[Federal Register Volume 79, Number 34 (Thursday, February 20, 2014)]
[Proposed Rules]
[Pages 9645-9647]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-03264]


=======================================================================
-----------------------------------------------------------------------

FEDERAL RESERVE SYSTEM

12 CFR Part 222

[Docket No. R-1484]
RIN 7100 AE14


Identity Theft Red Flags (Regulation V)

AGENCY: Board of Governors of the Federal Reserve System.

ACTION: Notice of proposed rulemaking; request for public comment.

-----------------------------------------------------------------------

SUMMARY: The Board of Governors of the Federal Reserve System (Board) 
is proposing to amend its Identity Theft Red Flags rule, which 
implements section 615(e) of the Fair Credit Reporting Act (FCRA). The 
Red Flag Program Clarification Act of 2010 (Clarification Act) added a 
definition of ``creditor'' in FCRA section 615(e) that is specific to 
section 615(e). Accordingly, the proposed rule would amend the 
definition of ``creditor'' in the Identity Theft Red Flags rule to 
reflect the definition of that term as added by the statute. The 
proposed rule would also update a cross-reference in the Identity Theft 
Red Flags rule to reflect a statutory change in rulemaking authority.

DATES: Comments must be received on or before April 21, 2014.

ADDRESSES: You may submit comments, identified by Docket No. R-1484, by 
any of the following methods:
     Agency Web site: http://www.federalreserve.gov. Follow the 
instructions for submitting comments at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm.
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Email: regs.comments@federalreserve.gov. Include the 
docket number in the subject line of the message.
     FAX: (202) 452-3819 or (202) 452-3102.
     Mail: Robert deV. Frierson, Secretary, Board of Governors 
of the Federal Reserve System, 20th Street and Constitution Avenue NW., 
Washington, DC 20551.

All public comments are available from the Board's Web site at http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm as submitted, 
unless modified for technical reasons. Accordingly, your comments will 
not be edited to remove any identifying or contact information. Public 
comments may also be viewed electronically or in paper form in Room MP-
500 of the Board's Martin Building (20th and C Streets NW.) between 
9:00 a.m. and 5:00 p.m. on weekdays.

FOR FURTHER INFORMATION CONTACT: Kara L. Handzlik, Counsel, Legal 
Division, at (202) 452-3852, Board of Governors of the Federal Reserve 
System, 20th and C Streets NW., Washington, DC 20551. For users of 
Telecommunications Device for the Deaf (TDD) only, contact (202) 263-
4869.

SUPPLEMENTARY INFORMATION:

I. Background

    On November 9, 2007, the Board, along with the other banking 
agencies \1\ and the Federal Trade Commission (FTC) (collectively, the 
``Agencies''), published final rules and guidelines on identity theft 
``red flags'' (``Red Flags rule'') to implement section 615(e) of the 
Fair Credit Reporting Act (FCRA) (15 U.S.C. 1681m(e)).\2\ The final 
rules require each financial institution and creditor that holds any 
consumer account, or other account for which there is a reasonably 
foreseeable risk of identity theft, to develop and implement an 
identity theft prevention program in connection with new and existing 
accounts. The program must include reasonable policies and procedures 
for detecting, preventing, and mitigating identity theft. The Agencies 
also issued guidelines to assist financial institutions and creditors 
in developing and implementing a program, including a supplement that 
provides examples of red flags.
---------------------------------------------------------------------------

    \1\ The other banking agencies included the Office of the 
Comptroller of the Currency (OCC); Federal Deposit Insurance 
Corporation (FDIC); Office of Thrift Supervision (OTS); and National 
Credit Union Administration (NCUA). The Dodd-Frank Wall Street 
Reform and Consumer Protection Act (Dodd-Frank Act) added the 
Commodity Futures Trading Commission (CFTC) and the Securities and 
Exchange Commission (SEC) to the list of agencies with rulemaking 
and enforcement authority under the Fair Credit Reporting Act with 
respect to the Red Flags rule. Public Law 111-203, 124 Stat. 1376 
(2010).
    \2\ 72 FR 63718 (Nov. 9, 2007).
---------------------------------------------------------------------------

    The Red Flags rule, implemented in the Board's Regulation V Subpart 
J, defines the terms ``credit'' and ``creditor'' by cross-reference to 
FCRA section 603(r)(5). 15 U.S.C. 1681a(r)(5). Section 603(r)(5) 
defines the terms ``credit'' and ``creditor'' by cross-reference to 
section 702 of the Equal Credit Opportunity Act (ECOA). ECOA section 
702 defines ``creditor'' as ``any person who regularly extends, renews, 
or continues credit; any person who regularly arranges for the 
extension, renewal, or continuation of credit; or any assignee of an 
original creditor who participates in the decision to extend, renew, or 
continue credit.'' 15 U.S.C. 1691a(e). The ECOA defines ``credit'' as 
``the right granted by a creditor to a debtor to defer payment of debt 
or to incur debts and defer its payment or to purchase property or 
services and defer payment therefor.'' 15 U.S.C. 1691a(d). Thus, the 
FCRA's red flags provisions have been broadly applied to banks, finance 
companies, automobile dealers, mortgage brokers, utility companies, and 
telecommunications companies. 12 CFR 222.90(b)(5).
    The scope of the Board's Red Flags rule is set forth in Sec.  
222.90(a), which states that the Board's rule applies to financial 
institutions and creditors that are state member banks (other than 
national banks) and their respective operating subsidiaries, branches 
and agencies of foreign banks (other than federal branches, federal 
agencies, and insured state branches of foreign banks), commercial 
lending companies owned or controlled by foreign banks, and 
organizations operating under section 25 or 25A of the Federal Reserve 
Act. Financial institutions and creditors that are not covered by the 
Board's rule are covered by substantially identical rules issued by 
other federal agencies.

II. The Red Flag Program Clarification Act of 2010

    On December 18, 2010, Congress enacted the Red Flag Program 
Clarification Act of 2010 (the Clarification Act).\3\ The Clarification 
Act amended section 615(e) of the FCRA (15 U.S.C. 1681m(e)) by adding a 
definition of the term ``creditor'' specific to section 615(e). The 
Clarification Act continues to define creditor by cross-reference to

[[Page 9646]]

the ECOA's definition of creditor, but limits the application of the 
red flags provisions of the FCRA to only those creditors that regularly 
and in the ordinary course of business: (a) Obtain or use consumer 
reports, directly or indirectly, in connection with a credit 
transaction; (b) furnish information to consumer reporting agencies, as 
described in FCRA section 623, in connection with a credit transaction; 
or (c) advance funds to or on behalf of a person, based on an 
obligation of the person to repay the funds or repayable from specific 
property pledged by or on behalf of the person. 15 U.S.C. 
1681m(e)(4)(A).
---------------------------------------------------------------------------

    \3\ Public Law 111-319, 124 Stat. 3457 (Dec. 18, 2010).
---------------------------------------------------------------------------

    The Clarification Act's revised definition excludes, however, those 
creditors that advance funds on behalf of a person for expenses 
incidental to a service provided by the creditor to that person. 15 
U.S.C. 1681m(e)(4)(B). The legislative intent of narrowing the 
definition of ``creditor'' in the Red Flags rule was to exclude from 
coverage those persons that sell a product or service for which the 
consumer can pay later, such as lawyers and doctors.\4\
---------------------------------------------------------------------------

    \4\ 156 Cong. Rec. S8289 (daily ed. Nov. 30, 2010) (statement of 
Sen. Dodd).
---------------------------------------------------------------------------

    The Clarification Act also grants authority to the Board and the 
other agencies to determine, through a rulemaking, whether there are 
other creditors that offer or maintain accounts that are subject to a 
reasonably foreseeable risk of identity theft that should be subject to 
the Red Flags rule. 12 U.S.C. 1681m(e)(4)(C). The Board is not using 
its discretionary rulemaking authority at this time to extend the 
application of its Red Flags rule to additional creditors.

III. Proposed Amendment

    The Board is proposing to amend the definition of ``creditor'' in 
Regulation V (12 CFR 222.90) to conform the rule to the definition of 
``creditor'' in FCRA as amended by the Clarification Act. As noted 
above, the existing definition of ``creditor'' in Sec.  222.90(b)(5) 
makes a cross-reference to the general definition of ``creditor'' in 
section 603(r)(5) of the FCRA and provides a list of examples of 
lenders. The proposed revised definition of ``creditor'' in Sec.  
222.90(b)(5) would instead cross-reference the more limited definition 
of creditor in section 615(e) of the FCRA, which is specific to the 
statute's red flags provisions. Accordingly, proposed Sec.  
222.90(b)(5) provides that ``creditor has the same meaning as in 15 
U.S.C. 1681m(e)(4).''
    As discussed above, the Red Flags rule requires each financial 
institution and creditor that holds any consumer account, or other 
account for which there is a reasonably foreseeable risk of identity 
theft, to develop and implement an identity theft prevention program. 
Under the revised definition, creditors that do not regularly and in 
the ordinary course of business: (a) Obtain or use consumer reports in 
connection with a credit transaction; (b) furnish information to 
consumer reporting agencies in connection with a credit transaction; or 
(c) advance funds to or on behalf of a person, would no longer be 
covered by the rule. The Board notes, however, that the Red Flags rule 
still covers all financial institutions, regardless of whether they 
meet the revised definition of creditor.\5\
---------------------------------------------------------------------------

    \5\ The Board has consulted and coordinated with the other 
banking agencies, the FTC, the CFTC, and the SEC with respect to 
this proposed rulemaking to amend the Red Flags rule to conform it 
to the Clarification Act. The Board understands that the other 
banking agencies will act separately with respect to any necessary 
updates to each of the banking agency's Red Flags rules. The FTC 
issued an interim final rule that amends the definition of 
``creditor'' in its Red Flags rule, consistent with the revised 
definition in the Clarification Act. See 77 FR 72712 (Dec. 6, 2012). 
The CFTC and SEC issued final Red Flags rules implementing section 
615 of FCRA, which includes the definition of ``creditor'' as set 
forth in the Clarification Act. See 76 FR 23638 (Apr. 19, 2013).
---------------------------------------------------------------------------

    The Board is also proposing to update a citation in Supplement A to 
Appendix J of the Red Flags rule. Supplement A to Appendix J includes a 
cross-reference to the Board's definition of a ``notice of address 
discrepancy'' in Regulation V (12 CFR 222.82(b)). Pursuant to the Dodd-
Frank Act, the Board's rulemaking authority for the notice of address 
discrepancy provisions of the FCRA (15 U.S.C. 1681c(h)) transferred to 
the Consumer Financial Protection Bureau (CFPB). Accordingly, the Board 
is proposing to update the cross-reference to the CFPB's definition of 
a ``notice of address discrepancy'' in the CFR's Regulation V Sec.  
1022.82(b).\6\
---------------------------------------------------------------------------

    \6\ The Board notes that there is no substantive difference 
between the Board's definition of a ``notice of address 
discrepancy'' and the CFPB's definition. The Board also notes that 
it plans to make further revisions to Regulation V outside of this 
Red Flags rulemaking to reflect changes in rulemaking authority.
---------------------------------------------------------------------------

IV. Initial Regulatory Flexibility Analysis

    The Regulatory Flexibility Act (5 U.S.C. 601 et seq.) (RFA) 
generally requires an agency to perform an assessment of the impact a 
rule is expected to have on small entities. Based on its analysis, and 
for the reasons stated below, the Board believes that this proposed 
rule will not have a significant economic impact on a substantial 
number of small entities. A final regulatory flexibility analysis will 
be conducted after consideration of comments received during the public 
comment period.
    1. Statement of the need for, and objectives of, the proposed rule. 
As noted above, the Clarification Act amended the definition of 
``creditor'' in the FCRA for purposes of the red flags provisions. The 
Board is proposing to amend the definition of ``creditor'' in its Red 
Flags rule to reflect the revised definition of that term in the 
Clarification Act. As also noted above, the Board is proposing to 
update a cross-reference in the Red Flags rule to reflect the CFPB's 
rulemaking authority for the notice of address discrepancy provisions 
in the FCRA.
    2. Small entities affected by the proposed rule. The proposed rule 
would amend the definition of ``creditor'' in the Board's Regulation V 
Subpart J to conform to the revised definition of that term in the 
Clarification Act. The proposed definition continues to refer to the 
FCRA definition of ``creditor,'' which references the ECOA definition 
of ``creditor,'' but limits the application of the red flags provisions 
to only those creditors that regularly and in the ordinary course of 
business: (a) Obtain or use consumer reports in connection with a 
credit transaction; (b) furnish information to consumer reporting 
agencies in connection with a credit transaction; or (c) advance funds 
to or on behalf of a person, based on an obligation of the person to 
repay the funds or repayable from specific property pledged by or on 
behalf of the person. 12 U.S.C. 1681m(e)(4)(A). Creditors that advance 
funds on behalf of a person for expenses incidental to a service 
provided by the creditor to that person are excluded from the 
definition. Small entity creditors that do not meet this more limited 
definition would no longer be covered by the rule. However, small 
entities that are financial institutions would still be covered by the 
rule, regardless of whether they meet the revised definition of 
creditor.
    The proposed rule would also update a cross-reference in the Red 
Flags rule to reflect the CFPB's rulemaking authority for the notice of 
address discrepancy provisions in the FCRA. This revision would have no 
effect on small entities because there is no substantive difference 
between the Board's definition of a ``notice of address discrepancy'' 
and the CFPB's definition.
    3. Recordkeeping, reporting, and compliance requirements. The 
proposed rule does not impose any new recordkeeping, reporting, or 
compliance requirements on small entities. Small entities that no 
longer meet the

[[Page 9647]]

narrower definition of ``creditor'' would not have to comply with the 
requirements of the Red Flags rule. However, small entity financial 
institutions would still be required to comply with the Red Flags rule, 
regardless of whether they meet the revised definition of creditor.
    4. Other federal rules. The Board has not identified any federal 
statutes or regulations that would duplicate, overlap, or conflict with 
the proposed revision.
    5. Significant alternatives to the proposed revisions. The proposed 
revisions to the definition of ``creditor'' and the cross-reference to 
the definition of a ``notice of address discrepancy'' reflect statutory 
changes. The Board does not believe there are significant alternatives 
to these revisions. Although the Board has authority to determine 
through a rulemaking that any other creditor that offers or maintains 
accounts that are subject to a reasonably foreseeable risk of identity 
theft is subject to the Red Flags rule, the Board does not believe it 
is appropriate to use its discretionary rulemaking authority at this 
time.

III. Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act (PRA) of 1995 (44 
U.S.C. 3506; 5 CFR part 1320 Appendix A.1), the Board reviewed the rule 
under the authority delegated to the Federal Reserve by the Office of 
Management and Budget (OMB). The proposed rule contains no requirements 
subject to the PRA.

List of Subjects in 12 CFR Part 222

    Banks, banking, Consumer protection, Holding companies, Safety and 
soundness, and State member banks.

Authority and Issuance

    For the reasons set forth in the preamble, the Board proposes to 
amend Regulation V, 12 CFR part 222, as set forth below:

PART 222--FAIR CREDIT REPORTING (REGULATION V)

0
1. The authority citation for part 222 continues to read as follows:

    Authority 5 U.S.C. 1681b, 1681c, 1681m and 1681s; Secs. 3, 214, 
and 216, Pub. L. 108-159, 117 Stat. 1952.

0
2. Amend Sec.  222.90 by revising paragraph (b)(5) to read as follows:


Sec.  222.90  Duties regarding the detection, prevention, and 
mitigation of identity theft.

* * * * *
    (b) * * *
    (5) Creditor has the same meaning as in 15 U.S.C. 1681m(e)(4).
* * * * *
0
3. Amend Supplement A to Appendix J by revising example 3. to read as 
follows:

Appendix J to Part 222--Interagency Guidelines on Identity Theft 
Detection, Prevention, and Mitigation

* * * * *

Supplement A to Appendix J

* * * * *
0
3. A consumer reporting agency provides a notice of address 
discrepancy, as defined in 12 CFR 1022.82(b).
* * * * *

    By order of the Board of Governors of the Federal Reserve 
System, February 10, 2014.
Robert deV. Frierson,
Secretary of the Board.
[FR Doc. 2014-03264 Filed 2-19-14; 8:45 am]
BILLING CODE P