63740 Federal Register / Vol. 72, No. 217 / Friday, November 9, 2007 / Rules and Regulations
of a change of address notification before honoring a request for an additional or replacement card received during at least the first 30 days after it receives the notification; and (2) notify the cardholder in writing, electronically, or orally, or use another means of assessing the validity of the change of address.
Section 315: The proposed rules implementing section 315 required each user of consumer reports to (1) develop reasonable policies and procedures it would employ when it receives a notice of address discrepancy from a CRA; and (2) furnish an address the user reasonably confirmed is accurate to the CRA from which it receives a notice of address discrepancy.
The information collections in the final rulemaking are the same as those in the proposal.
Comments Received
The Agencies sought comment on the burden estimates for the information collections described in the proposal. The Agencies received approximately 129 comments on the proposed rulemaking. Most commenters maintained that the proposal would impose additional regulatory burden and asserted that the estimates of the cost of compliance should be considerably higher than the Agencies projected. A few of these commenters specifically addressed PRA burden; however, they did not provide specific estimates of additional burden hours that would result from the proposal. Some of these commenters stated that staff training estimates were significantly underestimated. Other commenters stated that the costs of compliance failed to consider the cost to third-party service providers that the commenters characterized as being required to implement the Program.
Explanation of Burden Estimates Under the Final Rulemaking
The Agencies believe that many of the comments received regarding burden stemmed from commenters' misreading of the requirements of the proposed rulemaking. The final rulemaking clarifies these requirements, including those that relate to the information collections. It also differs from the proposal as described below.
The Agencies continue to believe that most covered entities already employ a variety of measures to detect and address identity theft that are required by section 114 of the final rulemaking because these are usual and customary business practices that they employ to minimize losses due to fraud. In addition, the Agencies believe that many financial institutions and creditors already have implemented some of the requirements of the final rules implementing section 114 as a result of having to comply with other existing regulations and guidance, such as the CIP regulations implementing section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l) (that require verification of the identity of persons opening new accounts),[55] the Information Security Standards that implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801, and section 216 of the FACT Act, 15 U.S.C. 1681w,[56] and guidance issued by the Agencies or the Federal Financial Institutions Examination Council regarding information security, authentication, identity theft, and response programs.[57] The final rulemaking underscores the ability of a financial institution or creditor to incorporate into its Program its existing processes that control reasonably foreseeable risks to customers or to its own safety and soundness from identity theft, such as those already developed in connection with the covered entity's fraud prevention program. Thus, the burden estimate attributable to the creation of a Program is unchanged.
[55] See, e.g., 31 CFR 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 CFR 103.122 (broker-dealers); 31 CFR 103.123 (futures commission merchants).

[56] 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D–2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, app. A and B, and 12 CFR 717 (credit unions); 16 CFR part 314 (financial institutions that are not regulated by the Board, FDIC, NCUA, OCC and OTS).

[57] See, e.g., 12 CFR part 30, supp. A to app. B (national banks); 12 CFR part 208, supp. A to app. D–2 and part 225, supp. A to app. F (state member banks and holding companies); 12 CFR part 364, supp. A to app. B (state non-member banks); 12 CFR part 570, supp. A to app. B (savings associations); 12 CFR 748, app. A and B (credit unions); Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook's Information Security Booklet (the "IS Booklet") available at http://www.ffiec.gov/guides.htm; FFIEC "Authentication in an Internet Banking Environment" available at http://www.ffiec.gov/pdf/authentication_guidance.pdf; Board SR 01–11 (Supp) (Apr. 26, 2001) available at: http://www.federalreserve.gov/boarddocs/srletters/2001/sr0111.htm; "Guidance on Identity Theft and Pretext Calling," OCC AL 2001–4 (April 30, 2001); "Identity Theft and Pretext Calling," OTS CEO Letter #139 (May 4, 2001); NCUA Letter to Credit Unions 01–CU–09, "Identity Theft and Pretext Calling" (Sept. 2001); OCC 2005–24, "Threats from Fraudulent Bank Web Sites: Risk Mitigation and Response Guidance for Web Site Spoofing Incidents," (July 1, 2005); "Phishing and E-mail Scams," OTS CEO Letter #193 (Mar. 8, 2004); NCUA Letter to Credit Unions 04–CU–12, "Phishing Guidance for Credit Unions" (Sept. 2004).
The final rulemaking also clarifies that only relevant staff need be trained to implement the Program, as necessary—meaning that staff already trained, for example, as a part of a covered entity's anti-fraud prevention efforts do not need to be re-trained except as necessary. Despite this clarification, in response to comments received, the Agencies are increasing the burden estimates attributable to training from two to four hours.
The Agencies' estimates attribute all burden to covered entities, which are entities directly subject to the requirements of the final rulemaking. A covered entity that outsources activities to a third-party service provider is, in effect, reallocating to that service provider the burden that it would otherwise have carried itself. Under these circumstances, burden is, by contract, shifted from the covered entity to the service provider, but the total amount of burden is not increased. Thus, third-party service provider burden is already included in the burden estimates provided for covered entities.
The Agencies continue to believe that card issuers already assess the validity of change of address requests and, for the most part, have automated the process of notifying the cardholder or using other means to assess the validity of changes of address. Further, as commenters requested, the final rulemaking clarifies that card issuers may satisfy the requirements of this section by verifying the address at the time the address change notification is received, before a request for an additional or replacement card. Therefore, the estimates attributable to this portion of the rulemaking are unchanged.
Regarding the final rules implementing section 315, the Agencies recognize that users of consumer reports will need to develop policies and procedures to employ upon receiving a notice of address discrepancy in order to: (1) Ensure that the user has obtained the correct consumer report for the consumer; and (2) confirm the accuracy of the address the user furnishes to the CRA. However, under the final rules, a user must furnish a confirmed address to a CRA only for new relationships. Thus, the required policies and procedures will no longer need to address the furnishing of confirmed addresses for existing relationships, and users will not need to furnish to the CRA, in connection with existing relationships, an address the user reasonably confirmed is accurate.
The Agencies believe that users of credit reports covered by the final rules,