[Federal Register Volume 77, Number 132 (Tuesday, July 10, 2012)]
[Notices]
[Pages 40614-40618]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2012-16730]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Agency Information Collection Activities; Proposed Collection; 
Comment Request; Extension

AGENCY: Federal Trade Commission (``FTC'' or ``Commission'').

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The information collection requirements described below will 
be submitted to the Office of Management and Budget (``OMB'') for 
review, as required by the Paperwork Reduction Act (``PRA''). The FTC 
is seeking public comments on its proposal to extend through November 
30, 2015, the current PRA clearance requirements contained in the FTC 
Red Flags/Card Issuers/Address Discrepancies Rules \1\ (``Red Flags 
Rule'' or ``Rule''). The current clearance expires on November 30, 
2012.
---------------------------------------------------------------------------

    \1\ 16 CFR 681.1; 16 CFR 681.2; 16 CFR part 641.

---------------------------------------------------------------------------
DATES: Comments must be submitted on or before September 10, 2012.

ADDRESSES: Interested parties may file a comment online or on paper, by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Red Flags Rule, PRA 
Comment, Project No. P095406'' on your comment, and file your comment 
online at https://ftcpublic.commentworks.com/ftc/RedFlagPRA by 
following the instructions on the web-based form. If you prefer to file 
your comment on paper, mail or deliver your comment to the following 
address: Federal Trade Commission, Office of the Secretary, Room H-113 
(Annex J), 600 Pennsylvania Avenue NW., Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Steven Toporoff, Attorney, Bureau of 
Consumer Protection, (202) 326-2252, Federal Trade Commission, 600 
Pennsylvania Avenue NW., Washington, DC 20580.

SUPPLEMENTARY INFORMATION:

I. Overview of the Rule

    The Rule implements sections 114 and 315 of the Fair Credit 
Reporting Act (``FCRA''), 15 U.S.C. 1681 et seq., to

[[Page 40615]]

require businesses to undertake measures to prevent identity theft and 
to increase the accuracy of consumer reports.
    Specifically, section 114 requires financial institutions and some 
creditors to develop and implement written Identity Theft Prevention 
Programs. Section 114 also mandates specific regulations that require 
credit and debit card issuers to assess the validity of notifications 
of changes of address under certain circumstances. Section 315 requires 
regulations that provide guidance on what users of consumer reports 
must do when they receive a notice of address discrepancy from a 
nationwide consumer reporting agency (``CRA'').
    Since promulgation of the original Rule, President Obama signed the 
Red Flag Program Clarification Act of 2010 (``Clarification Act''), 
which narrowed the definition of ``creditor'' for purposes of section 
114 of the FCRA. Specifically, the Clarification Act limits application 
of the Red Flags Rule to creditors that regularly and in the ordinary 
course of business: (1) Obtain or use consumer reports, directly or 
indirectly, in connection with a credit transaction; (2) furnish 
information to consumer reporting agencies in connection with a credit 
transaction; or (3) advance funds to or on behalf of a person, based on 
a person's obligation to repay the funds or on repayment from specific 
property pledged by or on the person's behalf. This third prong does 
not include a creditor that advances funds on behalf of a person for 
expenses incidental to a service provided by the creditor to that 
person.

II. Description of Collection of Information

A. FCRA Section 114

    The Rule requires financial institutions and covered creditors to 
develop and implement a written Identity Theft Prevention Program 
(``Program'') to detect, prevent, and mitigate identity theft in 
connection with existing accounts or the opening of new accounts. Under 
the Rule, financial institutions and certain creditors must conduct a 
periodic risk assessment to determine if they maintain ``covered 
accounts.'' The Rule defines that term ``covered account'' as either: 
(1) A consumer account that is designed to permit multiple payments or 
transactions, or (2) any other account for which there is a reasonably 
foreseeable risk of identity theft. Each financial institution and 
covered creditor that has covered accounts must create a written 
Program that contains reasonable policies and procedures to identity 
relevant indicators of the possible existence of identity theft (``Red 
Flags''); detect Red Flags that have been incorporated into the 
Program; respond appropriately to any Red Flags that are detected to 
prevent and mitigate identity theft; and update the Program 
periodically to ensure it reflects change in risks to customers.
    The Rule also requires financial institutions and covered creditors 
to: (1) Obtain approval of the initial written Program by the board of 
directors; a committee thereof or, if there is no board, an appropriate 
senior employee; (2) ensure oversight of the development, 
implementation, and administration of the Program; and (3) train staff, 
as needed, to implement the Program; and (4) exercise appropriate and 
effective oversight of service provider arrangements.
    In addition, the Rule implements the section 114 requirement that 
financial institutions or covered creditors that issue debit or credit 
cards (``card issuers'') generally must assess the validity of change 
of address notifications. Specifically, if the card issuer receives a 
notice of change of address for an existing account and, within a short 
period of time (during at least the first 30 days), receives a request 
for an additional or replacement card for the same account, the issuer 
must follow reasonable policies and procedures to assess the validity 
of the change of address.

B. FCRA Section 315

    The Rule also implements section 315 of the FCRA, requiring each 
user of consumer reports to have reasonable policies and procedures in 
place to employ when the user receives a notice of address discrepancy 
from a CRA. Specifically, each user of consumer reports must develop 
and implement reasonable policies and procedures to: (1) Enable the 
user to form a reasonable belief that a consumer report relates to the 
consumer about whom it has requested the report, when the user receives 
a notice of address discrepancy; and (2) furnish an address for the 
consumer that the user has reasonably confirmed is accurate to the CRA 
from which it receives a notice of address discrepancy, if certain 
conditions are met.

III. Burden Estimates

    Overall estimated burden hours regarding sections 114 and 315, 
combined, total 2,629,940 hours and the associated estimated labor 
costs are $81,837,080. Staff assumes that affected entities will 
already have in place, independent of the Rule, equipment and supplies 
necessary to carry out the tasks necessary to comply with it.

A. FCRA Section 114

1. Estimated Hours Burden--Red Flags Rule
    As noted above, the Rule requires financial institutions and 
certain creditors with covered accounts to develop and implement a 
written Program. Under the FCRA, financial institutions over which the 
FTC has jurisdiction include state chartered credit unions and certain 
insurance companies.
    Although narrowed by the Clarification Act, the definition of 
``creditor'' still covers a broad array of entities. Moreover, the 
Clarification Act does not set forth any exemptions from Rule coverage. 
Rather, application of the Rule depends upon an entity's course of 
conduct, not its status as a particular type of business. For these 
reasons, it is difficult to determine precisely the number of creditors 
subject to the FTC's jurisdiction. There are numerous small businesses 
under the FTC's jurisdiction that may qualify as ``creditors,'' and 
there is no formal way to track them. Nonetheless, FTC staff estimates 
that the Rule's requirement to have a written Program affects over 
7,025 financial institutions \2\ and 160,614 creditors.\3\
---------------------------------------------------------------------------

    \2\ The total number of financial institutions (7,025) is 
derived from an analysis of state credit unions and insurers within 
the FTC's jurisdiction using 2007 Census data (the most recent 
Census data available) and, where also available, online industry 
data. The FTC's 2009 PRA submission estimated that the Rule affects 
over 57,000 financial institutions. 74 FR 42303, 42304 (Aug. 21, 
2009). That figure also included, however, investment companies, 
broker dealers, and money service businesses. Those financial 
institutions are now covered by the Commodities Future Trading 
Commission and Securities and Exchange Commission, and, therefore, 
have been eliminated from the calculation of financial institutions 
in this submission, leaving the net amount of 7,025 financial 
institutions within the FTC's jurisdiction.
    \3\ The total number of creditors (160,614) is derived from an 
analysis of 2007 Census data and industry data for businesses or 
organizations that market goods and services to consumers or other 
businesses or organizations subject to the FTC's jurisdiction, 
reduced by entities not likely to: (1) Obtain credit reports, report 
credit transactions, or advance loans; and (2) entities not likely 
to have covered accounts under the Rule. As a result, the estimated 
number of covered creditors has decreased from nearly 2 million 
creditors in the FTC's 2009 submission to 160,614 creditors 
currently. See 74 FR at 42304.
---------------------------------------------------------------------------

    To estimate burden hours for the Red Flags Rule under section 114, 
FTC staff divided affected entities into two categories, based on the 
nature of their business: (1) Entities that are subject to high risk of 
identity theft and (2) entities that are subject to a low risk of 
identity theft, but have covered accounts that

[[Page 40616]]

will require them to have a written Program.
a. High-Risk Entities
    FTC staff estimates that high-risk entities \4\ will each require 
25 hours to create and implement a written Program, with an annual 
recurring burden of one hour. FTC staff anticipates that these entities 
will incorporate into their Program policies and procedures that they 
likely already have in place. Further, FTC staff estimates that 
preparation for an annual report will require each high-risk entity 
four hours initially, with an annual recurring burden of one hour. 
Finally, FTC staff believes that many of the high-risk entities, as 
part of their usual and customary business practice, already take steps 
to minimize losses due to fraud, including conducting employee 
training. Accordingly, only relevant staff need be trained to implement 
the Program: For example, staff already trained as part of a covered 
entity's anti-fraud prevention efforts do not need to be re-trained as 
incrementally needed. FTC staff estimates that training connected with 
the implementation of a Program of a high-risk entity will require four 
hours, and annual training thereafter will require one hour.
---------------------------------------------------------------------------

    \4\ High-risk entities include, for example, financial 
institutions within the FTC's jurisdiction and utilities, motor 
vehicle dealerships, telecommunications firms, colleges and 
universities, and hospitals.
---------------------------------------------------------------------------

    Thus, estimated hours for high-risk entities are as follows:
     105,774 high-risk entities subject to the FTC's 
jurisdiction at an average annual burden of 13 hours per entity 
[average annual burden over 3-year clearance period for creation and 
implementation of a Program ((25+1+1)/3), plus average annual burden 
over 3-year clearance period for staff training ((4+1+1)/3), plus 
average annual burden over 3-year clearance period for preparing an 
annual report ((4+1+1)/3)], for a total of 1,375,062 hours.
b. Low-Risk Entities
    Entities that have a minimal risk of identity theft,\5\ but that 
have covered accounts, must develop a Program; however, they likely 
will only need a streamlined Program. FTC staff estimates that such 
entities will require one hour to create such a Program, with an annual 
recurring burden of five minutes. Training staff of low-risk entities 
to be attentive to future risks of identity theft should require no 
more than 10 minutes in an initial year, with an annual recurring 
burden of five minutes. FTC staff further estimates that these entities 
will require, initially, 10 minutes to prepare an annual report, with 
an annual recurring burden of five minutes.
---------------------------------------------------------------------------

    \5\ Low-risk entities include, for example, public warehouse and 
storage firms, nursing and residential care facilities, automotive 
equipment rental and leasing firms, office supplies and stationary 
stores, fuel dealers, and financial transactions processing firms.
---------------------------------------------------------------------------

    Thus, the estimated hours burden for low-risk entities is as 
follows:
     61,865 low risk entities that have covered account subject 
to the FTC's jurisdiction at an average annual burden of approximately 
37 minutes per entity [average annual burden over 3-year clearance 
period for creation and implementation of streamlined Program 
((60+5+5)/3), plus average annual burden over 3-year clearance period 
for staff training ((10+5+5)/3), plus average annual burden over 3-year 
clearance period for preparing annual report ((10+5+5)/3], for a total 
of 38,150 hours.
2. Estimated Hours Burden--Card Issuers Rule
    As noted above, section 114 also requires financial institutions 
and covered creditors that issue credit or debit cards to establish 
policies and procedures to assess the validity of a change of address 
request, including notifying the cardholder or using another means of 
assessing the validity of the change of address. FTC staff estimates 
that the Rule affects as many as 17,978\6\ card issues within the FTC's 
jurisdiction. FTC staff believes that most of these card issuers 
already have automated the process of notifying the cardholder or are 
using another means to assess the validity of the change of address, 
such that implementation will pose no further burden. Nevertheless, 
taking a conservative approach, FTC staff estimates that it will take 
each card issuer 4 hours to develop and implement policy and procedures 
to assess the validity of a change of address request for a total 
burden of 71,912 hours.
---------------------------------------------------------------------------

    \6\ Card issuers within the FTC's jurisdiction include, for 
example, state credit unions, general retail merchandise stores, 
colleges and universities, and telecoms.
---------------------------------------------------------------------------

    Thus, the total average annual estimated burden for Section 114 is 
1,485,124 hours.
3. Estimated Cost Burden--Red Flags and Card Issuers Rules
    The FTC staff estimates labor costs by applying appropriate 
estimated hourly cost figures to the burden hours described above. It 
is difficult to calculate with precision the labor costs associated 
with compliance with the Rule, as they entail varying compensation 
levels of management (e.g., administrative services, computer and 
information systems, training and development) and/or technical staff 
(e.g., computer support specialists, systems analysts, network and 
computer systems administrators) among companies of different sizes. 
FTC staff assumes that for all entities, professional technical 
personnel and/or management personnel will create and implement the 
Program, prepare the annual report, and train employees, at an hourly 
rate of $42.\7\
---------------------------------------------------------------------------

    \7\ This estimate is based on mean hourly wages found at http://www.bls.gov/news.release/archives/ocwage_03272012.pdf 
(``Occupational Employment and Wages-May 2011,'' U.S. Department of 
Labor, released March 2012, Table 1 (``National employment and wage 
data from the Occupational Employment Statistics survey by 
occupation, May 2011'') for the various managerial and technical 
staff support exemplified above.
---------------------------------------------------------------------------

    Based on the above estimates and assumptions, the total annual 
labor costs for all categories of covered entities under the Red Flags 
and Card Issuers Rules for Section 114 is $62,375,208 (1,485,124 hours 
x $42).

B. FCRA Section 315--The Address Discrepancy Rule

    As discussed above, the Rule's implementation of Section 315 
provides guidance on reasonable policies and procedures that a user of 
consumer reports must employ when a user receives a notice of address 
discrepancy from a CRA. Given the broad scope of users of consumer 
reports, it is difficult to determine with precision the number of 
users of consumer reports that are subject to the FTC's jurisdiction. 
As noted above, there are numerous small businesses under the FTC's 
jurisdiction, and there is no formal way to track them; moreover, as a 
whole, the entities under the FTC's jurisdiction are so varied that 
there are no general sources that provide a record of their existence. 
Nonetheless, FTC staff estimates that the Rule's implementation of 
section 315 affects approximately 2,449,605 users of consumer reports 
subject to the FTC's jurisdiction.\8\ Commission staff estimates that 
approximately 10,000 of these users will receive notice of a 
discrepancy, in the course of their usual and customary business 
practices, and thereby have to furnish to CRAs an address 
confirmation.\9\
---------------------------------------------------------------------------

    \8\ This estimate is derived from an analysis of Census 
databases of U.S. businesses based on NAICS codes for businesses in 
industries that typically use consumer reports from CRAs described 
in the Rule, which total 2,449,605 users of consumer reports subject 
to the FTC's jurisdiction.
    \9\ Report to Congress Under Sections 318 and 319 of the Fair 
and Accurate Credit Transactions of 2003, Federal Trade Commission, 
80 (Dec. 2004) available at http://www.ftc.gov/reports/facta/041209factarpt.pdf.

---------------------------------------------------------------------------

[[Page 40617]]

    For section 315, FTC staff estimates that the average annual 
information collection burden during the three-year period for which 
OMB clearance is sought will be 1,144,816 hours. The estimated 
associated labor cost is $19,461.872.
1. Estimated Hours Burden
    Prior to enactment of the Address Discrepancy Rule, users of 
consumer reports could compare the address on a consumer report to the 
address provided by the consumer and discern for themselves any 
discrepancy. As a result, FTC staff believes that many users of 
consumer reports have developed methods of reconciling address 
discrepancies, and the following estimates represent the incremental 
amount of time users of consumer reports may require to develop and 
comply with the policies and procedures for when they receive a notice 
of address discrepancy.
a. Customer Verification
    Given the varied nature of the entities under the FTC's 
jurisdiction, it is difficult to determine precisely the appropriate 
burden estimates. Nonetheless, FTC staff estimates that it would 
require an infrequent user of consumer reports no more than 16 minutes 
to develop and comply with the policies and procedures that it will 
employ when it receives a notice of address discrepancy, while a 
frequent user might require one hour. Similarly, FTC staff estimates 
that, during the remaining two years of clearance, it may take an 
infrequent user no more than one minute to comply with the policies and 
procedures it will employ when it receives a notice of address 
discrepancy, while a frequent user might require 45 minutes. Taking 
into account these extremes, FTC staff estimates that, during the first 
year, it will take users of consumer reports under the FTC's 
jurisdiction an average of 38 minutes [the midrange between 16 minutes 
and 60 minutes] to develop and comply with the policies and procedures 
that they will employ when they receive a notice of address 
discrepancy. FTC staff also estimates that the average recurring burden 
for users of consumer reports to comply with the Rule will be 23 
minutes [the midrange between one minute and 45 minutes].
    Thus, for these 2,449,605 entities, the average annual burden for 
each of them to perform these collective tasks will be 28 minutes [(38 
+ 23 + 23) / 3]; cumulatively, 1,143,149 hours.
b. Address Verification
    For the estimated 10,000 users of consumer reports that will 
additionally have to furnish to CRAs an address confirmation upon 
notice of a discrepancy, staff estimates that these entities will 
require, initially, 30 minutes to develop related policies and 
procedures. But, these 10,000 affected entities likely will have 
automated the process of furnishing the correct address in the first 
year of a three-year PRA clearance cycle. Thus, allowing for 30 minutes 
in the first year, with no annual recurring burden in the second and 
third years of clearance, yields an average annual burden of 10 minutes 
per entity to furnish a correct address to a CRA, for a total of 1,667 
hours.
2. Estimated Cost Burden
    FTC staff assumes that the policies and procedures for compliance 
with the address discrepancy part of the Rule will be set up by 
administrative support personnel at an hourly rate of $17.\10\ Based on 
the above estimates and assumptions, the total annual labor cost for 
the two categories of burden under section 315 is $19,461,872.
---------------------------------------------------------------------------

    \10\ This estimate is based on mean hourly wages found at http://www.bls.gov/news.release/archives/ocwage_03272012.pdf 
(``Occupational Employment and Wages-May 2011,'' U.S. Department of 
Labor, released March 2012, Table 1 (``National employment and wage 
data from the Occupational Employment Statistics survey by 
occupation, May 2011'') for administrative support staff (computer 
operators, data entry, word processors and typists).
---------------------------------------------------------------------------

C. Burden Totals for FCRA Sections 114 and 315

    Cumulatively, then, estimated burden is 2,629,940 hours (1,485,124 
hours for section 114 and 1,144,816 hours for section 315) and 
$81,837,080 ($62,375,208 and $19,461,872) in associated labor costs.

IV. Request for Comment

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before September 10, 
2012. Write ``Red Flags Rule, PRA Comment, Project No. P095406'' on 
your comment. Your comment--including your name and your state--will be 
placed on the public record of this proceeding, including to the extent 
practicable, on the public Commission Web site, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries 
to remove individuals' home contact information from comments before 
placing them on the Commission Web site.
    Because your comment will be made public, you are solely 
responsible for making sure that your comment does not include any 
sensitive personal information, like anyone's Social Security number, 
date of birth, driver's license number or other state identification 
number or foreign country equivalent, passport number, financial 
account number, or credit or debit card number. You are also solely 
responsible for making sure that your comment does not include any 
sensitive health information, like medical records or other 
individually identifiable health information. In addition, do not 
include any ``[t]rade secret or any commercial or financial information 
which is obtained from any person and which is privileged or 
confidential'' as provided in Section 6(f) of the FTC Act, 15 U.S.C. 
46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do 
not include competitively sensitive information such as costs, sales 
statistics, inventories, formulas, patterns, devices, manufacturing 
processes, or customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you have to follow the procedure explained 
in FTC Rule 4.9(c).\11\ Your comment will be kept confidential only if 
the FTC General Counsel, in his or her sole discretion, grants your 
request in accordance with the law and the public interest.
---------------------------------------------------------------------------

    \11\ In particular, the written request for confidential 
treatment that accompanies the comment must include the factual and 
legal basis for the request, and must identify the specific portions 
of the comment to be withheld from the public record. See FTC Rule 
4.9(c), 16 CFR 4.9(c).
---------------------------------------------------------------------------

    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/RedFlagPRA, by following the instructions on the web-based form. If 
this Notice appears at http://www.regulations.gov/#!home, you also may 
file a comment through that Web site.
    If you file your comment on paper, write ``Red Flags Rule, PRA 
Comment, Project No. P095406'' on your comment and on the envelope, and 
mail or deliver it to the following address: Federal Trade Commission, 
Office of the Secretary, Room H-113 (Annex J), 600 Pennsylvania Avenue 
NW., Washington, DC 20580. If possible, submit your paper comment to 
the Commission by courier or overnight service.

[[Page 40618]]

    Visit the Commission Web site at to read this Notice and the news 
release describing it. The FTC Act and other laws that the Commission 
administers permit the collection of public comments to consider and 
use in this proceeding as appropriate. The Commission will consider all 
timely and responsive public comments that it receives on or before 
September 10, 2012. You can find more information, including routine 
uses permitted by the Privacy Act, in the Commission's privacy policy, 
at http://www.ftc.gov/ftc/privacy.htm.

Willard K. Tom,
General Counsel.
[FR Doc. 2012-16730 Filed 7-9-12; 8:45 am]
BILLING CODE 6750-01-P