[Federal Register Volume 80, Number 208 (Wednesday, October 28, 2015)]
[Rules and Regulations]
[Pages 65913-65919]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-27291]


-----------------------------------------------------------------------

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Parts 334 and 391

RIN 3064-AE29


Removal of Transferred OTS Regulations Regarding Fair Credit 
Reporting and Amendments; Amendment to the ``Creditor'' Definition in 
Identity Theft Red Flags Rule; Removal of FDIC Regulations Regarding 
Fair Credit Reporting Transferred to the Consumer Financial Protection 
Bureau

AGENCY: Federal Deposit Insurance Corporation.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Federal Deposit Insurance Corporation (FDIC) is adopting a 
final rule (Final Rule) to make several amendments to its regulations 
covering ``Fair Credit Reporting.'' The amendments conform FDIC Fair 
Credit Reporting regulations to the Dodd-Frank Act by consolidating the 
regulations for all institutions for which the FDIC is the appropriate 
Federal banking agency into a single part. The amendments also address 
the role of the Consumer Financial Protection Bureau in promulgating 
rules relating to Fair Credit Reporting.

DATES: The Final Rule is effective November 27, 2015.

FOR FURTHER INFORMATION CONTACT: Sandra Barker, Senior Policy Analyst, 
Division of Depositor and Consumer Protection, (202) 898-3615 or 
[email protected]; Jeffrey Kopchik, Senior Policy Analyst, Division of 
Risk Management Supervision, (703) 254-0459 or [email protected]; 
Richard M. Schwartz, Counsel, Legal Division, (202) 898-7424 or 
[email protected].

SUPPLEMENTARY INFORMATION: 

I. Removal of Transferred OTS Regulations Regarding Fair Credit 
Reporting and Amendments to 12 CFR Part 334 of FDIC's Rules and 
Regulations

A. Background

    The Dodd-Frank Wall Street Reform and Consumer Protection Act 
(Dodd-Frank Act) \1\ provided for a substantial reorganization of the 
regulation of State and Federal savings associations and their holding 
companies. Beginning July 21, 2011, the transfer date established by 
section 311 of the Dodd-Frank Act, codified at 12 U.S.C. 5411, the 
powers, duties, and functions formerly performed by the OTS were 
divided among the FDIC, as to State savings associations, the Office of 
the Comptroller of the Currency (OCC), as to Federal savings 
associations, and the Board of Governors of the Federal Reserve System 
(FRB), as to savings and loan holding companies.\2\ Section 316(b) of 
the Dodd-Frank Act, codified at 12 U.S.C. 5414(b), provided the manner 
of treatment for all orders, resolutions, determinations, regulations, 
and advisory materials that had been issued, made, prescribed, or 
allowed to become effective by the OTS. The section provided that if 
such materials were in effect on the day before the transfer date, they 
continue to be in effect and are enforceable by or against the 
appropriate successor agency until they are modified, terminated, set 
aside, or superseded in accordance with applicable law by such 
successor agency, by any court of competent jurisdiction, or by 
operation of law.
---------------------------------------------------------------------------

    \1\ Public Law 111-203, 124 Stat. 1376 (2010).
    \2\ Section 312 of the Dodd-Frank Act, codified at 12 U.S.C. 
5412.
---------------------------------------------------------------------------

    Section 316(c) of the Dodd-Frank Act, codified at 12 U.S.C. 
5414(c), further directed the FDIC and the OCC to consult with one 
another and to publish a list of the continued OTS regulations that 
would be enforced by the FDIC and the OCC, respectively. On June 14, 
2011, the FDIC's Board of Directors approved a ``List of OTS 
Regulations to be Enforced by the OCC and the FDIC Pursuant to the 
Dodd-Frank Wall Street Reform and Consumer Protection Act.'' This list 
was published by the FDIC and the OCC as a Joint Notice in the Federal 
Register on July 6, 2011.\3\
---------------------------------------------------------------------------

    \3\ 76 FR 39247 (July 6, 2011).
---------------------------------------------------------------------------

    Although section 312(b)(2)(B)(i)(II) of the Dodd-Frank Act, 
codified at 12 U.S.C. 5412(b)(2)(B)(i)(II), granted the OCC rulemaking 
authority relating to both State and Federal savings associations, 
nothing in the Dodd-Frank Act affected the FDIC's existing authority to 
issue regulations under the FDI Act and other laws as the ``appropriate 
Federal banking agency'' or under similar statutory terminology. 
Section 312(c) of the Dodd-Frank Act amended the definition of 
``appropriate Federal banking agency'' contained in section 3(q) of the 
FDI Act, 12 U.S.C. 1813(q), to add State savings associations whose 
deposits are insured by the FDIC (State savings associations) to the 
list of entities for which the FDIC is designated as the ``appropriate 
Federal banking agency.'' As a result, when the FDIC acts as the 
designated ``appropriate Federal banking agency'' (or under similar 
terminology) for State savings associations, as it does here, the FDIC 
is authorized to issue, modify and

[[Page 65914]]

rescind regulations involving such associations, as well as for State 
nonmember banks and insured branches of foreign banks.
    As noted, on June 14, 2011, pursuant to this authority, the FDIC's 
Board of Directors reissued and redesignated certain transferring 
regulations of the former OTS. These transferred OTS regulations were 
published as new FDIC regulations in the Federal Register on August 5, 
2011.\4\ When it republished the transferred OTS regulations as new 
FDIC regulations, the FDIC specifically noted that its staff would 
evaluate the transferred OTS rules and might later recommend 
incorporating the transferred OTS regulations into other FDIC rules, 
amending them, or rescinding them, as appropriate.
---------------------------------------------------------------------------

    \4\ 76 FR 47652 (Aug. 5, 2011).
---------------------------------------------------------------------------

    One of the OTS rules transferred to the FDIC governed OTS oversight 
of the Fair Credit Reporting regulations, which implemented the Fair 
Credit Reporting Act (FCRA),\5\ in the context of State savings 
associations. The OTS rule, formerly found at 12 CFR part 571, was 
transferred to the FDIC \6\ and was moved to the FDIC's rules at part 
391, subpart C, entitled ``Fair Credit Reporting.'' Before the transfer 
of the OTS rules and continuing today, the FDIC's rules contained part 
334, also entitled ``Fair Credit Reporting,'' a rule governing FDIC 
regulation with respect to IDIs for which the FDIC has been designated 
the appropriate Federal banking agency. After careful review and 
comparison of part 391, subpart C and part 334, the FDIC rescinds part 
391, subpart C, because, as discussed below, it is substantively 
redundant to existing part 334 and simultaneously makes technical 
conforming edits to our existing rule.
---------------------------------------------------------------------------

    \5\ 15 U.S.C. 1681a, et seq.
    \6\ The Dodd-Frank Act transferred the rule-writing authority of 
several parts of the ``Fair Credit Reporting'' regulations contained 
in parts 334 and 571, as well as the regulations of the OCC, FRB, 
and National Credit Union Administration (``NCUA''), to the newly 
created CFPB. See sections 1061 and 1088, codified at 12 U.S.C. 
5581, 15 U.S.C. 1681 et seq. When the OTS regulations for state 
savings associations were transferred to part 391, only those 
portions of the regulation that were retained by the FDIC were 
included.
---------------------------------------------------------------------------

B. FDIC's Existing 12 CFR Section 334.2 and Former OTS's 12 CFR Section 
571.2 (transferred to FDIC's Part 391, Subpart C, as 12 CFR Section 
391.20)

    On November 22, 2005, the FDIC, OTS, OCC, FRB and NCUA (``the 
Agencies'') jointly published rules in the Federal Register \7\ to 
implement section 411 of the Fair and Accurate Credit Transactions Act 
of 2003 (FACT Act),\8\ which amended section 604 of the FCRA.\9\ 
Section 411 of the FACT Act generally limited the ability of creditors 
to obtain and use medical information in connection with credit 
eligibility determinations and the ability of consumer reporting 
agencies to disclose medical information, as well as restricting the 
sharing of medical information and other medically related information 
with affiliates.\10\ That section required the Agencies to issue 
regulations on several aspects related to the medical privacy 
amendment.
---------------------------------------------------------------------------

    \7\ 70 FR 70664 (Nov. 22, 2005).
    \8\ Public Law 108-159, 117 Stat. 1952, 1999-2002 (2003).
    \9\ 15 U.S.C. 1681b.
    \10\ 70 FR at 70664.
---------------------------------------------------------------------------

    Although Dodd-Frank Act transferred the 2005 medical privacy 
regulations to the CFPB, as discussed below, the Agencies issued a 
regulation in the ``General Provisions'' portion of the Fair Credit 
Reporting regulations that remains in effect in the Agencies' 
regulations today.
    That regulation related to ``examples'' issued in any regulation in 
the Fair Credit Reporting part. The OTS regulation, stated: ``The 
examples in this part are not exclusive. Compliance with an example, to 
the extent applicable, constitutes compliance with this part. Examples 
in a paragraph illustrate only the issue described in the paragraph and 
do not illustrate any other issue that may arise in this part.'' \11\ 
The concurrently issued FDIC regulation contains identical 
language.\12\
---------------------------------------------------------------------------

    \11\ 12 CFR 571.2.
    \12\ 12 CFR 334.2.
---------------------------------------------------------------------------

    The OTS regulation issued at Sec.  391.20 was amended slightly 
because it was placed in a subpart of part 391: the word ``part'' was 
replace by ``subpart.'' Nevertheless, the portion of the OTS regulation 
that applied to State savings associations and their subsidiaries, 
originally codified at 12 CFR part 571 and subsequently transferred to 
FDIC's part 391, subpart C, is substantively similar to the current 
FDIC regulations codified at 12 CFR part 334. Therefore, to eliminate 
redundancy and streamline its regulations, the FDIC rescinds and 
removes Sec.  391.20.

C. FDIC's Existing 12 CFR Section 334.83 and Former OTS's 12 CFR 
Section 571.83 (transferred to FDIC's Part 391, Subpart C, as 12 CFR 
Section 391.21)

    Section 216 of the FACT Act added a new section 628 to the FCRA 
that, in general was designed to protect a consumer against the risks 
associated with the unauthorized access to information about a consumer 
contained in a consumer report, such as fraud and related crimes 
including identity theft.\13\ Specifically, section 216 required each 
of the Agencies, including the Federal Trade Commission (FTC), to adopt 
a regulation with respect to the entities subject to its enforcement 
authority ``requiring any person that maintains or otherwise possesses 
consumer information, or any compilation of consumer information, 
derived from a consumer report for a business purpose to properly 
dispose of any such information or compilation.'' \14\ The FDIC, OCC, 
FRB and OTS jointly published their rules in the Federal Register on 
December 28, 2004.\15\ The FDIC and OTS regulations were identical.\16\ 
Neither regulation contained a scope provision, because each regulation 
referred to the respective agency's version of the Interagency 
Guidelines Establishing Information Security Standards, which itself 
contained a scope provision.\17\
---------------------------------------------------------------------------

    \13\ Public Law 108-159, 117 Stat. at 1985-86; 15 U.S.C. 1681w.
    \14\ Id.
    \15\ 69 FR 77610 (Dec. 28, 2004).
    \16\ 12 CFR 334.83, 571.83 (2004).
    \17\ Id. (both regulations stated, in relevant part, ``You must 
properly dispose of any consumer information that you maintain or 
otherwise possess in accordance with the Interagency Guidelines 
Establishing Information Security Standards . . . to the extent the 
Guidelines are applicable to you.''). Both the FDIC's and the OTS's 
Interagency Guidelines were placed in the Safety and Soundness 
regulations, parts 364 and 570, respectively.
---------------------------------------------------------------------------

    In 2007, the Agencies jointly issued rules pursuant to section 114 
of the FACT Act, which dealt with identity theft ``red flag'' rules and 
rules on the duties of credit card issuers to validate notifications of 
changes of address under certain circumstances,\18\ as discussed in 
more detail below. Although those regulations were nearly identical 
from agency to agency, the OTS unilaterally amended its disposal 
regulation, as part of that rulemaking, to include a scope 
provision.\19\ The OTS explained that that amendment was nonsubstantive 
and technical in nature, caused by the placement of the address 
discrepancy regulation in the same subpart as the disposal 
regulation.\20\ No other Agency amended its disposal regulation.
---------------------------------------------------------------------------

    \18\ 72 FR 63718 (Nov. 9, 2007). That rulemaking also included 
rules issued pursuant to section 315 of the FACT Act, which required 
the Agencies to issue joint regulations that provide guidance 
regarding reasonable policies and procedures that a user of a 
consumer report should employ when the user receives a notice of an 
address discrepancy. The rule-writing authority for that rule was 
given to the CFPB in the Dodd-Frank Act.
    \19\ See 12 CFR 571.83(a) (2007).
    \20\ 72 FR at 63739.

---------------------------------------------------------------------------

[[Page 65915]]

    After careful comparison of the FDIC's disposal regulation with the 
transferred OTS rule in part 391, subpart C, the FDIC has concluded 
that, with the exception of the scope provision, which now includes 
``State savings associations whose deposits are insured by the Federal 
Deposit Insurance Corporation,'' \21\ the transferred OTS rule is 
substantively redundant. Therefore, based on the foregoing, the FDIC 
rescinds and removes from the Code of Federal Regulations the rule 
located at part 391, subpart C and makes minor conforming changes to 
incorporate State savings associations.
---------------------------------------------------------------------------

    \21\ The scope provision of the original 2007 amendment covered 
all savings associations with deposits insured by the FDIC and 
Federal savings associations' operating subsidiaries. When the OTS 
disposal regulation was transferred to section 391.21, it was 
amended to state that the scope provision applies to ``State savings 
associations whose deposits are insured by the Federal Deposit 
Insurance Corporation,'' consistent with the authority given to the 
FDIC in the Dodd-Frank Act.
---------------------------------------------------------------------------

    There were several ways to deal with this technical difference 
between the FDIC and the OTS disposal regulations, including adding a 
scope provision to the FDIC's disposal regulation at Sec.  334.83, an 
idea that was not proposed back in 2007. Instead, because of the direct 
reference in the disposal regulation to the Interagency Guidelines 
Establishing Information Security Standards, the FDIC, through a 
separate final rule relating to the FDIC's Safety and Soundness 
regulations, 12 CFR part 364, to be issued shortly, is adopting a 
change in the scope provision of the FDIC's version to cover State 
savings associations.
    As a backstop for this and any future fair credit regulations, the 
FDIC is also making a change to Sec.  334.1(b), the general scope 
provision of the FDIC's Fair Credit Reporting regulations, to cover 
State savings associations. The FDIC is also adding a definition of 
``State savings association'' to Sec.  334.3. That definition would 
have the same meaning as in section 3(b)(3) of the FDI Act, 12 U.S.C. 
1813(b)(3).\22\
---------------------------------------------------------------------------

    \22\ ``The term `State savings association' means-- (A) any 
building and loan association, savings and loan association, or 
homestead association; or (B) any cooperative bank (other than a 
cooperative bank which is a State bank as defined in subsection 
(a)(2) of this section), which is organized and operating according 
to the laws of the State (as defined in subsection (a)(3) of this 
section) in which it is chartered or organized.'' 12 U.S.C. 
1813(b)(3).
---------------------------------------------------------------------------

D. FDIC's Existing 12 CFR Sections 334.90 and 334.91 and Part 334, 
Appendix J, and Former OTS's 12 CFR Sections 571.82 and 571.90 and Part 
571, Appendix J (transferred to FDIC's Part 391, Subpart C, as 12 CFR 
Sections 391.22 and 391.23 and Part 391, Subpart C, Appendix)

    As discussed above (and in some detail below), the Agencies, in 
2007, jointly issued rules pursuant to section 114 of the FACT Act, 
which dealt with identity theft ``red flag'' rules and rules on the 
duties of credit card issuers to validate notifications of changes of 
address under certain circumstances.\23\ In addition to the rules 
required in section 114, the Agencies also jointly issued Interagency 
Guidelines on Identity Theft Detection, Prevention, and Mitigation.
---------------------------------------------------------------------------

    \23\ 72 FR 63718 (Nov. 9, 2007).
---------------------------------------------------------------------------

    The FDIC's ``red flag'' rule, styled as ``duties regarding the 
detection, prevention, and mitigation of identity theft,'' was issued 
as Sec.  334.90. The concurrently issued OTS rule was issued as Sec.  
571.90. That rule was later transferred to the FDIC rules as Sec.  
391.22. Apart from their scope provisions, the FDIC and the OTS ``red 
flag'' rules are substantively identical. As with the disposal rule, 
the scope of the transferred OTS rule covers ``a State savings 
association whose deposits are insured by the Federal Deposit Insurance 
Corporation.'' \24\
---------------------------------------------------------------------------

    \24\ 12 CFR 391.22(a).
---------------------------------------------------------------------------

    The FDIC's ``duties of card issuers regarding changes of address'' 
regulation was issued as Sec.  334.91. The concurrently issued OTS rule 
was issued as Sec.  571.91. That rule was later transferred to the FDIC 
rules as Sec.  391.23. As with the ``red flag'' rules, apart from their 
scope provisions, the FDIC and OTS change of address rules are 
substantively identical. The OTS rule covers ``an issuer of a debit or 
credit card (card issuer) that is a State savings association whose 
deposits are insured by the Federal Deposit Insurance Corporation.'' 
\25\
---------------------------------------------------------------------------

    \25\ 12 CFR 391.23(a).
---------------------------------------------------------------------------

    Finally, the FDIC's Interagency Guidelines on Identity Theft 
Detection, Prevention, and Mitigation was issued as part 334, appendix 
J. The concurrently issued OTS guidelines were issued as part 571, 
appendix J. Those guidelines were later transferred to the FDIC rules 
as part 391, subpart C, appendix. The FDIC and the OTS guidelines are 
substantively identical.
    After careful comparison of the FDIC's rules and guidelines with 
the transferred OTS rules and guidelines in part 391, subpart C, the 
FDIC has concluded that, with the exception of the scope provisions, as 
set out above, the transferred OTS rules and guidelines are 
substantively redundant. Therefore, based on the foregoing, the FDIC 
rescinds and removes from the Code of Federal Regulations the rules 
located at Sec. Sec.  391.22 and 391.23 and guidelines located at part 
391, subpart C, appendix, and makes minor conforming changes in 
Sec. Sec.  334.90 and 334.91 to incorporate State savings associations.

II. Amendments to Fair Credit Red Flag Identity Theft Rule and 
Guidelines

    As discussed above, on November 9, 2007, the FDIC, OCC, FRB, NCUA, 
OTS, and FTC published final rules and guidelines \26\ to implement the 
identity theft red flags provisions of section 114 of the FACT Act.\27\ 
In addition to these agencies, the Commodity Futures Trading Commission 
(CFTC) and the Securities and Exchange Commission (SEC) obtained 
rulemaking authority for these regulations under section 615 of the 
FCRA, as amended by section 1088 of the Dodd-Frank Act.
---------------------------------------------------------------------------

    \26\ 72 FR 63718 (Nov. 9, 2007).
    \27\ 15 U.S.C. 1681m(e).
---------------------------------------------------------------------------

    Section 615 directed the covered Agencies to issue joint 
regulations and guidelines requiring ``financial institutions'' and 
``creditors'' to develop and implement a written identity theft program 
to identify, detect, and respond to possible risks of identity theft 
relevant to them.
    The 2007 final interagency rule (the Red Flags Rule) \28\ included 
a definition of ``financial institution,'' as set forth in in section 
603(t) of the FCRA, as amended in section 111 of the FACT Act.\29\ That 
term includes ``a State or National bank, a State or Federal savings 
and loan association, a mutual savings bank, a State or Federal credit 
union, or any other person that, directly or indirectly, holds a 
transaction account (as defined in section 19(b) of the Federal Reserve 
Act) belonging to a consumer.'' \30\
---------------------------------------------------------------------------

    \28\ 12 CFR 334.90(b)(7).
    \29\ 15 U.S.C. 1681a(t).
    \30\ Id.
---------------------------------------------------------------------------

    The Red Flags Rule \31\ also included a definition of ``creditor,'' 
as set forth in section 603(r)(5) of the FCRA, as amended in section 
111 of the FACT Act.\32\ That definition referenced the definition of 
``creditor'' in section 702 of the Equal Credit Opportunity Act 
(``ECOA''). The ECOA defines the term ``creditor'' broadly as ``any 
person who regularly extends, renews, or continues credit; any person 
who regularly

[[Page 65916]]

arranges for the extension, renewal, or continuation of credit; or any 
assignee of an original creditor who participates in the decision to 
extend, renew or continue credit.'' \33\ The ECOA further defines 
``credit'' as ``the right granted by a creditor to a debtor to defer 
payment of debt or to incur debts and defer its payment or to purchase 
property or services and defer payment therefor.'' \34\ Regulation B, 
promulgated under the ECOA, defines ``credit'' in similar terms: ``the 
right granted by a creditor to an applicant to defer payment of a debt, 
incur debt and defer its payment, or purchase property or services and 
defer payment therefor.'' \35\
---------------------------------------------------------------------------

    \31\ 12 CFR 334.90(b)(5)
    \32\ 15 U.S.C. 1681a(r)(5).
    \33\ 15 U.S.C. 1691a(e).
    \34\ 15 U.S.C. 1691a(d).
    \35\ 12 CFR 1002.2(j).
---------------------------------------------------------------------------

    The current FDIC definition of ``creditor'' also expressly includes 
``lenders such as banks, finance companies, automobile dealers, 
mortgage brokers, utility companies, and telecommunications 
companies,'' \36\ the same definition as the joint rules issued by the 
OCC, FRB, OTS and FTC.
---------------------------------------------------------------------------

    \36\ 12 CFR 334.90(b)(5).
---------------------------------------------------------------------------

    Since the scope of the FDIC's red flag regulation covers ``an 
insured state nonmember bank, or a subsidiary of such entities (except 
brokers, dealers, persons providing insurance, investment companies, 
and investment advisors),'' \37\ the vast majority, but not all, of the 
entities covered by the FDIC regulation fall under the ``financial 
institutions'' definition.\38\
---------------------------------------------------------------------------

    \37\ 12 CFR 334.90(a).
    \38\ This result would be the same if the new scope provision of 
the Red Flags Rule as proposed in this notice of proposed 
rulemaking--which would add ``a State savings association whose 
deposits are insured by the Federal Deposit Insurance 
Corporation''--is finalized.
---------------------------------------------------------------------------

    In contrast, the vast majority of the entities supervised by the 
FTC's rule would be covered by the statutory ``creditor'' definition. 
As such, the FTC had issued guidance on the scope of that definition. 
For example, in a set of answers to frequently asked questions issued 
in June, 2009, the FTC stated: ``Under the [Red Flags Rule], the 
definition of `creditor' is broad and includes businesses or 
organizations that regularly provide goods or services first and allow 
customers to pay later. . . . Examples of groups that may fall within 
this definition are utilities, health care providers, lawyers, 
accountants, and other professionals, and telecommunications 
companies.'' \39\ The FTC had also stated in the preamble to the final 
Red Flags Rule that a ``broad scope of entities'' was covered.\40\ 
Similar guidance was provided in policy statements issued in 2008 and 
early 2009.\41\ This guidance led to a law suit brought by the American 
Bar Association against the FTC alleging that the application of the 
rules to attorneys exceeded FTC's authority. Similar complaints were 
brought by the American Medical Association and other professionals.
---------------------------------------------------------------------------

    \39\ See American Bar Ass'n v. Federal Trade Comm'n (``ABA v. 
FTC''), 671 F. Supp. 2d 64, 70 (D.D.C. 2009) (quoting Red Flags 
Rule: Frequently Asked Questions, http://www.ftc.gov/bcp/edu/microsites/redflagsrule/faqs.shtm (since amended)), vacated as moot, 
636 F.3d 641 (D.C. Cir. 2011).
    \40\ 72 FR at 63741.
    \41\ See ABA v. FTC, 671 F. Supp. 2d at 69-70.
---------------------------------------------------------------------------

    In December 2010, Congress enacted the Red Flag Program 
Clarification Act (Clarification Act), 15 U.S.C. 1681m(e)(4), which 
narrowed the scope of entities covered as ``creditors'' under the Red 
Flags Rule.\42\ The Clarification Act retained the ECOA definition of 
``creditor,'' but generally limited the application of the Red Flags 
Rule to those ECOA creditors that ``regularly and in the ordinary 
course of business'' engaged in at least one of the following three 
types of conduct:
---------------------------------------------------------------------------

    \42\ Pub. L. 111-319, 124 Stat. 3457 (2010).
---------------------------------------------------------------------------

    1. Obtaining or using consumer reports, directly or indirectly, in 
connection with a credit transaction; \43\
---------------------------------------------------------------------------

    \43\ 15 U.S.C. 1681m(e)(4)(A)(i).
---------------------------------------------------------------------------

    2. Furnishing information to consumer reporting agencies in 
connection with a credit transaction; \44\ or
---------------------------------------------------------------------------

    \44\ 15 U.S.C. 1681m(e)(4)(A)(ii).
---------------------------------------------------------------------------

    3. Advancing funds to or on behalf of a person, based on an 
obligation of the person to repay the funds or repayable from specific 
property pledged by or on behalf of the person.\45\
---------------------------------------------------------------------------

    \45\ 15 U.S.C. 1681m(e)(4)(A)(iii).
---------------------------------------------------------------------------

    The Clarification Act also expressly excluded creditors that 
advanced funds on behalf of a person for expenses incidental to a 
service provided by the creditor to that person.\46\
---------------------------------------------------------------------------

    \46\ 15 U.S.C. 1681m(e)(4)(B).
---------------------------------------------------------------------------

    Finally, in addition to limiting the scope of coverage for 
``creditors'' by creating these specified categories, the Clarification 
Act empowered the Agencies to determine through a future rulemaking 
whether to include any other type of creditor that offers or maintains 
accounts that are subject to a reasonably foreseeable risk of identity 
theft.\47\
---------------------------------------------------------------------------

    \47\ 15 U.S.C. 1681m(e)(4)(C).
---------------------------------------------------------------------------

    When amending its Red Flag ``creditor'' definition in 2012, the FTC 
choose not to use its discretionary rulemaking to extend coverage of 
the Red Flags Rule to additional creditors and merely cited to the 
Clarification Act statutory definition.\48\ The FDIC is now adopting a 
similar result, to amend the ``creditor'' definition in its Red Flags 
Rule to expressly cite to the Clarification Act statutory provision, 15 
U.S.C. 1681m(e)(4).
---------------------------------------------------------------------------

    \48\ See 77 FR 72712 (Dec. 6, 2012).
---------------------------------------------------------------------------

    The FDIC has conferred with staff from the other Federal banking 
agencies, who do not object to the issuance of this final rulemaking to 
amend the Red Flags Rule to conform it to the Clarification Act. In 
fact, in May, 2014, both the OCC and the Federal Reserve Board issued 
final rules making the conforming change.\49\ The SEC and CFTC have 
previously issued final rules under section 615 of FCRA that included a 
definition of ``creditor'' as set forth in the Clarification Act.\50\
---------------------------------------------------------------------------

    \49\ See 79 FR 28393, 28400 (May 16, 2014) (OCC); 79 FR 30709, 
30711 (May 29, 2014) (Federal Reserve Board).
    \50\ See 78 FR 23638 (Apr. 19, 2013) (SEC and CFTC joint final 
rules; the CFTC ``creditor'' definition cited the Clarification Act 
provision, but also specifically listed the covered entities).
---------------------------------------------------------------------------

    The FDIC is also adopting a technical amendment to supplement A to 
the guidelines that accompanied the Red Flags Rule consistent with the 
amendments, discussed below, to vacate the FDIC Fair Credit Reporting 
regulations with rule writing authority transferred to the CFPB.\51\ In 
supplement A, the Agencies provided a list of red flags to be 
considered by the entities covered by the rule. One of those red flags 
was ``[a] consumer reporting agency provides a notice of address 
discrepancy, as defined in Sec.  334.82(b) of this part.'' \52\ Since 
the FDIC is vacating its regulation at 12 CFR 334.82, the FDIC is 
changing the citation in that red flag to the CFPB regulation: Sec.  
1022.82(b).
---------------------------------------------------------------------------

    \51\ 12 CFR part 334, supplement A to appendix J.
    \52\ Id. at 3.
---------------------------------------------------------------------------

III. Removal of FDIC Fair Credit Regulations Transferred to the 
Consumer Financial Protection Bureau

    In amending the FCRA, the FACT Act gave the FDIC, along with the 
other Federal banking regulators (and, in some cases, the FTC and the 
SEC), rule writing authority for a variety of Fair Credit Reporting 
regulations. Since 2004, those regulations have been promulgated on an 
inter-agency basis as follows:
     2004: Disposal of Consumer Information, 12 CFR 334.83, 
implementing FACT Act section 216 (FCRA section 628 (15 U.S.C. 1681w));
     2005: Medical Information, 12 CFR part 334, subpart D, 
implementing FACT Act section 411 (FCRA section 604(g)(5) (15 U.S.C. 
1681b(g)(5));
     2007: Affiliate Marketing, 12 CFR part 334, subpart C and 
appendix C,

[[Page 65917]]

implementing FACT Act section 214 (FCRA section 624 note (15 U.S.C. 
1681s-3 note));
     2007: Identity Theft Red Flags, 12 CFR part 334, subpart J 
and appendix J, implementing FACT Act section 114 (FCRA section 615(e) 
(15 U.S.C. 1681m(e)); \53\
---------------------------------------------------------------------------

    \53\ As amended by the Clarification Act. See discussion above.
---------------------------------------------------------------------------

     2007: Address Discrepancy, 12 CFR 334.82, implementing 
FACT Act section 315 (FCRA section 605(h) (15 U.S.C. 1681c(h)); and
     2009: Duties of Furnishers of Information, 12 CFR part 
334, subpart E and appendix E, implementing FACT Act section 312 (FCRA 
section 623(e) (15 U.S.C. 1681S-2(e)).
    Title X of the Dodd-Frank Act amended a number of consumer 
financial protection laws, including provisions of the FCRA. In 
addition to substantive amendments, the Dodd-Frank Act transferred 
rulemaking authority from the FDIC, FRB, OCC, FTC, NCUA, and OTS for 
several provisions of the ``Fair Credit Reporting'' regulations to the 
CFPB, effective July 21, 2011.\54\ These include the following 
regulations listed above: medical information; affiliate marketing; 
address discrepancy; and duties of furnishers of information. Those 
regulations were covered under 12 CFR part 334 subparts C, D, and E, as 
well as 12 CFR 334.82 in subpart I. The transfer also included the 
related Appendices, 12 CFR part 334, Appendices C and E. On December 
21, 2011, the CFPB published in the Federal Register an interim final 
rule Regulation V, which implemented the Dodd-Frank Act amendments to 
the FCRA with regard to those regulations and appendices.
---------------------------------------------------------------------------

    \54\ See sections 1061 and 1088 of the Dodd-Frank Act.
---------------------------------------------------------------------------

    As discussed above, the Dodd-Frank Act did not transfer all 
rulemaking authority under the FCRA. Specifically, the Act did not 
transfer to the CFPB the authority to promulgate: rules on the disposal 
of consumer information; \55\ rules on identity theft red flags and 
corresponding interagency guidelines on identity theft detection, 
prevention, and mitigation; \56\ and rules on the duties of card 
issuers regarding changes of address.\57\ These existing provisions are 
not included in the Bureau's new Regulation V.\58\
---------------------------------------------------------------------------

    \55\ See 15 U.S.C. 1681m(e); section 1088 of the Dodd-Frank Act.
    \56\ See 15 U.S.C. 1681w; section 1088 of the Dodd-Frank Act.
    \57\ See 15 U.S.C. 1681m(e); section 1088 of the Dodd-Frank Act.
    \58\ The Act also did not transfer rulemaking authority under 
the FCRA over any motor vehicle dealer that is predominantly engaged 
in the sale and servicing of motor vehicles, the leasing and 
servicing of motor vehicles, or both, subject to certain exceptions. 
See section 1029 of the Dodd-Frank Act.
---------------------------------------------------------------------------

    As a result of the of rule writing authority transferred to the 
CFPB, the FDIC rescinds and removes those regulations and appendices 
covered under the CFPB's Regulation V. In addition to the specific 
citations set out above, the FDIC is also rescinding and removing those 
parts of the Purpose and Definition provisions of the ``Fair Credit 
Reporting'' regulations that related to the substantive regulations 
transferred to the CFPB.\59\
---------------------------------------------------------------------------

    \59\ Those provisions include part of 12 CFR 334.1 and the 
definitions set out at 12 CFR 334.3(a), (b), (d), (i), and (k).
---------------------------------------------------------------------------

    Even though there is no longer rule writing authority for those 
``Fair Credit Reporting'' rules, the FDIC will continue to examine for 
compliance with the rules and take enforcement action when warranted.

IV. Regulatory Analysis and Procedure

A. The Paperwork Reduction Act

    In accordance with the requirements of the Paperwork Reduction Act 
(``PRA'') of 1995, 44 U.S.C. 3501-3521, the FDIC may not conduct or 
sponsor, and the respondent is not required to respond to, an 
information collection unless it displays a currently valid Office of 
Management and Budget (``OMB'') control number.
    Part of the Final Rule rescinds and removes part 391, subpart C 
from the FDIC regulations. This rule was transferred with only nominal 
changes to the FDIC from the OTS when the OTS was abolished by title 
III of the Dodd-Frank Act. Part 391, subpart C is largely redundant of 
the FDIC's existing part 334 regarding ``Fair Credit Reporting'' 
regulations, including appendix J to the part. The FDIC reviewed its 
burden estimates for the collection at the time it assumed 
responsibility for supervision of State savings associations 
transferred from the OTS and determined that no changes to the burden 
estimates were necessary. This Final Rule will not modify the FDIC's 
existing collection and does not involve any new collections of 
information pursuant to the PRA.
    The Final Rule also amends Sec. Sec.  334.83, 334.90, and 334.91 to 
include State savings associations and their subsidiaries within the 
scope of part 334. The Final Rule also amends those provisions to 
define ``State savings association.'' These measures clarify that State 
savings associations, as well as State nonmember banks are subject to 
part 334. Thus, these provisions of the Final Rule will not involve any 
new collections of information under the PRA or impact current burden 
estimates.
    Part of the Final Rule would amend the ``creditor'' definition in 
the FDIC's Identity Theft Red Flag regulation in conformance with the 
Clarification Act. The vast majority of entities regulated by the FDIC 
under the Identity Theft Red Flag regulation fall under the ``financial 
institution'' definition, and, therefore, would be covered under the 
rule regardless of the change in the ``creditor'' definition. For any 
subsidiary of a covered financial institution not covered under the 
``financial institution'' definition, the change to the ``creditor'' 
definition would, arguably, cover fewer, rather than more, entities. 
Thus, this provision of the Final Rule will not involve any new 
collections of information under the PRA or substantively impact 
current burden estimates.
    Finally, part of the Final Rule rescinds and removes those portions 
of 12 CFR part 334 where rule writing authority was transferred to the 
CFPB. This portion of the Final Rule will also not involve any new 
collections of information under the PRA or impact current burden 
estimates.
    Based on the foregoing, no information collection request has been 
submitted to the OMB for review.

B. The Regulatory Flexibility Act

    The Regulatory Flexibility Act (``RFA''), requires that each 
federal agency either (1) certify that a proposed rule would not, if 
adopted in final form, have a significant economic impact on a 
substantial number of small entities (defined in regulations 
promulgated by the Small Business Administration to include banking 
organizations with total assets of less than or equal to $550 million), 
or (2) prepare an initial regulatory flexibility analysis of the rule 
and publish the analysis for comment.\60\ For the reasons provided 
below, the FDIC certifies that the Final Rule would not have a 
significant economic impact on a substantial number of small entities.
---------------------------------------------------------------------------

    \60\ 5 U.S.C. 601 et seq.
---------------------------------------------------------------------------

    As discussed in the proposed rule, part 391, subpart C was 
transferred from OTS part 571, which governed Fair Credit Reporting. 
OTS part 571 had been in effect beginning in 2004, and all State 
savings associations were required to comply with it. Because it is 
basically redundant of existing part 334 of the FDIC's rules, the FDIC 
rescinds and removes part 391, subpart C. As a result, all FDIC-
supervised institutions--

[[Page 65918]]

including State savings associations and their subsidiaries--are 
required to comply with part 334. Because all State savings 
associations and their subsidiaries have been required to comply with 
substantially the same rules beginning in 2004, today's Final Rule 
would have no significant economic impact on any State savings 
association.
    In a similar way, portions of part 334 of the FDIC's rules were 
transferred to the CFPB Regulation V effective 2011. Because all FDIC 
supervised institutions--including State savings associations and their 
subsidiaries--have been required to comply with part 334 beginning in 
2004, today's Final Rule would have no significant economic impact on 
those institutions.\61\
---------------------------------------------------------------------------

    \61\ When propounding its new Regulation V, the CFPB made the 
following representation in its Regulatory Flexibility Act 
discussion:
    [T]his rule has only a minor impact on entities subject to 
Regulation V. Accordingly, the undersigned certifies that this 
interim final rule will not have a significant economic impact on a 
substantial number of small entities. The rule imposes no new, 
substantive obligations on covered entities and will require only 
minor, one-time adjustments to certain model form. . . .
    76 FR at 79312.
---------------------------------------------------------------------------

    With regard to the portion of the Final Rule amending the Red Flags 
Rule and appendix:
    1. Statement of the need for, and objectives of, the proposed rule. 
As noted above, the Clarification Act amended the definition of 
``creditor'' in the FCRA for purposes of the red flags provisions. The 
FDIC is amending the definition of ``creditor'' in its Red Flags Rule 
to reflect the revised definition of that term in the Clarification 
Act. As also noted above, the FDIC is updating a cross-reference in the 
Red Flags Rule to reflect the CFPB's rulemaking authority for the 
notice of address discrepancy provisions in the FCRA.
    2. Small entities affected by the proposed rule. The Final Rule 
would amend the definition of ``creditor'' in 12 CFR 334.90 to conform 
to the revised definition of that term in the Clarification Act. The 
definition continues to refer to the FCRA definition of ``creditor,'' 
which references the ECOA definition of ``creditor,'' but limits the 
application of the red flags provisions to only those creditors that 
regularly and in the ordinary course of business: (a) Obtain or use 
consumer reports in connection with a credit transaction; (b) furnish 
information to consumer reporting agencies in connection with a credit 
transaction; or (c) advance funds to or on behalf of a person, based on 
an obligation of the person to repay the funds or repayable from 
specific property pledged by or on behalf of the person. 12 U.S.C. 
1681m(e)(4)(A). Creditors that advance funds on behalf of a person for 
expenses incidental to a service provided by the creditor to that 
person are excluded from the definition. Small entity creditors that do 
not meet this more limited definition would no longer be covered by the 
rule. However, small entities that are financial institutions would 
still be covered by the rule, regardless of whether they meet the 
revised definition of creditor.
    The Final Rule also updates a cross-reference in the Red Flags Rule 
to reflect the CFPB's rulemaking authority for the notice of address 
discrepancy provisions in the FCRA. This revision would have no effect 
on small entities because there was no substantive difference between 
the FDIC definition of a ``notice of address discrepancy'' and the 
CFPB's definition.
    3. Recordkeeping, reporting, and compliance requirements. The Final 
Rule does not impose any new recordkeeping, reporting, or compliance 
requirements on small entities. Small entities that no longer meet the 
narrower definition of ``creditor'' would not have to comply with the 
requirements of the Red Flags Rule. However, small entity financial 
institutions would still be required to comply with the Red Flags Rule, 
regardless of whether they meet the revised definition of creditor.
    4. Other federal rules. The FDIC has not identified any federal 
statutes or regulations that would duplicate, overlap, or conflict with 
the proposed revision.
    5. Significant alternatives to the proposed revisions. The 
revisions to the definition of ``creditor'' and the cross-reference to 
the definition of a ``notice of address discrepancy'' reflect statutory 
changes. The FDIC does not believe there are significant alternatives 
to these revisions. Although the FDIC has authority to determine 
through a rulemaking that any other creditor that offers or maintains 
accounts that are subject to a reasonably foreseeable risk of identity 
theft is subject to the Red Flags Rule, the FDIC does not believe it is 
appropriate to use its discretionary rulemaking authority at this time.

C. Plain Language

    Section 722 of the GLB Act, codified at 12 U.S.C. 4809, requires 
each Federal banking agency to use plain language in all of its 
proposed and final rules published after January 1, 2000. The FDIC 
received no comments on whether the Proposed Rule was clearly stated 
and effectively organized or on how the FDIC might make it easier to 
understand.

D. The Economic Growth and Regulatory Paperwork Reduction Act

    Under section 2222 of the Economic Growth and Regulatory Paperwork 
Reduction Act of 1996 (``EGRPRA''), the FDIC is required to review all 
of its regulations, at least once every 10 years, in order to identify 
any outdated or otherwise unnecessary regulations imposed on insured 
institutions.\62\ The FDIC completed the last comprehensive review of 
its regulations under EGRPRA in 2006 and is commencing the next 
decennial review. The action taken on this rule will be included as 
part of the EGRPRA review that is currently in progress. The FDIC 
received no comments concerning whether the Proposed Rule would impose 
any outdated or unnecessary regulatory requirements on insured 
depository institutions.
---------------------------------------------------------------------------

    \62\ Public Law 104-208 (Sept. 30, 1996).
---------------------------------------------------------------------------

List of Subjects

12 CFR Part 334

    Fair credit reporting.

12 CFR Part 391

    Fair credit reporting.

Authority and Issuance

    For the reasons stated in the preamble, the Board of Directors of 
the Federal Deposit Insurance Corporation amends parts 334 and 391 of 
title 12 of the Code of Federal Regulations as set forth below:

PART 334--FAIR CREDIT REPORTING

Subpart A--General Provisions

0
1. The authority citation for part 334 continues to read as follows:

    Authority: 12 U.S.C. 1818, 1819 (Tenth), and 1831p-1; 15 U.S.C. 
1681a, 1681b, 1681c, 1681m, 1681s, 1681s-2, 1681s-3, 1681t, 1681w, 
6801 et seq., Pub. L. 108-159, 117 Stat. 1952.


0
2. Revise Sec.  334.1 to read as follows:


Sec.  334.1  Purpose and scope.

    (a) Purpose The purpose of this part is to implement the Fair 
Credit Reporting Act.
    (b) Scope Except as otherwise provided in this part, the 
regulations in this part apply to insured state nonmember banks, state 
savings associations whose deposits are insured by the Federal Deposit 
Insurance Corporation, insured state licensed branches of foreign 
banks, and subsidiaries of such entities (except

[[Page 65919]]

brokers, dealers, persons providing insurance, investment companies, 
and investment advisers).


0
3. Amend Sec.  334.3 by adding paragraph (m) to read as follows:


Sec.  334.3  Definitions.

* * * * *
    (m) State savings association has the same meaning as in section 
3(b)(3) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(b)(3).

Subparts C through E--[Removed and Reserved]

0
3. Remove and reserve subparts C, D, and E.

Subpart I--Records Disposal

0
4. Revise the heading for subpart I to read as set forth above.


Sec.  334.82  [Removed and Reserved]

0
5. Remove and reserve Sec.  334.82.

Subpart J--Identity Theft Red Flags

0
6. Amend Sec.  334.90 by revising paragraphs (a) and (b)(5) and adding 
paragraph (b)(11) to read as follows:


Sec.  334.90  Duties regarding the detection, prevention, and 
mitigation of identity theft.

    (a) Scope This section applies to a financial institution or 
creditor that is an insured state nonmember bank, State savings 
association whose deposits are insured by the Federal Deposit Insurance 
Corporation, insured state licensed branch of a foreign bank, or a 
subsidiary of such entities (except brokers, dealers, persons providing 
insurance, investment companies, and investment advisers).
    (b) * * *
    (5) Creditor has the same meaning as in 15 U.S.C. 1681m(e)(4).
* * * * *
    (11) State savings association has the same meaning as in section 
3(b)(3) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(b)(3).
* * * * *

0
7. Amend Sec.  334.91 by revising paragraph (a) and adding paragraph 
(b)(3) to read as follows:


Sec.  334.91  Duties of card issuers regarding change of address.

    (a) Scope This section applies to an issuer of a debit or credit 
card (card issuer) that is an insured state nonmember bank, state 
savings association whose deposits are insured by the Federal Deposit 
Insurance Corporation, insured state licensed branch of a foreign bank, 
or a subsidiary of such entities (except brokers, dealers, persons 
providing insurance, investment companies, or investment advisers).
    (b) * * *
    (3) State savings association has the same meaning as in section 
3(b)(3) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(b)(3).
* * * * *

0
8. In appendix J to part 334, amend supplement A under the heading 
``Alerts, Notifications or Warnings from a Consumer Reporting Agency'' 
by revising paragraph 3 to read as follows:

Appendix J to Part 334--Interagency Guidelines on Identity Theft 
Detection, Prevention, and Mitigation

* * * * *

Supplement A to Appendix J

* * * * *

Alerts, Notifications or Warnings from a Consumer Reporting Agency

* * * * *

0
3. A consumer reporting agency provides a notice of address 
discrepancy, as defined in 12 CFR 1022.82(b).
* * * * *

PART 391--REGULATIONS TRANSFERRED FROM THE OFFICE OF THRIFT 
SUPERVISION

0
9. The authority citation for part 391 continues, in part, to read as 
follows:

    Authority: 12 U.S.C. 1819.
* * * * *
    Subpart C also issued under 12 U.S.C. 1462a; 1463; 1464; 1828; 
1831p-1; and 1881-1884; 15 U.S.C. 1681m; 1681w.
* * * * *

Subpart C--[Removed and Reserved]

0
10. Remove and reserve subpart C, consisting of Sec. Sec.  391.20 
through 391.23 and an appendix.

    Dated at Washington, DC, this 22nd day of October, 2015.

    By order of the Board of Directors.

Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
[FR Doc. 2015-27291 Filed 10-27-15; 8:45 am]
 BILLING CODE 6714-01-P