83 FR 63604 - Identity Theft Rules

FEDERAL TRADE COMMISSION

Federal Register Volume 83, Issue 237 (December 11, 2018)

The Federal Trade Commission (``FTC'' or ``Commission'') requests public comment on its Identity Theft Rules. The Commission is soliciting comment as part of the FTC's systematic review of all current Commission regulations and guides.

[Federal Register Volume 83, Number 237 (Tuesday, December 11, 2018)]
[Proposed Rules]
[Pages 63604-63606]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-26609]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

16 CFR Part 681

RIN 3084-AB50


Identity Theft Rules

AGENCY: Federal Trade Commission.

ACTION: Request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'' or ``Commission'') 
requests public comment on its Identity Theft Rules. The Commission is 
soliciting comment as part of the FTC's systematic review of all 
current Commission regulations and guides.

DATES: Comments must be received on or before February 11, 2019.

ADDRESSES: Interested parties may file a comment online or on paper by:
     Online: Write ``Identity Theft Rules, 16 CFR part 681, 
Project No. 188402'' on

[[Page 63605]]

your comment and file your comment at https://ftcpublic.commentworks.com/ftc/identitytheftrulesreview by following 
the instructions on the web-based form.
     Paper: Write ``Identity Theft Rules, 16 CFR part 681, 
Project No. 188402'' on your comment and on the envelope and mail your 
comment to the following address: Federal Trade Commission, Office of 
the Secretary, 600 Pennsylvania Avenue NW, Suite CC-5610 (Annex B), 
Washington, DC 20580, or deliver your comment to the following address: 
Federal Trade Commission, Office of the Secretary, Constitution Center, 
400 7th Street SW, 5th Floor, Suite 5610 (Annex B), Washington, DC 
20024.
    See the Instructions for Submitting Comments part of the 
SUPPLEMENTARY INFORMATION section below for additional information.

FOR FURTHER INFORMATION CONTACT: Stacy Procter, Western Region--Los 
Angeles Office, Bureau of Consumer Protection, Federal Trade 
Commission, 10990 Wilshire Blvd., Suite 400, Los Angeles, CA 90024, 
(310) 824-4300, or Amanda Koulousias, Division of Privacy and Identity 
Protection, Bureau of Consumer Protection, Federal Trade Commission, 
600 Pennsylvania Avenue NW, Washington, DC 20580, (202) 326-3334.

SUPPLEMENTARY INFORMATION:

I. Background

    The Fair and Accurate Credit Transactions Act (``FACTA'') was 
enacted in December 2003.\1\ Section 114 of FACTA amended section 615 
of the Fair Credit Reporting Act (``FCRA'') and required the Commission 
and other federal agencies to establish and maintain guidelines for 
financial institutions and creditors to identify patterns, practices 
and activities that might indicate identity theft.\2\ FACTA also 
required the Commission and other federal agencies to prescribe 
regulations requiring financial institutions and creditors to establish 
reasonable policies and procedures for implementing the established 
guidelines.\3\ In addition, FACTA required the Commission and other 
federal agencies to prescribe regulations requiring debit and credit 
card issuers to validate notifications of changes of address under 
certain situations.\4\
---------------------------------------------------------------------------

    \1\ Public Law 108-159, 117 Stat. 1952 (codified as amended at 
15 U.S.C. 1681-1681x).
    \2\ 15 U.S.C. 1681m(e)(1)(A), (e)(2). The other federal agencies 
include the Federal banking agencies, the National Credit Union 
Administration, the Commodity Futures Trading Commission (``CFTC'') 
and the Securities and Exchange Commission (``SEC''). The CFTC and 
SEC obtained regulatory authority in July 2010 pursuant to the Dodd 
Frank Wall Street Reform and Consumer Protection Act. Public Law 
111-203, 124 Stat. 1376-2223.
    \3\ 15 U.S.C. 1681m(e)(1)(B).
    \4\ 15 U.S.C. 1681m(e)(1)(C).
---------------------------------------------------------------------------

    In November 2007, the Commission and banking agencies published 
final rules and guidelines implementing the red flags provisions of 
section 615 of the FCRA.\5\ These rules include the duties regarding 
the detection, prevention, and mitigation of identity theft (``Red 
Flags Rule'') \6\ and the duties of card issuers regarding changes of 
address (``Card Issuers Rule'') \7\ (collectively, the ``Identity Theft 
Rules'' or ``Rules''). In December 2010, the President signed the Red 
Flag Program Clarification Act (``Clarification Act''), which narrowed 
the scope of entities covered as a ``creditor'' under the Red Flags 
Rule.\8\ The Clarification Act also empowers the Commission and other 
federal agencies to determine through rulemaking whether any other type 
of creditor should be subject to the Red Flags Rule based on whether 
such creditor offers or maintains accounts with a reasonably 
foreseeable risk of identity theft.\9\
---------------------------------------------------------------------------

    \5\ 72 FR 63718.
    \6\ 16 CFR 681.1.
    \7\ 16 CFR 681.2.
    \8\ Public Law 111-319, 124 Stat. 3457 (codified at 15 U.S.C. 
1681m(e)(4)). The Clarification Act retains the definition of 
``creditor'' from section 702 of the Equal Credit Opportunity Act 
(``ECOA''), 15 U.S.C. 1691a, but generally limits application of the 
Red Flags Rule to ECOA creditors that engage in certain conduct 
regularly and in the ordinary course of business.
    \9\ 15 U.S.C. 1681m(e)(4)(C).
---------------------------------------------------------------------------

    The Red Flags Rule requires each ``financial institution'' and 
``creditor'' subject to the Commission's enforcement authority to 
periodically determine whether it maintains ``covered accounts,'' and 
to develop and maintain a written Identity Theft Prevention Program 
(``Program'') to detect, prevent and mitigate identity theft in 
connection with the opening or existence of any ``covered account.'' 
\10\ Financial institutions or creditors that are required to implement 
a Program must administer the Program in accordance with the Red Flags 
Rule, consider the guidelines set forth in appendix A, and include in 
their Program those guidelines that are appropriate.\11\ The Card 
Issuers Rule requires that debit or credit card issuers establish and 
implement reasonable policies and procedures to assess the validity of 
a change of address request if, within a short period of time after 
receiving the request, the card issuer receives a request for an 
additional or replacement card for the same account.\12\ The Card 
Issuers Rule further prohibits a card issuer from issuing an additional 
or replacement card until it has (1) notified the cardholder of the 
request and provided a reasonable means for the cardholder to promptly 
report an incorrect address change, or (2) otherwise assessed the 
validity of the address change.\13\ Card issuers within the FTC's 
jurisdiction include, for example, state credit unions, general retail 
merchandise stores, colleges and universities, and telecoms.
---------------------------------------------------------------------------

    \10\ 16 CFR 681.1(c)-(d).
    \11\ 16 CFR 681.1(e)-(f).
    \12\ 16 CFR 681.2(c).
    \13\ Id.
---------------------------------------------------------------------------

II. Regulatory Review of the Identity Theft Rules

    The Commission periodically reviews all of its rules and guides. 
These reviews seek information about the costs and benefits of the 
agency's rules and guides, and their regulatory and economic impact. 
The information obtained assists the Commission in identifying those 
rules and guides that warrant modification or rescission. Therefore, 
the Commission solicits comments on, among other things, the economic 
impact and benefits of the Identity Theft Rules; possible conflict 
between the Identity Theft Rules and state, local, or other federal 
laws or regulations; and the effect on the Identity Theft Rules of any 
technological, economic, or other industry changes.

III. Issues for Comment

    The Commission requests written comment on any or all of the 
following questions. These questions are designed to assist the public 
and should not be construed as a limitation on the issues about which 
public comments may be submitted. The Commission requests that 
responses to its questions be as specific as possible, including a 
reference to the question being answered, and refer to empirical data 
or other evidence upon which the comment is based whenever available 
and appropriate.

A. General Issues

    1. Is there a continuing need for specific provisions of the Rules? 
Why or why not?
    2. What benefits have the Rules provided to consumers? What 
evidence supports the asserted benefits?
    3. What modifications, if any, should be made to the Rules to 
increase the benefits to consumers?
    a. What evidence supports the proposed modifications?

[[Page 63606]]

    b. How would these modifications affect the costs the Rules impose 
on businesses, including small businesses?
    4. What significant costs, if any, have the Rules imposed on 
consumers? What evidence supports the asserted costs?
    5. What modifications, if any, should be made to the Rules to 
reduce any costs imposed on consumers?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the benefits provided by 
the Rules?
    6. What benefits, if any, have the Rules provided to businesses, 
including small businesses? What evidence supports the asserted 
benefits?
    7. What modifications, if any, should be made to the Rules to 
increase their benefits to businesses, including small businesses?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the costs the Rules impose 
on businesses, including small businesses?
    c. How would these modifications affect the benefits to consumers?
    8. What significant costs, if any, including costs of compliance, 
have the Rules imposed on businesses, including small businesses? What 
evidence supports the asserted costs?
    9. What modifications, if any, should be made to the Rules to 
reduce the costs imposed on businesses, including small businesses?
    a. What evidence supports the proposed modifications?
    b. How would these modifications affect the benefits provided by 
the Rules?
    10. What evidence is available concerning the degree of industry 
compliance with the Rules?
    11. What modifications, if any, should be made to the Rules to 
account for changes in relevant technology or economic conditions? What 
evidence supports the proposed modifications?
    12. Do the Rules overlap or conflict with other federal, state, or 
local laws or regulations? If so, how?
    a. What evidence supports the asserted conflicts?
    b. With reference to the asserted conflicts, should the Rules be 
modified? If so, why, and how? If not, why not?

B. Specific Issues

    1. Do the guidelines in appendix A of the Red Flags Rule need 
updating? If so, what updates should be made?
    a. What evidence supports the proposed modification?
    b. [Reserved]
    2. The Red Flags Rule covers creditors that regularly and in the 
ordinary course of business: (1) Obtain or use consumer reports in 
connection with a credit transaction; (2) furnish information to 
consumer reporting agencies in connection with a credit transaction; or 
(3) advance funds to or on behalf of a person, based on an obligation 
of the person to repay the funds or repayable from specific property 
pledged by or on behalf of the person, unless the expenses for which 
the funds are advanced are incidental to a service the creditor 
provides to that person. Is there any other type of creditor that is 
not subject to the Red Flags Rule that offers or maintains accounts 
that are subject to a reasonably foreseeable risk of identity theft?
    a. If so, what type of creditor and what evidence supports that 
conclusion?
    b. [Reserved]

IV. Instructions for Submitting Comments

    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before February 11, 
2019. Write ``Identity Theft Rules, 16 CFR part 681, Project No. 
188402'' on the comment. Your comment, including your name and your 
state, will be placed on the public record of this proceeding, 
including, to the extent practicable, on the public Commission website, 
at https://www.ftc.gov/policy/public-comments. As a matter of 
discretion, the Commission tries to remove individuals' home contact 
information from comments before placing them on the Commission 
website. Because your comment will be made public, you are solely 
responsible for making sure that your comment does not include any 
sensitive personal information, such as a Social Security number, date 
of birth, driver's license number or other state identification number 
or foreign country equivalent, passport number, financial account 
number, or payment card number. You are also solely responsible for 
making sure that your comment does not include any sensitive health 
information, such as medical records or other individually identifiable 
health information.
    In addition, do not include any ``[t]rade secret or any commercial 
or financial information which is . . . privileged or confidential,'' 
as discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC 
Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include 
competitively sensitive information such as costs, sales statistics, 
inventories, formulas, patterns, devices, manufacturing processes, or 
customer names.
    If you want the Commission to give your comment confidential 
treatment, you must file it in paper form, with a request for 
confidential treatment, and you must follow the procedure explained in 
FTC Rule 4.9(c), 16 CFR 4.9(c). In particular, the written request for 
confidential treatment that accompanies the comment must include the 
factual and legal basis for the request, and must identify the specific 
portions of the comments to be withheld from the public record. Your 
comment will be kept confidential only if the FTC General Counsel 
grants your request in accordance with the law and the public interest.
    Postal mail addressed to the Commission is subject to delay due to 
heightened security screening. As a result, we encourage you to submit 
your comment online. To make sure that the Commission considers your 
online comment, you must file it at https://ftcpublic.commentworks.com/ftc/identitytheftrulesreview by following the instructions on the web-
based form. If this document appears at https://www.regulations.gov, 
you also may file a comment through that website.
    If you file your comment on paper, write ``Identity Theft Rules, 16 
CFR part 681, Project No. 188402'' on your comment and on the envelope, 
and mail your comment to the following address: Federal Trade 
Commission, Office of the Secretary, 600 Pennsylvania Avenue NW, Suite 
CC-5610 (Annex B), Washington, DC 20580, or deliver your comment to the 
following address: Federal Trade Commission, Office of the Secretary, 
Constitution Center, 400 7th Street SW, 5th Floor, Suite 5610 (Annex 
B), Washington, DC 20024.
    Visit the Commission website at https://www.ftc.gov to read this 
document and the news release describing it. The FTC Act and other laws 
that the Commission administers permit the collection of public 
comments to consider and use in this proceeding as appropriate. The 
Commission will consider all timely and responsive public comments that 
it receives on or before February 11, 2019. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see https://www.ftc.gov/site-information/privacy-policy.

    By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2018-26609 Filed 12-10-18; 8:45 am]
BILLING CODE 6750-01-P