[Federal Register Volume 79, Number 103 (Thursday, May 29, 2014)]
[Rules and Regulations]
[Pages 30709-30711]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-12358]


-----------------------------------------------------------------------

FEDERAL RESERVE SYSTEM

12 CFR Part 222

[Docket No. R-1484]
RIN 7100 AE14


Identity Theft Red Flags (Regulation V)

AGENCY: Board of Governors of the Federal Reserve System.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Board of Governors of the Federal Reserve System is 
amending its rule on identity theft ``red flags'' (``Red Flags rule''), 
which implements section 615(e) of the Fair Credit Reporting Act 
(FCRA). The Red Flag Program Clarification Act of 2010 (the 
Clarification Act) added a definition of ``creditor'' in FCRA section 
615(e) that is specific to section 615(e). Accordingly, the final rule 
amends the definition of ``creditor'' in the Red Flags rule to reflect 
the definition of that term as added by the Clarification Act. The 
final rule also updates a cross-reference in the Red Flags rule to 
reflect a statutory change in rulemaking authority.

DATES: The final rule is effective June 30, 2014.

FOR FURTHER INFORMATION CONTACT: Mandie K. Aubrey, Counsel, Division of 
Consumer and Community Affairs, at (202) 452-3667, Board of Governors 
of the Federal Reserve System, 20th and C Streets NW., Washington, DC 
20551. For users of Telecommunications Device for the Deaf (TDD) only, 
contact (202) 263-4869.

SUPPLEMENTARY INFORMATION: 

I. Background

    On November 9, 2007, the Board of Governors of the Federal Reserve 
System (Board), along with the other banking agencies,\1\ National 
Credit Union Administration (NCUA), and the Federal Trade Commission 
(FTC) (collectively, the ``Agencies''), published final rules and 
guidelines on identity theft ``red flags'' (``Red Flags rule'') to 
implement section 615(e) of the Fair Credit Reporting Act (FCRA) (15 
U.S.C. 1681m(e)).\2\ The Red Flags rule requires each financial 
institution and creditor that holds any consumer account, or other 
account for which there is a reasonably foreseeable risk of identity 
theft, to develop and implement an identity theft prevention program in 
connection with new and existing accounts. The program must include 
reasonable policies and procedures for detecting, preventing, and 
mitigating identity theft. The Agencies also issued guidelines to 
assist financial institutions and creditors in developing and 
implementing a program, including a supplement that provides examples 
of red flags.
---------------------------------------------------------------------------

    \1\ The other banking agencies included the Office of the 
Comptroller of the Currency; Federal Deposit Insurance Corporation; 
and Office of Thrift Supervision. The Dodd-Frank Wall Street Reform 
and Consumer Protection Act (Dodd-Frank Act) added the Commodity 
Futures Trading Commission (CFTC) and the Securities and Exchange 
Commission (SEC) to the list of agencies with rulemaking and 
enforcement authority under the Fair Credit Reporting Act with 
respect to the Red Flags rule. Public Law 111-203, 124 Stat. 1376 
(2010).
    \2\ 72 FR 63718 (Nov. 9, 2007).
---------------------------------------------------------------------------

    The Red Flags rule, implemented in the Board's Regulation V, 
Subpart J, defines the terms ``credit'' and ``creditor'' by cross-
reference to FCRA section 603(r)(5). 15 U.S.C. 1681a(r)(5). Section 
603(r)(5) defines the terms ``credit'' and ``creditor'' by cross-
reference to section 702 of the Equal Credit Opportunity Act (ECOA). 
ECOA section 702 defines ``creditor'' as ``any person who regularly 
extends, renews, or continues credit; any person who regularly arranges 
for the extension, renewal, or continuation of credit; or any assignee 
of an original creditor who participates in the decision to extend, 
renew, or continue credit.'' 15 U.S.C. 1691a(e). The ECOA defines 
``credit'' as ``the right granted by a creditor to a debtor to defer 
payment of debt or to incur debts and defer its payment or to purchase 
property or services and defer

[[Page 30710]]

payment therefor.'' 15 U.S.C. 1691a(d). Thus, the FCRA's red flags 
provisions have been broadly applied to banks, finance companies, 
automobile dealers, mortgage brokers, utility companies, and 
telecommunications companies. 12 CFR 222.90(b)(5).
    The scope of the Board's Red Flags rule is set forth in 12 CFR 
222.90(a), which states that the Board's rule applies to financial 
institutions and creditors that are state member banks (other than 
national banks) and their respective operating subsidiaries, branches 
and agencies of foreign banks (other than federal branches, federal 
agencies, and insured state branches of foreign banks), commercial 
lending companies owned or controlled by foreign banks, and 
organizations operating under section 25 or 25A of the Federal Reserve 
Act. Financial institutions and creditors that are not covered by the 
Board's rule are covered by substantially identical rules issued by 
other federal agencies.

II. The Red Flag Program Clarification Act of 2010

    On December 18, 2010, Congress enacted the Red Flag Program 
Clarification Act of 2010 (the Clarification Act).\3\ The Clarification 
Act amended section 615(e) of the FCRA (15 U.S.C. 1681m(e)) by adding a 
definition of the term ``creditor'' that is specific to section 615(e). 
The Clarification Act continues to define creditor by cross-reference 
to the ECOA's definition of creditor, but limits the application of the 
red flags provisions of the FCRA to only those creditors that regularly 
and in the ordinary course of business: (a) Obtain or use consumer 
reports, directly or indirectly, in connection with a credit 
transaction; (b) furnish information to consumer reporting agencies, as 
described in FCRA section 623, in connection with a credit transaction; 
or (c) advance funds to or on behalf of a person, based on an 
obligation of the person to repay the funds or repayable from specific 
property pledged by or on behalf of the person. 15 U.S.C. 
1681m(e)(4)(A).
---------------------------------------------------------------------------

    \3\ Public Law 111-319, 124 Stat. 3457 (Dec. 18, 2010).
---------------------------------------------------------------------------

    The Clarification Act's revised definition excludes, however, those 
creditors that advance funds on behalf of a person for expenses 
incidental to a service provided by the creditor to that person. 15 
U.S.C. 1681m(e)(4)(B). The legislative intent of narrowing the 
definition of ``creditor'' in the Red Flags rule was to exclude from 
coverage those persons that sell a product or service for which the 
consumer can pay later, such as lawyers and doctors.\4\
---------------------------------------------------------------------------

    \4\ 156 Cong. Rec. S8289 (daily ed. Nov. 30, 2010) (statement of 
Sen. Dodd).
---------------------------------------------------------------------------

    The Clarification Act also grants authority to the Board and the 
other agencies to determine, through a rulemaking, whether there are 
other creditors that offer or maintain accounts that are subject to a 
reasonably foreseeable risk of identity theft that should be subject to 
the Red Flags rule. 15 U.S.C. 1681m(e)(4)(C). The Board is not using 
its discretionary rulemaking authority at this time to extend the 
application of its Red Flags rule to additional creditors.

III. The Board's Proposed Revisions to Regulation V

    In February 2014, the Board proposed to amend the definition of 
``creditor'' in Regulation V (12 CFR 222.90) to conform the rule to the 
definition of ``creditor'' in the FCRA as amended by the Clarification 
Act (Proposed Rule).\5\ The Board also proposed to update a citation in 
Supplement A to Appendix J of Regulation V in light of the transfer of 
rulemaking authority to the Consumer Financial Protection Bureau 
(CFPB). The Board received five comments on the Proposed Rule.
---------------------------------------------------------------------------

    \5\ 79 FR 9645 (Feb. 20, 2014).
---------------------------------------------------------------------------

IV. The Final Rule

    As discussed above, the Board proposed to amend the definition of 
``creditor'' in Sec.  222.90(b)(5) to cross-reference the limited 
definition of creditor in section 615(e) of the FCRA, which is specific 
to the statute's red flags provisions. Accordingly, proposed Sec.  
222.90(b)(5) provided that ``creditor has the same meaning as in 15 
U.S.C. 1681m(e)(4).'' Commenters unanimously supported the Board's 
proposal to amend the definition, and the Board is adopting the 
proposed changes in the final rule.
    Under the Clarification Act and the final rule, creditors that do 
not regularly and in the ordinary course of business: (a) Obtain or use 
consumer reports in connection with a credit transaction; (b) furnish 
information to consumer reporting agencies in connection with a credit 
transaction; or (c) advance funds to or on behalf of a person, are no 
longer subject to the identity theft red flags requirements. However, 
the Red Flags rule still covers all financial institutions, regardless 
of whether they meet the revised definition of creditor.\6\ As a 
result, the revised definition does not affect the scope of the Board's 
rules, which only apply to state member banks and other financial 
institutions.
---------------------------------------------------------------------------

    \6\ The Board consulted and coordinated with the other banking 
agencies, the FTC, the NCUA, the CFTC, and the SEC with respect to 
the final rule. The FTC issued an interim final rule and the OCC 
issued a final rule amending the definition of ``creditor'' in their 
respective Red Flags rules, consistent with the revised definition 
in the Clarification Act. 77 FR 72712 (Dec. 6, 2012) (FTC) and 79 FR 
28393 (May 16, 2014) (OCC). The CFTC and SEC jointly issued final 
Red Flags rules and guidelines reflecting the FCRA definition of 
``creditor'' as amended by the Clarification Act. 78 FR 23637 (Apr. 
19, 2013). The Board understands that the FDIC and the NCUA will act 
separately with respect to any necessary updates to each agency's 
Red Flags rule.
---------------------------------------------------------------------------

    Commenters also supported the proposal to revise Supplement A to 
Appendix J of Regulation V, which included a cross-reference to the 
Board's definition of a ``notice of address discrepancy'' in Regulation 
V (12 CFR 222.82(b)). Because the Board's rulemaking authority for the 
notice of address discrepancy provisions of the FCRA (15 U.S.C. 
1681c(h)) transferred to the CFPB under the Dodd-Frank Act, the Board 
proposed to revise the citation in Appendix J so that it cross-
references the CFPB's definition of a ``notice of address discrepancy'' 
in the CFPB's Regulation V (12 CFR 1022.82(b)).\7\ The Board is 
updating the citation as proposed.
---------------------------------------------------------------------------

    \7\ The Board notes that there is no substantive difference 
between the Board's definition of a ``notice of address 
discrepancy'' and the CFPB's definition.
---------------------------------------------------------------------------

    One commenter suggested that the Board make further amendments to 
Regulation V to repeal provisions for which the rulemaking authority 
was not retained by the Board after the transfer of authority to the 
CFPB under the Dodd-Frank Act. The Board intends to make further 
revisions to Regulation V to reflect changes in its rulemaking 
authority at a later date.

V. Final Regulatory Flexibility Analysis

    The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) (RFA) 
generally requires an agency to perform an assessment of the impact a 
rule is expected to have on small entities. Based on its analysis, and 
for the reasons stated below, the Board believes that this final rule 
will not have a significant economic impact on a substantial number of 
small entities.
    1. Statement of the need for, and objectives of, the final rule. As 
noted above, the Clarification Act amended the definition of 
``creditor'' in the FCRA for purposes of the red flags provisions. The 
Board is amending the definition of ``creditor'' in its Red Flags rule 
to reflect the revised definition of that term in the Clarification 
Act. As also noted above, the Board is updating a cross-reference in 
the Red Flags rule to reflect the CFPB's rulemaking authority for the

[[Page 30711]]

notice of address discrepancy provisions in the FCRA.
    2. Summary of issues raised by comments in response to the initial 
regulatory flexibility analysis. The Board did not receive any comments 
on the initial regulatory flexibility analysis.
    3. Small entities affected by the final rule. The final rule amends 
the definition of ``creditor'' in the Board's Regulation V to conform 
to the revised definition of that term in the Clarification Act. The 
definition continues to refer to the FCRA definition of ``creditor,'' 
which references the ECOA definition of ``creditor,'' but limits the 
application of the red flags provisions to only those creditors that 
regularly and in the ordinary course of business: (a) Obtain or use 
consumer reports in connection with a credit transaction; (b) furnish 
information to consumer reporting agencies in connection with a credit 
transaction; or (c) advance funds to or on behalf of a person, based on 
an obligation of the person to repay the funds or repayable from 
specific property pledged by or on behalf of the person. 15 U.S.C. 
1681m(e)(4)(A). However, small entities that are financial institutions 
are still subject to the requirements, regardless of whether they meet 
the revised definition of creditor. Consequently, the revisions do not 
affect the scope of the Board's rules, which only apply to state member 
banks and other financial institutions, so no small entities are 
affected.
    The final rule also updates a cross-reference in the Red Flags rule 
to reflect the CFPB's rulemaking authority for the notice of address 
discrepancy provisions in the FCRA. This revision has no effect on 
small entities because there is no substantive difference between the 
Board's definition of a ``notice of address discrepancy'' and the 
CFPB's definition.
    4. Recordkeeping, reporting, and compliance requirements. The final 
rule does not impose any new recordkeeping, reporting, or compliance 
requirements on small entities. Small entities that no longer meet the 
narrower definition of ``creditor'' would not have to comply with the 
requirements of the Red Flags rule. However, small entity financial 
institutions would still be required to comply with the Red Flags rule, 
regardless of whether they meet the revised definition of creditor. 
Thus, the revisions do not affect the scope of the Board's rules, which 
only apply to state member banks and other financial institutions. In 
addition, the updated cross-reference in the final rule that reflects 
the CFPB's rulemaking authority for the notice of address discrepancy 
provisions in the FCRA is not a substantive change.
    5. Significant alternatives to the final revisions. Because the 
amendments in the final rule will have no impact, there are no 
significant alternatives that would further minimize the economic 
impact of the final rule on small entities.

VI. Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act (PRA) of 1995 (44 
U.S.C. 3506; 5 CFR Part 1320, Appendix A.1), the Board reviewed the 
rule under the authority delegated to the Federal Reserve by the Office 
of Management and Budget (OMB). The final rule contains no requirements 
subject to the PRA.

List of Subjects in 12 CFR Part 222

    Banks, banking, Consumer protection, Safety and soundness, and 
State member banks.

Authority and Issuance

    For the reasons set forth in the preamble, the Board amends 
Regulation V, 12 CFR part 222, as set forth below:

PART 222--FAIR CREDIT REPORTING (REGULATION V)

0
1. The authority citation for part 222 continues to read as follows:

    Authority:  15 U.S.C. 1681b, 1681c, 1681m and 1681s; Secs. 3, 
214, and 216, Pub. L. 108-159, 117 Stat. 1952.

0
2. Amend Sec.  222.90 by revising paragraph (b)(5) to read as follows:


Sec.  222.90  Duties regarding the detection, prevention, and 
mitigation of identity theft.

* * * * *
    (b) * * *
    (5) Creditor has the same meaning as in 15 U.S.C. 1681m(e)(4).
* * * * *

0
3. Amend Supplement A to Appendix J by revising example 3. to read as 
follows:

Appendix J to Part 222--Interagency Guidelines on Identity Theft 
Detection, Prevention, and Mitigation

* * * * *
    Supplement A to Appendix J
* * * * *
    3. A consumer reporting agency provides a notice of address 
discrepancy, as defined in 12 CFR 1022.82(b).
* * * * *

    By order of the Board of Governors of the Federal Reserve 
System, May 22, 2014.
Robert deV. Frierson,
Secretary of the Board.
[FR Doc. 2014-12358 Filed 5-28-14; 8:45 am]
BILLING CODE 6210-01-P