Information Collection Request

Part 162 - Protection of Consumer Information under the Fair Credit Reporting Act

ICR 202506-3038-002 · OMB 3038-0067 · Received in OIRA

Forms and Documents

Document	Type	Status	Availability
2026 Supporting Statement 3038-0067.docx	Supporting Statement A	Uploaded 2026-06-11	Available

IC Document Collections

IC ID	Collection	Type	Status	Form
194902	Collection 3038–0067, Part 162: Protection of Consumer Information under the Fair Credit Reporting Act		Modified

ICR Details

OMB Control No: 3038-0067	ICR Reference No: 202506-3038-002
Status: Received in OIRA	Previous ICR Reference No: 202207-3038-007
Agency/Subagency: CFTC	Agency Tracking No:
Title: Part 162 - Protection of Consumer Information under the Fair Credit Reporting Act
Type of Information Collection: Reinstatement without change of a previously approved collection	Common Form ICR: No
Type of Review Request: Regular	Date Submitted to OIRA: 06/17/2026

	Requested	Previously Approved
Expiration Date	36 Months From Approved
Responses	361,947	0
Time Burden (Hours)	46,603	0
Cost Burden (Dollars)	0	0

Abstract: The CFTC requests approval of its request to extend OMB approval of the information collection requirements associated with the Commission's rules under Part 162 - Protection of Consumer Information under the Fair Credit Reporting Act ("FCRA"). Title X of the Dodd-Frank Act, which is titled the Consumer Financial Protection Act of 2010 (âCFP Actâ), amends a number of federal consumer protection laws enacted prior to the Dodd-Frank Act including, in relevant part, the FCRA and the Fair and Accurate Credit Transactions Act of 2003 (âFACT Actâ). Specifically, Section 1088 of the CFP Act sets out certain amendments to the FCRA and the FACT Act directing the Commission to promulgate regulations that are intended to provide privacy protections to certain consumer information held by an entity that is subject to the jurisdiction of the Commission. Section 1088 amends section 214(b) of the FACT Actâwhich added section 624 to the FCRA in 2003âand directs the Commission to implement the provisions of section 624 of the FCRA with respect to persons that are subject to the Commissionâs enforcement jurisdiction. Section 624 of the FCRA gives a consumer the right to block affiliates of an entity subject to the Commissionâs jurisdiction from using certain information obtained from such entity to make solicitations to that consumer (hereinafter referred to as the âaffiliate marketing rulesâ). Under the affiliate marketing rules, the entities covered by the regulations are expected to prepare and provide clear, conspicuous and concise opt-out notices to any consumers with whom such entities have a pre-existing business relationship. A covered entity only has to provide an opt-out notice to the extent that an affiliate of the covered entity plans to make a solicitation to any of the covered entityâs consumers. A covered entity is required to send opt-out notices at the maximum of once every five years. Section 1088 of the CFP Act also amends section 628 of the FCRA and mandates that the Commission implement regulations requiring persons subject to the Commissionâs jurisdiction who possess or maintain consumer report information in connection with their business activities to properly dispose of that information (hereinafter referred to as the âdisposal rulesâ). Under the disposal rules, the entities covered by the regulations are expected to develop and implement a written disposal plan with respect to any consumer information within such entitiesâ possession. The regulations provide that a covered entity develop a written disposal plan that is tailored to the size and complexity of such entityâs business. The purpose of the written disposal plan is to establish a formal plan for the disposal of nonpublic, consumer information, which otherwise could be illegally confiscated and used by unauthorized third parties. Under the rules, a covered entity is required to develop a written disposal plan only once, but may subsequently amend such plan from time to time. In addition, Section 1088 of the CFP Act amended the FCRA by adding the CFTC and the Securities and Exchange Commission (âSEC,â together with the CFTC, the âCommissionsâ) to the list of federal agencies required to jointly prescribe and enforce identity theft red flags rules and guidelines and card issuer rules. Under the identity theft rules, entities covered by the regulation are required to develop and implement reasonable policies and procedures to identify, detect, and respond to relevant red flags for identity theft that are appropriate to the size and complexity of such entityâs business and, in the case of entities that issue credit or debit cards, to assess the validity of, and communicate with cardholders regarding address changes. They are also required to provide for the continued administration of identity theft policies and procedures.

Authorizing Statute(s): US Code: 15 USC 1681 Name of Law: FCRA-Identity Theft
PL: Pub.L. 111 - 203 124 Stat. 1376 (2010) Name of Law: Dodd-Frank Act

Citations for New Statutory Requirements: PL: Pub.L. 111 - 203 124 Stat. 1376 (2010) Name of Law: Dodd-Frank Wall Street Reform

Associated Rulemaking Information
RIN:	Stage of Rulemaking:	Federal Register Citation:	Date:
	Not associated with rulemaking

Federal Register Notices & Comments
60-day Notice:	Federal Register Citation:	Citation Date:
	90 FR 24387	06/10/2025
30-day Notice:	Federal Register Citation:	Citation Date:
	91 FR 36570	06/17/2026
Did the Agency receive public comments on this ICR? No

Number of Information Collection (IC) in this ICR: 1

IC Title	Form No.	Form Name
Collection 3038â0067, Part 162: Protection of Consumer Information under the Fair Credit Reporting Act

ICR Summary of Burden

	Total Request	Change Due to Adjustment in Estimate	Change Due to Potential Violation of the PRA
Annual Number of Responses	361,947	-93,313	455,260
Annual Time Burden (Hours)	46,603	-11,487	58,090
Annual Cost Burden (Dollars)	0	0	0

Burden increases because of Program Change due to Agency Discretion: No

Burden Increase Due to:

Burden decreases because of Program Change due to Agency Discretion: No

Burden Reduction Due to:

Short Statement: The estimated total annual burden has decreased from 58,090 to 46,603 hours (a reduction of 11,487 burden hours) to reflect the Commissionâs current estimate of the number of respondents subject to the requirements of Part 162. This updated burden estimate reflects the total burden hours from the affiliate marketing rules (Subpart A), the disposal rules (Subpart B), and the identity theft rules (Subpart C).

Annual Cost to Federal Government: $0

Does this IC contain surveys, censuses, or employ statistical methods? No

Does this ICR request any personally identifiable information (see OMB Circular No. A-130 for an explanation of this term)? Please consult with your agency's privacy program when making this determination. No

Does this ICR include a form that requires a Privacy Act Statement (see 5 U.S.C. §552a(e)(3))? Please consult with your agency's privacy program when making this determination. No

Is this ICR related to the Affordable Care Act [Pub. L. 111-148 & 111-152]? No

Is this ICR related to the Dodd-Frank Wall Street Reform and Consumer Protection Act, [Pub. L. 111-203]? Yes

Is this ICR related to the American Recovery and Reinvestment Act of 2009 (ARRA)? No

Is this ICR related to the Pandemic Response? No

Agency Contact: Kenny Wright 202 326-2907 [email protected]

Common Form ICR: No