Agency Information Collection Activities; Proposed Collection; Comment Request; Extension

AGENCY:

Federal Trade Commission.

ACTION:

Notice.

SUMMARY:

In accordance with the Paperwork Reduction Act of 1995 (PRA), the Federal Trade Commission (FTC or Commission) is seeking public comment on its proposal to extend for an additional three years the Office of Management and Budget (OMB) clearance for information collection requirements contained in the Red Flags, Card Issuers, and Address Discrepancy Rules (Rules). That clearance expires on December 31, 2021.

DATES:

Comments must be received on or before December 14, 2021.

ADDRESSES:

Interested parties may file a comment online or on paper by following the instructions in the Request for Comments part of the SUPPLEMENTARY INFORMATION section below. Write “Red Flags, Card Issuers, and Address Discrepancy Rules; PRA Comment: FTC File No. P072108” on your comment, and file your comment online at https://www.regulations.gov by following the instructions on the web-based form. If you prefer to file your comment on paper, mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex J), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex J), Washington, DC 20024.

FOR FURTHER INFORMATION CONTACT:

Whitney Moore, Attorney, Division of Division of Privacy and Identity Protection, Bureau of Consumer Protection, Federal Trade Commission, Mail Code CC-8232, 600 Pennsylvania Ave. NW, Washington, DC 20580, (202) 326-2645.

SUPPLEMENTARY INFORMATION:

Title: Red Flags Rule, 16 CFR 681.1; Card Issuers Rule, 16 CFR 681.2; Address Discrepancy Rule, 16 CFR part 641.

OMB Control Number: 3084-0137.

Type of Review: Extension of currently approved collection.

Estimated Annual Burden: (397,298 hours; $20,103,752 in labor costs).

A. Section 114—Red Flags and Card Issuers Rules:

(1) Red Flags:

(a) Estimated Number of Respondents: 164,591

(i) High-Risk Entities: 99,830

(ii) Low-Risk Entities: 64,761

(b) Estimated Hours Burden:

(i) High-Risk Entities: 342,900 hours

(ii) Low-Risk Entities: 16,523 hours

(2) Card Issuers Rule:

(a) Estimated Number of Respondents: 18,894

(b) Estimated Hours Burden: 20,508 hours

(3) Combined Labor Cost Burden: $19,756,412

B. Section 315—Address Discrepancy Rule:

(1) Estimated Number of Respondents: 44,000

(2) Estimated Hours Burden: 17,367 hours

(3) Estimated Labor Cost Burden: $347,340

C. Capital/Non-Labor Costs for Sections 114 and 315

FTC staff believes that the Rules impose negligible capital or other non-labor costs, as the affected entities are likely to have the necessary supplies and/or equipment already ( e.g., offices and computers) for the information collections described herein.

As required by section 3506(c)(2)(A) of the PRA, 44 U.S.C. 3506(c)(2)(A), the FTC is providing this opportunity for public comment before requesting that OMB extend the existing clearance for the information collection requirements contained in the Commission's Rules.

Overview of the Rules

A. FACT Act Section 114

The FTC Red Flags and Card Issuers Rules implement requirements under Section 114 of the FACT Act (officially the Fair and Accurate Credit Transactions Act of 2003). The Red Flags Rule requires financial institutions and covered creditors to develop and implement a written Program to detect, prevent, and mitigate identity theft in connection with existing accounts or the opening of new accounts. Under the Rule, financial institutions and certain creditors must conduct a periodic risk assessment to determine if they maintain “covered accounts.” The Rule defines the term “covered account” as either: (1) A consumer account that is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk of identity theft. Each financial institution and covered creditor that has covered accounts must create a written Program that contains reasonable policies and procedures to identify relevant indicators of the possible existence of identity theft (“red flags”); detect red flags that have been incorporated into the Program; respond appropriately to any red flags that are detected to prevent and mitigate identity theft; and update the Program periodically to ensure it reflects change in risks to customers.

The Red Flags Rule also requires financial institutions and covered creditors to: (1) Obtain approval of the initial written Program by the board of directors; a committee thereof; or, if there is no board, an appropriate senior employee; (2) ensure oversight of the development, implementation, and administration of the Program; and (3) exercise appropriate and effective oversight of service provider arrangements.

In addition, the Card Issuers Rule requires that card issuers generally must assess the validity of change of address notifications. Specifically, if the card issuer receives a notice of change of address for an existing account and, within a short period of time (during at least the first 30 days), receives a request for an additional or replacement card for the same account, the issuer must follow reasonable policies and procedures to assess the validity of the change of address.

B. FACT Act Section 315

The Address Discrepancy Rule, which implements section 315 of the FACT Act, requires each user of consumer reports to have reasonable policies and procedures in place to employ when the user receives a notice of address discrepancy from a consumer reporting agency (CRA). Specifically, each user must develop reasonable policies and procedures to: (1) Enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report; and (2) in certain circumstances, provide to the CRA from which it received the notice an address for the consumer that the user has reasonably confirmed is accurate.

Burden Statement

A. Estimated Annual Hours of Burden

Section 114—(1) Red Flags Rule and (2) Card Issuers Rule

Red Flags Rule

Affected Public: Utilities; motor vehicle dealerships; telecommunications firms; colleges and universities; hospitals; nursing homes; public warehouse and storage firms; fuel dealers; financial transaction processing firms; other persons satisfying the definition of “creditor,” as modified by the Red Flags Program Clarification Act of 2010 (the “Clarification Act”); and other categories of persons that qualify as financial institutions.

Estimated Hours Burden (Red Flags): 359,423 hours.

The Red Flags Rule requires financial institutions and certain creditors with covered accounts to develop and implement a written Program and report to the board of directors, a committee thereof, or senior management at least annually on compliance with the Rule. Under the Rule, a “financial institution” is “a State or National bank, a State or Federal saving and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act, 12 U.S.C. ch. 3) belonging to a consumer.”

Under the Rule, “creditor” has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA). The Clarification Act, however, narrows the definition to those creditors that use consumer reports, furnish information to consumer reporting agencies, or advance funds. As a result, many small businesses, service providers, and other persons that would ordinarily satisfy the ECOA definition of “creditor” will nonetheless be excluded from the definition of “creditor” for purposes of the Red Flags Rule.

Nonetheless, the scope of entities covered by the Red Flags Rule within the FTC's jurisdiction is broad, making it difficult to determine precisely the number of financial institutions and creditors that are subject to the FTC's jurisdiction. There are numerous businesses under the FTC's jurisdiction and there is no formal way to track them; moreover, as a whole, the entities under the FTC's jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the Red Flag Rule's requirement to have a written Program affects over 5,666 financial institutions and 157,180 creditors.

To estimate burden hours for the Red Flags Rule under section 114, FTC staff has divided affected entities into two categories, based on the nature of their businesses: (1) Entities that are subject to a high risk of identity theft; and (2) entities that are subject to a low risk of identity theft.

1. High-Risk Entities

FTC staff estimates that on an annual basis, there are around 1,447 new high-risk entities and approximately 98,393 existing high-risk entities. FTC staff estimates that new high-risk entities will each require 25 hours to create and implement a written Program. FTC staff estimates that existing high-risk entities have likely already created and implemented a written Program, but will require an annual recurring burden of one hour. Further, FTC staff estimates that existing entities have already prepared an annual report and will have an annual recurring burden of one hour to update the report for each year, but that preparation of an annual report will require four hours initially for each new high-risk entity. Finally, FTC staff believes that many of the high-risk entities, as part of their usual and customary business practices, already take steps to minimize losses due to fraud, including employee training. Accordingly, only relevant staff need to be trained to implement the Program: For example, staff already trained as part of a covered entity's anti-fraud prevention efforts do not need to be re-trained except as incrementally needed. FTC staff estimates that recurring annual training in connection with the implementation of a Program of an existing high-risk entity will require one hour each year, and for new entities will require four hours initially. Thus, the estimated hours of burden for high-risk entities is as follows:

• 1,447 new high-risk entities subject to the FTC's jurisdiction at an average annual burden of 33 hours per entity [including 25 hours to create and implement the Program, plus four hours for staff training, plus four hours for preparing annual report], for a total of 47,751 hours.
• 98,383 existing high-risk entities subject to the FTC's jurisdiction at an average annual burden of 3 hours per entity [including one hour to update the Program, plus one hour for staff training, plus one hour for preparing the annual report], for a total of 295,149 annual hours.
• In total, 99,830 high-risk entities subject to the FTC's jurisdiction for a total of 342,900 hours.

2. Low-Risk Entities

FTC staff believes that the burden on low-risk entities to comply with the rules is minimal. Entities that have a low risk of identity theft, but that have covered accounts, likely will only need a streamlined Program. FTC staff estimates that any new such entities will require one hour to create such a Program. Existing entities will only have an annual recurring burden of 5 minutes. Training staff of low-risk entities to be attentive to future risks of identity theft and preparing an annual report should require no more than 10 minutes each in an initial year for new entities. Existing entities will only have an annual recurring burden of 5 minutes each. Thus, the estimated hours of burden for low-risk entities is as follows:

• 307 new low-risk entities that have covered accounts subject to the FTC's jurisdiction at an average annual burden of approximately 80 minutes per entity [including 60 minutes to create and implement a streamlined Program, plus ten minutes for staff training and ten minutes for preparing the annual report], for a total of 409 hours.

• 64,454 existing low-risk entities that have covered accounts subject to the FTC's jurisdiction at an average annual burden of approximately 15 minutes per entity [including five minutes for updating of streamlined Program, plus five minutes for staff training, and five minutes for preparing annual report], for a total of 16,114 hours.

• In total, 64,761 low-risk entities subject to the FTC's jurisdiction for a total of 16,523 hours.

Card Issuers Rule

Affected Public: State-chartered credit unions; general merchandise stores; colleges and universities; telecommunications firms; and other persons satisfying the definition of “creditor,” as modified by the Clarification Act.

Estimated Hours Burden (Card Issuers): 20,508 hours.

The Card Issuers Rule requires credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request, including notifying the cardholder or using another means of assessing the validity of the change of address. FTC staff believes that there may be as many as 18,894 credit or debit card issuers under the FTC's jurisdiction, including state-chartered credit unions, retailers, and certain universities, businesses, and telecommunications companies. FTC staff estimates that on an annual basis, approximately 538 of these card issuers may be new entrants that will need to develop and implement policies and procedures to assess the validity of a change of address request. FTC staff estimates that process will take approximately four hours for a total burden of 2,152 hours. FTC staff estimates that the remaining 18,356 card issuers likely already have automated the process of notifying the cardholder or are using other means to assess the validity of the change of address, such that implementation will pose no further burden. Nevertheless, in order to be conservative, FTC staff estimates that it will take the 18,356 card issuers one hour to review and maintain policies and procedures to assess the validity of a change of address request for a total burden of 18,356 hours. Collectively, the total burden for the 18,894 card issuers is 20,508 hours.

Section 315—Address Discrepancy Rule

Affected Public: Users of consumer reports that are motor vehicle dealers described in section 1029(a) of the Dodd-Frank Wall Street Reform and Consumer Protection Act (the Dodd-Frank Act), 12 U.S.C. 5519, and that are predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of them, or both (below, referenced as “users”).

Estimated Hours Burden:

As discussed above, the Address Discrepancy Rule provides guidance on reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency. The FTC Address Discrepancy Rule covers only users of consumer reports that are motor vehicle dealers described in section 1029(a) of the Dodd-Frank Act and that are predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of them, or both. Assuming that every covered motor vehicle dealer is a user of consumer reports, FTC staff estimates that the Rule affects approximately 44,000 entities. FTC staff also estimates that approximately 2,000 of those motor vehicle dealers may be new entrants who have not previously implemented procedures to comply with this rule.

For the 2,000 new entrants, FTC staff estimates that it would take an infrequent user of consumer reports no more than 16 minutes to develop and follow the policies and procedures that it will employ when it receives a notice of address discrepancy, whereas a frequent user may take one hour. Taking into account these extremes, FTC staff estimates that, during the first year of the clearance, for the 2,000 new entrants, it will take users of consumer reports an average of 38 minutes [the midpoint between 16 minutes and 60 minutes] to develop and comply with the policies and procedures that they will employ when they receive a notice of address discrepancy.

For the 42,000 existing motor vehicle dealers, FTC staff expects that the policies and procedures that they will employ when they receive a notice of address discrepancy will have already been developed. Accordingly, during the three years of the clearance, it may take an infrequent user of consumer reports no more than one minute to comply with the policies and procedures that it will employ when it receives a notice of address discrepancy, whereas a frequent user of consumer reports may take 45 minutes. FTC staff estimates that the average annual burden for the 42,000 existing motor vehicle dealers will be 23 minutes [the midpoint between one minute and 45 minutes].

Thus, for the 2,000 new entrants, the average annual burden for each of them to perform these collective tasks will be 38 minutes; cumulatively, 1,267 hours. For the 42,000 existing motor vehicle dealers, the average annual burden for each of them to perform these collective tasks will be 23 minutes; cumulatively, 16,100 hours. Collectively, the total burden for the 44,000 motor vehicle dealers will be 17,367 hours.

B. Estimated Labor Cost: $20,103,752 ($19,756,412 for Section 114 and $347,340 for Section 315)

Section 114—Red Flags and Card Issuers Rules

FTC staff derived labor costs by applying appropriate estimated hourly cost figures to the burden hours described above. It is difficult to calculate with precision the labor costs associated with the Rules, as they entail varying compensation levels of management and/or technical staff among companies of different sizes. In calculating the cost figures, staff assumes that entities' professional technical personnel and/or managerial personnel will create and implement the Program, prepare the annual report, train employees, and assess the validity of a change of address request at an hourly rate of $52.

Based on the above estimates and assumptions, the total annual labor costs for all categories of covered entities under the Red Flags and Card Issuers Rules for section 114 is $19,756,412 (379,931 hours × $52).

Section 315—Address Discrepancy Rule

FTC staff assumes that the policies and procedures for compliance with the Address Discrepancy Rule will be set up by administrative support personnel at an hourly rate of $20. Based on the above estimates and assumptions, the total annual labor cost for the two categories of burden under section 315 is $347,340 [(17,367 hours × $20)].

Request for Comments

Pursuant to Section 3506(c)(2)(A) of the PRA, the FTC invites comments on: (1) Whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; (2) the accuracy of the agency's estimate of the burden of the proposed collection of information, including the validity of the methodology and assumptions used; (3) ways to enhance the quality, utility, and clarity of the information to be collected; and (4) ways to minimize the burden of maintaining records and providing disclosures to consumers. All comments must be received on or before December 14, 2021.

You can file a comment online or on paper. For the FTC to consider your comment, we must receive it on or before December 14, 2021. Write “Red Flags, Card Issuers, and Address Discrepancy Rules; PRA Comment: FTC File No. P072108” on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including the https://www.regulations.gov website.

Due to the public health emergency in response to the COVID-19 outbreak and the agency's heightened security screening, postal mail addressed to the Commission will be subject to delay. We encourage you to submit your comments online through the https://www.regulations.gov website.

If you prefer to file your comment on paper, write “Red Flags, Card Issuers, and Address Discrepancy Rules; PRA Comment: FTC File No. P072108” on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex J), Washington, DC 20580; or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex J), Washington, DC 20024. If possible, submit your paper comment to the Commission by courier or overnight service.

Because your comment will become publicly available at https://www.regulations.gov,, you are solely responsible for making sure that your comment does not include any sensitive or confidential information. In particular, your comment should not include any sensitive personal information, such as your or anyone else's Social Security number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, such as medical records or other individually identifiable health information. In addition, your comment should not include any “trade secret or any commercial or financial information which . . . . is privileged or confidential”—as provided by Section 6(f) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—including in particular competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names.

Comments containing material for which confidential treatment is requested must be filed in paper form, must be clearly labeled “Confidential,” and must comply with FTC Rule 4.9(c). In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c). Your comment will be kept confidential only if the General Counsel grants your request in accordance with the law and the public interest. Once your comment has been posted publicly at www.regulations.gov,, we cannot redact or remove your comment unless you submit a confidentiality request that meets the requirements for such treatment under FTC Rule 4.9(c), and the General Counsel grants that request.

The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding, as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before December 14, 2021. For information on the Commission's privacy policy, including routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.