Providers already exchange numerous types of information in order to complete port requests. The information collected in the standard local service request data fields minimizes and standardizes that information at the request of the industry to ensure that providers are able to complete simple wireline-to-wireline and intermodal ports within the one business day porting interval mandated by the Commission and will be used to comply with Section 251 of the Telecommunications Act of 1996. The new information collection requirements will help to protect customers from port-out fraud.
3. Technological collection techniques. Incumbent LECs seeking to recover their number portability costs must file a tariff. All incumbent LECs were directed to file interstate tariffs and associated documents through the Internet on ETFS as of July 1, 1998, pursuant to an Order, Electronic Tariff Filing System (ETFS), adopted May 28, 1998, released May 28, 1998, DA 98-914. Accordingly, paper tariff filings will not be accepted.
In addition, information collected in the standard local service request data fields may be both collected and provided through the use of automated or electronic collection techniques, depending on the provider.
4. Efforts to identify duplication. There will be no duplication of information filed.
5. Impact on small entities. The collection of information will affect large and small entities. Because the information sought is relatively modest, we do not believe that the requirements severely impact small businesses. The tariff filing enables small entities to recover their costs so it will not negatively impact small businesses.
6. Consequences if the information is not collected. If the information sought is not collected, it will impair the Commission’s ability to protect customers from fraudulent use of phone numbers, and to ensure that carriers are in compliance with the Commission’s number portability rules and that long-term number portability costs are recovered in a competitively-neutral manner, in accordance with the requirements of the Telecommunications Act of 1996.
7. Special circumstances. There are no special circumstances associated with this information collection.
8. Federal Register Notice. Pursuant to 5 CFR § 1320.8(d), the Commission published a notice in the Federal Register to solicit public comment on June 25, 2024 (89 FR 53079). Three comments were received in response to the 60-day notice, from Competitive Carriers Association (CCA), NCTA – The Internet & Television Association (NCTA), and CTIA. Generally, CCA asserts that the FCC “severely underestimates the burden and time required to come in to compliance,” and urges the FCC to revise its cost and burden estimates.2 Similarly, NCTA requests that the Commission reassess the burdens of compliance with the new rules, and urges the Commission to reissue the PRA notice with more detailed burden and cost analysis.3 NCTA asserts that the initial 60-day notice did not provide sufficiently detailed burden estimates for each of the requirements.4 NCTA further asserts that providers anticipate that the cost of implementing the rules subject to the PRA “will be between $500,000 and $1 million.”5 Likewise, CTIA raises concerns that the FCC has “underestimated the burdens and costs of the new information collections and urges” the FCC to reissue its PRA Notice with an updated analysis for its burden and cost estimates, which should “either increase the Commission’s estimate, consistent with the record, or explain its rational for the current estimates in the PRA Notice.”6 CTIA raises concerns that the PRA Notice provides aggregate estimates, but does not explain how those totals should be divided among the various information collections under the Order.7 CTIA also asserts that the burdens are too low, and the notice “appears to ignore the burden of initial implementation of the new information collection requirements.”8
As an initial matter, the 60-day PRA notices published by the Commission comply with the PRA and OMB regulations. Additionally, this supporting statement provides significant detail broken down by requirement, as CTIA and NCTA request.9 Further, as explained below in paragraph 12, the burden estimates include front-end time necessary for providers to design, develop, test, and implement procedures to address the new requirements subject to the PRA. However, to address commenter concerns, we upwardly adjust the burden estimate to account for additional time necessary for these activities, which are specifically associated with initial implementation.
Commenters also raise concerns about the burdens associated with specific new requirements. With respect to account locking, CCA asserts that some members’ vendors do not have readily accessible solutions and that “expensive unanticipated, and time-intensive software upgrades or customer solutions have been required.”10 With regard to customer notifications, CCA asserts that implementing the various customer notification requirements will take upwards of 700-800 hours of work at a cost of at least $70,000-$80,000 for vendor services and carrier resources required for implementation.11 CCA further estimates that achieving compliance with new requirements for account protection measures and procedures to resolve fraudulent SIM swaps or ports will take no less than 3,000-4,000 hours at a cost of between $300,000-$400,000 for vendor services and carrier resources required for implementation.12 CTIA, too, raises concerns regarding the ongoing burdens associated with the new requirements for customer notifications, customer account locks, and procedures to resolve fraudulent SIM changes and port-outs.13
The commenters do not, however, fully distinguish between the burden associated with the information collection elements of the new rules and full compliance with the new rules generally. For example, the SIM Swap and Port-Out Fraud Order requires providers to provide notice of any account protection measures the provider offers. The rules also require providers to maintain “a clearly disclosed, transparent, and easy-to-use process for customers to report SIM swap and port-out fraud, promptly investigate and take reasonable steps within their control to remediate such fraud, and upon request, promptly provide customers with documentation of SIM swap and port-out fraud involving their accounts.”14 CCA estimates 3,000-4,000 hours to comply with these rules alone. However, CCA does not distinguish between the burden of providing notice of account protection measures and costs associated with implementing account protection measures themselves (which are not collections of information subject to the PRA),15 nor do commenters distinguish between the burden of developing and providing notice of a fraud reporting mechanism, and investigating and remediating fraud (which are also not subject to the PRA).16 We nonetheless upwardly adjust the burden estimates associated with the notice and disclosure aspects of the new rules to account for commenter concerns.
Further, we do not believe that CCA’s burden estimates for complying with the new account locking requirements are relevant to PRA calculations because such requirements and the costs of implementing “account locking solutions” do not implicate the PRA.17 And, with respect to customer notifications, we explain further below that the primary burden associated with notifications to customers is in developing the initial system to automate such notices, which we have accounted for in our burden estimate. Nonetheless, we upwardly adjust this estimate based on commenter concerns.
The record in the SIM Swap and Port-Out Fraud Order indicated that a number of wireless providers already rely, at least partly, on some of the policies and procedures adopted in that Order and that are the subject of this collection.18 But neither CCA, CTIA, nor NCTA quantify how many providers already have processes in place to comply with the newly-adopted requirements, or how many would require more significant time to come into compliance, and how those numbers would affect the burden estimates they cite. Based on the record in the SIM Swap and Port-Out Fraud proceeding and the comments received in response to the 60-day PRA notice, we believe it is reasonable to assume that some providers would incur less burden, and others a greater burden, in implementing the requirements subject to the PRA, and thus use a burden hour estimate in between such ranges. Further, none of the commenters distinguished between the burdens associated with complying with the new rules for port-out fraud, covered by this collection, and for SIM changes, covered in collection 3060-0715. Nonetheless, to address commenter concerns, we upwardly adjust the burden estimates overall pertaining to the new requirements from the SIM Swap and Port-Out Fraud Order subject to the PRA in both this collection and collection 3060-0715, but split the burden for developing systems between the two collections, on the assumption that there will be substantial overlap between the two.
CCA also asserts that the Commission’s estimate regarding the notice requirements adopted in the SIM Swap and Port-Out Fraud Order does not account for the going forward increases in customer representative time and other employee time due to the new procedures and processes. We do not believe that such costs are implicated by the PRA with respect to the notice requirements adopted. Nonetheless, we upwardly adjust the burden estimates pertaining to the development of automated systems to implement the notice requirements in response to commenter concerns.
Commenters also raise three comments about timing. NCTA asserts that the 60-day PRA notice fails to meet the requirement that the information collection “reduces to the extent practicable and appropriate the burden,” because the Commission has “disregarded” providers’ requests for additional time.19 And CCA contends that that the FCC “provided no indication” of the timing of the Public Notice announcing the compliance date or how long after the Public Notice enforcement might begin.20 The Commission did not, however, disregard requests for additional time. On July 5, 2024, the Wireline Competition Bureau (Bureau) adopted an Order finding that good cause exists to waive compliance with the rules adopted in the SIM Swap and Port-Out Fraud Order that are not subject to OMB review until the effective date of the rules that are subject to OMB approval, which effectively results in a single synchronized timeframe: compliance with the rules in their entirety, including those not subject to the PRA, will not be required until after OMB completes review of the information collection requirements associated with the Order, and the Commission publishes a notice in the Federal Register announcing the compliance date.21 As for the timing of the Public Notice announcing a compliance date, to provide additional clarity to providers, the Commission commits to ensuring that compliance with the new rules will not be required for at least 30 days after the publication in the Federal Register of notice that OMB has completed its review.
Finally, CTIA raises concerns regarding the “No Cost Burden” estimates for the information collections. CTIA asserts that “providers report that the costs of contracting vendors and other third-party resources to assist in implementing the systems to fulfill the Order’s information collection requirements could range from tens of thousands of dollars for regional providers, to millions of dollars for nationwide wireless providers.”22 With respect to CTIA’s concerns raised about the “no cost burden” estimates for the information collections, consistent with OMB’s instructions, the Commission’s estimate of “Total Annual Cost” includes capital, start-up, operation, and maintenance costs, and excludes hourly labor costs, which are estimated separately. Thus $0 “Total Annual Cost” does not mean that the Commission does not expect that providers will have no costs to implement the collection. Provider costs are simply captured elsewhere in the information collection. Further, while CTIA and CCA assert that complying with the new rules will require engagement with outside vendors, contractors, and equipment manufacturers,23 we make clear that the Commission did not suggest that providers would incur no costs in responding to the collection. Further, neither CTIA nor CCA provided estimates for: (a) how many providers would rely on outside expert consultants, (b) how much consultant time would be incurred by providers, (c) what type of consultants would be used (e.g., NTCA did not specify whether “outside expert consultants” would be attorneys, engineers, or web administrators, etc.), or (d) the costs of obtaining outside expert consultants (e.g., hourly rates). We do not estimate that any costs associated with obtaining necessary outside consultants would be substantially different from the estimates of in-house costs.
9. Payments or gifts to respondents. The Commission does not anticipate providing any payment or gift to respondents.
10. Assurances of Confidentiality. The Commission is not requesting respondents to submit confidential information to the Commission. If the Commission requests respondents to submit information which the respondents believe is confidential, respondents may request confidential treatment of such information pursuant to Section 0.459 of the Commission’s rules, 47 CFR § 0.459.
11. Questions of a Sensitive Nature. There are no questions of a sensitive nature with respect to the information collected.
12. Estimates of the hour burden of the collection to respondents. The following represents the estimates of hour burden of the collection of information:
Currently Approved Information Collection Requirements—paragraphs (a) through (d):
a. Requests for long-term number portability:
(1) Long-term number portability must be provided by LECs and CMRS providers within six months after a specific request by another telecommunications carrier. It is difficult to reliably estimate how many requests will occur, since it is difficult to predict how quickly competition will develop. More specifically, it is difficult to determine the number of likely new entrants. There are approximately 9,000 switches nationwide (not counting remote switches), many of which were upgraded to accommodate number portability during the 15 months prior to December 31, 1998.
(A) Number of respondents: 300.
(B) Frequency of Response: Once per geographic area (reporting requirement).
(C) Total number of responses annually: 300.
(D) Estimated Time per Response: 3 hours; Total annual hour burden: 900 hours.
(E) How the burden was estimated: We estimate that the preparation of a specific request for number portability will take a relatively short period of time because the request must simply state: (1) the requester's desire for long-term number portability, and (2) an identification of the switch or area covered by the request.
(F) Estimate of total in-house cost to respondents for the hour burdens for collection of information: $64.06 (comparable to a GS 13, step 5 hourly rate24) x 3 hours x 300 respondents = $57,654.00.
(2) As stated above, the states will have the option to aggregate switch requests. The Commission believes that these figures will be useful in accessing implementation of number portability.
(A) Number of respondents: 50.
(B) Frequency of Response: Once per geographic area (reporting requirement).
(C) Total number of responses annually: 50.
(D) Estimated Time per Response: 3 hours; Total annual hour burden: 150 hours.
(E) How the burden was estimated: We estimate that the tabulation of requests for portability for each switch will take a relatively short period of time because the states can obtain statistics from carriers which are required to provide these lists to anyone who asks for the information.
(F) Estimate of total in-house cost to respondents for the hour burdens for collection of information: $64.06 (comparable to a GS 13, step 5 hourly rate) x 3 hours x 50 respondents = $9,609.00.
b. Tariffs and Cost Support:
(1) Number of respondents: 50.
(2) Frequency of response: On occasion reporting requirement.
(3) Total number of responses annually: 50.
(4) Estimated Time per Response: 50 hours; Total annual hour burden: 2,500 hours.
(5) How the burden was estimated: Based on past experience with tariff filings, this is an estimate of the amount of time that an average incumbent LEC will spend preparing a tariff filing and cost support for submission to the Commission.
(6) Estimate of total in-house cost to respondents for the hour burdens for collections of information: 2,500 hours x $64.06 per hour (comparable to a GS 13, step 5 hourly rate) + (50 respondents x $1040 tariff filing fee) = $212,150.00.
c. Recordkeeping Requirement
(1) Number of respondents: 1,600.
(2) Frequency of response: Recordkeeping requirement.
(3) Total number of responses annually: 1,600.
(4) Estimated Time per Response: 2 hours. Total annual hour burden: 3,200 hours.
(5) How the burden was estimated: Based on the implementation of LNP by wireline carriers and CMRS providers to date.
(6) Estimate of in-house cost to respondent for the hour burdens for collection of information: 3,200 hours x $64.06 per hour (comparable to a GS 13, step 5 hourly rate) = $204,992.00.
d. Standardized Local Service Request Data Fields
(1) Number of respondents: 1,626. (6,150 annual responses per respondent).
(2) Frequency of response: On occasion reporting requirement/recordkeeping requirement.
(3) Total number of responses annually: 10,000,000
(4) Estimated Time per Response: 6,150 responses x 0.0666 hours = 410 hours per respondent x 1,626 respondents. Total annual hour burden: 666,660 hours (rounded up).
(5) How the burden was estimated: Based on the amount of time it would take wireline and CMRS providers to complete local service request standardized data fields for every simple intermodal and wireline port. We estimate an average of 1,626 carriers that engage
in simple intermodal and wireline ports. We also estimate an average total of 10,000,000 simple intermodal and wireline ports per year. Accordingly, we estimate that each of the 1,626 carriers completes an average of 6,150 simple intermodal and wireline ports per year (10,000,000/1,626= 6,150).
(6) Estimate of in-house cost to respondent for the hour burdens for collection of information: 666,660 hours x $33.63 per hour (comparable to a GS 8, step 5 hourly rate) = $22,419,775.80.
New Information Collection Requirements—paragraph (e):
e. Number Portability Requirements for Wireless Providers.
(1) § 52.37(c) Customer notification of port-out requests.
To provide customers with an early warning that their account may be subject to fraudulent activity, CMRS providers are required to provide immediate notification to a customer that a port-out request associated with the customer’s account was made, sent in accordance with customer preferences, if indicated, and specify that the notification must be sent before the port-out is effectuated, except to the extent otherwise required by the Safe Connections Act. This would include delivering a notification in the language of the customer’s choosing, if the CMRS provider permits communications preferences in other languages and the customer has previously indicated such choice. Compliance also may require system upgrades to handle increased customer notification volumes and development for pre-paid notifications. Providers have flexibility to determine the most appropriate methods to provide the required notifications, so that providers can account for the complexities of notifications in various contexts as well as the technical capabilities, accessibility needs, or broadband access of individual customers. Providers are permitted to use existing methods of notification that are reasonably designed to reach the customer associated with the account.
Total Number of Respondents (CMRS Providers): 600
Frequency of Response: Third-party disclosure; Design, development, and implementation of procedures.
(3) Number of Responses Annually: 3,650,000 responses
Wireless providers typically report less than 1% churn rate of their customers. Thus we conservatively estimate that approximately 1% of wireless customers will request a port-out each year. Further, since we expect these notifications to be automated, the only cost is in designing and implementing the system.
Assuming approximately 365,000,000 wireless customers x 0.01 = 3,650,000 responses
4) Total Annual Burden Hours: 48,000 hours
CMRS providers should already have processes in place to immediately notify customers of certain account changes in accordance with existing rules, which should enable them to build on these processes to provide immediate notification regarding port-out requests, thereby minimizing potential burdens associated with this new rule. The record demonstrates that some providers already notify customers of port-out requests in most instances and therefore will only need to update their processes to notify customers in all cases.
For these reasons, the Commission estimates that respondents in the aggregate (i.e., certain respondents will require significantly more hours and many other respondents will require significantly less hours) will require approximately 80 hours to build on existing processes to provide immediate notification to a customer that a port-out request associated with the customer’s account was made, including employee training. Our burden estimate takes into consideration that respondents will be able to leverage the resources utilized while simultaneously preparing to come into compliance with the similar immediate customer notification requirement for port-out requests adopted in this proceeding and to come into compliance with the Safe Connections Act and its implementing regulations.
Total Cumulative Burden Hours: 600 respondents x 80 hours = 48,000 hours
5) Estimate of in-house cost to respondent for the hour burdens for collection of information
The Commission assumes that respondents will use personnel comparable in pay to a GS-14/Step 5 ($75.70/hour) Federal employee, plus 30% overhead, to develop, test, and implement procedures to provide immediate notification that a port-out request was made.
Estimated Cumulative In-House Cost to Respondents: 48,000 x $75.70 = $3,633,600
+30% overhead = $1,090,080
Estimated Total Cumulative In-House Cost to Respondents: = $4,723,680
Average Cost per Respondent to Design, Develop, and Implement: $4,723,680/600 = $7,873
f. § 52.37(e) Notice of account protection measures.
CMRS providers are required to provide customers with notice of any account protection measures offered, including those to prevent port-out fraud. Providers have flexibility to design the format and content of the required notice, but must use clear and concise language and make the notice easily accessible via provider websites and applications. The record demonstrates that some wireless providers have already developed content to educate customers about some account protection measures.
Given that providers already develop content to educate customers about their product and service offerings and display such content on their websites and applications, the Commission believes that compliance with this requirement will have a negligible impact. Our burden estimate takes into consideration that respondents will be able to leverage the resources utilized while simultaneously preparing to come into compliance with the similar account protection measures to prevent SIM swap fraud adopted same SIM Swap/Port-Out Fraud proceeding.
Notice of account protection measures:
Total Number of Respondents (CMRS Providers): 600
Frequency of Response: Development and implementation of procedures.
The Commission estimates that respondents will require approximately 5 hours to develop and implement this measure. Our burden estimate takes into consideration that respondents will be able to leverage the resources utilized while simultaneously preparing to come into compliance with the similar account protection measures to prevent SIM swap fraud.
(3) Total Number of Responses Annually: 600
(4) Total Annual Burden Hours: 3,000 hours
Total Cumulative Burden Hours: 600 respondents x 5 hours = 3,000 hours
The Commission assumes that respondents will use personnel comparable in pay to a GS-12/Step 5 ($53.87/hour) Federal employee to develop content to provide customers with notice of any account protection measures offered, including to prevent port-out fraud.
Estimated Total Cumulative In-House Cost to Respondents: 3,000 x $53.87= $161,610
30% overhead =$ 48,483
=$210,093
Average Cost per Respondent to Develop and Implement: $210,093/600 = $350
g. Processes for receiving port-out fraud reports.
CMRS providers are required to maintain a clearly disclosed, easy-to-use and transparent process for reporting port-out fraud, and promptly provide customers, at no cost, with documentation of fraud involving their accounts upon request. Providers have flexibility to determine the form and content of such documentation.
Total Number of Respondents (CMRS Providers): 600
Frequency of Response: Development and implementation of procedures; third party disclosures.
(3) Total Number of Responses Annually: 19,450 responses
Development of process for reporting fraud (600) + disclosure of fraud reporting process (600) + documentation of fraud upon customer request (0.5%25 of 3,650,000 port-out requests = 18,250) = 19,450 responses
(4) Total Hourly Burden: 67,825 hours
While we expect that most wireless carriers already have a method for customers to report fraud, the Commission estimates that respondents will require approximately 100 hours to modify their systems to develop an easy-to-use and transparent process for reporting port-out fraud and an additional 10 hours to disclose and maintain that process. Our burden estimate takes into consideration that respondents will be able to leverage the resources utilized while simultaneously preparing to come into compliance with the similar requirement to make available a process for reporting fraudulent SIM changes. In addition, we expect that provision of documentation of port-out fraud will be automated and integrated into the fraud reporting process in most cases, imposing minimal burden hours (0.1 hours per request) for most providers once the reporting system has been implemented.
Modification and development of systems for reporting fraud: 100 hours x 600 responses = 60,000 hours
Maintenance and disclosure of port-out fraud reporting process: 10 hours x 600 responses = 6,000 hours
Providing documentation of fraud upon request: 0.1 hours x 18,250 responses = 1,825 hours
Total Cumulative Burden Hours: 60,000 hours + 6,000 hours + 1,825 hours = 67,825 hours
5) Total “In House” Costs:
The Commission assumes that respondents will use personnel comparable in pay to a GS-12/Step 5 ($53.87/hour) Federal employee to develop and implement a fraud reporting process, disclose their process for reporting fraud, and provide documentation to customers upon request.
.
Estimated Total Cumulative In-House Cost to Respondents: $4,749,853
67,825 x $53.87= $3,653,733
30% overhead = $1,096,120
$ 4,749,853
Average Cost per Respondent to Develop and Implement: $4,749,853/600 = $7,916
Total Respondents: 1,626
Total Annual Responses: 300 + 50 + 50 +1,600 + 10,000,000 + 3,650,000 + 600 + 19,450 = 13,672,050
Total Annual Burden Hours: 900 + 150 + 2,500 + 3,200 + 666,660 + 48,000 + 3,000 + 67,825 = 792,235
Total In-House Cost to Respondents: $57,654 + $9,609 + $212,150 + $204,992 + $22,419,775.80 + $4,723,680 + $210,093 + $4,749,853 = $32,587,807
13. The Commission believes that the respondents have sufficient “in-house” staff to address all the information collection requirements using their “in-house” personnel rather than having to contract out this requirement. Thus:
(a) Total annualized capital/startup costs: $0.00
(b) Total annualized costs (O&M): $0.00
(c) Total annualized cost requested: $0.00
14. Estimates of the cost burden to the Commission. There will be few, if any, costs to the Commission resulting from the information collection requirements.
15. Program Changes or Adjustments. The Commission is reporting program changes/increases to this revised information collection resulting from program changes due to the adoption of certain new or modified rules in the SIM Swap and Port-Out Fraud Order. As discussed in this Supporting Statement, we believe that most respondents have previously developed and currently use a digital internal system to manage and respond to many compliance obligations. Because of this, the burden for many compliance obligations will be limited to new entrants. However, implementation of new obligations in the SIM Swap and Port-Out Fraud Order will require additional hours to design, develop, test, and implement procedures, including employee training. Taken together, these changes have resulted in corresponding increases to the total figures in the total number of responses 10,002,000 to 13,672,050 (+3,670,050) and to the total annual burden hours from 673,410 to 792,235 (+118,825) burden hours. The number of respondents has also decreased from 3,626 to 1,626 (-2,000) in an adjustment. The prior collection inadvertently counted the same respondents multiple times for the collection by adding the respondents for each requirement. However, the respondents are all pulled from the same pool – all carriers required to implement local number portability – and the Commission has adjusted this number accordingly.
16. Collections of information whose results will be published. The Commission does not anticipate that it will publish any of the information.
17. Display of expiration date for OMB approval of information collection. The Commission does not seek approval not to display the expiration date for OMB approval of the information collections.
18. Exceptions to certification for Paperwork Reduction Act submissions. The Commission is reporting an exception to the Certification Statement. In the 60-day notice published in the Federal Register on June 25, 2024 (89 FR 53079), the Commission stated the total respondents as 6,026, total annual responses as 10,002,000 and the total annual burden hours as 748,410. In this Supporting Statement, the total respondents decreased to 1,626
(-4,400); annual responses increased from 10,002,000 to 13,672,050 (+3,670,050) and the total annual burden hours increased from 748,410 to 792,235 (+43,825). The 60-day notice inadvertently counted the same respondents multiple times for the collection by adding the respondents for each requirement. However, the respondents are all pulled from the same pool – all voice providers – and the Commission has adjusted this number accordingly. Further, as explained above, the Commission has since determined that certain requirements are not information collections under the PRA, and has also revised the burden estimates upward in response to information provided in comments to the Federal Register notice. These adjustments are reported in the 30-day notice and reflected in this submission to OMB. There are no other exceptions to the Certification Statement.
B. Collections of Information Employing Statistical Methods:
The Commission does not anticipate that the collection of information will employ statistical methods.
1 Use of the term “wireless provider” is intended to encompasses providers of commercial mobile radio service (CMRS) as defined in section 20.3 of the Commission’s rules. 47 CFR § 20.3 (defining commercial mobile radio service as a mobile service that is “(1) provided for profit, i.e. with the intent of receiving compensation or monetary gain; (2) an interconnected service; and (3) available to the public, or to such classes of eligible users as to be effectively available to a substantial portion of the public,” or the “functional equivalent of such a mobile service.”
2 CCA SIM Swap and Port-Out Fraud PRA Comments at 2.
3 NCTA SIM Swap and Port-Out Fraud PRA Comments at 1.
4 Id. at 3.
5 Id. at 4.
6 CTIA SIM Swap and Port-Out Fraud PRA Comments at 2.
7 Id. at 5.
8 Id. at 8-9 (detailing the various internal steps required for providers to implement the new requirements).
9 See NCTA PRA Comments at 3; CTIA PRA Comments at 5.
10 Id. at 3. CCA estimates that initial compliance with the account locking requirements is estimated to take at least between 750-800 hours of work at a cost of no less than between $80,000-$90,000 per carrier for vendor services and carrier resources required for implementation. Id.
11 Id. at 4.
12 Id.
13 CTIA SIM Swap and Port-Out Fraud PRA Comments at 11-16.
14 SIM Swap and Port Out Fraud Order at paras. 67, 72.
15 CCA SIM Swap and Port-Out Fraud PRA Comments at 4.
16 CTIA SIM Swap and Port-Out Fraud PRA Comments at 14. Although CTIA implicitly acknowledges a difference between rules that require providers to provide customers documentation of SIM fraud and rules that require providers to investigate and remediate fraud, id., it nonetheless focuses on burden associated with the latter, despite any such burdens not being “information collection” burdens for PRA purposes because “investigation and mitigation” are not collections of information.
17 CCA SIM SWAP and Port-Out Fraud PRA Comments at 3.
18 SIM Swap and Port Out Fraud Order at para. 20.
19 NCTA SIM Swap and Port-Out Fraud PRA Comments at 4-5.
20 CCA SIM Swap and Port-Out Fraud PRA Comments at 5.
21 See Protecting Consumers from SIM Swap and Port-Out Fraud, WC Docket No. 21-341, Order, DA 24-649 (WCB July 5, 2024). The Bureau also found that waiver of the rules until March 10, 2025 would not serve the public interest.
22 Id. at 17.
23 See CTIA PRA Comments at 18; CCA PRA Comments at 3.
24 In this section, hourly rates were calculated using the 2024 General Schedule Locality Area of DC-MD-VA-WVA-PASalary Pay Scale.
25 The record in the SIM Swap and Port-Out Fraud proceeding indicates that over 99% of port-out requests are legitimate.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Title | 3060-0742 |
Author | SHAIR |
File Modified | 0000-00-00 |
File Created | 2024-10-30 |