Download:
pdf |
pdfFederal Trade Commission
Supporting Statement for Information Collection Provisions in the Identity Theft Red Flags,
Card Issuers, and Address Discrepancy Rules
(OMB Control #: 3084-0137)
The Federal Trade Commission (“FTC” or “Commission”) requests renewed Office of
Management and Budget (“OMB”) clearance for the collections of information in the rules
implementing Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003
(“FACT Act”), as amended by the Dodd-Frank Wall Street Reform and Consumer Protection Act
(“Dodd-Frank Act”) 1 and the Red Flags Program Clarification Act of 2010 (“Clarification
Act”). 2 These rules 3 enhance the ability of consumers to resolve problems caused by identity
theft and increase the accuracy of consumer reports.
1.
Necessity for Collecting and Retaining the Information
FACT Act Section 114:
Section 114 of the FACT Act, 15 U.S.C. 1681m(e), amended Section 615 of the Fair
Credit Reporting Act (“FCRA”) to require the Commission, among other things, to issue: (1) a
regulation requiring covered financial institutions and creditors to develop and implement a
written Identity Theft Prevention Program (“Program”) to detect, prevent, and mitigate identity
theft in connection with existing accounts or the opening of new accounts (“Red Flags Rule”);
and (2) a regulation generally requiring credit and debit card issuers to assess the validity of
change of address requests (“Card Issuers Rule”).
FACT Act Section 315:
Section 315 of the FACT Act, 15 U.S.C. 1681c(h), amended Section 605 of the FCRA to
require the Federal Trade Commission to issue regulations providing guidance regarding
reasonable policies and procedures that a user of consumer reports must employ when a user
receives a notice of address discrepancy from a consumer reporting agency (“Address
Discrepancy Rule”). On July 21, 2010, the Dodd-Frank Wall Street Reform and Consumer
Protection Act (“Dodd-Frank Act”) was enacted. The Dodd-Frank Act substantially changed the
federal legal framework for financial services providers. Among the changes, the Dodd-Frank
Act transferred to the Bureau of Consumer Financial Protection the Commission's rulemaking
authority under portions of the FCRA. The FTC retained rulemaking and enforcement authority
for the Address Discrepancy Rule to the extent the rule applies to motor vehicle dealers described
in Section 1029(a) of the Dodd-Frank Act that are predominantly engaged in the sale and
servicing of motor vehicles, the leasing and servicing of them, or both. See 77 Fed. Reg. 22200,
22201 (Apr. 13, 2012). The Commission is authorized to maintain the Address Discrepancy
Rule pursuant to Section 1029(c) of the Dodd-Frank Act and Section 504(a) of the Gramm1
Pub. L. 111-203 (2010).
2
Red Flag Program Clarification Act of 2010, 15 U.S.C. 1681m(e)(4).
Red Flags Rule (16 CFR 681.1); Card Issuers Rule (16 CFR 681.2); and Address Discrepancy Rule (16 CFR pt.
641) (collectively, “Rules”).
3
�Leach-Bliley Act, and the rule remains in effect to the extent that it applies to motor vehicle
dealers. Id. The FTC also retains its authority to bring law enforcement actions to enforce both
its Address Discrepancy Rule and the Bureau of Consumer Financial Protection’s corresponding
rule. Id.
The Address Discrepancy Rule requires covered motor vehicle dealers that use
consumer reports (“users”) to develop and implement reasonable policies and procedures to: (1)
enable a user to form a reasonable belief that it knows the identity of the person for whom it has
obtained a consumer report; and (2) reconcile the address of the consumer with the consumer
reporting agency, if the user establishes a continuing relationship with the consumer and regularly
and in the ordinary course of business furnishes information to the consumer reporting agency.
2.
Use of the Information
FACT Act Section 114:
As required by Section 114, the Red Flags Rule requires financial institutions and covered
creditors within the FTC’s jurisdiction to conduct a periodic risk assessment to determine if they
maintain covered accounts, and if so, to create a written identity theft prevention program to
address the risk of identity theft. Among other things, covered entities should identify patterns,
practices, and specific forms of activity that indicate the possible existence of identity theft and
have procedures to detect them. In addition, each covered entity must report to the board of
directors, a committee thereof, or senior management at least annually on compliance with the
Red Flags Rule. In addition, staff of covered entities must be trained to carry out the program.
Further, the Card Issuers Rule requires credit card and debit card issuers to develop
policies and procedures to assess the validity of a request for a change of address under certain
circumstances. Each credit and debit card issuer must establish policies and procedures to assess
the validity of a change of address request. The card issuer must notify the cardholder or use
another means to assess the validity of the change of address.
FACT Act Section 315:
As required by Section 315, the Address Discrepancy Rule provides guidance on
reasonable policies and procedures that a covered motor vehicle dealer that is a user of consumer
reports must follow when the user receives a notice of address discrepancy from a consumer
reporting agency. Each user of consumer reports that is a motor vehicle dealer described in
Section 1029(a) of the Dodd-Frank Act that is predominantly engaged in the sale and servicing of
motor vehicles, the leasing and servicing of them, or both, must develop and implement
reasonable policies and procedures that it will follow when it receives a notice of address
discrepancy from a consumer reporting agency. In certain instances, the user must furnish an
address that the user has reasonably confirmed to be accurate to the consumer reporting agency
from which it receives a notice of address discrepancy.
2
�3.
Consideration of Using Improved Information Technology to Reduce Burden
Consistent with the aims of the Government Paperwork Elimination Act, 44 U.S.C. 3504
Note, the Rules permit covered financial institutions (including motor vehicle dealers), creditors,
and credit card users great latitude in using new technologies to reduce compliance costs.
Nothing in the Rules precludes the use of electronic methods for compliance purposes. For
example, the Red Flags Rule was drafted to be flexible and in a technologically neutral manner so
that covered entities would not be forced to acquire expensive new technology in order to comply
with that rule.
4.
Efforts to Identify Duplication/Availability of Similar Information
FTC staff has not identified any other federal or state statutes, rules, or policies that
duplicate, overlap, or conflict with the Rules. To the extent that there exist any such state laws,
Sections 114 and 314 of the FACT Act preempt them.
5.
Efforts to Minimize Burdens on Small Businesses
Although the reach of the Red Flags Rule is broad, the Rule nonetheless permits
maximum flexibility, enabling each covered entity to prepare a Program tailored to its particular
size, sophistication, and prior experience with identity theft. Moreover, since promulgation of
the original Rule, President Obama signed the Clarification Act, which narrowed the definition of
“creditor” for purposes of Section 114 of the FCRA. Specifically, only those creditors using
consumer reports, furnishing information to consumer reporting agencies, or advancing funds are
now covered by the Red Flags Rule. As a practical matter, this means that many small businesses
no longer fall within the scope of the Rule.
The Address Discrepancy Rule and Card Issuers Rule minimize the burden on covered
businesses—including small businesses—by building upon standard business practices, many of
which were in use before these two rules were promulgated. As noted above, only users of
consumer reports that are motor vehicle dealers described in Section 1029(a) of the Dodd-Frank
Act and that are predominantly engaged in the sale and servicing of motor vehicles, the leasing
and servicing of them, or both, are covered under the Address Discrepancy Rule. It is the usual
and customary business practice for users covered by the Address Discrepancy Rule to furnish
information to consumer reporting agencies in response to notices of address discrepancies.
Similarly, many entities covered by the Card Issuers Rule routinely assess the validity of change
of address requests and, for the most part, have automated the process for doing so.
Accordingly, the burden on businesses covered by the Address Discrepancy Rule and Card
Issuers Rule is minimal.
6.
Consequences of Conducting Collection Less Frequently
The burden associated with the Rules is largely attributable to the policies and procedures
that a covered entity must develop to create a Program, to assess the validity of a change of
3
�address request, or to respond to notices of address discrepancy. Once they are developed, these
policies and procedures will only need to be adjusted if they become ineffective. Similarly, staff
of covered entities will need to be trained only once, unless policies and procedures change.
The Red Flags Rule requires annual reports to the board or senior management of covered
entities. The Commission believes that the board, a committee of the board, or senior
management should monitor compliance through the review of annual reports that assess the
effectiveness of the entity’s Program.
7.
Circumstances Requiring Disclosures Inconsistent with Guidelines
The collection of information required by the Rules is consistent with all applicable
guidelines contained in 5 CFR 1320.5(d)(2).
8.
Consultation Outside the Agency/Public Comments
In addition to past consultations and public comments sought for the Rules when they
were proposed, the Commission more recently sought public comment regarding its latest PRA
clearance request for these Rules. See 89 FR 67938 (Aug. 22, 2024). Two germane comments
were received.
The two comments were generally supportive of the information collection, although the
two commenters indicated that they believe that the federal government’s efforts in the context of
personal data protections should be expanded. 4 The Commission thanks the commenters for
their submissions, and notes that the Commission has also supported greater personal data
protections for American consumers by, among other things, encouraging Congress to enact
comprehensive federal privacy legislation. 5 However, such initiatives would be beyond the
scope of this PRA renewal request.
Pursuant to PRA implementing regulations under 5 CFR part 1320, the Commission is
providing a second opportunity for public comment on the instant burden analysis,
contemporaneous with this submission.
9.
Payments/Gifts to Respondents
Not applicable.
10. & 11. Assurances of Confidentiality/Matters of a Sensitive Nature
See https://www.regulations.gov/comment/FTC-2022-0010-0004; https://www.regulations.gov/comment/FTC2022-0010-0003.
5
See, e.g., A Look Behind the Screens: Examining the Data Practices of Social Media and Video Streaming Services
(Sept. 11, 2024), https://www.ftc.gov/system/files/ftc_gov/pdf/Social-Media-6b-Report-9-11-2024.pdf
(recommending that Congress enact comprehensive federal privacy legislation that limits surveillance and grants
consumers data rights).
4
4
�No assurance of confidentiality is necessary because the Rules do not require financial
institutions or creditors to register or file any documents with the Commission. To the extent
that information covered by a recordkeeping requirement is collected by the Commission for law
enforcement purposes, the confidentiality protections of Sections 6(f) and 21 of the FTC Act, 15
U.S.C. 46(f), and 57b-2, will apply.
12.
Estimated Annual Hours Burden and Associated Labor Costs
A.
Estimated Annual Burden Hours: 398,479 Hours.
I.
Red Flags Rule: 358,124 Hours.
Affected Public: Utilities; motor vehicle dealerships; telecommunications firms; colleges
and universities; hospitals; nursing homes; public warehouse and storage firms; fuel dealers;
financial transaction processing firms; certain creditors; 6 and other categories of persons that
qualify as financial institutions.
The Red Flags Rule requires financial institutions and certain creditors with covered
accounts to develop and implement a written Program and report to the board of directors, a
committee thereof, or senior management at least annually on compliance with the Rule. Under
the Rule, a “financial institution” is “a State or National bank, a State or Federal saving and loan
association, a mutual savings bank, a State or Federal credit union, or any other person that,
directly or indirectly, holds a transaction account (as defined in Section 19(b) of the Federal
Reserve Act, 12 U.S.C. ch. 3) belonging to a consumer.” 7
The Red Flags Rule applies to certain “creditors” as defined in Section 702 of the Equal
Credit Opportunity Act (“ECOA”) 8 that use consumer reports, furnish information to consumer
reporting agencies, or advance funds. 9 As a result, many small businesses, service providers,
and other persons that would ordinarily satisfy the ECOA definition of “creditor” are excluded
from the Red Flags Rule’s definition of “creditor.”
Nonetheless, the scope of entities covered by the Red Flags Rule within the FTC’s
jurisdiction is broad, making it difficult to determine precisely the number of financial institutions
and creditors that are subject to the FTC’s jurisdiction. There are numerous businesses under the
FTC’s jurisdiction and there is no formal way to track them. Moreover, as a whole, the entities
under the FTC’s jurisdiction are so varied that there are no general sources that provide a record
15 U.S.C. 1681m(e)(4).
The Red Flags Rule refers to the definition of “financial institution” in the Fair Credit Reporting Act, 15 U.S.C.
1681a(t).
8
15 U.S.C. 1681a(r)(5).
9
15 U.S.C. 1681m(e)(4).
6
7
5
�of their existence. Nonetheless, FTC staff estimates that the Red Flag Rule’s requirement to
have a written Program affects over 6,027 financial institutions 10 and 157,564 creditors. 11
To estimate burden hours for the Red Flags Rule under Section 114, FTC staff has divided
affected entities into two categories, based on the nature of their businesses: (1) entities that are
subject to a high risk of identity theft; 12 and (2) entities that are subject to a low risk of identity
theft. 13
1.
High-Risk Entities
FTC staff estimates that, on an annual basis, there are approximately 1,447 new high-risk
entities, 14 and there are currently approximately 97,770 existing high-risk entities. 15 Thus, in
order to account for the fact that the number of high-risk entities will most likely increase over the
3-year clearance period, the remainder of this burden analysis relies on the average number of
high-risk entities that will be subject to the FTC’s jurisdiction over the next three years (99,217).
FTC staff estimates that new high-risk entities will each require 25 hours to create and
implement a written Program. FTC staff estimates that existing high-risk entities have likely
already created and implemented a written Program, but will require an annual recurring burden
of one hour. Further, FTC staff estimates that existing high-risk entities have already prepared
an annual report and will have an annual recurring burden of one hour to update the report for
each year, but that preparation of an annual report will require four hours initially for each new
high-risk entity. Finally, FTC staff believes that many of the high-risk entities, as part of their
usual and customary business practices, already take steps to minimize losses due to fraud,
The total number of financial institutions is derived from an analysis of state credit unions and insurers within the
FTC’s jurisdiction using 2021 Census data (“County Business Patterns,” U.S.) and other online industry data.
11
This figure comprises 157,564 creditors (91,743 high-risk creditors + 65,821 low-risk creditors). The total
number of creditors draws from FTC staff analysis of 2021 Census data and industry data for businesses or
organizations that market goods and services to consumers or other businesses or organizations subject to the FTC’s
jurisdiction, excluding entities not likely to (1) obtain credit reports, report credit transactions, or advance loans, and
(2) have covered accounts under the Rule. Currently, no further updated Census data is available online to inform
revised estimates.
12
In general, high-risk entities include, for example, financial institutions within the FTC’s jurisdiction and utilities,
motor vehicle dealerships, telecommunications firms, colleges and universities, and hospitals.
13
Low-risk entities have a minimal risk of identity theft, but have covered accounts. These include, for example,
public warehouse and storage firms, nursing and residential care facilities, automotive equipment rental and leasing
firms, office supplies and stationery stores, fuel dealers, and financial transaction processing firms.
14
For the purpose of the 2022 renewal request for this information collection clearance, FTC staff estimated that
there were approximately 98,393 existing high-risk entities and approximately 1,447 new high-risk entities. See 86
FR 57425 (Oct. 15, 2021); 87 FR 4239 (Jan. 27, 2022). FTC staff estimates that there are currently 97,770 high-risk
entities, which represents a 0.63 percent decrease from the previous estimate. As this decrease is not significant, FTC
staff believes that, for the purpose of an approximation, it is appropriate to continue to assume that, each year, there
will be approximately 1,447 new high-risk entities.
15
This number was derived from the average annual number of existing high-risk entities, taking into account that
the new entities from year one will become existing entities in year two and the new entities from year two will
become existing entities in year three.
10
6
�including employee training. Thus, only relevant staff need to be trained to implement the
Program. For example, staff already trained as part of a covered entity’s anti-fraud prevention
efforts do not need to be re-trained except as incrementally needed. FTC staff estimates that
recurring annual training in connection with the implementation of a Program of an existing highrisk entity will require one hour each year, and for new entities will require four hours initially.
Accordingly, FTC staff anticipates that high-risk entities will incur the following burden:
• 1,447 new high-risk entities subject to the FTC’s jurisdiction at an average annual
burden of 33 hours per entity (including 25 hours to create and implement the Program, plus 4
hours for staff training, plus 4 hours for preparing annual report), for an annual total of 47,751
hours.
• 97,770 existing high-risk entities subject to the FTC’s jurisdiction at an average annual
burden of 3 hours per entity (including one hour to update the Program, plus one hour for staff
training, plus one hour for preparing the annual report), for an annual total of 293,310 hours.
• In total, 99,217 high-risk entities subject to the FTC’s jurisdiction, for an annual total
of 341,061 hours.
2.
Low-Risk Entities
FTC staff estimates that, on an annual basis, there are approximately 456 new low-risk
entities, and there are currently approximately 65,821 existing low-risk entities. Thus, in order
to account for the fact that the number of low-risk entities will steadily increase over the 3-year
clearance period, the remainder of this burden analysis relies on the average number of low-risk
entities that will be subject to the FTC’s jurisdiction over the next three years (66,277).
FTC staff believes that the burden on low-risk entities to comply with the Rules is
minimal. Entities that have a low risk of identity theft, but that have covered accounts, will
likely only need a streamlined Program. FTC staff estimates that any such new entities will
require one hour to create such a Program. Existing low-risk entities will only have an annual
recurring burden of 5 minutes. Training staff of low-risk entities to be attentive to future risks of
identity theft and preparing an annual report should require no more than 10 minutes each in an
initial year for new low-risk entities. Existing low-risk entities will only have an annual
recurring burden of 5 minutes each.
Accordingly, FTC staff anticipates that low-risk entities will incur the following burden:
7
�• 456 new low-risk entities 16 that have covered accounts subject to the FTC’s
jurisdiction at an average annual burden of approximately 80 minutes per entity (including 60
minutes to create and implement a streamlined Program, plus ten minutes for staff training and
ten minutes for preparing the annual report), for an annual total of 608 hours.
• 65,821 existing low-risk entities 17 that have covered accounts subject to the FTC’s
jurisdiction at an average annual burden of approximately 15 minutes per entity (including 5
minutes for updating of streamlined Program, plus 5 minutes for staff training, and 5 minutes for
preparing annual report), for an annual total of 16,455 hours.
• In total, 66,277 low-risk entities subject to the FTC’s jurisdiction, for an annual total
of 17,063 hours.
3.
Combined Annual Burden Hours
Based on the foregoing, FTC staff estimates that the 165,494 entities (99,217 high-risk
entities + 66,277 low-risk entities) subject to the Red Flags Rule will incur a total annual burden
of 358,124 hours (341,061 hours for high-risk entities + 17,063 hours for low-risk entities).
II.
Card Issuers Rule: 18,608 Hours.
Affected Public: State-chartered credit unions; general merchandise stores; colleges and
universities; telecommunications firms; and certain “creditors.” 18
The Card Issuers Rule requires credit and debit card issuers to establish policies and
procedures to assess the validity of a change of address request, including notifying the
cardholder or using another means of assessing the validity of the change of address. FTC staff
estimates that there are currently 18,464 credit and debit card issuers under the FTC’s jurisdiction,
and there are approximately 36 new entrants each year. Thus, in order to account for this annual
increase in the number of credit and debit card issuers, FTC staff will assume that, in each year of
the 3-year clearance period, there will be a total of 18,500 credit and debit card issuers, which
represents the average number of credit and debit card issuers during the 3-year clearance period.
FTC staff believes that each of the 36 new entrants will spend approximately 4 hours
developing and implementing policies and procedures to assess the validity of a change of address
request. Additionally, FTC staff believes that existing card issuers will likely already have
automated the process of notifying the cardholder or are using other means to assess the validity
Estimates of new and existing low-risk entities are derived from an analysis of a database of U.S. businesses based
on NAICS codes for businesses that market goods or services to consumers or other businesses within the FTC’s
jurisdiction, reduced further to: (1) those that satisfy the Red Flag Rule’s definition of “creditor;” and (2) those that
are likely to have covered accounts.
17
This number was derived from the average annual number of existing low-risk entities, taking into account that the
new entities from year one will become existing entities in year two and the new entities from year two will become
existing entities in year three.
18
15 U.S.C. 1681m(e)(4).
16
8
�of the change of address, such that implementation will pose no further burden. However, in
order to provide a conservative estimate, FTC staff will assume that each existing card issuer will
spend each year approximately one hour reviewing and maintaining policies and procedures in
order to assess the validity of a change of address request.
Accordingly, FTC staff anticipates that card issuers will incur the following burden:
• 36 new credit and debit card issuers under the FTC’s jurisdiction, at an annual average
burden of approximately 4 hours per entity, for an annual total of 144 hours.
• 18,464 existing credit and debit card issuers subject to the FTC’s jurisdiction, at an
average annual burden of approximately 1 hour per entity, for an annual total of 18,464 hours.
• In total, 18,500 credit and debit card issuers subject to the FTC’s jurisdiction, for an
annual total of 18,608 hours.
III.
Address Discrepancy Rule: 21,747 Hours.
Affected Public: Users of consumer reports that are motor vehicle dealers described in
Section 1029(a) of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the DoddFrank Act), 12 U.S.C. 5519, and that are predominantly engaged in the sale and servicing of
motor vehicles, the leasing and servicing of them, or both (below, referenced as “users”).
As discussed above, the Address Discrepancy Rule provides guidance on reasonable
policies and procedures that a user of consumer reports must employ when a user receives a
notice of address discrepancy from a consumer reporting agency. The FTC Address
Discrepancy Rule covers only users of consumer reports that are motor vehicle dealers described
in Section 1029(a) of the Dodd-Frank Act and that are predominantly engaged in the sale and
servicing of motor vehicles, the leasing and servicing of them, or both.
Assuming that every covered motor vehicle dealer is a user of consumer reports, FTC staff
estimates that the Address Discrepancy Rule currently affects approximately 52,211 entities.
FTC staff further estimates that there are approximately 2,737 new entrants each year,
representing motor vehicle dealers that have not previously implemented procedures to comply
with this Rule. Thus, in order to account for the fact that the number of entities that are subject
to the FTC’s Address Discrepancy Rule will increase during the 3-year clearance period, this
burden analysis relies on the average count of entities that will be subject to the Rule during the 3year clearance period (54,948).
For the 2,737 new entrants, FTC staff estimates that it would take an infrequent user of
consumer reports no more than 16 minutes to develop and follow the policies and procedures that
it will employ when it receives a notice of address discrepancy, whereas a frequent user may take
1 hour. Taking into account these extremes, FTC staff estimates that, during the first year of the
9
�clearance, for the 2,737 new entrants, it will take users of consumer reports an average of 38
minutes (the average of 16 minutes and 60 minutes) to develop and comply with the policies and
procedures that they will employ when they receive a notice of address discrepancy.
FTC staff assumes that the 52,211 existing motor vehicle dealers will already have
developed the necessary compliance policies and procedures, and will only incur a burden in
complying with those policies and procedures. Specifically, FTC staff estimates that it may take
an infrequent user of consumer reports no more than one minute to comply with the policies and
procedures that it will employ when it receives a notice of address discrepancy, whereas a
frequent user of consumer reports may take 45 minutes. FTC staff estimates that the average
annual burden for the 52,211 existing motor vehicle dealers will be 23 minutes (the average of
one minute and 45 minutes).
Thus, for the 2,737 new entrants, the average annual burden for each of them to perform
these collective tasks will be 38 minutes; cumulatively, 1,733 hours. For the 52,211 existing
motor vehicle dealers, the average annual burden for each of them to perform these collective
tasks will be 23 minutes; cumulatively, 20,014 hours. Collectively, the total burden for the
54,948 motor vehicle dealers will be 21,747 hours. 19
IV.
Combined Annual Burden Hours
Based on the foregoing, FTC staff estimates that the 238,942 entities subject to the Red
Flags, Card Issuers, and Address Discrepancy Rules (165,494 for Red Flags Rule + 18,500 for
Card Issuers Rule + 54,948 for Address Discrepancy Rule) will incur a total annual burden of
398,479 hours (358,124 hours for Red Flags Rule + 18,608 hours for Card Issuers Rule + 21,747
hours for Address Discrepancy Rule).
B. Estimated Annual Labor Cost: $22,350,652.
I.
Section 114—Red Flags and Card Issuers Rules: $21,850,471.
FTC staff derived labor costs by applying appropriate estimated hourly cost figures to the
burden hours described above. It is difficult to calculate the labor costs associated with the
The above-noted customer verification requirements and the estimate of 21,747 hours concern 16 CFR 641.1(c).
In addition, 16 CFR 641.1(d) requires users that (1) furnish a consumer’s address to a consumer reporting agency,
and (2) have established a continuing relationship with the consumer, to develop and implement reasonable policies
and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate. The
FTC previously estimated that the cumulative burden hours associated with 16 CFR 641.1(d) would be de minimis.
Thus, the estimate above concerns solely 16 CFR 641.1(c).
19
10
�Rules with precision, as they entail varying compensation levels of management and/or technical
staff among companies of different sizes. In calculating the cost figures, FTC staff assumes that
entities’ professional technical personnel and/or managerial personnel will create and implement
the Program, prepare the annual report, train employees, and assess the validity of a change of
address request at an hourly rate of $58.
Based on the above estimates and assumptions, the total annual labor costs for all
categories of covered entities under the Red Flags and Card Issuers Rules for Section 114 is
$21,850,471 (376,732 hours x $58).
II.
Section 315—Address Discrepancy Rule: $500,181.
FTC staff assumes that the policies and procedures for compliance with the Address
Discrepancy Rule will be set up by administrative support personnel at an hourly rate of $23.
Based on the above estimates and assumptions, the total annual labor cost for the two categories
of burden under Section 315 is $500,181 (21,747 hours × $23).
III.
Combined Annual Labor Costs
Based on the foregoing, FTC staff estimates that the Red Flags, Card Issuers, and Address
Discrepancy Rules will result in total annual labor costs of approximately $22,350,652
($21,850,471 + $500,181).
13.
Estimated Capital and Other Non-Labor Costs
The FTC staff believes that the Rules impose negligible capital or other non-labor costs, as
the affected entities are likely to have the necessary supplies and/or equipment already (e.g.,
offices and computers) for the information collections described herein.
14.
Estimated Cost to the Federal Government
FTC staff estimates that a representative year’s cost to the FTC of administering the
Rules’ requirements during the 3-year clearance period sought will be approximately $65,516.
This represents three-tenths of an attorney’s work year, including employee benefits.
15.
Program Changes or Adjustments
Compared to the estimates used in the 2022 renewal request, there is an increase of 1,181
hours in the total estimated annual hours burden (397,298 hours in 2022, 398,479 in 2024), and an
increase of $2,246,900 in the total estimated annual labor costs ($20,103,752 in 2022 and
$22,350,652 in 2024). The total estimated capital and other non-labor costs continue to be de
minimis. The differences in the estimates of the total annual hours burdens and labor costs are
11
�due to adjustments to the estimates, and do not constitute program changes. They are
attributable to an increase in hourly wage rates and an increase in the number of covered entities.
16.
Publishing Results of the Collection of Information
There are no plans to publish any information for statistical use.
17.
Display of Expiration Date for OMB Approval
Not applicable.
18.
Exceptions to the Certifications for PRA Submissions
Not applicable.
12
�
| File Type | application/pdf |
| File Modified | 0000-00-00 |
| File Created | 0000-00-00 |