Agency Information Collection Activities; Proposed Collection; Comment Request, 39096-39100 [2018-16936]
Download as PDF
sradovich on DSK3GMQ082PROD with NOTICES
39096
Federal Register / Vol. 83, No. 153 / Wednesday, August 8, 2018 / Notices
germane to the current public notice
and comment process. We have referred
M/M. Kerz’s comment to the FTC’s
Consumer Response Center for entry
into the Consumer Sentinel Network of
complaints and related inquiries.
The second commenter, Thomas
Dickinson, also filed a comment that is
non-germane to the current public
notice and comment process. Mr.
Dickinson asks the FTC to apply a
‘‘monitor’’ to individuals’ home phones
that identifies violations of the Do-NotCall Rule and allows the FTC to take
appropriate punitive actions. We have
also referred Mr. Dickinson’s complaint
to the FTC’s Consumer Response Center
for entry into the Consumer Sentinel
Network.
The third commenter, Dave Root,
commented that ‘‘due process and . . .
[his] . . . privacy . . . [would] . . . be
harmed by open access to sharing . . .
[his] . . . personal info between all
government agencies as outlined in this
notice.’’ Mr. Root asked if there are ‘‘any
safeguards against ‘political
weaponization’ without any
accountability, by any federal, state or
local governmental agency having
access to this information.’’ Mr. Root
asked for ‘‘‘teeth’ in the rule for anyone
. . . that purposefully uses this
information incorrectly . . . [meaning]
. . . seriously enforced jail time for
anyone who fails to act in the
investigation and prosecution process.’’
The revised routine use would not
provide ‘‘open access’’ to ‘‘all
government agencies’’ but would
require that the FTC receive a request
from another Federal agency or Federal
entity that provides enough supporting
information such that the FTC can
determine that information from an FTC
Privacy Act system or systems is
reasonably necessary to assist the
recipient agency or entity in (a)
responding to a suspected or confirmed
breach or (b) preventing, minimizing, or
remedying the risk of harm to
individuals, the recipient agency or
entity (including its information
systems, programs, and operations), the
Federal Government, or national
security, resulting from a suspected or
confirmed breach.
The Privacy Act specifically provides
civil remedies, 5 U.S.C. 552a(g),
including damages, and criminal
penalties, 5 U.S.C. 552a(i), for violations
of the Act. In addition, an individual
may be fined up to $5,000 for knowingly
and willfully requesting or gaining
access to a record about an individual
under false pretenses. 5 U.S.C.
552a(i)(3).
As stated in the Federal Register
Notice dated May 3, 2018, the FTC
VerDate Sep<11>2014
22:37 Aug 07, 2018
Jkt 244001
believes that the modified and
bifurcated routine use on data breaches
is compatible with the collection of
information pertaining to individuals
affected by a breach, and that the
disclosure of such records will help
prevent, minimize or remedy a data
breach or compromise that may affect
such individuals. By contrast, the FTC
believes that failure to take reasonable
steps to help prevent, minimize or
remedy the harm that may result from
such a breach or compromise would
jeopardize, rather than promote, the
privacy of such individuals.
The FTC provided a public comment
period and notice to OMB and Congress
as required by the Privacy Act and
implementing OMB guidelines.1
Accordingly, the FTC hereby amends
Appendix I of its Privacy Act system
notices, as published at 73 FR 33591, by
revising item number (22), adding new
item number (23), and re-designating
the former item number (23) as (24)
(without any other change) at the end of
the existing routine uses set forth in that
Appendix:
*
*
*
*
*
(22) To appropriate agencies, entities,
and persons when (a) the FTC suspects
or has confirmed that there has been a
breach of the system of records; (b) the
FTC has determined that as a result of
the suspected or confirmed breach there
is a risk of harm to individuals, the FTC
(including its information systems,
programs, and operations), the Federal
Government, or national security; and
(c) the disclosure made to such
agencies, entities, and persons is
reasonably necessary to assist in
connection with the FTC’s efforts to
respond to the suspected or confirmed
breach or to prevent, minimize, or
remedy such harm.
(23) To another Federal agency or
Federal entity, when the FTC
determines that information from this
system of records is reasonably
necessary to assist the recipient agency
or entity in (a) responding to a
suspected or confirmed breach or (b)
preventing, minimizing, or remedying
the risk of harm to individuals, the
recipient agency or entity (including its
information systems, programs, and
operations), the Federal Government, or
national security, resulting from a
suspected or confirmed breach.
(24) May be disclosed to FTC
contractors, volunteers, interns or other
authorized individuals who have a need
for the record in order to perform their
officially assigned or designated duties
for or on behalf of the FTC.
1 See U.S.C. 552a(e)(11) and 552a(r); OMB
Circular A–108 (2016).
PO 00000
Frm 00056
Fmt 4703
Sfmt 4703
HISTORY
73 FR 33591–33634 (June 12, 2008).
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2018–16935 Filed 8–7–18; 8:45 am]
BILLING CODE 6750–01–P
FEDERAL TRADE COMMISSION
Agency Information Collection
Activities; Proposed Collection;
Comment Request
Federal Trade Commission
(‘‘FTC’’ or ‘‘Commission’’).
ACTION: Notice.
AGENCY:
The FTC intends to ask the
Office of Management and Budget
(‘‘OMB’’) to extend for an additional
three years the current Paperwork
Reduction Act (‘‘PRA’’) clearance for the
information collection requirements in
the FTC Red Flags, Card Issuers, and
Address Discrepancies Rules 1
(‘‘Rules’’). That clearance expires on
November 30, 2018.
DATES: Comments must be submitted by
October 9, 2018.
ADDRESSES: Interested parties may file a
comment online or on paper by
following the instructions in the
Request for Comment part of the
SUPPLEMENTARY INFORMATION section
below. Write ‘‘Red Flags Rule, PRA
Comment, Project No. P095406’’ on your
comment. File your comment online at
https://ftcpublic.commentworks.com/
ftc/RedFlagsPRA by following the
instructions on the web-based form. If
you prefer to file your comment on
paper, mail your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
600 Pennsylvania Avenue NW, Suite
CC–5610 (Annex J), Washington, DC
20580, or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW,
5th Floor, Suite 5610 (Annex J),
Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT:
Requests for additional information
should be addressed to Mark Eichorn,
Assistant Director, Division of Privacy
and Identity Protection, Bureau of
Consumer Protection, (202) 326–3053,
Federal Trade Commission, 600
Pennsylvania Avenue NW, Washington,
DC 20580.
SUMMARY:
1 16 CFR 681.1 (Duties regarding the detection,
prevention, and mitigation of identity theft); 16 CFR
681.2 (Duties of card issuers regarding changes of
address); 16 CFR 641.1 (Duties of users of consumer
reports regarding address discrepancies).
E:\FR\FM\08AUN1.SGM
08AUN1
Federal Register / Vol. 83, No. 153 / Wednesday, August 8, 2018 / Notices
SUPPLEMENTARY INFORMATION:
I. Overview of the Rules
The Red Flags Rule requires financial
institutions and certain creditors to
develop and implement written Identity
Theft Prevention Programs (‘‘Program’’).
The Card Issuers Rule requires credit
and debit card issuers (‘‘card issuers’’)
to assess the validity of notifications of
address changes under certain
circumstances. The Address
Discrepancy Rule provides guidance on
what users of consumer reports must do
when they receive a notice of address
discrepancy from a nationwide
consumer reporting agency (‘‘CRA’’).
Collectively, these three anti-identity
theft provisions are intended to prevent
impostors from misusing another
person’s personal information for a
fraudulent purpose.
The Rules implement sections 114
and 315 of the FACT Act, Public Law
108–159, which amended the Fair
Credit Reporting Act (‘‘FCRA’’), 15
U.S.C. 1681 et seq., to require
businesses to undertake measures to
prevent identity theft and increase the
accuracy of consumer reports.
Since promulgation of the original
Rule, President Obama signed the Red
Flag Program Clarification Act of 2010
(‘‘Clarification Act’’), which narrowed
the definition of ‘‘creditor’’ for purposes
of the Red Flags Rule. Specifically, the
Clarification Act limits application of
the Red Flags Rule to creditors that
regularly and in the ordinary course of
business: (1) Obtain or use consumer
reports, directly or indirectly, in
connection with a credit transaction; (2)
furnish information to consumer
reporting agencies in connection with a
credit transaction; or (3) advance funds
to or on behalf of a person, based on an
obligation of the person to repay the
funds or to make repayment from
specific property pledged by or on
behalf of the person. This third prong
does not include a creditor that
advances funds on behalf of a person for
expenses incidental to a service
provided by the creditor to that person.
II. Description of Collection of
Information
sradovich on DSK3GMQ082PROD with NOTICES
A. FACT Act Section 114
The FTC Red Flags and Card Issuers
Rules implement requirements under
Section 114 of the FACT Act. The Red
Flags Rule requires financial institutions
and covered creditors to develop and
implement a written Program to detect,
prevent, and mitigate identity theft in
connection with existing accounts or the
opening of new accounts. Under the
Rule, financial institutions and certain
VerDate Sep<11>2014
22:37 Aug 07, 2018
Jkt 244001
creditors must conduct a periodic risk
assessment to determine if they
maintain ‘‘covered accounts.’’ The Rule
defines the term ‘‘covered account’’ as
either: (1) A consumer account that is
designed to permit multiple payments
or transactions, or (2) any other account
for which there is a reasonably
foreseeable risk of identity theft. Each
financial institution and covered
creditor that has covered accounts must
create a written Program that contains
reasonable policies and procedures to
identify relevant indicators of the
possible existence of identity theft (‘‘red
flags’’); detect red flags that have been
incorporated into the Program; respond
appropriately to any red flags that are
detected to prevent and mitigate
identity theft; and update the Program
periodically to ensure it reflects change
in risks to customers.
The Red Flags Rule also requires
financial institutions and covered
creditors to: (1) Obtain approval of the
initial written Program by the board of
directors; a committee thereof; or, if
there is no board, an appropriate senior
employee; (2) ensure oversight of the
development, implementation, and
administration of the Program; and (3)
exercise appropriate and effective
oversight of service provider
arrangements.
In addition, the Card Issuers Rule
requires that card issuers generally must
assess the validity of change of address
notifications. Specifically, if the card
issuer receives a notice of change of
address for an existing account and,
within a short period of time (during at
least the first 30 days), receives a
request for an additional or replacement
card for the same account, the issuer
must follow reasonable policies and
procedures to assess the validity of the
change of address.
B. FACT Act Section 315
In implementing section 315 of the
FACT Act, the Address Discrepancies
Rule requires each user of consumer
reports to have reasonable policies and
procedures in place to employ when the
user receives a notice of address
discrepancy from a CRA. Specifically,
each user must develop reasonable
policies and procedures to: (1) Enable
the user to form a reasonable belief that
a consumer report relates to the
consumer about whom it has requested
the report; and (2) in certain
circumstances, provide to the CRA from
which it received the notice an address
for the consumer that the user has
reasonably confirmed is accurate.
PO 00000
Frm 00057
Fmt 4703
Sfmt 4703
39097
II. Burden Estimates
Under the PRA, 44 U.S.C. 3501–3521,
Federal agencies must get OMB
approval for each collection of
information they conduct or sponsor.
‘‘Collection of information’’ includes
agency requests or requirements to
submit reports, keep records, or provide
information to a third party. 44 U.S.C.
3502(3); 5 CFR 1320.3(c). The figures
below reflect FTC staff’s estimates of the
hours burden and labor costs to
complete the tasks described above that
fall within reporting, disclosure, or
recordkeeping requirements. FTC staff
believes that the Rules impose
negligible capital or other non-labor
costs, as the affected entities are likely
to have the necessary supplies and/or
equipment already (e.g. offices and
computers) for the information
collection described herein.
Overall estimated burden hours
regarding sections 114 and 315,
combined, total 2,296,863 hours and the
associated estimated labor costs are
$92,465,982.
A. FACT Act Section 114
1. Estimated Hours Burden—Red Flags
Rule
As noted above, the Rule requires
financial institutions and certain
creditors with covered accounts to
develop and implement a written
Program. Under the FCRA, financial
institutions over which the FTC has
jurisdiction include state chartered
credit unions and certain insurance
companies, among other entities.
Although narrowed by the
Clarification Act, the definition of
‘‘creditor’’ still covers a broad array of
entities, and application of the Rule
depends upon an entity’s course of
conduct, not its status as a particular
type of business. For these reasons, it is
difficult to determine precisely the
number of creditors subject to the FTC’s
jurisdiction. There are numerous small
businesses under the FTC’s jurisdiction
that may qualify as ‘‘creditors,’’ and
there is no formal way to track them.
Nonetheless, FTC staff estimates that the
Rule’s requirement to have a written
Program affects 6,278 financial
institutions 2 and 157,585 creditors.3
2 The total number of financial institutions is
derived from an analysis of state credit unions and
insurers within the FTC’s jurisdiction using 2015
Census data (‘‘County Business Patterns,’’ U.S.) and
other online industry data.
3 The total number of creditors (157,585) is
derived mostly from an analysis of 2015 Census
data and industry data for businesses or
organizations that market goods and services to
consumers or other businesses or organizations
subject to the FTC’s jurisdiction, reduced by (1)
E:\FR\FM\08AUN1.SGM
Continued
08AUN1
39098
Federal Register / Vol. 83, No. 153 / Wednesday, August 8, 2018 / Notices
To estimate burden hours for the Red
Flags Rule under section 114, FTC staff
divided affected entities into two
categories, based on the nature of their
business: (1) Entities that are subject to
high risk of identity theft, and (2)
entities that are subject to a low risk of
identity theft, but have covered
accounts that will require them to have
a written Program.
a. High-Risk Entities
b. Low-Risk Entities
Entities that have a minimal risk of
identity theft,5 but that have covered
accounts, must develop a Program;
however, they likely will only need a
streamlined Program. FTC staff
estimates that such entities will require
one hour to create such a Program, with
an annual recurring burden of five
minutes. Training staff of low-risk
entities to be attentive to future risks of
identity theft should require no more
than 10 minutes in an initial year, with
an annual recurring burden of five
minutes. FTC staff further estimates that
these entities will require, initially, 10
minutes to prepare an annual report,
with an annual recurring burden of five
minutes.
Thus, the estimated hours burden for
low-risk entities is as follows:
• 63,533 low risk entities that have
covered account subject to the FTC’s
jurisdiction at an average annual burden
of approximately 37 minutes per entity
[average annual burden over 3-year
clearance period for creation and
implementation of streamlined Program
((60 + 5 + 5) minutes/3), plus average
annual burden over 3-year clearance
period for staff training ((10 + 5 + 5)
minutes/3), plus average annual burden
over 3-year clearance period for
preparing annual report ((10 + 5 + 5)
minutes/3], for a total of 39,179 hours.
sradovich on DSK3GMQ082PROD with NOTICES
FTC staff estimates that high-risk
entities 4 will each require 25 hours to
create and implement a written
Program, with an annual recurring
burden of one hour. FTC staff
anticipates that these entities will
incorporate into their Program policies
and procedures that they likely already
have in place. Further, FTC staff
estimates that preparation for an annual
report will require each high-risk entity
four hours initially, with an annual
recurring burden of one hour. Finally,
FTC staff believes that many of the highrisk entities, as part of their usual and
customary business practice, already
take steps to minimize losses due to
fraud, including conducting employee
training. Accordingly, only relevant staff
need be trained to implement the
Program: for example, staff already
trained as part of a covered entity’s antifraud prevention efforts do not need to
be re-trained. FTC staff estimates that
training connected with the
implementation of a Program of a highrisk entity will require four hours, and
annual training thereafter will require
one hour.
Thus, estimated hours for high-risk
entities are as follows:
• 94,052 high-risk entities subject to
the FTC’s jurisdiction at an average
annual burden of 13 hours per entity
[average annual burden over 3-year
clearance period for creation and
implementation of a Program ((25 + 1 +
1) hours/3), plus average annual burden
over 3-year clearance period for staff
training ((4 + 1 + 1) hours/3), plus
average annual burden over 3-year
clearance period for preparing an
annual report ((4 + 1 + 1) hours/3)], for
a total of 1,222,676 hours.
2. Estimated Hours Burden—Card
Issuers Rule
As noted above, section 114 also
requires financial institutions and
covered creditors that issue credit or
debit cards to establish policies and
procedures to assess the validity of a
change of address request, including
notifying the cardholder or using
another means of assessing the validity
of the change of address.
• FTC staff estimates that the Rule
affects as many as 16,742 6 card issuers
within the FTC’s jurisdiction. FTC staff
believes that most of these card issuers
already have automated the process of
notifying the cardholder or are using
another means to assess the validity of
the change of address, such that
implementation will pose no further
burden. Nevertheless, taking a
conservative approach, FTC staff
estimates that it will take each card
entities not likely to obtain credit reports, report
credit transactions, or advance loans; and (2)
entities not likely to have covered accounts under
the Rule.
4 High-risk entities include, for example, financial
institutions within the FTC’s jurisdiction and
utilities, motor vehicle dealerships,
telecommunications firms, colleges and
universities, and hospitals.
5 Low-risk entities include, for example, public
warehouse and storage firms, nursing and
residential care facilities, automotive equipment
rental and leasing firms, office supplies and
stationery stores, fuel dealers, and financial
transaction processing firms.
6 Card issuers within the FTC’s jurisdiction
include, for example, state credit unions, general
retail merchandise stores, colleges and universities,
and telecoms.
VerDate Sep<11>2014
22:37 Aug 07, 2018
Jkt 244001
PO 00000
Frm 00058
Fmt 4703
Sfmt 4703
issuer 4 hours to develop and
implement policy and procedures to
assess the validity of a change of
address request for a total burden of
66,968 hours.
Thus, the total average annual
estimated burden for Section 114 is
1,328,823 hours.
3. Estimated Cost Burden—Red Flags
and Card Issuers Rules
The FTC staff estimates labor costs by
applying appropriate estimated hourly
cost figures to the burden hours
described above. It is difficult to
calculate with precision the labor costs
associated with compliance with the
Rule, as they entail varying
compensation levels of management
(e.g., administrative services, computer
and information systems, training and
development) and/or technical staff
(e.g., computer support specialists,
systems analysts, network and computer
systems administrators) among
companies of different sizes. FTC staff
assumes that for all entities,
professional technical personnel and/or
management personnel will create and
implement the Program, prepare the
annual report, and train employees, at
an hourly rate of $49.7
Based on the above estimates and
assumptions, the total annual labor
costs for all categories of covered
entities under the Red Flags and Card
Issuers Rules for Section 114 is
$65,112,327 (1,328,823 hours × $49).
B. FACT Act Section 315—The Address
Discrepancy Rule
As discussed above, the Rule’s
implementation of Section 315 provides
guidance on reasonable policies and
procedures that a user of consumer
reports must employ when a user
receives a notice of address discrepancy
from a CRA. Given the broad scope of
users of consumer reports, it is difficult
to determine with precision the number
of users of consumer reports that are
subject to the FTC’s jurisdiction. As
noted above, there are numerous small
businesses under the FTC’s jurisdiction,
and there is no formal way to track
them; moreover, as a whole, the entities
under the FTC’s jurisdiction are so
7 This estimate is based on mean hourly wages
found at https://www.bls.gov/news.release/
ocwage.t01.htm, ‘‘Occupational Employment and
Wages Summary—May 2017,’’ U.S. Department of
Labor, Table 1, released March 30, 2018 (‘‘National
employment and wage data from the Occupational
Employment Statistics survey by occupation, May
2017’’) for the various managerial and technical
staff support exemplified above (administrative
service managers, computer & information systems
managers, training & development managers,
computer systems analysts, network & computer
systems administrators, and computer support
specialists).
E:\FR\FM\08AUN1.SGM
08AUN1
Federal Register / Vol. 83, No. 153 / Wednesday, August 8, 2018 / Notices
varied that there are no general sources
that provide a record of their existence.
Nonetheless, FTC staff estimates that the
Rule’s implementation of section 315
affects approximately 1,967,161 users of
consumer reports subject to the FTC’s
jurisdiction.8 Commission staff
estimates that approximately 10,000 of
these users will receive notice of a
discrepancy, in the course of their usual
and customary business practices, and
thereby have to furnish to CRAs an
address confirmation.9
For section 315, as detailed below,
FTC staff estimates that the average
annual burden during the three-year
period for which OMB clearance is
sought will be 919,678 hours with an
associated labor cost of $17,473,882.
1. Estimated Hours Burden
Prior to enactment of the Address
Discrepancy Rule, users of consumer
reports could compare the address on a
consumer report to the address provided
by the consumer and discern for
themselves any discrepancy. As a result,
FTC staff believes that many users of
consumer reports have developed
methods of reconciling address
discrepancies, and the following
estimates represent the incremental
amount of time users of consumer
reports may require to develop and
comply with the policies and
procedures for when they receive a
notice of address discrepancy.
sradovich on DSK3GMQ082PROD with NOTICES
a. Customer Verification
Given the varied nature of the entities
under the FTC’s jurisdiction, it is
difficult to determine precisely the
appropriate burden estimates.
Nonetheless, FTC staff estimates that it
would require an infrequent user of
consumer reports no more than 16
minutes to develop and comply with the
policies and procedures that it will
employ when it receives a notice of
address discrepancy, while a frequent
user might require one hour. Similarly,
FTC staff estimates that, during the
remaining two years of clearance, it may
take an infrequent user no more than
one minute to comply with the policies
and procedures it will employ when it
receives a notice of address discrepancy,
while a frequent user might require 45
8 This estimate is derived from an analysis of
Census databases of U.S. businesses based on
NAICS codes for businesses in industries that
typically use consumer reports from CRAs
described in the Rule, which total 1,967,161 users
of consumer reports subject to the FTC’s
jurisdiction.
9 Report to Congress Under Sections 318 and 319
of the Fair and Accurate Credit Transactions of
2003, Federal Trade Commission, 80 (Dec. 2004)
available at https://www.ftc.gov/reports/facta/
041209factarpt.pdf.
VerDate Sep<11>2014
22:37 Aug 07, 2018
Jkt 244001
minutes. Taking into account these
extremes, FTC staff estimates that,
during the first year, it will take users
of consumer reports under the FTC’s
jurisdiction an average of 38 minutes
[the midrange between 16 minutes and
60 minutes] to develop and comply with
the policies and procedures that they
will employ when they receive a notice
of address discrepancy. FTC staff also
estimates that the average recurring
burden for users of consumer reports to
comply with the Rule will be 23
minutes [the midrange between one
minute and 45 minutes].
Thus, for these 1,967,167 entities, the
average annual burden for each of them
to perform these collective tasks will be
28 minutes [(38 + 23 +23) ÷ 3];
cumulatively, 918,011 hours.
b. Address Verification
For the estimated 10,000 users of
consumer reports that will additionally
have to furnish to CRAs an address
confirmation upon notice of a
discrepancy, staff estimates that these
entities will require, initially, 30
minutes to develop related policies and
procedures. But, these 10,000 affected
entities likely will have automated the
process of furnishing the correct address
in the first year of a three-year PRA
clearance cycle. Thus, allowing for 30
minutes in the first year, with no annual
recurring burden in the second and
third years of clearance, yields an
average annual burden of 10 minutes
per entity to furnish a correct address to
a CRA, for a total of 1,667 hours.
2. Estimated Cost Burden
FTC staff assumes that the policies
and procedures for compliance with the
address discrepancy part of the Rule
will be set up by administrative support
personnel at an hourly rate of $19.10
Based on the above estimates and
assumptions, the total annual labor cost
for the two categories of burden under
section 315 is $17,473,882.
C. Burden Totals for FACT Act Sections
114 and 315
Cumulatively, then, estimated burden
is 2,246,834 hours (1,328,823 hours for
section 114 and 918,011 hours for
section 315) and $82,586,209
($65,112,327 and $17,473,882) in
associated labor costs.
10 This estimate—rounded to the nearest dollar—
is based on mean hourly wages for all management
occupations found within the ‘‘Bureau of Labor
Statistics, Economic News Release,’’ March 30,
2018, Table 1, ‘‘National employment and wage
data from the Occupational Employment Statistics
survey by occupation, May 2017.’’ https://
www.bls.gov/news.release/ocwage.t01.htm.
PO 00000
Frm 00059
Fmt 4703
Sfmt 4703
39099
IV. Request for Comment
Pursuant to Section 3506(c)(2)(A) of
the PRA, the FTC invites comments on:
(1) Whether the disclosure requirements
are necessary, including whether the
information will be practically useful;
(2) the accuracy of our burden estimates,
including whether the methodology and
assumptions used are useful; (3) ways to
enhance the quality, utility, and clarity
of the information to be collected; and
(4) ways to minimize the burden of
providing the required information to
consumers.
You can file a comment online or on
paper. For the FTC to consider your
comment, we must receive it on or
before October 9, 2018. Write: ‘‘Red
Flags Rule, PRA Comment, Project No.
P095406’’ on your comment. Your
comment—including your name and
your state—will be placed on the public
record of this proceeding, including, to
the extent practicable, on the public
Commission website, at https://
www.ftc.gov/os/publiccomments.shtm.
As a matter of discretion, the
Commission tries to remove individuals’
home contact information from
comments before placing them on the
Commission website.
Postal mail addressed to the
Commission is subject to delay due to
heightened security screening. As a
result, we encourage you to submit your
comments online, or to send them to the
Commission by courier or overnight
service. To make sure that the
Commission considers your online
comment, you must file it at https://
ftcpublic.commentworks.com/ftc/
RedFlagsPRA by following the
instructions on the web-based form.
When this Notice appears at https://
www.regulations.gov/#!home, you also
may file a comment through that
website.
If you file your comment on paper,
write ‘‘Red Flags Rule PRA, Project No.
P095406’’ on your comment and on the
envelope, and mail it to the following
address: Federal Trade Commission,
Office of the Secretary, 600
Pennsylvania Avenue NW, Suite CC–
5610 (Annex J), Washington, DC 20580,
or deliver your comment to the
following address: Federal Trade
Commission, Office of the Secretary,
Constitution Center, 400 7th Street SW,
5th Floor, Suite 5610 (Annex J),
Washington, DC 20024. If possible,
submit your paper comment to the
Commission by courier or overnight
service.
Because your comment will be placed
on the publicly accessible FTC website
at https://www.ftc.gov/, you are solely
responsible for making sure that your
E:\FR\FM\08AUN1.SGM
08AUN1
sradovich on DSK3GMQ082PROD with NOTICES
39100
Federal Register / Vol. 83, No. 153 / Wednesday, August 8, 2018 / Notices
comment does not include any sensitive
or confidential information. In
particular, your comment should not
include any sensitive personal
information, such as your or anyone
else’s Social Security number; date of
birth; driver’s license number or other
state identification number, or foreign
country equivalent; passport number;
financial account number; or credit or
debit card number. You are also solely
responsible for making sure that your
comment does not include any sensitive
health information, such as medical
records or other individually
identifiable health information. In
addition, your comment should not
include any ‘‘trade secret or any
commercial or financial information
which . . . is privileged or
confidential’’—as provided by Section
6(f) of the FTC Act, 15 U.S.C. 46(f), and
FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)—
including in particular competitively
sensitive information such as costs,
sales statistics, inventories, formulas,
patterns, devices, manufacturing
processes, or customer names.
Comments containing material for
which confidential treatment is
requested must be filed in paper form,
must be clearly labeled ‘‘Confidential,’’
and must comply with FTC Rule 4.9(c).
In particular, the written request for
confidential treatment that accompanies
the comment must include the factual
and legal basis for the request, and must
identify the specific portions of the
comment to be withheld from the public
record. See FTC Rule 4.9(c). Your
comment will be kept confidential only
if the General Counsel grants your
request in accordance with the law and
the public interest. Once your comment
has been posted on the public FTC
website—as legally required by FTC
Rule 4.9(b)—we cannot redact or
remove your comment from the FTC
website, unless you submit a
confidentiality request that meets the
requirements for such treatment under
FTC Rule 4.9(c), and the General
Counsel grants that request.
The FTC Act and other laws that the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives on or
before October 9, 2018. For information
on the Commission’s privacy policy,
including routine uses permitted by the
VerDate Sep<11>2014
22:37 Aug 07, 2018
Jkt 244001
Privacy Act, see https://www.ftc.gov/
site-information/privacy-policy.
Heather Hippsley,
Acting Principal Deputy General Counsel.
[FR Doc. 2018–16936 Filed 8–7–18; 8:45 am]
BILLING CODE 6750–01–P
DEPARTMENT OF HEALTH AND
HUMAN SERVICES
Centers for Disease Control and
Prevention
[30Day–18–1072]
Agency Forms Undergoing Paperwork
Reduction Act Review
In accordance with the Paperwork
Reduction Act of 1995, the Centers for
Disease Control and Prevention (CDC)
has submitted the information
collection request titled Enhanced STD
surveillance Network (SSuN) to the
Office of Management and Budget
(OMB) for review and approval. CDC
previously published a ‘‘Proposed Data
Collection Submitted for Public
Comment and Recommendations’’
notice on March, 15, 2018 to obtain
comments from the public and affected
agencies. CDC received 37 comments
related to the previous notice. This
notice serves to allow an additional 30
days for public and affected agency
comments.
CDC will accept all comments for this
proposed information collection project.
The Office of Management and Budget
is particularly interested in comments
that:
(a) Evaluate whether the proposed
collection of information is necessary
for the proper performance of the
functions of the agency, including
whether the information will have
practical utility;
(b) Evaluate the accuracy of the
agencies estimate of the burden of the
proposed collection of information,
including the validity of the
methodology and assumptions used;
(c) Enhance the quality, utility, and
clarity of the information to be
collected;
(d) Minimize the burden of the
collection of information on those who
are to respond, including, through the
use of appropriate automated,
electronic, mechanical, or other
technological collection techniques or
other forms of information technology,
e.g., permitting electronic submission of
responses; and
(e) Assess information collection
costs.
To request additional information on
the proposed project or to obtain a copy
PO 00000
Frm 00060
Fmt 4703
Sfmt 4703
of the information collection plan and
instruments, call (404) 639–7570 or
send an email to omb@cdc.gov. Direct
written comments and/or suggestions
regarding the items contained in this
notice to the Attention: CDC Desk
Officer, Office of Management and
Budget, 725 17th Street NW,
Washington, DC 20503 or by fax to (202)
395–5806. Provide written comments
within 30 days of notice publication.
Proposed Project
Enhanced STD surveillance Network
(SSuN)—Reinstatement with Change—
Division of STD Prevention (DSTDP),
National Center for HIV/AIDS, Viral
Hepatitis, STD, and TB prevention
(NCHHSTP), Centers for Disease Control
and Prevention (CDC).
Background and Brief Description
The Enhanced STD surveillance
network project was created to provide
enhanced behavioral, demographic, and
clinical information on gonorrhea cases
reported to state and local health
departments, to provide information on
patients presenting for care in STD
clinical settings, and to provide an
infrastructure for identifying emerging
sequelae of STDs.
Enhanced SSuN continues to be a
collaboration between different
branches of the CDC Division of STD
Prevention and selected state/local
public health departments and their
associated STD specialty care clinics in
the US. Data from enhanced SSuN data
is used to (1) provide a dataset of
supplemental information on gonorrhea
case reports; (2) provide geographic
information on case reports of STDs of
interest for investigating social
determinants of STDs, (3) monitor STD
screening, incidence, prevalence,
epidemiologic and health care access
trends in populations of interest, (4)
monitor STD treatment and prevention
service practices, and (5) monitor
selected adverse health outcomes of
STDs, including neuro/ocular syphilis,
This project will continue to utilize
two distinct surveillance strategies to
collect information. The first strategy
employs facility-based sentinel
surveillance, which will abstract routine
standardized data from existing
electronic medical records for all patient
visits to participating STD clinics
during the project period. For the
facility-based component of enhanced
SSuN, participating sites have
developed common protocols
stipulating data elements to be
collected, including patient
demographics, clinical, risk and sexual
behaviors. The specified data elements
are abstracted by clinic staff from
E:\FR\FM\08AUN1.SGM
08AUN1
Agencies
[Federal Register Volume 83, Number 153 (Wednesday, August 8, 2018)]
[Notices]
[Pages 39096-39100]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-16936]
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
Agency Information Collection Activities; Proposed Collection;
Comment Request
AGENCY: Federal Trade Commission (``FTC'' or ``Commission'').
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The FTC intends to ask the Office of Management and Budget
(``OMB'') to extend for an additional three years the current Paperwork
Reduction Act (``PRA'') clearance for the information collection
requirements in the FTC Red Flags, Card Issuers, and Address
Discrepancies Rules \1\ (``Rules''). That clearance expires on November
30, 2018.
---------------------------------------------------------------------------
\1\ 16 CFR 681.1 (Duties regarding the detection, prevention,
and mitigation of identity theft); 16 CFR 681.2 (Duties of card
issuers regarding changes of address); 16 CFR 641.1 (Duties of users
of consumer reports regarding address discrepancies).
---------------------------------------------------------------------------
DATES: Comments must be submitted by October 9, 2018.
ADDRESSES: Interested parties may file a comment online or on paper by
following the instructions in the Request for Comment part of the
SUPPLEMENTARY INFORMATION section below. Write ``Red Flags Rule, PRA
Comment, Project No. P095406'' on your comment. File your comment
online at https://ftcpublic.commentworks.com/ftc/RedFlagsPRA by
following the instructions on the web-based form. If you prefer to file
your comment on paper, mail your comment to the following address:
Federal Trade Commission, Office of the Secretary, 600 Pennsylvania
Avenue NW, Suite CC-5610 (Annex J), Washington, DC 20580, or deliver
your comment to the following address: Federal Trade Commission, Office
of the Secretary, Constitution Center, 400 7th Street SW, 5th Floor,
Suite 5610 (Annex J), Washington, DC 20024.
FOR FURTHER INFORMATION CONTACT: Requests for additional information
should be addressed to Mark Eichorn, Assistant Director, Division of
Privacy and Identity Protection, Bureau of Consumer Protection, (202)
326-3053, Federal Trade Commission, 600 Pennsylvania Avenue NW,
Washington, DC 20580.
[[Page 39097]]
SUPPLEMENTARY INFORMATION:
I. Overview of the Rules
The Red Flags Rule requires financial institutions and certain
creditors to develop and implement written Identity Theft Prevention
Programs (``Program''). The Card Issuers Rule requires credit and debit
card issuers (``card issuers'') to assess the validity of notifications
of address changes under certain circumstances. The Address Discrepancy
Rule provides guidance on what users of consumer reports must do when
they receive a notice of address discrepancy from a nationwide consumer
reporting agency (``CRA''). Collectively, these three anti-identity
theft provisions are intended to prevent impostors from misusing
another person's personal information for a fraudulent purpose.
The Rules implement sections 114 and 315 of the FACT Act, Public
Law 108-159, which amended the Fair Credit Reporting Act (``FCRA''), 15
U.S.C. 1681 et seq., to require businesses to undertake measures to
prevent identity theft and increase the accuracy of consumer reports.
Since promulgation of the original Rule, President Obama signed the
Red Flag Program Clarification Act of 2010 (``Clarification Act''),
which narrowed the definition of ``creditor'' for purposes of the Red
Flags Rule. Specifically, the Clarification Act limits application of
the Red Flags Rule to creditors that regularly and in the ordinary
course of business: (1) Obtain or use consumer reports, directly or
indirectly, in connection with a credit transaction; (2) furnish
information to consumer reporting agencies in connection with a credit
transaction; or (3) advance funds to or on behalf of a person, based on
an obligation of the person to repay the funds or to make repayment
from specific property pledged by or on behalf of the person. This
third prong does not include a creditor that advances funds on behalf
of a person for expenses incidental to a service provided by the
creditor to that person.
II. Description of Collection of Information
A. FACT Act Section 114
The FTC Red Flags and Card Issuers Rules implement requirements
under Section 114 of the FACT Act. The Red Flags Rule requires
financial institutions and covered creditors to develop and implement a
written Program to detect, prevent, and mitigate identity theft in
connection with existing accounts or the opening of new accounts. Under
the Rule, financial institutions and certain creditors must conduct a
periodic risk assessment to determine if they maintain ``covered
accounts.'' The Rule defines the term ``covered account'' as either:
(1) A consumer account that is designed to permit multiple payments or
transactions, or (2) any other account for which there is a reasonably
foreseeable risk of identity theft. Each financial institution and
covered creditor that has covered accounts must create a written
Program that contains reasonable policies and procedures to identify
relevant indicators of the possible existence of identity theft (``red
flags''); detect red flags that have been incorporated into the
Program; respond appropriately to any red flags that are detected to
prevent and mitigate identity theft; and update the Program
periodically to ensure it reflects change in risks to customers.
The Red Flags Rule also requires financial institutions and covered
creditors to: (1) Obtain approval of the initial written Program by the
board of directors; a committee thereof; or, if there is no board, an
appropriate senior employee; (2) ensure oversight of the development,
implementation, and administration of the Program; and (3) exercise
appropriate and effective oversight of service provider arrangements.
In addition, the Card Issuers Rule requires that card issuers
generally must assess the validity of change of address notifications.
Specifically, if the card issuer receives a notice of change of address
for an existing account and, within a short period of time (during at
least the first 30 days), receives a request for an additional or
replacement card for the same account, the issuer must follow
reasonable policies and procedures to assess the validity of the change
of address.
B. FACT Act Section 315
In implementing section 315 of the FACT Act, the Address
Discrepancies Rule requires each user of consumer reports to have
reasonable policies and procedures in place to employ when the user
receives a notice of address discrepancy from a CRA. Specifically, each
user must develop reasonable policies and procedures to: (1) Enable the
user to form a reasonable belief that a consumer report relates to the
consumer about whom it has requested the report; and (2) in certain
circumstances, provide to the CRA from which it received the notice an
address for the consumer that the user has reasonably confirmed is
accurate.
II. Burden Estimates
Under the PRA, 44 U.S.C. 3501-3521, Federal agencies must get OMB
approval for each collection of information they conduct or sponsor.
``Collection of information'' includes agency requests or requirements
to submit reports, keep records, or provide information to a third
party. 44 U.S.C. 3502(3); 5 CFR 1320.3(c). The figures below reflect
FTC staff's estimates of the hours burden and labor costs to complete
the tasks described above that fall within reporting, disclosure, or
recordkeeping requirements. FTC staff believes that the Rules impose
negligible capital or other non-labor costs, as the affected entities
are likely to have the necessary supplies and/or equipment already
(e.g. offices and computers) for the information collection described
herein.
Overall estimated burden hours regarding sections 114 and 315,
combined, total 2,296,863 hours and the associated estimated labor
costs are $92,465,982.
A. FACT Act Section 114
1. Estimated Hours Burden--Red Flags Rule
As noted above, the Rule requires financial institutions and
certain creditors with covered accounts to develop and implement a
written Program. Under the FCRA, financial institutions over which the
FTC has jurisdiction include state chartered credit unions and certain
insurance companies, among other entities.
Although narrowed by the Clarification Act, the definition of
``creditor'' still covers a broad array of entities, and application of
the Rule depends upon an entity's course of conduct, not its status as
a particular type of business. For these reasons, it is difficult to
determine precisely the number of creditors subject to the FTC's
jurisdiction. There are numerous small businesses under the FTC's
jurisdiction that may qualify as ``creditors,'' and there is no formal
way to track them. Nonetheless, FTC staff estimates that the Rule's
requirement to have a written Program affects 6,278 financial
institutions \2\ and 157,585 creditors.\3\
---------------------------------------------------------------------------
\2\ The total number of financial institutions is derived from
an analysis of state credit unions and insurers within the FTC's
jurisdiction using 2015 Census data (``County Business Patterns,''
U.S.) and other online industry data.
\3\ The total number of creditors (157,585) is derived mostly
from an analysis of 2015 Census data and industry data for
businesses or organizations that market goods and services to
consumers or other businesses or organizations subject to the FTC's
jurisdiction, reduced by (1) entities not likely to obtain credit
reports, report credit transactions, or advance loans; and (2)
entities not likely to have covered accounts under the Rule.
---------------------------------------------------------------------------
[[Page 39098]]
To estimate burden hours for the Red Flags Rule under section 114,
FTC staff divided affected entities into two categories, based on the
nature of their business: (1) Entities that are subject to high risk of
identity theft, and (2) entities that are subject to a low risk of
identity theft, but have covered accounts that will require them to
have a written Program.
a. High-Risk Entities
FTC staff estimates that high-risk entities \4\ will each require
25 hours to create and implement a written Program, with an annual
recurring burden of one hour. FTC staff anticipates that these entities
will incorporate into their Program policies and procedures that they
likely already have in place. Further, FTC staff estimates that
preparation for an annual report will require each high-risk entity
four hours initially, with an annual recurring burden of one hour.
Finally, FTC staff believes that many of the high-risk entities, as
part of their usual and customary business practice, already take steps
to minimize losses due to fraud, including conducting employee
training. Accordingly, only relevant staff need be trained to implement
the Program: for example, staff already trained as part of a covered
entity's anti-fraud prevention efforts do not need to be re-trained.
FTC staff estimates that training connected with the implementation of
a Program of a high-risk entity will require four hours, and annual
training thereafter will require one hour.
---------------------------------------------------------------------------
\4\ High-risk entities include, for example, financial
institutions within the FTC's jurisdiction and utilities, motor
vehicle dealerships, telecommunications firms, colleges and
universities, and hospitals.
---------------------------------------------------------------------------
Thus, estimated hours for high-risk entities are as follows:
94,052 high-risk entities subject to the FTC's
jurisdiction at an average annual burden of 13 hours per entity
[average annual burden over 3-year clearance period for creation and
implementation of a Program ((25 + 1 + 1) hours/3), plus average annual
burden over 3-year clearance period for staff training ((4 + 1 + 1)
hours/3), plus average annual burden over 3-year clearance period for
preparing an annual report ((4 + 1 + 1) hours/3)], for a total of
1,222,676 hours.
b. Low-Risk Entities
Entities that have a minimal risk of identity theft,\5\ but that
have covered accounts, must develop a Program; however, they likely
will only need a streamlined Program. FTC staff estimates that such
entities will require one hour to create such a Program, with an annual
recurring burden of five minutes. Training staff of low-risk entities
to be attentive to future risks of identity theft should require no
more than 10 minutes in an initial year, with an annual recurring
burden of five minutes. FTC staff further estimates that these entities
will require, initially, 10 minutes to prepare an annual report, with
an annual recurring burden of five minutes.
---------------------------------------------------------------------------
\5\ Low-risk entities include, for example, public warehouse and
storage firms, nursing and residential care facilities, automotive
equipment rental and leasing firms, office supplies and stationery
stores, fuel dealers, and financial transaction processing firms.
---------------------------------------------------------------------------
Thus, the estimated hours burden for low-risk entities is as
follows:
63,533 low risk entities that have covered account subject
to the FTC's jurisdiction at an average annual burden of approximately
37 minutes per entity [average annual burden over 3-year clearance
period for creation and implementation of streamlined Program ((60 + 5
+ 5) minutes/3), plus average annual burden over 3-year clearance
period for staff training ((10 + 5 + 5) minutes/3), plus average annual
burden over 3-year clearance period for preparing annual report ((10 +
5 + 5) minutes/3], for a total of 39,179 hours.
2. Estimated Hours Burden--Card Issuers Rule
As noted above, section 114 also requires financial institutions
and covered creditors that issue credit or debit cards to establish
policies and procedures to assess the validity of a change of address
request, including notifying the cardholder or using another means of
assessing the validity of the change of address.
FTC staff estimates that the Rule affects as many as
16,742 \6\ card issuers within the FTC's jurisdiction. FTC staff
believes that most of these card issuers already have automated the
process of notifying the cardholder or are using another means to
assess the validity of the change of address, such that implementation
will pose no further burden. Nevertheless, taking a conservative
approach, FTC staff estimates that it will take each card issuer 4
hours to develop and implement policy and procedures to assess the
validity of a change of address request for a total burden of 66,968
hours.
---------------------------------------------------------------------------
\6\ Card issuers within the FTC's jurisdiction include, for
example, state credit unions, general retail merchandise stores,
colleges and universities, and telecoms.
---------------------------------------------------------------------------
Thus, the total average annual estimated burden for Section 114 is
1,328,823 hours.
3. Estimated Cost Burden--Red Flags and Card Issuers Rules
The FTC staff estimates labor costs by applying appropriate
estimated hourly cost figures to the burden hours described above. It
is difficult to calculate with precision the labor costs associated
with compliance with the Rule, as they entail varying compensation
levels of management (e.g., administrative services, computer and
information systems, training and development) and/or technical staff
(e.g., computer support specialists, systems analysts, network and
computer systems administrators) among companies of different sizes.
FTC staff assumes that for all entities, professional technical
personnel and/or management personnel will create and implement the
Program, prepare the annual report, and train employees, at an hourly
rate of $49.\7\
---------------------------------------------------------------------------
\7\ This estimate is based on mean hourly wages found at https://www.bls.gov/news.release/ocwage.t01.htm, ``Occupational Employment
and Wages Summary--May 2017,'' U.S. Department of Labor, Table 1,
released March 30, 2018 (``National employment and wage data from
the Occupational Employment Statistics survey by occupation, May
2017'') for the various managerial and technical staff support
exemplified above (administrative service managers, computer &
information systems managers, training & development managers,
computer systems analysts, network & computer systems
administrators, and computer support specialists).
---------------------------------------------------------------------------
Based on the above estimates and assumptions, the total annual
labor costs for all categories of covered entities under the Red Flags
and Card Issuers Rules for Section 114 is $65,112,327 (1,328,823 hours
x $49).
B. FACT Act Section 315--The Address Discrepancy Rule
As discussed above, the Rule's implementation of Section 315
provides guidance on reasonable policies and procedures that a user of
consumer reports must employ when a user receives a notice of address
discrepancy from a CRA. Given the broad scope of users of consumer
reports, it is difficult to determine with precision the number of
users of consumer reports that are subject to the FTC's jurisdiction.
As noted above, there are numerous small businesses under the FTC's
jurisdiction, and there is no formal way to track them; moreover, as a
whole, the entities under the FTC's jurisdiction are so
[[Page 39099]]
varied that there are no general sources that provide a record of their
existence. Nonetheless, FTC staff estimates that the Rule's
implementation of section 315 affects approximately 1,967,161 users of
consumer reports subject to the FTC's jurisdiction.\8\ Commission staff
estimates that approximately 10,000 of these users will receive notice
of a discrepancy, in the course of their usual and customary business
practices, and thereby have to furnish to CRAs an address
confirmation.\9\
---------------------------------------------------------------------------
\8\ This estimate is derived from an analysis of Census
databases of U.S. businesses based on NAICS codes for businesses in
industries that typically use consumer reports from CRAs described
in the Rule, which total 1,967,161 users of consumer reports subject
to the FTC's jurisdiction.
\9\ Report to Congress Under Sections 318 and 319 of the Fair
and Accurate Credit Transactions of 2003, Federal Trade Commission,
80 (Dec. 2004) available at https://www.ftc.gov/reports/facta/041209factarpt.pdf.
---------------------------------------------------------------------------
For section 315, as detailed below, FTC staff estimates that the
average annual burden during the three-year period for which OMB
clearance is sought will be 919,678 hours with an associated labor cost
of $17,473,882.
1. Estimated Hours Burden
Prior to enactment of the Address Discrepancy Rule, users of
consumer reports could compare the address on a consumer report to the
address provided by the consumer and discern for themselves any
discrepancy. As a result, FTC staff believes that many users of
consumer reports have developed methods of reconciling address
discrepancies, and the following estimates represent the incremental
amount of time users of consumer reports may require to develop and
comply with the policies and procedures for when they receive a notice
of address discrepancy.
a. Customer Verification
Given the varied nature of the entities under the FTC's
jurisdiction, it is difficult to determine precisely the appropriate
burden estimates. Nonetheless, FTC staff estimates that it would
require an infrequent user of consumer reports no more than 16 minutes
to develop and comply with the policies and procedures that it will
employ when it receives a notice of address discrepancy, while a
frequent user might require one hour. Similarly, FTC staff estimates
that, during the remaining two years of clearance, it may take an
infrequent user no more than one minute to comply with the policies and
procedures it will employ when it receives a notice of address
discrepancy, while a frequent user might require 45 minutes. Taking
into account these extremes, FTC staff estimates that, during the first
year, it will take users of consumer reports under the FTC's
jurisdiction an average of 38 minutes [the midrange between 16 minutes
and 60 minutes] to develop and comply with the policies and procedures
that they will employ when they receive a notice of address
discrepancy. FTC staff also estimates that the average recurring burden
for users of consumer reports to comply with the Rule will be 23
minutes [the midrange between one minute and 45 minutes].
Thus, for these 1,967,167 entities, the average annual burden for
each of them to perform these collective tasks will be 28 minutes [(38
+ 23 +23) / 3]; cumulatively, 918,011 hours.
b. Address Verification
For the estimated 10,000 users of consumer reports that will
additionally have to furnish to CRAs an address confirmation upon
notice of a discrepancy, staff estimates that these entities will
require, initially, 30 minutes to develop related policies and
procedures. But, these 10,000 affected entities likely will have
automated the process of furnishing the correct address in the first
year of a three-year PRA clearance cycle. Thus, allowing for 30 minutes
in the first year, with no annual recurring burden in the second and
third years of clearance, yields an average annual burden of 10 minutes
per entity to furnish a correct address to a CRA, for a total of 1,667
hours.
2. Estimated Cost Burden
FTC staff assumes that the policies and procedures for compliance
with the address discrepancy part of the Rule will be set up by
administrative support personnel at an hourly rate of $19.\10\ Based on
the above estimates and assumptions, the total annual labor cost for
the two categories of burden under section 315 is $17,473,882.
---------------------------------------------------------------------------
\10\ This estimate--rounded to the nearest dollar--is based on
mean hourly wages for all management occupations found within the
``Bureau of Labor Statistics, Economic News Release,'' March 30,
2018, Table 1, ``National employment and wage data from the
Occupational Employment Statistics survey by occupation, May 2017.''
https://www.bls.gov/news.release/ocwage.t01.htm.
---------------------------------------------------------------------------
C. Burden Totals for FACT Act Sections 114 and 315
Cumulatively, then, estimated burden is 2,246,834 hours (1,328,823
hours for section 114 and 918,011 hours for section 315) and
$82,586,209 ($65,112,327 and $17,473,882) in associated labor costs.
IV. Request for Comment
Pursuant to Section 3506(c)(2)(A) of the PRA, the FTC invites
comments on: (1) Whether the disclosure requirements are necessary,
including whether the information will be practically useful; (2) the
accuracy of our burden estimates, including whether the methodology and
assumptions used are useful; (3) ways to enhance the quality, utility,
and clarity of the information to be collected; and (4) ways to
minimize the burden of providing the required information to consumers.
You can file a comment online or on paper. For the FTC to consider
your comment, we must receive it on or before October 9, 2018. Write:
``Red Flags Rule, PRA Comment, Project No. P095406'' on your comment.
Your comment--including your name and your state--will be placed on the
public record of this proceeding, including, to the extent practicable,
on the public Commission website, at https://www.ftc.gov/os/publiccomments.shtm. As a matter of discretion, the Commission tries to
remove individuals' home contact information from comments before
placing them on the Commission website.
Postal mail addressed to the Commission is subject to delay due to
heightened security screening. As a result, we encourage you to submit
your comments online, or to send them to the Commission by courier or
overnight service. To make sure that the Commission considers your
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/RedFlagsPRA by following the instructions on the web-based form.
When this Notice appears at https://www.regulations.gov/#!home, you also
may file a comment through that website.
If you file your comment on paper, write ``Red Flags Rule PRA,
Project No. P095406'' on your comment and on the envelope, and mail it
to the following address: Federal Trade Commission, Office of the
Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex J),
Washington, DC 20580, or deliver your comment to the following address:
Federal Trade Commission, Office of the Secretary, Constitution Center,
400 7th Street SW, 5th Floor, Suite 5610 (Annex J), Washington, DC
20024. If possible, submit your paper comment to the Commission by
courier or overnight service.
Because your comment will be placed on the publicly accessible FTC
website at https://www.ftc.gov/, you are solely responsible for making
sure that your
[[Page 39100]]
comment does not include any sensitive or confidential information. In
particular, your comment should not include any sensitive personal
information, such as your or anyone else's Social Security number; date
of birth; driver's license number or other state identification number,
or foreign country equivalent; passport number; financial account
number; or credit or debit card number. You are also solely responsible
for making sure that your comment does not include any sensitive health
information, such as medical records or other individually identifiable
health information. In addition, your comment should not include any
``trade secret or any commercial or financial information which . . .
is privileged or confidential''--as provided by Section 6(f) of the FTC
Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2)--
including in particular competitively sensitive information such as
costs, sales statistics, inventories, formulas, patterns, devices,
manufacturing processes, or customer names.
Comments containing material for which confidential treatment is
requested must be filed in paper form, must be clearly labeled
``Confidential,'' and must comply with FTC Rule 4.9(c). In particular,
the written request for confidential treatment that accompanies the
comment must include the factual and legal basis for the request, and
must identify the specific portions of the comment to be withheld from
the public record. See FTC Rule 4.9(c). Your comment will be kept
confidential only if the General Counsel grants your request in
accordance with the law and the public interest. Once your comment has
been posted on the public FTC website--as legally required by FTC Rule
4.9(b)--we cannot redact or remove your comment from the FTC website,
unless you submit a confidentiality request that meets the requirements
for such treatment under FTC Rule 4.9(c), and the General Counsel
grants that request.
The FTC Act and other laws that the Commission administers permit
the collection of public comments to consider and use in this
proceeding as appropriate. The Commission will consider all timely and
responsive public comments that it receives on or before October 9,
2018. For information on the Commission's privacy policy, including
routine uses permitted by the Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.
Heather Hippsley,
Acting Principal Deputy General Counsel.
[FR Doc. 2018-16936 Filed 8-7-18; 8:45 am]
BILLING CODE 6750-01-P