Before the
FEDERAL TRADE COMMISSION
Washington, D.C. 20580

In the Matter of

Identity Theft Red Flag and Address Discrepancies Under the Fair and Accurate Credit Transaction Act of 2003

Project No. R611019
RIN 3084-AA94

Comments of the Office of Advocacy, U.S. Small Business Administration on the Notice of Proposed Rulemaking

The Office of Advocacy of the United States Small Business Administration (Advocacy) submits these comments to the Federal Trade Commission (FTC or Commission) regarding its Notice of Proposed Rulemaking (NPRM)(1) in the above-captioned proceeding. The FTC, jointly with five other agencies,(2) issued the NPRM to implement sections of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act).(3) In the proposed rule, the agencies jointly propose guidelines for creditors on identity theft "Red Flags" which are patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The proposed rule requires financial institutions and creditors to establish reasonable policies and procedures for implementing the Red Flag guidelines as well as how to handle address discrepancies on credit reports. Advocacy offers these comments to help the FTC in assessing the impact of the implementation of this law on small businesses as well as to help the Commission in preparing a regulatory flexibility analysis for a proposed rule on identity theft.

1. Advocacy Background.
Congress established the Office of Advocacy under Pub. L. 94-305 to represent the views of small business before Federal agencies and Congress. Advocacy is an independent office within the Small Business Administration (SBA), so the views expressed by Advocacy do not necessarily reflect the views of the SBA or the Administration.
Section 612 of the Regulatory Flexibility Act (RFA) requires Advocacy to monitor agency compliance with the RFA, as amended by the Small Business Regulatory Enforcement Fairness Act.(4)

On August 13, 2002, President George W. Bush signed Executive Order 13272 requiring federal agencies to implement policies protecting small entities when writing new rules and regulations.(5) In accordance with Executive Order 13272, Advocacy may provide comment on draft rules to the agency that has proposed a rule, as well as to the Office of Information and Regulatory Affairs (OIRA) of the Office of Management and Budget.(6) Executive Order 13272 also requires agencies to give every appropriate consideration to any comments provided by Advocacy. Under the Executive Order, the agency must include, in any explanation or discussion accompanying the final rule's publication in the Federal Register, the agency's response to any written comments submitted by Advocacy on the proposed rule, unless the agency certifies that the public interest is not served by doing so.(7)

2. Overview of the Identity Theft Red Flags NPRM.
The purpose of the NPRM is to implement Sections 114 and 115 of the FACT Act. Section 114 requires agencies to prepare guidelines on how to identify and prevent identity theft and instructs the agencies to create regulations requiring creditors to create a policy for implementing those guidelines.(8) The term "creditors" is interpreted very broadly under the FACT Act and includes any extension of credit whether it be to an individual or to a business.
To implement this section, the FTC and the other agencies propose that creditors must have a written program which considers the 31 "Red Flags" identified by the agencies that could be evidence of identity theft.(9) The program must:

- identify those Red Flags that are relevant to detecting a possible risk of identity theft;
- verify the identity of persons opening accounts;
- monitor Red Flags that the creditor has identified as relevant;
- assess whether an action that triggers a Red Flag is an instance of identity theft;
- mitigate the risk of identity theft;
- train staff to implement the program; and
- oversee service provider agreements.(10)

The board of directors or senior management must exercise oversight over the program's implementation. Staff implementing the program must report at least annually to the board of directors or senior management.(11)

Section 315 requires the agencies to establish requirements for consumer reporting agencies to handle address discrepancies and for users to report confirmed and updated addresses.(12) The NPRM requires nationwide consumer reporting agencies to provide a notice of an address discrepancy to the user of a credit report if the address provided by the user in its request substantially differs from the one that the credit reporting agency has on file.(13) The NPRM also requires users of consumer credit reports to develop and implement policies and procedures for verifying the identity of a consumer if they receive a notice of address discrepancy from the credit reporting agency. Through these procedures, the user must reasonably confirm that an address is accurate and notify the consumer reporting agency of the updated address.(14)

3. The FTC Does Not Have a Factual Basis for a Certification.
Section 605(b) of the RFA permits an agency to certify that a rule will not have a significant economic impact on a substantial number of small entities if it has a factual basis for doing so.(15) The FTC recognizes that the proposed rule has the potential to impact any small business that extends credit, which could be as many as 11 million small businesses.(16) While agreeing that the number is substantial, the agency certified the rule, stating that the economic impact would be minimal as it believes the burden on most small entities will not be complex or involve resource-intensive tasks.(17)

The FTC does not provide sufficient information to create a factual basis for a certification as it provides no evidence to support its belief that the impact will be minimal. Each of the 11 million small businesses covered by the rule would be required to create a written program to address identity theft. While the scope of the impact varies for each small business, there is no factual record to support a claim that the impact will be minimal for any of the 11 million small businesses. With the expansive scope of this rulemaking, any requirement to produce a written report annually is likely to impose significant burdens and should be analyzed.

4. The NPRM Will Have a Significant Impact on Small Businesses.
Although the FTC certified, the Commission determined in the NPRM that it was appropriate to publish an initial regulatory flexibility analysis (IRFA) to inquire into the impact of the proposed regulations on small entities.(18) Advocacy agrees with the FTC's determination that it is appropriate to conduct an IRFA for this proposed rule.
To respond properly to the FTC's inquiry, Advocacy spoke with many small business associations regarding the economic impact of the proposed rules and our comment is based upon that outreach.(19)

In its estimation of time to comply with the NPRM, the Commission divided the regulated entities into two groups - those with a high risk of identity theft and those with a low risk.(20) High-risk entities are financial institutions and those that provide goods that are easily convertible into cash.(21) Low-risk entities are everyone else. For high-risk entities, the FTC estimated that implementing the program will take 31 hours with an annual recurring burden of 3 hours. For low-risk entities, the FTC estimated 40 minutes with an annual recurring burden of 15 minutes.

Small businesses believe that the economic impact of the rule will be significant. While they are supportive of the overall goals of the rulemaking, they believe that it will take low-risk entities a significant amount of time to review all 31 Red Flags and determine which are relevant to their businesses, develop the policy, write the policy, and train employees. Based upon our outreach, Advocacy estimates the time required to implement the Red Flag program for low-risk entities to be approximately 20 hours (8 hours to gather the information needed, 3 hours to assess the information, 3 hours to organize the information, and 6 hours to prepare the report) instead of the 40 minutes predicted by the FTC. Because of the lower risk of identity theft, training will only take 1 hour and the annual report will take 1 hour.

For the hourly cost to comply with the rulemaking, the FTC estimated the hourly rate for high-risk entities at $32/hour, because professional technical personnel are needed to create and implement the program. The FTC estimated the hourly rate for low-risk entities at $16/hour, because administrative support personnel would be sufficient for the task.
Based upon our outreach, Advocacy believes that the cost per hour for low-risk entities would be the same as for high-risk entities. Because all entities are required to review the same 31 Red Flags, compliance with the NPRM requires professional technical personnel regardless of whether the entity is low-risk or high-risk. The $32/hour estimate given for high-risk entities corresponds to the paperwork cost-per-hour for an owner according to research by the National Federation of Independent Business.(22)

5. The FTC Should Consider Alternatives to Minimize Impact.
In the course of its outreach, Advocacy identified several alternatives that the FTC should consider in its regulatory flexibility analysis. Because the NPRM implements sections of the FACT Act, the Commission is limited in the alternatives that it can consider. These alternatives were chosen because they are consistent with the statutory language. These alternatives are aimed at minimizing regulatory burdens for the low-risk entities, as they are the least likely to be targets of identity theft and are the least likely to have the regulatory expertise to comply with the rule.

Delay Implementation. The FTC should consider a delay in implementation of the rules for small entities. A longer period for small businesses to come into compliance would give companies that lack regulatory expertise time to review the Red Flag guidelines established by the FTC and set up their policies and procedures. Small businesses suggested a minimum six-month delay.

Shortened Red Flag List. The FTC should consider producing a shortened Red Flag list for low-risk entities. Small businesses which are high-risk entities were supportive of the Red Flag guidelines proposed by the FTC, which are targeted for their use. This is logical since they are the ones that are most likely to encounter identity theft.
While the complete list of Red Flags is needed for financial institutions and those identified as high-risk, only a subset may be relevant for low-risk entities. The FTC should review the 31 Red Flags and identify the ones that are applicable to low-risk entities. A shortened Red Flag List will minimize the time it takes for low-risk entities to comply with the rule and focus their attention on the Red Flags that the FTC believes are pertinent to them.

Certification. The FTC should consider creating a certification option for small low-risk entities. Under this option, the FTC would produce a one-page certification form that would take the place of the written report required in the NPRM. This form would state that the undersigned small business has reviewed its policy on preventing identity theft, found that there was an extremely small likelihood of such occurrence, and has taken steps necessary to prevent or mitigate it. If the FTC adopts a shortened Red Flag list, as described above, these could be listed on the form as steps necessary for certification. Making this option available to small businesses which have a low risk of identity theft will increase compliance with the rule by making it simple and efficient to do so. In addition, the FTC can state the minimum steps necessary on the certification form, which will help prevent identity theft involving low-risk entities.

Compliance Guide. While not technically an alternative, the Commission should issue a compliance guide for small businesses which would walk them through each step in the program. Because of the extensive reach of this program, many small businesses will be covered by the program that do not have professional expertise in this area. A clearly written compliance guide will help them comply while minimizing the amount of time and resources they must spend preparing their identity theft red flag program.

6. Conclusion.
Advocacy encourages the FTC to reach out to small businesses to gain more information on the economic impact of this rule. We are willing to assist the Commission in these efforts. Thank you for your consideration of these matters, and please do not hesitate to contact me or Eric Menge of my staff at (202) 205-6533 or eric.menge@sba.gov if you have questions, comments, or concerns.

Respectfully submitted,

/s/ _____________________
Thomas M. Sullivan
Chief Counsel for Advocacy

/s/ _____________________
Eric E. Menge
Assistant Chief Counsel for Telecommunications

Office of Advocacy
U.S. Small Business Administration
409 3rd Street, S.W.
Washington, DC 20416

September 18, 2006

cc: Steven D. Aitken, Acting Administrator, Office of Information and Regulatory Affairs

ENDNOTES

1. In the Matter of Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, Notice of Proposed Rulemaking, 71 Fed. Reg. 40786 (July 18, 2006).
2. The other five agencies are the Office of the Comptroller of the Currency, Department of Treasury; the Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; Office of Thrift Supervision, Department of Treasury; and the National Credit Union Administration. Because these agencies regulate financial services that are already subject to identity theft regulations, Advocacy has limited its comments to the FTC.
3. Fair and Accurate Credit Transactions Act of 2003. Pub. L. No. 108-159, 117 Stat. 1953 (200) (codified at 15 U.S.C. 1601 et seq.).
4. Pub. L. No. 96-354, 94 Stat. 1164 (1980) (codified at 5 U.S.C. 601-612) amended by Subtitle II of the Contract with America Advancement Act, Pub. L No. 104-121, 110 Stat. 857 (1996). 5 U.S.C. 612(a).
5. Exec. Order. No. 13272 at 1, 67 Fed. Reg. 53,461 (2002).
6. E.O. 13272, at 2(c).
7. Id. at 3(c).
8. 15 U.S.C. 1628(m).
9. 71 Fed. Reg. 40,788 (July 18, 2006).
10. Id. at 40,789.
11. Id.
12. 15 U.S.C. 1681(c).
13. 71 Fed. Reg. at 40,795.
14. Id. at 40,796.
15. 5 U.S.C. 605(b).
16. Id.
17. 71 Fed. Reg. at 40,805-6.
18. Id. at 40,805-6.
19. Advocacy outreach included the National Federation of Independent Business, National Association of Realtors, U.S. Chamber of Commerce, America's Community Bankers, National Multi-Housing Council, the National Association of Wholesalers and Distributors, the National Automobile Dealer's Association, and the National Retail Federation.
20. 71 Fed. Reg. at 40,800.
21. High-risk entities include consumer financial services, such as loans and credit cards, or services of value that are easily convertible to cash, such as telecommunications services or utilities.
22. National Federation of Independent Business, National Small Business Poll: Paperwork and Record-keeping (2003) http://www.nfib.com/object/4131277.html.