2015-27291. Removal of Transferred OTS Regulations Regarding Fair Credit Reporting and Amendments; Amendment to the “Creditor” Definition in Identity Theft Red Flags Rule; Removal of FDIC Regulations Regarding Fair Credit Reporting Transferred to ...  

  • Start Preamble

    AGENCY:

    Federal Deposit Insurance Corporation.

    ACTION:

    Final rule.

    SUMMARY:

    The Federal Deposit Insurance Corporation (FDIC) is adopting a final rule (Final Rule) to make several amendments to its regulations covering “Fair Credit Reporting.” The amendments conform FDIC Fair Credit Reporting regulations to the Dodd-Frank Act by consolidating the regulations for all institutions for which the FDIC is the appropriate Federal banking agency into a single part. The amendments also address the role of the Consumer Financial Protection Bureau in promulgating rules relating to Fair Credit Reporting.

    DATES:

    The Final Rule is effective November 27, 2015.

    Start Further Info

    FOR FURTHER INFORMATION CONTACT:

    Sandra Barker, Senior Policy Analyst, Division of Depositor and Consumer Protection, (202) 898-3615 or sabarker@fdic.gov; Jeffrey Kopchik, Senior Policy Analyst, Division of Risk Management Supervision, (703) 254-0459 or jkopchik@fdic.gov; Richard M. Schwartz, Counsel, Legal Division, (202) 898-7424 or rischwartz@fdic.gov.

    End Further Info End Preamble Start Supplemental Information

    SUPPLEMENTARY INFORMATION:

    I. Removal of Transferred OTS Regulations Regarding Fair Credit Reporting and Amendments to 12 CFR Part 334 of FDIC's Rules and Regulations

    A. Background

    The Dodd-Frank Wall Street Reform and Consumer Protection Act (Dodd-Frank Act) [1] provided for a substantial reorganization of the regulation of State and Federal savings associations and their holding companies. Beginning July 21, 2011, the transfer date established by section 311 of the Dodd-Frank Act, codified at 12 U.S.C. 5411, the powers, duties, and functions formerly performed by the OTS were divided among the FDIC, as to State savings associations, the Office of the Comptroller of the Currency (OCC), as to Federal savings associations, and the Board of Governors of the Federal Reserve System (FRB), as to savings and loan holding companies.[2] Section 316(b) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(b), provided the manner of treatment for all orders, resolutions, determinations, regulations, and advisory materials that had been issued, made, prescribed, or allowed to become effective by the OTS. The section provided that if such materials were in effect on the day before the transfer date, they continue to be in effect and are enforceable by or against the appropriate successor agency until they are modified, terminated, set aside, or superseded in accordance with applicable law by such successor agency, by any court of competent jurisdiction, or by operation of law.

    Section 316(c) of the Dodd-Frank Act, codified at 12 U.S.C. 5414(c), further directed the FDIC and the OCC to consult with one another and to publish a list of the continued OTS regulations that would be enforced by the FDIC and the OCC, respectively. On June 14, 2011, the FDIC's Board of Directors approved a “List of OTS Regulations to be Enforced by the OCC and the FDIC Pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act.” This list was published by the FDIC and the OCC as a Joint Notice in the Federal Register on July 6, 2011.[3]

    Although section 312(b)(2)(B)(i)(II) of the Dodd-Frank Act, codified at 12 U.S.C. 5412(b)(2)(B)(i)(II), granted the OCC rulemaking authority relating to both State and Federal savings associations, nothing in the Dodd-Frank Act affected the FDIC's existing authority to issue regulations under the FDI Act and other laws as the “appropriate Federal banking agency” or under similar statutory terminology. Section 312(c) of the Dodd-Frank Act amended the definition of “appropriate Federal banking agency” contained in section 3(q) of the FDI Act, 12 U.S.C. 1813(q), to add State savings associations whose deposits are insured by the FDIC (State savings associations) to the list of entities for which the FDIC is designated as the “appropriate Federal banking agency.” As a result, when the FDIC acts as the designated “appropriate Federal banking agency” (or under similar terminology) for State savings associations, as it does here, the FDIC is authorized to issue, modify and Start Printed Page 65914rescind regulations involving such associations, as well as for State nonmember banks and insured branches of foreign banks.

    As noted, on June 14, 2011, pursuant to this authority, the FDIC's Board of Directors reissued and redesignated certain transferring regulations of the former OTS. These transferred OTS regulations were published as new FDIC regulations in the Federal Register on August 5, 2011.[4] When it republished the transferred OTS regulations as new FDIC regulations, the FDIC specifically noted that its staff would evaluate the transferred OTS rules and might later recommend incorporating the transferred OTS regulations into other FDIC rules, amending them, or rescinding them, as appropriate.

    One of the OTS rules transferred to the FDIC governed OTS oversight of the Fair Credit Reporting regulations, which implemented the Fair Credit Reporting Act (FCRA),[5] in the context of State savings associations. The OTS rule, formerly found at 12 CFR part 571, was transferred to the FDIC [6] and was moved to the FDIC's rules at part 391, subpart C, entitled “Fair Credit Reporting.” Before the transfer of the OTS rules and continuing today, the FDIC's rules contained part 334, also entitled “Fair Credit Reporting,” a rule governing FDIC regulation with respect to IDIs for which the FDIC has been designated the appropriate Federal banking agency. After careful review and comparison of part 391, subpart C and part 334, the FDIC rescinds part 391, subpart C, because, as discussed below, it is substantively redundant to existing part 334 and simultaneously makes technical conforming edits to our existing rule.

    B. FDIC's Existing 12 CFR Section 334.2 and Former OTS's 12 CFR Section 571.2 (transferred to FDIC's Part 391, Subpart C, as 12 CFR Section 391.20)

    On November 22, 2005, the FDIC, OTS, OCC, FRB and NCUA (“the Agencies”) jointly published rules in the Federal Register[7] to implement section 411 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act),[8] which amended section 604 of the FCRA.[9] Section 411 of the FACT Act generally limited the ability of creditors to obtain and use medical information in connection with credit eligibility determinations and the ability of consumer reporting agencies to disclose medical information, as well as restricting the sharing of medical information and other medically related information with affiliates.[10] That section required the Agencies to issue regulations on several aspects related to the medical privacy amendment.

    Although Dodd-Frank Act transferred the 2005 medical privacy regulations to the CFPB, as discussed below, the Agencies issued a regulation in the “General Provisions” portion of the Fair Credit Reporting regulations that remains in effect in the Agencies' regulations today.

    That regulation related to “examples” issued in any regulation in the Fair Credit Reporting part. The OTS regulation, stated: “The examples in this part are not exclusive. Compliance with an example, to the extent applicable, constitutes compliance with this part. Examples in a paragraph illustrate only the issue described in the paragraph and do not illustrate any other issue that may arise in this part.” [11] The concurrently issued FDIC regulation contains identical language.[12]

    The OTS regulation issued at § 391.20 was amended slightly because it was placed in a subpart of part 391: the word “part” was replace by “subpart.” Nevertheless, the portion of the OTS regulation that applied to State savings associations and their subsidiaries, originally codified at 12 CFR part 571 and subsequently transferred to FDIC's part 391, subpart C, is substantively similar to the current FDIC regulations codified at 12 CFR part 334. Therefore, to eliminate redundancy and streamline its regulations, the FDIC rescinds and removes § 391.20.

    C. FDIC's Existing 12 CFR Section 334.83 and Former OTS's 12 CFR Section 571.83 (transferred to FDIC's Part 391, Subpart C, as 12 CFR Section 391.21)

    Section 216 of the FACT Act added a new section 628 to the FCRA that, in general was designed to protect a consumer against the risks associated with the unauthorized access to information about a consumer contained in a consumer report, such as fraud and related crimes including identity theft.[13] Specifically, section 216 required each of the Agencies, including the Federal Trade Commission (FTC), to adopt a regulation with respect to the entities subject to its enforcement authority “requiring any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from a consumer report for a business purpose to properly dispose of any such information or compilation.” [14] The FDIC, OCC, FRB and OTS jointly published their rules in the Federal Register on December 28, 2004.[15] The FDIC and OTS regulations were identical.[16] Neither regulation contained a scope provision, because each regulation referred to the respective agency's version of the Interagency Guidelines Establishing Information Security Standards, which itself contained a scope provision.[17]

    In 2007, the Agencies jointly issued rules pursuant to section 114 of the FACT Act, which dealt with identity theft “red flag” rules and rules on the duties of credit card issuers to validate notifications of changes of address under certain circumstances,[18] as discussed in more detail below. Although those regulations were nearly identical from agency to agency, the OTS unilaterally amended its disposal regulation, as part of that rulemaking, to include a scope provision.[19] The OTS explained that that amendment was nonsubstantive and technical in nature, caused by the placement of the address discrepancy regulation in the same subpart as the disposal regulation.[20] No other Agency amended its disposal regulation.

    Start Printed Page 65915

    After careful comparison of the FDIC's disposal regulation with the transferred OTS rule in part 391, subpart C, the FDIC has concluded that, with the exception of the scope provision, which now includes “State savings associations whose deposits are insured by the Federal Deposit Insurance Corporation,” [21] the transferred OTS rule is substantively redundant. Therefore, based on the foregoing, the FDIC rescinds and removes from the Code of Federal Regulations the rule located at part 391, subpart C and makes minor conforming changes to incorporate State savings associations.

    There were several ways to deal with this technical difference between the FDIC and the OTS disposal regulations, including adding a scope provision to the FDIC's disposal regulation at § 334.83, an idea that was not proposed back in 2007. Instead, because of the direct reference in the disposal regulation to the Interagency Guidelines Establishing Information Security Standards, the FDIC, through a separate final rule relating to the FDIC's Safety and Soundness regulations, 12 CFR part 364, to be issued shortly, is adopting a change in the scope provision of the FDIC's version to cover State savings associations.

    As a backstop for this and any future fair credit regulations, the FDIC is also making a change to § 334.1(b), the general scope provision of the FDIC's Fair Credit Reporting regulations, to cover State savings associations. The FDIC is also adding a definition of “State savings association” to § 334.3. That definition would have the same meaning as in section 3(b)(3) of the FDI Act, 12 U.S.C. 1813(b)(3).[22]

    D. FDIC's Existing 12 CFR Sections 334.90 and 334.91 and Part 334, Appendix J, and Former OTS's 12 CFR Sections 571.82 and 571.90 and Part 571, Appendix J (transferred to FDIC's Part 391, Subpart C, as 12 CFR Sections 391.22 and 391.23 and Part 391, Subpart C, Appendix)

    As discussed above (and in some detail below), the Agencies, in 2007, jointly issued rules pursuant to section 114 of the FACT Act, which dealt with identity theft “red flag” rules and rules on the duties of credit card issuers to validate notifications of changes of address under certain circumstances.[23] In addition to the rules required in section 114, the Agencies also jointly issued Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation.

    The FDIC's “red flag” rule, styled as “duties regarding the detection, prevention, and mitigation of identity theft,” was issued as § 334.90. The concurrently issued OTS rule was issued as § 571.90. That rule was later transferred to the FDIC rules as § 391.22. Apart from their scope provisions, the FDIC and the OTS “red flag” rules are substantively identical. As with the disposal rule, the scope of the transferred OTS rule covers “a State savings association whose deposits are insured by the Federal Deposit Insurance Corporation.” [24]

    The FDIC's “duties of card issuers regarding changes of address” regulation was issued as § 334.91. The concurrently issued OTS rule was issued as § 571.91. That rule was later transferred to the FDIC rules as § 391.23. As with the “red flag” rules, apart from their scope provisions, the FDIC and OTS change of address rules are substantively identical. The OTS rule covers “an issuer of a debit or credit card (card issuer) that is a State savings association whose deposits are insured by the Federal Deposit Insurance Corporation.” [25]

    Finally, the FDIC's Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation was issued as part 334, appendix J. The concurrently issued OTS guidelines were issued as part 571, appendix J. Those guidelines were later transferred to the FDIC rules as part 391, subpart C, appendix. The FDIC and the OTS guidelines are substantively identical.

    After careful comparison of the FDIC's rules and guidelines with the transferred OTS rules and guidelines in part 391, subpart C, the FDIC has concluded that, with the exception of the scope provisions, as set out above, the transferred OTS rules and guidelines are substantively redundant. Therefore, based on the foregoing, the FDIC rescinds and removes from the Code of Federal Regulations the rules located at §§ 391.22 and 391.23 and guidelines located at part 391, subpart C, appendix, and makes minor conforming changes in §§ 334.90 and 334.91 to incorporate State savings associations.

    II. Amendments to Fair Credit Red Flag Identity Theft Rule and Guidelines

    As discussed above, on November 9, 2007, the FDIC, OCC, FRB, NCUA, OTS, and FTC published final rules and guidelines [26] to implement the identity theft red flags provisions of section 114 of the FACT Act.[27] In addition to these agencies, the Commodity Futures Trading Commission (CFTC) and the Securities and Exchange Commission (SEC) obtained rulemaking authority for these regulations under section 615 of the FCRA, as amended by section 1088 of the Dodd-Frank Act.

    Section 615 directed the covered Agencies to issue joint regulations and guidelines requiring “financial institutions” and “creditors” to develop and implement a written identity theft program to identify, detect, and respond to possible risks of identity theft relevant to them.

    The 2007 final interagency rule (the Red Flags Rule) [28] included a definition of “financial institution,” as set forth in in section 603(t) of the FCRA, as amended in section 111 of the FACT Act.[29] That term includes “a State or National bank, a State or Federal savings and loan association, a mutual savings bank, a State or Federal credit union, or any other person that, directly or indirectly, holds a transaction account (as defined in section 19(b) of the Federal Reserve Act) belonging to a consumer.” [30]

    The Red Flags Rule [31] also included a definition of “creditor,” as set forth in section 603(r)(5) of the FCRA, as amended in section 111 of the FACT Act.[32] That definition referenced the definition of “creditor” in section 702 of the Equal Credit Opportunity Act (“ECOA”). The ECOA defines the term “creditor” broadly as “any person who regularly extends, renews, or continues credit; any person who regularly Start Printed Page 65916arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit.”  [33] The ECOA further defines “credit” as “the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor.” [34] Regulation B, promulgated under the ECOA, defines “credit” in similar terms: “the right granted by a creditor to an applicant to defer payment of a debt, incur debt and defer its payment, or purchase property or services and defer payment therefor.” [35]

    The current FDIC definition of “creditor” also expressly includes “lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies,” [36] the same definition as the joint rules issued by the OCC, FRB, OTS and FTC.

    Since the scope of the FDIC's red flag regulation covers “an insured state nonmember bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisors),” [37] the vast majority, but not all, of the entities covered by the FDIC regulation fall under the “financial institutions” definition.[38]

    In contrast, the vast majority of the entities supervised by the FTC's rule would be covered by the statutory “creditor” definition. As such, the FTC had issued guidance on the scope of that definition. For example, in a set of answers to frequently asked questions issued in June, 2009, the FTC stated: “Under the [Red Flags Rule], the definition of `creditor' is broad and includes businesses or organizations that regularly provide goods or services first and allow customers to pay later. . . . Examples of groups that may fall within this definition are utilities, health care providers, lawyers, accountants, and other professionals, and telecommunications companies.” [39] The FTC had also stated in the preamble to the final Red Flags Rule that a “broad scope of entities” was covered.[40] Similar guidance was provided in policy statements issued in 2008 and early 2009.[41] This guidance led to a law suit brought by the American Bar Association against the FTC alleging that the application of the rules to attorneys exceeded FTC's authority. Similar complaints were brought by the American Medical Association and other professionals.

    In December 2010, Congress enacted the Red Flag Program Clarification Act (Clarification Act), 15 U.S.C. 1681m(e)(4), which narrowed the scope of entities covered as “creditors” under the Red Flags Rule.[42] The Clarification Act retained the ECOA definition of “creditor,” but generally limited the application of the Red Flags Rule to those ECOA creditors that “regularly and in the ordinary course of business” engaged in at least one of the following three types of conduct:

    1. Obtaining or using consumer reports, directly or indirectly, in connection with a credit transaction; [43]

    2. Furnishing information to consumer reporting agencies in connection with a credit transaction; [44] or

    3. Advancing funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person.[45]

    The Clarification Act also expressly excluded creditors that advanced funds on behalf of a person for expenses incidental to a service provided by the creditor to that person.[46]

    Finally, in addition to limiting the scope of coverage for “creditors” by creating these specified categories, the Clarification Act empowered the Agencies to determine through a future rulemaking whether to include any other type of creditor that offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft.[47]

    When amending its Red Flag “creditor” definition in 2012, the FTC choose not to use its discretionary rulemaking to extend coverage of the Red Flags Rule to additional creditors and merely cited to the Clarification Act statutory definition.[48] The FDIC is now adopting a similar result, to amend the “creditor” definition in its Red Flags Rule to expressly cite to the Clarification Act statutory provision, 15 U.S.C. 1681m(e)(4).

    The FDIC has conferred with staff from the other Federal banking agencies, who do not object to the issuance of this final rulemaking to amend the Red Flags Rule to conform it to the Clarification Act. In fact, in May, 2014, both the OCC and the Federal Reserve Board issued final rules making the conforming change.[49] The SEC and CFTC have previously issued final rules under section 615 of FCRA that included a definition of “creditor” as set forth in the Clarification Act.[50]

    The FDIC is also adopting a technical amendment to supplement A to the guidelines that accompanied the Red Flags Rule consistent with the amendments, discussed below, to vacate the FDIC Fair Credit Reporting regulations with rule writing authority transferred to the CFPB.[51] In supplement A, the Agencies provided a list of red flags to be considered by the entities covered by the rule. One of those red flags was “[a] consumer reporting agency provides a notice of address discrepancy, as defined in § 334.82(b) of this part.” [52] Since the FDIC is vacating its regulation at 12 CFR 334.82, the FDIC is changing the citation in that red flag to the CFPB regulation: § 1022.82(b).

    III. Removal of FDIC Fair Credit Regulations Transferred to the Consumer Financial Protection Bureau

    In amending the FCRA, the FACT Act gave the FDIC, along with the other Federal banking regulators (and, in some cases, the FTC and the SEC), rule writing authority for a variety of Fair Credit Reporting regulations. Since 2004, those regulations have been promulgated on an inter-agency basis as follows:

    Title X of the Dodd-Frank Act amended a number of consumer financial protection laws, including provisions of the FCRA. In addition to substantive amendments, the Dodd-Frank Act transferred rulemaking authority from the FDIC, FRB, OCC, FTC, NCUA, and OTS for several provisions of the “Fair Credit Reporting” regulations to the CFPB, effective July 21, 2011.[54] These include the following regulations listed above: medical information; affiliate marketing; address discrepancy; and duties of furnishers of information. Those regulations were covered under 12 CFR part 334 subparts C, D, and E, as well as 12 CFR 334.82 in subpart I. The transfer also included the related Appendices, 12 CFR part 334, Appendices C and E. On December 21, 2011, the CFPB published in the Federal Register an interim final rule Regulation V, which implemented the Dodd-Frank Act amendments to the FCRA with regard to those regulations and appendices.

    As discussed above, the Dodd-Frank Act did not transfer all rulemaking authority under the FCRA. Specifically, the Act did not transfer to the CFPB the authority to promulgate: rules on the disposal of consumer information; [55] rules on identity theft red flags and corresponding interagency guidelines on identity theft detection, prevention, and mitigation; [56] and rules on the duties of card issuers regarding changes of address.[57] These existing provisions are not included in the Bureau's new Regulation V.[58]

    As a result of the of rule writing authority transferred to the CFPB, the FDIC rescinds and removes those regulations and appendices covered under the CFPB's Regulation V. In addition to the specific citations set out above, the FDIC is also rescinding and removing those parts of the Purpose and Definition provisions of the “Fair Credit Reporting” regulations that related to the substantive regulations transferred to the CFPB.[59]

    Even though there is no longer rule writing authority for those “Fair Credit Reporting” rules, the FDIC will continue to examine for compliance with the rules and take enforcement action when warranted.

    IV. Regulatory Analysis and Procedure

    A. The Paperwork Reduction Act

    In accordance with the requirements of the Paperwork Reduction Act (“PRA”) of 1995, 44 U.S.C. 3501-3521, the FDIC may not conduct or sponsor, and the respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (“OMB”) control number.

    Part of the Final Rule rescinds and removes part 391, subpart C from the FDIC regulations. This rule was transferred with only nominal changes to the FDIC from the OTS when the OTS was abolished by title III of the Dodd-Frank Act. Part 391, subpart C is largely redundant of the FDIC's existing part 334 regarding “Fair Credit Reporting” regulations, including appendix J to the part. The FDIC reviewed its burden estimates for the collection at the time it assumed responsibility for supervision of State savings associations transferred from the OTS and determined that no changes to the burden estimates were necessary. This Final Rule will not modify the FDIC's existing collection and does not involve any new collections of information pursuant to the PRA.

    The Final Rule also amends §§ 334.83, 334.90, and 334.91 to include State savings associations and their subsidiaries within the scope of part 334. The Final Rule also amends those provisions to define “State savings association.” These measures clarify that State savings associations, as well as State nonmember banks are subject to part 334. Thus, these provisions of the Final Rule will not involve any new collections of information under the PRA or impact current burden estimates.

    Part of the Final Rule would amend the “creditor” definition in the FDIC's Identity Theft Red Flag regulation in conformance with the Clarification Act. The vast majority of entities regulated by the FDIC under the Identity Theft Red Flag regulation fall under the “financial institution” definition, and, therefore, would be covered under the rule regardless of the change in the “creditor” definition. For any subsidiary of a covered financial institution not covered under the “financial institution” definition, the change to the “creditor” definition would, arguably, cover fewer, rather than more, entities. Thus, this provision of the Final Rule will not involve any new collections of information under the PRA or substantively impact current burden estimates.

    Finally, part of the Final Rule rescinds and removes those portions of 12 CFR part 334 where rule writing authority was transferred to the CFPB. This portion of the Final Rule will also not involve any new collections of information under the PRA or impact current burden estimates.

    Based on the foregoing, no information collection request has been submitted to the OMB for review.

    B. The Regulatory Flexibility Act

    The Regulatory Flexibility Act (“RFA”), requires that each federal agency either (1) certify that a proposed rule would not, if adopted in final form, have a significant economic impact on a substantial number of small entities (defined in regulations promulgated by the Small Business Administration to include banking organizations with total assets of less than or equal to $550 million), or (2) prepare an initial regulatory flexibility analysis of the rule and publish the analysis for comment.[60] For the reasons provided below, the FDIC certifies that the Final Rule would not have a significant economic impact on a substantial number of small entities.

    As discussed in the proposed rule, part 391, subpart C was transferred from OTS part 571, which governed Fair Credit Reporting. OTS part 571 had been in effect beginning in 2004, and all State savings associations were required to comply with it. Because it is basically redundant of existing part 334 of the FDIC's rules, the FDIC rescinds and removes part 391, subpart C. As a result, all FDIC-supervised institutions—Start Printed Page 65918including State savings associations and their subsidiaries—are required to comply with part 334. Because all State savings associations and their subsidiaries have been required to comply with substantially the same rules beginning in 2004, today's Final Rule would have no significant economic impact on any State savings association.

    In a similar way, portions of part 334 of the FDIC's rules were transferred to the CFPB Regulation V effective 2011. Because all FDIC supervised institutions—including State savings associations and their subsidiaries—have been required to comply with part 334 beginning in 2004, today's Final Rule would have no significant economic impact on those institutions.[61]

    With regard to the portion of the Final Rule amending the Red Flags Rule and appendix:

    1. Statement of the need for, and objectives of, the proposed rule. As noted above, the Clarification Act amended the definition of “creditor” in the FCRA for purposes of the red flags provisions. The FDIC is amending the definition of “creditor” in its Red Flags Rule to reflect the revised definition of that term in the Clarification Act. As also noted above, the FDIC is updating a cross-reference in the Red Flags Rule to reflect the CFPB's rulemaking authority for the notice of address discrepancy provisions in the FCRA.

    2. Small entities affected by the proposed rule. The Final Rule would amend the definition of “creditor” in 12 CFR 334.90 to conform to the revised definition of that term in the Clarification Act. The definition continues to refer to the FCRA definition of “creditor,” which references the ECOA definition of “creditor,” but limits the application of the red flags provisions to only those creditors that regularly and in the ordinary course of business: (a) Obtain or use consumer reports in connection with a credit transaction; (b) furnish information to consumer reporting agencies in connection with a credit transaction; or (c) advance funds to or on behalf of a person, based on an obligation of the person to repay the funds or repayable from specific property pledged by or on behalf of the person. 12 U.S.C. 1681m(e)(4)(A). Creditors that advance funds on behalf of a person for expenses incidental to a service provided by the creditor to that person are excluded from the definition. Small entity creditors that do not meet this more limited definition would no longer be covered by the rule. However, small entities that are financial institutions would still be covered by the rule, regardless of whether they meet the revised definition of creditor.

    The Final Rule also updates a cross-reference in the Red Flags Rule to reflect the CFPB's rulemaking authority for the notice of address discrepancy provisions in the FCRA. This revision would have no effect on small entities because there was no substantive difference between the FDIC definition of a “notice of address discrepancy” and the CFPB's definition.

    3. Recordkeeping, reporting, and compliance requirements. The Final Rule does not impose any new recordkeeping, reporting, or compliance requirements on small entities. Small entities that no longer meet the narrower definition of “creditor” would not have to comply with the requirements of the Red Flags Rule. However, small entity financial institutions would still be required to comply with the Red Flags Rule, regardless of whether they meet the revised definition of creditor.

    4. Other federal rules. The FDIC has not identified any federal statutes or regulations that would duplicate, overlap, or conflict with the proposed revision.

    5. Significant alternatives to the proposed revisions. The revisions to the definition of “creditor” and the cross-reference to the definition of a “notice of address discrepancy” reflect statutory changes. The FDIC does not believe there are significant alternatives to these revisions. Although the FDIC has authority to determine through a rulemaking that any other creditor that offers or maintains accounts that are subject to a reasonably foreseeable risk of identity theft is subject to the Red Flags Rule, the FDIC does not believe it is appropriate to use its discretionary rulemaking authority at this time.

    C. Plain Language

    Section 722 of the GLB Act, codified at 12 U.S.C. 4809, requires each Federal banking agency to use plain language in all of its proposed and final rules published after January 1, 2000. The FDIC received no comments on whether the Proposed Rule was clearly stated and effectively organized or on how the FDIC might make it easier to understand.

    D. The Economic Growth and Regulatory Paperwork Reduction Act

    Under section 2222 of the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (“EGRPRA”), the FDIC is required to review all of its regulations, at least once every 10 years, in order to identify any outdated or otherwise unnecessary regulations imposed on insured institutions.[62] The FDIC completed the last comprehensive review of its regulations under EGRPRA in 2006 and is commencing the next decennial review. The action taken on this rule will be included as part of the EGRPRA review that is currently in progress. The FDIC received no comments concerning whether the Proposed Rule would impose any outdated or unnecessary regulatory requirements on insured depository institutions.

    Start List of Subjects

    List of Subjects

    12 CFR Part 334

    • Fair credit reporting

    12 CFR Part 391

    • Fair credit reporting
    End List of Subjects

    Authority and Issuance

    For the reasons stated in the preamble, the Board of Directors of the Federal Deposit Insurance Corporation amends parts 334 and 391 of title 12 of the Code of Federal Regulations as set forth below:

    Start Part

    PART 334—FAIR CREDIT REPORTING

    Subpart A—General Provisions

    End Part Start Amendment Part

    1. The authority citation for part 334 continues to read as follows:

    End Amendment Part Start Authority

    Authority: 12 U.S.C. 1818, 1819 (Tenth), and 1831p-1; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s-2, 1681s-3, 1681t, 1681w, 6801 et seq., Pub. L. 108-159, 117 Stat. 1952.

    End Authority Start Amendment Part

    2. Revise § 334.1 to read as follows:

    End Amendment Part
    Purpose and scope.

    (a) Purpose The purpose of this part is to implement the Fair Credit Reporting Act.

    (b) Scope Except as otherwise provided in this part, the regulations in this part apply to insured state nonmember banks, state savings associations whose deposits are insured by the Federal Deposit Insurance Corporation, insured state licensed branches of foreign banks, and subsidiaries of such entities (except Start Printed Page 65919brokers, dealers, persons providing insurance, investment companies, and investment advisers).

    Start Amendment Part

    3. Amend § 334.3 by adding paragraph (m) to read as follows:

    End Amendment Part
    Definitions.
    * * * * *

    (m) State savings association has the same meaning as in section 3(b)(3) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(b)(3).

    Subparts C through E—[Removed and Reserved]

    Start Amendment Part

    3. Remove and reserve subparts C, D, and E.

    End Amendment Part

    Subpart I—Records Disposal

    Start Amendment Part

    4. Revise the heading for subpart I to read as set forth above.

    End Amendment Part
    [Removed and Reserved]
    Start Amendment Part

    5. Remove and reserve § 334.82.

    End Amendment Part

    Subpart J—Identity Theft Red Flags

    Start Amendment Part

    6. Amend § 334.90 by revising paragraphs (a) and (b)(5) and adding paragraph (b)(11) to read as follows:

    End Amendment Part
    Duties regarding the detection, prevention, and mitigation of identity theft.

    (a) Scope This section applies to a financial institution or creditor that is an insured state nonmember bank, State savings association whose deposits are insured by the Federal Deposit Insurance Corporation, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).

    (b) * * *

    (5) Creditor has the same meaning as in 15 U.S.C. 1681m(e)(4).

    * * * * *

    (11) State savings association has the same meaning as in section 3(b)(3) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(b)(3).

    * * * * *
    Start Amendment Part

    7. Amend § 334.91 by revising paragraph (a) and adding paragraph (b)(3) to read as follows:

    End Amendment Part
    Duties of card issuers regarding change of address.

    (a) Scope This section applies to an issuer of a debit or credit card (card issuer) that is an insured state nonmember bank, state savings association whose deposits are insured by the Federal Deposit Insurance Corporation, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, or investment advisers).

    (b) * * *

    (3) State savings association has the same meaning as in section 3(b)(3) of the Federal Deposit Insurance Act, 12 U.S.C. 1813(b)(3).

    * * * * *
    Start Amendment Part

    8. In appendix J to part 334, amend supplement A under the heading “Alerts, Notifications or Warnings from a Consumer Reporting Agency” by revising paragraph 3 to read as follows:

    End Amendment Part

    Appendix J to Part 334—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation

    * * * * *

    Supplement A to Appendix J

    * * * * *

    Alerts, Notifications or Warnings from a Consumer Reporting Agency

    * * * * *
    Start Amendment Part

    3. A consumer reporting agency provides a notice of address discrepancy, as defined in 12 CFR 1022.82(b).

    End Amendment Part
    * * * * *
    Start Part

    PART 391—REGULATIONS TRANSFERRED FROM THE OFFICE OF THRIFT SUPERVISION

    End Part Start Amendment Part

    9. The authority citation for part 391 continues, in part, to read as follows:

    End Amendment Part Start Authority

    Authority: 12 U.S.C. 1819.

    End Authority
    * * * * *

    Subpart C also issued under 12 U.S.C. 1462a; 1463; 1464; 1828; 1831p-1; and 1881-1884; 15 U.S.C. 1681m; 1681w.

    * * * * *

    Subpart C—[Removed and Reserved]

    Start Amendment Part

    10. Remove and reserve subpart C, consisting of §§ 391.20 through 391.23 and an appendix.

    End Amendment Part Start Signature

    Dated at Washington, DC, this 22nd day of October, 2015.

    By order of the Board of Directors.

    Federal Deposit Insurance Corporation.

    Robert E. Feldman,

    Executive Secretary.

    End Signature End Supplemental Information

    Footnotes

    1.  Public Law 111-203, 124 Stat. 1376 (2010).

    Back to Citation

    2.  Section 312 of the Dodd-Frank Act, codified at 12 U.S.C. 5412.

    Back to Citation

    3.  76 FR 39247 (July 6, 2011).

    Back to Citation

    4.  76 FR 47652 (Aug. 5, 2011).

    Back to Citation

    6.  The Dodd-Frank Act transferred the rule-writing authority of several parts of the “Fair Credit Reporting” regulations contained in parts 334 and 571, as well as the regulations of the OCC, FRB, and National Credit Union Administration (“NCUA”), to the newly created CFPB. See sections 1061 and 1088, codified at 12 U.S.C. 5581, 15 U.S.C. 1681 et seq. When the OTS regulations for state savings associations were transferred to part 391, only those portions of the regulation that were retained by the FDIC were included.

    Back to Citation

    7.  70 FR 70664 (Nov. 22, 2005).

    Back to Citation

    8.  Public Law 108-159, 117 Stat. 1952, 1999-2002 (2003).

    Back to Citation

    10.  70 FR at 70664.

    Back to Citation

    15.  69 FR 77610 (Dec. 28, 2004).

    Back to Citation

    17.  Id. (both regulations stated, in relevant part, “You must properly dispose of any consumer information that you maintain or otherwise possess in accordance with the Interagency Guidelines Establishing Information Security Standards . . . to the extent the Guidelines are applicable to you.”). Both the FDIC's and the OTS's Interagency Guidelines were placed in the Safety and Soundness regulations, parts 364 and 570, respectively.

    Back to Citation

    18.  72 FR 63718 (Nov. 9, 2007). That rulemaking also included rules issued pursuant to section 315 of the FACT Act, which required the Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of an address discrepancy. The rule-writing authority for that rule was given to the CFPB in the Dodd-Frank Act.

    Back to Citation

    20.  72 FR at 63739.

    Back to Citation

    21.  The scope provision of the original 2007 amendment covered all savings associations with deposits insured by the FDIC and Federal savings associations' operating subsidiaries. When the OTS disposal regulation was transferred to section 391.21, it was amended to state that the scope provision applies to “State savings associations whose deposits are insured by the Federal Deposit Insurance Corporation,” consistent with the authority given to the FDIC in the Dodd-Frank Act.

    Back to Citation

    22.  “The term `State savings association' means— (A) any building and loan association, savings and loan association, or homestead association; or (B) any cooperative bank (other than a cooperative bank which is a State bank as defined in subsection (a)(2) of this section), which is organized and operating according to the laws of the State (as defined in subsection (a)(3) of this section) in which it is chartered or organized.” 12 U.S.C. 1813(b)(3).

    Back to Citation

    23.  72 FR 63718 (Nov. 9, 2007).

    Back to Citation

    26.  72 FR 63718 (Nov. 9, 2007).

    Back to Citation

    38.  This result would be the same if the new scope provision of the Red Flags Rule as proposed in this notice of proposed rulemaking—which would add “a State savings association whose deposits are insured by the Federal Deposit Insurance Corporation”—is finalized.

    Back to Citation

    39.  See American Bar Ass'n v. Federal Trade Comm'n (“ABA v. FTC”), 671 F. Supp. 2d 64, 70 (D.D.C. 2009) (quoting Red Flags Rule: Frequently Asked Questions, http://www.ftc.gov/​bcp/​edu/​microsites/​redflagsrule/​faqs.shtm (since amended)), vacated as moot, 636 F.3d 641 (D.C. Cir. 2011).

    Back to Citation

    40.  72 FR at 63741.

    Back to Citation

    41.  See ABA v. FTC, 671 F. Supp. 2d at 69-70.

    Back to Citation

    42.  Pub. L. 111-319, 124 Stat. 3457 (2010).

    Back to Citation

    48.  See 77 FR 72712 (Dec. 6, 2012).

    Back to Citation

    49.  See 79 FR 28393, 28400 (May 16, 2014) (OCC); 79 FR 30709, 30711 (May 29, 2014) (Federal Reserve Board).

    Back to Citation

    50.  See 78 FR 23638 (Apr. 19, 2013) (SEC and CFTC joint final rules; the CFTC “creditor” definition cited the Clarification Act provision, but also specifically listed the covered entities).

    Back to Citation

    51.  12 CFR part 334, supplement A to appendix J.

    Back to Citation

    52.  Id. at 3.

    Back to Citation

    53.  As amended by the Clarification Act. See discussion above.

    Back to Citation

    54.  See sections 1061 and 1088 of the Dodd-Frank Act.

    Back to Citation

    55.  See 15 U.S.C. 1681m(e); section 1088 of the Dodd-Frank Act.

    Back to Citation

    56.  See 15 U.S.C. 1681w; section 1088 of the Dodd-Frank Act.

    Back to Citation

    57.  See 15 U.S.C. 1681m(e); section 1088 of the Dodd-Frank Act.

    Back to Citation

    58.  The Act also did not transfer rulemaking authority under the FCRA over any motor vehicle dealer that is predominantly engaged in the sale and servicing of motor vehicles, the leasing and servicing of motor vehicles, or both, subject to certain exceptions. See section 1029 of the Dodd-Frank Act.

    Back to Citation

    59.  Those provisions include part of 12 CFR 334.1 and the definitions set out at 12 CFR 334.3(a), (b), (d), (i), and (k).

    Back to Citation

    61.  When propounding its new Regulation V, the CFPB made the following representation in its Regulatory Flexibility Act discussion:

    [T]his rule has only a minor impact on entities subject to Regulation V. Accordingly, the undersigned certifies that this interim final rule will not have a significant economic impact on a substantial number of small entities. The rule imposes no new, substantive obligations on covered entities and will require only minor, one-time adjustments to certain model form. . . .

    76 FR at 79312.

    Back to Citation

    62.  Public Law 104-208 (Sept. 30, 1996).

    Back to Citation

    [FR Doc. 2015-27291 Filed 10-27-15; 8:45 am]

    BILLING CODE 6714-01-P

Document Information

Effective Date:
11/27/2015
Published:
10/28/2015
Department:
Federal Deposit Insurance Corporation
Entry Type:
Rule
Action:
Final rule.
Document Number:
2015-27291
Dates:
The Final Rule is effective November 27, 2015.
Pages:
65913-65919 (7 pages)
RINs:
3064-AE29: Transfer and Removal of OTS and CFPB Regulations Regarding Fair Credit Reporting and Amendments and Amendment to the Creditor Definition in Identity Theft Red Flags Rule
RIN Links:
https://www.federalregister.gov/regulations/3064-AE29/transfer-and-removal-of-ots-and-cfpb-regulations-regarding-fair-credit-reporting-and-amendments-and-
PDF File:
2015-27291.pdf
CFR: (5)
12 CFR 334.1
12 CFR 334.3
12 CFR 334.82
12 CFR 334.90
12 CFR 334.91