[Federal Register Volume 83, Number 153 (Wednesday, August 8, 2018)]
[Notices]
[Pages 39096-39100]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-16936]


-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


Agency Information Collection Activities; Proposed Collection; 
Comment Request

AGENCY: Federal Trade Commission (``FTC'' or ``Commission'').

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: The FTC intends to ask the Office of Management and Budget 
(``OMB'') to extend for an additional three years the current Paperwork 
Reduction Act (``PRA'') clearance for the information collection 
requirements in the FTC Red Flags, Card Issuers, and Address 
Discrepancies Rules \1\ (``Rules''). That clearance expires on November 
30, 2018.
---------------------------------------------------------------------------

    \1\ 16 CFR 681.1 (Duties regarding the detection, prevention, 
and mitigation of identity theft); 16 CFR 681.2 (Duties of card 
issuers regarding changes of address); 16 CFR 641.1 (Duties of users 
of consumer reports regarding address discrepancies).

---------------------------------------------------------------------------
DATES: Comments must be submitted by October 9, 2018.

ADDRESSES: Interested parties may file a comment online or on paper by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Write ``Red Flags Rule, PRA 
Comment, Project No. P095406'' on your comment. File your comment 
online at https://ftcpublic.commentworks.com/ftc/RedFlagsPRA by 
following the instructions on the web-based form. If you prefer to file 
your comment on paper, mail your comment to the following address: 
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania 
Avenue NW, Suite CC-5610 (Annex J), Washington, DC 20580, or deliver 
your comment to the following address: Federal Trade Commission, Office 
of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, 
Suite 5610 (Annex J), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT: Requests for additional information 
should be addressed to Mark Eichorn, Assistant Director, Division of 
Privacy and Identity Protection, Bureau of Consumer Protection, (202) 
326-3053, Federal Trade Commission, 600 Pennsylvania Avenue NW, 
Washington, DC 20580.

[[Page 39097]]


SUPPLEMENTARY INFORMATION: 

I. Overview of the Rules

    The Red Flags Rule requires financial institutions and certain 
creditors to develop and implement written Identity Theft Prevention 
Programs (``Program''). The Card Issuers Rule requires credit and debit 
card issuers (``card issuers'') to assess the validity of notifications 
of address changes under certain circumstances. The Address Discrepancy 
Rule provides guidance on what users of consumer reports must do when 
they receive a notice of address discrepancy from a nationwide consumer 
reporting agency (``CRA''). Collectively, these three anti-identity 
theft provisions are intended to prevent impostors from misusing 
another person's personal information for a fraudulent purpose.
    The Rules implement sections 114 and 315 of the FACT Act, Public 
Law 108-159, which amended the Fair Credit Reporting Act (``FCRA''), 15 
U.S.C. 1681 et seq., to require businesses to undertake measures to 
prevent identity theft and increase the accuracy of consumer reports.
    Since promulgation of the original Rule, President Obama signed the 
Red Flag Program Clarification Act of 2010 (``Clarification Act''), 
which narrowed the definition of ``creditor'' for purposes of the Red 
Flags Rule. Specifically, the Clarification Act limits application of 
the Red Flags Rule to creditors that regularly and in the ordinary 
course of business: (1) Obtain or use consumer reports, directly or 
indirectly, in connection with a credit transaction; (2) furnish 
information to consumer reporting agencies in connection with a credit 
transaction; or (3) advance funds to or on behalf of a person, based on 
an obligation of the person to repay the funds or to make repayment 
from specific property pledged by or on behalf of the person. This 
third prong does not include a creditor that advances funds on behalf 
of a person for expenses incidental to a service provided by the 
creditor to that person.

II. Description of Collection of Information

A. FACT Act Section 114

    The FTC Red Flags and Card Issuers Rules implement requirements 
under Section 114 of the FACT Act. The Red Flags Rule requires 
financial institutions and covered creditors to develop and implement a 
written Program to detect, prevent, and mitigate identity theft in 
connection with existing accounts or the opening of new accounts. Under 
the Rule, financial institutions and certain creditors must conduct a 
periodic risk assessment to determine if they maintain ``covered 
accounts.'' The Rule defines the term ``covered account'' as either: 
(1) A consumer account that is designed to permit multiple payments or 
transactions, or (2) any other account for which there is a reasonably 
foreseeable risk of identity theft. Each financial institution and 
covered creditor that has covered accounts must create a written 
Program that contains reasonable policies and procedures to identify 
relevant indicators of the possible existence of identity theft (``red 
flags''); detect red flags that have been incorporated into the 
Program; respond appropriately to any red flags that are detected to 
prevent and mitigate identity theft; and update the Program 
periodically to ensure it reflects change in risks to customers.
    The Red Flags Rule also requires financial institutions and covered 
creditors to: (1) Obtain approval of the initial written Program by the 
board of directors; a committee thereof; or, if there is no board, an 
appropriate senior employee; (2) ensure oversight of the development, 
implementation, and administration of the Program; and (3) exercise 
appropriate and effective oversight of service provider arrangements.
    In addition, the Card Issuers Rule requires that card issuers 
generally must assess the validity of change of address notifications. 
Specifically, if the card issuer receives a notice of change of address 
for an existing account and, within a short period of time (during at 
least the first 30 days), receives a request for an additional or 
replacement card for the same account, the issuer must follow 
reasonable policies and procedures to assess the validity of the change 
of address.

B. FACT Act Section 315

    In implementing section 315 of the FACT Act, the Address 
Discrepancies Rule requires each user of consumer reports to have 
reasonable policies and procedures in place to employ when the user 
receives a notice of address discrepancy from a CRA. Specifically, each 
user must develop reasonable policies and procedures to: (1) Enable the 
user to form a reasonable belief that a consumer report relates to the 
consumer about whom it has requested the report; and (2) in certain 
circumstances, provide to the CRA from which it received the notice an 
address for the consumer that the user has reasonably confirmed is 
accurate.

II. Burden Estimates

    Under the PRA, 44 U.S.C. 3501-3521, Federal agencies must get OMB 
approval for each collection of information they conduct or sponsor. 
``Collection of information'' includes agency requests or requirements 
to submit reports, keep records, or provide information to a third 
party. 44 U.S.C. 3502(3); 5 CFR 1320.3(c). The figures below reflect 
FTC staff's estimates of the hours burden and labor costs to complete 
the tasks described above that fall within reporting, disclosure, or 
recordkeeping requirements. FTC staff believes that the Rules impose 
negligible capital or other non-labor costs, as the affected entities 
are likely to have the necessary supplies and/or equipment already 
(e.g. offices and computers) for the information collection described 
herein.
    Overall estimated burden hours regarding sections 114 and 315, 
combined, total 2,296,863 hours and the associated estimated labor 
costs are $92,465,982.

A. FACT Act Section 114

1. Estimated Hours Burden--Red Flags Rule
    As noted above, the Rule requires financial institutions and 
certain creditors with covered accounts to develop and implement a 
written Program. Under the FCRA, financial institutions over which the 
FTC has jurisdiction include state chartered credit unions and certain 
insurance companies, among other entities.
    Although narrowed by the Clarification Act, the definition of 
``creditor'' still covers a broad array of entities, and application of 
the Rule depends upon an entity's course of conduct, not its status as 
a particular type of business. For these reasons, it is difficult to 
determine precisely the number of creditors subject to the FTC's 
jurisdiction. There are numerous small businesses under the FTC's 
jurisdiction that may qualify as ``creditors,'' and there is no formal 
way to track them. Nonetheless, FTC staff estimates that the Rule's 
requirement to have a written Program affects 6,278 financial 
institutions \2\ and 157,585 creditors.\3\
---------------------------------------------------------------------------

    \2\ The total number of financial institutions is derived from 
an analysis of state credit unions and insurers within the FTC's 
jurisdiction using 2015 Census data (``County Business Patterns,'' 
U.S.) and other online industry data.
    \3\ The total number of creditors (157,585) is derived mostly 
from an analysis of 2015 Census data and industry data for 
businesses or organizations that market goods and services to 
consumers or other businesses or organizations subject to the FTC's 
jurisdiction, reduced by (1) entities not likely to obtain credit 
reports, report credit transactions, or advance loans; and (2) 
entities not likely to have covered accounts under the Rule.

---------------------------------------------------------------------------

[[Page 39098]]

    To estimate burden hours for the Red Flags Rule under section 114, 
FTC staff divided affected entities into two categories, based on the 
nature of their business: (1) Entities that are subject to high risk of 
identity theft, and (2) entities that are subject to a low risk of 
identity theft, but have covered accounts that will require them to 
have a written Program.
a. High-Risk Entities
    FTC staff estimates that high-risk entities \4\ will each require 
25 hours to create and implement a written Program, with an annual 
recurring burden of one hour. FTC staff anticipates that these entities 
will incorporate into their Program policies and procedures that they 
likely already have in place. Further, FTC staff estimates that 
preparation for an annual report will require each high-risk entity 
four hours initially, with an annual recurring burden of one hour. 
Finally, FTC staff believes that many of the high-risk entities, as 
part of their usual and customary business practice, already take steps 
to minimize losses due to fraud, including conducting employee 
training. Accordingly, only relevant staff need be trained to implement 
the Program: for example, staff already trained as part of a covered 
entity's anti-fraud prevention efforts do not need to be re-trained. 
FTC staff estimates that training connected with the implementation of 
a Program of a high-risk entity will require four hours, and annual 
training thereafter will require one hour.
---------------------------------------------------------------------------

    \4\ High-risk entities include, for example, financial 
institutions within the FTC's jurisdiction and utilities, motor 
vehicle dealerships, telecommunications firms, colleges and 
universities, and hospitals.
---------------------------------------------------------------------------

    Thus, estimated hours for high-risk entities are as follows:
     94,052 high-risk entities subject to the FTC's 
jurisdiction at an average annual burden of 13 hours per entity 
[average annual burden over 3-year clearance period for creation and 
implementation of a Program ((25 + 1 + 1) hours/3), plus average annual 
burden over 3-year clearance period for staff training ((4 + 1 + 1) 
hours/3), plus average annual burden over 3-year clearance period for 
preparing an annual report ((4 + 1 + 1) hours/3)], for a total of 
1,222,676 hours.
b. Low-Risk Entities
    Entities that have a minimal risk of identity theft,\5\ but that 
have covered accounts, must develop a Program; however, they likely 
will only need a streamlined Program. FTC staff estimates that such 
entities will require one hour to create such a Program, with an annual 
recurring burden of five minutes. Training staff of low-risk entities 
to be attentive to future risks of identity theft should require no 
more than 10 minutes in an initial year, with an annual recurring 
burden of five minutes. FTC staff further estimates that these entities 
will require, initially, 10 minutes to prepare an annual report, with 
an annual recurring burden of five minutes.
---------------------------------------------------------------------------

    \5\ Low-risk entities include, for example, public warehouse and 
storage firms, nursing and residential care facilities, automotive 
equipment rental and leasing firms, office supplies and stationery 
stores, fuel dealers, and financial transaction processing firms.
---------------------------------------------------------------------------

    Thus, the estimated hours burden for low-risk entities is as 
follows:
     63,533 low risk entities that have covered account subject 
to the FTC's jurisdiction at an average annual burden of approximately 
37 minutes per entity [average annual burden over 3-year clearance 
period for creation and implementation of streamlined Program ((60 + 5 
+ 5) minutes/3), plus average annual burden over 3-year clearance 
period for staff training ((10 + 5 + 5) minutes/3), plus average annual 
burden over 3-year clearance period for preparing annual report ((10 + 
5 + 5) minutes/3], for a total of 39,179 hours.
2. Estimated Hours Burden--Card Issuers Rule
    As noted above, section 114 also requires financial institutions 
and covered creditors that issue credit or debit cards to establish 
policies and procedures to assess the validity of a change of address 
request, including notifying the cardholder or using another means of 
assessing the validity of the change of address.
     FTC staff estimates that the Rule affects as many as 
16,742 \6\ card issuers within the FTC's jurisdiction. FTC staff 
believes that most of these card issuers already have automated the 
process of notifying the cardholder or are using another means to 
assess the validity of the change of address, such that implementation 
will pose no further burden. Nevertheless, taking a conservative 
approach, FTC staff estimates that it will take each card issuer 4 
hours to develop and implement policy and procedures to assess the 
validity of a change of address request for a total burden of 66,968 
hours.
---------------------------------------------------------------------------

    \6\ Card issuers within the FTC's jurisdiction include, for 
example, state credit unions, general retail merchandise stores, 
colleges and universities, and telecoms.
---------------------------------------------------------------------------

    Thus, the total average annual estimated burden for Section 114 is 
1,328,823 hours.
3. Estimated Cost Burden--Red Flags and Card Issuers Rules
    The FTC staff estimates labor costs by applying appropriate 
estimated hourly cost figures to the burden hours described above. It 
is difficult to calculate with precision the labor costs associated 
with compliance with the Rule, as they entail varying compensation 
levels of management (e.g., administrative services, computer and 
information systems, training and development) and/or technical staff 
(e.g., computer support specialists, systems analysts, network and 
computer systems administrators) among companies of different sizes. 
FTC staff assumes that for all entities, professional technical 
personnel and/or management personnel will create and implement the 
Program, prepare the annual report, and train employees, at an hourly 
rate of $49.\7\
---------------------------------------------------------------------------

    \7\ This estimate is based on mean hourly wages found at http://www.bls.gov/news.release/ocwage.t01.htm, ``Occupational Employment 
and Wages Summary--May 2017,'' U.S. Department of Labor, Table 1, 
released March 30, 2018 (``National employment and wage data from 
the Occupational Employment Statistics survey by occupation, May 
2017'') for the various managerial and technical staff support 
exemplified above (administrative service managers, computer & 
information systems managers, training & development managers, 
computer systems analysts, network & computer systems 
administrators, and computer support specialists).
---------------------------------------------------------------------------

    Based on the above estimates and assumptions, the total annual 
labor costs for all categories of covered entities under the Red Flags 
and Card Issuers Rules for Section 114 is $65,112,327 (1,328,823 hours 
x $49).

B. FACT Act Section 315--The Address Discrepancy Rule

    As discussed above, the Rule's implementation of Section 315 
provides guidance on reasonable policies and procedures that a user of 
consumer reports must employ when a user receives a notice of address 
discrepancy from a CRA. Given the broad scope of users of consumer 
reports, it is difficult to determine with precision the number of 
users of consumer reports that are subject to the FTC's jurisdiction. 
As noted above, there are numerous small businesses under the FTC's 
jurisdiction, and there is no formal way to track them; moreover, as a 
whole, the entities under the FTC's jurisdiction are so

[[Page 39099]]

varied that there are no general sources that provide a record of their 
existence. Nonetheless, FTC staff estimates that the Rule's 
implementation of section 315 affects approximately 1,967,161 users of 
consumer reports subject to the FTC's jurisdiction.\8\ Commission staff 
estimates that approximately 10,000 of these users will receive notice 
of a discrepancy, in the course of their usual and customary business 
practices, and thereby have to furnish to CRAs an address 
confirmation.\9\
---------------------------------------------------------------------------

    \8\ This estimate is derived from an analysis of Census 
databases of U.S. businesses based on NAICS codes for businesses in 
industries that typically use consumer reports from CRAs described 
in the Rule, which total 1,967,161 users of consumer reports subject 
to the FTC's jurisdiction.
    \9\ Report to Congress Under Sections 318 and 319 of the Fair 
and Accurate Credit Transactions of 2003, Federal Trade Commission, 
80 (Dec. 2004) available at http://www.ftc.gov/reports/facta/041209factarpt.pdf.
---------------------------------------------------------------------------

    For section 315, as detailed below, FTC staff estimates that the 
average annual burden during the three-year period for which OMB 
clearance is sought will be 919,678 hours with an associated labor cost 
of $17,473,882.
1. Estimated Hours Burden
    Prior to enactment of the Address Discrepancy Rule, users of 
consumer reports could compare the address on a consumer report to the 
address provided by the consumer and discern for themselves any 
discrepancy. As a result, FTC staff believes that many users of 
consumer reports have developed methods of reconciling address 
discrepancies, and the following estimates represent the incremental 
amount of time users of consumer reports may require to develop and 
comply with the policies and procedures for when they receive a notice 
of address discrepancy.
a. Customer Verification
    Given the varied nature of the entities under the FTC's 
jurisdiction, it is difficult to determine precisely the appropriate 
burden estimates. Nonetheless, FTC staff estimates that it would 
require an infrequent user of consumer reports no more than 16 minutes 
to develop and comply with the policies and procedures that it will 
employ when it receives a notice of address discrepancy, while a 
frequent user might require one hour. Similarly, FTC staff estimates 
that, during the remaining two years of clearance, it may take an 
infrequent user no more than one minute to comply with the policies and 
procedures it will employ when it receives a notice of address 
discrepancy, while a frequent user might require 45 minutes. Taking 
into account these extremes, FTC staff estimates that, during the first 
year, it will take users of consumer reports under the FTC's 
jurisdiction an average of 38 minutes [the midrange between 16 minutes 
and 60 minutes] to develop and comply with the policies and procedures 
that they will employ when they receive a notice of address 
discrepancy. FTC staff also estimates that the average recurring burden 
for users of consumer reports to comply with the Rule will be 23 
minutes [the midrange between one minute and 45 minutes].
    Thus, for these 1,967,167 entities, the average annual burden for 
each of them to perform these collective tasks will be 28 minutes [(38 
+ 23 +23) / 3]; cumulatively, 918,011 hours.
b. Address Verification
    For the estimated 10,000 users of consumer reports that will 
additionally have to furnish to CRAs an address confirmation upon 
notice of a discrepancy, staff estimates that these entities will 
require, initially, 30 minutes to develop related policies and 
procedures. But, these 10,000 affected entities likely will have 
automated the process of furnishing the correct address in the first 
year of a three-year PRA clearance cycle. Thus, allowing for 30 minutes 
in the first year, with no annual recurring burden in the second and 
third years of clearance, yields an average annual burden of 10 minutes 
per entity to furnish a correct address to a CRA, for a total of 1,667 
hours.
2. Estimated Cost Burden
    FTC staff assumes that the policies and procedures for compliance 
with the address discrepancy part of the Rule will be set up by 
administrative support personnel at an hourly rate of $19.\10\ Based on 
the above estimates and assumptions, the total annual labor cost for 
the two categories of burden under section 315 is $17,473,882.
---------------------------------------------------------------------------

    \10\ This estimate--rounded to the nearest dollar--is based on 
mean hourly wages for all management occupations found within the 
``Bureau of Labor Statistics, Economic News Release,'' March 30, 
2018, Table 1, ``National employment and wage data from the 
Occupational Employment Statistics survey by occupation, May 2017.'' 
http://www.bls.gov/news.release/ocwage.t01.htm.
---------------------------------------------------------------------------

C. Burden Totals for FACT Act Sections 114 and 315

    Cumulatively, then, estimated burden is 2,246,834 hours (1,328,823 
hours for section 114 and 918,011 hours for section 315) and 
$82,586,209 ($65,112,327 and $17,473,882) in associated labor costs.

IV. Request for Comment

    Pursuant to Section 3506(c)(2)(A) of the PRA, the FTC invites 
comments on: (1) Whether the disclosure requirements are necessary, 
including whether the information will be practically useful; (2) the 
accuracy of our burden estimates, including whether the methodology and 
assumptions used are useful; (3) ways to enhance the quality, utility, 
and clarity of the information to be collected; and (4) ways to 
minimize the burden of providing the required information to consumers.
    You can file a comment online or on paper. For the FTC to consider 
your comment, we must receive it on or before October 9, 2018. Write: 
``Red Flags Rule, PRA Comment, Project No. P095406'' on your comment. 
Your comment--including your name and your state--will be placed on the 
public record of this proceeding, including, to the extent practicable, 
on the public Commission website, at http://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to 
remove individuals' home contact information from comments before 
placing them on the Commission website.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comments online, or to send them to the Commission by courier or 
overnight service. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/RedFlagsPRA by following the instructions on the web-based form. 
When this Notice appears at http://www.regulations.gov/#!home, you also 
may file a comment through that website.
    If you file your comment on paper, write ``Red Flags Rule PRA, 
Project No. P095406'' on your comment and on the envelope, and mail it 
to the following address: Federal Trade Commission, Office of the 
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex J), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex J), Washington, DC 
20024. If possible, submit your paper comment to the Commission by 
courier or overnight service.
    Because your comment will be placed on the publicly accessible FTC 
website at https://www.ftc.gov/, you are solely responsible for making 
sure that your

[[Page 39100]]

comment does not include any sensitive or confidential information. In 
particular, your comment should not include any sensitive personal 
information, such as your or anyone else's Social Security number; date 
of birth; driver's license number or other state identification number, 
or foreign country equivalent; passport number; financial account 
number; or credit or debit card number. You are also solely responsible 
for making sure that your comment does not include any sensitive health 
information, such as medical records or other individually identifiable 
health information. In addition, your comment should not include any 
``trade secret or any commercial or financial information which . . . 
is privileged or confidential''--as provided by Section 6(f) of the FTC 
Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)--
including in particular competitively sensitive information such as 
costs, sales statistics, inventories, formulas, patterns, devices, 
manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular, 
the written request for confidential treatment that accompanies the 
comment must include the factual and legal basis for the request, and 
must identify the specific portions of the comment to be withheld from 
the public record. See FTC Rule 4.9(c). Your comment will be kept 
confidential only if the General Counsel grants your request in 
accordance with the law and the public interest. Once your comment has 
been posted on the public FTC website--as legally required by FTC Rule 
4.9(b)--we cannot redact or remove your comment from the FTC website, 
unless you submit a confidentiality request that meets the requirements 
for such treatment under FTC Rule 4.9(c), and the General Counsel 
grants that request.
    The FTC Act and other laws that the Commission administers permit 
the collection of public comments to consider and use in this 
proceeding as appropriate. The Commission will consider all timely and 
responsive public comments that it receives on or before October 9, 
2018. For information on the Commission's privacy policy, including 
routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

Heather Hippsley,
Acting Principal Deputy General Counsel.
[FR Doc. 2018-16936 Filed 8-7-18; 8:45 am]
 BILLING CODE 6750-01-P