Code · REGISTER · 2007-11-09 · Postal Regulatory Commission · Rules and Regulations

Rules and Regulations. Final rule

BILLING CODE 8320-07-M

Vol. 72, No. 217, Friday, November 9, 2007
Rules and Regulations, Part II

POSTAL REGULATORY COMMISSION
39 CFR Parts 3001, 3010, 3015 and 3020
[Docket No. RM2007-1; Order No. 43]
Administrative Practice and Procedure, Postal Service; Final Rule

AGENCY: Postal Regulatory Commission.

ACTION: Final rule.

SUMMARY: A recently-enacted federal law directs the Commission to develop rules to implement a new postal ratemaking system. This document responds to that directive by adopting rules addressing market dominant and competitive products, including negotiated service agreements, the regulatory calendar, and product lists. Adoption of the rules allows the Postal Service and mailers to begin to exercise its options under the new law.

DATES: *Effective date:* November 9, 2007. November 20, 2007: deadline for the Postal Service to provide information necessary for further development of the Mail Classification Schedule.

FOR FURTHER INFORMATION CONTACT: Stephen L. Sharfman, General Counsel, 202-789-6820 and *stephen.sharfman@prc.gov*.

SUPPLEMENTARY INFORMATION:

Regulatory History: 72 FR 5230, February 5, 2007; 72 FR 29284, May 25, 2007; 72 FR 33261, June 15, 2007; 72 FR 50744, September 4, 2007.

I. Introduction

This order marks the end of the first phase of the Commission's efforts to develop the system of modern rate regulation contemplated by the Postal Accountability and Enhancement Act (PAEA), Public Law 109-435, 120 Stat. 3198, December 20, 2006.
The Order adopts final rules governing market dominant products, competitive products, and product lists. It represents the Commission's initial attempt to fashion a coherent set of regulations implementing the new rate-setting process, an effort that has been guided by the PAEA's bedrock principles, namely flexibility, accountability, and transparency. Throughout this rulemaking process, which began in January 2007, the parties' comments have been helpful, particularly in the latest round, sharpening the issues and suggesting alternative resolutions.
The Commission appreciates the parties' contributions. The final rules focus particularly on comments and reply comments received in response to Order No. 26, which included proposed rules for regulating rates and classes under the PAEA. 1 1 In this proceeding, the Commission has received more than 160 comments. In response to Order No. 26 alone, 58 sets of comments were filed. The Commission has carefully reviewed these comments and, where appropriate, addresses them in this Order.
The final rules differ from the proposed rules in ways designed to clarify the rules in response to these comments. Principal highlights of the Order and final rules include:

(1) Clarifying the intent of the proposed rules by specifying the content of notices of proceedings applicable to various types of filings, in lieu of uniform reliance on existing rule 3001.17;

(2) Clarifying the legal implications of Commission findings in various proceedings;

(3) Reaffirming the application of the rate cap to market dominant products;

(4) Adopting a transition rule concerning the calculation of the annual limitation in the event of a transitional rate filing;

(5) Clarifying the content of exigent rate requests;

(6) Reaffirming that each negotiated service agreement (NSA) is a separate product, but noting that functionally equivalent NSAs may, upon proper showing, be grouped as one product; and

(7) Adopting initial lists of market dominant and competitive products.

The final rules are issued almost 8 months before the statutory deadline. The rules do not purport to address every issue that might arise under the PAEA. Nonetheless, the benefits of implementing the regulations on an accelerated basis outweigh potential refinements in the rules that might be possible if the full 18-month period provided by statute were used. *See* 39 U.S.C. 3622(a) and 3633(a). With experience, the rules may be modified if deemed necessary.

With the first phase of implementing the PAEA at an end, the Commission intends to turn as quickly as practicable to issuing proposed regulations on related matters under the PAEA, including those involving complaints, reporting requirements, and commercially sensitive materials. With the basic framework now in place, the Postal Service is free to utilize new flexible pricing approaches. Pending implementation of regulations on these related matters, the Commission's existing rules will continue to apply.

II. Regulation of Market Dominant Products: Part 3010

A. Overview

The Commission appreciates the commenters' thoughtful review of proposed part 3010 and their reasoned observations. It concludes that there is a broad consensus that the proposal's overall direction comports with the PAEA's philosophy. However, it also acknowledges that commenters identify aspects of the initial effort that would benefit from clarification or correction. A considered assessment of the commenters' suggestions results, in some instances, in revisions to the rules. 2 The Commission, on its own accord, also makes editorial and conforming changes to improve the clarity and readability of the rules or to conform them more closely to official publication requirements.

2 Discussion focuses primarily on comments suggesting the need for changes.
In instances where more than one commenter presents similar suggestions, the discussion sometimes focuses mainly on one commenter's submission.

1. Note on Due Process

Review of the comments indicates that there are two broad due process concerns. One pertains to the Commission's issuance of rules implementing only some aspects of the PAEA's new regulatory framework. The other focuses on the approach reflected in specific rules in the proposals that have been issued.

The Postal Service and most commenters addressing finalization of part 3010 recognize that this is one of the first steps the Commission is taking to implement the PAEA, and that it is developing complementary regulations on related matters, such as annual reporting requirements and complaint proceedings. The Commission appreciates that commenters are being asked to assess the advisability of certain procedures prior to issuance of a comprehensive set of regulations. However, it finds that pragmatic considerations and the interest in promptly implementing PAEA policies dictate serial issuance of new rulemaking proposals, rather than a complete set. Moreover, the Commission believes that issuance of the proposed regulations in parts 3010, 3015 and 3020 at the same time has provided commenters with an adequate basis for assessing many essential initial issues. However, as Advo observes with respect to all of the Order No. 26 proposals, “* * * the true measure of their success will come when they are applied * * * to specific issues that arise in the future.” Advo Comments, September 24, 2007, at 1. The Commission recognizes this, and intends to provide an opportunity to address concerns about conflicts, gaps, or the need for other adjustments as the need arises.

As to the specific proposals, some are concerned that the approach the Commission has adopted with respect to notices, public participation, and Commission review either is not consistent with due process considerations or does not make clear that the Commission intends to honor pertinent requirements. See, for example, Valpak Comments, September 24, 2007, at 3-16 and 20-27; Medco Comments, September 24, 2007, at 4-10; OCA Comments, September 24, 2007, at 12-15, and APWU Comments, September 25, 2007, at 1-4. In brief, the Commission believes that the rules, as proposed, are consistent with pertinent due process considerations. However, it appears that there are several areas where improvements can be made to make the Commission's intentions more clear, without imposing undue burden on the Postal Service or the Commission or compromising the PAEA's new regulatory approach. Accordingly, the Commission reconsiders its approach to several matters and revises or clarifies affected rules to reflect this decision. The Commission provides a single discussion of the matter here. 2. The Role of the Administrative Procedure Act As the Commission has noted in Order No. 26, there is a tension in the PAEA between its goals of facilitating rapid and flexible adjustments to rates and classifications, and increasing the transparency and accountability of those processes. 3 The regulations that the Commission proposed to govern Postal Service notices of rate adjustment for market dominant products, as well as changes to the Mail Classification Schedule, were intended to afford opportunities for public participation that meet the basic guarantees of public participation provided for by the PAEA and the Administrative Procedure Act
(APA) (chapter 5 of title 5 of the United States Code), either explicitly or implicitly.

3 *See* PRC Order No. 26, ¶¶ 3070, 3074. This tension is readily apparent from 39 U.S.C. 3622(b)(6), which simultaneously calls for reducing the administrative burden and increasing transparency relative to the system that prevailed under the Postal Reorganization Act.

With respect to Type 1 rate adjustments, the essential features of the proposed regulations were requirements that the public receive notice of the proposed rate adjustment from both the Postal Service and the Commission (proposed rule 3010.10(a)), a 20-day period for public comment (proposed rule 3010.13(a)), and a 14-day period for the Commission to evaluate the consistency of the rates proposed with the relevant requirements of the PAEA and issue its findings (proposed rule 3010.13(c)).

*Applicability of the APA.* Medco concludes that Commission orders that determine the status of the Postal Service's rate proposals are “rulemakings” subject to section 553 of the APA. *See* 5 U.S.C. 553. It argues that rate adjustments provided for in the PAEA fall unambiguously within the applicable definition of a rule for purposes of the APA, citing 5 U.S.C. 551(4):

`[R]ule' means the whole or part of an agency statement of general or particular applicability and future effect designed to implement, interpret, or prescribe law or policy * * * and includes the approval or prescription for the future of rates. * * *

Medco Comments, September 24, 2007, at 5. Consequently, Medco notes, Commission review of rate adjustments, such as those provided for in 39 U.S.C. 3622(d)(1)(C)(ii), is informal “rulemaking” that is subject to the notice and comment requirements of 5 U.S.C. 553 of the APA. *Id.* Because a “rule” can be of either “general or particular applicability,” the definition covers the adjustments that the Postal Service might propose to both Type 1 (general) and Type 2
(NSA) rates. Section 503 of title 39 authorizes the Commission to make such rules as are “necessary and proper” to carry out its duties. That section states that Commission rules are “subject to chapters 5 and 7 of title 5.” (Section 553 of the APA is placed within chapter 5 of title 5.) Medco cites *National Easter Seal Society* v. *USPS*, 656 F.2d 754, 767 (D.C. Cir. 1981) as confirming this interpretation of what is now 39 U.S.C. 503. Because Commission orders that determine the status of postal rates are “rules,” and are subject to the requirements of 5 U.S.C. 553, Medco explains, Commission review of the Postal Service's rate adjustment proposals must satisfy the notice and public comment requirements of section 553. *Id.*, at 3. 5 U.S.C. 553 requires that an agency:

(1) Publish notice of the proposed rule in the **Federal Register**, and that it include “either the terms or substance of the proposed rule or a description of the subjects and issues involved”;

(2) “[G]ive interested persons an opportunity to participate in the rulemaking through submission of written data, views, or arguments * * *”;

(3) Consider “the relevant matter presented”; and

(4) “[I]ncorporate in the rules adopted a concise general statement of their basis and purpose.”

Medco emphasizes that complying with these section 553 obligations is mandatory unless an exception can be shown to apply. *Id.* at 7.

*The public notice requirements of section 553.* With respect to Type 1 notices of rate adjustment, Order No. 26 proposed that the Commission “publish notice of the [Postal Service rate adjustment filing] in the **Federal Register**” and “post the filing on its Website.” *See* proposed rule 3010.13(a)(1). The Commission intended that consistent with existing rule 3001.17(d), APA notice requirements would be satisfied. 4 This pattern was followed in the remainder of the rules proposed in Order No. 26 that address various forms of pre-implementation review by the Commission. Valpak asserts that this set of notice requirements would not have satisfied section 553 of the APA because the proposed rules did not expressly require that they include the terms of the proposal (*e.g.*, proposed rates) or any supporting detail. Valpak Reply Comments, October 9, 2007, at 9.

4 Order No. 26 also proposed that the Postal Service “[p]rovide public notice in a manner reasonably designed to inform the mailing community and the general public that it intends to change rates. * * *” *See* proposed rule 3010.10(a)(1). This is designed to fulfill the requirement of section 3622(d)(1)(C) of the PAEA.

Although the Commission fully expected to issue notices that complied with the content requirement of section 553, it accepts that uncertainty is diminished by specifying this intention in every applicable regulation. The Commission revises its proposed regulations governing public notices to explicitly include the categories of information that section 553 requires.
Under the final rules, the public can be assured that such notices will contain summaries of the Postal Service's proposed rate and classification-related changes in sufficient detail to satisfy the notice requirements of the APA. *See* final rules 3010.13(a), 3010.44(a), 3010.65(a), 3020.33, 3020.53, and 3020.73. 5 5 No party contested notice applicable to competitive products. *The public comment requirements of 5 U.S.C. 553* . The regulations proposed in Order No. 26 would have allowed the public 20 days from the filing of a proposed Type 1 rate adjustment to comment on whether the proposed rates comply with the rate cap provisions of the Commission's proposed rules and whether they comply “with the policies of 39 U.S.C. 3622.” *See* proposed rule 3010.13(b)(2). The regulations proposed in Order No. 26 did not specifically provide for public comment on proposed Type 2 rate adjustments. *See* proposed rule 3010.41. *Commenters' positions* . Some commenters argue that the regulations proposed in Order No. 26 provided opportunities for public comment during the pre-implementation period that went beyond what the PAEA intended. Advo Reply Comments, October 9, 2007, at 3; DFS Comments, September 24, 2007, at 2-4; and PostCom Comments, September 24, 2007, at 1-3. Another group of commenters argued that these opportunities were inadequate to honor the PAEA's directive to increase transparency and accountability in the rate-setting process, and inadequate to satisfy even the minimum requirements of the APA. APWU Reply Comments, October 9, 2007, at 1-2; Medco Comments, September 24, 2007, at 2-5; McGraw-Hill Reply Comments, October 9, 2007, at 4-5; NAA Reply Comments, October 9, 2007, at 1-5; OCA Reply Comments, October 9, 2007, at 3-4; Valpak Comments, September 24, 2007, at 2-16, 20-23; and Valpak Reply Comments, October 9, 2007, at 1-34. 
Advo argues that Congress did not contemplate, and the Commission should not allow, any public input prior to implementation of the Type 1 or Type 2 rates. It points out the PAEA provides for public comment during pre-implementation review of proposed Type 3 rates (those prompted by “extraordinary” circumstances), but makes no mention of them in the context of pre-implementation review of Type 1 and Type 2 rates. From this Advo infers that Congress meant to prohibit public participation in pre-implementation review wherever it did not expressly require it. Advo Reply Comments, October 9, 2007, at 1-3. DFS contends that no issues may be commented upon or considered by the Commission at the pre-implementation stage except compliance with the rate cap. It takes the view that the objectives and factors governing postal rate setting set out in section 3622(b) and
(c) are relevant only to the process by which the Commission designs a “modern system of ratemaking” for market dominant products. DFS Reply Comments, October 9, 2007, at 5-7.

PostCom and the Postal Service offer another rationale for reaching the conclusion that public comment on any compliance issue other than the rate cap at the pre-implementation stage conflicts with the PAEA. They argue that the scope of pre-implementation review is necessarily limited by the changed role that the Commission plays in rate setting under the PAEA. They assert that it is the role of the Postal Service rather than the Commission to balance the elaborate list of largely qualitative objectives and factors that apply to the modern system of ratemaking when proposing changes in rates. They contend that Commission review is relevant only where a clear violation of one of those objectives or factors can be demonstrated. They argue that the rate cap is the only section 3622 requirement that is concrete and objective enough to be susceptible to such a finding. Therefore, in their view, compliance with the cap is the only issue upon which public comment might be relevant to Commission review. They emphasize that the rate-setting apparatus described in 39 U.S.C. 3622(d) focuses on the rate cap and its administrative details. In particular, they note that section 3622(d) provides for a feedback mechanism to resolve only the issue of non-compliance with the rate cap. This supports the conclusion that Congress intended the rate cap and its administration to be the only concern of pre-implementation review. PostCom Reply Comments, October 9, 2007, at 1-3; and Postal Service Reply Comments, October 9, 2007, at 14-17.

A number of other commenters agree that pre-implementation public comment and Commission review should be confined to the issue of rate cap compliance.
*See* ANM/MPA Comments, September 24, 2007, at 2; NPPC Comments, September 24, 2007, at 2; Pitney Bowes Comments, September 24, 2007, at 7-8; and Time Warner Comments, September 24, 2007, at 4-5. Another group of commenters take the opposing position, namely that failing to provide an opportunity for public comment before rate or classification changes take effect, or restricting the scope of the issues that such comments may address, undermines the PAEA's objective of increasing the transparency and accountability of the rate-setting system ( *see* 3622(b)(6)) and violates section 553 of the APA. 6 They note that section 553(c) requires an agency to allow interested persons to “participate” in substantive rulemakings by submitting “written data, views, or arguments * * *” They note that section 553(c) also requires an agency order adopting a rule to include “ `a concise general statement of the basis and purpose”' after considering the “ `relevant matter”' that has been presented in the course of the rulemaking. Medco Comments, September 24, 2007, at 3. These commenters acknowledge that in addressing pre-implementation procedures in 39 U.S.C. 3622(d), the PAEA emphasizes compliance with the rate cap. But, they point out, there is no language in section 3622(d) or elsewhere in chapter 36 that excludes broader pre-implementation review by the Commission. Therefore, they argue, there is no legal ground for excluding either the objectives and factors listed in section 3622, or the general policy provisions of title 39, from pre-implementation review. Valpak Reply Comments, October 9, 2007, at 12, 20; Medco Comments, September 24, 2007, at 7; and McGraw-Hill Reply Comments, October 9, 2007, at 5. 6 *See generally* Medco and Valpak comments, and the reply comments of McGraw-Hill, NAA, the OCA, and Valpak. 
These commenters also acknowledge that expedition and flexibility in rate setting are among the PAEA's goals, and that the Commission has a good deal of discretion to set priorities with respect to which compliance issues it will focus on in the limited time it has set aside for pre-implementation review. They contend, however, that prohibiting public comment outright on statutory policies, objectives, and standards that would be affected by the rates under Commission review would not allow some compliance issues to be evaluated by APA mandated procedures. This, they suggest, would have the effect of selectively reading section 503 of title 39 (which subjects substantive Commission orders to the requirements of the APA) out of the statute. *See* Medco Comments, September 24, 2007, at 4-5, 7. It is certain, Medco and others argue, that barring public comment altogether before adopting a substantive rule violates the notice and comment guarantee of section 553 of the APA. They note that regulations proposed in Order No. 26 do not explicitly assure an opportunity for public comment with respect to amended notices of Type 1 rate adjustments, all Type 2 rate adjustments, and significant classification changes that do not require amendments to the market dominant and competitive product lists. They argue that deferring consideration of the public's views to various *post hoc* forms such as the Commission's annual compliance report required by 39 U.S.C. 3653 or a complaint filed under 3662 does not preserve the interests protected by 5 U.S.C. 553. Those interests include the chance for the public to be heard before a rule has been finalized when its comments are more likely to influence the agency's rule. *See* Valpak Reply Comments, October 9, 2007, at 6, 7, and 16. *Commission analysis* . 
The tension between the groups interpreting the PAEA as mandating little, if any, pre-implementation review of proposed changes in postal rates and classes, and those interpreting it as requiring that all issues be reviewable prior to implementation, is clear. It is equally clear that the Commission can interpret its responsibilities in a way that reconciles the flexibility and expedition that the PAEA requires with the public participation guarantees of the APA. A statute should be construed “so that effect is given to all its provisions, so that no part will be inoperative or superfluous, void or insignificant.” *Pennsylvania Medical Society* v. *Snider* , 29 F.3d 886, 895 (3d Cir. 1994). The court observed in *Citizens to Save Spencer County* v. *EPA* : [i]f inconsistent provisions point generally in a common direction, it is the task of an agency with requisite authority to pursue a middle course that vitiates neither provision but implements to the fullest extent possible directives of each, * * * 600 F.2d 844, 870 (D.C. Cir. 1979). This is particularly true if a construction can be found that will give force to and preserve all the provisions of the statute. *FDA* v. *Brown and Williamson Tobacco Corp.* , 529 U.S. 120, 133 (2000). Accordingly, the Commission reconciles those provisions of the PAEA that promote flexible and expedited rate setting with those that foster transparent and accountable rate setting. To do this, it helps to clearly identify the statutory purposes that need to be reconciled. The Commission concludes that one of Congress's main motives in enacting the PAEA was to simplify and expedite the setting of postal rates. It further concludes that Congress intended to give the Postal Service wide latitude in designing specific rates and rate relationships, expecting that the Commission would alter those decisions only where disregard of particular statutory standards is clear. 
Consequently, the Commission now plays a different role in reviewing proposed rates prior to their implementation than it has in the past. The Commission also concludes that Congress expected that a modern system for regulating rates and classes would afford the public and the Commission only a limited period of pre-implementation comment and review. This finding is supported primarily by the 45-day period of advance notice of proposed changes in rates that is referenced in section 3622(d)(1)(C). This provision indicates that Congress viewed 45 days as an adequate review period for the compliance issues that would be raised prior to implementing new rates. This implies that the pre-implementation issues with which Congress expected the Commission to deal would be few enough, or the level of scrutiny would be light enough, to allow the Commission to evaluate them adequately within 45 days. The inference is strong that Congress contemplated that complicated or subjective compliance issues would be addressed during the annual compliance review, or through the complaint procedures of section 3662. Even though Congress intended limited pre-implementation review of postal rate changes, it must be presumed that Congress was aware of 5 U.S.C. 553 and the limits it sets on the extent to which public participation can be deferred until after a rule is finalized. That APA provision is designed to ensure that the opinion of those whose interests will be affected by an agency's rules will be heard before a rule is finalized, not after. Courts have emphasized the distinction: The EPA overlooks, however, the crucial difference between comments before and after rule promulgation. Section 553 is designed to insure that [parties affected by an agency decision] have an opportunity to participate in and influence agency decision-making at an early stage, when the agency is more likely to give real consideration to alternative ideas. *United States Steel Corp.* v. 
*EPA,* 595 F.2d 207, 214 (5th Cir. 1979), rehearing granted 598 F.2d 915. 7 7 *See also,* *City of New York* v. *Diamond,* 379 F. Supp. 503, 517 (S.D.N.Y. 1974) (“Permitting the submission of views after the effective date is no substitute for the right of interested persons to make their views known to the agency in time to influence the rule making process in a meaningful way * * *”). *Accord,* *Maryland* v. *EPA,* 215, 222 (4th Cir. 1975); vacated on other grounds *sub nom.* *EPA* v. *Brown,* 431 U.S. 99 (1977). The Commission notes that neither the PAEA nor its legislative history explicitly define the scope of public input or Commission review of proposed rates prior to their implementation. It concludes that the weight of the inferences that may be drawn from the provisions of the PAEA itself indicate that Congress intended to leave room for Commission discretion in determining the degree of public input that would be afforded in the pre-implementation period, the form that it should take, and what priority the Commission would give to evaluating the public input that it decided to elicit. Given this, the most likely and most reasonable assumption is that Congress expected the Commission to give as much consideration as it could to the issues most capable of resolution in the brief period that the PAEA provides, without violating the minimum guarantees that 5 U.S.C. 553 provides. The Commission can give close scrutiny to only a limited number of compliance issues in the time available before rate changes are implemented, but it can not always predict in advance precisely which issues will be of highest priority. In recognition of that fact, the final rules adopted by the Commission require the Postal Service to address a broad range of relevant issues in any notice of rate adjustment, but clarify that the Commission focus must be primarily on the requirements of 39 U.S.C. chapter 36, subchapter 1. See final rules 3010.13 and 3010.14. 
8 8 Within the 45-day period contemplated for pre-implementation review, the Commission is likely to be able to scrutinize and reach definitive conclusions on compliance issues that are factually clear and straightforward-such as rate cap compliance, or compliance with formulas for calculating preferred rates. Commission review of more complex or nuanced issues within that timeframe is likely to be somewhat less thorough, and any conclusions that it reaches are likely to be of a preliminary nature. For that reason, final rule 3010.13(j) distinguishes between the effect of the Commission's pre-implementation findings concerning formula-determined caps and rates, and other issues. The Commission will treat its findings concerning the former as decided on the merits for purposes of subsequent proceedings, but will not attach comparable presumptions to findings concerning the consistency of a proposed change with complex or subjective policy factors. Final rule 3010.13(j) responds to a suggestion by GCA that this dichotomy be reflected in the Commission's rules. *See* GCA Comments, September 24, 2007, at 5-6. PRC Order No. 26, ¶ 2029 commented that the Commission would not entertain comments on costing methodology during the pre-implementation period. Valpak and NNA infer from this that the Commission proposed to prohibit public comments from discussing any issue that involves attributable costs. Valpak Comments, September 24, 2007, at 5; Valpak Reply Comments, October 9, 2007, at 29-34; and NNA Comments, September 24, 2007, at 8. Valpak argues that the requirement that classes and services cover their attributable costs remains a requirement of the PAEA ( *see* 39 U.S.C. 3622(c)(2)), just as it was under the Postal Reorganization Act. Valpak goes on to identify more than a dozen basic policies, objectives, and factors in title 39 that have no force unless attributable cost levels for the various classes and services are known. 
Valpak argues that it is inconsistent for the rules proposed in Order No. 26 to allow comments of section 3622 requirements generally in the pre-implementation review period, but single out costs for exclusion from consideration. The comment in Order No. 26 of which Valpak and NNA complain may not have been adequately explained. The merits of one attribution methodology relative to another is an example of an issue that is too complex to be re-evaluated in a pre-implementation context. Cost attribution methods should be reviewed in other rulemaking proceedings. Whether rates properly reflect costs will be judged using the most recently approved attribution methodologies. Final rule 3010.13 retains the 20-day period for public comment proposed in Order No. 26. Some commenters complain that Order No. 26 did not analyze the adequacy of this amount of time to afford a meaningful opportunity to respond to the issues that proposed rates might raise, as 5 U.S.C. 553 requires. Medco Comments, September 24, 2007, at 8; and Valpak Reply Comments, October 9, 2007, at 12. The adequacy of the 20-day comment period must be viewed in the context of the PAEA's goals. Major goals are to simplify and expedite the process by which rates are adjusted. Routinely enlarging the public comment period would reduce the time available to the Commission to evaluate the comments received, if it is to provide the expedition that Congress contemplated. Twenty days should be adequate to allow interested persons to identify and explain perceived failures to conform to the statutory requirements. *Type 1 and Type 2 rate adjustments compared.* The notice and comment guarantees of section 553 of the APA apply to both Type 1 and Type 2 rate adjustments. The Commission's final rules, however, still distinguish between Type 1 and Type 2 review. Where the scope of public comments and Commission orders addressing Type 1 rate adjustments primarily focus on the requirements of 39 U.S.C. 
3622(d), the scope of comments and orders addressing Type 2 rate adjustments focus on compliance with the requirements of 39 U.S.C. 3622(c)(10). Similarly, where the period for public comments addressing Type 1 rate adjustments is 20 days from the Postal Service's filing, the period for public comments addressing Type 2 adjustments is 10 days from the Postal Service's filing. This reflects the narrower potential compliance issues that Type 2 rate adjustments raise, and a lesser need for review for such adjustments. *Compare* final rule 3010.13(c) with final rule 3010.44. *Implementation dates under the APA.* Section 553(d) of the APA states that: The required publication or service of a substantive rule shall be made not less than 30 days before its effective date, except— [A] substantive rule which grants or recognizes an exemption or relieves a restriction; [I]nterpretative rules and statements of policy; or [A]s otherwise provided by the agency for good cause found and published with the rule. If one were to add the 20-day comment period to the 14-day period that the Commission will allow itself for issuing an order regarding a proposed rate adjustment, and add a 30-day waiting period before the order could take effect, the total number of days required before a proposed rate adjustment could take effect would exceed the 45 day pre-implementation period provided for in section 3622(d)(1)(C). Recognizing this possibility, DFS urges the Commission to routinely accompany its rate adjustment orders with findings that there is good cause to waive the 30-day waiting period. It argues that the Commission could base its finding of good cause on the generalized notion that the PAEA puts a high priority on allowing the Postal Service to change rates quickly. DFS Reply Comments, October 9, 2007, at 4. 
Finding good cause, however, requires a showing that a 30-day waiting period is either “impractical, unnecessary, or contrary to the public interest.” It is essentially an emergency procedure. *See Buschmann* v. *Schweiker,* 676 F.2d 352, 357 (9th Cir. 1982). 9 Since the purpose of the section 553(d) waiting period is “to give affected parties a reasonable time to adjust their behavior before the final rule takes effect” (*Omnipoint* v. *FCC,* 78 F.3d 620, 630 (D.C. Cir. 1981)), it usually requires an analysis of specific interests that will be hurt and those that will be helped by waiver of the waiting period. *See,* *for example,* *American Bankers Association* v. *National Credit Union Administration,* 38 F. Supp. 2d 114, 139, 140 (D.D.C. 1999); *Buschmann* v. *Schweiker.* *Id.* Accordingly, it would seem problematic for the Commission to require itself, by rule, to routinely determine that the factual circumstances surrounding a rate adjustment support a finding of “good cause” for waiver. The Commission properly will consider such a finding on a case-by-case basis. 9 The need to meet tight statutory deadlines has been rejected as a justification for waiving the waiting period requirement. *U.S. Steel Corp.* v. *EPA,* 595 F.2d 207, 214 (5th Cir. 1979). *Classification issues and the APA.* Several commenters criticize the rules proposed in Order No. 26 for failing to explicitly provide notice and public comment opportunities before changes in the Mail Classification Schedule are put into effect. They note the Commission's proposed rules allow for public comment before the Mail Classification Schedule is adopted, but make no provision for notice or public comment for major classification changes unless they involve amendments to the lists of market dominant or competitive products that the Commission is required to maintain under 39 U.S.C. 3642. *See* proposed rules 3020.33, 3020.53, and 3020.73.
This, they contend, violates the notice and comment guarantees of section 553 of the APA. They also note that Order No. 26 proposed rules that would require 15 days' notice from the Postal Service prior to “updating” product descriptions in the Mail Classification Schedule, but would not have provided an opportunity for public comment on these changes. *See* proposed rules 3020.90 *et seq.* They contend that major classification changes can potentially be imposed through such updates. Medco Comments, September 24, 2007, at 9-10; OCA Comments, September 24, 2007, at 15-17; McGraw-Hill Reply Comments, October 9, 2007, at 2-3; and Valpak Comments, September 24, 2007, at 4, 15-16. The Commission does not contemplate engaging in pre-implementation review of the merits of any classification change. However, to preserve Postal Service flexibility yet provide assurance that the Postal Service will not misuse the system for correcting the Mail Classification Schedule, additional opportunity for mailer comment is provided in the final rules. The Postal Service notices of planned classification changes will be posted on the Commission Web site and interested persons will be afforded the opportunity to comment. *See* chapter IV-B and rules 3020.91 through 3020.93. 3. Transparency Concerns Several commenters assert that the rules proposed in Order No. 26 are inadequate to preserve, let alone increase, the transparency and accountability of postal rate setting under the PAEA relative to the regulatory regime under the Postal Reorganization Act. They make this assertion, in large part, because the Commission has not published proposed rules specifying the information that the Postal Service will be required to provide to the Commission as part of its periodic reporting under 39 U.S.C. 3652, and the information and issues that will be covered by the Commission's annual compliance report under 39 U.S.C. 3653. 
*See,* for example, Valpak Comments, September 24, 2007, at 6; and Valpak Reply Comments, October 9, 2007, at 4. NAA observes that: [I]t is difficult to comment on * * * the proposed ratesetting rules without an understanding of how the Commission envisions the interplay between annual reporting requirements, the data submissions required to support notices of rate adjustments, and the respective roles of the reporting requirements and the complaint process. NAA Comments, September 24, 2007, at 13. The Commission anticipates issuing proposed rules soon after the close of this docket that specify the information that the Postal Service will provide in its periodic reporting under section 3652 to facilitate preparation of the annual compliance report that the Commission will provide pursuant to section 3653. Interested persons will have ample opportunity to identify the types of information that will best inform the Commission and the public, and assure the level of accountability and transparency contemplated by the PAEA. Data from the Postal Service's periodic reports under section 3652 will be available and provide the basis for pre-implementation analysis of the Postal Service's proposed rate adjustments, and will inform any complaints that might be filed by the public. The Commission is optimistic that the combination of pre-implementation review of rate changes, periodic reporting by the Postal Service, annual compliance reports by the Commission, and the complaint mechanism, all supported by the Commission's subpoena power, will serve to increase the level of transparency and accountability of postal rate setting under the PAEA relative to that which prevailed under the prior regulatory regime. Ex parte communications. In PRC Order No. 26, ¶ 2026, the Commission remarked that: [t]he Commission does not propose formal discovery, Notices of Inquiry, Presiding Officer's Information Requests, testimony, and hearings. 
It anticipates handling resolution of discrepancies or other matters through direct communication with the Postal Service. Valpak criticizes these remarks, observing that: PAEA-mandated transparency cannot be achieved by private communications, such as meetings or briefings held behind closed doors. Rather than achieving increased transparency, the result would be much-reduced transparency. Valpak Comments, September 24, 2007, at 11-12. Valpak misinterprets the Commission intentions for fact gathering during the pre-implementation review period. While the Commission does envision direct communications as an important method of promptly clarifying factual issues raised by the Postal Service's rate adjustment filings, it intends that the substance of those communications be made public in written memoranda placed in a public file. The Commission is aware that in formulating informal rules, which would include its orders determining compliance of proposed rate adjustments with the requirements of the PAEA, it must inform the public of the nature and substance of any exchanges with the Postal Service or other interested persons that address the merits of the proposed rate adjustment. The Commission anticipates issuing proposed rules regularizing ex parte procedures in the context of informal rulemakings soon after the conclusion of this docket. In the interim, if the Commission initiates ex parte communications concerning the merits of rate adjustment filings, including the accuracy of the data that support the filing, it will summarize the ex parte contact and place the summary in a public file shortly afterward. 4. Complaints In the context of this rulemaking, several commenters have expressed their views on certain aspects of the complaint process. PostCom argues that the Commission should not hear complaints against proposed rates during the 45-day notice period before a CPI increase takes effect. 
PostCom also advocates limiting the hearing of complaints under section 205 of the PAEA to the time of the annual compliance review. PostCom acknowledges that the Commission will promulgate rules governing the complaint process in the near future, yet it believes that the Commission should “nevertheless take the opportunity in this proceeding to clarify this matter.” PostCom Comments, September 24, 2007, at 2; *see also* MOAA Reply Comments, October 5, 2007, at 2, n.1. Other commenters oppose PostCom's proposed limitations on the filing of complaints on the grounds that they would unduly prejudice mail users or that the proposed limitations are contrary to the PAEA. GCA Reply Comments, October 9, 2007, at 2-5; NAA Reply Comments, October 9, 2007, at 10-13. NAA argues that the Commission should provide for expedited consideration of post-implementation complaints that allege a failure to meet the statutory conditions of 39 U.S.C. 3622(c)(10).
Several commenters contend that (1) the standard for setting a complaint for proceedings should be construed generously, and (2) an expeditious complaint procedure should be adopted. 10 Other commenters believe that the complaint procedures are outside the scope of this rulemaking and these issues should be deferred to another rulemaking. 11 10 GCA Comments, September 24, 2007, at 2-5 (incorporating by reference: GCA Comments, April 6, 2007; Joint Comments of ABM, GCA, and NAA, April 6, 2007; GCA Reply Comments, May 7, 2007; ABM, GCA, NAA, and NNA Joint Reply Comments, May 7, 2007); *see also* NAA Comments, September 24, 2007, at 11-12. 11 ANM and MPA Reply Comments, October 9, 2007, at 11; Advo Reply Comments, October 9, 2007, at 10. These comments on the complaint process raise important policy considerations. They are, nonetheless, beyond the scope of this current rulemaking proceeding. The Commission does not find it appropriate in this proceeding to make any pronouncements on certain isolated aspects of the complaint process. The Commission will shortly initiate a separate rulemaking to consider modifications to the existing rules governing complaints, *see* 39 CFR 3001.81 *et seq.*, during which all interested persons can address all such issues. The Commission believes that the best way to make important policy decisions regarding the complaint process is by dealing with all complaint related issues together on a comprehensive basis. In its comments, GCA asks the Commission to make it the “next item of business to propose and enact appropriate rules governing the complaint process * * *” GCA Comments, September 24, 2007, at 5. Another commenter echoes this plea. *See* Valpak Comments, September 24, 2007, at 6-7. The Commission acknowledges that the complaint process is of great importance to the PAEA's statutory scheme and will shortly issue proposed rules for public comment. 5. Other Considerations Free Press and *The Nation,* in joint comments, raise concerns about the impact of the Commission's proposed implementation of a new ratemaking system on Periodicals.
They say they strongly reject the notion that the Commission should take a “light-handed” approach in pursuit of values “held by the American people that are embodied in a free press that cultivates new ideas and fosters a robust political debate.” Free Press and *The Nation* Comments, September 25, 2007, at 1-2. They urge that Periodicals be considered very carefully and that rate setting reflect the unique character of publications in this subclass and their contribution to the nation. They propose that the Commission reincorporate these values into its proceeding. *Id.* at 2. 12 They also provide a summary of views on Docket No. R2006-1 to demonstrate why the Commission should “inject historical, democratic values back into its current work.” *Id.* at 2-3. This summary makes clear that they consider the outcome, for Periodicals, a reversal of public policy. 12 Dow Jones opposes any revision of the rules based on the comments of Free Press and *The Nation.* It notes: “There is no place in postal ratemaking to ignore proper cost-attribution, for otherwise, inefficiencies will be encouraged, not discouraged.” Dow Jones Reply Comments, October 4, 2007, at 3. Free Press and *The Nation* do not propose specific revision to the proposed rules. The Commission does not revise the rules to effect any additional preferences for Periodicals. The Commission notes that the regulatory calendar should provide publishers and other mailers with an increased degree of certainty about when changes will occur. Similarly, the annual limitation on rate increases should provide insulation from rate shock. B. Basic Framework for Rules on Market Dominant Products No commenter takes issue with the organizational structure the Commission has proposed for rules on market dominant products. The Commission has reviewed that structure, and finds it appropriate to adopt this framework without change; however, it makes two minor editorial revisions. 
One is a change in the caption of part 3010 from “Rules Applicable to Rate Adjustments for Market Dominant Products” to “Regulation of Rates for Market Dominant Products.” The other is a change in the caption of subpart B. 13 This entails revising the reference to “Type 1” to the more inclusive and descriptive reference to “Type 1-A and 1-B.” The intention is to make it readily apparent from a reading of the caption that the text addresses both types of filings. 13 Two commenters address other potential changes in terminology. NPMHU takes issue with the Commission's use of the term “exigent.” NPMHU Comments, September 24, 2007, at 8-10. MOAA notes that the Service's use of “customized agreement” may be more accurate than “negotiated service agreement.” MOAA Reply Comments, October 5, 2007, at 2. The Commission generally finds these points well taken, but retains the terms used in the proposed rules. They lack precision, but have met with wide acceptance in the postal community. Accordingly, part 3010, organized into five subparts, houses the text of the final rules regulating rates for market dominant products. The Commission emphasizes that although the overall organization remains the same at the part and subpart level, the number, designation, and text within the five subparts differ in some respects from the proposal, based on revisions associated with comments, Commission decisions, or on publication requirements. For example, in subpart C as adopted, a new rule 3010.29 is added to address transitional filings. This change, and others, are identified and discussed within. 
Based on the foregoing considerations, the Commission adopts the following organization and captions for the final set of regulations on market dominant products in its final rules: Part 3010—Regulation of Rates for Market Dominant Products Subpart A—General Provisions Subpart B—Rules for Rate Adjustments for Rates of General Applicability (Type 1-A and 1-B Rate Adjustments) Subpart C—Rules for Applying the Price Cap Subpart D—Rules for Rate Adjustments for Negotiated Service Agreements (Type 2 Rate Adjustments) Subpart E—Rules for Rate Adjustments in Exigent Circumstances (Type 3 Rate Adjustments) C. Subpart A—General Provisions 1. Overview Subpart A, as originally proposed, consists of a set of seven general provisions. These provisions include a standard statement (in rule 3010.1) noting that the rules in this subpart implement provisions in the PAEA related to market dominant products. They also provide that advance notice-and-review period for planned rate adjustments consists of a minimum of 45 days for adjustments other than those based on an exigency. They establish that exigency-based rate adjustments require the Postal Service to file a formal request with the Commission and state that they entail special procedures. There is more detailed development of these general points in subsequent rules. 2. Issues *Rule 3010.1.* In Order No. 26, the Commission said that the crux of the debate that had emerged over the length of time for Commission review was whether 45 days constitutes the statutory maximum or minimum. It noted that the Postal Service interpreted the language in the statute as establishing a maximum, but also had acknowledged that some changes, as a matter of good business practice, will entail considerable implementation, and that it intended to provide additional notice in these instances. PRC Order No. 26, ¶¶ 2019-21. 
Some commenters viewed the wording in the statute as establishing an absolute minimum, and therefore clearly authorizing the Commission to explicitly require the Postal Service to provide more notice. The Commission concluded that the appropriate way to implement the PAEA was to require that the Postal Service provide notice of rate adjustments no later than 45 days before the intended implementation date. Rule 3010.1, as proposed, reflects this assessment. *Commenters' positions.* Most commenters addressing this point agree with or accept the Commission's disposition. 14 Some, however, continue to express concerns about the impact of a short notice period on adjustments on mailers. The NPPC, for example, emphasizes “that the minimum notice period needed for mailers and third-party vendors to *implement* rate changes will often be considerably longer, particularly when classification changes require substantial rewriting of software.” NPPC Comments, September 24, 2007, at 5. (Emphasis in original.) Similarly, MMA considers the Postal Service's promised 90 days' notice insufficient, given implementation requirements. MMA Comments, September 24, 2007, at 5. It suggests addressing this problem by limiting index and exigent rate adjustments to rate changes, and not permitting other changes, such as new mail preparation requirements and transportation requirements, to be part of the proceedings. *Id.* at 6. 14 NNA suggests consideration be given to requiring notice in public media. NNA Comments, September 24, 2007, at 5-6. 
*Commission analysis; final rule.* The Commission agrees that both the 45 days provided in the rule and the 90 days' notice the Postal Service intends to issue allows only a brief period for assessing the Postal Service's notice and implementing the changes, but continues to believe that the proposed approach comports with the statutory language and strikes an appropriate initial balance between Postal Service flexibility and Commission review responsibilities. The Commission appreciates mailers' concerns in this regard, but considers revisions that would explicitly extend the period inappropriate at this time as they would reduce the flexibility the PAEA intends the Postal Service to have. Thus, MMA's suggestion is not accepted, although minor changes to improve clarity are made. *Rules 3010.2 through 3010.6.* This series of rules codify “type” and address general aspects of the PAEA-authorized scenarios for addressing rate changes for market dominant products. As explained in Order No. 26, the rationale for assigning types to the various scenarios is to facilitate future reporting and general discussion, and the proposal generally tracks an approach that has been successfully employed for filing library references since Docket No. RM98-2. PRC Order No. 26, ¶ 2017. *Suggested revisions.* No commenter takes issue with the overall approach in this series. However, OCA suggests, in the nature of a clarification, that the Commission revise rule 3010.2(b) by adding references to “service” and “by class of service.” It suggests the inclusion of similar references in other rules for consistency. 15 OCA Comments, September 24, 2007, at 23-24. The Commission does not find that this clarification will assist administration of the new ratemaking process. 15 OCA identifies the following rules as candidates for similar treatment: rules 3010.3(a); 3010.4(a) and (b); 3010.11(b); 3010.14(b)(4); 3010.26(b); 3010.27; 3010.28; and 3010.63(a) and (b). 
*Id.* Commenters propose two revisions in proposed rule 3010.4. The Postal Service points out that the reference to “a rate” in the second sentence of paragraph (a) of this section is not consistent with the language in the relevant provision in the PAEA. It suggests that substituting the phrase “an increase for the class” for the original wording would achieve this consistency. In addition, DMA expresses concern that the Commission has not adequately addressed the limit on application of unused rate authority for Type 1-B adjustments filed within 12 months of each other, and suggests adding language that clarifies this point. DMA Comments, September 24, 2007, at 3. The Postal Service considers this concern adequately addressed by operation of rule 3010.7. Postal Service Reply Comments, October 9, 2007, at 40.
*Commission analysis; final rule.* The Commission finds proposed rules 3010.2 and 3010.3 achieve their intended objective and adopts them without change. The Commission finds that several revisions to rule 3010.4 are warranted, based on commenters' observations. One simply reflects redesignation of proposed paragraph (b) as final paragraph (c) to accommodate a new provision. The other revisions are substantive. The first adopts the Postal Service's suggested revision to the second sentence of rule 3010.4(a). In final form, this now reads as follows: “A rate adjustment using unused rate adjustment authority may not result in an increase for the class that exceeds the applicable annual limitation plus 2 percentage points.” The second change, based on DMA's suggestion, entails the addition of a new paragraph (b), which reads as follows: “Type 1-B rate adjustments filed within 12 months of each other may not apply more than 2 percentage points of unused rate authority to any class.” The Commission adopts rule 3010.4 as revised and explained above. The Commission adopts rule 3010.5 as proposed, without change, as no commenter took issue with it and it achieves the intended objective of providing a basic statement defining Type 2 rate adjustments. *Rule 3010.6: general information about Type 3 proceedings.* This provision consists of three paragraphs. The text provides in general terms for public participation in Type 3 cases and Commission review in 90 days. Subpart E addresses Type 3 requests in considerably more detail. *Suggested revisions.* OCA proposes revision of proposed rule 3010.6(c) to address its due process concerns and consistency with the PAEA. It suggests adding an explicit reference to notice and an opportunity for a public hearing and comment. OCA Comments, September 24, 2007, at 24-25. *Commission analysis; final rule.* The Commission is revising other rules in subpart E of part 3010 to make clear its intentions with respect to due process. As this rule is only a general statement, the Commission does not find that OCA's proposed revision, even if modified to reflect the Commission's approach, appropriate. Accordingly, it adopts proposed rule 3010.6 without change.
*Rule 3010.7.* This proposed rule consists of six paragraphs addressing the regulatory calendar, which the Commission refers to as a schedule in the rules. The text provides, among other things, for development, maintenance and posting of the calendar. *Suggested revisions.* The Commission's proposed treatment of issues related to the regulatory calendar did not generate proposals for revisions, but Valpak expresses a concern about how exigent requests will mesh with the regulatory calendar and poses several potential scenarios. Valpak Comments, September 24, 2007, at 26-27. *Commission analysis; final rule.* The Commission agrees that in the event of an exigent request, it is likely the points NNA usefully raises will need to be addressed. At the same time, the Commission notes that in the interest of getting a basic framework in place for the new system, it is not practical to attempt to address every eventuality. This is especially the case with respect to exigent requests, which the Commission (and presumably most others) hope does not materialize in the near future. Accordingly, it adopts proposed rule 3010.7 without change. D. Subpart B—Rules for Rate Adjustments for Rates of General Applicability (Type 1-A and 1-B Rate Adjustments) 1. Overview Subpart B, as proposed, consists of five sections covering basic matters related to Type 1-A and Type 1-B rate adjustments. There was no objection to the proposed organization of this set of rules; therefore, the Commission carries it over into the final rules. 2. Summary The rules in this subpart, as proposed, reflect a broad range of considerations related to rate adjustments for Type 1-A and Type 1-B filings. These include, among others, the procedures to be followed by the Postal Service and the Commission (including each agency's notice requirements), the public's role, technical matters related to limits on adjustments, and the scope of Commission review. 
Several rules are affected by the Commission's decision on due process considerations. The impact mainly affects the text of rule 3010.13. 3. Issues *Rule 3010.10: procedures.* This rule, as proposed, consists of two paragraphs that set out the basic procedures associated with Type 1-A and Type 1-B rate adjustments.
Paragraph (a) establishes the minimum requirements regarding the timing and nature of notices of these two types of adjustments, as well as the filing thereof with the Commission. The notice is to be provided in a manner reasonably designed to inform the mailing community and the general public that the Postal Service intends to change rates not later than 45 days prior to the intended implementation date. Transmission of a notice of rate adjustment to the Commission is also to occur no later than 45 days prior to the intended rate implementation date.
Paragraph (b) encourages the Postal Service to provide public notice and to submit its notice of rate adjustment as far in advance of the 45-day minimum as practicable, especially in instances where the intended price changes include classification changes or operations changes likely to have material impact on mailers. *Suggested revisions.* McGraw-Hill suggests that the Commission should allow for an extension of the 45-day review period, of its own accord, or at the request of any interested party for good cause shown to the extent reasonably necessary under the circumstances. McGraw-Hill Comments, September 24, 2007, at 5. *Commission analysis; final rule.* The Commission has considered the suggestion that it should impose more explicit or extensive notice requirements on the Postal Service. At this point, it continues to believe that leaving the Postal Service with the flexibility to determine the most effective way to distribute information about planned rate adjustments is the more appropriate course. This approach can be revisited if there are serious shortcomings in the Postal Service's practice. The Commission makes one minor editorial revision to rule 3010.10(a)(2). This consists of deleting the word “rate” in the phrase “intended rate implementation date.” This deletion makes this reference consistent with rule 3010.10(a)(1). Accordingly, the Commission adopts rule 3010.10 as proposed, with the referenced editorial revision. *Rule 3010.11: limit on size of rate increases.* This rule, as proposed, consists of an introductory phrase and three paragraphs. The introductory statement provides that rate increases for each class of market dominant products in any 12-month period are limited.
Paragraph (a) notes that rates of general applicability are subject to an inflation-based limitation computed using the CPI-U values as detailed in section 3010.12.
Paragraph (b) recognizes that the PAEA authorizes an exception to the inflation-based limitation by allowing the Postal Service to make a limited annual recapture of unused rate adjustment authority. It further provides that the amount of unused rate authority is measured separately for each class of mail.
Paragraph (c) provides that in any 12-month period the inflation-based limitation combined with the allowable recapture of unused rate authority equals the price cap applicable to each class of mail.
OCA suggests revising paragraph (c) to conform it to the description of the price cap in proposed rule 3010.28. OCA Comments, September 24, 2007, at 25. *Commission analysis; final rule.* The Commission has considered OCA's suggestion, but finds such a change unnecessary. Accordingly, it adopts the language of rule 3010.11 as proposed without change; however, it designates the introductory statement as paragraph (a) to conform the format to other rules, and redesignates the remaining paragraphs.
*Proposed addition to rate increase limitation.* Some commenters pursue the Commission's decision not to attempt to develop an adjustment to CPI-U, based on service deterioration or other considerations such as mail makeup requirements. ANM/MPA and NPPC observe that there is broad consensus among mailers that an index adjustment is necessary. They note that the principle involved is straightforward, even if a method has not been presented yet. They suggest adding to the weighted average change in rates for each class the additional costs imposed by changes in Postal Service mail preparation requirements and the diminution of economic value caused by changes in the quality of service. They assert that the magnitude of the adjustment (if any) could depend on evidence developed in a complaint or annual compliance proceeding. They recognize that fleshing out the details of an adjustment mechanism will become more practical once service standards and performance measurement systems are in place. They therefore urge that the issue be revisited as soon as possible after that occurs. ANM/MPA Comments, September 24, 2007, at 4-6; and NPPC Comments, September 24, 2007, at 7-8. Pitney Bowes notes that in addition to the need for an adjustment factor to account for service degradation and additional mail preparation requirements, the Postal Service could also unfairly charge mailers for technological or other innovative enhancements to mail that increase its value, but impose no costs on the Postal Service. It asserts that charging for “value added” by mailers is equivalent to a tax on innovation and should be discouraged. It notes that either path would frustrate the purpose of the annual limitation and undercut the intended discipline of the price cap on operational efficiency. Pitney Bowes Comments, September 24, 2007, at 11-12.
DMA seeks inclusion of a general, but clear, statement that the CPI number upon which annual increases will be based assumes no change in service standards, actual performance, or make-up requirements, and that any such change will result in an adjustment to that number. DMA Comments, September 24, 2007, at 8-9. McGraw-Hill also seeks an affirmative indication from the Commission, to affirm in its rules that its remedial authority after an annual compliance review extends to rolling back the price cap or any unused rate adjustment authority if and as appropriate, to mitigate any wide and sustained deterioration in service (or cost shifting to mailers). McGraw-Hill Comments, September 24, 2007, at 8-9. NNA suggests that this proposal be considered in a future service standards rulemaking. NNA Comments, September 24, 2007, at 10. The Postal Service opposes any revision in the rules to address these concerns not only on the grounds the Commission expressed in Order No. 26 (relating to lack of a method and the need to develop rules on this issue), but also on grounds that the PAEA provides no legal foundation for such an adjustment. It urges the Commission to adhere to this position as well, and let experience determine whether additional regulations in this area prove necessary. USPS Reply Comments, October 9, 2007, at 45-46. *Commission analysis.* The Commission recognizes that this is of concern to mailers. Nevertheless, the Commission continues to conclude that any attempt to develop an adjustment factor based on service performance could be premature at this time. *Rule 3010.12: source of CPI-U data.* This rule, as proposed, consists of a two-sentence paragraph explaining that the source of the monthly CPI-U values for the calculation of the annual limitation is the Bureau of Labor Statistics
(BLS) Consumer Price Index—All Urban Consumers, U.S. All Items, Not Seasonally Adjusted, Base Period 1982-84 = 100. It also identifies the current series identification number. No commenter suggested any revision to this rule. The Commission adopts proposed rule 3010.12 without revision. *Rule 3010.13: Type 1-A and Type 1-B proceedings.* This rule, as proposed, consists of five paragraphs addressing proceedings for the two referenced types of adjustment filings. It addresses a considerable range of responsibilities on the part of the Postal Service and the Commission, and identifies the rights of the public in terms of public participation. The discussion at the outset of this order noted and addressed many commenter suggestions regarding notice and public comments. There are some additional suggestions not directly addressed in the earlier discussion. For example, OCA proposes revising rule 3010.13(b)(1) to make it clear that comments may address planned rate adjustments that exceed the annual limitation. *Id.* NAA suggests a revision in this same rule to include a reference to 39 U.S.C. 403(c). NAA Comments, September 24, 2007, at 13-15. MOAA opposes NAA's suggestion on grounds of redundancy. MOAA Reply Comments, October 5, 2007, at 4-5. The Commission does not adopt these suggestions. *Commission analysis; final rule.* Most of the revisions in rule 3010.13 flow from the Commission's decision to make its intentions with respect to ensuring adequate due process more clear. The Commission concludes that the approach it adopts is consistent with the PAEA. Proposed paragraph
(a) provides that the Commission will establish a docket for each rate adjustment filing, promptly publish notice of the filing in the **Federal Register**, post the filing on its Web site, and allow 20 days from the date of the filing for public comment. The Commission revises this rule to make its intentions with respect to due process and related considerations more clear, based on the rationale set out previously. This paragraph, as revised and adopted, provides that the Commission's notice shall include the general nature of the proceeding; a reference to legal authority to which the proceeding is to be conducted; a concise description of the planned changes in rates, fees, and the Mail Classification Schedule; identification of an officer of the Commission to represent the interests of the general public in the docket; a period of 20 days from the date of the filing for public comment; and such other information as the Commission deems appropriate. Rules 3010.13(b) and
(c) will be discussed together. Proposed rule 3010.13(b) invites public comments on whether planned rate adjustments are consistent with the annual limitation on increases (in subpart (1)) and the policies of 39 U.S.C. 3622 (in subpart (2)). Proposed rule 3010.13(c) then provided for a Commission order on whether the planned rate adjustments were consistent with the annual limitations on rate increases established in 39 U.S.C. 3622(d). Consistent with the previous discussion on APA requirements, and upon consideration of the extensive arguments presented on the proper scope of public comments and Commission action under these two rules, the Commission has determined to clarify its expectations by redrafting subparts
(b) and
(c) of the rule. Rule 3010.13(b) now makes more clear that the primary focus of public comment should be on the mandatory requirements of the PAEA subchapter detailing provisions relating to market dominant products. The two subparts now accurately cross-reference rules implementing the two mandatory annual limitations on rate increases established in 39 U.S.C. 3622(d). Rule 3010.13(c), as redrafted, continues to provide for a Commission decision within 14 days, and now specifies that the Commission will address the statutory requirements related to the annual limitation on rate increases, the limits on the recapture of unused rate authority, and certain statutory rate preferences codified in that subchapter. Rule 3010.13(c) is further clarified by changing “and issue a notice and order announcing its findings” to “an order announcing its findings.” An identical conforming change is made in rule 3010.13(g). The text of new paragraph (d), which was formerly a subpart under paragraph (c), in addition to reflecting the clarified scope of the Commission's review, is also revised to provide that rate adjustments that are in compliance may take effect “pursuant to appropriate action by the Governors”. *See* 39 U.S.C. 404(a). Former paragraph
(d) is similarly clarified and retained as new paragraph (h). New paragraph
(f) reflects the Commission's decision to post any amended notice of rate adjustment on its Web site and allow a period of 10 days from the date of the filing for public comment. This reflects the Commission's decision to more clearly specify potential procedural processes. In paragraph (g), the text is revised to affirmatively note that the Commission will review the public comments, as well as the amended notice. The Commission adds a new paragraph
(j) to clarify that for purposes of subsequent proceedings, certain Commission conclusions with respect to the planned adjustments will be considered findings on the merits, and others provisional and subject to challenge. Conclusive findings are those related to compliance with the annual limitation set forth in rule 3010.11; the limitations set forth in rule 3010.28; and the requirements of 39 U.S.C. 3626, 3627, and 3629. The Commission rejects the suggestion to disallow complaint filings related to the planned adjustments during the pendency of compliance reviews. This is based, in part, on the conclusion that 39 U.S.C. 3662 does not include any restriction or limitation on filing time. While a limitation may not be strictly prohibited, the Commission finds it should be hesitant to foreclose complaints. In addition, it is developing complaint rules that will provide a better forum for considering this issue. The Commission declines to adopt NAA's suggestion that an explicit reference be added in this rule to 39 U.S.C. 403(c). The same considerations are already covered in the rule. *Rule 3010.14: contents of rate adjustment notice.* This section, as proposed, consists of three paragraphs. Paragraph
(a) is a general provision requiring a Postal Service notice of rate adjustment to include a schedule of proposed rates; the planned effective date(s) of the proposed rates; a representation or evidence that public notice of the planned changes has been issued or will be issued at least 45 days before the effective date(s) for the proposed new rates; and the identity of a responsible Postal Service official who will be available to provide prompt responses to requests for clarification from the Commission. Paragraph
(b) requires and describes supporting technical information and justifications that are to accompany the notice of rate adjustment. This pertains to CPI-U calculation; a schedule showing unused rate authority available for each class of mail displayed by class and available amount for each of the preceding five years; the percentage change in rates for each class of mail calculated as required by the Commission; the amount of new unused rate authority, if any, that will be generated by the rate adjustment calculated as required by the Commission; and, if new unused rate authority will be generated for a class of mail that is not expected to cover its attributable costs, an explanation of the rationale underlying this rate adjustment. It also requires a schedule of the workshare discounts included in the proposed rates; a companion schedule listing the avoided costs that underlie each such discount; a separate justification for all proposed workshare discounts that exceed avoided costs; identification and explanation of discounts that are set substantially below avoided costs focusing on any relationship between discounts that are above and those that are below avoided costs; a discussion addressing how the planned rate adjustments will help achieve the objectives listed in 39 U.S.C. 3622(b) and properly take into account the factors listed in 39 U.S.C. 3622(c); and such other information as the Postal Service believes will assist the Commission to issue a timely determination of whether the requested increases are consistent with applicable statutory policies. Proposed paragraph
(c) addresses new workshare discounts. It provides that whenever the Postal Service establishes a new workshare discount rate, it must include with its filing a statement explaining its reasons for establishing the discount; all data, economic analyses, and other information believed to justify the discount; and a certification based on comprehensive, competent analyses that the discount will not adversely affect either the rates or the service levels of users of postal services who do not take advantage of the discount. Proposed paragraph
(d)addresses the type of information that is required to be provided when only Type 1-B rate adjustments are proposed. It provides that the notice of rate adjustment shall identify for each affected class how much existing unused rate authority is used in the proposed rates calculated as required by rule 3010.27. It states that all calculations are to be shown, including citations to the original sources. *Suggested revisions.* Suggestions related to this proposal differ on the amount and type of information the Postal Service should provide in its notice of adjustment, and run in opposite directions. Some say workshare information should not be required, or language should be revised to be less sweeping. Others, based either on due process considerations or on a general interest in more information and explanation, suggest adding more requirements to rule 3010.14. One of these is a proposal to require a schedule identifying every change in the Mail Classification Schedule that will be needed to implement the planned adjustments. OCA asserts that proposed rule 3010.14(b)(4) may not sufficiently ensure that rates will satisfy the “requirement” of 39 U.S.C. 3622(c)(2) that each class or type of mail service bear its direct and indirect attributable costs. It expresses concern that the proposed rule may allow the requirement to be “explained away[.]” It proposes that the Postal Service be required to increase rates the full amount possible under the CPI-U cap, plus any allowable banked authority, for any class that fails to cover its attributable costs. OCA Comments, September 24, 2007, at 18-22. Valpak argues that the proposed rule should go further to require the Postal Service to provide more detail as to how the rates will move towards eliminating any cross-subsidy. Valpak Comments, September 24, 2007, at 17-20. In contrast to its opposition to proposals that would allow 39 U.S.C. 
3622(c)(2) to trump the rate cap, ANM/MPA find OCA's proposal to require the rates for a class that is below attributable cost to increase by the maximum amount of the CPI-U cap, plus banked authority “quite reasonable.” ANM/MPA Reply Comments, October 9, 2007, at 7. The Postal Service sees the styling of 39 U.S.C. 3622(c)(2) as a “requirement” as an indication that its importance is elevated above that of the other factors of 39 U.S.C. 3622(c). It concludes that “§ 3622(c)(2) should be interpreted as requiring that each ‘class’ of market-dominant mail cover its attributable costs.” Postal Service Reply Comments, October 9, 2007, at 46-47. Time Warner discusses the issue at length and concludes that, at least for the time being, the proposed rules adequately address it. Time Warner Reply Comments, October 9, 2007, at 11-23. APWU recommends that the Commission establish procedures for making a finding of compliance or non-compliance for workshare discounts prior to the annual compliance review. APWU acknowledges that the 45-day review period associated with notices of rate adjustments does not lend itself to an in-depth review of workshare discounts, but it recommends that the Commission “evaluate workshare discounts early in the process[.]” APWU Comments, September 25, 2007, at 5. On reply, several commenters oppose this suggestion on the grounds that it would undermine the streamlined rate-setting process contemplated in the PAEA. Advo Reply Comments, October 9, 2007, at 4; ANM/MPA Reply Comments, October 9, 2007, at 4; and NAPM Reply Comments, October 9, 2007, at 3. The Postal Service claims that additional procedures are not necessary because it intends to compare workshare discounts with cost avoidance numbers from the previous annual review and provide the required justifications. Postal Service Reply Comments, October 9, 2007, at 54-55. *Commission analysis; final rule.* The Commission does not find it necessary to develop separate procedures at this time. 
Rule 3010.14 will assure that interested persons can evaluate workshare discounts in a timely fashion, and the Postal Service has committed to preparing and providing appropriate justifications. If this system proves inadequate, the Commission will elicit specified suggested remedies. 39 U.S.C. 3622(e)(2)(B) provides that any discount above cost avoided must be phased out over time. Therefore, according to APWU, the regulations should require the Postal Service to explain how it will eliminate any passthroughs that are above 100 percent. APWU Comments, September 25, 2007, at 6. NAPM opposes this assertion, claiming that such a requirement would effectively ignore the limited exceptions allowed in 39 U.S.C. 3622(e)(2)(A)-(D). NAPM Comments, October 9, 2007, at 3. *See also* Pitney Bowes Reply Comments, October 9, 2007, at 4. The Commission views the provisions in 39 U.S.C. 3622 as a means to foster pricing flexibility, reduce burden, and facilitate swift rate changes. Requiring the Postal Service to plan specifically how it intends to reduce excess discounts in the future is inconsistent with this purpose. NPPC notes “the Commission should clarify that the cap on worksharing discounts established by 39 U.S.C. 3622(e)(2) has five exceptions, not just the four listed in Order No. 26 ¶ 2037 n.10.” NPPC Comments, September 24, 2007, at 3. Footnote 10 of Order No. 26 was intended to summarize the four specific exceptions to 39 U.S.C. 3622(e)(2):
(2) Scope.—The Postal Regulatory Commission shall ensure that such discounts do not exceed the cost that the Postal Service avoids as a result of workshare activity, unless—
(A) the discount is—
(i) associated with a new postal service, a change to an existing postal service, or with a new work share initiative related to an existing postal service; and
(ii) necessary to induce mailer behavior that furthers the economically efficient operation of the Postal Service and the portion of the discount in excess of the cost that the Postal Service avoids as a result of the workshare activity will be phased out over a limited period of time;
(B) the amount of the discount above costs avoided—
(i) is necessary to mitigate rate shock; and
(ii) will be phased out over time;
(C) the discount is provided in connection with subclasses of mail consisting exclusively of mail matter of educational, cultural, scientific, or informational value; or
(D) reduction or elimination of the discount would impede the efficient operation of the Postal Service.

39 U.S.C. 3622(e)(2)(A)-(D). The Commission is quite aware that 39 U.S.C. 3622(e)(3) includes a limitation on reducing worksharing discounts that are already in place. Presumably, this limitation is the fifth exception that NPPC refers to:
(3) Limitation.—Nothing in this subsection shall require that a work share discount be reduced or eliminated if the reduction or elimination of the discount would—
(A) lead to a loss of volume in the affected category or subclass of mail and reduce the aggregate contribution to the institutional costs of the Postal Service from the category or subclass subject to the discount below what it otherwise would have been if the discount had not been reduced or eliminated; or
(B) result in a further increase in the rates paid by mailers not able to take advantage of the discount.

Proposed rule 3010.14(b)(6) makes specific reference to the limitations contained in both 39 U.S.C. 3622(e)(2) and (3). No further clarification of this area is required. Proposed rule 3010.14(b)(6) requires the Postal Service to “identify and explain discounts that are set substantially below avoided costs.” Pitney Bowes suggests that the word “substantially” be removed from this section. It claims that this modification would encourage the use of efficient component pricing as a guiding principle and promote productive efficiency. Pitney Bowes also notes that the word “substantially” is open to interpretation and removing it would avoid uncertainty. Pitney Bowes Comments, September 24, 2007, at 2-3. On reply, Stamps.com concurs with Pitney Bowes while APWU and the Postal Service oppose the suggestion. Stamps.com Reply Comments, October 9, 2007, at 4; and APWU Reply Comments, October 9, 2007, at 3-6. The Postal Service explains: [T]he Postal Service has some concerns about the Commission's proposal to require an explanation of any discounts “substantially below” avoided costs. * * * Understanding, however, that the Commission is attempting to navigate through a wide variety of competing concerns in developing an entirely new system, the Postal Service was willing [to] accept the rule as proposed as a practical compromise, which would still allow the Postal Service to achieve a workable balance for rate design purposes. If, however, the word “substantially” were removed as Pitney Bowes advocates, this balance would be upset. A system designed to presumptively lock-in all workshare passthroughs at exactly 100 percent of avoided costs would remove much of the flexibility that a price cap system is intended to achieve. Postal Service Reply Comments, October 9, 2007, at 50.
The Commission purposefully included the word “substantially” in the rule so that the Postal Service would not be required to explain reasonable passthroughs of less than 100 percent that were due to rounding, or other similar rate design goals. Therefore, the wording will remain in the rules. If in the future the word “substantially” requires clarification, a more detailed and precise definition can be crafted. Pitney Bowes suggests that efficient component pricing concepts should be extended to cost differences not strictly related to worksharing. It suggests that when the Postal Service departs from cost-based rate design, it should be required to explain its reasons for doing so. Pitney Bowes Comments, September 24, 2007, at 4. The Commission has used efficient component pricing as a guiding principle in rate design; however, the PAEA does not specifically require it for rate differences not related to worksharing. NPPC suggests the Commission clarify that the term “workshare discounts” refers solely to presorting, prebarcoding, handling, and transportation. It argues that some discounts for cost saving activities performed by mailers should not be subject to worksharing rules. NPPC Comments, September 24, 2007, at 2-3. Pitney Bowes and NAPM support this suggestion. Pitney Bowes Reply Comments, October 9, 2007, at 3; and NAPM Reply Comments, October 9, 2007, at 2. APWU opposes this suggestion on the grounds that the suggestion seems to be designed to avoid appropriate scrutiny for some types of discounts. This could have detrimental effects on the Postal Service and other users of the mail. APWU Reply Comments, October 9, 2007, at 7. In its explanation of the proposed rules the Commission acknowledges that the PAEA defines worksharing as activities related to four broad areas. 
However, the Commission finds that it is unnecessary and premature to explicitly decide what types of justification beyond those provided for in rule 3010.14(b), if any, would be necessary to support other rate distinctions. In rule 3010.14(c), the Commission proposes a procedure for establishing new workshare discounts. This rule directs the Postal Service to provide certain information including the reasons for establishing the new discount, analysis supporting establishment of the new discount, and certification that the discount will not adversely affect other mailers. Section 3010.14(c)(2) requires the Postal Service to provide, “all data, economic analysis, and other information believed to justify the discount.” Stamps.com Comments, September 24, 2007, at 4 finds this language to be overbroad and contends that the Postal Service should only be required to provide the data that it formally relied on in developing the discount. The Commission did not contemplate that the Postal Service would have to provide a laundry list of possible justifications. Rather, the Postal Service should provide only the information it relied on in developing the discount. The word “believed” has been changed to “relied on” to clarify the intent of this subsection. NPPC asserts that the Postal Service should not be required to certify that the new worksharing discount will not adversely affect other mailers. In making this assertion, NPPC argues that nothing in the PAEA supports this regulation. It claims that new worksharing discounts are often designed to correct existing cross-subsidies and therefore do have negative impacts on other mailers' rates. NPPC Comments, September 24, 2007, at 4. *See also* Stamps.com Reply Comments, October 9, 2007, at 1-2. To illustrate its point, NPPC cites a discussion in the Commission's Second Opinion and Recommended Decision on Reconsideration in Docket No. R2006-1 related to the letter/flat differential. 
This reference is of limited value as workshare discounts, as defined in the PAEA, do not include shape-based differences. The intent of proposed rule 3010.14(c)(3) is to ensure that the Postal Service complies with 39 U.S.C. 3622(e)(4)(C) when designing new worksharing discounts. This section requires the Postal Service to certify “that the discount will not adversely affect rates or services provided to users of postal services who do not take advantage of the discount rate.” GCA correctly describes the intent of the rule: The phrase “workshare discount,” properly understood, refers to a price concession reflecting (ideally at 100 percent passthrough) cost savings to the Postal Service generated by substitution of mailer activity for *work that the Postal Service would otherwise have had to perform.* If the discount is properly designed, and does pass through 100 percent of the savings, then a mailer who does not take advantage of it is not enjoying an “internal cross-subsidy.” So far as the workshared mail is concerned, the Postal Service is shedding costs precisely equal to the revenue it gives up by reason of the discount. In other words, the Service is (as it should be under efficient component pricing) indifferent as to whether it or the mailer performs the function on which the discount is based. GCA Reply Comments, October 9, 2007, at 6. (Footnotes omitted; emphasis in original.) *Commission analysis; final rule.* The Commission retains rule 3010.14 largely as proposed, but makes several revisions in response to commenters' suggestions on other matters. The first change is to rule 3010.14(b)(4). 
The Commission revises this provision by changing the words “should explain” in the last sentence to “must provide.” As adopted in final form, the last sentence now reads: “If new unused rate authority will be generated for a class of mail that is not expected to cover its attributable costs, the Postal Service must provide the rationale underlying this adjustment.” This does not precisely track OCA's suggestion that the Postal Service should be required to make an adjustment in circumstances where attributable costs are not covered, but strengthens the existing approach. The Commission anticipates that the Postal Service will make every effort to ensure that classes of mail recover their attributable costs including, if necessary, using its full authority to increase rates under the cap. The final rule allows the Postal Service to provide an explanation should it somehow not be possible to do so. The second change is to rule 3010.14(b)(7), where the Commission conforms the language to its decision on the scope of the compliance review. Accordingly, this paragraph, as adopted, reads as follows: “A discussion that demonstrates how the planned rate adjustments are designed to help achieve the objectives listed in 39 U.S.C. 3622(b) and properly take into account the factors listed in 39 U.S.C. 3622(c).” A related change, also consistent with the decision on scope of review, is the addition of new rule 3010.14(b)(8). This provision reads as follows: “A discussion that demonstrates the planned rate adjustments are consistent with 39 U.S.C. 3626, 3627 and 3629.” The next change is the addition of a new requirement, rule 3010.14(b)(9), that the Postal Service provide a schedule identifying every change to the Mail Classification Schedule that will be necessary to implement the planned rate adjustments. This addition responds to Valpak's suggestion. The addition of these provisions requires redesignating proposed rule 3010.14(b)(8) as rule 3010.14(b)(10). 
This affects only the paragraph designation, not the text. The Commission retains paragraph
(c)largely as proposed, but revises rule 3010.14(c)(2) as discussed above. Accordingly, the Commission adopts proposed rule 3010.14 as final, with the referenced revisions. E. Subpart C—Rules for Applying the Price Cap Subpart C, as proposed, consists of nine rules focused primarily on essential aspects of price cap administration. These rules are more technical than the others in part 3010, as most involve calculations. The Commission has attempted to make the rules understandable to lay readers. *Structure.* There was no opposition to the proposed format of this subpart. However, the Commission, in response to a suggestion, adds a new rule 3010.29 to address the possibility of a transitional filing using Postal Reorganization Act procedures. *Rule 3010.20: test for compliance with the annual limitation.* This rule, as proposed, addresses how to calculate the statutory price cap mechanism. It resolves a debate over whether the moving average method or the point to point method should be used. The rule reflected adoption of the moving average method. It did not reflect a requested adjustment for service degradation or costs associated with mail preparation and related activities. *Suggested revisions.* Several commenters continue to express concern about the absence of an adjustment factor to account for the impact of certain developments. See, for example, DMA Comments, September 24, 2007, at 8-9; NPPC Comments, September 24, 2007, at 6; Pitney Bowes Comments, September 24, 2007, at 11-12; and ANM/MPA Comments, September 26, 2007, at 4-5. ANM/MPA further suggests a that could be used to make such an adjustment, thereby addressing one consideration the Commission mentioned in Order No. 26. *Id.* at 5. DMA also believes the cap should reflect any degradation in service. 
It proposes that the Commission state that the CPI number that forms the basis for the planned changes assumes no change in service standards, actual performance, or makeup requirements, and that any such changes will result in an adjustment to that factor. DMA Comments, September 6, 2007, at 7-8. *Commission analysis; final rule.* The Commission continues to believe that it is not appropriate to include the requested adjustment in its rules at this time. It reiterates that the statute establishes a system of accountability through increased transparency, and that an anticipated rulemaking on annual reporting requirements will include data on service achievement. It also notes that if experience shows that additional regulations are needed to achieve the objectives of the legislation, the Commission is obligated to develop appropriate regulations or recommend legislative changes to Congress. *Rule 3010.21: Calculation of annual limitation.* This rule, as proposed, consists of two paragraphs explaining how the annual limitation is calculated and setting out the formula. On behalf of Advo, Antoinette Crowder and William C. Miller present an alternative method of calculating the annual inflation cap (cap). 16 Crowder and Miller calculate the cap by first computing the percentage change in the CPI-U for each of the 12 preceding months over the same period last year (SPLY), and then take the simple average of these percentages. The Commission's proposed rule calculates the cap by first computing two sequential, 12-month simple averages of the CPI-U that are 12 months apart (referred to as Recent and Base Averages), and then takes the percentage change in these averages. *See* rule 3010.21. Both methods utilize the preceding 24 monthly values of the CPI-U. The Crowder and Miller method can be characterized as a month-SPLY method, while the Commission's method can be characterized as a year-SPLY method. 16 Statement of Antoinette Crowder and William C. 
Miller in Response to Commission Order No. 26, September 24, 2007 (Crowder and Miller). *Commission analysis.* Crowder and Miller contend that the Commission's method yields a biased measure of inflation and that their method is statistically superior to the Commission's method. Crowder and Miller at 11. The Commission does not find the criticism of Crowder and Miller sufficiently compelling to change its proposed cap calculation for the following reasons. First, the Commission uses the same as the Bureau of Labor Statistics to calculate the annual percentage change in the CPI-U so it is officially accepted for this purpose. 17 Until the Commission finds that this method of calculating annual percentage changes in the CPI-U is faulty in some meaningful fashion, the Commission concurs with the Bureau of Labor Statistics on the appropriate method. 17 *See ftp://ftp.bls.gov/pub/special.requests/cpi/cpiai.txt.* Note that the percentage change in the CPI-U in the “avg-avg” column for 2005-2006 is 3.2 percent. This is calculated as the 2006 annual average CPI-U divided by the 2005 annual average CPI-U minus 1, which is the Commission's method. Second, the Commission finds the basis of the assertion by Crowder and Miller that the Commission's inflation cap calculation formula is biased to be theoretically limited. Crowder and Miller arrive at this conclusion by expressing the Commission's year-SPLY method in month-SPLY terms. In order to do this, they must multiply their own month-SPLY terms by monthly weights they have derived. Because these monthly weights are correlated with the month-SPLY inflation terms, Crowder and Miller conclude that the Commission's method yields a biased measure of inflation. 18 While it is true that the weights needed to express the Commission's formula in month-SPLY terms are correlated with those month-SPLY terms, this does not prove that the year-SPLY method is a biased measure of inflation and the month-SPLY method is not. 
That would be the case only if the month-SPLY method used by Crowder and Miller was an unbiased measure of inflation. Crowder and Miller attempt to show this is the case, but they are able to do this only by assuming that month-SPLY inflation is constant across months. 19 This unrealistic assumption undermines Crowder and Miller's claim that their method is unbiased and therefore superior to the Commission's method. All that can be said is that the Commission's method of calculating the annual inflation cap is not identical to the method used by Crowder and Miller. 18 Crowder and Miller specifically attribute the cause of the bias to the interaction in month-SPLY CPI indices and a monthly weight, because they share a common term, namely. *See* Crowder and Miller at 14. 19 *See* Crowder and Miller at 13 where they assume that the “* * * expected value of any month-to-SPLY adjustment factor is one plus the expected value of the inflation rate, a constant (r).” Third, the method used by Crowder and Miller yields no material difference in the measurement of inflation compared to the Commission's method. Employing monthly CPI-U data from the Bureau of Labor Statistics from 1962 through 2006 (a total of 540 monthly CPI-U values), the Commission calculated 516 annual percentage changes in inflation using each of the two methods. The method used by Crowder and Miller yields cumulative percentage changes in inflation just over 1 percent greater than the Commission's method for the entire 43-year period. If anything, the method used by Crowder and Miller seems to favor a higher cap on average. Moreover, there is no material difference in any one of the 516 annual percentage changes calculated by the two methods. The Commission found that there was not a single month in which the absolute inflation difference between the two methods exceeded one-tenth of one percent (0.1%). 
20 20 The Bureau of Labor Statistics has recently started to report the CPI-U index to three decimal places. For this reason, the cap is rounded to three decimal places before being expressed as a percentage change, and to one decimal place when expressed as a percentage change. The Postal Service reaches the same conclusions about the method used by Crowder and Miller. The Postal Service first states that the method used by Crowder and Miller appears to have *de minimis* practical consequences. Further, the Postal Service is unconvinced that the method used by Crowder and Miller can be considered to be statistically superior to the Commission's method. Postal Service Reply Comments, October 9, 2007, at 40, n.96. *Final rule.* Final rule 3010.21 remains largely as initially proposed. The Commission revises the last sentence of paragraph
(a) to eliminate a potential source of confusion. The revision clarifies that rounding of the percentage referred to is to one decimal place. *Rule 3010.22: Calculation of less than annual limitation.* This rule, as proposed, consists of three paragraphs addressing situations where a calculation of a less than annual limitation is required. *Rule 3010.23: Calculation of percentage change in rates.* This rule contains four paragraphs. *Commenters' positions.* In discussing proposed rules 3010.22 and 3010.23, several commenters raise concerns that the proposed rules may allow the Postal Service to implement rate increases that exceed the intended limits of the cap over time. Advo Comments, September 24, 2007, at 5-6; DMA Comments, September 24, 2007, at 6-8; Pitney Bowes Comments, September 24, 2007, at 10-11; and MOAA Reply Comments, October 5, 2007, at 4. One topic of discussion is whether the cap should be applied to average revenue or to rates. DMA and Advo describe potential scenarios whereby more frequent rate increases would result in higher average revenue than what would be achieved with annual rate increases. Advo supplements its comments with a detailed technical analysis of the Commission's proposed rule 3010.22 governing Type 1 rate adjustments filed less than one year apart. The statement interprets the purpose of the rule for a partial year limitation, demonstrates that it does not achieve that purpose, concludes that it would permit excessive increases in average revenue, and proposes an alternative formulation to achieve the perceived intent of the rule. Crowder and Miller at 2-11. The Postal Service responds to these concerns with a discussion of the difference between a cap on average revenue and a cap on rates. Postal Service Reply Comments, October 9, 2007, at 30-35. 
It argues that the proposed rules appropriately identify the “percentage differences between sets of rates, and not * * * total revenue or revenue per piece for particular time periods.” Id. at 32. It applies the same logic to address the concerns of DMA and Advo that more frequent rate increases may allow the Postal Service to collect excess revenue. The Postal Service concludes that the Commission's proposed rules correctly place the restriction on rates, rather than revenue. It also points out that proposed rule 3010.7 requires the Postal Service to provide a schedule of regular rate changes, and prevents it from deviating from the schedule without some articulated rationale. *Id.* at 35-40. *Commission analysis.* The Commission finds that, by applying the CPI-U cap as a limitation on the percentage change in rates, its proposed rules are consistent with 39 U.S.C. 3622(d)(1)(A). While more frequent rate increases may produce higher revenue, other components of the rules and the PAEA, as well as practical operational and market considerations, constrain the frequency with which rates can be adjusted. The Commission also believes that its clarification of the treatment of rates of limited duration ( *e.g.* , seasonal or temporary) in rule 3010.23 may address some of the concerns of commenters who urge the use of average revenue in the application of the cap. Crowder and Miller's critique of the partial-year rate adjustment rule (3010.22) mistakenly assumes that the cap is based on the estimated increase in CPI-U for the next year. Crowder and Miller at 2. The historical increase in CPI-U that establishes the allowable increase is not assumed to be a forecast proxy. Accordingly, the partial-year rate adjustment rule is not designed to account for the difference between actual increases in CPI-U and those estimated at the beginning of the year. The rule is intended to give the Postal Service flexibility in the timing of rate adjustments. 
Therefore, the alternative calculation suggested in the statement is not adopted. Also, the suggested alteration to the rules for applying the cap to a subsequent adjustment is unnecessary. The Commission's proposed rule 3010.22 takes into account rate adjustments (including partial-year adjustments) within the previous year to determine the allowable increase. *Commission analysis; final rule.* The Commission makes one revision to this rule. It adds, in the last sentence of paragraph (b), the same limit on rounding that now appears in final rule 3010.21(a). The rationale is the same: Eliminating a potential source of confusion. The Commission does perceive a need for a slight modification of other proposed rules governing notices of rate adjustment filed less than a year apart. The language of rules 3010.4 and 3010.28 are clarified to better reflect 39 U.S.C. 3622(d)(2)(C)(iii)(IV). The Commission remains sensitive to concerns that its untested rules successfully implement the requirements of the PAEA as intended. It will monitor and evaluate the effectiveness of the rules as they are utilized and consider modifications. *Rule 3010.23: Calculation of percentage change in rates.* Several commenters found the proposed language in rule 3010.23 addressing rates of limited duration ( *e.g.* , seasonal or temporary) to be potentially confusing. DMA Comments, September 24, 2007, at 7; NPPC Comments, September 24, 2007, at 6; ANM/MPA Comments, September 24, 2007, at 3-4; and GCA Reply Comments, October 9, 2007, at 12. Specifically, there is concern that the third sentence of rule 3010.23(b) may conflict with the last sentence in rule 3010.23(a) and unintentionally lead to rate increases that violate the intent of the cap. The commenters suggest either deleting the third sentence of rule 3010.23(b) or revising it to make it more clearly consistent with the last sentence in rule 3010.23(a). 
In its reply comments, the Postal Service suggests an interpretation of the rules whereby the third sentence of rule 3010.23(b) creates an exception to the last sentence in rule 3010.23(a). It proposes alternative wording for the third sentence of rule 3010.23(b) that would codify an exception for rates that are not “in effect at the time of notice of proposed rate changes, and there is no expectation that [the rates] will necessarily be offered again in subsequent years[.]” Postal Service Reply Comments, October 9, 2007, at 41. *Commission analysis.* To clarify the intent of the rules, the Commission deletes the third sentence of proposed rule 3010.23(b). The Postal Service's interpretation and suggested language is not consistent with the Commission's intent for the treatment of seasonal or temporary rates. Such an interpretation could imply that the introduction of a seasonal discount would be included in the test for compliance with the cap, while the subsequent elimination of the discount might not be included (depending on the timing of the notice). The intent of rule 3010.23(a) is for each rate that is either current (even if it is not available at the time of year of the notice) or planned, or both, to be treated as a rate cell and thus included in the formula in rule 3010.23(c). If a seasonal or temporary rate is to be eliminated, the volume for the rate cell will be applied to the applicable planned permanent or year-round rate in the numerator of the rule 3010.23(c) formula, and the same volume will be applied to the current seasonal or temporary rate in question in the denominator. This is to be done without regard to the timing of the notice within a calendar year. A simplified example may be helpful. Suppose a class consists of a single type of mail, with one rate (10 cents) applied from January through June and another (9 cents) applied from July through December. 
Further suppose that the Postal Service files a notice of rate adjustment in which the July through December rate is eliminated (making the current January through June the new year-round rate) with no other changes. Assume the volumes from the most recent available 12 months of billing determinants are 50 million pieces for each of the two rates, for a total of 100 million pieces in the class. Regardless of the time of year of the notice, the method for calculating the percentage change in rates is the same. The first step is to sum the products of the planned rates and volumes ((50,000,000 × .10 = 5,000,000) + (50,000,000 × .10 = 5,000,000) = 10,000,000). The second step is to sum the products of the current rates and volumes ((50,000,000 × .10 = 5,000,000) + (50,000,000 × .09 = 4,500,000) = 9,500,000). The final step is to divide the results of the first step by the results of the second step and subtract 1 from the quotient ((10,000,000 ÷ 9,500,000 = 1.0526) − 1 = 0.0526 = 5.26%). The elimination of the July through December rate would therefore result in a 5.26 percent increase in rates for the class. *Selection of volumes for weights.* Time Warner proposes to add before-rates subscripts to the volume variable
(V) in the formula in rule 3010.23(c), to clarify that a Laspeyres index will be used to test for compliance with the cap. Time Warner Comments, September 24, 2007, at 10. The Postal Service asserts that rule 3010.23(d) adequately identifies the volume weights to be used in the calculation. Postal Service Reply Comments, October 9, 2007, at 33-34. The Commission finds that the language of rule 3010.23(d) sufficiently defines the weights to be applied. Moreover, referring to the weights as “before-rates” would not be a completely accurate description, as 3010.23(d) instructs the Postal Service to adjust the billing determinants to account for classification changes. Using Time Warner's proposed language, if a new rate is introduced, its “before-rates” volume would be zero, and the effects of introducing it would be improperly excluded from the calculation of the percentage change in rates. For these reasons, the Commission does not incorporate the suggested modification. *Commission analysis; final rule.* The Commission agrees that clarification is warranted. It finds this can be achieved by deleting the third sentence in paragraph (b). The Commission, on its own accord, adds the term “where,” in paragraph
(c) immediately after the presentation of the formula and before the key. The Commission makes no other changes in this rule. *Rule 3010.24: Treatment of volume associated with negotiated service agreements.* This rule, as proposed, generally provides that mail volumes sent at non-tariff rates under negotiated service agreements are to be included in the calculation of percentage change in rates as though they paid the appropriate rates of general applicability. It also requires supporting explanations and the rationale for assumptions. There were no suggested revisions to this rule. The Commission adopts the rule with one editorial change. It eliminates the superfluous term “non-tariff”. *Rule 3010.25: Limitation on unused rate adjustment authority rate adjustments.* This rule, as proposed, addresses certain limits on unused rate adjustment authority. There were no suggested revisions to this rule. The Commission adopts it as proposed. *Rule 3010.26: Calculation of unused rate adjustment authority.* This rule, as proposed, consists of four paragraphs addressing several matters related to the calculation of unused rate adjustment authority. *Commission analysis; final rule.* The Commission makes several clarifying revisions in rule 3010.26. In paragraph (a), it adds the words “notices of” before “Type 1 rate adjustment” to assist in determining the accrual period. In paragraph (b), it adds the words “Type 1” before rate adjustment for consistency with the previous reference. It also revises the phrase “or .22(b)” to “or 3010.22(b)” to conform to publication requirements. It makes no other revisions to this rule. *Rule 3010.27: Application of unused rate adjustment authority.* This rule, as proposed, consists of one paragraph addressing application of unused rate adjustment authority. The Commission adopts it as proposed. 
*Rule 3010.28: Maximum size of Type 1-B adjustments.* This rule, as proposed, describes the limitations on size of the adjustment based on unused rate adjustment authority. *Commission analysis; final rule.* The Commission makes minor editorial changes in the introductory portion of this rule to improve clarity and readability and conform to publication requirements. It now reads as follows: “Unused rate adjustment authority exercised in notices of rate adjustments for any class in any 12-month period may not exceed the applicable limitations described in rules 3010.21 or 3010.22 plus the lesser of:”. The Commission makes no changes in the following two paragraphs. The Commission adopts this rule as revised. *New rule 3010.29: Transitional filings.* New rule 3010.29 addresses the fact that 39 U.S.C. 3622(f) explicitly allows the Postal Service to file an omnibus rate case through December 19, 2007. The addition of this rule responds to OCA's apt assertion that neither the Commission's Order No. 26 discussion nor the accompanying proposed rules addressed the possibility of a Postal Service filing PAEA-type rate adjustments during an omnibus rate case, or the potential impact of another omnibus rate case on a rate adjustment filing. A transitional filing would have an impact on subsequent calculation of the annual limitation. Accordingly, the new rule provides: “If the Postal Service initial exercise of its authority to file a Type 1-A notice of rate adjustment is preceded by a transitional rate case filing under 39 U.S.C. 3622(f):
(a) The annual limitation as calculated in rule 3010.21 is applicable if the notice of rate adjustment is 12 months or more after the date of the Decision of the Governors approving rate changes associated with the transitional filing; and
(b) The annual limitation as calculated in rule 3010.22 is applicable if the notice of rate adjustment is less than 12 months after the date of the Decision of the Governors approving rate changes associated with the transitional filing. In such circumstances, the date of the Decision of the Governors approving rate changes associated with the transitional filing is the most recent notice of rate adjustment.” *Commission analysis; final rule.* The Commission agrees that the rules should be supplemented to address the consequences associated with a transitional filing. It adopts new rule 3010.29, as set out above, to address the impact on key aspects of rate adjustment filings. F. Subpart D—Rules for Rate Adjustments for Negotiated Service Agreements (Type 2 Rate Adjustments) In Order No. 26, the Commission proposes rules for evaluating and approving negotiated service agreements for both market dominant and competitive products. The proposed rules include procedures, filing requirements, and data collection requirements. Several parties have commented on these rules. Advo, Pitney Bowes, NPPC, and Time Warner find the filing requirements to be too stringent while Valpak, Newspaper Association of America (NAA), National Newspaper Association (NNA), APWU, and the Office of Consumer Advocate
(OCA) believe more rigorous requirements are necessary. 21 These commenters offer valid and compelling arguments, often in stark contrast to one another. This highlights the need for a regulatory process that balances the divergent interests of mailers. The Commission recognizes that although its rules attempt to strike this balance, modifications may be necessary as experience under the new system is gained. 21 The Postal Service, Parcel Shippers Association (PSA), Discover Financial Services (DFS), and Amazon.com also provided comments on negotiated service agreement rules. Order No. 26 classified negotiated service agreements, both market dominant and competitive, as separate products. PRC Order No. 26, ¶ 3073, n.75 and ¶ 3079. Several parties contend that negotiated service agreements should not be classified as separate products. The Postal Service and PSA claim that negotiated service agreements do not meet the definition of separate products because they will typically involve the provision of existing products. Postal Service Comments, September 24, 2007, at 11; and PSA Comments, September 24, 2007, at 10-11. Advo, the Postal Service, and DFS contend that classifying negotiated service agreements as separate products will lengthen the review process and subject the agreements to procedural requirements beyond the specific negotiated service agreement rules in sections 3010.40 *et seq.* and 3015.5. The Postal Service claims this is unnecessary. It contends that rules 3010.4 and 3010.5 provide sufficient transparency. DFS asserts this extra burden will discourage negotiated service agreements. It states: It is important for the Commission to realize that the fear of * * * indeterminate pre-implementation NSA review procedures has been one of the primary factors that has scared off mailers from entering into NSA negotiations over the last several years. 
The overlay of rule 3642 procedures on top of the NSA procedures 3010.40-3010.43 or 3015.5 confuses and unnecessarily complicates the NSA process and has the potential to continue that chilling effect. It also creates a procedural loophole that opponents of pricing flexibility could use to impede the development of the new system and the development of NSAs. DFS Comments, September 24, 2007, at 2-3. Advo also argues that “[t]o the extent that the Commission's concern is that negotiated service agreements must cover attributable costs, that requirement can be achieved without designating an NSA as a separate product.” Advo Comments, September 24, 2007, at 2. On reply, several parties agree that negotiated service agreements should not be considered separate products. Valpak, however, asserts that negotiated service agreements are separate products under the definition of “product” in the PAEA. *See* 39 U.S.C. 102(6). Valpak argues that negotiated service agreements have distinct cost and market demand characteristics and are charged rates not of general applicability. Valpak Reply Comments, October 9, 2007, at 22. NAA and UPS contend that the question of whether or not a negotiated service agreement is a product should be considered on a case-by-case basis. NAA Reply Comments, October 9, 2007, at 4; and UPS Reply Comments, October 9, 2007, at 2. *Commission analysis.* The Commission finds that negotiated service agreements meet the definition of separate products. To date, every proposed negotiated service agreement filed with the Commission was premised either on distinct market characteristics, distinct cost characteristics, or both. 22 This is true even though they were applied to existing products. In the future, it may be appropriate to group functionally equivalent negotiated service agreements as a single product if it can be shown that they have similar cost and market characteristics. 
However, as a starting point, it is appropriate to assume new negotiated service agreements will be separate products as defined by the PAEA. 22 International Customized Mailing Agreements have not yet been filed with the Commission. The rules regarding negotiated service agreements, rules 3010.42 and 3015.5, are intended to operate in harmony with subpart B of part 3020. A single filing, pursuant to rule 3020.31, is sufficient when the Postal Service proposes to add a new negotiated service agreement to either the market dominant or competitive product list. 23 If the Postal Service proposes changes in the rates of an existing negotiated service agreement, the filing would be made pursuant to rule 3010.42 or rule 3015.5, as appropriate. The Commission does not anticipate that the review process for new negotiated service agreements will cause implementation of such negotiated service agreements to be delayed appreciably. As stated in Order No. 26: 23 Assuming the Postal Service indicates a preference that the negotiated service agreement be classified as market dominant or competitive, it would comply with the filing requirements of rule 3010.42 or 3015.5, as appropriate. The primary focus of the review will be on compliance with the statutory requirements for proper categorization of the Postal Service product as either market dominant or competitive. Review of the operational parameters of the product and the financial basis of the product typically will be minimal. PRC Order No. 26, ¶ 4026. Pitney Bowes is concerned that the data collection and production requirements outlined in rules 3010.42 and 3010.43 will be prohibitive to small-volume mailers. It suggests that the Commission consider allowing exceptions to these requirements for small volume mailers. 
The data in question—mailer specific volume, cost, and revenue data—to date, have been largely compiled from billing determinants maintained by the Postal Service and budgeting and planning data held by the co-proponents. Data of this type should be readily available regardless of the company's mail volume. Allowing mailers of any size to enter into negotiated service agreements without providing this data would hinder the Commission's ability to determine compliance with the PAEA as provided for in rule 3010.40. Therefore, at the present time, the Commission will not develop procedures for granting exceptions to its rules regarding negotiated service agreements. It should be noted that the Commission has long been concerned that negotiated service agreements be available to small mailers. Consequently, it developed a model for structuring volume-based negotiated service agreements that was designed to streamline the negotiation process. 24 Persons interested in negotiated service agreements are encouraged to explore application of this model. 24 Docket No. MC2004-3, library reference PRC-LR-2. Pitney Bowes also contends that “the proposed rules are incomplete insofar as they fail to address the need to protect * * * commercially sensitive information.” Pitney Bowes Comments, September 24, 2007, at 13. As is currently the case, parties to negotiated service agreements may seek protective conditions where appropriate. Time Warner requests that the Commission consider removing rule 3010.42(d)(3) from the final rule. Rule 3010.42(d) requires the projection of change in the net financial position of the Postal Service as a result of each negotiated service agreement, which includes “[a]n analysis of the effects of the negotiated service agreement on the contribution to institutional costs from mailers not party to the agreement.” Rule 3010.42(d)(3). 
Time Warner contends that the PAEA requires negotiated service agreements to not cause unreasonable harm to the marketplace. It argues that the PAEA does not require that no other mailer be disadvantaged as a consequence of a negotiated service agreement, as applicable under the Postal Reorganization Act. Time Warner Comments, September 24, 2007, at 11-13; *see also,* Advo Comments, September 24, 2007, at 3-4; Pitney Bowes Reply Comments, October 9, 2007, at 6-7; and Postal Service Reply Comments, October 9, 2007, at 21-22. APWU supports retention of rule 3010.42(d)(3). APWU Reply Comments, October 9, 2007, at 3. APWU contends that the requirement to not cause unreasonable harm to the marketplace is applicable to every negotiated service agreement. It argues that individual mailers may be harmed by negotiated service agreements, and this can adversely impact the overall marketplace. The intent of rule 3010.42(d)(3) requires clarification. Rule 3010.42(d)(3) facilitates evaluation of the 39 U.S.C. 3622(c)(10)(A)(i) factor that negotiated service agreements “improve the net financial position of the Postal Service through reducing Postal Service costs or increasing the overall contribution to the institutional costs of the Postal Service.” This is one of two alternative criteria for entering into a negotiated service agreement. Rule 3010.42(d)(3) does not directly address the 39 U.S.C. 3622(c)(10)(B) factor which requires that negotiated service agreements “do not cause unreasonable harm to the marketplace.” This factor is addressed separately in rule 3010.42(f). 
NAA correctly explains why rule 3010.42(d)(3) allows computation of the net financial position of the Postal Service resulting from implementation of a negotiated service agreement: Advo and Time Warner overlook that when the Postal Service chooses to rely on the “increasing the overall contribution to the institutional costs of the Postal Service” alternative in (A)(i), the analysis necessarily must include an evaluation of lost contribution from non-parties to an NSA. This is because subsection (A)(i) refers to improving the net financial position of the Postal Service by increasing the *overall* institutional cost contribution. Ignoring the effect on contribution from other mailers would limit consideration to merely the gross effect from the NSA mailer and ignore the net impact on the Postal Service. NAA Reply Comments, October 9, 2007, at 6-8. (Emphasis in original.) Valpak and NAA contend that the proposed rules do not indicate that filings under subpart D will be publicly available and suggest the Commission make clear in its rules that the negotiated service agreement filings, including the terms of the agreement, will be made available to the public. Valpak Comments, September 24, 2007, at 21; and NAA Comments, September 24, 2007, at 5. Several parties express concern that subpart D does not provide sufficient transparency or accountability. Comments fall generally into three categories:
(1) Lack of explicit procedures for public comment;
(2) no assurance regarding compliance with all PAEA requirements; and
(3) lack of procedures if the Commission finds the negotiated service agreement is not in compliance. Valpak, APWU, NNA, and NAA assert that the regulations should provide the opportunity for public comment. They argue that public comment would provide valuable insight into negotiated service agreement compliance with statutory requirements, particularly the provision that negotiated service agreements not cause undue harm to the marketplace. *Id.* at 8; NNA Comments, September 24, 2007, at 11; Valpak Comments, September 24, 2007, at 22; and APWU Comments, September 25, 2007, at 6. Valpak and APWU contend that the proposed rules do not ensure that negotiated service agreements meet statutory requirements. They argue that negotiated service agreement filings should comport with all provisions of the PAEA, including the objectives and factors in sections 3622(b) and (c). Valpak Comments, September 24, 2007, at 23; and APWU Comments, September 25, 2007, at 6. Valpak and NAA request that the Commission include procedures for dealing with negotiated service agreement filings that do not comply with the provisions of the PAEA. They maintain that such procedures are necessary to protect non-negotiated service agreement mailers and the marketplace from potentially unlawful negotiated service agreements. NAA Comments, September 24, 2007, at 10; and Valpak Comments, September 24, 2007, at 23. On reply, many commenters oppose increased filing requirements and pre-implementation review arguing that “Congress intended that the process for considering negotiated service agreements be greatly simplified.” Advo Reply Comments, October 9, 2007, at 6. *See also* NPPC Reply Comments, October 9, 2007, at 11-12; PSA Reply Comments, October 9, 2007, at 1-2; DMA Reply Comments, October 9, 2007, at 4-6; and Postal Service Reply Comments, October 9, 2007, at 22. 
The focus of subpart D is to provide pricing flexibility while maintaining accountability and transparency for negotiated service agreements. *See* NPPC Comments, September 24, 2007, at 8-10. The rules outlined in rules 3010.40 *et seq.* and 3015.5 minimize the administrative and economic burden of implementing agreements and enhance the Postal Service's pricing flexibility. At the same time, rules 3010.40 *et seq.* require the co-proponents of negotiated service agreements to submit copies of the agreement, as well as specific data related to cost, revenue, volume, operational enhancements, and marketplace impacts. Filings will be publicly available unless subject to protective conditions. A period for public comment will be available. 25 In addition, it is the Commission's intent to review actual performance of these agreements in the annual compliance report. Interested persons may comment and suggest appropriate Commission findings as part of that process. Taken as a whole, rules 3010.40 *et seq.* and 3015.5 strike a reasonable, initial balance to foster pricing flexibility, transparency, and accountability. 25 For the reasons discussed above, the Commission adds rule 3010.44 to provide APA notice and a specified opportunity for comment. The Commission recognizes that the 45-day review period does not lend itself to in-depth analysis; however, the complaint process will allow for further review where necessary. NAA expresses some concern about the adequacy of the complaint process to prevent irreparable harm to non-negotiated service agreement mailers and suggests that the rules provide for expedited review of complaints that aver the negotiated service agreement does not meet statutory requirements. *See* NAA Comments, September 24, 2007, at 4. The Commission intends to initiate a rulemaking in the immediate future to allow for evaluation and improvement of the complaint process. 
In the meantime, it is the expectation of the Commission that the Postal Service will balance increased flexibility with increased diligence in negotiating sound agreements. OCA proposes that the “suggested framework” outlined in library reference PRC-LR-1 of the Commission's decision in Docket No. MC2004-3 be modified to cover all negotiated service agreements—not just volume discount ones—and incorporated into section 3010.40 of the proposed rules. OCA believes that incorporating this framework would “increase Commission and public confidence that implementation of future negotiated service agreements will improve the net financial position * * * of the Postal Service.” OCA Comments, September 24, 2007, at 4. The Commission initially suggested this framework in the hope it might serve as a useful tool for evaluating the financial impact of individual negotiated service agreements. However, the statute seeks to provide the Postal Service with greater pricing flexibility for negotiated service agreements coupled with enhanced transparency and accountability. Requiring a specific formula or model for evaluating agreements is contrary to that intent. Proposed rules 3010.42 and 3010.43 require pre- and post-implementation submission of mailer-specific data that the Commission, and interested parties, can use to evaluate the expected and actual performance of a negotiated service agreement. The Commission finds, at least initially, that these data should be sufficient to provide necessary transparency and accountability. Three additional clarifications to proposed subpart D will be made by the Commission. First, APWU and NAA suggest that the word “increases” in rule 3010.42(g) be changed to either “adjustments” or “changes” to reflect the fact that changes can either be upward or downward. The Commission agrees. 
The revised rule shall read: Such other information as the Postal Service believes will assist the Commission to issue a timely determination of whether the requested changes are consistent with applicable statutory policies. Second, APWU sought clarification of the sentence in rule 3010.43 which reads, “This shall include, at a minimum, a plan for providing the following annualized information on a yearly basis within 60 days of the date of implementation of a proposed agreement.” This section requires the Postal Service to provide, when it files a notice of rate adjustment, a plan for providing various types of information. The information required is to be reported each year that the agreement is in effect and is to span each 12-month period following implementation. The Postal Service will have 60 days after each anniversary date to compile the data report. The revised rule shall read: The data report is due 60 days after each anniversary date of implementation and shall include, at a minimum, the following information for each 12-month period the agreement has been in effect. Finally, NAA suggests that the statutory language regarding similarly situated mailers be included in rule 3010.40. NAA Comments, September 24, 2007, at 12. On reply, the Postal Service states “[i]f the Commission decides * * * to continue treating market-dominant customized agreements as being separate ‘products,’ then distinguishing between baseline and functionally-equivalent agreements would probably be important.” Postal Service Reply Comments, October 9, 2007, at 21. NAA also suggests that procedures similar to the existing rules regarding functionally equivalent negotiated service agreements be carried forward into the rules. The intent of the rules regarding functionally equivalent negotiated service agreements was to streamline the litigation process. Given the 45-day review contemplated in subpart D, retaining these rules seems unnecessary. 
Moreover, although the Commission contemplates that negotiated service agreements will be initially classified as separate products, it has not foreclosed the possibility that some functionally equivalent negotiated service agreements may be considered one product. The language from 39 U.S.C. 3622(c)(10) of the statute which reads “available on public and reasonable terms to similarly situated mailers” will be added to clarify the availability of negotiated service agreements provided by rule 3010.40. G. Subpart E—Rules for Rate Adjustments in Exigent Circumstances (Type 3 Rate Adjustments) 1. Overview Subpart E, as proposed, addresses implementation of the PAEA's requirement, in 39 U.S.C. 3622(d)(1)(E), that the modern regulatory system for market dominant products include procedures whereby rates may be adjusted on an expedited basis due to exceptional or extraordinary circumstances. The Commission refers to these as exigent requests and classifies them as Type 3 filings. This subpart consists of seven proposed sections. These sections, in keeping with a formal distinction in the PAEA, establish more elaborate procedures for such requests, relative to Type 1-A and Type 1-B, which follow “notice” requirements. *Structure.* There was no opposition to the proposed format; the Commission adopts it without change. Text and designation of some paragraphs within individual sections differ in some instances from the proposal, based on revisions adopted in response to comments. *Issues.* The Commission intends its subpart E provisions to establish a functional and flexible framework for Type 3 cases. The assumption is that the approach will accommodate associated uncertainties, such as what events might give rise to a filing and how much additional revenue the Postal Service might seek. In particular, the proposal reflects a decision to forgo attempting to identify with specificity circumstances on either side of the question of qualifying circumstances.
Thus, the proposal not only excluded definitions of “triggering events” for Type 3 filings, but also excluded defining, in advance, circumstances that would not qualify. This decision, which reflected consideration of earlier comments, is the focus of suggested revisions in this round. The Commission also proposed streamlined proceedings for Type 3 adjustments, which it viewed as consistent with the 90-day review period and due process considerations. This decision gained widespread support, but some have criticized it as either inconsistent with the APA or insufficiently clear on how the Commission intends to satisfy due process requirements. MMA, for example, generally agrees with the Commission's overall direction, but expresses reservations about the specific procedures, such as the limitation to submission of written comments. MMA Comments, September 24, 2007, at 4. *See also* APWU Comments, September 24, 2007, at 9. *Note on use of the term “exigent”.* The Commission acknowledges NPMHU's point that the use of the term exigent as shorthand or as a synonym for Type 3 filings is not precise. NPMHU Comments, September 24, 2007, at 10. However, it continues to believe that the sense of the rule is not seriously compromised by this lack of precision, and that the term serves satisfactorily as shorthand for this type of filing. Accordingly, the Commission uses this term in its final rules. 2. Review *Rule 3010.60:* *applicability.* This rule, as proposed, establishes that the Postal Service may request rate increases for market dominant products in excess of the annual limitation due to extraordinary or exceptional circumstances. It states that such requests shall be known as exigent requests. 
*Suggested revisions.* Most commenters addressing this issue agree with the Commission's decision to track the language of the PAEA by referring only to “extraordinary or exceptional” circumstances, and not define the type of event or circumstances that would be deemed to justify an exigent filing, or define those that would not be deemed to qualify. *See* , for example, NPPC Comments, September 24, 2007, at 10; NPMHU Comments, September 24, 2007, at 1-2; and NAPUS Reply Comments, October 10, 2007, at 2. NNA, however, qualifies its general support for this approach by asserting that the regulations should clearly indicate that circumstances giving rise to a Type 3 filing must have taken shape outside the ambit of both management and labor, making “neither unwise investments nor excessive compensations” a rationale for exceeding the cap. NNA Comments, September 24, 2007, at 12. (Emphasis in original.) *Commission analysis; final rule.* The Commission has considered suggestions that this rule be revised to make clear that certain events or developments will not constitute the basis for an exigent request, including NNA's specific proposal for adoption of language foreclosing unwise investments or excessive compensation as triggers. This suggestion, like others that seek more specificity, reflects understandable concern that the Postal Service will take undue advantage of its statutory authorization to seek increases beyond the annual limitation. The Commission appreciates this concern, but finds that the better solution at this time is to avoid identifying events on either side of the coin. Accordingly, the Commission declines to revise the proposed rule, and adopts it as final. *Rule 3010.61: Contents of exigent requests.* This rule, as proposed, consists of two paragraphs addressing the contents of an exigent request. Paragraph
(a) consists of eight subparagraphs detailing the contents. Paragraph
(b) is a one-sentence provision requiring the Postal Service to identify responsible officials who can reply to Commission inquiries on each topic specified in rule 3010.61(a). Commenters' suggested revisions focus primarily on subparagraphs 6 and 7 of rule 3010.61(a). They seek clarification with respect to rescission of exigent requests and clarification of the Commission's use of the terms “foreseeable” and “avoidable.” At issue in proposed rule 3010.61(a)(6) is language directing the Postal Service to explain “when, or under what circumstances, the Postal Service expects to be able to rescind the exigent increases in whole or in part.” Some assert that the PAEA does not require that an exigent increase be temporary, and are therefore concerned about the wording. NPMHU, for example, asserts that to the extent this rule may be read to imply that a rate adjustment under 39 U.S.C. 3622(d)(1)(E) can only be temporary, it is without support in the statute. It asserts: Nowhere in the PAEA is there any indication that a rate adjustment under § 3622(d)(1)(E) must be temporary. Nor is there any provision in the statute for rescind[ing] such rate adjustments. Rather, to the extent that the circumstances necessitating the rate * * * adjustment no longer exist, it is to be expected that the Postal Service would take account of these changed circumstances by foregoing, or reducing the magnitude of, subsequent rate adjustments it otherwise would have made. NPMHU Comments, September 24, 2007, at 7. It also suggests curing the problem by including the qualifying term “whether” in this provision. *Id.* at 8. The Postal Service endorses this revision. Postal Service Reply Comments, October 9, 2007, at 7. Others seek more specific assurance that exigent increases will be rolled back, and are concerned that the wording does not make this clear. ANM/MPA Comments, September 24, 2007, at 6-7; APWU Comments, September 25, 2007, at 9; and DMA Comments, September 24, 2007, at 9.
*Commission analysis; final rule.* The Commission agrees that the PAEA does not include a requirement that exigent increases, by definition, must be temporary. This means that adding an explicit requirement for rollback would not be fully consistent with the statute. It has considered NPMHU's suggested revision, but concludes that the original formulation is neither inaccurate nor misleading. Accordingly, the Commission adopts proposed rule 3010.61(a)(6) without change. *Commission references to circumstances warranting an exigent request in rule 3010.61(a)(7).* NPMHU and Time Warner observe that the Commission's Order No. 26 discussion and the proposal refer to an exigent filing in terms of unforeseeable and unavoidable events. Both briefly review the legislative history on exigent filings, and point out that although there were variations on what would constitute grounds for a Type 3 case in legislative proposals leading up to the PAEA, the legislation as enacted does not include any reference to unforeseeability or avoidability of circumstances. NPMHU Comments, September 24, 2007, at 1-2; and Time Warner Reply Comments, September 24, 2007, at 7-11. *See also,* NAPUS Reply Comments, October 10, 2007, at 2-3. The Commission agrees with these observations. The text of Order No. 26 and the related rule were inexact in this respect. However, the Commission continues to believe that it is reasonable to require the Postal Service to address these considerations, as the discussion is likely to shed light on matters of considerable concern to mailers. To accommodate this interest and to recognize the commenters' point, the Commission revises rule 3010.61(a)(7) essentially along the lines suggested by Time Warner to read as follows: An analysis of the circumstances giving rise to the request, which should, where applicable, include a discussion of whether the circumstances were foreseeable or could have been avoided by reasonable prior action[.]
With the inclusion of this revision, the Commission adopts the other provisions in rule 3010.61(a). Rule 3010.61(b) requires the Postal Service to identify one or more knowledgeable Postal Service official(s) who will be available to provide prompt responses to Commission requests for clarification related to each topic specified in rule 3010.61(a). There was no objection to this proposal. The Commission recognizes that this provision places an administrative burden on the Postal Service, but considers it slight in terms of the overall importance of ensuring ready reference to a list of officials in a position to provide prompt responses to Commission requests for clarification. This requirement will also facilitate expeditious consideration of a Type 3 request. The Commission adopts proposed rule 3010.61(b) without change. *Rules 3010.62 through 3010.64.* Proposed rule 3010.62 provides that the Commission may require the Postal Service to clarify its request; proposed rule 3010.63 addresses how unused rate adjustment authority is to be handled; and proposed rule 3010.64 states that the Commission's policy is to provide expeditious treatment of exigent requests, consistent with statutory requirements and procedural fairness. Specific procedures are not spelled out in this provision, but appear in rule 3010.65. *Commission analysis; final rules.* Commenters do not suggest any specific revisions to these provisions, which cover relatively straightforward matters connected with administration of exigent cases. The Commission notes, with respect to rule 3010.62, that it intends to make public any supplemental information it requires the Postal Service to provide under this rule, to require a written response, and to ensure that the response is posted on the Commission's Web site. At this time, however, the Commission does not find it essential to include a provision detailing these points in its rules. 
The Postal Service has cooperated with these types of requests in the past, and it fully anticipates that this cooperation will continue under the new system. The Commission does not find any need for changes to rules 3010.63 and 3010.64. Accordingly, it adopts proposed rules 3010.62, 3010.63 and 3010.64 without change. *Rule 3010.65: Special procedures applicable to exigent requests.* This rule, as proposed, sets out various provisions related to procedures for exigent hearings. Accordingly, it is affected by the Commission's decision to revise the rules to more fully address due process concerns. *Suggested revisions.* Commenters asserting the need for revisions to this rule suggest changes that would expand notice, public representation, and public participation, including at the hearing stage. *See generally* Valpak Comments, September 24, 2007, at 3-16 and 20-27; Medco Comments, September 24, 2007, at 4-10; OCA Comments, September 24, 2007, at 12-15; and APWU Comments, September 25, 2007, at 1-4. *Commission analysis; final rules.* The Commission adopts the rationale set out previously in support of its decision to revise rule 3010.65(a). The changes parallel, with only minor adaptation to reflect Type 3 filings, the language of final rule 3010.13. Thus, in place of proposed paragraph (a), which provides no detail about the contents of the Commission's notice, there are six paragraphs. One refers to identification of an officer of the Commission; another provides that the Commission will specify a period of time for comment. The last is a “catchall” provision allowing the Commission to include any other information it deems appropriate. The Commission believes that this adds useful clarity about what the Commission will address in its notice. The Commission appreciates the commenters' interest in more extensive opportunities to probe the Postal Service's request. However, at this time, it has decided not to revise its public comment and hearing procedures. 
It believes the approach it has proposed strikes an acceptable accommodation to the hearing called for under the PAEA. The statutory deadline gives cause to question the Commission's ability to complete action on the Postal Service's request if trial-type hearings and related measures were deemed the only approach consistent with due process. Furthermore, depending on circumstances, an exigent request may require action in an even more truncated timeframe. Given that the PAEA clearly commits the Commission to issuing a decision in 90 days, the Commission believes that the comment approach provides an appropriate for public participation. The Commission adopts proposed rule 3010.65, with revisions limited to paragraph (a). *Rule 3010.66: Deadline for Commission decision.* This rule, as proposed, provides that the Commission will act expeditiously on an exigent request, will consider all written comments, and will issue its decision within 90 days of the filing of a request. The deadline is identical to the one established in 39 U.S.C. 3622(d)(1)(E). No commenter objects to the adoption of this rule. The Commission adopts the proposed rule without change. *Additional considerations on scope of subpart E.* Several commenters seek expansion of the rates governing exigent rate increases to address specific aspects related to interpretation and administration of 39 U.S.C. 3622(d)(1)(E). ANM/MPA urges the Commission to require uniform increases, and opposes the suggestion that non-uniform increases should be used to account for revenue shortfalls in a particular class. It contends non-uniform changes could mark a return to cost-of-service ratemaking. *See* ANM/MPA Comments, September 24, 2007, at 6-7 and ANM/MPA Reply Comments, October 9, 2007, at 9-10 (citing OCA Comments, September 24, 2007, at 21 and Valpak Comments, September 24, 2007, at 19-20 and 23-26). 
GCA opposes the suggestion for requiring uniform application, taking issue with the assertion that non-uniform rates would mark a return to cost of service ratemaking. GCA Reply Comments, October 9, 2007, at 12-13. ANM/MPA also asks that the Commission require rollback of exigent increases as soon as the costs that purportedly justify the exigent increases recede or are reflected in the CPI itself. It also asks the Commission to clarify that cost increases associated with an exigent increase may not be recovered anew through a subsequent CPI index adjustment. ANM/MPA Comments, September 24, 2007, at 7-8. NPPC and DMA seek the same type of changes. NPPC Comments, September 24, 2007, at 10-11; and DMA Comments at 9. APWU suggests there may be circumstances where exigency increases need not be rescinded, such as when inflation has caught up with the exigency. It questions whether the Postal Service must rescind an exigent increase. APWU Comments, September 24, 2007, at 9. *See also* NPMHU Comments, September 24, 2007, at 7-8, seeking clarification that exigent increases need not be temporary. PostCom opposes revisions that would prevent double recovery. It suggests addressing this concern on a case-by-case basis. PostCom Reply Comments, October 9, at 6. DFS asserts that the question of whether exigent rate increases should be permanent or temporary should not be addressed in rules, but developed in response to concrete facts and specific requests. DFS Reply Comments, October 9, 2007, at 8. The Postal Service asserts, more broadly, that the record in this proceeding is not developed to the point where the Commission can reasonably resolve the issues that have been raised, nor does anything require that it do so at this time. Postal Service Reply Comments, October 9, 2007, at 43.
*Commission analysis.* The Commission acknowledges the interest some commenters express in resolution of several issues related to interpretation and administration of the PAEA's provision for exigent increases, including adoption of definitive interpretations on rescission, application of increases, and impact on unused rate adjustment authority and the attributable cost floor. It declines at this time to adopt either policy statements or specific regulations on these points. The state of the record on these issues, as the Postal Service points out, makes such actions premature. III. Competitive Products In Order No. 26, the Commission, among other things, identified the initial list of competitive products and proposed regulations applicable to them. Parties commenting on these matters raise issues regarding negotiated service agreements, international mail, and modifications to the proposed rules. Several parties argue that competitive negotiated service agreements should not be classified as separate products, contending, *inter alia,* that the proposed rules require sufficient information to demonstrate compliance with the statutory criteria and that negotiated service agreements are analogous to rate cells within products of general applicability such as Priority Mail or Parcel Select, rather than separate products themselves. *See, e.g.*, Postal Service Comments, September 24, 2007, at 5-12; PSA Comments, September 24, 2007, at 9-11, and Advo Comments, September 24, 2007, at 2-3. Similar claims are made with respect to market dominant negotiated service agreements. As discussed in chapter II-F, the Commission is not persuaded that negotiated service agreements are not separate products. In this chapter, the Commission addresses parties' comments advocating changes to the classification of products as market dominant or competitive, an issue that largely affects international mail.
In addition, the Commission addresses the relatively few suggestions that the proposed rules be modified. As discussed below, upon review of the parties' comments, the Commission has revised or otherwise clarified certain of the rules. A. International Mail Under the PAEA, international mail is categorized as market dominant or competitive depending on whether it is single piece or bulk. *See* 39 U.S.C. 3621(a)(10), and 3631(a)(4). Additional competitive categories of mail include priority mail, expedited mail, and bulk parcel post. 39 U.S.C. 3631(a). In Order No. 26, the Commission classified domestic and international priority mail and expedited mail as competitive. PRC Order No. 26, August 15, 2007, ¶ 3010. In addition, the Commission defined bulk international mail by reference to bulk commercial services, including International Priority Airmail Service (IPA), International Surface Airlift Service (ISAL), direct sacks of printed matter sent to a single foreign address (M-bags), and Individual Customized Mailing Agreements (ICMs). *Id.* , ¶ 3019. The Commission distinguished between inbound and outbound international mail, suggesting that inbound international mail or a subset thereof, *i.e.* , Letter Post, may be classified as market dominant. Indicating that it lacked sufficient information to determine the proper classification for inbound international mail, the Commission requested that interested parties address the issue. *Id.* , ¶¶ 3021-22. Several parties, including the Postal Service, FedEx, XLA, and UPS, did. The issues raised by the parties' comments are addressed below. 1. Exceptional Treatment for Inbound International Mail The Postal Service advocates that inbound international mail not be classified as either market dominant or competitive, but rather should be treated on an exceptional basis. 
26 The exceptional treatment sought is that “inbound international mail should not be ‘classified' in the [Mail Classification Schedule], and that inbound charges should not be subject to the same regulations as other Postal Service products.” *Id.* at 22 (footnote omitted). 26 Postal Service Comments, September 24, 2007, at 13-22. In support of its position, the Postal Service advances two principal arguments. 27 First, it argues that inbound services are not offered or priced by the Postal Service in the same manner as outbound products and services, concluding that prices for inbound mail are largely beyond the Postal Service's control. *Id.* at 13-15. For example, it notes that Letter Post terminal dues are set by the Universal Postal Union
(UPU) Congress, and that for inbound Parcel Post, inward land rates are set pursuant to a prescribed rate-setting formula adopted by the Postal Operations Council (POC). *Id.* at 14. 28 27 The Postal Service also contends that practical considerations justify exceptional treatment for inbound international mail. Its arguments, however, largely reiterate points made in support of its two principal arguments, *e.g.*, the problematic application of the price cap to inbound international mail. *Id.* at 20-22. 28 In addition, the Postal Service contends that inbound international mail is distinguishable from outbound mail because it has no relationship with the originator of inbound mail. *Id.* at 15. Second, it asserts that section 407 of title 39 “establishes a separate scheme for transparency and oversight of inbound international mail charges,” which warrants not classifying inbound international mail as either market dominant or competitive. *Id.* at 16. It contends that sections 407(c)(1) and (c)(2) create a unique regulatory scheme for inbound charges established through the UPU, with the State Department responsible for the development of international postal policy, while the Commission is responsible for developing and applying pricing rules. 29 Characterizing the Commission's role as one of oversight, the Postal Service further contends that the “oversight mechanism recognizes the incompatibility of applying a price cap to inbound charges.” *Id.* at 17. 29 *Id.* at 16-17. Section 407(c)(1) requires the Secretary of State to solicit the Commission's views prior to concluding any postal treaty, convention, or amendment establishing a rate or classification for a market dominant product.
Section 407(c)(2) requires the Secretary of State to ensure that each such treaty, convention, or amendment is consistent with the Commission's views, unless the Secretary of State makes a written determination that it is not in the foreign policy or national security interest of the United States to ensure consistency with the Commission's views. In addition, the Postal Service references section 407(d), which, with certain limitations, permits the Postal Service to enter into commercial and operational contracts relating to international postal services and international delivery services. *Id.* at 18-20. The Postal Service acknowledges that the Commission has no oversight role under section 407(d), but asserts that transparency is assured because a copy of the contract must be filed with the Commission and the Secretary of State. Aside from that, the Postal Service emphasizes that reciprocity influences the outcome of bilateral contracts and thus has a considerable influence on inbound charges. 30 30 The Postal Service would exempt what it calls “specialized arrangements,” which provide for the entry of mail overseas bearing domestic postage indicia, from the exceptional treatment it espouses for all other inbound international mail. *Id.* at 22, n.36. For financial reporting purposes, the Postal Service proposes that the costs and revenues of single-piece inbound mail be reported as market dominant or competitive based on considerations such as the content of the mailpiece and whether the inbound charges are negotiated or not. 31 Taking these considerations into account, the Postal Service proposes that the costs and revenues for inbound single-piece international mail be recorded as follows: 31 *Id.* at 22. The omission of bulk inbound mail is not explained. 
Market dominant, consisting of Letter Post tendered under UPU terminal dues, Letter Post tendered under bilateral contract arrangements, and Parcel Post tendered at UPU inward land rates, and Competitive, consisting of Parcel Post tendered at negotiated charges and EMS. *Id.* at 23-24. 32 32 Pitney Bowes endorses the Postal Service's proposal to treat inbound international mail on an exceptional basis, but alternatively suggests that, if it is classified, inbound international mail be classified as competitive. Pitney Bowes Reply Comments, October 9, 2007, at 8. *Commission analysis.* The notion that sections 407(c) and
(d) create a “different system of regulation for inbound international mail” based on considerations of transparency and oversight is unsustainable. *Id.* at 19. Had Congress intended to exempt inbound international mail from the requirement that all products be categorized as either market dominant or competitive, it would have done so explicitly, as it did by specifically exempting experimental products from the requirements of section 3642. 33 Unambiguously, the PAEA requires international mail to be classified as either market dominant or competitive. *See* FedEx Reply Comments, October 10, 2007, at 2-14. 33 Because the Commission rejects the proposal that inbound international mail be treated in exceptional fashion, there is no need to address the Postal Service's related but contingent proposal to report single-piece inbound costs and revenues as market dominant or competitive based on various factors. None of the rationales offered by the Postal Service in support of its request that inbound international mail be accorded exceptional treatment, *e.g.*, that prices for inbound services are largely beyond its control or that section 407 establishes a different system of regulation for inbound mail, is persuasive. As explained in Order No. 26 in this proceeding, the Commission will, *inter alia*, identify the initial market dominant and competitive product lists required by section 3642. *See* Order No. 26, ¶¶ 3072-76. International mail is comprised of one or more postal products, 34 which depending on their characteristics may be categorized as market dominant or competitive. *See* 39 U.S.C. 3621(a) and 3631(a). By its express terms, section 3642(e) prohibits the Postal Service from offering any product, except an experimental product, involving the physical delivery of letters, printed matter, or packages that has not been assigned by the Commission to either the market dominant or competitive category of mail.
This directive even extends to the provision of nonpostal services. 35 Thus, that inbound services may be priced in a manner different from outbound mail does not exempt inbound international mail from the requirement that it be categorized as a product. 34 The term “product” is defined as “a postal service with a distinct cost or market characteristic for which a rate or rates are, or may reasonably be, applied[.]” 39 U.S.C. 102(6). The term “postal service” is defined as “the delivery of letters, printed matter, or mailable packages, including acceptance, collection, sorting, transportation, or other functions ancillary thereto[.]” 39 U.S.C. 102(5). 35 *See* 39 U.S.C. 404(e)(5) (“the Postal Regulatory Commission shall designate whether the [continuing nonpostal] service shall be regulated under this title as a market dominant product, a competitive product, or an experimental product.”). Section 407 does not establish a different system of regulation for inbound mail. Rather, that section delineates, *inter alia* , the Secretary of State's responsibilities regarding international postal arrangements, the Commission's role with respect to certain arrangements, and the Postal Service's authority to execute bilateral contracts. Nothing in sections 407(c) or
(d) create an express or implied exemption for inbound international mail from the requirement that it be categorized as a market dominant or competitive product. Nothing in section 407(c) suggests a unique regulatory scheme for inbound international mail. Section 407(c) applies only to market dominant products. It requires the Secretary of State, prior to concluding any treaty or convention establishing a rate or classification for a market dominant product, to request the Commission's views “whether such rate or classification is consistent with the standards and criteria established by the Commission under section 3622.” As FedEx observes, rather than establishing a separate regulatory scheme, “§ 407(c) explicitly references the broader regulatory framework applicable to market dominant products: ‘a product subject to subchapter I of chapter 36.’” FedEx Reply Comments, October 10, 2007, at 11 (emphasis omitted). The subject matter of section 407(c) concerns market dominant products, requiring, in the first instance, a determination that the product be categorized as market dominant. The Postal Service's interpretation renders the phrase “rate or classification for a product subject to subchapter I of chapter 36” largely meaningless since inbound market dominant mail would not be categorized as a product. 36 A cardinal rule of statutory construction is that each word, phrase, sentence and part of a statute be given effect. 37 The Postal Service's proposal that inbound international mail be given exceptional treatment violates this basic principle. 36 Implicitly, the Postal Service recognizes the requirement that each product be categorized as market dominant or competitive as evidenced by its proposal to use financial data as a surrogate means for distinguishing between market dominant and competitive products. 37 *See* 2A Sutherland Statutory Construction § 47.21 (7th ed. 2007).
Section 407(d) authorizes the Postal Service to enter into bilateral contract agreements, subject to certain limitations, concerning international postal services. As the Postal Service notes, its authority extends to market dominant and competitive international postal services. Postal Service Comments, September 24, 2007, at 18. By definition, 39 U.S.C. 102(6), international postal services are products, and as such, must be categorized by the Commission as either market dominant or competitive before the Postal Service may offer the service. 39 U.S.C. 3642(e). In sum, sections 407(c) and
(d) do not create a different system of regulation that exempts inbound international mail from the requirement that it be categorized as a market dominant or competitive product.

2. Outbound and Inbound International Mail

Section 3631(a) lists priority mail, expedited mail, bulk parcel post, and bulk international mail as being within the competitive category of mail. Section 3621(a) lists single-piece international mail and single-piece parcel post as being in the market dominant category of mail. The classification of these categories of mail as either market dominant or competitive would appear to be relatively straightforward. That assumption holds true for domestic mail. It is problematic for international mail, particularly inbound international mail, which is complicated by the fact that the UPU's designation of three types of service does not neatly correspond with existing Postal Service outbound services. XLA and FedEx argue that postal services classified as competitive for outbound shipments should likewise be classified as competitive for inbound shipments. XLA is explicit, although its discussion is somewhat cryptic. 38 FedEx's discussion is more expansive; its conclusion, however, is the same. For example, it argues that the Commission's conclusion classifying outbound priority mail and expedited mail as competitive should be extended to inbound shipments as well. FedEx Comments, September 25, 2007, at 6-8. It also argues that inbound international parcel post mail should be classified as “bulk parcel post” and that inbound international letter post mail should be classified as “bulk international mail” if such mail meets the definition of “bulk” applicable to outbound international mail. *Id.* at 8-14. 39 38 XLA Comments, September 24, 2007, at 4. XLA interprets Order No. 26 as classifying all inbound postal products as market dominant.
It discusses the implications of such a finding on customs and other border-related requirements, arguing, among other things, that it would preserve preferential treatment for inbound postal products to the detriment of private carriers. *Id.* at 1-3. 39 Preliminarily, two additional points raised by FedEx merit brief mention. In its comments, FedEx provides an extended discussion of section 407(e)(2) concerning the interplay between the Commission's findings in this proceeding and the responsibilities of other federal agencies concerning customs regulations. In addition, FedEx comments on the scope of the letter monopoly, offering its preliminary views on the Commission's responsibilities under section 601, and noting an apparent anomaly concerning the inclusion of “bulk international mail” as a competitive category of mail (interpreted as applicable to bulk international letters) notwithstanding the letter monopoly. *Id.* at 14-29. In its reply comments, the Postal Service responds to each of these arguments. Postal Service Reply Comments, October 9, 2007, at 64-72. While the parties' comments are instructive, the Commission finds it unnecessary, for purposes of this proceeding, to address the issues substantively. The Postal Service takes issue with the parties' position and, as noted above, proposes that inbound costs and revenues be used to categorize inbound shipments as market dominant or competitive based on factors such as the content of the mail and whether the charges are negotiated or not. Postal Service Comments, September 24, 2007, 22-24; Postal Service Reply Comments, October 9, 2007, at 60-64. *Commission analysis.* The UPU identifies three types of inbound international mail: Letter Post, Parcel Post, and EMS (express mail service). Each is addressed below. EMS is an express service for documents and merchandise. It is an optional service which postal administrations may provide. Order No. 26 classified outbound expedited mail as competitive.
FedEx, XLA, and UPS argue that inbound express mail service should likewise be categorized as competitive. 40 The Postal Service agrees with the characterization of inbound EMS as competitive. 41 40 *See* FedEx Comments, September 25, 2007, at 6-8; XLA Comments, September 24, 2007, at 1-4, and UPS Reply Comments, October 9, 2007, at 5-6. 41 Postal Service Reply Comments, October 9, 2007, at 61. The Postal Service's agreement is qualified in terms of its proposed treatment of inbound costs and revenues for this mail. *Id.*, n.161. EMS is a service offered by postal administrations in competition with private carriers. Although an optional service posts may offer, EMS is currently available in at least 191 countries worldwide. EMS is administered by the EMS Cooperative, which was established by the UPU's POC approximately 10 years ago. EMS postal administration charges are not established by the UPU, but instead are established through bilateral or multilateral negotiations. Outbound rates charged to customers are set by each national postal administration. The Commission concurs with the parties, concluding that inbound EMS is properly categorized as competitive. Letter Post consists of letters, postcards, printed papers, and small packets weighing up to 2 kilograms; priority and non-priority items weighing up to 2 kilograms; literature for the blind up to 7 kilograms; and M-bags (special bags containing newspapers, periodicals, books and similar matter mailed to a single address). 42 UPU member countries are required to “ensure the acceptance, handling, conveyance and delivery of letter-post items.” *Id.* 42 Universal Postal Union Convention, Article 12, section 2. FedEx argues that inbound international Letter Post mail should be classified as “bulk international mail” if such mail meets the definition of “bulk” applicable to outbound international mail. FedEx Comments, September 25, 2007, at 12-14.
In an effort to define the term “bulk,” FedEx endorses, in principle, an earlier suggestion by the Postal Service that “bulk international mail” be interpreted as multi-item mailings tendered by a single mailer. FedEx argues that this definition would appear to be serviceable for inbound international Letter Post, noting that the Postal Service employed it to identify outbound bulk international Letter Post and Parcel Post mail. *Id.* at 13. 43 XLA's position is not clear, although it appears to argue that “bulk letters” should be categorized as competitive. XLA Comments, September 24, 2007, at 2. 43 FedEx also discusses the UPU's characterization of the term “bulk,” suggesting that the Commission could adopt that standard for inbound bulk Letter Post mail. *Id.* at 13-14. The Postal Service opposes FedEx's proposal, arguing that determining which shipments from foreign posts would qualify as “bulk” would be problematic for several reasons, *e.g.*, inability to verify foreign posts' classifications for accuracy. Postal Service Reply Comments, October 9, 2007, at 63. 44 The Postal Service also notes that FedEx's proposal to classify inbound bulk letter mail as competitive appears to disregard the applicability of the Private Express Statutes, including the new price and weight tests applicable to letters in section 601(b) of title 39. *Id.* at 64. The Postal Service proposes that, for financial reporting purposes, Letter Post be categorized as market dominant. Postal Service Comments, September 24, 2007, at 23. 44 The Postal Service dismisses the possibility of using the UPU's definition of “bulk” mail, arguing that the definition is designed to address concerns involving remail arbitrage, and further that no UPU post dispatches its international letters to the Postal Service using UPU's bulk mail provisions. *Id.* at 63-64. UPS agrees with the Postal Service that inbound mail subject to the letter monopoly should be classified as market dominant.
UPS Reply Comments, October 9, 2007, at 7. Letter Post items include matter subject to the Postal Service's monopoly over letter mail. It may also include items that, if mailed domestically, would qualify as Priority Mail, applicable to First-Class Mail weighing more than 13 ounces. In its proposed Mail Classification Schedule, the Postal Service has classified First-Class International Mail weighing more than 13 ounces as market dominant. It indicates, however, that such mail would more appropriately be viewed as competitive. The Postal Service states its intent to seek a transfer of outbound First-Class International Mail above 13 ounces to the competitive products list, advocating that, if the transfer occurs, inbound Letter Post costs and revenues for such mail should be categorized as competitive as well. Postal Service Initial Mail Classification Schedule, September 24, 2007, at 22-23. Letter mail is subject to the Postal Service's letter monopoly. Thus, it is properly categorized as market dominant. The Postal Service's current inbound data collection system does not distinguish Letter Post items by weight or content. Thus, as a practical matter, the Postal Service could not identify mail that is not subject to the monopoly. The Postal Service's plan to transfer First-Class International Mail above 13 ounces to the competitive products list should resolve that issue. In the interim, for purposes of establishing the initial product lists, the Commission concludes that Letter Post should be classified as market dominant. Moreover, as there is no incoming bulk international Letter Post, this conclusion is consistent with section 3621(a)(10), which categorizes single-piece international mail as market dominant. UPU member countries' duties with respect to Parcel Post include ensuring the acceptance, handling, conveyance and delivery of parcels weighing up to 20 kilograms pursuant to the UPU Convention or through bilateral agreements. 
45 For financial reporting purposes, the Postal Service proposes to classify inbound Parcel Post shipments tendered by foreign posts at inward land rates set by the POC as market dominant, with inbound shipments tendered at negotiated charges classified as competitive. 45 UPU Convention, Article 12, section 5. Higher weight limits optionally apply for certain Parcel Post items pursuant to the Parcel Post Regulations. *Id.*, section 6. FedEx makes essentially the same argument regarding inbound bulk Parcel Post as it did regarding inbound bulk international mail, i.e., that inbound international Parcel Post should be classified as “bulk parcel post” if it meets the definition of “bulk” applicable to outbound international mail. FedEx Comments, September 25, 2007, at 8-12. XLA argues that “bulk packages” should be classified as competitive. XLA Comments, September 24, 2007, at 2. UPS also argues that inbound international parcels are properly classified as competitive. UPS Reply Comments, October 9, 2007, at 6. The Postal Service's response to FedEx's arguments is largely the same as its response to FedEx's arguments concerning “bulk international mail.” Postal Service Reply Comments, October 9, 2007, at 61-62. In addition, however, the Postal Service notes that inward land rates are set by the POC, that the rates may not be cost remunerative, and that UPU member countries must provide Parcel Post service. Further, it states that no special “bulk” rate exists for inbound parcels. *Id.* at 62-63. The parcels market is by all accounts competitive. The statute, however, distinguishes between single-piece and bulk Parcel Post. Other than Global Bulk Economy, available only by contract, the Postal Service does not offer outbound surface Parcel Post service. Pursuant to UPU requirements, it accepts both inbound surface and air Parcel Post shipments. There is no specific inbound bulk Parcel Post rate.
To give effect to the statute while recognizing the competitive realities, the Commission finds it appropriate to distinguish between the Parcel Post shipments based on two factors: The mode of transportation and whether the rate is negotiated or not. To that end, the Commission concludes that air Parcel Post shipments are appropriately classified as competitive. This classification treats air Parcel Post as equivalent to Priority Mail, a competitive category of mail, and recognizes the reality that the international air parcels market is competitive. 46 46 The Postal Service's discussion of its bilateral contracting authority emphasizes the role of reciprocity in such negotiations. Postal Service Comments, September 24, 2007, at 18-19. That discussion, however, also acknowledges the competitive nature of the international mail market. *Id.* at 19. Surface Parcel Post shipments are distinguishable by the rate paid by the shipper. Surface Parcel Post shipments tendered at UPU rates are appropriately classified as market dominant, while surface Parcel Post shipments tendered at negotiated rates are appropriately classified as competitive. This bifurcation is consistent with both section 3621(a)(5), which categorizes single-piece Parcel Post as market dominant, and section 3631(a)(3), which categorizes bulk Parcel Post as competitive. While there may be no generally available inbound bulk Parcel Post rate, any agreements for surface Parcel Post service are likely to be for bulk quantities. Moreover, classifying surface Parcel Post shipments tendered at UPU rates as market dominant assures universal access to Parcel Post services.

3. Outbound Mail Is Subject to the Price Cap

In its reply comments, the Postal Service proposes a new rule regarding adjustments to the price cap for market dominant classes of outbound international mail. Postal Service Reply Comments, October 9, 2007, at 72.
47 Under the proposed rule, the Postal Service would calculate a modified cap based on a comparison of international mail cost data reported in the most recent annual compliance report with that reported in the previous year's annual compliance report. The Postal Service indicates that the modified cap is intended to reflect the change between the prior year's total unit costs and the sum of actual unit delivery costs in the most recent year “plus what all other unit costs would have been had they changed precisely by the applicable CPI-U change.” Postal Service Reply Comments, October 9, 2007, at 74. 47 The Postal Service notes that it discussed its concerns regarding outbound international mail in its initial comments, indicating that it would present a proposed rule in the near term. *See* Postal Service Comments, September 24, 2007, at 20, n.35. More specifically, the Postal Service would calculate the “adjusted total unit costs” by:
(1) Identifying the actual “unit destination delivery charges” reported in the most recent annual compliance report;
(2) identifying the “unit other costs” reported in the previous year's annual compliance report and increasing that amount by the annual limitation percentage (CPI-U) calculated pursuant to rule 3010.21; and
(3) summing the results of the first two steps, yielding the “adjusted total unit costs.”

The “adjusted annual limitation for a class of [outbound] international mail,” the modified cap, is calculated by dividing the adjusted total unit costs by the “base total unit cost” (the total unit costs reported in the previous year's annual compliance filing) and subtracting 1 from the quotient. The result, expressed as a percentage, represents the “adjusted annual limitation” which, along with any allowable recapture of unused rate authority, would equal the modified price cap applicable to each class of international mail. 48 48 For a more complete discussion of the Postal Service's proposal, see id. at 72-76. Attachment A to the Postal Service's Reply Comments sets forth the proposed rule. *Commission analysis.* The Postal Service takes the position that the Commission may, in its discretion, modify the price cap applicable to outbound mail because section 3622(d)(2)(A) applies only to domestic mail. *Id.* at 20, n.35. The Commission declines the invitation to exercise its discretion in this fashion. Pursuant to section 3622(d)(2)(A), the price cap applies to each class of mail listed in the Domestic Mail Classification Schedule
(DMCS) in effect on the date of enactment of the PAEA. To be sure, the DMCS does not include international mail. Nonetheless, the conclusion that “§ 3622(d)(2)(A) applies only to domestic mail” does not necessarily follow. *Id.* First, section 3622(d)(2)(A) does not preclude application of the price cap to single-piece international mail. Second, regarding international postal arrangements, section 407(c) specifically references rates and classes of market dominant products; it does not, however, exempt such arrangements from application of the price cap. When it is intended that a specific statutory provision be waived, the PAEA is explicit. *See* 39 U.S.C. 3641(a)(2), exempting experimental products from application of sections 3622, 3633, and 3642. Finally, the PAEA creates a new system of rate regulation for market dominant products that is keyed to the price cap. The inclusion of single-piece international mail in section 3621(a) as market dominant addresses the needs of individual consumers, particularly as it relates to letter mail. Thus, for purposes of implementing the initial system of modern rate regulation, the Commission finds that the price cap is applicable to outbound single-piece international mail. The Commission notes that Letter Post is the international counterpart to First-Class Mail. Inbound Letter Post is categorized as market dominant. The PAEA classifies single-piece international mail as market dominant. As the name suggests, single-piece international mail is intended for use by individual customers, particularly for correspondence, since competitive alternatives exist for other international mail services. Consequently, for purposes of applying the price cap, the Commission concludes that it is appropriate to list single-piece international mail as a product within First-Class Mail. 49 49 This process should afford the Postal Service flexibility to address cost issues that may arise regarding such mail.
Other options may be available as well, including bilateral or multilateral agreements. Moreover, while the Commission has declined to exercise its discretion at this time, should circumstances change the Postal Service may request that the issue be revisited. The PAEA also classifies single-piece Parcel Post as market dominant. Earlier this year, however, the Postal Service consolidated its international non-express parcel services under one umbrella labeled Priority Mail International (PMI). 72 FR 16604 (April 4, 2007). PMI is an airmail service and is provided in compliance with the UPU's parcel provisions. With the change, the Postal Service discontinued offering international (outbound) single-piece surface Parcel Post service. 50 Thus, in terms of service, all PMI parcels are equivalent to air Parcel Post, which, for inbound shipments, the Commission classifies as competitive. Since the Postal Service provides no outbound single-piece surface Parcel Post service, only domestic single-piece Parcel Post is classified as market dominant. 50 The Postal Service offers Global Bulk Economy, an outbound service for mail deposited in bulk and shipped via surface transportation, which is classified as competitive. If the Commission's understanding that the Postal Service no longer provides non-bulk surface Parcel Post service is inaccurate, the Postal Service should so advise and, if appropriate, seek to modify the product lists accordingly.

B. Appropriate Share of Institutional Costs

The PAEA requires that competitive products collectively cover an “appropriate share” of the Postal Service's institutional costs. 39 U.S.C. 3633(a)(3). In Order No. 26, the Commission proposed to set the initial contribution at 5.5 percent of the Postal Service's total institutional costs. Order No. 26, ¶¶ 3049-61. Several parties address the proposed contribution level, but only one, PSA, urges its modification. PSA recommends that proposed rule 3015.7(c) be modified in two respects.
First, it proposes that the appropriate share requirement be reduced to 4.5 percent of total institutional costs, arguing that lowering the contribution would provide a margin of safety against factors unrelated to postal pricing and beyond the Postal Service's control. 51 Second, PSA proposes that, for purposes of the Postal Service's compliance with section 3633(a)(3), the appropriate share requirement be implemented on a multi-year, as opposed to annual, basis. PSA contends that a multi-year requirement would afford the Postal Service pricing flexibility and smooth economic cycles. PSA Comments, September 24, 2007, at 7. 51 PSA Comments, September 24, 2007, at 6. PSA notes that under the proposed 5.5 percent appropriate share, as contrasted with a minimum percentage markup, the contribution from competitive products is highly dependent on their volumes, particularly higher margin products. *Id.* at 3. In reply comments, DMA touches on the issue of competitive volumes and, in a roundabout manner, appears to endorse PSA's 4.5 percent recommendation. DMA Reply Comments, October 9, 2007, at 6-8. From that apparent endorsement, DMA segues to the suggestion that the final rule should explicitly provide an opportunity to revisit the issue of appropriate share based on changed circumstances. *Id.* at 8-9. APMU also comments on PSA's recommendation, contending that the 4.5 percent “is the absolutely highest level that can be imposed on all competitive products during a transitional period.” APMU Reply Comments, October 9, 2007, at 1. APMU comments on the parcels market, including contributions from competitive products, and cautions the Commission about the consequences of setting an excessive minimum contribution level. *Id.* at 2-4. Recognizing “the transitional needs of the Postal Service[,]” UPS does not object to the 5.5 percent contribution level. UPS Comments, September 24, 2007, at 1. 
Looking to the future, it advocates that the appropriate share be established as a fixed percentage of institutional costs with the percentage reflecting competitive products' historic contribution levels over a period longer than two years. 52 52 *Id.* at 2-6. The Postal Service and PSA respond to UPS's vision of what the appropriate share should represent in the future. Postal Service Reply Comments, October 9, 2007, at 57-58; PSA Reply Comments, October 9, 2007, at 2-5. While it appreciates the parties' comments, the Commission finds it unnecessary to address them since what the contribution level should be in the future is not ripe for decision. In its reply comments, the Postal Service endorses the reasonableness of the 5.5 percent contribution level, characterizing it as a challenging, but attainable, benchmark. Postal Service Reply Comments, October 9, 2007, at 55-57. Referencing Order No. 26, the Postal Service also comments that “if circumstances so require” the contribution level may be revisited. *Id.* at 56-57. *Commission analysis.* The Commission rejects PSA's proposals to modify rule 3015.7(c). In Order No. 26, the Commission explained in detail the basis for establishing 5.5 percent as the appropriate initial contribution level. Order No. 26, ¶¶ 3052-61. PSA has not made a compelling case for lowering the contribution level. 53 PSA argues that the Postal Service's ability to achieve a specified contribution level from competitive products is, compared to a minimum percentage markup requirement, heavily dependent on volume, which, it says, is of concern in two respects. First, PSA makes the point that competitive product volumes are dependent on exogenous factors, such as economic conditions and competitors' prices, over which the Postal Service has no control. 54 Second, although acknowledging the recent increases in Priority Mail and Express Mail volumes, PSA suggests that longer term competitive product volumes may be declining. *Id.* at 4. 
53 UPS opposes PSA's proposal to reduce the contribution level to 4.5 percent. UPS Reply Comments, October 9, 2007, at 4. 54 *Id.* PSA cites Priority Mail elasticity estimates from Docket No. R2006-1, which it says suggest “a dependency on the pricing decisions of USPS competitors that seems entirely inappropriate.” *Id.* at 3-4. To the extent this conclusion has merit, PSA does not explain how its proposal would make it less so. In any event, the predicate for the conclusion appears to be problematic. The elasticity estimates from Docket No. R2006-1 predate passage of the PAEA. Thus, they do not reflect the new, flexible pricing regime under the PAEA. PSA's first argument is that competitive markets are risky. Its solution seeks simply to reduce the Postal Service's risks without consideration of any factors relevant to establishing the contribution level at 5.5 percent. 55 Fluctuation of volumes is an inherent market risk. PSA's speculation about competitive volume trends does not take into account the regulatory changes brought about by the PAEA, which, at a minimum, afford the Postal Service substantial pricing flexibility. 55 That solution differs from PSA's earlier comments suggesting a basis for setting the contribution level. *See* PSA Comments, June 18, 2007, at 7. PSA's proposal to calculate compliance over a three-year period is rejected. Proposed rule 3015.7(c) imposes an annual compliance requirement associated with the 5.5 percent contribution level, a standard that is fully consistent with the statute. PSA does not contend otherwise, but notes that section 3633(a)(3) “is silent as to the time period over which the appropriate share requirement be met.” PSA Comments, September 24, 2007, at 7. The “omission” of any such time period in section 3633(a)(3) does not support PSA's proposal that compliance be measured over three-year periods. Rather, the “omission” supports the annual compliance requirement. 
Section 3652 requires the Postal Service to file certain annual reports with the Commission. Section 3653 requires the Commission to issue annual compliance reports addressing, among other things, the Postal Service's compliance with section 3633. Plainly, compliance is to be determined on an annual basis. Had Congress intended a different standard for competitive products, it would have stated so explicitly.

C. Filing Requirements for Competitive Product Rate Decreases

Proposed rule 3015.3 prescribes filing requirements for decreases in rates of general applicability. PSA requests clarification of the proposed rule, contending that it should apply only to decreases in the average rate of a product, “not when the rate in a particular rate cell will decrease.” *Id.* at 8. PSA argues that the filing requirements should not apply below the product level because “the rate offered in a particular rate cell has no direct effect on compliance.” 56 56 *Id.* The Postal Service and Stamps.com agree that rule 3015.3 should apply only when the average rate for a competitive product decreases, not to decreases in individual rate cells. Postal Service Reply Comments, October 9, 2007, at 59; and Stamps.com Reply Comments, October 9, 2007, at 3-4. PSA also contends that the rule 3015.3 filing requirements should apply only to the product subject to the decrease, not to all competitive products, because the cost coverage requirement, section 3633(a)(2), only applies to the specific product. The Postal Service agrees with PSA's interpretation on this issue. Postal Service Reply Comments, October 9, 2007, at 59. *Commission analysis.* As proposed, rule 3015.2, concerning increases in rates of general applicability, and rule 3015.3, concerning decreases in rates of general applicability, are designed to operate in concert, *i.e.*, whenever the Postal Service changes rates of general applicability, notice must be filed pursuant to rules 3015.2 and/or 3015.3.
PSA notes that rule 3015.3 is unclear regarding the circumstances which trigger the filing requirements. PSA asks whether the rule is to be invoked for any rate decrease, even a rate cell, or only when the average rate of a product decreases. PSA Comments, September 24, 2007, at 8. PSA contends that rule 3015.3 should be applied only when the average rate for a product will decrease. *Id.* PSA's request for clarification is reasonable; it is granted. Whenever the Postal Service decreases the average rate of a product, notice must be filed pursuant to rule 3015.3. 57 57 Accordingly, rule 3015.3(a) is modified as follows:
(a) When the Postal Service determines to change a rate or rates of general applicability for any competitive product that results in a decrease in the average rate of that product, it shall file notice of the change with the Commission no later than the date of publication of the decision in the **Federal Register** concerning such change, but at least 30 days before the effective date of the change. To ensure that the rules continue to operate in concert as intended, this clarification requires that rule 3015.2(a) be modified to address rate changes, not merely increases. 58 Thus, whenever the Postal Service changes any competitive product rates of general applicability, notice must be filed pursuant to rule 3015.2. If, however, the average rate of a product decreases, notice must be filed pursuant to rule 3015.3. 58 Rule 3015.2 is revised as follows: § 3015.2 Changes in rates of general applicability.
(a)When the Postal Service determines to change a rate or rates of general applicability, it shall file notice of the change with the Commission no later than the date of publication of the decision in the **Federal Register** concerning such change, but at least 30 days before the effective date of the change. PSA also commented on the interrelationship between rules 3015.2 and 3015.3, suggesting that a decrease in the rate of one product would trigger only rule 3015.3 filing requirements, not for all competitive products. The Commission clarifies that whenever the Postal Service changes rates of general applicability notice is to be filed pursuant to rule 3015.2. Thus, for example, if the Postal Service changes the rates of three competitive products, including decreasing the average rate of one, it would file notice of the changes pursuant to rule 3015.2 and, for the product with the average rate decrease, would file notice pursuant to rule 3015.3. Notice regarding the remaining competitive products for which rates are unchanged would not be required. D. Filing Requirements for Rate or Class Not of General Applicability Proposed rule 3015.5 governs the filing requirements when the Postal Service determines to add or change a rate or class not of general applicability, *i.e.* , competitive negotiated service agreements. PSA suggests two changes to the rule. Proposed rule 3015.5(c)(1) requires the Postal Service to file “[s]ufficient annualized revenue and cost data to demonstrate that each affected competitive product will be in compliance with 39 U.S.C. § 3633(a)(2).” PSA interprets this provision as requiring the Postal Service to file “ *total* cost and revenue data by year associated with the contract rate.” PSA Comments, September 24, 2007, at 11 (emphasis in original). 
PSA argues that this provision may hinder the Postal Service's ability to execute negotiated service agreements in instances where it is unable to estimate the contract volumes and thus could not estimate total costs and revenues. PSA suggests that unit revenue and cost data are reasonable proxies for compliance with section 3633(a)(2). PSA proposes that rule 3015.5(c)(1) be revised by deleting the phrase “annualized revenues and cost” to read as follows: “[s]ufficient data to demonstrate that each affected competitive product will be in compliance with 39 U.S.C. § 3633(a)(2).” Second, PSA proposes deleting the rule 3015.5(c)(2) requirement that the Postal Service explain “why, following the change, competitive products in total will be in compliance with 39 U.S.C. §§ 3633(a)(1) and (3).” PSA argues that sections 3633(a)(1) and
(3) apply to competitive products as a whole, not individual products. It contends that whether the Postal Service complies with section 3633(a)(1) and (3) will generally not depend on individual contract rates (rates not of general applicability). PSA, therefore, suggests that the provision is redundant. *Id.* at 13. *Commission analysis.* The Commission will not adopt PSA's suggestion that rule 3015.5(c)(1) be modified. The predicate for the proposal, that the Postal Service “is unable to estimate mail volumes associated with the deal,” is unrealistic. *Id.* at 2. In evaluating whether to execute a competitive negotiated service agreement, the Postal Service must have a reasonable estimate of the contract's economic value, a calculation dependent, in part, on either a reasonably reliable volume estimate or other type of annual guarantee. Moreover, PSA's suggestion that unit cost and revenue data may serve as reasonable proxies for compliance purposes is not well taken in circumstances where the negotiated service agreement involves multiple products or mail mix options. For example, if the negotiated service agreement involved Parcel Select, the costs and revenues under the agreement would be contingent on, among other things, volumes by dropship destination, *i.e.*, DBMC, DSCF, and DDU. PSA's proposal focuses attention on proposed rule 3015.5(c)(1) and, upon reconsideration, the Commission finds it appropriate to clarify the proposed rule. The proposed rule used the phrase “annualized revenue and cost data.” The term “annualized” is ambiguous and may be at odds with the annual compliance reporting requirements of sections 3652 and 3653. Thus, to clarify the filing requirements, the Commission will modify rule 3015.5(c)(1) to read as follows: “Sufficient revenue and cost data for the 12-month period following the effective date of the rate or class to demonstrate that each affected competitive product will be in compliance with 39 U.S.C. 3633(a)(2)”.
59 59 Rule 3015.3(c)(1), which used the same language concerning decreases in rates of general applicability, will also be modified similarly: “Sufficient revenue and cost data for the 12-month period following the effective date of the rate to demonstrate that each affected competitive product will be in compliance with 39 U.S.C. 3633(a)(2)”. The Commission will not adopt PSA's proposal that rule 3015.5(c)(2) be modified to eliminate the requirement that the Postal Service include an explanation that, following the change in the rate (or rates) not of general applicability, competitive products will be in compliance with sections 3633(a)(1) and (3). The assumption that the Postal Service's compliance with sections 3633(a)(1) and
(3) will not be dependent on individual negotiated service agreements is untested and, thus, premature. International mail excepted, no competitive negotiated service agreements exist. Consequently, their impact is uncertain. The limited review contemplated by the rules is intended to provide some assurance that, at least preliminarily, the rates not of general applicability satisfy section 3633. Once experience under the PAEA is gained, including with rates not of general applicability, the rules can be revisited and modified as deemed appropriate. E. Parcel Select In Order No. 26, the Commission identified three bulk Parcel Post products, consisting of Parcel Select, Parcel Return Service, and Parcel Post mail qualifying for OBMC, BMC, and barcode discounts. Order No. 26, ¶ 3012. The Postal Service proposes that OBMC, BMC, and barcode discounts be included as price categories within Parcel Select. Postal Service Initial Mail Classification Schedule, September 24, 2007, at 7-8. The Postal Service cites common characteristics between mailers using these rates and those using Parcel Select rates as a basis for consolidation. Both involve commercial mailers; some Parcel Select mailers also enter mail in the OBMC, BMC, and barcode discount categories. In addition, the Postal Service notes that the minimum volume requirements are the same as for Parcel Select. *Id.* at 8. *Commission analysis.* The Commission will adopt the Postal Service's proposal, notwithstanding having some concerns about the sufficiency of the rationale offered in support of consolidation, i.e., similarities between mailers. This decision is influenced by several considerations. First, the proposal generated no controversy, as evidenced by the fact that no party commented on it. Second, consolidating the discounts with Parcel Select has a plausible basis; both involve parcels and are subject to the same volume requirements. Third, timing is not unimportant.
This proceeding represents the initial attempt to develop rules implementing the modern system of rate regulation under the PAEA. Granting the Postal Service's proposal at the outset may enable the Postal Service to market Parcel Select in new ways. Experience, however, may demonstrate that Parcel Select and OBMC, BMC, and barcode discounts should be classified as separate products. Consolidation now does not preclude such a result later. IV. Product Lists A. Subpart A—Mail Classification Schedule Initially, section 3020.11 required the Postal Service to propose a Mail Classification Schedule within 30 days of enactment of the final rule. At the same time, Order No. 26 requested that the Postal Service prepare a draft Mail Classification Schedule in expedited fashion. The Postal Service complied with the request for expedition and filed a draft Mail Classification Schedule on September 24, 2007. 60 Order No. 26 also requested initial comments from interested persons on the Postal Service's draft Mail Classification Schedule. Specific comments were received from Advo, APWU, Carlson, DFS, MOAA, NAPUS, OCA, Pitney Bowes, Popkin, and PostCom. 60 United States Postal Service Submission of Initial Mail Classification Schedule in Response to Order No. 26, September 24, 2007. The Postal Service's commendable efforts will allow publication of a complete Mail Classification Schedule as anticipated. However, additional work remains. In this order, the Commission reaffirms that negotiated service agreements initially will be treated as individual products. To implement this finding, the Commission requests further information from the Postal Service. The Commission requests the Postal Service to develop and file with the Commission the descriptive information necessary to identify and explain each market dominant and competitive negotiated service agreement (including each International Customized Mail Agreement).
For both market-dominant and competitive agreements, consideration should be given to grouping agreements with identical or very similar terms and conditions. This information is to be provided to the Commission by November 20, 2007. The Commission also has integrated several international products under the classifications of their domestic counterparts. Single-piece First-Class Mail International has been subdivided into Outbound Single-piece First-Class Mail International and Inbound Single-piece First-Class Mail International, and assigned to the First-Class Mail class. International Ancillary Services, International Reply Coupon Service, and International Business Reply Mail Service have been included with Special Services. A product described as Inbound Surface Parcel Post (at UPU rates) has been assigned to the Package Services class. Classes of Express Mail and Priority Mail have been assigned to the competitive products list. The “class” terminology within the competitive products list is used merely as an organizational aid to group products with similar characteristics and is not meant to imply ratemaking significance. The Express Mail class is to include Express Mail (Domestic), Outbound International Expedited Services, and Inbound Expedited Services. The Priority Mail class is to include Priority Mail (Domestic), Outbound Priority Mail International, and Inbound Air Parcel Post. As discussed above, DBMC, BMC, and barcode discount parcels have been consolidated with Parcel Select as one product. Parcel Return Service remains as proposed by the Postal Service. A product described as Inbound Surface Parcel Post (at non-UPU rates) has been assigned to the competitive products list international class. The above changes will either require modification to the Postal Service's proposed Mail Classification Schedule, or additional information from the Postal Service to accurately describe these products. 
This information is to be provided to the Commission by November 20, 2007. While the Commission is comfortable in most instances with the Postal Service naming its own products, the Commission's preference is for product names that appropriately identify the characteristics of the products. In this respect, the term “bulk” as used in First-Class Mail “Bulk Letters/Postcards” is not helpful because large quantities of what might commonly be thought of as “bulk” mail also is mailed at single-piece rates. Furthermore, bulk mail can not be entered at Bulk Letters/Postcards rates unless it is also presorted. The Commission asks the Postal Service to consider whether another descriptive term other than bulk might be more appropriate, such as “presorted” or “workshared”. The Commission will develop a comprehensive Mail Classification Schedule for incorporation into its rules after thorough review of the Postal Service's proposals and the comments already provided. Notice and the opportunity for comment on the Mail Classification Schedule developed by the Commission will be provided. The Postal Service suggests that product descriptions be omitted from the Mail Classification Schedule when published as Commission regulations in the Code of Federal Regulations. Postal Service Reply Comments, October 9, 2007, at 26-27. The Postal Service contends that since changes to provisions for existing products are made by the Postal Service in the Domestic Mail Manual, it may be confusing also to have to revise the Mail Classification Schedule. In addition, the Postal Service questions whether such treatment would conform with the Governors' ability to enact classification changes for competitive products under 39 U.S.C. 3632. The Commission previously explained that: The Commission is charged with maintaining accurate product lists. 39 U.S.C. § 3642. 
The Commission views the Mail Classification Schedule as the vehicle for presenting the product lists with necessary descriptive content. The explanatory information included with the product lists will inform participants in Commission proceedings of the nature and scope of Postal Service products and must be sufficiently detailed to allow the Commission to verify that the rates and categorization of products are in compliance with the PAEA. Thus, the Mail Classification Schedule is important in that it will provide for the transparent and accurate maintenance of the product lists. PRC Order No. 26 at ¶ 4003. The explanatory information performs an important function in the Commission's responsibility to establish and maintain “a modern system for regulating rates and classes for market-dominant products.” *See* 39 U.S.C. 3622(a). Furthermore, the explanatory information facilitates the Commission's understanding of the Postal Service's products when reviewing service standards under 39 U.S.C. 3691. With the Commission's role in maintaining the product lists, regulating rates and classes for market dominant products, and reviewing service standards, the explanatory information provides a baseline for the Commission in undertaking its important responsibilities. The rules require only minimal descriptive information to be included in the Mail Classification Schedule. 61 The level of detail that the Postal Service provided in its proposed Mail Classification Schedule, with some minor adjustments, appears adequate. The rules also specify an expeditious and unburdensome approach to updating the Mail Classification Schedule that is consistent with providing the Postal Service with great flexibility to manage its products. Thus, the Postal Service's suggestion to omit the descriptive information from the CFR will not be adopted. 61 This is to be contrasted against the detailed product information provided by the Postal Service in the Domestic Mail Manual. 
The Postal Service has great flexibility in developing the detailed requirements in the Domestic Mail Manual, consistent with the general descriptions provided in the Mail Classification Schedule. Initially, rule 3020.12 was written to incorporate by reference the Mail Classification Schedule into the **Federal Register** . This method of publication requires the approval of the Director of the Federal Register. At this time, the Commission has not received approval. Because the initial Mail Classification Schedule is a required component of this final rule, rule 3020.12 has been revised to publish the Mail Classification Schedule in the **Federal Register** as an appendix. The final rule establishes an initial framework for operating under the PAEA. This requires at a minimum publication of the market dominant and competitive product lists. Section 3020.11 has been modified to provide for publication of an abbreviated Mail Classification Schedule which provides these product lists. The rule indicates that the additional descriptive material will be added in a subsequent rulemaking. An initial Mail Classification Schedule has been prepared as Appendix A to these rules. It provides a skeleton of the Mail Classification Schedule that indicates the general format of the document and reserves space for including the individual product descriptions in the near future. The Mail Classification Schedule includes the complete market dominant and competitive product lists which allows the Postal Service and the Commission to operate under the PAEA. The product lists generally are consistent with the product lists proposed by the Postal Service in its draft Mail Classification Schedule, except for the modifications discussed in this Order. APWU opposes the Postal Service's proposal to create separate products for Single-piece Letters/Postcards and Bulk Letters/Postcards within First-Class Mail. 
It expresses concern that the separation may lead to rates that violate the workshare provision of the PAEA and fail to encourage efficiency. APWU MCS Comments, October 9, 2007, at 1-4. In its comments supporting the Postal Service's proposed Mail Classification Schedule, Advo argues that the separation of single-piece and bulk letters and postcards is “imminently reasonable.” Advo MCS Comments, October 9, 2007, at 2. The Postal Service has the flexibility to initially describe its product lines in conformance with the statutory requirements of the PAEA. A product is defined as “a postal service with a distinct cost or market characteristic for which a rate or rates are, or may reasonably be, applied.” 39 U.S.C. 102(6). It is possible to apply this definition and categorize First-Class Mail postal services into products in several different ways. The selections made by the Postal Service comply with the definition, and represent postal services with distinct cost or market characteristics. The product lines are subject to adjustments in the future as conditions change. The Commission finds that the Postal Service has appropriately described product lines applicable to First-Class Mail.
The public had an opportunity to comment on the product lists as provided in Order No. 26. OCA, and others, express opinions on the content and level of detail of the product lists. *See* OCA MCS Comments, October 10, 2007. The Commission acknowledges that these comments raise important issues applicable to many mailers. The Commission finds that the product lists specified in the initial Mail Classification Schedule provide mailers, the Postal Service, and the Commission a legally sufficient starting point for operating under the PAEA. Rules to modify the product lists are specified in this final rule, and the Commission anticipates that these rules will be put to use. B. Requests to Modify the Product Lists The Commission has identified an error in the **Federal Register** notice. Rule 3020.31(b) should read “Provide a copy of the Governor's decision supporting the request, if any;”. Order No. 26 includes the correct text. The correct language is included in the final rule. The Commission has made conforming changes to docket and notice rules 3020.33, 3020.53, and 3020.73, which make the language consistent, wherever possible, with the provisions applicable to notices of Type 1 rate adjustments for market dominant products. *Suggested revisions.* PostCom suggests combining part 3020 subparts B, C, and D.
PostCom Comments, September 24, 2007, at 7. PostCom contends that the subparts contain identical procedures for reviewing product list modifications depending on the party that initiates a request. The Commission will not adopt PostCom's suggestion. There are differences in requirements based on the filing party, and the Commission anticipates further variations as the rules develop over time. PostCom further suggests making the requirements of part 3020 inapplicable for product list modifications associated with CPI rate increases. PostCom Comments, September 24, 2007, at 5-7. PostCom has not made a persuasive argument that there should be an exception to the requirements of 39 U.S.C. 3642 when CPI rate adjustments are made. GCA suggests that explicit language be included in rules 3020.30, 3020.50, and 3020.70 to prohibit the transfer of products between product lists that are subject to the private express statutes. GCA Comments, September 24, 2007, at 6-7. This prohibition is specified in 39 U.S.C. 3642(b)(2). The Commission's rules as proposed require the Postal Service to demonstrate that this requirement is met. *See* rules 3020.32(e), 3020.52(e), and 3020.72(e). Thus, the rules adequately address GCA's concern. Pitney Bowes suggests incorporating a 45-day time limit into the rules for the initial review of proposals to add, delete, or transfer products between product lists. *See* rules 3020.34, 3020.55, and 3020.75. Pitney Bowes further suggests incorporating a 90-day time limit into the rules when further proceedings are required to review these proposals. *See* rules 3020.35, 3020.56, and 3020.76. Pitney Bowes Comments, September 24, 2007, at 14-15. The Commission will handle requests to add, delete, or transfer products between product lists in an expedient manner consistent with due process and procedural fairness. When the proposals appear to meet statutory requirements, the proposals should receive prompt approval. 
However, when there is a demonstration by a party submitting comments or when it is independently apparent to the Commission that there may be compliance issues with the proposal, the Commission will allow adequate time on a case-by-case basis to evaluate the issues and review statutory compliance. Establishing an artificial time constraint will not facilitate resolving identified compliance issues, and it may prolong resolution of the issues by requiring parties to initiate litigious complaint proceedings. *Final rules.* With the exception of the changes identified at the beginning of this section, the rules for requests to modify product lists initiated by the Postal Service, users of mail, and the Commission (part 3020, subparts B, C, and D), are adopted without change. C. Subpart E—Requests Initiated by the Postal Service To Change the Mail Classification Schedule *Suggested revisions.* McGraw-Hill is concerned that the Postal Service will use part 3020 subpart E, which does not provide for Commission review or allow for public comment, to make what it considers major classification changes. McGraw-Hill Comments, September 24, 2007, at 2-5. McGraw-Hill requests prospective review and the opportunity for comment on Postal Service proposed major classification changes that do not involve modifications to the product lists. Valpak expresses similar concerns and seeks an alternative way of handling major classification changes. Valpak Comments, September 24, 2007, at 12-16. *Commission analysis.* Commenters correctly infer that there is a continuum of possible classification changes from those only requiring the Postal Service to inform the Commission of a classification change to those triggering the requirements of 39 U.S.C. 3642. The Postal Service asserts that it will initially provide an opportunity for formal public comment on important and complex changes to its processes and products. Postal Service Reply Comments, October 9, 2007, at 27-29.
Thus, it contends, the public will have notice and an opportunity for comments on proposed changes provided by the Postal Service. Parties also have the opportunity to utilize the Commission's complaint procedures whenever compliance with the statutory requirements becomes an issue. Further opportunities for public comment will be available during the annual compliance process, and also may be available when the Commission evaluates service standards. The rules proposed in subparts B, C, and D establish formal procedures for classification changes triggering the requirements of 39 U.S.C. 3642. For classification changes below this level, the proposed rules provide the Postal Service with great flexibility to manage Postal Service products, as long as the products conform to the statutory requirements of the PAEA. Neither the PAEA nor sound public policy suggests that the Commission exercise pre-implementation authority at this time. The purpose of subpart E is to keep the Mail Classification Schedule up to date when product changes are made below the 39 U.S.C. 3642 level. This facilitates the Commission's maintenance of the product lists and makes it possible for the Commission to undertake its other statutory responsibilities. Subpart E was not intended to provide an avenue for comprehensive pre-implementation review of classification changes. The Commission will provide notice and the opportunity for comment on Mail Classification Schedule changes under subpart E. Comments can be beneficial in assuring that proposals are properly filed under the correct rules, and not inadvertently filed under subpart E. For these limited purposes, it will be sufficient to provide notice of Postal Service submissions under rule 3020.91 on the Commission's Web site and allow a period for public comment on whether the changes are inconsistent with 39 U.S.C. 3642. A new rule, 3020.92, Public Input, is added. 
That rule will provide for the Commission publishing Postal Service submissions pursuant to rule 3020.91 on its Web site and give interested members of the public an opportunity to comment. Proposed rule 3020.92, Implementation, is renumbered as rule 3020.93, and modified to reflect consideration of public comments. No participant commented on the proposed rules in part 3020, subpart F, and they are adopted without change. V. Ordering Paragraphs *It is ordered:* 1. The Postal Service shall provide the information necessary for further development of the Mail Classification Schedule as specified in chapter IV, ¶¶ 4002 through 4004 of this Order by November 20, 2007. 2. The Commission hereby adopts final rules amending the definitions of terms appearing in rule 3001.5 that follow the Secretary's signature into the Commission's Rules of Practice and Procedure appearing in 39 CFR 3001. 3. The Commission hereby adopts final rules establishing new rules applicable to Regulation of Market Dominant Products (part 3010), Competitive Products (part 3015), and Product Lists (part 3020) that follow the Secretary's signature into the Commission's Rules of Practice and Procedure to appear in 39 CFR 3010, 3015, and 3020 respectively. 4. The Commission hereby adopts final rules establishing a Mail Classification Schedule, appearing as Appendix A to subpart A of new rule 3020 that follow the Secretary's signature into the Commission's Rules of Practice and Procedure to appear in 39 CFR 3020. 5. The Secretary shall arrange for publication of this Order amending the definitions of terms, establishing rules applicable to Regulation of Market Dominant Products, Competitive Products, and Product Lists, and establishing a Mail Classification Schedule in the **Federal Register** . These changes will take effect 30 days after publication in the **Federal Register** . 6. The Secretary shall arrange for publication of this order in the **Federal Register** . 
List of Subjects 39 CFR Part 3001 Administrative practice and procedure; Confidential business information, Freedom of information, Sunshine Act. 39 CFR Part 3010 Administrative practice and procedure; Postal Service. 39 CFR Part 3015 Administrative practice and procedure; Postal Service. 39 CFR Part 3020 Administrative practice and procedure; Postal Service. By the Commission. Steven W. Williams, Secretary. For the reasons stated in the preamble, under the authority at 39 U.S.C. 503, the Postal Regulatory Commission amends 39 CFR chapter III as follows: PART 3001—RULES OF PRACTICE AND PROCEDURE 1. Revise the authority citation for part 3001 to read as follows: Authority: 39 U.S.C. 404(d); 503; 3622; 3633; 3661, 3652. Subpart A—Rules of General Applicability 2. Amend § 3001.5 as follows: a. Revise paragraphs
(r) and (s); and b. Add paragraphs
(t) and (u). § 3001.5 Definitions.
(r) *Negotiated service agreement* means a written contract, to be in effect for a defined period of time, between the Postal Service and a mailer, that provides for customer-specific rates or fees and/or terms of service in accordance with the terms and conditions of the contract. A rate associated with a negotiated service agreement is not a rate of general applicability.
(s) *Postal service* refers to the delivery of letters, printed matter, or mailable packages, including acceptance, collection, sorting, transportation, or other functions ancillary thereto.
(t) *Product* means a postal service with a distinct cost or market characteristic for which a rate or rates are, or may reasonably be, applied.
(u) *Rate or class of general applicability* means a rate or class that is available to all mailers equally on the same terms and conditions.
3. Add part 3010 to read as follows:
PART 3010—REGULATION OF RULES FOR MARKET DOMINANT PRODUCTS
Subpart A—General Provisions
Sec.
3010.1 Applicability.
3010.2 Types of rate adjustments for market dominant products.
3010.3 Type 1-A rate adjustment—in general.
3010.4 Type 1-B rate adjustment—in general.
3010.5 Type 2 rate adjustment—in general.
3010.6 Type 3 rate adjustment—in general.
3010.7 Schedule of regular rate changes.
Subpart B—Rules for Rate Adjustments for Rates of General Applicability (Type 1-A and 1-B Rate Adjustments)
3010.10 Procedures.
3010.11 Limit on size of rate increases.
3010.12 Source of CPI-U data for purposes of annual limitation.
3010.13 Proceedings for Type 1-A and Type 1-B rate adjustment filings.
3010.14 Contents of notice of rate adjustment.
Subpart C—Rules for Applying the Price Cap
3010.20 Test for compliance with the annual limitation.
3010.21 Calculation of annual limitation.
3010.22 Calculation of less than annual limitation.
3010.23 Calculation of percentage change in rates.
3010.24 Treatment of volume associated with negotiated service agreements.
3010.25 Limitation on unused rate adjustment authority rate adjustments.
3010.26 Calculation of unused rate adjustment authority.
3010.27 Application of unused rate adjustment authority.
3010.28 Maximum size of unused rate adjustment authority rate adjustments.
3010.29 Transition rule.
Subpart D—Rules for Rate Adjustments for Negotiated Service Agreements (Type 2 Rate Adjustments)
3010.40 Negotiated service agreements.
3010.41 Procedures.
3010.42 Contents of notice of agreement in support of a negotiated service agreement.
3010.43 Data collection plan.
3010.44 Proceedings for Type 2 rate adjustments.
Subpart E—Rules for Rate Adjustments for Exigent Circumstances (Type 3 Rate Adjustments)
3010.60 Applicability.
3010.61 Contents of exigent requests.
3010.62 Supplemental information.
3010.63 Treatment of unused rate adjustment authority.
3010.64 Expeditious treatment of exigent requests.
3010.65 Special procedures applicable to exigent requests.
3010.66 Deadline for Commission decision.
Authority: 39 U.S.C. 503; 3622.
Subpart A—General Provisions
§ 3010.1 Applicability.
The rules in this part implement provisions in the Postal Accountability and Enhancement Act (PAEA) establishing ratesetting policies and procedures for market dominant products. With the exception of exigency-based rate adjustments, these procedures allow a minimum of 45 days for advance public notice of the Postal Service's planned rate adjustments. Exigency-based rate adjustments require the Postal Service to file a formal request with the Commission and are subject to special procedures.
§ 3010.2 Types of rate adjustments for market dominant products.
(a)There are four types of rate adjustments for market dominant products. A Type 1-A rate adjustment, authorized under 39 U.S.C. 3622(d)(1)(D), is based on the statutory annual limitation. A Type 1-B rate adjustment, authorized under 39 U.S.C. 3622(d)(2)(C), is based on an exception to the annual limitation, and is referred to as unused rate adjustment authority. A Type 2 rate adjustment, authorized under 39 U.S.C. 3622(c)(10), is based on a negotiated service agreement. A Type 3 rate adjustment, authorized under 39 U.S.C. 3622(d)(1)(E), is based on exigent circumstances.
(b)Upon the establishment of unused rate adjustment authority in any class, the Postal Service shall devise and maintain a schedule that tracks the establishment and subsequent use of unused rate adjustment authority.
(c) The Postal Service may combine Types 1-A, 1-B and 2 rate adjustments for purposes of filing with the Commission.

§ 3010.3 Type 1-A rate adjustment—in general.
(a)A Type 1-A rate adjustment represents the usual type of adjustment to rates of general applicability.
(b)A Type 1-A rate adjustment may result in a rate adjustment that is less than or equal to the annual limitation, but may not exceed the annual limitation.
(c) A Type 1-A rate adjustment for any class that is less than the applicable change in CPI-U results in unused rate adjustment authority associated with that class. Part or all of the unused rate adjustment authority may be used in a subsequent adjustment for that class, subject to the expiration terms in § 3010.26(d).

§ 3010.4 Type 1-B rate adjustment—in general.
(a)A Type 1-B rate adjustment is a rate adjustment which uses unused rate adjustment authority in whole or in part. A rate adjustment using unused rate adjustment authority may not result in an increase for the class that exceeds the applicable annual limitation plus 2 percentage points.
(b)Type 1-B rate adjustments filed within 12 months of each other may not apply more than 2 percentage points of unused rate authority to any class.
(c) Unused rate adjustment authority in each class may be applied to rate adjustments in the same class for up to 5 years.

§ 3010.5 Type 2 rate adjustment—in general.

A negotiated service agreement rate adjustment entails a rate adjustment negotiated between the Postal Service and a customer or group of customers.

§ 3010.6 Type 3 adjustment—in general.
(a)A Type 3 rate adjustment is a request for an exigency-based rate adjustment. It is authorized only when justified by exceptional or extraordinary circumstances.
(b)An exigency-based rate adjustment is not subject to the inflation-based limitation or the restrictions on the use of unused rate adjustment authority, and does not implement a negotiated service agreement.
(c) A Postal Service request for a Type 3 rate adjustment is subject to public participation and Commission review within 90 days.

§ 3010.7 Schedule of regular rate changes.

(a) The Postal Service shall maintain on file with the Commission a Schedule for Regular and Predictable Rate Changes. The Commission shall display the Schedule for Regular and Predictable Rate Changes on the Commission Web site, *http://www.prc.gov*.
(b)The Schedule for Regular and Predictable Rate Changes shall provide mailers with estimated implementation dates for future Type 1-A rate changes for each separate class of mail, should such changes be necessary and appropriate. Rate changes will be scheduled at specified regular intervals.
(c)The Schedule for Regular and Predictable Rate Changes shall provide an explanation that will allow mailers to predict with reasonable accuracy the amounts of future scheduled rate changes.
(d)The initial Schedule for Regular and Predictable Rate Changes must be filed within 90 days of the effective date of this rule. The Postal Service should balance its financial and operational needs with the convenience of mailers of each class of mail in developing the schedule.
(e)Whenever the Postal Service deems it appropriate to change the Schedule for Regular and Predictable Rate Changes, it shall file a revised schedule and explanation with the Commission.
(f) The Postal Service may, for good cause shown, vary rate adjustments from those estimated by the Schedule for Regular and Predictable Rate Changes. In such case, the Postal Service should provide a succinct explanation for such variation with its Type 1-A filing. No explanation is required for changes involving smaller than predicted rate adjustments.

Subpart B—Rules for Rate Adjustments for Rates of General Applicability (Type 1-A and 1-B Rate Adjustments)

§ 3010.10 Procedures.
(a)The Postal Service, in every instance in which it determines to exercise its statutory authority to make a Type 1-A or Type 1-B rate adjustment for a market dominant postal product shall:
(1)Provide public notice in a manner reasonably designed to inform the mailing community and the general public that it intends to change rates not later than 45 days prior to the intended implementation date; and
(2)Transmit a notice of rate adjustment to the Commission no later than 45 days prior to the intended implementation date.
(b) The Postal Service is encouraged to provide public notice and to submit its notice of rate adjustment as far in advance of the 45-day minimum as practicable, especially in instances where the intended price changes include classification changes or operations changes likely to have material impact on mailers.

§ 3010.11 Limit on size of rate increases.
(a)Rate increases for each class of market dominant products in any 12-month period are limited.
(b)Rates of general applicability are subject to an inflation-based limitation computed using CPI-U values as detailed in § 3010.12.
(c)An exception to the inflation-based limitation allows a limited annual recapture of unused rate authority. The amount of unused rate authority is measured separately for each class of mail.
(d) In any 12-month period the inflation-based limitation combined with the allowable recapture of unused rate authority equals the price cap applicable to each class of mail.

§ 3010.12 Source of CPI-U data for purposes of annual limitation.

The monthly CPI-U values needed for the calculation of the annual limitation under this part shall be obtained from the Bureau of Labor Statistics (BLS) Consumer Price Index—All Urban Consumers, U.S. All Items, Not Seasonally Adjusted, Base Period 1982-84 = 100. The current Series ID for the index is “CUUR0000SA0.”

§ 3010.13 Proceedings for Type 1-A and Type 1-B rate adjustment filings.
(a)The Commission will establish a docket for each rate adjustment filing, promptly publish notice of the filing in the **Federal Register** , and post the filing on its Web site. The notice shall include:
(1)The general nature of the proceeding;
(2)A reference to legal authority to which the proceeding is to be conducted;
(3)A concise description of the planned for changes in rates, fees, and the Mail Classification Schedule;
(4)The identification of an officer of the Commission to represent the interests of the general public in the docket;
(5)A period of 20 days from the date of the filing for public comment; and
(6)Such other information as the Commission deems appropriate.
(b)Public comments should focus primarily on whether planned rate adjustments comply with the following mandatory requirements of 39 U.S.C. chapter 36, subchapter 1:
(1)Whether the planned rate adjustments measured using the formula established in § 3010.23(b) are at or below the annual limitation established in § 3010.11; and
(2)Whether the planned rate adjustments measured using the formula established in § 3010.23(b) are at or below the limitations established in § 3010.28.
(c)Within 14 days of the conclusion of the public comment period the Commission will determine, at a minimum, whether the planned rate adjustments are consistent with the annual limitation set forth in rule 3010.11; the limitations set forth in rule 3010.28; and 39 U.S.C. 3626, 3627, and 3629, and issue an order announcing its findings.
(d)If the planned rate adjustments are found consistent with applicable law by the Commission, they may take effect pursuant to appropriate action by the Governors.
(e)If planned rate adjustments are found inconsistent with applicable law by the Commission, the Postal Service will submit an amended notice of rate adjustment and describe the modifications to its planned rate adjustments that will bring its rate adjustments into compliance. An amended notice of rate adjustment shall be accompanied by sufficient explanatory information to show that all deficiencies identified by the Commission have been corrected.
(f)The Commission will post any amended notice of rate adjustment filing on its Web site and allow a period of 10 days from the date of the filing for public comment. Comments in the amended notice of rate adjustment should address the subjects identified in rule 3010.13(b).
(g)The Commission will review any amended notice of rate adjustment together with any comments filed for compliance and within 14 days issue an order announcing its findings.
(h)If the planned rate adjustments as amended are found to be consistent with applicable law, they may take effect pursuant to appropriate action by the Governors. However, no rate shall take effect until 45 days after the Postal Service files a notice of rate adjustment specifying that rate.
(i)If the planned rate adjustments in an amended notice of rate adjustment are found to be inconsistent with applicable law, the Commission shall explain the basis of its determination and suggest an appropriate remedy.
(j) For purposes of subsequent Commission proceedings, findings that a planned Type 1 rate adjustment is in compliance with the annual limitation set forth in § 3010.11; the limitations set forth in § 3010.28; and 39 U.S.C. 3626, 3627, and 3629 are decided on the merits. A Commission finding that a planned Type 1 rate adjustment does not contravene other policies of 39 U.S.C. chapter 36, subchapter 1 is provisional and subject to subsequent review.

§ 3010.14 Contents of notice of rate adjustment.
(a)*General* . The Postal Service notice of rate adjustment must include the following information:
(1)A schedule of the proposed rates;
(2)The planned effective date(s) of the proposed rates;
(3)A representation or evidence that public notice of the planned changes has been issued or will be issued at least 45 days before the effective date(s) for the proposed new rates; and
(4)The identity of a responsible Postal Service official who will be available to provide prompt responses to requests for clarification from the Commission.
(b)*Supporting technical information and justifications.* The notice of rate adjustment shall be accompanied by:
(1)The amount of the applicable change in CPI-U calculated as required by § 3010.21 or § 3010.22, as appropriate. This information must be supported by workpapers in which all calculations are shown, and all input values including all relevant CPI-U values are listed with citations to the original sources;
(2)A schedule showing unused rate authority available for each class of mail displayed by class and available amount for each of the preceding 5 years. This information must be supported by workpapers in which all calculations are shown;
(3)The percentage change in rates for each class of mail calculated as required by § 3010.23. This information must be supported by workpapers in which all calculations are shown, and all input values including current rates, new rates, and billing determinants are listed with citations to the original sources;
(4)The amount of new unused rate authority, if any, that will be generated by the rate adjustment calculated as required by § 3010.26. All calculations are to be shown with citations to the original sources. If new unused rate authority will be generated for a class of mail that is not expected to cover its attributable costs, the Postal Service must provide the rationale underlying this rate adjustment;
(5)A schedule of the workshare discounts included in the proposed rates, and a companion schedule listing the avoided costs that underlie each such discount. The avoided cost figures must be developed from the most recent PRC Annual Compliance Report. This information must be supported by workpapers in which all calculations are shown, and all input values are listed with citations to the original sources;
(6)Separate justification for all proposed workshare discounts that exceed avoided costs. Each such justification shall reference applicable reasons identified in 39 U.S.C. 3622(e)(2) or (3). The Postal Service shall also identify and explain discounts that are set substantially below avoided costs and explain any relationship between discounts that are above and those that are below avoided costs;
(7)A discussion that demonstrates how the planned rate adjustments are designed to help achieve the objectives listed in 39 U.S.C. 3622(b) and properly take into account the factors listed in 39 U.S.C. 3622(c);
(8)A discussion that demonstrates the planned rate adjustments are consistent with 39 U.S.C. 3626, 3627, and 3629;
(9)A schedule identifying every change to the Mail Classification Schedule that will be necessary to implement the planned rate adjustments; and
(10)Such other information as the Postal Service believes will assist the Commission to issue a timely determination of whether the requested increases are consistent with applicable statutory policies.
(c)*New workshare discounts.* Whenever the Postal Service establishes a new workshare discount rate, it must include with its filing:
(1)A statement explaining its reasons for establishing the discount;
(2)All data, economic analyses, and other information relied on to justify the discount; and
(3)A certification based on comprehensive, competent analyses that the discount will not adversely affect either the rates or the service levels of users of postal services who do not take advantage of the discount.
(d) *Information required only when Type 1-B rate adjustments are proposed.* The notice of rate adjustment shall identify for each affected class how much existing unused rate authority is used in the proposed rates calculated as required by § 3010.27. All calculations are to be shown, including citations to the original sources.

Subpart C—Rules for Applying the Price Cap

§ 3010.20 Test for compliance with the annual limitation.

The appropriate annual limitation shall be applied to a measure of the rates paid by mail sent in each class for which rate adjustments are to be made to determine whether planned rates are consistent with the annual limitation.

§ 3010.21 Calculation of annual limitation.
(a)The calculation of an annual limitation involves three steps. First, a simple average CPI-U index is calculated by summing the most recently available 12 monthly CPI-U values from the date the Postal Service files its notice of rate adjustment and dividing the sum by 12 (Recent Average). Then, a second simple average CPI-U index is similarly calculated by summing the 12 monthly CPI-U values immediately preceding the Recent Average and dividing the sum by 12 (Base Average). Finally, the annual limitation is calculated by dividing the Recent Average by the Base Average and subtracting 1 from the quotient. The result is expressed as a percentage, rounded to one decimal place.
(b) The formula for calculating an annual limitation is as follows:

Annual Limitation = (Recent Average/Base Average) − 1.

§ 3010.22 Calculation of less than annual limitation.
(a)If a notice of rate adjustment is filed less than 1 year after the last Type 1-A or Type 1-B notice of rate adjustment applicable to an affected class of mail, then the annual limitation will recognize the rate increases that have occurred during the preceding 12 months. When the effects of those increases are removed, the remaining partial year limitation is the applicable restriction on rate increases.
(b)The applicable partial year limitation is calculated in two steps. First, a simple average CPI-U index is calculated by summing the 12 most recently available monthly CPI-U values from the date the Postal Service files its notice of rate adjustment and dividing the sum by 12 (Recent Average). The partial year limitation is then calculated by dividing the Recent Average by the Recent Average from the most recent previous notice of rate adjustment (Previous Recent Average) applicable to each affected class of mail and subtracting 1 from the quotient. The result is expressed as a percentage, rounded to one decimal place.
(c) The formula for calculating the partial year limitation for a notice of rate adjustment filed less than 1 year after the last notice is as follows:

Partial Year Limitation = (Recent Average/Previous Recent Average) − 1.

§ 3010.23 Calculation of percentage change in rates.
(a)The term *rate cell* as applied in the test for compliance with the annual limitation shall apply to each and every separate rate identified in any applicable notice of rate adjustment for rates of general applicability. Thus, seasonal or temporary rates, for example, shall be identified and treated as rate cells separate and distinct from the corresponding non-seasonal or permanent rates.
(b)For each class of mail, the percentage change in rates is calculated in three steps. First, the volume of each rate cell in the class is multiplied by the planned rate for the respective cell and the resulting products are summed. Then, the same set of rate cell volumes are multiplied by the corresponding current rate for each cell and the resulting products are summed. Finally, the percentage change in rates is calculated by dividing the results of the first step by the results of the second step and subtracting 1 from the quotient. The result is expressed as a percentage.
(c) The formula for calculating the percentage change in rates for a class described in paragraph (b) of this section is as follows:

Percentage change in rates = ER09NO07.000

Where,

$N$ = number of rate cells in the class

$i$ = denotes a rate cell ($i = 1, 2, \ldots, N$)

$R_{i,n}$ = planned rate of rate cell $i$

$R_{i,c}$ = current rate of rate cell $i$

$V_i$ = volume of rate cell $i$
(d) The volumes for each rate cell shall be obtained from the most recent available 12 months of Postal Service billing determinants. The Postal Service shall make reasonable adjustments to the billing determinants to account for the effects of classification changes such as the introduction, deletion, or redefinition of rate cells. Whenever possible, adjustments shall be based on known mail characteristics. The Postal Service shall identify and explain all adjustments. All information and calculations relied upon to develop the adjustments shall be provided together with an explanation of why the adjustments are appropriate.

§ 3010.24 Treatment of volume associated with negotiated service agreements.
(a)Mail volumes sent at rates under negotiated service agreements are to be included in the calculation of percentage change in rates as though they paid the appropriate rates of general applicability. Where it is impractical to identify the rates of general applicability ( *e.g.* , because unique rate categories are created for a mailer), the volumes associated with the mail sent under the terms of the negotiated service agreement shall be excluded from the calculation of percentage change in rates.
(b) The Postal Service shall identify and explain all assumptions it makes with respect to the treatment of negotiated service agreements in the calculation of the percentage change in rates and provide the rationale for its assumptions.

§ 3010.25 Limitation on unused rate adjustment authority rate adjustments.

Unused rate adjustment authority rate adjustments may only be applied together with inflation-based limitation rate adjustments or when inflation-based limitation rate adjustments are not possible. Unused rate adjustment authority rate adjustments may not be used in lieu of an inflation-based limitation rate adjustment.

§ 3010.26 Calculation of unused rate adjustment authority.
(a)Unused rate adjustment authority accrues during the entire period between notices of Type 1 rate adjustments.
(b)When notices of Type 1 rate adjustments are filed 12 months apart or less, either the annual or partial year limitation (developed pursuant to § 3010.21(a) or § 3010.22(b) respectively) is used to measure the accrued unused rate authority. In either circumstance, the new unused rate authority for each class is equal to the difference between the maximum allowable percentage change in rates under the applicable rate limitation and the actual percentage change in rates for that class.
(c)When a notice of rate adjustment is filed more than 12 months after the previous notice of rate adjustment, unused rate authority is computed in three steps:
(1) The unused rate authority for the 12 months represented by the annual limitation is computed as described in paragraph (b) of this section;
(2)The additional unused rate authority accrued is measured by dividing the Base Average applicable to the instant notice of rate adjustment (as developed pursuant to § 3010.21(a)) by the Recent Average utilized in the previous notice of rate adjustment (as developed pursuant to § 3010.21(a)) and subtracting 1 from the quotient. The result is expressed as a percentage; and
(3)The results from step 1 and step 2 are added together.
(d) Unused rate adjustment authority lapses 5 years after the date of filing of the notice of rate adjustment leading to its computation.

§ 3010.27 Application of unused rate adjustment authority.

When the percentage change in rates for a class is greater than the applicable annual limitation, then the difference between the percentage change in rates for the class and the price cap shall be subtracted from the existing unused rate authority for the class, using a first-in, first-out (FIFO) method, beginning 5 years before the instant notice.

§ 3010.28 Maximum size of unused rate adjustment authority rate adjustments.

Unused rate adjustment authority exercised in notices of rate adjustments for any class in any 12-month period may not exceed the applicable limitations described in §§ 3010.21 or 3010.22 plus the lesser of:
(a)2 percent; or
(b) The sum of any unused rate adjustment authority for that class.

§ 3010.29 Transition rule.

If the Postal Service initial exercise of its authority to file a Type 1-A notice of rate adjustment is preceded by a transitional rate case filing under 39 U.S.C. 3622(f):
(a)The annual limitation as calculated in § 3010.21 is applicable if the notice of rate adjustment is 12 months or more after the date of the Decision of the Governors approving rate changes associated with the transitional filing; and
(b) The annual limitation as calculated in § 3010.22 is applicable if the notice of rate adjustment is 12 months or more after the date of the Decision of the Governors approving rate changes associated with the transitional filing. In such circumstances, the date of the Decision of the Governors approving rate changes associated with the transitional filing is the most recent previous notice of rate adjustment.

Subpart D—Rules for Rate Adjustments for Negotiated Service Agreements (Type 2 Rate Adjustments)

§ 3010.40 Negotiated service agreements.
(a)In administering this subpart, it shall be the objective of the Commission to allow implementation of negotiated service agreements that satisfy the statutory requirements of 39 U.S.C. 3622(c)(10). Negotiated service agreements must either:
(1)Improve the net financial position of the Postal Service (39 U.S.C. 3622(c)(10)(A)(i)); or
(2)Enhance the performance of operational functions (39 U.S.C. 3622(c)(10)(A)(ii)).
(b)Negotiated service agreements may not cause unreasonable harm to the marketplace (39 U.S.C. 3622(c)(10)(B)).
(c) Negotiated service agreements must be available on public and reasonable terms to similarly situated mailers.

§ 3010.41 Procedures.

The Postal Service, in every instance in which it determines to exercise its statutory authority to make a Type 2 rate adjustment for a market dominant postal product shall provide public notice in a manner reasonably designed to inform the mailing community and the general public that it intends to change rates not later than 45 days prior to the intended implementation date; and transmit a notice of agreement to the Commission no later than 45 days prior to the intended implementation date.

§ 3010.42 Contents of notice of agreement in support of a negotiated service agreement.
(a)Whenever the Postal Service proposes to establish or change rates or fees and/or the Mail Classification Schedule based on a negotiated service agreement, the Postal Service shall file with the Commission a notice of agreement that shall include at a minimum:
(1)A copy of the negotiated service agreement;
(2)The planned effective date(s) of the proposed rates;
(3)A representation or evidence that public notice of the planned changes has been issued or will be issued at least 45 days before the effective date(s) for the proposed new rates; and
(4)The identity of a responsible Postal Service official who will be available to provide prompt responses to requests for clarification from the Commission.
(b)A statement identifying all parties to the agreement and a description clearly explaining the operative components of the agreement.
(c)Details regarding the expected improvements in the net financial position or operations of the Postal Service. The projection of change in net financial position as a result of the agreement shall include for each year of the agreement:
(1)The estimated mailer-specific costs, volumes, and revenues of the Postal Service absent the implementation of the negotiated service agreement;
(2)The estimated mailer-specific costs, volumes, and revenues of the Postal Service which result from implementation of the negotiated service agreement;
(3)An analysis of the effects of the negotiated service agreement on the contribution to institutional costs from mailers not party to the agreement; and
(4)If mailer-specific costs are not available, the source and derivation of the costs that are used shall be provided, together with a discussion of the currency and reliability of those costs and their suitability as a proxy for the mailer-specific costs.
(d)An identification of each component of the agreement expected to enhance the performance of mail preparation, processing, transportation or other functions in each year of the agreement, and a discussion of the nature and expected impact of each such enhancement.
(e)Details regarding any and all actions (performed or to be performed) to assure that the agreement will not result in unreasonable harm to the marketplace.
(f) Such other information as the Postal Service believes will assist the Commission to issue a timely determination of whether the requested changes are consistent with applicable statutory policies.

§ 3010.43 Data collection plan.

The Postal Service shall include with any notice of agreement a detailed plan for providing data or information on actual experience under the agreement sufficient to allow evaluation of whether the negotiated service agreement operates in compliance with 39 U.S.C. 3622(c)(10). The data report is due 60 days after each anniversary date of implementation and shall include, at a minimum, the following information for each 12-month period the agreement has been in effect:
(a)The change in net financial position as a result of the agreement. This calculation shall include for each year of the agreement:
(1)The actual mailer-specific costs, volumes, and revenues of the Postal Service;
(2)An analysis of the effects of the negotiated service agreement on the net overall contribution to the institutional costs of the Postal Service; and
(3)If mailer-specific costs are not available, the source and derivation of the costs that are used shall be provided, including a discussion of the currency and reliability of those costs, and their suitability as a proxy for the mailer-specific costs.
(b)A discussion of the changes in operations of the Postal Service that have resulted from the agreement. This shall include, for each year of the agreement, identification of each component of the agreement known to enhance the performance of mail preparation, processing, transportation, or other functions in each year of the agreement.
(c) An analysis of the impact of the negotiated service agreement on the marketplace, including a discussion of any and all actions taken to protect the marketplace from unreasonable harm.

§ 3010.44 Proceedings for Type 2 rate adjustments.
(a)The Commission will establish a docket for each Type 2 rate adjustment filing, promptly publish notice of the filing in the **Federal Register** , and post the filing on its Web site. The notice shall include:
(1)The general nature of the proceeding;
(2)A reference to legal authority to which the proceeding is to be conducted;
(3)A concise description of the planned changes in rates, fees, and the Mail Classification Schedule;
(4)The identification of an officer of the Commission to represent the interests of the general public in the docket;
(5)A period of 10 days from the date of the filing for public comment; and
(6)Such other information as the Commission deems appropriate.
(b)The Commission shall review the planned Type 2 rate adjustments and the comments thereon, and issue an order announcing its findings. So long as such adjustments are not inconsistent with 39 U.S.C. 3622, they may take effect pursuant to appropriate action by the Governors. However, no rate shall take effect until 45 days after the Postal Service files a notice of rate adjustment specifying that rate.
(c) Commission findings that a planned Type 2 rate adjustment is not inconsistent with 39 U.S.C. 3622 are provisional and subject to subsequent review.

Subpart E—Rules for Rate Adjustments in Exigent Circumstances (Type 3 Rate Adjustments)

§ 3010.60 Applicability.

The Postal Service may request to increase rates for market dominant products in excess of the annual limitation on the percentage changes in rates described in § 3010.11(d) due to extraordinary or exceptional circumstances. Such requests will be known as exigent requests.

§ 3010.61 Contents of exigent requests.
(a) Each exigent request shall include the following:
(1) A schedule of the proposed rates;
(2) Calculations quantifying the increase for each affected product and class;
(3) A full discussion of the extraordinary or exceptional circumstance(s) giving rise to the request, and a complete explanation of how both the requested overall increase, and the specific rate increases requested, relate to those circumstances;
(4) A full discussion of why the requested increases are necessary to enable the Postal Service, under best practices of honest, efficient and economical management, to maintain and continue the development of postal services of the kind and quality adapted to the needs of the United States;
(5) A full discussion of why the requested increases are reasonable and equitable as among types of users of market dominant products;
(6) An explanation of when, or under what circumstances, the Postal Service expects to be able to rescind the exigent increases in whole or in part;
(7) An analysis of the circumstances giving rise to the request, which should, if applicable, include a discussion of whether the circumstances were foreseeable or could have been avoided by reasonable prior action; and
(8) Such other information as the Postal Service believes will assist the Commission to issue a timely determination of whether the requested increases are consistent with applicable statutory policies.
(b) The Postal Service shall identify one or more knowledgeable Postal Service official(s) who will be available to provide prompt responses to Commission requests for clarification related to each topic specified in § 3010.61(a).
§ 3010.62 Supplemental information.
The Commission may require the Postal Service to provide clarification of its request or to provide information in addition to that called for by § 3010.61 in order to gain a better understanding of the circumstances leading to the request or the justification for the specific rate increases requested.
§ 3010.63 Treatment of unused rate adjustment authority.
(a) Each exigent request will identify the unused rate authority for each class of mail as of the date of the request.
(b) Pursuant to an exigent request, increases may use accumulated unused rate adjustment authority in amounts greater than the limitation described in § 3010.28.
(c) Exigent increases will exhaust all unused rate adjustment authority for each class of mail before imposing additional rate increases in excess of the price cap for any class of mail.
§ 3010.64 Expeditious treatment of exigent requests.
Requests under this subpart seek rate relief required by extraordinary or exceptional circumstances and will be treated with expedition at every stage. It is Commission policy to provide appropriate relief as quickly as possible consistent with statutory requirements and procedural fairness.
§ 3010.65 Special procedures applicable to exigent requests.
(a) The Commission will establish a docket for each request for exigent rate adjustments, promptly publish notice of the request in the **Federal Register**, and post the filing on its Web site. The notice shall include:
(1) The general nature of the proceeding;
(2) A reference to legal authority to which the proceeding is to be conducted;
(3) A concise description of the proposals for changes in rates, fees, and the Mail Classification Schedule;
(4) The identification of an officer of the Commission to represent the interests of the general public in the docket;
(5) A specified period for public comment; and
(6) Such other information as the Commission deems appropriate.
(b) The Commission will hold a public hearing on the Postal Service request. During the public hearing, responsible Postal Service officials will appear and respond under oath to questions from the Commissioners or their designees addressing previously identified aspects of the Postal Service's request and the supporting information provided in response to the topics specified in § 3010.61(a).
(c) Interested persons will be given an opportunity to submit to the Commission suggested relevant questions that might be posed during the public hearing. Such questions, and any explanatory materials submitted to clarify the purpose of the questions, should be filed in accordance with § 3001.9, and will become part of the administrative record of the proceeding.
(d) The timing and length of the public hearing will depend on the nature of the circumstances giving rise to the request and the clarity and completeness of the supporting materials provided with the request.
(e) If the Postal Service is unable to provide adequate explanations during the public hearing, supplementary written or oral responses may be required.
(f) Following the conclusion of the public hearings and submission of any supplementary materials interested persons will be given the opportunity to submit written comments on:
(1) The sufficiency of the justification for an exigent rate increase;
(2) The adequacy of the justification for increases in the amounts requested by the Postal Service; and
(3) Whether the specific rate adjustments requested are reasonable and equitable.
(g) An opportunity to submit written reply comments will be given to the Postal Service and other interested persons.
§ 3010.66 Deadline for Commission decision.
The Commission will act expeditiously on the Postal Service request, taking into account all written comments. In every instance a Commission decision will be issued within 90 days of a Postal Service request for an exigent rate increase.
4. Add part 3015 to read as follows:
PART 3015—REGULATION OF RATES FOR COMPETITIVE PRODUCTS
Sec.
3015.1 Scope.
3015.2 Changes in rates of general applicability.
3015.3 Decrease in rates of general applicability.
3015.4 Change in class of general applicability.
3015.5 Rate or class not of general applicability.
3015.6 Sufficiency of information.
3015.7 Standards for compliance.
Authority: 39 U.S.C. 503; 3633.
§ 3015.1 Scope.
Rules in this part are applicable to competitive products.
§ 3015.2 Changes in rates of general applicability.
(a) When the Postal Service determines to change a rate or rates of general applicability, it shall file notice of the change with the Commission no later than the date of publication of the decision in the **Federal Register** concerning such change, but at least 30 days before the effective date of the change.
(b) The notice filed with the Commission shall include an explanation and justification for the change, the effective date, and a schedule of the changed rates.
§ 3015.3 Decrease in rates of general applicability.
(a) When the Postal Service determines to change a rate or rates of general applicability for any competitive product that results in a decrease in the average rate of that product, it shall file notice of the change with the Commission no later than the date of publication of the decision in the **Federal Register** concerning such change, but at least 30 days before the effective date of the change.
(b) The notice filed with the Commission shall include an explanation and justification for the change, the effective date, and a schedule of the changed rates.
(c) In addition to the notice, the Postal Service shall file with the Commission:
(1) Sufficient revenue and cost data for the 12-month period following the effective date of the rate to demonstrate that each affected competitive product will be in compliance with 39 U.S.C. 3633(a)(2); and
(2) A certified statement by a representative of the Postal Service attesting to the accuracy of the data submitted, and explaining why, following the change, competitive products in total will be in compliance with 39 U.S.C. 3633(a)(1) and (3).
§ 3015.4 Change in class of general applicability.
(a) In the case of a change in class of general applicability, the Postal Service shall file notice of the change with the Commission no later than the date of publication of the decision in the **Federal Register**, but at least 30 days before the effective date of the increase.
(b) The notice filed with the Commission shall include an explanation and justification for the change, the effective date, and the record of proceedings regarding such decision.
§ 3015.5 Rate or class not of general applicability.
(a) When the Postal Service determines to add or change a rate or class not of general applicability, it shall file notice of its decision with the Commission at least 15 days before the effective date of the change.
(b) The notice filed with the Commission shall include an explanation and justification for the change, the effective date, the rate and class decision, and the record of proceedings regarding such decision.
(c) In addition to the notice, the Postal Service shall file with the Commission:
(1) Sufficient revenue and cost data for the 12-month period following the effective date of the rate or class to demonstrate that each affected competitive product will be in compliance with 39 U.S.C. 3633(a)(2); and
(2) A certified statement by a representative of the Postal Service attesting to the accuracy of the data submitted, and explaining why, following the change, competitive products in total will be in compliance with 39 U.S.C. 3633(a)(1) and (3).
§ 3015.6 Sufficiency of information.
If, after review of the information submitted pursuant to this part, the Commission determines additional information is necessary to enable it to evaluate whether competitive products will be in compliance with 39 U.S.C. 3633(a), it may, in its discretion, require the Postal Service to provide additional information as deemed necessary.
§ 3015.7 Standards for compliance.
For purposes of determining competitive products' compliance with 39 U.S.C. 3633, the Commission will apply the following standards:
(a) Incremental costs will be used to test for cross-subsidies by market dominant products of competitive products. To the extent that incremental cost data are unavailable, the Commission will use competitive products' attributable costs supplemented to include causally related, group-specific costs to test for cross-subsidies.
(b) Each competitive product must recover its attributable costs as defined in 39 U.S.C. 3631(b).
(c) Annually, on a fiscal year basis, the appropriate share of institutional costs to be recovered from competitive products collectively is, at a minimum, 5.5 percent of the Postal Service's total institutional costs.
5. Add part 3020 to read as follows:
PART 3020—PRODUCT LISTS
Subpart A—Mail Classification Schedule
Sec.
3020.1 Applicability.
3020.10 General.
3020.11 Initial Mail Classification Schedule.
3020.12 Publication of the Mail Classification Schedule.
3020.13 Contents of the Mail Classification Schedule.
3020.14 Notice of change.
Appendix A to Subpart A of Part 3020—Mail Classification Schedule
Subpart B—Requests Initiated by the Postal Service To Modify the Product Lists Described Within the Mail Classification Schedule
3020.30 General.
3020.31 Contents of a request.
3020.32 Supporting justification.
3020.33 Docket and notice.
3020.34 Review.
3020.35 Further proceedings.
Subpart C—Requests Initiated by Users of Mail To Modify the Product Lists Described Within the Mail Classification Schedule
3020.50 General.
3020.51 Contents of a request.
3020.52 Supporting justification.
3020.53 Docket and notice.
3020.54 Postal Service notice and reply.
3020.55 Review.
3020.56 Further proceedings.
Subpart D—Proposal of the Commission To Modify the Product Lists Described Within the Mail Classification Schedule
3020.70 General.
3020.71 Contents of a proposal.
3020.72 Supporting justification.
3020.73 Docket and notice.
3020.74 Postal Service notice and reply.
3020.75 Review.
3020.76 Further proceedings.
Subpart E—Requests Initiated by the Postal Service To Change the Mail Classification Schedule
3020.90 General.
3020.91 Modifications.
3020.92 Public input.
3020.93 Implementation.
Subpart F—Size and Weight Limitations for Mail Matter
3020.110 General.
3020.111 Limitations applicable to market dominant mail matter.
3020.112 Limitations applicable to competitive mail matter.
Authority: 39 U.S.C. 503; 3622; 3631; 3642; 3682.
Subpart A—Mail Classification Schedule
§ 3020.1 Applicability.
(a) The rules in this part provide for establishing product lists. The product lists shall categorize postal products as either market dominant or competitive. As established, the market dominant and competitive product lists will be specified in the Mail Classification Schedule and shall be consistent with the market dominant products identified in 39 U.S.C. 3621(a) and the competitive products identified in 39 U.S.C. 3631(a).
(b) Once established, the Mail Classification Schedule may be modified subject to the procedures specified in this part.
§ 3020.10 General.
The Mail Classification Schedule shall consist of two parts. Part One shall specify the list of market dominant products and include the explanatory information specified in § 3020.13(a). Part Two shall specify the list of competitive products and include the explanatory information specified in § 3020.13(b).
§ 3020.11 Initial Mail Classification Schedule.
The initial Mail Classification Schedule shall specify the market dominant and competitive product lists. The Mail Classification Schedule product lists shall reflect the market dominant and competitive product lists identified in 39 U.S.C. 3621(a) and 39 U.S.C. 3631(a) respectively. The explanatory detailed descriptive information specified in § 3020.13(a) and § 3020.13(b) shall be incorporated by subsequent rulemaking.
§ 3020.12 Publication of the Mail Classification Schedule.
(a) The Mail Classification Schedule established in accordance with subchapters I, II, and III of chapter 36 of title 39 of the United States Code and this subpart shall appear as Appendix A to this subpart.
(b) *Availability of the Mail Classification Schedule.* Copies of the Mail Classification Schedule, both current and previous issues, are available during regular business hours for reference and public inspection at the Postal Regulatory Commission's Reading Room located at 901 New York Avenue, NW., Suite 200, Washington, DC 20268-0001. The Mail Classification Schedule, both current and previous issues, also is available on the Internet at *http://www.prc.gov.*
§ 3020.13 Contents of the Mail Classification Schedule.
The Mail Classification Schedule shall provide:
(a) The list of market dominant products, including:
(1) The class of each market dominant product;
(2) The description of each market dominant product;
(3) A schedule listing for each market dominant product the current rates and fees;
(4) Where applicable, the identification of a product as a special classification within the meaning of 39 U.S.C. 3622(c)(10) for market dominant products;
(5) Where applicable, the identification of a product as an experimental product undergoing a market test; and
(6) Where applicable, the identification of a product as a non-postal product.
(b) The list of competitive products, including:
(1) The description of each competitive product;
(2) A schedule listing for each competitive product of general applicability the current rates and fees;
(3) The identification of each product not of general applicability within the meaning of 39 U.S.C. 3632(b)(3) for competitive products;
(4) Where applicable, the identification of a product as an experimental product undergoing a market test; and
(5) Where applicable, the identification of a product as a non-postal product.
§ 3020.14 Notice of change.
Whenever the Postal Regulatory Commission modifies the list of products in the market dominant category or the competitive category, it shall cause notice of such change to be published in the **Federal Register**. The notice shall:
(a) Include the current list of market dominant products and the current list of competitive products appearing in the Mail Classification Schedule;
(b) Indicate how and when the previous product lists have been modified; and
(c) Describe other changes to the Mail Classification Schedule as necessary.
Appendix A to Subpart A of Part 3020—Mail Classification Schedule
Table of Contents
Part A—Market Dominant Products
Sec.
1000 Market Dominant Product List
1001 Market Dominant Product Descriptions
1100 First-Class Mail
1105 Single-piece Letters/Postcards
1110 Bulk Letters/Postcards
1115 Flats
1120 Parcels
1125 Outbound Single-Piece First-Class Mail International
1130 Inbound Single-Piece First-Class Mail International
1200 Standard Mail (Regular and Nonprofit)
1205 High Density and Saturation Letters
1210 High Density and Saturation Flats/Parcels
1215 Carrier Route
1220 Letters
1225 Flats
1230 Non Flat-Machinables (NFMs)/Parcels
1300 Periodicals
1305 Within County Periodicals
1310 Outside County Periodicals
1400 Package Services
1405 Single-Piece Parcel Post
1410 Inbound Surface Parcel Post (at UPU rates)
1415 Bound Printed Matter Flats
1420 Bound Printed Matter Parcels
1425 Media Mail/Library Mail
1500 Special Services
1505 Ancillary Services
1505.1 Address Correction Service
1505.2 Applications and Mailing Permits
1505.3 Business Reply Mail
1505.4 Bulk Parcel Return Service
1505.5 Certified Mail
1505.6 Certificate of Mailing
1505.7 Collect on Delivery
1505.8 Delivery Confirmation
1505.9 Insurance
1505.10 Merchandise Return Service
1505.11 Parcel Airlift (PAL)
1505.12 Registered Mail
1505.13 Return Receipt
1505.14 Return Receipt for Merchandise
1505.15 Restricted Delivery
1505.16 Shipper-Paid Forwarding
1505.17 Signature Confirmation
1505.18 Special Handling
1505.19 Stamped Envelopes
1505.20 Stamped Cards
1505.21 Premium Stamped Stationery
1505.22 Premium Stamped Cards
1510 International Ancillary Services
1510.1 International Certificate of Mailing
1510.2 International Registered Mail
1510.3 International Return Receipt
1510.4 International Restricted Delivery
1515 Address List Services
1520 Caller Service
1525 Change-of-Address Credit Card Authentication
1530 Confirm
1535 International Reply Coupon Service
1540 International Business Reply Mail Service
1545 Money Orders
1550 Post Office Box Service
1555 Premium Forwarding Service (Experiment)
1600 Negotiated Service Agreement
1605 Discover Financial Services Negotiated Service Agreement
1610 Bank One Negotiated Service Agreement
1615 HSBC North America Holdings Inc. Negotiated Service Agreement
1620 Bookspan Negotiated Service Agreement
Part B—Competitive Products
Sec.
2000 Competitive Product List
2001 Competitive Product Descriptions
2100 Express Mail
2105 Express Mail
2110 Outbound International Expedited Services
2115 Inbound International Expedited Services
2200 Priority Mail
2205 Priority Mail
2210 Outbound Priority Mail International
2215 Inbound Air Parcel Post
2300 Parcel Select
2400 Parcel Return Service
2500 International
2505 International Priority Airlift (IPA)
2510 International Surface Airlift (ISAL)
2515 International Direct Sacks—M-Bags
2520 Global Customized Shipping Services
2525 Inbound Surface Parcel Post (at non-UPU rates)
2530 International Money Transfer Service
2535 International Ancillary Services
2535.1 International Certificate of Mailing
2535.2 International Registered Mail
2535.3 International Return Receipt
2535.4 International Restricted Delivery
2535.5 International Insurance
2600 Negotiated Service Agreements
2605 Domestic
2610 Outbound International
Glossary of Terms and Conditions
Country Price Lists for International Mail
Part A—Market Dominant Products
1000 Market Dominant Product List
First-Class Mail
Single-piece Letters/Postcards
Bulk Letters/Postcards
Flats
Parcels
Outbound Single-Piece First-Class Mail International
Inbound Single-Piece First-Class Mail International
Standard Mail (Regular and Nonprofit)
High Density and Saturation Letters
High Density and Saturation Flats/Parcels
Carrier Route
Letters
Flats
Not Flat-Machinables (NFMs)/Parcels
Periodicals
Within County Periodicals
Outside County Periodicals
Package Services
Single-Piece Parcel Post
Inbound Surface Parcel Post (at UPU rates)
Bound Printed Matter Flats
Bound Printed Matter Parcels
Media Mail/Library Mail
Special Services
Ancillary Services
International Ancillary Services
Address List Services
Caller Service
Change-of-Address Credit Card Authentication
Confirm
International Reply Coupon Service
International Business Reply Mail Service
Money Orders
Post Office Box Service
Premium Forwarding Service (Experiment)
Negotiated Service Agreements
Discover Financial Services Negotiated Service Agreement
Bank One Negotiated Service Agreement
HSBC North America Holdings Inc. Negotiated Service Agreement
Bookspan Negotiated Service Agreement
1001 Market Dominant Product Descriptions
Sec.
1100 First-Class Mail [Reserved for Class Description]
1105 Single-Piece Letters/Postcards [Reserved for Product Description]
1110 Bulk Letters/Postcards [Reserved for Product Description]
1115 Flats [Reserved for Product Description]
1120 Parcels [Reserved for Product Description]
1125 Outbound Single-Piece First-Class Mail International [Reserved for Product Description]
1130 Inbound Single-Piece First-Class Mail International [Reserved for Product Description]
1200 Standard Mail (Regular and Nonprofit) [Reserved for Class Description]
1205 High Density and Saturation Letters [Reserved for Product Description]
1210 High Density and Saturation Flats/Parcels [Reserved for Product Description]
1215 Carrier Route [Reserved for Product Description]
1220 Letters [Reserved for Product Description]
1225 Flats [Reserved for Product Description]
1230 Not Flat-Machinables (NFMs)/Parcels [Reserved for Product Description]
1300 Periodicals [Reserved for Class Description]
1305 Within County Periodicals [Reserved for Product Description]
1310 Outside County Periodicals [Reserved for Product Description]
1400 Package Services [Reserved for Class Description]
1405 Single-Piece Parcel Post [Reserved for Product Description]
1410 Inbound Surface Parcel Post (at UPU rates) [Reserved for Product Description]
1415 Bound Printed Matter Flats [Reserved for Product Description]
1420 Bound Printed Matter Parcels [Reserved for Product Description]
1425 Media Mail/Library Mail [Reserved for Product Description]
1500 Special Services [Reserved for Class Description]
1505 Ancillary Services
1505.1 Address Correction Service [Reserved for Product Description]
1505.2 Applications and Mailing Permits [Reserved for Product Description]
1505.3 Business Reply Mail [Reserved for Product Description]
1505.4 Bulk Parcel Return Service [Reserved for Product Description]
1505.5 Certified Mail [Reserved for Product Description]
1505.6 Certificate of Mailing [Reserved for Product Description]
1505.7 Collect on Delivery [Reserved for Product Description]
1505.8 Delivery Confirmation [Reserved for Product Description]
1505.9 Insurance [Reserved for Product Description]
1505.10 Merchandise Return Service [Reserved for Product Description]
1505.11 Parcel Airlift (PAL) [Reserved for Product Description]
1505.12 Registered Mail [Reserved for Product Description]
1505.13 Return Receipt [Reserved for Product Description]
1505.14 Return Receipt for Merchandise [Reserved for Product Description]
1505.15 Restricted Delivery [Reserved for Product Description]
1505.16 Shipper-Paid Forwarding [Reserved for Product Description]
1505.17 Signature Confirmation [Reserved for Product Description]
1505.18 Special Handling [Reserved for Product Description]
1505.19 Stamped Envelopes [Reserved for Product Description]
1505.20 Stamped Cards [Reserved for Product Description]
1505.21 Premium Stamped Stationery [Reserved for Product Description]
1505.22 Premium Stamped Cards [Reserved for Product Description]
1510 International Ancillary Services
1510.1 International Certificate of Mailing [Reserved for Product Description]
1510.2 International Registered Mail [Reserved for Product Description]
1510.3 International Return Receipt [Reserved for Product Description]
1510.4 International Restricted Delivery [Reserved for Product Description]
1515 Address List Services [Reserved for Product Description]
1520 Caller Service [Reserved for Product Description]
1525 Change-of-Address Credit Card Authentication [Reserved for Product Description]
1530 Confirm [Reserved for Product Description]
1535 International Reply Coupon Service [Reserved for Product Description]
1540 International Business Reply Mail Service [Reserved for Product Description]
1545 Money Orders [Reserved for Product Description]
1550 Post Office Box Service [Reserved for Product Description]
1555 Premium Forwarding Service (Experiment) [Reserved for Product Description]
1600 Negotiated Service Agreements [Reserved for Class Description]
1605 Discover Financial Services Negotiated Service Agreement [Reserved for Product Description]
1610 Bank One Negotiated Service Agreement [Reserved for Product Description]
1615 HSBC North America Holdings Inc. Negotiated Service Agreement [Reserved for Product Description]
1620 Bookspan Negotiated Service Agreement [Reserved for Product Description]
Part B—Competitive Products
2000 Competitive Product List
Express Mail
Express Mail
Outbound International Expedited Services
Inbound International Expedited Services
Priority Mail
Priority Mail
Outbound Priority Mail International
Inbound Air Parcel Post
Parcel Select
Parcel Return Service
International
International Priority Airlift (IPA)
International Surface Airlift (ISAL)
International Direct Sacks-M-Bags
Global Customized Shipping Services
Inbound Surface Parcel Post (at non-UPU rates)
International Money Transfer Service
International Ancillary Services
Negotiated Service Agreements
Domestic
Outbound International
2001 Competitive Product Descriptions
Sec.
2100 Express Mail [Reserved for Group Description]
2105 Express Mail [Reserved for Product Description]
2110 Outbound International Expedited Services [Reserved for Product Description]
2115 Inbound International Expedited Services
2200 Priority [Reserved for Product Description]
2205 Priority Mail [Reserved for Product Description]
2210 Outbound Priority Mail International [Reserved for Product Description]
2215 Inbound Air Parcel Post [Reserved for Product Description]
2300 Parcel Select [Reserved for Group Description]
2400 Parcel Return Service [Reserved for Group Description]
2500 International [Reserved for Group Description]
2505 International Priority Airlift (IPA) [Reserved for Product Description]
2510 International Surface Airlift (ISAL) [Reserved for Product Description]
2515 International Direct Sacks—M-Bags
2520 Global Customized Shipping Services [Reserved for Product Description]
2525 International Money Transfer Service [Reserved for Product Description]
2530 Inbound Surface Parcel Post (at non-UPU rates) [Reserved for Product Description]
2535 International Ancillary Services [Reserved for Product Description]
2535.1 International Certificate of Mailing [Reserved for Product Description]
2535.2 International Registered Mail [Reserved for Product Description]
2535.3 International Return Receipt [Reserved for Product Description]
2535.4 International Restricted Delivery [Reserved for Product Description]
2535.5 International Insurance [Reserved for Product Description]
2600 Negotiated Service Agreements [Reserved for Group Description]
2605 Domestic [Reserved for Product Description]
2610 Outbound International [Reserved for Group Description]
Glossary of Terms and Conditions [Reserved]
Country Price Lists for International Mail [Reserved]
Subpart B—Requests Initiated by the Postal Service To Modify the Product Lists Described Within the Mail Classification Schedule
§ 3020.30 General.
The Postal Service, by filing a request with the Commission, may propose a modification to the market dominant product list or the competitive product list appearing in the Mail Classification Schedule. For purposes of this part, modification shall be defined as adding a product to a list, removing a product from a list, or moving a product from one list to the other list.
§ 3020.31 Contents of a request.
A request to modify the market dominant product list or the competitive product list shall:
(a) Provide the name, and class if applicable, of each product that is the subject of the request;
(b) Provide a copy of the Governor's decision supporting the request, if any;
(c) Indicate whether the request proposes to add a product to the market dominant list or the competitive list, remove a product from the market dominant list or the competitive list, or transfer a product from the market dominant list to the competitive list or from the competitive list to the market dominant list;
(d) Indicate whether each product that is the subject of the request is:
(1) A special classification within the meaning of 39 U.S.C. 3622(c)(10) for market dominant products;
(2) A product not of general applicability within the meaning of 39 U.S.C. 3632(b)(3) for competitive products; or
(3) A non-postal product.
(e) Provide all supporting justification upon which the Postal Service proposes to rely; and
(f) Include a copy of the applicable sections of the Mail Classification Schedule and the proposed changes therein in legislative format.
§ 3020.32 Supporting justification.
Supporting justification shall be in the form of a statement from one or more knowledgeable Postal Service official(s) who sponsors the request and attests to the accuracy of the information contained within the statement. The justification shall:
(a) Demonstrate why the change is in accordance with the policies and the applicable criteria of chapter 36 of title 39 of the United States Code;
(b) Explain why, as to market dominant products, the change is not inconsistent with each requirement of 39 U.S.C. 3622(d), and that it advances the objectives of 39 U.S.C. 3622(b), taking into account the factors of 39 U.S.C. 3622(c);
(c) Explain why, as to competitive products, the addition, deletion, or transfer will not result in the violation of any of the standards of 39 U.S.C. 3633;
(d) Verify that the change does not classify as competitive a product over which the Postal Service exercises sufficient market power that it can, without risk of losing a significant level of business to other firms offering similar products:
(1) Set the price of such product substantially above costs;
(2) Raise prices significantly;
(3) Decrease quality; or
(4) Decrease output.
(e) Explain whether or not each product that is the subject of the request is covered by the postal monopoly as reserved to the Postal Service under 18 U.S.C. 1696 subject to the exceptions set forth in 39 U.S.C. 601;
(f) Provide a description of the availability and nature of enterprises in the private sector engaged in the delivery of the product;
(g) Provide any information available on the views of those who use the product on the appropriateness of the proposed modification;
(h) Provide a description of the likely impact of the proposed modification on small business concerns; and
(i) Include such information and data, and such statements of reasons and bases, as are necessary and appropriate to fully inform the Commission of the nature, scope, significance, and impact of the proposed modification.
§ 3020.33 Docket and notice.
The Commission will establish a docket for each request to modify the market dominant list or the competitive product list, promptly publish notice of the request in the **Federal Register**, and post the filing on its Web site. The notice shall include:
(a) The general nature of the proceeding;
(b) A reference to legal authority to which the proceeding is to be conducted;
(c) A concise description of the proposals for changes in the Mail Classification Schedule;
(d) The identification of an officer of the Commission to represent the interests of the general public in the docket;
(e) A specified period for public comment; and
(f) Such other information as the Commission deems appropriate.
§ 3020.34 Review.
The Commission shall review the request and responsive comments. The Commission shall either:
(a) Approve the request to modify the market dominant and competitive product lists;
(b) Institute further proceedings to consider all or part of the request if it finds that there is substantial likelihood that the modification is inconsistent with statutory policies or Commission rules, and explain its reasons for not approving the request to modify the market dominant and competitive product lists;
(c) Provide an opportunity for the Postal Service to modify its request; or
(d) Direct other action as the Commission may consider appropriate.
§ 3020.35 Further proceedings.
If the Commission determines that further proceedings are necessary, a conference shall be scheduled to consider the concerns expressed by the Commission. Written statements commenting on the Commission's concerns shall be requested, to be filed 7 days prior to the conference. Upon conclusion of the conference, the Commission shall promptly issue a ruling to:
(a) Provide for a period of discovery to obtain further information;
(b) Schedule a hearing on the record for further consideration of the request;
(c) Explain the reasons for not going forward with additional proceedings and approve the request to modify the market dominant and competitive product lists; or
(d) Direct other action as the Commission may consider appropriate.
Subpart C—Requests Initiated by Users of the Mail To Modify the Product Lists Described Within the Mail Classification Schedule
§ 3020.50 General.
Users of the mail, by filing a request with the Commission, may propose a modification to the market dominant product list or the competitive product list appearing in the Mail Classification Schedule. For purposes of this part, modification shall be defined as adding a product to a list, removing a product from a list, or transferring a product from one list to the other list.
§ 3020.51 Contents of a request.
A request to modify the market dominant product list or the competitive product list shall:
(a) Provide the name, and class if applicable, of each product that is the subject of the request;
(b) Indicate whether the request proposes to add a product to the market dominant list or the competitive list, remove a product from the market dominant list or the competitive list, or move a product from the market dominant list to the competitive list or from the competitive list to the market dominant list;
(c) Indicate whether each product that is the subject of the request is:
(1) A special classification within the meaning of 39 U.S.C. 3622(c)(10) for market dominant products;
(2) A product not of general applicability within the meaning of 39 U.S.C. 3632(b) for competitive products; or
(3) A non-postal product.
(d) Provide all supporting justification upon which the proponent of the request proposes to rely; and
(e) Include a copy of the applicable sections of the Mail Classification Schedule and the proposed changes therein in legislative format.
§ 3020.52 Supporting justification.
Supporting justification shall be in the form of a statement from a knowledgeable proponent of the request who attests to the accuracy of the information contained within the statement. The justification shall:
(a) Demonstrate why the change is in accordance with the policies and the applicable criteria of chapter 36 of 39 U.S.C.;
(b) Explain why, as to market dominant products, the change is not inconsistent with each requirement of 39 U.S.C. 3622(d), and that it advances the objectives of 39 U.S.C. 3622(b), taking into account the factors of 39 U.S.C. 3622(c);
(c) Explain why, as to competitive products, the addition, deletion, or transfer will not result in the violation of any of the standards of 39 U.S.C. 3633.
(d) Verify that the change does not classify as competitive a product over which the Postal Service exercises sufficient market power that it can, without risk of losing a significant level of business to other firms offering similar products:
(1) Set the price of such product substantially above costs;
(2) Raise prices significantly;
(3) Decrease quality; or
(4) Decrease output.
(e) Explain whether or not each product that is the subject of the request is covered by the postal monopoly, as reserved to the Postal Service under 18 U.S.C. 1696 subject to the exceptions set forth in 39 U.S.C. 601;
(f) Provide a description of the availability and nature of enterprises in the private sector engaged in the delivery of the product;
(g) Provide any information available on the views of those who use the product on the appropriateness of the proposed modification;
(h) Provide a description of the likely impact of the proposed modification on small business concerns; and
(i) Include such information and data, and such statements of reasons and bases, as are necessary and appropriate to fully inform the Commission of the nature, scope, significance, and impact of the proposed modification.
§ 3020.53 Docket and notice.
The Commission will establish a docket for each request to modify the market dominant list or the competitive product list, promptly publish notice of the request in the **Federal Register**, and post the filing on its Web site. The notice shall include:
(a) The general nature of the proceeding;
(b) A reference to legal authority to which the proceeding is to be conducted;
(c) A concise description of the proposals for changes in the Mail Classification Schedule;
(d) The identification of an Office of the Commission to represent the interests of the general public in the docket;
(e) A specified period for public comment; and
(f) Such other information as the Commission deems appropriate.
§ 3020.54 Postal Service notice and reply.
The Secretary of the Commission shall forward to the Postal Service a copy of the request. Within 28 days of the filing of the request, the Postal Service shall provide its preliminary views in regard to the request. The Postal Service may include suggestions for appropriate Commission action in response to the request.
§ 3020.55 Review.
The Commission shall review the request, the Postal Service reply, and any public comment to determine whether the proposed modification to the market dominant and competitive product lists complies with applicable statutory requirements and the Commission's rules, and whether the proposed modification is consistent with the position of the Postal Service as expressed in its reply. The Commission shall either:
(a) Approve the request to modify the market dominant and competitive product lists, but only to the extent the modification is consistent with the position of the Postal Service;
(b) Reject the request;
(c) Institute further proceedings to consider the request to modify the market dominant and competitive product lists; or
(d) Direct other action as the Commission may consider appropriate.
§ 3020.56 Further proceedings.
If the Commission determines that further proceedings are necessary, a conference shall be scheduled to consider the merits of going forward with the request. Upon conclusion of the conference, the Commission shall promptly issue a ruling to:
(a) Provide for a period of discovery to obtain further information;
(b) Schedule a hearing on the record for further consideration of the request;
(c) Explain the reasons for not going forward with formal proceedings; or
(d) Direct other action as the Commission may consider appropriate.
Subpart D—Proposal of the Commission To Modify the Product Lists Described Within the Mail Classification Schedule
§ 3020.70 General.
The Commission, of its own initiative, may propose a modification to the market dominant product list or the competitive product list provided within the Mail Classification Schedule. For purposes of this part, modification shall be defined as adding a product to a list, removing a product from a list, or transferring a product from one list to the other list.
§ 3020.71 Contents of a proposal.
A proposal to modify the market dominant product list or the competitive product list shall:
(a) Provide the name, and class if applicable, of each product that is the subject of the proposal;
(b) Indicate whether the proposal would add a product to the market dominant list or the competitive list, remove a product from the market dominant list or the competitive list, or move a product from the market dominant list to the competitive list or from the competitive list to the market dominant list;
(c) Indicate whether each product that is the subject of the proposal is:
(1) A special classification within the meaning of 39 U.S.C. 3622(c)(10) for market dominant products;
(2) A product not of general applicability within the meaning of 39 U.S.C. 3632(b) for competitive products; or
(3) A non-postal product.
(d) Provide justification supporting the proposal; and
(e) Include a copy of the applicable sections of the Mail Classification Schedule and the proposed changes therein in legislative format.
§ 3020.72 Supporting justification.
Supporting justification shall:
(a) Provide an explanation for initiating the docket;
(b) Explain why, as to market dominant products, the change is not inconsistent with each requirement of 39 U.S.C. 3622(d), and that it advances the objectives of 39 U.S.C. 3622(b), taking into account the factors of 39 U.S.C. 3622(c);
(c) Explain why, as to competitive products, the addition, subtraction, or transfer will not result in the violation of any of the standards of 39 U.S.C. 3633;
(d) Verify that the change does not classify as competitive a product over which the Postal Service exercises sufficient market power that it can, without risk of losing a significant level of business to other firms offering similar products:
(1) Set the price of such product substantially above costs;
(2) Raise prices significantly;
(3) Decrease quality; or
(4) Decrease output.
(e) Explain whether or not each product that is the subject of the request is covered by the postal monopoly as reserved to the Postal Service under 18 U.S.C. 1696 subject to the exceptions set forth in 39 U.S.C. 601;
(f) Provide a description of the availability and nature of enterprises in the private sector engaged in the delivery of the product;
(g) Provide any information available on the views of those who use the product involved on the appropriateness of the proposed modification;
(h) Provide a description of the likely impact of the proposed modification on small business concerns; and
(i) Include such information and data, and such statements of reasons and bases, as are necessary and appropriate to fully inform the Postal Service and users of the mail of the nature, scope, significance, and impact of the proposed modification.
§ 3020.73 Docket and notice.
The Commission will establish a docket for each request to modify the market dominant list or the competitive product list, promptly publish notice of the request in the **Federal Register**, and post the filing on its Web site. The notice shall include:
(a) The general nature of the proceeding;
(b) A reference to legal authority to which the proceeding is to be conducted;
(c) A concise description of the proposals for changes in the Mail Classification Schedule;
(d) The identification of an officer of the Commission to represent the interests of the general public in the docket;
(e) A specified period for public comment; and
(f) Such other information as the Commission deems appropriate.
§ 3020.74 Postal Service notice and reply.
The Secretary of the Commission shall forward to the Postal Service a copy of the notice of proposal. Within 28 days of the filing of the proposal, the Postal Service shall provide its preliminary views in regard to the proposal. The Postal Service may include suggestions for appropriate further procedural steps.
§ 3020.75 Review.
The Commission shall review the Postal Service reply and public comment. The Commission shall either:
(a) Approve the proposal to modify the market dominant and competitive product lists, but only to the extent the modification is consistent with the position of the Postal Service;
(b) Withdraw the proposal;
(c) Institute further proceedings to consider the proposal, identifying relevant issues that may require further development; or
(d) Direct other action as the Commission may consider appropriate.
§ 3020.76 Further proceedings.
If the Commission determines that further proceedings are appropriate, a conference shall be scheduled to consider the merits of going forward with the proposal. Upon conclusion of the conference, the Commission shall promptly issue a ruling to:
(a) Provide for a period of discovery to obtain further information;
(b) Schedule a hearing on the record for further consideration of the proposal;
(c) Explain the reasons for not going forward with formal proceedings; or
(d) Direct other action as the Commission may consider appropriate.
Subpart E—Requests Initiated by the Postal Service to Change the Mail Classification Schedule
§ 3020.90 General.
The Postal Service shall assure that product descriptions in the Mail Classification Schedule accurately represent the current offerings of Postal Service products and services.
§ 3020.91 Modification.
The Postal Service shall submit corrections to product descriptions in the Mail Classification Schedule that do not constitute a proposal to modify the market dominant product list or the competitive product list as defined in § 3020.30 by filing notice of the proposed change with the Commission no later than 30 days prior to the effective date of the proposed change.
§ 3020.92 Public input.
The Commission shall publish Postal Service submissions pursuant to § 3020.91 on its Web site and provide interested persons with an opportunity to comment on whether the planned changes are inconsistent with 39 U.S.C. 3642.
§ 3020.93 Implementation.
(a) The Commission shall review the proposed changes to product descriptions, and the comments thereon. So long as such changes are not inconsistent with 39 U.S.C. 3642, the Commission shall, subject to editorial corrections, change the Mail Classification Schedule to coincide with the effective date of the proposed change.
(b) The Commission's finding that changes to the market dominant product descriptions are not inconsistent with 39 U.S.C. 3642 is provisional and subject to subsequent review.
Subpart F—Size and Weight Limitations for Mail Matter
§ 3020.110 General.
Applicable size and weight limitations for mail matter shall appear in the Mail Classification Schedule as part of the description of each product.
§ 3020.111 Limitations applicable to market dominant mail matter.
(a) The Postal Service shall inform the Commission of updates to size and weight limitations for market dominant mail matter by filing notice with the Commission 45 days prior to the effective date of the proposed update. The notice shall include a copy of the applicable sections of the Mail Classification Schedule and the proposed updates therein in legislative format.
(b) The Commission shall provide notice of the proposed update in the **Federal Register** and seek public comment on whether the proposed update is in accordance with the policies and the applicable criteria of chapter 36 of title 39 of the United States Code.
(c) If the Commission finds the proposed update in accordance with the policies and the applicable criteria of chapter 36 of 39 U.S.C., the Commission shall review the proposed Mail Classification Schedule language for formatting and conformance with the structure of the Mail Classification Schedule, and subject to editorial changes, shall change the Mail Classification Schedule to coincide with the effective date of the proposed update.
(d) If the Commission finds the proposed update not in accordance with the policies and the applicable criteria of chapter 36 of title 39 of the United States Code, the Commission may direct other action as deemed appropriate.
§ 3020.112 Limitations applicable to competitive mail matter.
The Postal Service shall notify the Commission of updates to size and weight limitations for competitive mail matter pursuant to subpart E of this part.
[FR Doc. E7-21596 Filed 11-8-07; 8:45 am]
BILLING CODE 7710-FW-P
72 217 Friday, November 9, 2007 Rules and Regulations Part III Department of Homeland Security Transportation Security Administration 49 CFR Part 1507 Privacy Act of 1974: Implementation of Exemptions and System of Records; Secure Flight Records; Final Rule and Notice
DEPARTMENT OF HOMELAND SECURITY Transportation Security Administration 49 CFR Part 1507 [Docket No. TSA-2007-28972; Amendment No. 1507-3] RIN 1652-AA48 Privacy Act of 1974: Implementation of Exemptions; Secure Flight Records
AGENCY: Transportation Security Administration, DHS.
ACTION: Final rule.
SUMMARY: Following a Notice of Proposed Rulemaking (NPRM) and public comment, this rule amends the Transportation Security Administration (TSA)'s regulations by exempting a new system of records from several provisions of the Privacy Act. The Secure Flight Records system (DHS/TSA 019) includes records used as part of the watch list matching program known as Secure Flight, which implements a mandate of the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) and is consistent with TSA's authority under the Aviation and Transportation Security Act (ATSA). Under the Secure Flight program, TSA would assume the current watch list matching function to the No Fly and Selectee Lists from aircraft operators. TSA is exempting DHS/TSA 019 from provisions of the Privacy Act to the extent necessary to protect the integrity of investigatory information that may be included in the system of records.
DATES: Effective December 10, 2007.
FOR FURTHER INFORMATION CONTACT: Peter Pietra, Director, Privacy Policy and Compliance, TSA-36, Transportation Security Administration, 601 South 12th Street, Arlington, VA 22202-4220; facsimile (571) 227-1400; e-mail *TSAPrivacy@dhs.gov;* or Hugo Teufel III (703-235-0780), Chief Privacy Officer, U.S. Department of Homeland Security, Washington, DC 20528; e-mail *pia@dhs.gov.*
SUPPLEMENTARY INFORMATION:
Availability of Rulemaking Document
You can get an electronic copy using the Internet by—
(1) Searching the electronic Federal Docket Management System (FDMS) Web page at *http://www.regulations.gov;*
(2) Accessing the Government Printing Office's Web page at *http://www.gpoaccess.gov/fr/index.html;* or
(3) Visiting TSA's Security Regulations Web page at *http://www.tsa.gov* and accessing the link for “Research Center” at the top of the page.
In addition, copies are available by writing or calling the individuals in the FOR FURTHER INFORMATION CONTACT section. Make sure to identify the docket number of this rulemaking.
Small Entity Inquiries
The Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996 requires TSA to comply with small entity requests for information and advice about compliance with statutes and regulations within TSA's jurisdiction. Any small entity that has a question regarding this document may contact the person listed in FOR FURTHER INFORMATION CONTACT. Persons can obtain further information regarding SBREFA on the Small Business Administration's web page at *http://www.sba.gov/advo/laws/law_lib.html*.
Abbreviations and Terms Used in This Document
DHS—Department of Homeland Security
FBI—Federal Bureau of Investigation
TSA—Transportation Security Administration
Background
The Privacy Act of 1974 (Privacy Act), 5 U.S.C. 552a, governs the means by which the U.S. Government collects, maintains, uses, and disseminates personally identifiable information. The Privacy Act applies to information that is maintained in a “system of records.” A “system of records” is a group of any records under the control of an agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. See 5 U.S.C. 552a(a)(5). An individual may request access to records containing information about him or herself. 5 U.S.C. 552a(b), (d). However, the Privacy Act authorizes Government agencies to exempt systems of records from access by individuals under certain circumstances, such as where the access or disclosure of such information would impede national security or law enforcement efforts. Exemptions from Privacy Act provisions must be established by regulation. 5 U.S.C. 552a(j), (k). TSA's Privacy Act exemptions are found at 49 CFR part 1507. On August 23, 2007, TSA published a notice (Part III, 72 FR 48392) establishing a new Privacy Act system of records entitled Secure Flight Records (DHS/TSA 019). The Secure Flight Records system maintains records for the Secure Flight Program which carries out the requirement of section 4012(a)(1) of IRTPA (Pub. L. 08-458, 188 Stat. 3638, Dec. 17, 2004) and provides for TSA's assumption from air carriers the comparison of passenger information for domestic flights to the consolidated and integrated terrorist watch list maintained by the Federal Government. Section 4012(a)(2) of IRTPA similarly requires the DHS to compare passenger information for international flights to and from the United States against the consolidated and integrated terrorist watch list before departure of such flights. Further, as recommended by the 9/11 Commission, TSA may access the “larger set of watch lists maintained by the Federal Government.” 1 Therefore, as warranted by security considerations, TSA may use the full Terrorist Screening Database (TSDB) or other government databases, such as intelligence or law enforcement databases (referred to as “watch list matching”). For example, TSA may obtain intelligence that flights flying a particular route may be subject to an increased security risk. Under this circumstance, TSA may decide to compare passenger information on some or all of the flights flying that route against the full TSDB or other government database.
1 “National Commission on Terrorist Attacks Upon the United States”, page 393.
In conjunction with the establishment and publication of the Secure Flight Records system of records on August 23, 2007, TSA initiated a proposed rulemaking (Part III, 72 FR 48397) to exempt this system of records from a number of provisions of the Privacy Act because this system of records may contain records or information recompiled from, or created from, information contained in other systems of records, which are exempt from certain provisions of the Privacy Act. For these records or information only, to the extent necessary to protect the integrity of watch list matching procedures performed under the Secure Flight Program and in accordance with 5 U.S.C. 552a(j)(2) and (k)(2), TSA is claiming the following exemptions for certain records within the Secure Flight Records system: 5 U.S.C. 552a(c)(3) and (4); (d)(1), (2), (3), and (4); (e)(1), (2), (3), (4)(G) through (I), (5), and (8); (f), and (g).
Discussion of Comments
TSA received comments on the proposed rule from both the Electronic Frontier Foundation (EFF) and the Electronic Privacy Information Center (EPIC). Some of their comments dealt more generally with the Secure Flight Program and will be addressed in the final rule for the Secure Flight Program. The remaining comments relate to the exemptions claimed for the Secure Flight Records system, which TSA has addressed below. As a preliminary matter and an overall response to the comments, TSA recognizes that although there is a need for the exemptions provided for in this document, there may be instances where such exemptions can be waived. There may be times when the Privacy Act exemptions claimed here are not necessary to further a governmental interest. In appropriate circumstances, where compliance would not appear to interfere with, or adversely affect, the law enforcement and national security purposes of the system and the overall law enforcement and security process, the applicable exemptions may be waived.
1. *Applicability of Exemptions (j)(2), (k)(1), and (k)(2).* EFF raised a question about TSA's ability to use 5 U.S.C. 552a(j)(2), (k)(1), and (k)(2) as the basis for exempting the system from portions of the Privacy Act. Exemption (j)(2) applies where a system of records consists of information compiled for purposes of a criminal investigation and the system is maintained by an agency or component of the agency that performs as its principal function any activity pertaining to the enforcement of criminal laws, including efforts to prevent, control, or reduce crime, or apprehend criminals. EFF alleges that this exemption would only apply to the Secure Flight Records system if TSA believes that millions of innocent citizens are “criminal offenders or alleged offenders.” TSA disagrees that the Secure Flight Records system in any way suggests that the majority of individuals undergoing screening by the Secure Flight program are criminals.
However, the Secure Flight system does contain records originating from the systems of records of other law enforcement and intelligence agencies, such as records obtained from the TSC of known or suspected terrorists in the Terrorist Screening Database (TSDB) and records of individuals identified on classified and unclassified governmental watch lists, which may be properly exempt from certain provisions of the Privacy Act pursuant to (j)(2). In order to ensure that agencies' investigative or law enforcement efforts are unharmed, and information relating to DHS activities are protected from disclosure to subjects of investigations, TSA must use this exemption. However, TSA does not assert exemptions to any provision of the Privacy Act with respect to information submitted by or on behalf of individual passengers or non-travelers in the course of making a reservation or seeking access to a secured area under the Secure Flight program. Exemption (k)(1) applies to records that contain information that have been officially classified in the interest of national security. EFF noted that the designated security classification in the Privacy Act system or records notice for Secure Flight Records is “[u]nclassified; Sensitive Security Information” and, therefore, this system could not be exempt under (k)(1). TSA appreciates the comment, and upon re-examination concludes that the system will not be likely to contain classified material. TSA will update its system of records notice to delete the assertion of an exemption under (k)(1). Exemption (k)(2) applies to investigatory material compiled for law enforcement purposes that is not otherwise covered by exemption (j)(2), provided that an individual is not denied access to a record where the agency's maintenance of the record resulted in the individual being denied a right, privilege, or benefit to which he would otherwise be entitled. EFF alleges that Secure Flight potentially denies individuals their right to travel, so the exemption may not be invoked with respect to those individuals who have been denied this right and material in the system should be provided to them.
As a preliminary matter, TSA does not believe that the Secure Flight program denies individuals their right to travel. Courts have consistently held that travelers do not have a Constitutional right to travel by a single mode or the most convenient form of travel. See for example: *Town of Southold* v. *Town of East Hampton,* 477 F.3d 38, 54 (2d Cir. 2007); *Gilmore* v. *Gonzales,* 435 F.3d 1125, 1136 (9th Cir. 2006); *Miller* v. *Reed,* 176 F.3d 1202, 1205 (9th Cir. 1999). The Secure Flight program would only regulate one mode of travel (aviation), and would not impose any restriction on other mode of travel. Therefore, a restriction on an individual's ability to board an aircraft as a result of the Secure Flight program would not implicate a Constitutional right to travel. In addition, as noted above, information in this system may be related to investigations arising out of DHS or other agency programs and activities, and may pertain to law enforcement or national security matters. In such cases, allowing access to information could alert subjects of investigations of actual or potential criminal, civil, or regulatory violations, and could reveal, in an untimely manner, DHS's and other agencies' investigative interests in law enforcement efforts to preserve national security. Further, to the extent that an individual is denied a right, benefit, or privilege due to the maintenance of a record by TSA in this system, TSA will provide access to that record to the extent the law requires.
2. *Exemption from Access and Amendment Requirements.* The bulk of both EFF and EPIC's comments constituted objections to TSA's proposal to exempt portions of the system from 5 U.S.C. 552a(c)(3) and (4); (d)(1), (2), (3), and (4); (e)(4)(G)-(I); and (f) which all relate to an individual's ability to request access to and correction of records in a system of records. Both groups are concerned that the watch lists used by the Secure Flight Program contain errors and inaccuracies that lead to inconveniences and, in some cases, a loss of liberty for individuals who are placed on a watch list in error. EFF and EPIC do not believe that TSA has an adequate redress process in place, and thus, the need for access and amendment under the Privacy Act is critical. TSA claims these exemptions in order to protect information relating to investigations from disclosure to subjects of investigations and others who could interfere with investigatory activities. Specifically, the exemptions are required to: Prevent subjects of investigations from frustrating the investigative process; avoid disclosure of investigative techniques; protect the privacy of confidential sources; ensure TSA, DHS and other agencies ability to obtain information from third party and other sources; and safeguard sensitive information. Allowing amendment of these records could interfere with ongoing counterterrorism, law enforcement, or intelligence investigations and analysis activities and impose an impossible administrative burden by requiring investigations, analyses, and reports to be continuously reinvestigated and revised. The exemptions proposed here are standard law enforcement and national security exemptions exercised by Federal law enforcement and intelligence agencies. EFF and EPIC refer to the redress process, DHS Traveler Redress Inquiry Program (DHS TRIP), as “vague,” “discretionary,” “not meaningful,” and “Kafkaesque.” These assertions are simply incorrect, and are not comments upon which TSA can meaningfully act.
The DHS TRIP program is a robust and effective mechanism for individuals who believe that they have been delayed or prohibited from boarding or denied entry to the airport sterile area as the result of the Secure Flight program to seek redress and relief. With the implementation of Secure Flight, TSA believes that it will become even more effective with uniform application by the government, rather than relying on application by individual airlines. When an individual requests access to his or her information through the redress process, the request will be examined on a case by case basis, and, after conferring with the appropriate component or agency, the agency may waive applicable exemptions in appropriate circumstances where it would not appear to interfere with or adversely affect the law enforcement or national security purposes of the systems from which the information is recompiled or in which it is contained. Again, TSA shall not assert any exemption with respect to information submitted by and collected from the individual or the individual's representative in the course of the Secure Flight Program or any redress process associated with the underlying records.
3. *Exemption from Requirement to Collect Only Relevant and Necessary Information.* EFF and EPIC object to TSA's assertion of exemption authority under 5 U.S.C. 552a(e)(1) which permits the maintenance of information beyond that which is “relevant and necessary” to accomplish the agency's purpose. The groups' objection stems from their conviction that the watch lists used by Secure Flight are riddled with errors and inaccuracies.
EFF states that the implementation of this exemption “will serve only to increase the likelihood that Secure Flight will become an error-filled, invasive repository of all sorts of information bearing no relationship to its stated goals of expediting the pre-boarding process for travelers and improving transportation security.” TSA appreciates this concern and similarly seeks to ensure that data used in the watch list matching process is as thorough, accurate, and current as possible. However, TSA must exempt portions of this system from (e)(1) because it is not always possible for TSA or other agencies to know in advance what information will be relevant or necessary for it to complete an identity comparison between aviation passengers or certain non-travelers and a known or suspected terrorist. For example, for one individual hair color might be the distinguishing feature that allows TSA to distinguish him or her from someone on the watch list. For other individuals, eye color, or whether they have a tattoo may be data needed to distinguish them from someone on the watch list. For these individuals, hair or eye color is relevant, but not always necessary. In addition, TSA and other agencies may not always know what information about an encounter with a known or suspected terrorist will be relevant to law enforcement for the purpose of conducting an operational response. Further, employing this exemption is not inconsistent with the principles of the Privacy Act; the drafters of the Act established exemptions to provisions like (e)(1) to avoid inappropriately limiting the ability of the Government to carry out certain functions such as law enforcement. 
Constraining the collection of information in the Secure Flight Records system in accordance with the “relevant and necessary” requirement could discourage the appropriate collection of information and impede TSA's efforts to identify known or suspected terrorists and keep them from threatening transportation security.

4. *Exemption from Requirement of Maintaining All Records Used by the Agency in Making a Determination About an Individual with Accuracy, Relevance, Timeliness, and Completeness.* Section (e)(5) of the Privacy Act requires agencies to maintain all records which are used by the agency in making any determination about any individual with such accuracy, relevance, timeliness, and completeness as is reasonably necessary to assure fairness to the individual in the determination. The comments received from EFF and EPIC were concerned that the quality of the watch lists used by the Secure Flight program is mediocre, and that inaccuracies in the lists coupled with exempting records from (e)(5) will lead to a loss of convenience and even liberty for those individuals who are mistakenly put on a watch list. TSA is sensitive to these concerns; however, because many of the records in this system come from other domestic and foreign agency records systems, it is not possible for TSA to ensure compliance with (e)(5). TSA is interested in eliminating erroneous and out of date information from the watch list matching process. To that end, the agency has implemented internal quality assurance procedures to ensure that data used by Secure Flight is as complete, accurate, and current as possible. In the collection of information for law enforcement, counterterrorism, and intelligence purposes, it is impossible to determine in advance what information is accurate, relevant, timely, and complete. With the passage of time, seemingly irrelevant or untimely information may acquire new significance as further investigation reveals additional details.
The restriction imposed by (e)(5) would hamper the ability of those agencies' trained investigators and intelligence analysts to exercise their judgment in conducting investigations and impede the development of intelligence necessary for effective law enforcement and counterterrorism efforts.

5. *Exemption from the Requirement of Judicial Review.* EFF and EPIC both object to TSA's exemption of portions of the Secure Flight system of records from 5 U.S.C. 552a(g), which grants the right to judicial review. According to EFF and EPIC, the redress process offered by TSA and DHS is “unacceptably vague” and “not meaningful” because it is too “discretionary.” EFF states that without the right to judicial review under the Privacy Act, it is unclear what recourse is available to an individual who has been identified as a potential match through Secure Flight based on incorrect information. TSA disagrees. The redress process is effective in assisting individuals who believe they have been delayed or prohibited from boarding or denied entry to the airport sterile area, as a result of the operation of the Secure Flight program. Each separate request for redress is examined on a case by case basis, and, after conferring with the appropriate agency, the agency may waive applicable exemptions in appropriate circumstances and where it would not appear to interfere with or adversely affect the law enforcement or national security purposes of the systems from which the information is recompiled or in which it is contained. If individuals disagree with the agency's final decision in the redress process, the Court of Appeals is the appropriate venue to contest the decision, not a suit for amendment of records under the Privacy Act. As courts have held, even for records that are not exempt from provisions of the Privacy Act, the Privacy Act may not be used as “a weapon to collaterally attack agency determinations.” *Pellerin* v. *V.A.,* 790 F.2d 1553, 1555 (11th Cir. 1986).
TSA's exemption of portions of the Secure Flight Records system from judicial review does not impair an individual's ability to seek redress when they believe they have been erroneously delayed or denied boarding or entry to the airport sterile area.

Paperwork Reduction Act

The Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501 *et seq.*) requires that TSA consider the impact of paperwork and other information collection burdens imposed on the public and, under the provisions of PRA section 3507(d), obtain approval from the Office of Management and Budget (OMB) for each collection of information it conducts, sponsors, or requires through regulations. TSA has determined that there are no current or new information collection requirements associated with this rule.

Regulatory Evaluation Summary

Changes to Federal regulations must undergo several economic analyses. First, Executive Order 12866, Regulatory Planning and Review (58 FR 51735, October 4, 1993), directs each Federal agency to propose or adopt a regulation only upon a reasoned determination that the benefits of the intended regulation justify its costs. Second, the Regulatory Flexibility Act of 1980 (5 U.S.C. 601 *et seq.*, as amended by the Small Business Regulatory Enforcement Fairness Act (SBREFA) of 1996) requires agencies to analyze the economic impact of regulatory changes on small entities. Third, the Trade Agreements Act (19 U.S.C. 2531-2533) prohibits agencies from setting standards that create unnecessary obstacles to the foreign commerce of the United States. Fourth, the Unfunded Mandates Reform Act of 1995 (2 U.S.C. 1531-1538) requires agencies to prepare a written assessment of the costs, benefits, and other effects of proposed or final rules that include a Federal mandate likely to result in the expenditure by State, local, or tribal governments, in the aggregate, or by the private sector, of $100 million or more annually (adjusted for inflation).

Executive Order 12866 Assessment

In conducting these analyses, TSA has determined:

1. This rulemaking is not a “significant regulatory action” as defined in the Executive Order. Accordingly, this rule has not been reviewed by the Office of Management and Budget (OMB). Nevertheless, TSA has reviewed this rulemaking and concluded that there will not be any significant economic impact.

2. This rulemaking would not have a significant impact on a substantial number of small entities.

3. This rulemaking would not constitute a barrier to international trade.

4. This rulemaking does not impose an unfunded mandate on state, local, or tribal governments, or on the private sector.

These analyses, available in the docket, are summarized below.

Regulatory Flexibility Act

The Regulatory Flexibility Act
(RFA) of 1980 requires that agencies perform a review to determine whether a proposed or final rule will have a significant economic impact on a substantial number of small entities. If the determination is that it will, the agency must prepare a regulatory flexibility analysis as described in the RFA. For purposes of the RFA, small entities include small businesses, not-for-profit organizations, and small governmental jurisdictions. Individuals and States are not included in the definition of a small entity. This final rule exempts records in the Secure Flight Records system of records from certain provisions of the Privacy Act. TSA certifies that this rulemaking will not have a significant economic impact on a substantial number of small entities. Further, the exemptions to the Privacy Act apply to individuals, and individuals are not covered entities under the RFA.

International Trade Impact Assessment

This rulemaking will not constitute a barrier to international trade. The exemptions relate to criminal investigations and agency documentation and, therefore, do not create any new costs or barriers to trade.

Executive Order 13132, Federalism

TSA has analyzed this final rule under the principles and criteria of Executive Order 13132, Federalism. We determined that this action will not have a substantial direct effect on the States, or the relationship between the National Government and the States, or on the distribution of power and responsibilities among the various levels of government, and, therefore, does not have federalism implications.

Environmental Analysis

TSA has reviewed this action for purposes of the National Environmental Policy Act of 1969 (NEPA) (42 U.S.C. 4321-4347) and has determined that this action will not have a significant effect on the human environment.

Energy Impact

The energy impact of the action has been assessed in accordance with the Energy Policy and Conservation Act (EPCA), Public Law 94-163, as amended (42 U.S.C. 6362). We have determined that this rulemaking is not a major regulatory action under the provisions of the EPCA.

List of Subjects in 49 CFR Part 1507

Privacy.

The Amendments

In consideration of the foregoing, the Transportation Security Administration amends part 1507 of Chapter XII, Title 49 of the Code of Federal Regulations, as follows:

PART 1507—PRIVACY ACT-EXEMPTIONS

1. The authority citation for part 1507 continues to read as follows:

Authority: 49 U.S.C. 114(l)(1), 40113, 5 U.S.C. 552a(j) and (k).

2. Add a new paragraph (k) to § 1507.3 to read as follows:

§ 1507.3 Exemptions.
(k) *Secure Flight Records*.

(1) Secure Flight Records (DHS/TSA 019) enables TSA to maintain a system of records related to watch list matching applied to air passengers and to non-traveling individuals authorized to enter an airport sterile area. Pursuant to 5 U.S.C. 552a(j)(2) and (k)(2), TSA is claiming the following exemptions for certain records within the Secure Flight Records system: 5 U.S.C. 552a(c)(3) and (4); (d)(1), (2), (3), and (4); (e)(1), (2), (3), (4)(G) through (I), (5), and (8); (f), and (g).

(2) In addition to records under the control of TSA, the Secure Flight system of records may include records originating from systems of records of other law enforcement and intelligence agencies which may be exempt from certain provisions of the Privacy Act. However, TSA does not assert exemption to any provisions of the Privacy Act with respect to information submitted by or on behalf of individual passengers or non-travelers in the course of making a reservation or seeking access to a secured area under the Secure Flight program.

(3) To the extent the Secure Flight system contains records originating from other systems of records, TSA will rely on the exemptions claimed for those records in the originating system of records. Exemptions for certain records within the Secure Flight Records system from particular subsections of the Privacy Act are justified for the following reasons:
(i) From subsection (c)(3) (Accounting for Disclosures) because giving a record subject access to the accounting of disclosures from records concerning him or her could reveal investigative interest on the part of the recipient agency that obtained the record pursuant to a routine use. Disclosure of the accounting could therefore present a serious impediment to law enforcement efforts on the part of the recipient agency because the individual who is the subject of the record would learn of third agency investigative interests and could take steps to evade detection or apprehension. Disclosure of the accounting also could reveal the details of watch list matching measures under the Secure Flight program, as well as capabilities and vulnerabilities of the watch list matching process, the release of which could permit an individual to evade future detection and thereby impede efforts to ensure transportation security.

(ii) From subsection (c)(4) because portions of this system are exempt from the access and amendment provisions of subsection (d).

(iii) From subsections (d)(1), (2), (3), and (4) because these provisions concern individual access to and amendment of certain records contained in this system, including law enforcement counterterrorism, investigatory and intelligence records. Compliance with these provisions could alert the subject of an investigation of the fact and nature of the investigation, and/or the investigative interest of intelligence or law enforcement agencies; compromise sensitive information related to national security; interfere with the overall law enforcement process by leading to the destruction of evidence, improper influencing of witnesses, fabrication of testimony, and/or flight of the subject; identify a confidential source or disclose information which would constitute an unwarranted invasion of another's personal privacy; reveal a sensitive investigative or intelligence technique; or constitute a potential danger to the health or safety of law enforcement personnel, confidential informants, and witnesses. Amendment of these records would interfere with ongoing counterterrorism, law enforcement, or intelligence investigations and analysis activities and impose an impossible administrative burden by requiring investigations, analyses, and reports to be continuously reinvestigated and revised.
(iv) From subsection (e)(1) because it is not always possible for TSA or other agencies to know in advance what information is both relevant and necessary for it to complete an identity comparison between aviation passengers or certain non-travelers and a known or suspected terrorist. In addition, because TSA and other agencies may not always know what information about an encounter with a known or suspected terrorist will be relevant to law enforcement for the purpose of conducting an operational response.

(v) From subsection (e)(2) because application of this provision could present a serious impediment to counterterrorism, law enforcement, or intelligence efforts in that it would put the subject of an investigation, study or analysis on notice of that fact, thereby permitting the subject to engage in conduct designed to frustrate or impede that activity. The nature of counterterrorism, law enforcement, or intelligence investigations is such that vital information about an individual frequently can be obtained only from other persons who are familiar with such individual and his/her activities. In such investigations, it is not feasible to rely upon information furnished by the individual concerning his own activities.

(vi) From subsection (e)(3), to the extent that this subsection is interpreted to require TSA to provide notice to an individual if TSA or another agency receives or collects information about that individual during an investigation or from a third party. Should the subsection be so interpreted, exemption from this provision is necessary to avoid impeding counterterrorism, law enforcement, or intelligence efforts by putting the subject of an investigation, study or analysis on notice of that fact, thereby permitting the subject to engage in conduct intended to frustrate or impede that activity.
(vii) From subsections (e)(4)(G) and (H) (Agency Requirements) and (f) (Agency Rules), because this system is exempt from the access provisions of 5 U.S.C. 552a(d).
(viii) From subsection (e)(5) because many of the records in this system coming from other system of records are derived from other domestic and foreign agency record systems and therefore it is not possible for TSA to ensure their compliance with this provision, however, TSA has implemented internal quality assurance procedures to ensure that data used in the watch list matching process is as thorough, accurate, and current as possible. In addition, in the collection of information for law enforcement, counterterrorism, and intelligence purposes, it is impossible to determine in advance what information is accurate, relevant, timely, and complete. With the passage of time, seemingly irrelevant or untimely information may acquire new significance as further investigation brings new details to light. The restrictions imposed by (e)(5) would limit the ability of those agencies' trained investigators and intelligence analysts to exercise their judgment in conducting investigations and impede the development of intelligence necessary for effective law enforcement and counterterrorism efforts. However, TSA has implemented internal quality assurance procedures to ensure that the data used in the watch list matching process is as thorough, accurate, and current as possible.

(ix) From subsection (e)(8) because to require individual notice of disclosure of information due to compulsory legal process would pose an impossible administrative burden on TSA and other agencies and could alert the subjects of counterterrorism, law enforcement, or intelligence investigations to the fact of those investigations when not previously known.
(x) From subsection (f) (Agency Rules) because portions of this system are exempt from the access and amendment provisions of subsection (d).
(xi) From subsection (g) to the extent that the system is exempt from other specific subsections of the Privacy Act.

Issued in Arlington, Virginia, on November 2, 2007.

Kip Hawley, Assistant Secretary, Transportation Security Administration.

John Kropf, Deputy Chief Privacy Officer, Department of Homeland Security.

[FR Doc. E7-21907 Filed 11-8-07; 8:45 am]

BILLING CODE 9110-05-P

72 217 Friday, November 9, 2007 Notices

DEPARTMENT OF HOMELAND SECURITY

Transportation Security Administration

[Docket No. TSA-2007-28972]

RIN 1652-ZA14

Privacy Act of 1974: System of Records; Secure Flight Records

AGENCY: Transportation Security Administration, DHS.

ACTION: Notice to alter an existing system of records.

SUMMARY: The Transportation Security Administration (TSA) is altering and re-publishing the complete system of records, DHS/TSA 019, under the Privacy Act of 1974, known as “Secure Flight Records,” for a passenger screening program known as Secure Flight. TSA originally established this system of records and published the system of records notice (SORN) in the **Federal Register** on August 23, 2007 (Part III, 72 FR 48392). TSA received and considered public comments on the SORN and is altering the system of records to reflect the deletion of an exemption previously claimed under 5 U.S.C. 552a(k)(1). The Secure Flight program implements a mandate of the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA) and is consistent with TSA's authority under the Aviation and Transportation Security Act (ATSA). Section 4012(a)(1) of the IRTPA requires TSA to assume from air carriers the comparison of passenger information for domestic flights to the consolidated and integrated terrorist watch list maintained by the Federal Government. Further, section 4012(a)(2) of IRTPA similarly requires the DHS to compare passenger information for international flights to and from the United States against the consolidated and integrated terrorist watch list before departure of such flights. The SORN is being altered to reflect TSA's determination that the system will not contain classified material, and TSA will not claim an exemption under 5 U.S.C. 552a(k)(1).

DATES: Effective upon publication.

FOR FURTHER INFORMATION CONTACT: Peter Pietra, Director, Privacy Policy and Compliance, TSA-36, Transportation Security Administration, 601 South 12th Street, Arlington, VA 22202-4220; e-mail: *TSAPrivacy@dhs.gov*; or Hugo Teufel III, Chief Privacy Officer, Privacy Office, U.S. Department of Homeland Security, Washington, DC 20528; e-mail: *pia@dhs.gov.*

SUPPLEMENTARY INFORMATION: TSA previously established and published the SORN for this system of records in the **Federal Register** on August 23, 2007 (Part III, 72 FR 48392), and has received and considered public comments.
TSA is modifying the “Exemptions claimed for the system” section of “Secure Flight Records” (DHS/TSA 019) system of records, to reflect the agency's determination that the system will not contain classified material, and TSA will not claim an exemption under 5 U.S.C. 552a(k)(1). TSA will continue to claim exemptions for this system of records pursuant to (j)(2) and (k)(2).

Availability of Notice

You can get an electronic copy using the Internet by—

(1) Searching the electronic Federal Docket Management System (FDMS) Web page at *http://www.regulations.gov*;

(2) Accessing the Government Printing Office's Web page at *http://www.gpoaccess.gov/fr/index.html*; or
(3) Visiting TSA's Security Regulations Web page at *http://www.tsa.gov* and accessing the link for “Research Center” at the top of the page.

In addition, copies are available by writing or e-mailing the TSA Privacy Office in the FOR FURTHER INFORMATION CONTACT section. Make sure to identify the docket number of this document.

Background

The Privacy Act of 1974 embodies fair information principles in a statutory framework governing the means by which Federal agencies collect, maintain, use, and disseminate personally identifiable information contained in a system of records. The Privacy Act requires each agency to publish in the **Federal Register** a description denoting the type and character of each system of records that the agency maintains, and the routine uses of the information contained in each system in order to make agency record-keeping practices transparent, to notify individuals regarding the uses to which individually identifiable information is put, and to assist the individual to more easily find such files within the agency. This **Federal Register** notice alters and re-publishes the complete system of records known as “Secure Flight Records” (DHS/TSA 019) in support of the Secure Flight program.

The Secure Flight program is based on a mandate from Congress under sections 4012(a)(1) and (2) of IRTPA (Pub. L. 108-458, 118 Stat. 3638, Dec. 17, 2004) that TSA and DHS assume from aircraft operators the comparison of passenger information to the consolidated and integrated terrorist watch list maintained by the Federal Government. In order to carry out this mandate, TSA intends to begin implementation of the Secure Flight program. TSA also published a Notice of Proposed Rulemaking (NPRM) in the **Federal Register** on August 23, 2007 (Part III, 72 FR 48356), that would require certain U.S. aircraft operators and foreign air carriers to provide passenger information to TSA for the purpose of passenger watch list matching against the No Fly and Selectee list components of the consolidated and integrated terrorist watch list, known as the Terrorist Screening Database (TSDB), maintained by the Terrorist Screening Center (TSC). 1 Further, as recommended by the 9/11 Commission, TSA may access the “larger set of watch lists maintained by the Federal Government.” 2 Therefore, where warranted by security considerations, TSA may use the full TSDB or other government databases, such as intelligence or law enforcement databases (referred to as “watch list matching”). For example, TSA may obtain intelligence that flights flying a particular route may be subject to an increased security risk. Under this circumstance, TSA may decide to compare passenger information on some or all of the flights flying that route against the full TSDB or other government database.

1 The TSC was established by the Attorney General in coordination with the Secretary of State, the Secretary of Homeland Security, the Director of the Central Intelligence Agency, the Secretary of the Treasury, and the Secretary of Defense. The Attorney General, acting through the Director of the Federal Bureau of Investigation (FBI), established the TSC in support of Homeland Security Presidential Directive 6 (HSPD-6), dated September 16, 2003, which required the Attorney General to establish an organization to consolidate the Federal Government's approach to terrorism screening and provide for the appropriate and lawful use of terrorist information in screening processes. The TSC maintains the Federal Government's consolidated and integrated terrorist watch list, known as the TSDB.

2 “National Commission on Terrorist Attacks Upon the United States”, page 393.
Although not required, aircraft operators may voluntarily choose to begin operational testing with TSA prior to publication of a final rule. In the event an aircraft operator begins early operational testing with TSA, the records created as part of that testing will be included in this system of records. During early operational testing, covered aircraft operators may provide watch list matching results conducted by the covered aircraft operators for both domestic and international flights and the passenger data elements outlined in the Secure Flight NPRM.

DHS/TSA 019 will cover certain records TSA creates or receives in the course of operational testing and implementation of the Secure Flight program. Using commercial airline passenger information collected from aircraft operators and foreign air carriers under Secure Flight, TSA, in coordination with the TSC, will compare commercial airline passenger information described below to information about individuals on the No Fly and Selectee list components of the TSDB. In addition, in this watch list matching process, TSA will refer to information generated as a result of the redress process, including information about confirmed, misidentified persons who may previously have been mistaken for individuals on one of the watch lists. Owners or operators of leased or charter aircraft over 12,500 pounds may be permitted to request that TSA screen their passengers, aircraft operators, and lessor(s) through Secure Flight. Additionally, TSA will apply this screening process to non-traveling individuals who an aircraft or airport operator seeks to authorize to enter an airport sterile area 3 past a security checkpoint for another purpose approved by TSA, such as to escort a minor or a passenger with disabilities.

3 “Sterile area” is defined in 49 CFR 1540.5 and generally means an area of an airport with access limited to persons who have undergone security screening by TSA.
Information that is maintained in this System of Records may be shared under certain circumstances to confirm watch list matching determinations. This ordinarily will occur when, in an effort to validate a potential match, the Secure Flight program may exchange information with another Federal, state, or local governmental entity, such as Federal, State, or local law enforcement, involved in an operational or informational process associated with watch list matching. Likewise, information may be shared with other Federal agencies where those agencies have information that can be used to distinguish the identity of the individual from that of another individual included on a watch list. Additionally, certain information may be shared with non-governmental entities where necessary for the sole purpose of effectuating a watch list match determination and the issuance of a boarding pass or gate pass printing instruction to aircraft and/or airport operators. Other types of information sharing that may result from the routine uses discussed below in this notice include:
(1) Disclosure to contractors, grantees, or other individuals who are not DHS employees but have an agency relationship with DHS to accomplish DHS responsibilities;

(2) sharing with other Federal, State, local, tribal, foreign or international government agencies and organizations for national security, law enforcement, immigration, or intelligence purposes in response to potential or actual threats to transportation or national security and as necessary to facilitate an operational response to such threats;

(3) sharing with Federal, State, local, tribal, foreign or international government agencies and organizations responsible for investigating, prosecuting, enforcing, or implementing a statute, rule, regulation, or order regarding a violation or potential violation of civil or criminal law or regulation;

(4) sharing with the National Archives and Records Administration for proper handling of government records;

(5) sharing with the U.S. Department of Justice or other Federal agency for purposes of conducting litigation or administrative proceedings in which the Federal government or its employees are a party or has an interest;

(6) sharing with appropriate agencies, entities and persons to protect an individual who is the subject of the record from the harm of identity theft in the case of a data breach affecting this system; and
(7) sharing with other governmental agencies or multi-lateral governmental organizations, such as the World Health Organization, to help those agencies prevent exposure to a communicable or quarantinable disease or other significant health threat, such as transmissible tuberculosis, during aviation travel and prevent further transmission of such diseases as these diseases may pose a threat to transportation and national security if not addressed in a rapid manner. Sharing this information pursuant to this health routine use will assist those agencies in preventing passengers' exposure to communicable diseases during aviation travel and it will help those agencies rapidly notify individuals who may have been exposed to such diseases. This health routine use may reduce or eliminate potential duplicative reporting of passenger information to U.S. authorities for this purpose, thereby reducing the number of times this information must be transmitted to proper authorities.

In the course of carrying out the Secure Flight program, TSA will review information from Federal Bureau of Investigation (FBI) systems of records and from systems of records of other law enforcement and intelligence agencies if necessary to resolve an apparent match to the consolidated and integrated terrorist watch list. These may include classified and unclassified governmental terrorist, law enforcement, and intelligence databases, including databases maintained by the Department of Homeland Security, Department of Defense, National Counterterrorism Center, and FBI. Records from these systems are exempt from certain provisions of the Privacy Act because they contain law enforcement investigative information and intelligence information. To the extent records in the Secure Flight Records system are provided by or obtained from such other exempt systems of records, TSA would rely on the Privacy Act exemptions claimed for those systems. Such records or information may be exempt because they include law enforcement or national security investigation records, intelligence-related records, law enforcement encounter records, or terrorist screening records. These could come from various DHS systems, such as the Treasury Enforcement Communications System (TECS) or from other agency systems. After conferring with the appropriate component or agency, TSA may waive applicable exemptions in appropriate circumstances and where it would not interfere with or adversely affect the law enforcement or national security purposes of the systems from which the information is recompiled or in which it is contained.

SYSTEM OF RECORDS DHS/TSA 019

SYSTEM NAME: Secure Flight Records.

SECURITY CLASSIFICATION: Unclassified; Sensitive Security Information.

SYSTEM LOCATION: Records are maintained at the Transportation Security Administration, 601 South 12th Street, Arlington, VA, and at other secure TSA facilities in Annapolis Junction, Maryland and Colorado Springs, Colorado. Records also may be maintained at the secured facilities of contractors or other parties that perform functions under the Secure Flight program.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
(a) Individuals who attempt to make reservations for travel on, have traveled on, or have reservations to travel on, a flight operated by a U.S. aircraft operator or a flight into, out of, or overflying the United States that is operated by a foreign air carrier;

(b) Non-traveling individuals who seek to obtain authorization from an aircraft or airport operator to enter the sterile area of an airport;

(c) For flights that TSA grants a request by the operators of leased or charter aircraft over 12,500 pounds to screen the individuals using Secure Flight, the following individuals:

(1) individuals who seek to charter or lease an aircraft over 12,500 pounds or who are proposed to be transported on or operate such charter aircraft; and

(2) owners and/or operators of such chartered or leased aircraft;

(d) Known or suspected terrorists identified in the TSDB maintained by the TSC; and individuals identified on classified and unclassified governmental databases such as law enforcement, immigration, or intelligence databases; and

(e) Individuals who have been distinguished from individuals on a watch list through a redress process, or other means.

CATEGORIES OF RECORDS IN THE SYSTEM:
(a) Records containing passenger and flight information (e.g., full name, date of birth, gender, redress number, known traveler number, passport information, and itinerary), information about non-traveling individuals seeking access to an airport sterile area in order to escort a minor passenger or for another purpose approved by TSA, and information about passengers on or individuals seeking to charter or lease an aircraft over 12,500 pounds if TSA grants the aircraft owner or operator requests to use Secure Flight.
(b) Records containing information from an individual's form of identification or a physical description of the individual;
(c) Records obtained from the TSC of known or suspected terrorists in the TSDB and records regarding individuals identified on classified and unclassified governmental watch lists;
(d) Records containing the results of comparisons of individuals to the TSDB and watch list matching analyses;
(e) Records related to communications between or among TSA and aircraft operators, airport operators, owners and/or operators of leased or charter aircraft over 12,500 pounds, TSC, law enforcement agencies, intelligence agencies, and agencies responsible for airspace safety or security, regarding the screening status of passengers or non-traveling individuals and any operational responses to individuals identified in the TSDB;
(f) Records of the redress process that include information on known misidentified persons, including any Redress Number assigned to those individuals; and
(g) Records that track the receipt, use, access, or transmission of information as part of the Secure Flight program.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 49 U.S.C. 114, 40113, 44901, 44903, and 44909.
PURPOSE(S): The Secure Flight Records system will be used to identify and protect against potential and actual threats to transportation security and support the Federal Government's counterterrorism efforts by assisting in the identification of individuals who warrant further scrutiny prior to boarding an aircraft or seek to enter a sterile area or who warrant denial of boarding or denial of entry to a sterile area on security grounds.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:
(1) To the TSC in order to:
(a) Determine whether an individual is a positive identity match to an individual identified as a known or suspected terrorist in the watch list;
(b) allow redress of passenger complaints;
(c) facilitate an operational response, if one is deemed appropriate, for individuals who are a positive identity match to an individual identified as a known or suspected terrorist in the watch list;
(d) provide information and analysis about terrorist encounters and known or suspected terrorist associates to appropriate domestic and foreign government agencies and officials for counterterrorism purposes; and
(e) perform technical implementation functions necessary for the Secure Flight program.
(2) To contractors, grantees, experts, consultants, or other like persons when necessary to perform a function or service related to the operation, modification, or testing of the Secure Flight program in compliance with the Privacy Act of 1974 as amended.
(3) To aircraft operators, foreign air carriers, airport operators, and the Department of Transportation to communicate passenger watch list matching status and facilitate an operational response, where appropriate, to individuals who pose or are suspected of posing a risk to transportation or national security.
(4) To owners or operators of leased or charter aircraft to communicate passenger screening status and facilitate an operational response, where appropriate, to an individual identified in the watch list.
(5) To the appropriate Federal, State, local, tribal, territorial, foreign, or international agency regarding or to identify individuals who pose or under reasonable suspicion of posing a risk to transportation or national security.
(6) To the Department of Justice or other Federal agency for purposes of conducting litigation or administrative proceedings, when:
(a) DHS, or
(b) any employee of DHS in his/her official capacity, or
(c) any employee of DHS in his/her individual capacity where the Department of Justice (DOJ) or DHS has agreed to represent the employee, or
(d) the United States or any agency thereof is a party to the litigation or proceeding or has an interest in such litigation or proceeding.
(7) To the National Archives and Records Administration (NARA) or other Federal agencies pursuant to records management inspections being conducted under the authority of 44 U.S.C. 2904 and 2906.
(8) To a congressional office from the record of an individual in response to an inquiry from that congressional office made at the request of the individual.
(9) To the General Accountability Office, DHS Office of Inspector General or other agency, organization, or individual for the purposes of performing authorized audit or oversight operations but only such information as is necessary and relevant to such audit and oversight functions.
(10) To the appropriate Federal, State, local, tribal, territorial, foreign, or international agency responsible for investigating, prosecuting, enforcing, or implementing a statute, rule, regulation, or order regarding a violation or potential violation of civil or criminal law or regulation when such disclosure is proper and consistent with the performance of the official duties of the person making the disclosure,
(11) To international and foreign governmental authorities in accordance with law and formal or informal international agreements when such disclosure is proper and consistent with the performance of the official duties of the person making the disclosure.
(12) To appropriate agencies, entities, and persons when
(a) TSA suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised;
(b) TSA has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by TSA or another agency or entity) that rely upon the compromised information; and
(c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with TSA's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm.
(13) To appropriate Federal, State, local, tribal, or foreign governmental agencies or multilateral governmental organizations, including the World Health Organization, for purposes of assisting such agencies or organizations in preventing exposure to or transmission of communicable or quarantinable disease or for combating other significant public health threats; appropriate notice will be provided of any identified health threat or risk.
DISCLOSURE TO CONSUMER REPORTING AGENCIES: Pursuant to routine use twelve (12), TSA may disclose information to a consumer reporting agency in relation to a breach or compromise of information. TSA may need to share information with a credit reporting agency in order to respond to the suspected or confirmed compromise and prevent, minimize, or remedy any resulting harm, such as identity theft. Such sharing would be limited to the purposes outlined in routine use (12).
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING AND DISPOSING OF RECORDS IN THE SYSTEM:
Storage: Records are maintained at the Transportation Security Administration, 601 South 12th Street, Arlington, VA, and at other secure TSA facilities in Annapolis Junction, Maryland and Colorado Springs, Colorado. Records also may be maintained at the secured facilities of contractors or other parties that perform functions under the Secure Flight program. The records are stored on magnetic disc, tape, digital media, and CD-ROM, and may also be retained in hard copy format in secure file folders or safes.
Retrievability: Data are retrievable by the individual's name or other identifier, as well as non-identifying information such as itinerary.
Safeguards: All records are protected from unauthorized access through appropriate administrative, physical, and technical safeguards. The system is also protected through a multi-layer security approach.
The protective strategies are physical, technical, administrative and environmental in nature and provide role-based access control to sensitive data, physical access control to DHS facilities, confidentiality of communications, including encryption, authentication of sending parties, compartmentalizing databases; auditing software and personnel screening to ensure that all personnel with access to data are screened through background investigations commensurate with the level of access required to perform their duties. Information in this system is safeguarded in accordance with applicable rules and policies, including any applicable TSA and DHS automated systems security and access policies. The system will be in compliance with Office of Management and Budget (OMB) and National Institute of Standards and Technology (NIST) guidance. Access to the computer system containing the records in this system of records is limited to those individuals who require it to perform their official duties. The computer system also maintains a real-time audit of individuals who access the system.
Retention and Disposal: Records in this system will be retained in accordance with a schedule to be submitted for approval by NARA and other government-wide records schedules, as applicable. TSA is seeking to have records relating to individuals cleared through the automated matching process destroyed within 7 days after completion of the last leg of their directional travel itinerary. The Secure Flight program seeks to retain records reflecting watch list matching analysis and results for individuals who initially appear to be a match for 7 years after the completion of the individual's directional travel itinerary. Records associated with an individual who is determined to be a confirmed match will, consistent with established TSA practice, be retained for 99 years after the date of match confirmation. This retention period is consistent with TSC's NARA-approved record retention schedule for TSDB records. Records reflecting watch list matching analysis (i.e., match or non-match) for any individual who is confirmed to be a match may also be retained in DHS/TSA 011, Transportation Security Intelligence Service Operations Files (69 FR 71835, Dec. 10, 2004). Records associated with known misidentified persons, as well as the watch list and other government databases will be retained in accordance with the retention periods for the originating systems.
SYSTEM MANAGER(S) AND ADDRESS: Donald Hubicki, Director, Secure Flight Program Operations, Transportation Security Administration (TSA), TSA-19, 601 South 12th Street, Arlington, VA 22202.
NOTIFICATION PROCEDURE: To determine whether this system contains records relating to you, write to the FOIA and Privacy Act Office, Transportation Security Administration (TSA), TSA-20, 601 South 12th Street, Arlington, VA 22202.
RECORDS ACCESS PROCEDURES: Requests for records access must be in writing and should be addressed to FOIA and Privacy Act Office, Transportation Security Administration (TSA), TSA-20, 601 South 12th Street, Arlington, VA 22202. Requests should conform to the requirements of 6 CFR part 5, Subpart B, which provides the rules for requesting access to Privacy Act records maintained by DHS. The envelope and letter should be clearly marked “Privacy Act Access Request.” The request should include a general description of the records sought and must include the requester's full name, current address, and date and place of birth. The request must be signed and either notarized or submitted under penalty of perjury. Some information may be exempt from access provisions. An individual who is the subject of a record in this system may access those records that are not exempt from disclosure. A determination whether a record may be accessed will be made at the time a request is received. If individuals are uncertain what agency handles the information, they may seek redress through the DHS Traveler Redress Program (“TRIP”) (See 72 FR 2294, January 18, 2007). Individuals who believe they have been improperly denied entry, refused boarding for transportation, or identified for additional screening by CBP may submit a redress request through the TRIP. TRIP is a single point of contact for individuals who have inquiries or seek resolution regarding difficulties they experienced during their travel screening at transportation hubs—like airports and train stations or crossing U.S. borders. Through TRIP, a traveler can correct erroneous data stored in Secure Flight and other data stored in other DHS databases through one application.
Additionally, for further information on the Secure Flight Program and the redress options please see the accompanying Privacy Impact Assessment for Secure Flight published on the DHS Web site at *http://www.dhs.gov/privacy* in this edition of the **Federal Register** and at DHS.GOV. Redress requests should be sent to: DHS Traveler Redress Inquiry Program (TRIP), TSA-901, 601 South 12th Street, Arlington, VA 22202-4220, or online at *http://www.dhs.gov/trip.*
CONTESTING RECORDS PROCEDURES: Same as “Notification Procedure” and “Record Access Procedure” above.
RECORD SOURCE CATEGORIES: Information contained in the system is obtained from U.S. aircraft operators, foreign air carriers, the owners and operators of leased or charter aircraft over 12,500 pounds who request TSA screening, the TSC, TSA employees, airport operators, Federal, State, local, international and other governmental law enforcement, intelligence, immigration, and counterterrorism agencies, other Federal agencies responsible for airspace safety or security, and the individuals to whom the records in the system pertain.
EXEMPTIONS CLAIMED FOR THE SYSTEM: No exemption will be asserted with respect to identifying information or flight information obtained from passengers and aircraft owners or operators. This system, however, may contain records or information recompiled from or created from information contained in other systems of records, which are exempt from certain provisions of the Privacy Act. For these records or information only, in accordance with 5 U.S.C. 552a(j)(2) and (k)(2), TSA claims the following exemptions for these records or information from subsections (c)(3) and (4); (d)(1), (2), (3), and (4); (e)(1), (2), (3), (4)(G) through (I), (5), and (8); (f); and (g) of the Privacy Act of 1974, as amended, as necessary and appropriate to protect such information. Certain portions or all of these records may be exempt from disclosure pursuant to these exemptions.
Issued in Arlington, Virginia, on November 2, 2007.
John Kropf, Deputy Chief Privacy Officer, Department of Homeland Security.
[FR Doc. E7-21908 Filed 11-8-07; 8:45 am]
BILLING CODE 9110-05-P
72 217 Friday, November 9, 2007 Rules and Regulations Part IV
Department of the Treasury Office of the Comptroller of the Currency 12 CFR Part 41
Federal Reserve System 12 CFR Part 222
Federal Deposit Insurance Corporation 12 CFR Parts 334 and 364
Department of the Treasury Office of Thrift Supervision 12 CFR Part 571
National Credit Union Administration 12 CFR Part 717
Federal Trade Commission 16 CFR Part 681
Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003; Final Rule
DEPARTMENT OF THE TREASURY Office of the Comptroller of the Currency 12 CFR Part 41 [Docket ID OCC-2007-0017] RIN 1557-AC87
FEDERAL RESERVE SYSTEM 12 CFR Part 222 [Docket No. R-1255]
FEDERAL DEPOSIT INSURANCE CORPORATION 12 CFR Parts 334 and 364 RIN 3064-AD00
DEPARTMENT OF THE TREASURY Office of Thrift Supervision 12 CFR Part 571 [Docket No. OTS-2007-0019] RIN 1550-AC04
NATIONAL CREDIT UNION ADMINISTRATION 12 CFR Part 717
FEDERAL TRADE COMMISSION 16 CFR Part 681 RIN 3084-AA94
Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003
AGENCIES: Office of the Comptroller of the Currency, Treasury (OCC); Board of Governors of the Federal Reserve System (Board); Federal Deposit Insurance Corporation (FDIC); Office of Thrift Supervision, Treasury (OTS); National Credit Union Administration (NCUA); and Federal Trade Commission (FTC or Commission).
ACTION: Joint final rules and guidelines.
SUMMARY: The OCC, Board, FDIC, OTS, NCUA and FTC (the Agencies) are jointly issuing final rules and guidelines implementing section 114 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) and final rules implementing section 315 of the FACT Act. The rules implementing section 114 require each financial institution or creditor to develop and implement a written Identity Theft Prevention Program (Program) to detect, prevent, and mitigate identity theft in connection with the opening of certain accounts or certain existing accounts. In addition, the Agencies are issuing guidelines to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the rules. The rules implementing section 114 also require credit and debit card issuers to assess the validity of notifications of changes of address under certain circumstances. Additionally, the Agencies are issuing joint rules under section 315 that provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy.
DATES: The joint final rules and guidelines are effective January 1, 2008. The mandatory compliance date for this rule is November 1, 2008.
FOR FURTHER INFORMATION CONTACT:
*OCC:* Amy Friend, Assistant Chief Counsel, (202) 874-5200; Deborah Katz, Senior Counsel, or Andra Shuster, Special Counsel, Legislative and Regulatory Activities Division, (202) 874-5090; Paul Utterback, Compliance Specialist, Compliance Department, (202) 874-5461; or Aida Plaza Carter, Director, Bank Information Technology, (202) 874-4740, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219.
*Board:* David A. Stein or Ky Tran-Trong, Counsels, or Amy Burke, Attorney, Division of Consumer and Community Affairs, (202) 452-3667; Kara L. Handzlik, Attorney, Legal Division, (202) 452-3852; or John Gibbons, Supervisory Financial Analyst, Division of Banking Supervision and Regulation, (202) 452-6409, Board of Governors of the Federal Reserve System, 20th and C Streets, NW., Washington, DC 20551.
*FDIC:* Jeffrey M. Kopchik, Senior Policy Analyst, (202) 898-3872, or David P. Lafleur, Policy Analyst, (202) 898-6569, Division of Supervision and Consumer Protection; Richard M. Schwartz, Counsel, (202) 898-7424, or Richard B. Foley, Counsel, (202) 898-3784, Legal Division, Federal Deposit Insurance Corporation, 550 17th Street, NW., Washington, DC 20429.
*OTS:* Ekita Mitchell, Consumer Regulations Analyst, Compliance and Consumer Protection, (202) 906-6451; Kathleen M. McNulty, Technology Program Manager, Information Technology Risk Management, (202) 906-6322; or Richard Bennett, Senior Compliance Counsel, Regulations and Legislation Division, (202) 906-7409, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552.
*NCUA:* Regina M. Metz, Staff Attorney, Office of General Counsel, (703) 518-6540, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428.
*FTC:* Naomi B. Lefkovitz, Attorney, or Pavneet Singh, Attorney, Division of Privacy and Identity Protection, Bureau of Consumer Protection, (202) 326-2252, Federal Trade Commission, 600 Pennsylvania Avenue, NW., Washington DC 20580.
SUPPLEMENTARY INFORMATION:
I. Introduction
The President signed the FACT Act into law on December 4, 2003. 1 The FACT Act added several new provisions to the Fair Credit Reporting Act of 1970 (FCRA), 15 U.S.C. 1681 *et seq.* Section 114 of the FACT Act, 15 U.S.C. 1681m(e), amends section 615 of the FCRA, and directs the Agencies to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft, including special regulations requiring debit and credit card issuers to validate notifications of changes of address under certain circumstances. 2 Section 315 of the FACT Act, 15 U.S.C. 1681c(h), adds a new section 605(h)(2) to the FCRA requiring the Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy.
1 Pub. L. 108-159.
2 Section 111 of the FACT Act defines “identity theft” as “a fraud committed using the identifying information of another person, subject to such further definition as the [Federal Trade] Commission may prescribe, by regulation.” 15 U.S.C. 1681a(q)(3).
On July 18, 2006, the Agencies published a joint notice of proposed rulemaking (NPRM) in the **Federal Register** (71 FR 40786) proposing rules and guidelines to implement section 114 and proposing rules to implement section 315 of the FACT Act. The public comment period closed on September 18, 2006. The Agencies collectively received a total of 129 comments in response to the NPRM, although many commenters sent copies of the same letter to each of the Agencies. The comments included 63 from financial institutions, 12 from financial institution holding companies, 23 from financial institution trade associations, 12 from individuals, nine from other trade associations, five from other business entities, three from consumer groups, 3 one from a member of Congress, and one from the United States Small Business Administration (SBA).
3 One of these letters represented the comments of five consumer groups.
II. Section 114 of the FACT Act
A. Red Flag Regulations and Guidelines
1. Background
Section 114 of the FACT Act requires the Agencies to jointly issue guidelines for financial institutions and creditors regarding identity theft with respect to their account holders and customers. Section 114 also directs the Agencies to prescribe joint regulations requiring each financial institution and creditor to establish reasonable policies and procedures for implementing the guidelines, to identify possible risks to account holders or customers or to the safety and soundness of the institution or “customer.” 4
4 Use of the term “customer,” here, appears to be a drafting error and likely should read “creditor.”
In developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft. The guidelines must be updated as often as necessary, and cannot be inconsistent with the policies and procedures issued under section 326 of the USA PATRIOT Act, 5 31 U.S.C. 5318(l), that require verification of the identity of persons opening new accounts.
The Agencies also must consider including reasonable guidelines that would apply when a transaction occurs in connection with a consumer's credit or deposit account that has been inactive for two years. These guidelines would provide that in such circumstances, a financial institution or creditor “shall follow reasonable policies and procedures” for notifying the consumer, “in a manner reasonably designed to reduce the likelihood of identity theft.”
5 Pub. L. 107-56.
2. Overview of Proposal and Comments Received
The Agencies proposed to implement section 114 through regulations requiring each financial institution and creditor to implement a written Program to detect, prevent and mitigate identity theft in connection with the opening of an account or any existing account. The Agencies also proposed guidelines that identified 31 patterns, practices, and specific forms of activity that indicate a possible risk of identity theft. The proposed regulations required each financial institution and creditor to incorporate into its Program relevant indicators of a possible risk of identity theft (Red Flags), including indicators from among those listed in the guidelines. To promote flexibility and responsiveness to the changing nature of identity theft, the proposed rules also stated that covered entities would need to include in their Programs relevant Red Flags from applicable supervisory guidance, their own experiences, and methods that the entity had identified that reflect changes in identity theft risks. The Agencies invited comment on all aspects of the proposed regulations and guidelines implementing section 114, and specifically requested comment on whether the elements described in section 114 had been properly allocated between the proposed regulations and the proposed guidelines.
Consumer groups maintained that the proposed regulations provided too much discretion to financial institutions and creditors to decide which accounts and Red Flags to include in their Programs and how to respond to those Red Flags. These commenters stated that the flexible and risk-based approach taken in the proposed rulemaking would permit “business as usual.” Some small financial institutions also expressed concern about the flexibility afforded by the proposal. These commenters stated that they preferred to have clearer, more structured guidance describing exactly how to develop and implement a Program and what they would need to do to achieve compliance. Most commenters, however, including many financial institutions and creditors, asserted that the proposal was overly prescriptive, contained requirements beyond those mandated in the FACT Act, would be costly and burdensome to implement, and would complicate the existing efforts of financial institutions and creditors to detect and prevent identity theft. Some industry commenters asserted that the rulemaking was unnecessary because large businesses, such as banks and telecommunications companies, already are motivated to prevent identity theft and other forms of fraud in order to limit their own financial losses. Financial institution commenters maintained that they are already doing most of what would be required by the proposal as a result of having to comply with the customer identification program (CIP) regulations implementing section 326 of the USA PATRIOT Act 6 and other existing requirements. These commenters suggested that the regulations and guidelines take the form of broad objectives modeled on the objectives set forth in the “Interagency Guidelines Establishing Information Security Standards” (Information Security Standards). 7 A few financial institution commenters asserted that the primary cause of identity theft is the lack of care on the part of the consumer. They stated that consumers should be held responsible for protecting their own identifying information.
6 *See, e.g.*, 31 CFR 103.121 (applicable to banks, thrifts and credit unions and certain non-federally regulated banks).
7 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D-2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, App. A (credit unions).
The Agencies have modified the proposed rules and guidelines in light of the comments received. An overview of the final rules, guidelines, and supplement, a discussion of the comments, and the specific manner in which the proposed rules and guidelines have been modified, follows.
3. Overview of final rules and guidelines
The Agencies are issuing final rules and guidelines that provide both flexibility and more guidance to financial institutions and creditors. The final rules also require the Program to address accounts where identity theft is most likely to occur. The final rules describe which financial institutions and creditors are required to have a Program, the objectives of the Program, the elements that the Program must contain, and how the Program must be administered. Under the final rules, only those financial institutions and creditors that offer or maintain “covered accounts” must develop and implement a written Program. A covered account is (1) an account primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, or (2) any other account for which there is a reasonably foreseeable risk to customers or the safety and soundness of the financial institution or creditor from identity theft. Each financial institution and creditor must periodically determine whether it offers or maintains a “covered account.” The final regulations provide that the Program must be designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. In addition, the Program must be tailored to the entity's size, complexity and nature of its operations. The final regulations list the four basic elements that must be included in the Program of a financial institution or creditor. The Program must contain “reasonable policies and procedures” to:
• Identify relevant Red Flags for covered accounts and incorporate those Red Flags into the Program;
• Detect Red Flags that have been incorporated into the Program;
• Respond appropriately to any Red Flags that are detected to prevent and mitigate identity theft; and
• Ensure the Program is updated periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.
The regulations also enumerate certain steps that financial institutions and creditors must take to administer the Program. These steps include obtaining approval of the initial written Program by the board of directors or a committee of the board, ensuring oversight of the development, implementation and administration of the Program, training staff, and overseeing service provider arrangements. In order to provide financial institutions and creditors with more flexibility in developing a Program, the Agencies have moved certain detail formerly contained in the proposed regulations to the guidelines located in Appendix J.
This detailed guidance should assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the regulations to detect, prevent, and mitigate identity theft. Each financial institution or creditor that is required to implement a Program must consider the guidelines and include in its Program those guidelines that are appropriate. The guidelines provide policies and procedures for use by institutions and creditors, where appropriate, to satisfy the requirements of the final rules, including the four elements listed above. While an institution or creditor may determine that particular guidelines are not appropriate to incorporate into its Program, the Program must nonetheless contain reasonable policies and procedures to meet the specific requirements of the final rules. The illustrative examples of Red Flags formerly in Appendix J are now listed in a supplement to the guidelines.
4. Section-by-Section Analysis 8
8 The OCC, Board, FDIC, OTS and NCUA are placing the regulations and guidelines implementing section 114 in the part of their regulations that implement the FCRA—12 CFR parts 41, 222, 334, 571, and 717, respectively. In addition, the FDIC cross-references the regulations and guidelines in 12 CFR part 364. For ease of reference, the discussion in this preamble uses the shared numerical suffix of each of these agency's regulations. The FTC also is placing the final regulations and guidelines in the part of its regulations implementing the FCRA, specifically 16 CFR part 681. However, the FTC uses different numerical suffixes that equate to the numerical suffixes discussed in the preamble as follows: preamble suffix .82 = FTC suffix .1, preamble suffix .90 = FTC suffix .2, and preamble suffix .91 = FTC suffix .3. In addition, Appendix J referenced in the preamble is the FTC's Appendix A.
Section _.90(a) Purpose and Scope Proposed §_.90(a) described the statutory authority for the proposed regulations, namely, section 114 of the FACT Act. It also defined the scope of this section; each of the Agencies proposed tailoring this paragraph to describe those entities to which this section would apply. The Agencies received no comments on this section, and it is adopted as proposed. Section _.90(b) Definitions Proposed §_.90(b) contained definitions of various terms that applied to the proposed rules and guidelines. While §_.90(b) of the final rules continues to describe the definitions applicable to the final rules and guidelines, changes have been made to address the comments, as follows. *Section _.90(b)(1) Account.* The Agencies proposed using the term “account” to describe the relationships covered by section 114 that an account holder or customer may have with a financial institution or creditor. 9 The proposed definition of “account” was “a continuing relationship established to provide a financial product or service that a financial holding company could offer by engaging in an activity that is financial in nature or incidental to such a financial activity under section 4(k) of the Bank Holding Company Act, 12 U.S.C. 1843(k).” The definition also gave examples of types of “accounts.” 9 The Agencies acknowledged that section 114 does not use the term “account” and, in other contexts, the FCRA defines the term “account” narrowly to describe certain consumer deposit or asset accounts. See 15 U.S.C. 1681a(r)(4). Some commenters stated that the regulations do not need a definition of “account” to give effect to their terms. Some commenters maintained that a new definition for “account” would be confusing as this term is already defined inconsistently in several regulations and in section 615(e) of the FCRA. 
These commenters recommended that the Agencies use the term “continuing relationship” instead, and define this phrase in a manner consistent with the Agencies' privacy rules 10 implementing Title V of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801. 11 These commenters urged that the definition of “account” not be expanded to include relationships that are not “continuing.” They stated that it would be very burdensome to gather and maintain information on non-customers for one-time transactions. Other commenters suggested defining the term “account” in a manner consistent with the CIP rules. 10 *See* 12 CFR 40 (OCC); 12 CFR 216 (Board); 12 CFR 332 (FDIC); 12 CFR 573 (OTS); 12 CFR 716 (NCUA); and 16 CFR 313 (FTC). 11 Pub. L. 106-102. Many commenters stated that defining “account” to cover both consumer and business accounts was too broad, exceeded the scope of the FACT Act, and would make the regulation too burdensome. These commenters recommended limiting the scope of the regulations and guidelines to cover only consumer financial services, specifically accounts established for personal, family and household purposes, because these types of accounts typically are targets of identity theft. They asserted that identity theft has not historically been common in connection with business or commercial accounts. Consumer groups maintained that the proposed definition of “account” was too narrow. They explained that because the proposed definition was tied to financial products and services that can be offered under the Bank Holding Company Act, it inappropriately excluded certain transactions involving creditors that are not financial institutions that should be covered by the regulations.
Some of these commenters recommended that the definition of “account” include any relationship with a financial institution or creditor in which funds could be intercepted or credit could be extended, as well as any other transaction which could obligate an individual or other covered entity, including transactions that do not result in a continuing relationship. Others suggested that there should be no flexibility to exclude any account that is held by an individual or which generates information about individuals that reflects on their financial or credit reputations. The Agencies have modified the definition of “account” to address these comments. First, the final rules now apply to “covered accounts,” a term that the Agencies have added to the definition section to eliminate confusion between these rules and other rules that apply to an “account.” The Agencies have retained a definition of “account” simply to clarify and provide context for the definition of “covered account.” Section 114 provides broad discretion to the Agencies to prescribe regulations and guidelines to address identity theft. The terminology in section 114 is not confined to “consumer” accounts. While identity theft primarily has been directed at consumers, the Agencies are aware that small businesses also have been targets of identity theft. Over time, identity theft could expand to affect other types of accounts. Thus, the definition of “account” in §_.90(b)(1) of the final rules continues to cover *any* relationship to obtain a product or service that an account holder or customer may have with a financial institution or creditor. 12 Through examples, the definition makes clear that the purchase of property or services involving a deferred payment is considered to be an account. 12 Accordingly, the definition of “account” still applies to fiduciary, agency, custodial, brokerage and investment advisory activities. 
Although the definition of “account” includes business accounts, the risk-based nature of the final rules allows each financial institution or creditor flexibility to determine which business accounts will be covered by its Program through a risk evaluation process. The Agencies also recognize that a person may establish a relationship with a creditor, such as an automobile dealer or a telecommunications provider, primarily to obtain a product or service that is not financial in nature. To make clear that an “account” includes relationships with creditors that are not financial institutions, the definition is no longer tied to the provision of “financial” products and services. Accordingly, the Agencies have deleted the reference to the Bank Holding Company Act. The definition of “account” still includes the words “continuing relationship.” The Agencies have determined that, at this time, the burden that would be imposed upon financial institutions and creditors by a requirement to detect, prevent and mitigate identity theft in connection with single, non-continuing transactions by non-customers would outweigh the benefits of such a requirement. The Agencies recognize, however, that identity theft may occur at the time of account opening. Therefore, as detailed below, the obligations of the final rule apply not only to existing accounts, where a relationship already has been established, but also to account openings, when a relationship has not yet been established. *Section _.90(b)(2) Board of Directors.* The proposed regulations discussed the role of the board of directors of a financial institution or creditor. For financial institutions and creditors covered by the regulations that do not have boards of directors, the proposed regulations defined “board of directors” to include, in the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency. 
For other creditors that do not have boards of directors, the proposed regulations defined “board of directors” as a designated employee. Consumer groups objected to the proposed definition as it applied to creditors that do not have boards of directors. These commenters recommended that for these entities, “board of directors” should be defined as a designated employee at the level of senior management. They asserted that otherwise, institutions that do not have a board of directors would be given an unfair advantage for purposes of the substantive provisions of the rules, because they would be permitted to assign *any* employee to fulfill the role of the “board of directors.” The Agencies agree this important role should be performed by an employee at the level of senior management, rather than any designated employee. Accordingly, the definition of “board of directors” has been revised in § _.90(b)(2) of the final rules so that, in the case of a creditor that does not have a board of directors, the term “board of directors” means “a designated employee at the level of senior management.” *Section _.90(b)(3) Covered Account.* As mentioned previously, the Agencies have added a new definition of “covered account” in § _.90(b)(3) to describe the type of “account” covered by the final rules. The proposed rules would have provided a financial institution or creditor with broad flexibility to apply its Program to those accounts that it determined were vulnerable to the risk of identity theft, and did not mandate coverage of any particular type of account. Consumer group commenters urged the Agencies to limit the discretion afforded to financial institutions and creditors by requiring them to cover consumer accounts in their Programs. While seeking to preserve their discretion, many industry commenters requested that the Agencies limit the final rules to consumer accounts, where identity theft is most likely to occur. 
The Agencies recognize that consumer accounts are presently the most common target of identity theft and acknowledge that Congress expected the final regulation to address risks of identity theft to consumers. 13 For this reason, the final rules require each Program to cover accounts established primarily for personal, family or household purposes, that involve or are designed to permit multiple payments or transactions, *i.e.* , consumer accounts. As discussed above in connection with the definition of “account,” the final rules also require the Programs of financial institutions and creditors to cover any other type of account that the institution or creditor offers or maintains for which there is a reasonably foreseeable risk from identity theft. 13 *See* S. Rep. No. 108-166 at 13 (Oct. 17, 2003) (accompanying S. 1753). Accordingly, the definition of “covered account” is divided into two parts. The first part refers to “an account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions.” The definition provides examples to illustrate that these types of consumer accounts include, “a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account.” 14 14 These examples reflect the fact that the rules are applicable to a variety of financial institutions and creditors. They are not intended to confer any additional powers on covered entities. Nonetheless, some of the Agencies have chosen to limit the examples in their rule texts to those products covered entities subject to their jurisdiction are legally permitted to offer. 
The second part of the definition refers to “any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.” This part of the definition reflects the Agencies' belief that other types of accounts, such as small business accounts or sole proprietorship accounts, may be vulnerable to identity theft, and, therefore, should be considered for coverage by the Program of a financial institution or creditor. In response to the proposed definition of “account,” a trade association representing credit unions suggested that the term “customer” in the definition be revised to refer to “member” to better reflect the ownership structure of some financial institutions or to “consumer” to include all individuals doing business at all types of financial institutions. The definition of “account” in the final rules no longer makes reference to the term “customer”; however, the definition of “covered account” continues to employ this term, to be consistent with section 114 of the FACT Act, which uses the term “customer.” Of course, in the case of credit unions, the final rules and guidelines will apply to the accounts of members that are maintained primarily for personal, family, or household purposes, and those that are otherwise subject to a reasonably foreseeable risk of identity theft. *Sections _.90(b)(4) and (b)(5) Credit and Creditor.* The proposed rules defined these terms by cross-reference to the relevant sections of the FCRA. There were no comments on the definition of “credit” and § _.90(b)(4) of the final rules adopts the definition as proposed. 
Some commenters asked the Agencies to clarify that the term “creditor” does not cover third-party debt collectors who regularly arrange for the extension, renewal, or continuation of credit. Section 114 applies to financial institutions and creditors. Under the FCRA, the term “creditor” has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a. 15 ECOA defines “creditor” to include a person who arranges for the extension, renewal, or continuation of credit, which in some cases could include third-party debt collectors. 15 U.S.C. 1691a(e). Therefore, the Agencies are not excluding third-party debt collectors from the scope of the final rules, and § _.90(b)(5) of the final rules adopts the definition of “creditor” as proposed. 15 *See* 15 U.S.C. 1681a(r)(5). *Section _.90(b)(6) Customer.* Section 114 of the FACT Act refers to “account holders” and “customers” of financial institutions and creditors without defining either of these terms. For ease of reference, the Agencies proposed to use the term “customer” to encompass both “customers” and “account holders.” “Customer” was defined as a person that has an account with a financial institution or creditor. The proposed definition of “customer” applied to any “person,” defined by the FCRA as any individual, partnership, corporation, trust, estate, cooperative, association, government or governmental subdivision or agency, or other entity. 16 The proposal explained that the Agencies chose this broad definition because, in addition to individuals, various types of entities ( *e.g.* , small businesses) can be victims of identity theft. Under the proposed definition, however, a financial institution or creditor would have had the discretion to determine which type of customer accounts would be covered under its Program, since the proposed regulations were risk-based. 17 16 *See* 15 U.S.C. 1681a(b). 
17 Proposed § _.90(d)(1) required this determination to be substantiated by a risk evaluation that takes into consideration which customer accounts of the financial institution or creditor are subject to a risk of identity theft. As noted above, most industry commenters maintained that including all persons, not just consumers, within the definition of “customer” would impose a substantial financial burden on financial institutions and creditors, and make compliance with the regulations more burdensome. These commenters stated that business identity theft is rare, and maintained that financial institutions and creditors should be allowed to direct their fraud prevention resources to the areas of highest risk. They also noted that businesses are more sophisticated than consumers, and are in a better position to protect themselves against fraud than consumers, both in terms of prevention and in enforcing their legal rights. Some financial institution commenters were concerned that the broad definition of “customer” would create opportunities for commercial customers to shift responsibility from themselves to the financial institution for not discovering Red Flags and alerting business customers about embezzlement or other fraudulent transactions by the commercial customer's own employees. These commenters suggested narrowing the definition to cover natural persons and to exclude business customers. Some of these commenters suggested that the definition of “customer” should be consistent with the definition of this term in the Information Security Standards and the Agencies' privacy rules. Consumer groups commented that the proposed definition of “customer” was too narrow. They recommended that the definition be amended, so that the regulations would not only protect persons who are already customers of a financial institution or creditor, but also persons whose identities are used by an imposter to open an account. 
Section _.90(b)(6) of the final rule defines “customer” to mean a person that has a “covered account” with a financial institution or creditor. Under the definition of “covered account,” an individual who has a consumer account will always be a “customer.” A “customer” may also be a person that has another type of account for which a financial institution or creditor determines there is a reasonably foreseeable risk to its customers or to its own safety and soundness from identity theft. The Agencies note that the Information Security Standards and the privacy rules implemented various sections of Title V of the GLBA, 15 U.S.C. 6801, which specifically apply only to customers who are consumers. By contrast, section 114 does not define the term “customer.” Because the Agencies continue to believe that a business customer can be a target of identity theft, the final rules contain a risk-based process designed to ensure that these types of customers will be covered by the Program of a financial institution or creditor, when the risk of identity theft is reasonably foreseeable. The definition of “customer” in the final rules continues to cover only customers that already have accounts. The Agencies note, however, that the substantive provisions of the final rules, described later, require the Program of a financial institution or creditor to detect, prevent, and mitigate identity theft in connection with the opening of a covered account as well as any existing covered account. The final rules address persons whose identities are used by an imposter to open an account in these substantive provisions, rather than through the definition of “customer.” *Section _.90(b)(7) Financial Institution.* The Agencies received no comments on the proposed definition of “financial institution.” It is adopted in § _.90(b)(7), as proposed, with a cross-reference to the relevant definition in the FCRA. 
*Section _.90(b)(8) Identity Theft.* The proposal defined “identity theft” by cross-referencing the FTC's rule that defines “identity theft” for purposes of the FCRA. 18 18 69 FR 63922 (Nov. 3, 2004) (codified at 16 CFR 603.2(a)). Section 111 of the FACT Act added several new definitions to the FCRA, including “identity theft,” and authorized the FTC to further define this term. *See* 15 U.S.C. 1681a. Most industry commenters objected to the breadth of the proposed definition of “identity theft.” They recommended that the definition include only actual fraud committed using identifying information of a consumer, and exclude attempted fraud, identity theft committed against businesses, and any identity fraud involving the creation of a fictitious identity using fictitious data combined with real information from multiple individuals. By contrast, consumer groups supported a broad interpretation of “identity theft,” including the incorporation of “attempted fraud” in the definition. Section _.90(b)(8) of the final rules adopts the definition of “identity theft” as proposed. The Agencies believe that it is important to ensure that all provisions of the FACT Act that address identity theft are interpreted in a consistent manner. Therefore, the final rule continues to define identity theft with reference to the FTC's regulation, which as currently drafted provides that the term “identity theft” means “a fraud committed or attempted using the identifying information of another person without authority.” 19 The FTC defines the term “identifying information” to mean “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person, including any— 19 *See* 16 CFR 603.2(a).
(1) Name, social security number, date of birth, official State or government issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;
(2) Unique biometric data, such as fingerprint, voice print, retina or iris image, or other unique physical representation;
(3) Unique electronic identification number, address, or routing code; or
(4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)).
Thus, under the FTC's regulation, the creation of a fictitious identity using any single piece of information belonging to a real person falls within the definition of “identity theft” because such a fraud involves “using the identifying information of another person without authority.” 20 20 *See* 16 CFR 603.2(b). *Section _.90(b)(9) Red Flag.* The proposed regulations defined “Red Flag” as a pattern, practice, or specific activity that indicates the possible risk of identity theft. The preamble to the proposed rules explained that indicators of a “possible risk” of identity theft would include precursors to identity theft such as phishing, 21 and security breaches involving the theft of personal information, which often are a means to acquire the information of another person for use in committing identity theft. The preamble explained that the Agencies included such precursors to identity theft as “Red Flags” to better position financial institutions and creditors to stop identity theft at its inception. 21 Electronic messages to customers of financial institutions and creditors directing them to provide personal information in response to a fraudulent e-mail. Most industry commenters objected to the broad scope of the definition of “Red Flag,” particularly the phrase “possible risk of identity theft.” These commenters believed that this definition would require financial institutions and creditors to identify all risks and develop procedures to prevent or mitigate them, without regard to the significance of the risk. They asserted that the statute does not support the use of “possible risk” and suggested defining a “Red Flag” as an indicator of significant, substantial, or the probable risk of identity theft. These commenters stated that this would allow a financial institution or creditor to focus compliance in areas where it is most needed.
Most industry commenters also stated that the inclusion of precursors to identity theft in the definition of “Red Flag” would make the regulations even broader and more burdensome. They stated that financial institutions and creditors do not have the ability to detect and respond to precursors, such as phishing, in the same manner as other Red Flags that are more indicative of actual ongoing identity theft. By contrast, consumer groups supported the inclusion of the phrase “possible risk of identity theft” and the reference to precursors in the proposed definition of “Red Flag.” These commenters stated that placing emphasis on detecting precursors to identity theft, instead of waiting for proven cases, is the right approach. The Agencies have concluded that the phrase “possible risk” in the proposed definition of “Red Flag” is confusing and could unduly burden entities with limited resources. Therefore, the final rules define “Red Flag” in § _.90(b)(9) using language derived directly from section 114, namely, “a pattern, practice, or specific activity that indicates the possible existence of identity theft.” 22 22 15 U.S.C. 1681m(c)(2)(A). The Agencies continue to believe, however, that financial institutions and creditors should consider precursors to identity theft in order to stop identity theft before it occurs. Therefore, as described below, the Agencies have chosen to address precursors directly, through a substantive provision in section IV of the guidelines titled “Prevention and Mitigation,” rather than through the definition of “Red Flag.” This provision states that a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft in determining an appropriate response to the Red Flags it detects. *Section _.90(b)(10) Service Provider.* The proposed regulations defined “service provider” as a person that provides a service directly to the financial institution or creditor. 
This definition was based upon the definition of “service provider” in the Information Security Standards. 23 23 The Information Security Standards define “service provider” to mean any person or entity that maintains, processes, or otherwise is permitted access to customer information or consumer information through the provision of services directly to the financial institution. 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D-2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, App. A (credit unions). One commenter agreed with this definition. However, two other commenters stated that the definition was too broad. They suggested narrowing the definition of “service provider” to persons or entities that have access to customer information. Section _.90(b)(10) of the final rules adopts the definition as proposed. The Agencies have concluded that defining “service provider” to include only persons that have access to customer information would inappropriately narrow the coverage of the final rules. The Agencies have interpreted section 114 broadly to require each financial institution and creditor to detect, prevent, and mitigate identity theft not only in connection with any existing covered account, but also in connection with the opening of an account. A financial institution or creditor is ultimately responsible for complying with the final rules and guidelines even if it outsources an activity to a third-party service provider. 
Thus, a financial institution or creditor that uses a service provider to open accounts will need to provide for the detection, prevention, and mitigation of identity theft in connection with this activity, even when the service provider has access to the information of a person who is not yet, and may not become, a “customer.”
Section _.90(c) Periodic Identification of Covered Accounts
To simplify compliance with the final rules, the Agencies added a new provision in § _.90(c) that requires each financial institution and creditor to periodically determine whether it offers or maintains any covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in § _.90(b)(3)(ii) (accounts other than consumer accounts), taking into consideration:
• The methods it provides to open its accounts;
• The methods it provides to access its accounts; and
• Its previous experiences with identity theft.
Thus, a financial institution or creditor should consider whether, for example, a reasonably foreseeable risk of identity theft may exist in connection with business accounts it offers or maintains that may be opened or accessed remotely, through methods that do not require face-to-face contact, such as through the internet or telephone. In addition, those institutions and creditors that offer or maintain business accounts that have been the target of identity theft should factor those experiences with identity theft into their determination. This provision is modeled on various process-oriented and risk-based regulations issued by the Agencies, such as the Information Security Standards. Compliance with this type of regulation is based upon a regulated entity's own preliminary risk assessment. The risk assessment required here directs a financial institution or creditor to determine, as a threshold matter, whether it will need to have a Program.
24 If a financial institution or creditor determines that it does need a Program, then this risk assessment will enable the financial institution or creditor to identify those accounts the Program must address. This provision also requires a financial institution or creditor that initially determines that it does not need to have a Program to reassess periodically whether it must develop and implement a Program in light of changes in the accounts that it offers or maintains and the various other factors set forth in the provision.
24 The Agencies anticipate that some financial institutions and creditors, such as various creditors regulated by the FTC that solely engage in business-to-business transactions, will be able to determine that they do not need to develop and implement a Program.
Section _.90(d)(1) Identity Theft Prevention Program Requirement
Proposed § _.90(c) described the primary objectives of a Program. It stated that each financial institution or creditor must implement a written Program that includes reasonable policies and procedures to address the risk of identity theft to its customers and to the safety and soundness of the financial institution or creditor, in the manner described in proposed § _.90(d), which described the development and implementation of a Program. It also stated that the Program must address financial, operational, compliance, reputation, and litigation risks and be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities. Some commenters believed that the proposed regulations exceeded the scope of section 114 by covering deposit accounts and by requiring a response to the risk of identity theft, not just the identification of the risk of identity theft. One commenter expressed concern about the application of the Program to existing accounts.
The SBA commented that requiring all small businesses covered by the regulations to create a written Program would be overly burdensome. Several financial institution commenters objected to what they perceived as a proposed requirement that financial institutions and creditors have a written Program solely to address identity theft. They recommended that the final regulations allow a covered entity to simply maintain or expand its existing fraud prevention and information security programs as long as they included the detection, prevention, and mitigation of identity theft. Some of these commenters stated that requiring a written program would merely focus examiner attention on documentation and cause financial institutions to produce needless paperwork. While commenters generally agreed that the Program should be appropriate to the size and complexity of the financial institution or creditor, and the nature and scope of its activities, many industry commenters objected to the prescriptive nature of this section. They urged the Agencies to provide greater flexibility to financial institutions and creditors by allowing them to implement their own procedures as opposed to those provided in the proposed regulations. Several other commenters suggested permitting financial institutions and creditors to take into account the cost and effectiveness of policies and procedures and the institution's history of fraud when designing its Program. Several financial institution commenters maintained that the Program required by the proposed rules was not sufficiently flexible. They maintained that a true risk-based approach would permit institutions to prioritize the importance of various controls, address the most important risks first, and accept the good faith judgments of institutions in differentiating among their options for conducting safe, sound, and compliant operations. 
Some of these commenters urged the Agencies to revise the final rules and guidelines and adopt an approach similar to the Information Security Standards which they characterized as providing institutions with an outline of issues to consider without requiring specific approaches. Although a few commenters believed that the proposed requirement to update the Program was burdensome and should be eliminated, most commenters agreed that the Program should be designed to address changing risks over time. A number of these commenters, however, objected to the requirement that the Program must be designed to address changing identity theft risks “as they arise,” as too burdensome a standard. Instead, they recommended that the final regulations require a financial institution or creditor to reassess periodically whether to adjust the types of accounts covered or Red Flags to be detected based upon any changes in the types and methods of identity theft that an institution or creditor has experienced. Section _.90(d) of the final rules requires each financial institution or creditor that offers or maintains one or more covered accounts to develop and implement a written Program that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. To signal that the final rules are flexible, and allow smaller financial institutions and creditors to tailor their Programs to their operations, the final rules state that the Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities. The guidelines are appended to the final rules to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of the regulation. 
Section I of the guidelines, titled “The Program,” makes clear that a covered entity may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity's fraud prevention program. This will avoid duplication and allow covered entities to benefit from existing policies and procedures. The Agencies do not agree with those commenters who asserted that the scope of the proposed regulations (and hence the final rules that adopt the identical approach with respect to these issues) exceed the Agencies' statutory mandate. First, section 114 clearly permits the Agencies to issue regulations and guidelines that address more than the mere identification of the risk of identity theft. Section 114 contains a broad mandate directing the Agencies to issue guidelines “regarding identity theft” and to prescribe regulations requiring covered entities to establish reasonable policies and procedures for implementing the guidelines. Second, two provisions in section 114 indicate that Congress expected the Agencies to issue final regulations and guidelines requiring financial institutions and creditors to detect, prevent, and mitigate identity theft. The first relevant provision is codified in section 615(e)(1)(C) of the FCRA, where Congress addressed a particular scenario involving card issuers. In that provision, Congress directed the Agencies to prescribe regulations requiring a card issuer to take specific steps to assess the validity of a change of address request when it receives such a request and, within a short period of time, also receives a request for an additional or replacement card.
The regulations must prohibit a card issuer from issuing an additional or replacement card under such circumstances, unless it notifies the cardholder or “uses other means of assessing the validity of the change of address in accordance with reasonable policies and procedures established by the card issuer in accordance with the regulations prescribed [by the Agencies] * * *.” This provision makes clear that Congress contemplated that the Agencies' regulations would require a financial institution or creditor to have policies and procedures not only to identify Red Flags, but also, to prevent and mitigate identity theft. The second relevant provision is codified in section 615(e)(2)(B) of the FCRA, and directs the Agencies to consider addressing in the identity theft guidelines transactions that occur with respect to credit or deposit accounts that have been inactive for more than two years. The Agencies must consider whether a creditor or financial institution detecting such activity should “follow reasonable policies that provide for notice to be given to the consumer in a manner reasonably designed to reduce the likelihood of identity theft with respect to such account.” This provision signals that the Agencies are authorized to prescribe regulations and guidelines that comprehensively address identity theft—in a manner that goes beyond the mere identification of possible risks. The Agencies' interpretation of section 114 is also supported by the legislative history that indicates Congress expected the Agencies to issue regulations and guidelines for the purposes of “identifying and preventing identity theft.” 25 25 *See* S. Rep. No. 108-166 at 13 (Oct. 17, 2003) (accompanying S. 1753). 
Finally, the Agencies' interpretation of section 114 is broad, based on a public policy perspective that regulations and guidelines addressing the identification of the risk of identity theft, without addressing the prevention and mitigation of identity theft, would not be particularly meaningful or effective. The Agencies also have concluded that the scope of section 114 does not only apply to credit transactions, but also applies, for example, to deposit accounts. Section 114 refers to the risk of identity theft, generally, and not strictly in connection with credit. Because identity theft can and does occur in connection with various types of accounts, including deposit accounts, the final rules address identity theft in a comprehensive manner. Furthermore, nothing in section 114 indicates that the regulations must only apply to identity theft in connection with account openings. The FTC has defined “identity theft” as “a fraud committed or attempted using the identifying information of another person without authority.” 26 Such fraud may occur in connection with account openings and with existing accounts. Section 615(e)(3) states that the guidelines that the Agencies prescribe “shall not be inconsistent” with the policies and procedures required under 31 U.S.C. 5318(l), a reference to the CIP rules which require certain financial institutions to verify the identity of customers opening new accounts. However, the Agencies do not read this phrase to prevent them from prescribing rules directed at existing accounts. To interpret the provision in this manner would solely authorize the Agencies to prescribe regulations and guidelines identical to and duplicative of those already issued—making the Agencies' regulatory authority in this area superfluous and meaningless. 27 26 16 CFR 603.2(a). 
27 The Agencies' conclusion is also supported by case law interpreting similar terminology, albeit in a different context, finding that “inconsistent” means it is impossible to comply with two laws simultaneously, or one law frustrates the purposes and objectives of another. *See, e.g., Davenport* v. *Farmers Ins. Group,* 378 F.3d 839 (8th Cir. 2004); *Retail Credit Co.* v. *Dade County, Florida,* 393 F. Supp. 577 (S.D. Fla. 1975); *Alexiou* v. *Brad Benson Mitsubishi,* 127 F. Supp.2d 557 (D.N.J. 2000). The Agencies recognize that requiring a written Program will impose some burden. However, the Agencies believe the benefit of being able to assess a covered entity's compliance with the final rules by evaluating the adequacy and implementation of its written Program outweighs the burdens imposed by this requirement. Moreover, although the final rules continue to require a written Program, as detailed below, the Agencies have substantially revised the proposal to focus the final rules and guidelines on reasonably foreseeable risks, make the final rules less prescriptive, and provide financial institutions and creditors with more discretion to develop policies and procedures to detect, prevent, and mitigate identity theft. Proposed § _.90(c) also provided that the Program must address changing identity theft risks as they arise based upon the experience of the financial institution or creditor with identity theft and changes in: Methods of identity theft; methods to detect, prevent, and mitigate identity theft; the types of accounts the financial institution or creditor offers; and its business arrangements, such as mergers and acquisitions, alliances and joint ventures, and service provider arrangements. The Agencies continue to believe that, to ensure a Program's continuing effectiveness, it must be updated, at least periodically. 
However, in order to simplify the final rules, the Agencies moved this requirement into the next section, where it is one of the required elements of the Program, as discussed below. Development and Implementation of Identity Theft Prevention Program The remaining provisions of the proposed rules were set forth under the above-referenced section heading. Many commenters asserted that the Agencies should simply articulate certain objectives and provide financial institutions and creditors the flexibility and discretion to design policies and procedures to fulfill the objectives of the Program without the level of detail required under this section. As described earlier, to ensure that financial institutions and creditors are able to design Programs that effectively address identity theft in a manner tailored to their own operations, the Agencies have made significant changes in the proposal by deleting whole provisions or moving them into the guidelines in Appendix J. More specifically, the Agencies abbreviated the proposed requirements formerly located in the provisions titled “Identification and Evaluation of Red Flags” and “Identity Theft Prevention and Mitigation” and have placed them under a section of the final rules titled “Elements of a Program.” The proposed requirements on “Staff Training,” “Oversight of Service Provider Arrangements,” and “Involvement of Board of Directors and Senior Management” are now in a section of the final rules titled “Administration of the Program.” The guidelines in Appendix J elaborate on these requirements. A discussion of the comments received on these sections of the proposed rules, and the corresponding sections of the final rules and guidelines follows. 
Section _.90(d)(2)(i) Element I of the Program: Identification of Red Flags Proposed § _.90(d)(1)(i) required a Program to include policies and procedures to identify which Red Flags, singly or in combination, are relevant to detecting the possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor, using the risk evaluation described in § _.90(d)(1)(ii). It also required the Red Flags identified to reflect changing identity theft risks to customers and to the financial institution or creditor as they arise. Proposed § _.90(d)(1)(i) provided that each financial institution and creditor must incorporate into its Program relevant Red Flags from Appendix J. The preamble to the proposed rules acknowledged that some Red Flags that are relevant today may become obsolete as time passes. The preamble stated that the Agencies expected to update Appendix J periodically, 28 but that it may be difficult to do so quickly enough to keep pace with rapidly evolving patterns of identity theft or as quickly as financial institutions and creditors experience new types of identity theft. Therefore, proposed § _.90(d)(1)(i) also provided that each financial institution and creditor must incorporate into its Program relevant Red Flags from applicable supervisory guidance, incidents of identity theft that the financial institution or creditor has experienced, and methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks. 28 Section 114 directs the Agencies to update the guidelines as often as necessary. *See* 15 U.S.C. 1681m(e)(1)(a). Some commenters objected to the proposed requirement that the Program contain policies and procedures to identify which Red Flags, singly or in combination, are relevant to detecting the possible risk of identity theft to customers or to the safety and soundness of the financial institution or creditor. 
They criticized the phrase “possible risk” as too broad and stated that it was unrealistic to impose upon covered entities a continuing obligation to incorporate into their Programs Red Flags to address virtually any new identity theft incident or trend and potential fraud prevention measure. These commenters stated that this would be a burdensome compliance exercise that would limit flexibility and add costs, which in turn, would take away limited resources from the ultimate objective of combating identity theft. Many commenters objected to the proposed requirement that the Red Flags identified by a financial institution or creditor reflect changing identity theft risks to customers and to the financial institution or creditor “as they arise.” These commenters requested that the final rules permit financial institutions and creditors a reasonable amount of time to adjust the Red Flags included in their Programs. Some commenters agreed that the enumerated sources of Red Flags were appropriate. A few commenters stated that financial institutions and creditors should not be required to include in their Programs any Red Flags except for those set forth in Appendix J or in supervisory guidance, or that they had experienced. However, most commenters objected to the requirement that, at a minimum, the Program incorporate any relevant Red Flags from Appendix J. Some financial institution commenters urged deletion of the proposed requirement to include a list of relevant Red Flags in their Program. They stated that a financial institution should be able to assess which Red Flags are appropriate without having to justify to an examiner why it failed to include a specific Red Flag on a list. Other commenters recommended that the list of Red Flags in Appendix J be illustrative only. These commenters recommended that a financial institution or creditor be permitted to include any Red Flags on its list that it concludes are appropriate. 
They suggested that the Agencies encourage institutions to review the list of Red Flags, and use their own experience and expertise to identify other Red Flags that become apparent as fraudsters adapt and develop new techniques. They maintained that in this manner, institutions and creditors would be able to identify the appropriate Red Flags and not waste limited resources and effort addressing those Red Flags in Appendix J that were obsolete or not appropriate for their activities. By contrast, consumer groups criticized the flexibility and discretion afforded to financial institutions and creditors in this section of the proposed rules. These commenters urged the Agencies to make certain Red Flags from Appendix J mandatory, such as a fraud alert on a consumer report. Proposed § _.90(d)(1)(ii) provided that in order to identify which Red Flags are relevant to detecting a possible risk of identity theft to its customers or to its own safety and soundness, the financial institution or creditor must consider: A. Which of its accounts are subject to a risk of identity theft; B. The methods it provides to open these accounts; C. The methods it provides to access these accounts; and D. Its size, location, and customer base. While some industry commenters thought the enumerated factors were appropriate, other commenters stated that the factors on the list were not necessarily the ones used by financial institutions to identify risk and were irrelevant to any determination of identity theft or actual fraud. These commenters maintained that this proposed requirement would require financial institutions to develop entirely new programs that may not be as effective or efficient as those designed by anti-fraud experts. Therefore, they recommended that the final rules provide financial institutions and creditors with wide latitude to determine what factors they should consider and how they categorize them. 
These commenters urged the Agencies to refrain from providing a list of factors that financial institutions and creditors would have to consider because a finite list could limit their ability to adapt to new forms of identity theft. Some commenters suggested that the risk evaluation include an assessment of other factors such as the likelihood of harm, the cost and operational burden of using a particular Red Flag and the effectiveness of a particular Red Flag for that institution or creditor. Some commenters suggested that the factors refer to the likely risk of identity theft, while others suggested that the factors be modified to refer to the possible risk of identity theft to which each type of account offered by the financial institution or creditor is subject. Other commenters, including a trade association representing small financial institutions, asked the Agencies to provide guidelines on how to conduct a risk assessment. The final rules continue to address the identification of relevant Red Flags, but simply state that the first element of a Program must be reasonable policies and procedures to identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains. The final rules also state that a financial institution or creditor must incorporate these Red Flags into its Program. The final rules do not require policies and procedures for identifying which Red Flags are relevant to detecting a “possible risk” of identity theft. Moreover, as described below, a covered entity's obligation to update its Red Flags is now a separate element of the Program. 
The section of the proposed rules describing the various factors that a financial institution or creditor must consider to identify relevant Red Flags, and the sources from which a financial institution or creditor must derive its Red Flags, are now in section II of the guidelines titled “Identifying Relevant Red Flags.” The Agencies acknowledge that establishing a finite list of factors that a financial institution or creditor must consider when identifying relevant Red Flags for covered accounts could limit the ability of a financial institution or creditor to respond to new forms of identity theft. Therefore, section II of the guidelines contains a list of factors that a financial institution or creditor “should consider * * * as appropriate” in identifying relevant Red Flags. The Agencies also modified the list in order to provide more appropriate examples of factors for consideration by a financial institution or creditor determining which Red Flags may be relevant. These factors are:
• The types of covered accounts it offers or maintains;
• The methods it provides to open its covered accounts;
• The methods it provides to access its covered accounts; and
• Its previous experiences with identity theft.
Thus, for example, Red Flags relevant to deposit accounts may differ from those relevant to credit accounts, and those applicable to consumer accounts may differ from those applicable to business accounts. Red Flags appropriate for accounts that may be opened or accessed remotely may differ from those that require face-to-face contact. In addition, a financial institution or creditor should consider identifying as relevant those Red Flags that directly relate to its previous experiences with identity theft.
Section II of the guidelines also gives examples of sources from which financial institutions and creditors should derive relevant Red Flags, rather than requiring that the Program incorporate relevant Red Flags strictly from the four sources listed in the proposed rules. Section II states that a financial institution or creditor should incorporate into its Program relevant Red Flags from sources such as:
(1) Incidents of identity theft that the financial institution or creditor has experienced;
(2) methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3) applicable supervisory guidance.
The Agencies have deleted the reference to the Red Flags in Appendix J as a source. Instead, a separate provision in section II of the guidelines, titled “Categories of Red Flags,” states that the Program of a financial institution or creditor “should include” relevant Red Flags from five particular categories “as appropriate.” The Agencies have included these categories, which summarize the various types of Red Flags that were previously enumerated in Appendix J, in order to provide additional non-prescriptive guidance regarding the identification of relevant Red Flags. Section II of the guidelines also notes that “examples” of individual Red Flags from each of the five categories are appended as Supplement A to Appendix J. The examples in Supplement A are a list of Red Flags similar to those found in the proposed rules. The Agencies did not intend for these examples to be a comprehensive list of all types of identity theft that a financial institution or creditor may experience. When identifying Red Flags, financial institutions and creditors must consider the nature of their business and the type of identity theft to which they may be subject. For instance, creditors in the health care field may be at risk of medical identity theft (*i.e.*, identity theft for the purpose of obtaining medical services) and, therefore, must identify Red Flags that reflect this risk. The Agencies also have decided not to single out any specific Red Flags as mandatory for all financial institutions and creditors. Rather, the final rule continues to follow the risk-based, non-prescriptive approach regarding the identification of Red Flags that was set forth in the proposal. The Agencies recognize that the final rules and guidelines cover a wide variety of financial institutions and creditors that offer and maintain many different products and services, and require the flexibility to be able to adapt to rapidly changing risks of identity theft.
Sections _.90(d)(2)(ii) and (iii) Elements II and III of the Program: Detection of and Response to Red Flags
Proposed § _.90(d)(2) stated that the Program must include reasonable policies and procedures designed to prevent and mitigate identity theft in connection with the opening of an account or any existing account. This section then described the policies and procedures that the Program must include, some of which related solely to account openings while others related to existing accounts. Some financial institution commenters acknowledged that reference to prevention and mitigation of identity theft was generally a good objective, but they urged that the final rules refrain from prescribing how financial institutions must achieve it. Others noted that the CIP rules and the Information Security Standards already required many of the steps in the proposal. They recommended that the final rules recognize this and clarify that compliance with parallel requirements would be sufficient for compliance under these rules. Section _.90(d)(1) of the final rules requires financial institutions and creditors to develop and implement a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. Therefore, the Agencies concluded that it was not necessary to reiterate this requirement in § _.90(d)(2). The Agencies have deleted the prefatory language from proposed § _.90(d)(2) on prevention and mitigation in order to streamline the final rules. The various provisions addressing prevention and mitigation formerly in this section, namely, verification of identity, detection of Red Flags, assessment of the risk of Red Flags, and responses to the risk of identity theft, have been incorporated into the final rules as “Elements of the Program” and into the guidelines elaborating on these provisions.
Comments received regarding these provisions and the manner in which they have been integrated into the final rules and guidelines follows. Detecting Red Flags Proposed § _.90(d)(2)(i) stated that the Program must include reasonable policies and procedures to obtain identifying information about, and verify the identity of, a person opening an account. This provision was designed to address the risk of identity theft to a financial institution or creditor that occurs in connection with the opening of new accounts. The proposed rules stated that any financial institution or creditor would be able to satisfy the proposed requirement in § _.90(d)(2)(i) by using the policies and procedures for identity verification set forth in the CIP rules. The preamble to the proposed rules explained that although the CIP rules exclude a variety of entities from the definition of “customer” and exclude a number of products and relationships from the definition of “account,” 29 the Agencies were not proposing any exclusions from either of these terms given the risk-based nature of the regulations. 29 *See, e.g.* , 31 CFR 103.121(a). Most commenters supported this provision. Many of these commenters urged the Agencies to include in the final rules a clear statement acknowledging that financial institutions and creditors complying with the CIP rules would be deemed to be in compliance with this provision's requirements. Some of these commenters encouraged the Agencies to place the exemptions from the CIP rules in these final rules for consistency in implementing both regulatory mandates. Some commenters, however, believed the requirement to verify the identity of a person opening an account duplicated the requirements in the CIP rules and urged elimination of this redundancy. Other entities not already subject to the CIP rules stated that complying with those rules would be very costly and burdensome. 
These commenters asked that the Agencies provide them with additional guidance regarding the CIP rules. Consumer groups were concerned that use of the CIP rules would not adequately address identity theft. They stated that the CIP rules allow accounts to be opened before identity is verified, which is not the proper standard to prevent identity theft. As described below, the Agencies have moved verification of the identity of persons opening an account into section III of the guidelines where it is described as one of the policies and procedures that a financial institution or creditor should have to detect Red Flags in connection with the opening of a covered account. Proposed § _.90(d)(2)(ii) stated that the Program must include reasonable policies and procedures to detect the Red Flags identified pursuant to paragraph § _.90(d)(1). The Agencies did not receive any specific comments on this provision. In the final rules, the detection of Red Flags is the second element of the Program. The final rules provide that a Program must contain reasonable policies and procedures to detect the Red Flags that a financial institution or creditor has incorporated into its Program. Section III of the guidelines provides examples of various means to detect Red Flags. It states that the Program's policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts, such as by obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the CIP rules. Section III also states that the Program's policies and procedures should address the detection of Red Flags in connection with existing covered accounts, such as by authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts. 
Covered entities subject to the CIP rules, the Federal Financial Institution's Examination Council's guidance on authentication, 30 the Information Security Standards, and Bank Secrecy Act (BSA) rules 31 may already be engaged in detecting Red Flags. These entities may wish to integrate the policies and procedures already developed for purposes of complying with these issuances into their Programs. However, such policies and procedures may need to be supplemented. For example, the CIP rules were written to implement section 326 32 of the USA PATRIOT Act, 33 an Act directed toward facilitating the prevention, detection, and prosecution of international money laundering and the financing of terrorism. Certain types of “accounts,” “customers,” and products are exempted or treated specially in the CIP rules because they pose a lower risk of money laundering or terrorist financing. Such special treatment may not be appropriate to accomplish the broader objective of detecting, preventing, and mitigating identity theft. Accordingly, the Agencies expect all financial institutions and creditors to evaluate the adequacy of existing policies and procedures and to develop and implement risk-based policies and procedures that detect Red Flags in an effective and comprehensive manner. 30 “Authentication in an Internet Banking Environment” (October 12, 2005) available at *http://www.ffiec.gov/press/pr101205.htm.* 31 *See, e.g.* 12 CFR 21.21 (national banks); 12 CFR 208.63 (state member banks); 12 CFR 326.8 (state non-member banks); 12 CFR 563.177 (savings associations); and 12 CFR 748.2 (credit unions). 32 31 U.S.C. 5318(l). 33 Pub. L. 107-56. Responding to Red Flags Proposed § _.90(d)(2)(iii) stated that to prevent and mitigate identity theft, the Program must include policies and procedures to assess whether the Red Flags the financial institution or creditor detected pursuant to proposed § _.90(d)(2)(ii) evidence a risk of identity theft. It also stated that a financial institution or creditor must have a reasonable basis for concluding that a Red Flag (detected) does not evidence a risk of identity theft.
Financial institution commenters expressed concern that this standard would force an institution to justify to examiners why it did not take measures to respond to a particular Red Flag. Some consumer groups believed it was appropriate to require a financial institution or creditor to have a reasonable basis for concluding that a particular Red Flag detected does not evidence a risk of identity theft. Other consumer groups believed that this was too weak a standard and that mandating the detection of certain Red Flags would be more effective and preventive. Some commenters mistakenly read the proposed provision as requiring a financial institution or creditor to have a reasonable basis for excluding a Red Flag listed in Appendix J from its Program requiring the mandatory review and analysis of each and every Red Flag. These commenters urged the Agencies to delete this provision. Proposed § _.90(d)(2)(iv) stated that to prevent and mitigate identity theft, the Program must include policies and procedures that address the risk of identity theft to the customer, the financial institution, or creditor, commensurate with the degree of risk posed. The proposed regulations also provided an illustrative list of measures that a financial institution or creditor could take, including:
• Monitoring an account for evidence of identity theft;
• Contacting the customer;
• Changing any passwords, security codes, or other security devices that permit access to a customer's account;
• Reopening an account with a new account number;
• Not opening a new account;
• Closing an existing account;
• Notifying law enforcement and, for those that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;
• Implementing any requirements regarding limitations on credit extensions under 15 U.S.C. 1681c-1(h), such as declining to issue an additional credit card when the financial institution or creditor detects a fraud or active duty alert associated with the opening of an account, or an existing account; or
• Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, to correct or update inaccurate or incomplete information.
Some commenters agreed that financial institutions and creditors should be able to use their own judgment to determine which measures to take depending upon the degree of risk that is present. However, consumer groups believed that the final rules should require notification of consumers in every case where a Red Flag that requires a response has been detected. Other commenters objected to some of the examples given as measures that financial institutions and creditors could take to address the risk of identity theft. For example, one commenter objected to the inclusion, as an example, of the requirements regarding limitations on credit extensions under 15 U.S.C. 1681c-1(h). The commenter stated that this statutory provision is confusing, useless, and should not be referenced in the final rules. Other commenters suggested that the Agencies clarify that the inclusion of this statutory provision in the proposed rules as an example of how to address the risk of identity theft did not make this provision discretionary. The final rules merge the concepts previously in proposed § _.90(d)(2)(iii) and § _.90(d)(2)(iv) into the third element of the Program: reasonable policies and procedures to respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft.
In order to “respond appropriately,” it is implicit that a financial institution or creditor must assess whether the Red Flags detected evidence a risk of identity theft, and must have a reasonable basis for concluding that a Red Flag does not evidence a risk of identity theft. Therefore, the Agencies concluded that it is not necessary to specify any such separate assessment, and, accordingly, deleted the language from the proposal regarding assessing Red Flags and addressing the risk of identity theft. Most of the examples of measures for preventing and mitigating identity theft previously listed in proposed § _.90(d)(2)(iv) are now located in section IV of the guidelines, titled “Prevention and Mitigation of Identity Theft.” Section IV states that the Program's policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In addition, as described earlier, the final rules do not define Red Flags to include indicators of a “possible risk” of identity theft (including “precursors” to identity theft). Instead, section IV states that in determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, and provides examples of such factors. The Agencies also modified the examples of appropriate responses as follows. First, the Agencies added “not attempting to collect on a covered account or not selling a covered account to a debt collector” as a possible response to Red Flags detected. Second, the Agencies added “determining that no response is warranted under the particular circumstances” to make clear that an appropriate response may be no response, especially, for example, when a financial institution or creditor has a reasonable basis for concluding that the Red Flags detected do not evidence a risk of identity theft. 
In addition, the Agencies moved the proposed examples, that referenced responses mandated by statute, to section VII of the guidelines titled “Other Applicable Legal Requirements” to highlight that certain responses are legally required. The section of the proposal listing examples of measures to address the risk of identity theft included a footnote that discussed the relationship between a consumer's placement of a fraud or active duty alert on his or her consumer report and ECOA, 15 U.S.C. 1691, *et seq.* A few commenters objected to this footnote. Some commenters believed that creditors had a right to deny credit automatically whenever a fraud or active duty alert appears on the consumer report of an applicant. Other commenters believed that the footnote raised complex issues under the ECOA and FCRA that required more thorough consideration, and questioned the need and appropriateness of addressing ECOA in the context of this rulemaking. Under ECOA, it is unlawful for a creditor to discriminate against any applicant for credit because the applicant has in good faith exercised any right under the Consumer Credit Protection Act (CCPA), 15 U.S.C. 1691(a). A consumer who requests the inclusion of a fraud alert or active duty alert in his or her credit file is exercising a right under the FCRA, which is a part of the CCPA, 15 U.S.C. 1601, *et seq.* When a credit file contains a fraud or active duty alert, section 605A of the FCRA, 15 U.S.C. 1681c-1(h), requires a creditor to take certain steps before extending credit, increasing a credit limit, or issuing an additional card on an existing credit account. 
For an initial or active duty alert, these steps include utilizing reasonable policies and procedures to form a reasonable belief that the creditor knows the identity of the consumer and, where a consumer has specified a telephone number for identity verification purposes, contacting the consumer at that telephone number or taking reasonable steps to verify the consumer's identity and confirm that the application is not the result of identity theft, 15 U.S.C. 1681c-1(h)(1)(B).
The purpose of the footnote was to remind financial institutions and creditors of their legal responsibilities in circumstances where a consumer has placed a fraud or active duty alert on his or her consumer report. In particular, the Agencies have concerns that in some cases, creditors have adopted policies of automatically denying credit to consumers whenever an initial fraud alert or an active duty alert appears on an applicant's consumer report. The Agencies agree that this rulemaking is not the appropriate vehicle for addressing issues under ECOA. However, the Agencies will continue to evaluate compliance with ECOA through their routine examination or enforcement processes, including issues related to fraud and active duty alerts.
Section _.90(d)(2)(iv) Element IV of the Program: Updating the Program
To ensure that the Program of a financial institution or creditor remains effective over time, the final rules provide a fourth element of the Program: policies and procedures to ensure the Program (including the Red Flags determined to be relevant) is updated periodically to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
As described earlier, this element replaces the requirements formerly in proposed § _.90(c)(2) which stated that the Program must be designed to address changing identity theft risks as they arise, and proposed § _.90(d)(1)(i) which stated that the Red Flags included in a covered entity's Program must reflect changing identity theft risks to customers and to the financial institution or creditor as they arise. Unlike the proposed provisions, however, this element only requires “periodic” updating. The Agencies concluded that requiring financial institutions and creditors to immediately and continuously update their Programs would be overly burdensome.
Section V of the guidelines elaborates on the obligation to ensure that the Program is periodically updated. It reiterates the factors previously in proposed § _.90(c)(2) that should cause a financial institution or creditor to update its Program, such as its own experiences with identity theft, changes in methods of identity theft, changes in methods to detect, prevent and mitigate identity theft, changes in accounts that it offers or maintains, and changes in its business arrangements.
Section _.90(e) Administration of the Program
The final rules group the remaining provisions of the proposed rules under the heading “Administration of the Program,” albeit in a different order than proposed. This section of the final rules describes the steps that financial institutions and creditors must take to administer the Program, including: Obtaining approval of the initial written Program; ensuring oversight of the development, implementation and administration of the Program; training staff; and overseeing service provider arrangements. A number of commenters criticized each of the proposed provisions regarding administration of the Program, arguing they were not specifically required by section 114.
The Agencies believe the mandate in section 114 is broad, and provides the Agencies with an ample basis to issue rules and guidelines containing these provisions because they are critical to ensuring the effectiveness of a Program. Therefore, the Agencies have retained these elements in the final rules and guidelines with some modifications, as follows.
Sections _.90(e)(1) and (2) Involvement of the Board of Directors and Senior Management
Proposed § _.90(d)(5) highlighted the responsibility of the board of directors and senior management to develop, implement, and oversee the Program. Proposed § _.90(d)(5)(i) specifically required the board of directors or an appropriate committee of the board to approve the written Program. Proposed § _.90(d)(5)(ii) required that the board, an appropriate committee of the board, or senior management be charged with overseeing the development, implementation, and maintenance of the Program, including assigning specific responsibility for its implementation. The proposal also provided that persons charged with overseeing the Program must review reports prepared at least annually by staff regarding compliance by the financial institution or creditor with the regulations. Proposed § _.90(d)(5)(iii) stated that reports must discuss material matters related to the Program and evaluate issues such as: The effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of accounts and with respect to existing accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for changes in the Program.
Some commenters agreed that identity theft is an important issue, and the board, therefore, should be involved in the overall development, approval, and oversight of the Program. These commenters suggested that the final rules make clear that the board need not be responsible for the day-to-day operations of the Program. Most industry commenters opposed the proposed requirement that the board or board committee approve the Program and receive annual reports about compliance with the Program.
These commenters asserted that the statute does not mandate such requirements, and that compliance with these rules did not warrant more board attention than other regulations. They asserted that such requirements would impede the ability of a financial institution or creditor to keep up with the fast-paced changes and developments inherent with instances of fraud and identity theft. They stated that boards of directors should not be required to consider the minutiae of the fraud prevention efforts of a financial institution or creditor and suggested the task be delegated to senior management with expertise in this area. Some commenters suggested the final rules provide a covered entity with the discretion to assign oversight responsibilities in a manner consistent with the institution's own risk evaluation. One commenter suggested that the final rules permit the board of directors of a holding company to approve and oversee the Program for the entire organization. The commenter explained that this approach would eliminate the need for redundant actions by a multiplicity of boards, and help to insure uniformity of policy throughout large organizations. Some commenters stated that the preparation of reports for board review would be costly and burdensome. The SBA suggested that the FTC consider a one-page certification option for small low-risk entities to minimize the burden of reports. One commenter opined that it would be sufficient if the Agencies mandated that covered entities continuously review and evaluate the policies and procedures they adopted pursuant to the regulations and modify them as necessary. Consumer groups suggested that the final rules specifically require financial institutions and creditors to adjust their Programs to address deficiencies raised by their annual reports. 
Commenters generally took the position that reports to the board, a board committee, or senior management regarding compliance with the final rules should be prepared at most on a yearly basis, or when significant changes have occurred that alter the institution's risk. One commenter recommended a clarification that any reporting to the board of material information relating to the Program could be combined with reporting obligations required under the Information Security Standards.
Section _.90(e)(1) of the final rules continues to require approval of the written Program by the board of directors or an appropriate committee of the board. However, to ensure that this requirement does not hamper the ability of a financial institution or creditor to update its Program in a timely manner, the final rules provide that the board or an appropriate committee must approve only the initial written Program. Thereafter, at the discretion of the covered entity, the board, a committee, or senior management may update the Program.
Bank holding companies and their bank and non-bank subsidiaries will be governed by the principles articulated in connection with the banking agencies' Information Security Standards:
The Agencies agree that subsidiaries within a holding company can use the security program developed at the holding company level. However, if subsidiary institutions choose to use a security program developed at the holding company level, the board of directors or an appropriate committee at each subsidiary institution must conduct an independent review to ensure that the program is suitable and complies with the requirements prescribed by the subsidiary's primary regulator * * * .
66 FR 8620 (Feb. 1, 2001) (Preamble to final Information Security Standards.)
The Agencies recognize that boards of directors have many responsibilities and it generally is not feasible for a board to involve itself in the detailed oversight, development, implementation, and administration of the Program. Accordingly, § _.90(e)(2) of the final rules provides discretion to a financial institution or creditor to determine who will be responsible for these aspects of the Program. It states that a financial institution or creditor must involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation, and administration of the Program.
Section VI of the guidelines elaborates on this provision of the final rules. The guidelines note that such oversight should include assigning specific responsibility for the Program's implementation and reviewing reports prepared by staff on compliance by the financial institution or creditor with this section. As suggested by commenters, the guidelines also state that oversight should include approving material changes to the Program as necessary to address changing identity theft risks. Section VI also provides that reports should be prepared at least annually and describes the contents of a report as proposed in § _.90(d)(5)(iii)(B). These steps are modeled on sections of the Information Security Standards. 34 As noted previously, financial institutions and creditors subject to these Standards may combine elements required under the final rules and guidelines, including reports, with those required by the Standards, as they see fit.
34 A board approval requirement is also found in the BSA rules of the Federal banking agencies and the NCUA. *See* 12 CFR 21.21 (OCC); 12 CFR 208.63 (Board); 12 CFR 326.8 (FDIC); 12 CFR 563.177 (OTS); and 12 CFR 748.2 (NCUA). Thus, contrary to the assertion of some commenters, this rule is being treated in a manner similar to other rules.
Section _.90(e)(3) Staff Training
Proposed § _.90(d)(3) required each financial institution or creditor to train staff to implement its Program. Consumer groups believed that this provision should be more detailed and specifically require monitoring, oversight, and auditing of a covered entity's training efforts. By contrast, a number of industry commenters recommended that the Agencies withdraw this provision because they believed it was burdensome. Some of these commenters asserted that the Agencies had not taken into account the limited personnel and resources available to smaller institutions to provide training. Some financial institution commenters stated that it was not clear why staff training would be specifically required under the final rules, absent a specific statutory requirement. They maintained that financial institutions have sufficient incentives to ensure that appropriate staff is trained. Other commenters suggested that the Agencies clarify that this provision would only require training for relevant staff and would permit training on identity theft that is integrated into overall staff training on similar or overlapping matters such as fraud prevention.
One commenter objected to an example in the preamble to the proposed rules which stated that staff should be trained to detect “anomalous wire transfers in connection with a customer's deposit account.” The commenter stated that this example potentially exposed financial institutions to significant and unintended liability, predicting that customers and law enforcement would use the rules to support claims that financial institutions are responsible for authorizing transactions by fraudsters. The commenter asserted that financial institutions do not have systems that can detect these transactions because they fall outside the usual fraud filter parameters.
Section _.90(e)(3) of the final rules provides that a covered entity must train staff, as necessary, to effectively implement the Program.
There is no corresponding section of the guidelines. The Agencies continue to believe proper training will enable staff to address the risk of identity theft. However, this provision requires training of only relevant staff. In addition, staff that has already been trained, for example, as a part of the anti-fraud prevention efforts of the financial institution or creditor, do not need to be re-trained except “as necessary.” The Agencies recognize that some of the examples, such as detecting “anomalous wire transfers in connection with a customer's deposit account” may fall outside the usual fraud filter parameters. However, the Agencies expect that compliance with the final rules will improve the ability of financial institutions and creditors to detect, prevent, and mitigate identity theft.
Section _.90(e)(4) Oversight of Service Provider Arrangements
Proposed § _.90(d)(4) stated that, whenever a financial institution or creditor engaged a service provider to perform an activity on its behalf and the requirements of the Program applied to that activity, the financial institution or creditor would be required to take steps designed to ensure the activity is conducted in compliance with a Program that satisfies the regulations. The preamble to the proposed rules explained that this provision would allow a service provider serving multiple financial institutions and creditors to conduct activities on behalf of these entities in accordance with its own program to prevent identity theft, as long as the program meets the requirements of the regulations. The service provider would not need to apply the particular Program of each individual financial institution or creditor to whom it is providing services.
Several commenters asserted it would be costly and burdensome for financial institutions and creditors to ensure third party compliance with the final rules and therefore, this provision should be eliminated.
They urged that financial institutions and creditors be given maximum flexibility to manage service provider relationships. Some financial institution commenters also suggested that the Agencies withdraw this provision. They stated that the FACT Act does not address this issue and asserted that there already is no doubt that if a financial institution delegates any of its operations to a third party, the institution will remain responsible for related regulatory compliance. Other commenters stated that it should remain a contractual matter between the parties whether the service provider may implement a program that is different from its financial institution client. Consumer groups asked the Agencies to ensure that the decision of a financial institution or creditor to outsource would not lead to lower Red Flag standards. These commenters suggested the final rules state that the Program must also meet the requirements that would apply if the activity were performed without the use of a service provider. They also suggested the final rules clarify that, in addition to any responsibility on the service provider imposed by law, regulation, or contract, the financial institution or creditor would be responsible for a failure to comply with the Program. Most commenters, however, agreed with the proposal and stated that a service provider must have the flexibility to meet the objectives of the rules without having to tailor its services to the Program requirements of each company for which it provides service. These commenters noted that this proposed approach was the same as that used in the Information Security Standards. The Agencies believe it is important to retain a provision in the final rules addressing service providers to remind financial institutions and creditors that they continue to remain responsible for compliance with the final rules, even if they outsource operations to a third party. 
However, the Agencies have simplified the service provider provision in the final rules and moved the remaining parts of proposed § _.90(d)(4) to the guidelines. Section _.90(e)(4) of the final rules provides that a covered entity must exercise appropriate and effective oversight of service provider arrangements, without further elaboration. This provision provides maximum flexibility to financial institutions and creditors in managing their service provider arrangements, while making clear that a covered entity cannot escape its obligations to comply with the final rules and to include in its Program those guidelines that are appropriate by simply outsourcing an activity. Section VI(c) of the guidelines provides that, whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts, the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Thus, the guidelines make clear that a service provider that provides services to multiple financial institutions and creditors may do so in accordance with its own program to prevent identity theft, as long as the program meets the requirements of the regulations. The guidelines also provide an example of how a covered entity may comply with this provision. The guidelines state that a financial institution or creditor could require the service provider, by contract, to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities and either report the Red Flags to the financial institution or creditor or take appropriate steps to prevent or mitigate identity theft. 
Section _.90(f) Consideration of Guidelines in Appendix J
The Agencies have added a provision to the final rules that explains the relationship of the rules to the guidelines. Section _.90(f) states that each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J and include in its Program those guidelines that are appropriate. Each of the guidelines corresponds to a provision of the final rules. As mentioned earlier, the guidelines were issued to assist financial institutions and creditors in the development and implementation of a Program that satisfies the requirements of the final rules. The guidelines provide policies and procedures that financial institutions and creditors should use, where appropriate, to satisfy the regulatory requirements of the final rules. While an institution or a creditor may determine that a particular guideline is not appropriate for its circumstances, it nonetheless must ensure its Program contains reasonable policies and procedures to fulfill the requirements of the final rules. This approach provides financial institutions and creditors with the flexibility to determine “how best to develop and implement the required policies and procedures.” 35
35 *See* H.R. Rep. No. 108-263 at 43 (Sept. 4, 2003) (accompanying H.R. 2622); S. Rep. No. 108-166 at 13 (Oct. 17, 2003) (accompanying S. 1753).
Supplement A to Appendix J: Examples of Red Flags
Section 114 of the FACT Act states that, in developing the guidelines, the Agencies must identify patterns, practices, and specific forms of activity, that indicate the possible existence of identity theft. The Agencies proposed implementing this provision by requiring the Program of a financial institution or creditor to include policies and procedures for the identification and detection of Red Flags in connection with an account opening or an existing account, including from among those listed in Appendix J.
The Agencies compiled the Red Flags enumerated in Appendix J from a variety of sources, such as literature on the topic, information from credit bureaus, financial institutions, creditors, designers of fraud detection software, and the Agencies' own experiences. The preamble to the proposed rules stated that some of the Red Flags, by themselves, may be reliable indicators of identity theft, while others are more reliable when detected in combination with other Red Flags. The preamble to the proposed rules explained that the Agencies recognized that a wide range of financial institutions and creditors, and a broad variety of accounts would be covered by the regulations. Therefore, the Agencies proposed to afford each financial institution and creditor flexibility to determine which Red Flags were relevant for their purposes to detect identity theft, including from among those listed in Appendix J. As mentioned previously, consumer groups criticized the discretion in the proposal that permitted financial institutions and creditors to choose Red Flags relevant to detecting the risk of identity theft based upon the list of enumerated factors. These groups urged the Agencies to make certain Red Flags in Appendix J mandatory. In addition, consumer groups suggested a number of additional Red Flags for inclusion in Appendix J. Some commenters agreed that the list of examples of Red Flags was appropriate because, in their view, it was designed to be flexible. Some industry commenters, including a number of small financial institutions, stated that the Red Flags set forth in Appendix J would assist them in developing and improving their identity theft prevention programs. Other commenters suggested deleting the list of Red Flags or modifying the list in a manner appropriate to the nature of their own operations. 
The Agencies have retained the list of examples of Red Flags because section 114 states that the Agencies “shall identify patterns, practices, and specific forms of activity that indicate the possible existence of identity theft.” The Agencies also retained the list because some commenters indicated that having examples of Red Flags would be helpful to them. However, the examples of Red Flags are now set forth in a separate supplement to the guidelines. The list of examples is similar to that which the Agencies proposed, however, the Red Flags that the Agencies identified as precursors to identity theft have been deleted and are now addressed in section IV of the guidelines. Moreover, in response to a Congressional commenter, the Agencies added, as an example of a Red Flag, an application that gives the appearance of having been destroyed and reassembled.
The introductory language to the supplement clarifies that the enumerated Red Flags are examples. Thus, a financial institution or creditor may tailor the Red Flags it chooses for its Program to its own operations. A financial institution or creditor will not need to justify to an Agency its failure to include in the Program a specific Red Flag from the list of examples. However, a covered entity will have to account for the overall effectiveness of a Program that is appropriate to its size and complexity and the nature and scope of its activities.
Inactive Accounts
Section 114 also directs the Agencies to consider whether to include reasonable guidelines for notifying the consumer when a transaction occurs in connection with a consumer's credit or deposit account that has been inactive for two years, in order to reduce the likelihood of identity theft. The preamble to the proposed rules noted that the Agencies believed that the two-year limit was not always an accurate indicator of identity theft given the wide variety of credit and deposit accounts that would be covered by the provision.
Therefore, in place of guidelines on inactive accounts, the Agencies proposed incorporating a Red Flag on inactive accounts into Appendix J that was flexible and was designed to take into consideration the type of account, the expected pattern of usage of the account, and any other relevant factors.
Some consumer groups suggested that a new section be added to the guidelines requiring notice to the consumer when a transaction occurs in connection with a consumer's credit or deposit account that has been inactive for two years unless this pattern would be expected for a particular type of account. Other commenters agreed with the Agencies' proposal to simply make activity on an inactive account a Red Flag. They also agreed that the Agencies should not use two years of inactivity as a hard and fast rule, and allow financial institutions and creditors to use their own standards to determine when an account is inactive.
In the final rules, the Agencies continue to list activity on an inactive account as a Red Flag. Given the variety of covered accounts to which the final rules and guidelines will apply, the Agencies concluded that the two-year period suggested in section 114 would not necessarily be a useful indicator of identity theft. Therefore, the Agencies have not included a provision in the guidelines regarding notification when a transaction occurs in connection with a consumer's credit or deposit account that has been inactive for two years.
B. Special Rules for Card Issuers
1. Background
Section 114 also requires the Agencies to prescribe joint regulations generally requiring credit and debit card issuers to assess the validity of change of address notifications.
In particular, these regulations must ensure that if the card issuer receives a notice of change of address for an existing account and, within a short period of time (during at least the first 30 days), receives a request for an additional or replacement card for the same account, the issuer must follow reasonable policies and procedures to assess the validity of the change of address through one of three methods. The card issuer may not issue the card unless it:
(1) Notifies the cardholder of the request at the cardholder's former address and provides the cardholder with a means to promptly report an incorrect address;
(2) notifies the cardholder of the address change request by another means of communication previously agreed to by the issuer and the cardholder; or
(3) uses other means of evaluating the validity of the address change in accordance with the reasonable policies and procedures established by the card issuer to comply with the joint regulations described earlier regarding identity theft.
For this reason, the Agencies also proposed special rules that required credit and debit card issuers to assess the validity of change of address notifications by notifying the cardholder or through certain other means. The proposed regulations stated that a financial institution or creditor that is a card issuer may incorporate the requirements of § _.91 into its Program. As described in the section-by-section analysis that follows, commenters generally requested changes that would make the proposed rules more flexible. 2. Section-by-Section Analysis Section _.91(a) Scope The proposed rules stated that this section applies to a person, described in proposed § _.90(a), that issues a debit or credit card. The Agencies did not receive any comments on this section. In the final rules, for clarity, the Agencies deleted the cross-reference to § _.90(a). Each Agency also revised its scope paragraph to list the entities over which it has jurisdiction that are subject to § _.91. Under the final rules, section _.91 applies to any debit or credit card issuer (card issuer) that is subject to an Agency's jurisdiction. Section _.91(b) Definitions The proposed rules included two definitions solely applicable to the special rules for card issuers: “cardholder” and “clear and conspicuous.” Section _.91(b) of the final rules also contains these definitions as follows. Section _.91(b)(1) Cardholder Under section 114, the Agencies must prescribe regulations requiring a card issuer to follow reasonable policies and procedures to assess the validity of a change of address, before issuing an additional or replacement card.
Section 114 provides that a card issuer may satisfy this requirement by notifying “the cardholder.” The term “cardholder” is not defined in the FACT Act. The preamble to the proposed rules explained that the legislative record relating to this provision indicates that “issuers of credit cards and debit cards who receive a *consumer* request for an additional or replacement card for an existing account” may assess the validity of the request by notifying “the cardholder.” 36 As the preamble noted, the request, presumably, will be valid if the consumer making the request and the cardholder are one and the same “consumer.” Therefore, the proposal defined “cardholder” as a consumer who has been issued a credit or debit card. The preamble to the proposed rules also explained that, because “consumer” is defined in the FCRA as an “individual,” 37 the proposed regulations applied to any request for an additional or replacement card by an individual, including a card for a business purpose, such as a corporate card. 36 *See* 149 Cong. Rec. E2513 (daily ed. December 8, 2003) (statement of Rep. Oxley) (emphasis added). 37 15 U.S.C. 1681a(c). Some commenters asked the Agencies to clarify that this definition does not apply to holders of stored value cards, such as payroll and gift cards, or to cards used to access a home equity line of credit. Another commenter urged that the final rules exclude credit and debit cards for a business purpose. The final rules continue to define “cardholder” as a consumer who has been issued a credit or debit card. Both “credit card” and “debit card” are defined in section 603(r) of the FCRA. 38 The definition of “credit card” is defined by cross-reference to section 103 of the Truth in Lending Act, 15 U.S.C. 
1601, *et seq.* 39 The definition of “debit card” is any card issued by a financial institution to a consumer for use in initiating an electronic fund transfer from the account of the consumer at such financial institution for the purposes of transferring money between accounts or obtaining money, property, labor, or services. 40 38 15 U.S.C. 1681a. 39 *See* 15 U.S.C. 1681a(r)(2). 40 15 U.S.C. 1681a(r)(3). Section 603(r) of the FCRA provides that “account” and “electronic fund transfer” have the same meaning as those terms have in the Electronic Funds Transfer Act (EFTA), 15 U.S.C. 1693, *et seq.* The EFTA, and Regulation E, 12 CFR part 205, govern electronic fund transfers. In contrast to section 603(r) of the FCRA, neither the EFTA nor Regulation E defines the term “debit card.” Instead, coverage under the EFTA and Regulation E depends upon whether electronic fund transfers can be made to or from an “account,” meaning a checking, savings, or other consumer asset account established primarily for personal, family or household purposes. The Board recently issued a final rule expanding the definition of “account” under Regulation E to cover payroll card accounts. 41 Therefore, a holder of a payroll card is a “cardholder” for purposes of § _.91(b)(1), provided that the card issuer is a “financial institution” as defined in section 603(t) of the FCRA. 41 *See* 71 FR 51,437 (August 10, 2006). The Board decided not to cover other types of prepaid cards as accounts under Regulation E at the time it issued the payroll card rule. Therefore, the definition of “cardholder” does not include the holder of a gift card or other prepaid card product, unless and until the Board elects to cover such cards as accounts under Regulation E. The definition of “cardholder” would also include a recipient of a home equity loan if the holder is able to access the proceeds of the loan with a credit or debit card within the meaning of 15 U.S.C. 1681a(r). 
Identity theft may occur in connection with a card that a consumer uses for a business purpose and may affect the consumer's personal credit standing. Additionally, the definition of “consumer” under the FCRA is simply an “individual.” 42 For this reason, the Agencies continue to believe that the protections of this provision must extend to consumers who hold a card for a personal, household, family or business purpose. 42 15 U.S.C. 1681a(c). Section _.91(b)(2) Clear and conspicuous The second proposed definition was for the phrase “clear and conspicuous.” Proposed § _.91 included a provision that required any written or electronic notice provided by a card issuer to the consumer pursuant to the regulations to be given in a “clear and conspicuous manner.” The proposed regulations defined “clear and conspicuous” based on the definition of this phrase found in the Agencies' privacy rules. The Agencies received no comments on the phrase “clear and conspicuous,” and have adopted the definition as proposed in § _.91(b)(2). Sections _.91(c) and
(d) Address Validation Proposed § _.91(c) simply restated the statutory requirements described above with some minor stylistic changes. A number of commenters noted that the requirements of this section would be difficult and expensive to implement. They stated that millions of address changes are processed every year, though very few turn out to be fraudulent. By contrast, consumer groups suggested that the final regulations should require the card issuer to notify the consumer of a request for an address change followed by the request for an additional or replacement card, unless there are special circumstances that prevent doing so in a timely manner. Many commenters recommended that the final rules provide credit and debit card issuers with greater flexibility to verify address changes. For example, they stated it is not clear that an address change linked with a request for an additional card is a significant indicator of identity theft. Therefore, they recommended the rules
(1) specifically permit card issuers to satisfy the requirements of this section by verifying the address at the time the address change notification is received, whether or not the notification is linked to a request for an additional or replacement card; or
(2) verify the address whenever a request for an additional or replacement card is made, whether or not the card issuer receives notification of an address change.
One commenter suggested that the rules should only apply to card issuers that receive direct notification of an address change rather than an address change notification from the U.S. Postal Service. The commenter asserted that there is a higher risk of fraud with a direct request for a change of address. Consumer groups also recommended that the Agencies set a period longer than the 30-day minimum for card issuers to be on alert after an address change request. These commenters recommended that, because of billing cycles and the time it takes to issue a new card, an issuer should be required to assess the validity of an address change if it receives a request for an additional or replacement card within at least 90 days after the request for the address change. Some commenters asked the Agencies to clarify what “other means” would be acceptable in assessing the validity of a change in address. One commenter stated that it is not cost effective to contact the customer, therefore, most card issuers would use “other means” of assessing the validity of the change of address in accordance with the policies and procedures the card issuer establishes pursuant to § _.90. Commenters also asked the Agencies to clarify that the obligation to assess the validity of a request for an address change is not triggered unless the card issuer actually changes the cardholder's address. Some commenters asked the Agencies to clarify whether electronic notices would be acceptable if the cardholder had previously contracted for electronic communications. Consumer groups recommended electronic notification be permitted only when the consumer consents in accordance with the E-Sign Act. The Agencies note that the statutory provision being implemented here is quite specific.
Congress mandated that the requirements set forth in section 615(e)(1)(C) of the FCRA apply to notifications of changes of address, which would necessarily include both those received directly from consumers and those received from the Postal Service. Congress also statutorily provided various methods to card issuers for assessing the validity of a change of address. 43 Accordingly, the final rules reflect these methods. 43 *See* S. Rep. No. 108-166 at 14 (October 17, 2003)(accompanying S. 1753)(stating that a card issuer may rely on authentication procedures that do not involve a separate communication with the cardholder so long as the issuer has reasonably assessed the validity of the address change.) Under § _.91(c) of the final rules, a card issuer that receives an address change notification and, within at least 30 days, a request for an additional or replacement card, may not issue an additional or replacement card *until* it has notified the cardholder or has otherwise assessed the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § _.90. The Agencies have concluded that card issuers should be granted additional flexibility. Therefore, § _.91(d) clarifies that a card issuer may satisfy the requirements of § _.91(c) by validating an address, according to the methods set forth in § _.91(c)(1) or (2), when it receives an address change notification, before it receives a request for an additional or replacement card. The rules do not require a card issuer that issues an additional or replacement card to validate an address whenever it receives a request for such a card, because section 114 only requires the validation of an address when the card issuer also has received a notification of a change of address. 
The Agencies also revised § _.91 to clarify that a card issuer must provide to the cardholder a “reasonable” means of promptly reporting incorrect address changes whenever the card issuer notifies the cardholder of the request for an additional or replacement card. 44 44 *See* S. Rep. No. 108-166 at 14 (October 17, 2003) (accompanying S. 1753) (stating that a means of reporting an incorrect change could be through the mail, by telephone, or electronically.) The Agencies declined to adopt the recommendation that an issuer assess the validity of an address change if it receives a request for an additional or replacement card within “at least 90 days” after an address change notification, as “at least 30 days” may be a reasonable period of time in some cases. However, a card issuer that does not validate an address when it receives an address change notification may find it prudent to validate the address before issuing an additional or replacement card, even when it receives a request for such a card more than 30 days after the notification of address change. In sum, the Agencies expect card issuers to exercise diligence commensurate with their own experiences with identity theft. The Agencies also confirm that a card issuer is not obligated to assess the validity of a notification of an address change after receiving a request for an additional or replacement card if it previously determined not to change the cardholder's address because the address change request was fraudulent. 45 45 This position is consistent with the legislative history of this section. *See* S. Rep. No. 108-166 at 14 (Oct. 17, 2003) (accompanying S. 1753) (stating that it would not be necessary for the card issuer to take these steps “if, despite receiving a request for an address change, the issuer did not actually change the cardholder's address for any reason ( *e.g.* , the card issuer had previously determined that the request for an address change was invalid)”). 
Section _.91(e) Form of Notice In the preamble to the proposed rules, the Agencies noted that Congress had singled out this scenario involving card issuers and placed it in section 114 because it is perceived to be a possible indicator of identity theft. To highlight the important and urgent nature of notice that a consumer receives from a card issuer pursuant to § _.91(c), the Agencies also proposed requiring that any written or electronic notice that a card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder. The preamble to the proposed rules stated that a card issuer could also provide notice orally, in accordance with the policies and procedures the card issuer has established. A few commenters recommended that this proposed requirement apply only if the issuer notifies the cardholder of the change of address request at the cardholder's former address. These commenters stated that, otherwise, the provision would prohibit other types of notices, such as those in periodic statements. Another commenter stated that this provision was not necessary because card issuers would send such notices separately in any event. The Agencies are not convinced that such a notice would be provided separately from a card issuer's regular correspondence with the cardholder unless required. Moreover, the Agencies do not agree that this requirement should apply only if a card issuer chooses to notify the cardholder of the change of address request at the cardholder's former address in accordance with § _.91(c)(1). Even where the card issuer and cardholder agree to some other means for notice, this alternative means does not change the important nature of the notice. 
Therefore, § _.91(e) of the final rules provides that any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous, and provided separately from its regular correspondence with the cardholder. III. Section 315 of the FACT Act A. Background Section 315 of the FACT Act amends section 605 of the FCRA, 15 U.S.C. 1681c, by adding a new subsection (h). Section 605(h)(1) requires that, when providing a consumer report to a person that requests the report (the user), a nationwide consumer reporting agency, as defined in section 603(p) of the FCRA,
(CRA) must provide a notice of the existence of a discrepancy if the address provided by the user in its request “substantially differs” from the address the CRA has in the consumer's file. Section 605(h)(2) requires the Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures a user of a consumer report should employ when the user receives a notice of address discrepancy. These regulations must describe reasonable policies and procedures for a user of a consumer report to employ to
(i) enable it to form a reasonable belief that the user knows the identity of the person for whom it has obtained a consumer report, and
(ii) reconcile the address of the consumer with the CRA, if the user establishes a continuing relationship with the consumer and regularly and in the ordinary course of business furnishes information to the CRA.
B. Section-by-Section Analysis Section _.82(a) Scope Proposed § _.82(a) noted that the scope of section 315 differs from the scope of section 114 and explained that section 315 applies to “users of consumer reports” and “persons requesting consumer reports” (hereinafter referred to as “users”), as opposed to financial institutions and creditors. Therefore, section 315 does not apply to a financial institution or creditor that does not use consumer reports. The Agencies did not receive any comments on this section and have adopted it as proposed in the final rules. Section _.82(b) Definition Proposed § _.82(b) defined “notice of address discrepancy” as “a notice sent to a user of a consumer report by a CRA pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer provided by the user in requesting the consumer report and the address or addresses the CRA has in the consumer's file.” 46 46 All other terms used in this section have the same meanings as set forth in the FCRA (15 U.S.C. 1681a). In the preamble to the proposed rules, the Agencies noted that section 605(h)(1) requiring CRAs to provide notices of address discrepancy became effective on December 1, 2004. To the extent CRAs each have developed their own standards for delivery of notices of address discrepancy, the proposal noted that it is important for users to be able to recognize and receive notices of address discrepancy, especially if they are being delivered electronically by CRAs. For example, CRAs may provide consumer reports with some type of a code to indicate an address discrepancy. Users must be prepared to recognize the code as an indication of an address discrepancy.
While some commenters agreed with the proposed definition, a number of commenters suggested that the Agencies clarify that only a “substantial” discrepancy would trigger the requirements in this provision and that obvious errors would not. Some commenters also suggested that the Agencies provide examples of what constitutes a “substantial difference.” One commenter stated that users should be able to determine when there is a substantial difference. As noted earlier, section 605(h)(1) requires a CRA to send a notice of address discrepancy when it determines that the address provided to the CRA by a user “substantially differs” from the address the CRA has in the consumer's file. The phrase “substantially differs” is not defined in the statute. Instead, the statute allows each CRA to construe this phrase as it chooses and, accordingly, to set the standard it will use to determine when it will send a notice of address discrepancy. As required by section 605(h)(2), this rulemaking focuses on the obligations of users that receive a notice of address discrepancy from a CRA. The statute does not indicate that the Agencies are to define the phrase “substantially differs” for CRAs or to permit users to define that phrase themselves. Therefore, the final rules adopt the proposed definition of “notice of address discrepancy” without change. Section _.82(c) Requirement to form a reasonable belief Proposed § _.82(c) implemented the requirement in section 605(h)(2)(B)(i) that the Agencies prescribe regulations describing reasonable policies and procedures to enable the user to form a reasonable belief that the user knows “the identity of the person to whom the consumer report pertains” when the user receives a notice of address discrepancy. Proposed § _.82(c) stated that a user must develop and implement reasonable policies and procedures for “verifying the identity of the consumer for whom it has obtained a consumer report” whenever it receives a notice of address discrepancy. 
The proposal stated further that these policies and procedures must be designed to enable the user to form a reasonable belief that it knows the identity of the consumer for whom it has obtained a consumer report, or determine that it cannot do so. A number of commenters stated that the statutory requirement that a user form a reasonable belief that it knows the identity of the consumer for whom it obtained a consumer report should only apply in situations where the user establishes a continuing relationship with the consumer. A consumer group suggested that the language in the proposed regulation permitting a user to determine that it cannot form a reasonable belief of the identity of the consumer should be deleted because the statute specifically requires a reasonable belief to be formed. This commenter stated that the purpose of the statute was to reduce the number of new accounts opened using false addresses, and that permitting a user to satisfy its obligations under the regulations by simply determining it cannot form a reasonable belief would allow the user to open an account, effectively rendering the statute meaningless. The purpose of section 315 is to enhance the accuracy of consumer information, specifically to ensure that the user has obtained the correct consumer report for the consumer about whom it has requested such a report. To implement this concept more clearly, § _.82(c) of the final rules provides that a user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report when the user receives a notice of address discrepancy. 47 47 The Agencies acknowledge that an address discrepancy also may be an indicator of identity theft. To address this problem, the Agencies included address discrepancies as an example of a Red Flag in connection with the Identity Theft Red Flag regulations. 
The Agencies do not agree with commenters who suggested that the proposed provision should apply only in connection with the establishment of a continuing relationship with a consumer, in other words, when a user is opening a new account. The statutory requirement in section 605(h)(2)(B)(i) that a user form a reasonable belief that it knows the identity of the consumer for whom it obtained a consumer report applies whether or not the user subsequently establishes a continuing relationship with the consumer. This is in contrast to the additional statutory requirement in section 605(h)(2)(B)(ii) that a user reconcile the address of the consumer with the CRA, only when the user establishes a continuing relationship with the consumer. In addition, a user may receive a notice of address discrepancy with a consumer report, both in connection with the opening of an account and in other circumstances when the user already has a relationship with the consumer, such as when the consumer applies for an increased credit line. The Agencies believe it is important for a user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report in both of these cases. Accordingly, the final rules do not limit this provision solely to the establishment of new accounts. Proposed § _.82(c) also provided that if a user employs the policies and procedures regarding identification and verification set forth in the CIP rules, 48 it would satisfy the requirement to have policies and procedures to verify the identity of the consumer. This provision took into consideration the fact that many users already may be subject to the CIP rules, and have in place procedures to comply with those rules, at least with respect to the opening of accounts. Thus, a user could rely upon its existing CIP policies and procedures to satisfy this requirement, so long as it applied them in all situations where it receives a notice of address discrepancy. 
The proposal also stated that any user, such as a landlord or employer, may adopt the CIP rules and apply them in all situations where it receives a notice of address discrepancy to meet this requirement, even if it is not subject to a CIP rule. 48 See, *e.g.* , 31 CFR 103.121(b)(2)(i) and (ii). The Agencies requested comment on whether the CIP procedures would be sufficient to enable a user that receives a notice of address discrepancy with a consumer report to form a reasonable belief that it knows the identity of the consumer for whom it obtained the report, both in connection with the opening of an account, as well as in other circumstances where a user obtains a consumer report, such as when a user requests a consumer report to determine whether to increase the consumer's credit line, or in the case of a landlord or employer, to determine a consumer's eligibility to rent housing or for employment. Many commenters supported the use of CIP to satisfy this requirement. Some commenters, however, asked the Agencies to clarify that once a consumer's identity was verified using CIP, it would not be necessary to re-verify that consumer's identity under this provision. Some commenters found the proposal's preamble language confusing. These commenters did not understand why a user would need to use its CIP policies in every situation where a notice of address discrepancy was received in order to comply with this requirement; they felt that it might be possible to form a reasonable belief without using CIP in some circumstances. Other commenters noted that the CIP rules, which were issued for different purposes, are not the appropriate standard for investigating a consumer's identity after a notice of address discrepancy because those rules permit verification of an address to occur after an account is opened and do not require contacting the consumer. 
One commenter stated that it was not clear whether a user relying on the CIP rules to satisfy the obligations under the regulation must comply with some or all of the requirements in the CIP rules, including those that require policies and procedures to address circumstances when a user cannot form a reasonable belief it knows the identity of the consumer. The Agencies believe that comparing information provided by a CRA to information the user obtains and uses (or has obtained and used) to verify a consumer's identity pursuant to the requirements set forth in the CIP rules is an appropriate way to satisfy this obligation, particularly in connection with the opening of a new account. However, when a user receives a notice of address discrepancy in connection with an existing account, after already having identified and verified the consumer in accordance with the CIP rules, the Agencies would not expect a user to employ the CIP procedures again. To address this issue and provide users with flexibility, § _.82(c) of the final rule provides examples of reasonable policies and procedures that a user may employ to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report. These examples include comparing information provided by the CRA with information the user:
(1) Obtains and uses to verify the consumer's identity in accordance with the requirements of the CIP rules;
(2) maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
(3) obtains from third-party sources.
Another example is to verify the information in the consumer report provided by the CRA with the consumer. If a user cannot establish a reasonable belief that the consumer report relates to the consumer about whom it has requested the report, the Agencies expect the user will not use that report. While section 605(h)(2)(B)(i) is silent on this point, other laws may be applicable in such a situation. For example, in the case of account openings, a user that is subject to the CIP rules generally will need to document how it has resolved the discrepancy between the address provided by the consumer and the address in the consumer report. 49 If the user cannot establish a reasonable belief that it knows the true identity of the consumer, it will need to implement the policies and procedures for addressing these circumstances as required by the CIP rules, which may involve not opening an account or closing an account. 50 If a user is a “financial institution” or “creditor” as defined by the FCRA, a notice of address discrepancy may be a Red Flag and require an appropriate response to prevent and mitigate identity theft under the user's Identity Theft Prevention Program. 49 *See* , *e.g.* , 31 CFR 103.121(b)(3)(i)(D). 50 *See* , *e.g.* , 31 CFR 103.121(b)(2)(iii). Section _.82(d)(1) Requirement To Furnish Consumer's Address to a Consumer Reporting Agency Proposed § _.82(d)(1) provided that a user must develop and implement reasonable policies and procedures for furnishing to the CRA from whom it received the notice of address discrepancy an address for the consumer that the user has reasonably confirmed is accurate when the following three conditions are satisfied. The first condition, in proposed § _.82(d)(1)(i), was that the user must be able to form a reasonable belief that it knows the identity of the consumer for whom the consumer report was obtained.
This condition would have ensured the user would furnish a new address for the consumer to the CRA only after the user had formed a reasonable belief that it knew the identity of the consumer, using the policies and procedures set forth in paragraph § _.82(c). The second condition, in proposed § _.82(d)(1)(ii), was that the user furnish the address to the CRA if it establishes or maintains a continuing relationship with the consumer. Section 315 specifically requires that the user furnish the consumer's address to the CRA if the user *establishes* a continuing relationship with the consumer. Therefore, proposed § _.82(d)(1)(ii) reiterated this requirement. However, because a user also may obtain a notice of address discrepancy in connection with a consumer with whom it already has an existing relationship, the proposal also provided that the user must furnish the consumer's address to the CRA from whom the user has received a notice of address discrepancy when the user maintains a continuing relationship with the consumer. Finally, the third condition, in proposed § _.82(d)(1)(iii), provided that if the user regularly and in the ordinary course of business furnishes information to the CRA from which a notice of address discrepancy pertaining to the consumer was obtained, the consumer's address must be communicated to the CRA as part of the information the user regularly provides. A majority of commenters recommended that the requirement to furnish a confirmed address should not apply to existing accounts. These commenters maintained that such a requirement would exceed the scope of the statute. They also noted that users often do not obtain full consumer reports for existing customers—just credit scores. These commenters noted that limited reports often do not contain an address for a customer. Some commenters also felt existing relationships should be excluded because users already would have verified a consumer's address at the time of account opening. 
The Agencies have modified this section as follows. The final rules continue to provide that a user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the CRA when three conditions are present. The first condition, in § _.82(d)(1)(i), has been revised to be consistent with the earlier changes in section § _.82(c) that focus more narrowly on accuracy and require that a user form a reasonable belief that a consumer report relates to the consumer about whom it requested the report. The second condition, in § _.82(d)(1)(ii), now applies only to new accounts and states that a confirmed address must be furnished if the user “establishes” a continuing relationship with the consumer. The reference to “or maintains” a continuing relationship has been deleted. The Agencies agree with commenters that section 605(h)(2)(B)(ii) does not require the reporting of a confirmed address to a CRA in connection with existing relationships. The Agencies have concluded that users are more likely than a CRA to have an accurate address for an existing customer and, therefore, should not be required by these rules to take additional steps to confirm the accuracy of the customer's address. Users already have an ongoing duty to correct and update information for their existing customers under section 623 of the FCRA, 15 U.S.C. 1681s-2. Accordingly, under the final rules, the obligation to furnish a confirmed address for the consumer to the CRA is applicable only to new relationships. The third condition, in § _.82(d)(1)(iii), has been adopted in the final rule without substantive change. 
Section _.82(d)(2) Requirement To Confirm Consumer's Address In the preamble to the proposal, the Agencies noted that section 315 requires them to prescribe regulations describing reasonable policies and procedures for a user “to reconcile the address of the consumer” about whom it has obtained a notice of address discrepancy with the CRA “by furnishing *such* address” to the CRA. (Emphasis added.) The Agencies noted that, even when the user is able to form a reasonable belief that it knows the identity of the consumer, there may be many reasons the initial address furnished by the consumer is incorrect. For example, a consumer may have provided the address of a secondary residence or inadvertently reversed a street number. To ensure that the address furnished to the CRA is accurate, the Agencies proposed to interpret the phrase, “such address,” as an address the user has reasonably confirmed is accurate. This interpretation would have required a user to take steps to “reconcile” the address it initially received from the consumer when it receives a notice of address discrepancy, rather than simply furnishing the initial address it received from the consumer to the CRA. Proposed § _.82(d)(2) contained the following list of illustrative measures that a user may employ to reasonably confirm the accuracy of the consumer's address: • Verifying the address with the person to whom the consumer report pertains; • Reviewing its own records of the address provided to request the consumer report; • Verifying the address through third-party sources; or • Using other reasonable means. The Agencies solicited comment on whether these examples were necessary, or whether different or additional examples should be listed. A number of commenters stated that requiring a user to confirm the address furnished exceeded the scope of the statute. 
They asserted that the benefit of improvements in the accuracy of addresses and the prevention of identity theft would not outweigh the additional burden of this requirement. A few commenters noted that complying with the CIP rules should be sufficient to verify the address. Commenters also felt that users should have the flexibility to establish their own validation processes based on risk. As stated earlier, the Agencies believe the purpose of the statute is to enhance the accuracy of information relating to consumers by requiring the user to furnish an address that the user has reasonably confirmed is accurate. 51 Simply providing the CRA with the initial address supplied to the user by the consumer, and which caused the CRA to send a notice of address discrepancy, would not serve this purpose. The Agencies believe the options for confirmation listed in the regulation provide sufficient flexibility for users to confirm consumers’ addresses. For this reason, they have been adopted in the final rule as proposed, with minor technical changes. Section _.82(d)(2)(i) has been revised to conform the language with § _.82(c). Section _.82(d)(2)(ii) has been revised to emphasize the verification of the consumer's address rather than the review of the user's records to determine whether the address given by the consumer is the same. 51 This requirement is consistent with the legislative history which provides that this section is intended to obligate the user to utilize reasonable policies and procedures to resolve discrepancies. *See* H.R. Rep. No. 108-263 at 46 (Sept. 4, 2003) (accompanying H.R. 2622). Section _.82(d)(3) Timing Section 315 specifies when a user must furnish the consumer's address to the CRA. It states that this information must be furnished for the reporting period in which the user's relationship with the consumer is established. 
Accordingly, proposed § _.82(d)(3)(i) stated that, with respect to new relationships, the policies and procedures a user develops in accordance with § _.82(d)(1) must provide that a user will furnish the consumer's address that it has reasonably confirmed to the CRA as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer. The proposed rule also addressed other situations when a user may receive a notice of address discrepancy. Proposed § _.82(d)(3)(ii) stated that in other circumstances, such as when the user already has an existing relationship with the consumer, the user should furnish this information for the reporting period in which the user has reasonably confirmed the accuracy of the address of the consumer for whom it has obtained a consumer report. The Agencies also noted that, in order to satisfy the requirements of both § _.82(d)(1) and § _.82(d)(3)(i), a user employing the CIP rules would have to establish a continuing relationship and verify the identity of the consumer during the same reporting period. The Agencies recognized the timing provision for newly established relationships could be problematic for users hoping to take full advantage of the flexibility in timing for verification of identity afforded by the CIP rules. As required by statute, proposed § _.82(d)(3)(i) stated that the reconciled address must be furnished for the reporting period in which the user establishes a relationship with the consumer. Proposed § _.82(d)(1), which also mirrored the requirement of the statute, required the reconciled address to be furnished to the CRA only when the user both establishes a continuing relationship with the consumer and forms a reasonable belief that it knows the identity of the consumer to whom the consumer report relates. Typically, the CIP rules permit an account to be opened ( *i.e.* , relationship to be established) if certain identifying information is provided. 
Verification to establish the true identity of the customer is required within a reasonable period of time *after* the account has been opened. As explained in the preamble to the proposed rules, to satisfy the requirements of both § _.82(d)(1) and § _.82(d)(3)(i), a user employing the CIP rules would have to verify the identity of the consumer using the identifying information it obtained in accordance with the CIP rules within the same reporting period that the user opens the account and establishes a continuing relationship with the consumer. The Agencies requested comment on whether the timing for responding to notices of address discrepancy received in connection with newly established relationships and in connection with circumstances other than newly established relationships is appropriate. One commenter objected to the requirement that a user employing the CIP rules would have to both establish a continuing relationship and a reasonable belief that it knows the consumer's identity during the same reporting period. A few commenters noted that the timing for reporting should simply be “reasonable,” such as the next reporting cycle. Because the Agencies have determined that the requirement to furnish a confirmed address will apply only to newly established accounts, the Agencies have revised § _.82(d)(3) to remove the references to the timing for furnishing reports in connection with other accounts, contained in the proposal. The final rules reflect the language in section 605(h)(2)(B)(ii), and state that a user's policies and procedures must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer. 
A timing issue still exists for a user that chooses to compare the information in the consumer report with information that the user obtains and uses to verify the consumer's identity in accordance with the CIP rules for the purpose of forming a reasonable belief that a consumer report relates to the consumer about whom it has requested the report. However, the Agencies believe that the benefits of being able to use CIP for this purpose should outweigh any additional burden of having to establish a reasonable belief that a consumer report relates to the consumer about whom it has requested the report within the same reporting period that the user opens the account and establishes a continuing relationship with the consumer. IV. General Provisions The OCC, the Board, the FDIC, the OTS, and the NCUA 52 proposed to amend the first sentence in § _.3, which contains the definitions that are applicable throughout this part. This sentence stated that the list of definitions in § _.3 apply throughout the part “unless the context requires otherwise.” These agencies proposed to amend this introductory sentence to make clear that the definitions in § _.3 apply “for purposes of this part, unless explicitly stated otherwise.” Thus, these definitions apply throughout the part unless defined differently in an individual subpart. There were no comments on this proposal, and the change to § _.3 is adopted as proposed. 52 The equivalent language for the FTC already exists in 16 CFR 603.1. OTS proposed nonsubstantive, technical changes to its rule sections on purpose and scope (§ 571.1) and disposal of consumer information (§ 571.83). OTS explained that these changes were necessary in light of the proposed incorporation of the address discrepancy section into subpart I. There were no comments on these proposed changes and they are adopted substantially as proposed. Further, since these changes render the definition of “you” in § 571.3(o) superfluous, OTS is removing that definition. 
The OCC's final rules add a purpose section at § 41.1. The final rules are simply restoring the purpose section of part 41 that was inadvertently deleted when “subpart D-Medical Information” was added to this part. V. Effective Date The Agencies received a number of comments regarding the effective date of the final regulations and guidelines, although the proposed rulemaking did not address this issue. While consumer groups recommended that the effective date for compliance with the regulations be the minimum time allowed by law, many financial institutions and creditors requested the time for compliance be extended from between 12 to 24 months from issuance of the final rules. These commenters felt they needed time to take an inventory of their existing systems and develop new programs necessary for compliance. Some commenters noted that they likely would use technological solutions to comply with the rules and that it is necessary to schedule such projects well in advance. Commenters also noted that compliance with the final rules may require systemic and operational changes across business lines and could affect relationships with vendors and third party service providers that would require time to change. Neither section 114 nor section 315 of the FACT Act specifically addresses the effective date of the regulations issued pursuant to these sections. Under the Administrative Procedure Act (APA), 5 U.S.C. 553(d), agencies must generally publish a substantive rule not less than 30 days before its effective date. In addition, under section 302 of the Riegle Community Development and Regulatory Improvement Act of 1994 (CDRIA), 53 rules issued by the Federal banking agencies that impose additional reporting, disclosure, or other new requirements on financial institutions generally will take effect on the first day of a calendar quarter that begins on or after the date on which the regulations are published in the **Federal Register** . 
Because these final rules are substantive and impose additional requirements on financial institutions, the Agencies have provided for an effective date of [January 1, 2008], consistent with the APA and CDRIA. 53 Pub. L. 103-325; 12 U.S.C. § 4802(b). At the same time, the Agencies have determined that it is appropriate to provide all covered entities with a delayed compliance date of November 1, 2008, to comply with the requirements of the final rulemaking. Some financial institutions and creditors already employ a variety of measures that satisfy the requirements of the final rulemaking because these are usual and customary business practices to minimize losses due to fraud, or as a result of already complying with other existing regulations and guidance that relate to information security, authentication, identity theft, and response programs. However, the Agencies recognize that these entities may still need time to evaluate their existing programs, and to integrate appropriate elements from them into the Program and into the other policies and procedures required by this final rulemaking. Further, the Agencies recognize that some covered entities have not previously been subject to any related regulations or guidance, and thus may need more time to implement the final rules and guidelines. Therefore, the Agencies are providing covered entities with a transition period to comply with the requirements contained in the final rulemaking. VI. Regulatory Analysis A. Paperwork Reduction Act In accordance with the requirements of the Paperwork Reduction Act of 1995
(PRA) (44 U.S.C. 3501 *et seq.*, 5 CFR part 1320 Appendix A.1), the Agencies have reviewed the final rulemaking and determined that it contains collections of information subject to the PRA. The Board made this determination under authority delegated to the Board by the Office of Management and Budget (OMB). The information collection requirements in the final rulemaking may be found in 12 CFR 41.82, 41.90, 41.91, 222.82, 222.90, 222.91, 334.82, 334.90, 334.91, 571.82, 571.90, 571.91, 717.82, 717.90, and 717.91; and 16 CFR 681.1, 681.2, and 681.3. An agency may not conduct or sponsor, and a respondent is not required to respond to, an information collection unless it displays a currently valid OMB control number. The information collection requirements contained in this joint final rule were submitted by the OCC, FDIC, OTS, NCUA, and FTC to OMB for review and approval under the Paperwork Reduction Act of 1995. OMB assigned the following control numbers to the collections of information: OMB Control Nos. 1557-0237 (OCC), 3064-0152 (FDIC), 1550-0113 (OTS), 3133-0175 (NCUA), and 3084-0137 (FTC). The Board's OMB Control No. is 7100-0308. 54 54 The information collections
(ICs) in this rule will be incorporated with the Board's Disclosure Requirements Associated with Regulation V (OMB No. 7100-0308). The burden estimates provided in this rule pertain only to the ICs associated with this final rulemaking. The current OMB inventory for Regulation V is available at: *http://www.reginfo.gov/public/do/PRAMain.* Description of the Collection *Section 114*: The proposed rules implementing section 114 required each financial institution and creditor to
(1) create an Identity Theft Prevention Program (Program);
(2) report to the board of directors, a committee thereof or senior management, at least annually, on compliance with the proposed regulations; and
(3) train staff to implement the Program. In addition, the proposed rules required each credit and debit card issuer (card issuer) to establish policies and procedures to
(1) assess the validity of a change of address notification before honoring a request for an additional or replacement card received during at least the first 30 days after it receives the notification; and
(2) notify the cardholder in writing, electronically, or orally, or use another means of assessing the validity of the change of address. *Section 315*: The proposed rules implementing section 315 required each user of consumer reports to
(1) develop reasonable policies and procedures it would employ when it receives a notice of address discrepancy from a CRA; and
(2) furnish an address the user reasonably confirmed is accurate to the CRA from which it receives a notice of address discrepancy. The information collections in the final rulemaking are the same as those in the proposal. Comments Received The Agencies sought comment on the burden estimates for the information collections described in the proposal. The Agencies received approximately 129 comments on the proposed rulemaking. Most commenters maintained that the proposal would impose additional regulatory burden and asserted that the estimates of the cost of compliance should be considerably higher than the Agencies projected. A few of these commenters specifically addressed PRA burden; however, they did not provide specific estimates of additional burden hours that would result from the proposal. Some of these commenters stated that staff training estimates were significantly underestimated. Other commenters stated that the costs of compliance failed to consider the cost to third-party service providers that the commenters characterized as being required to implement the Program. Explanation of Burden Estimates Under the Final Rulemaking The Agencies believe that many of the comments received regarding burden stemmed from commenters' misreading of the requirements of the proposed rulemaking. The final rulemaking clarifies these requirements, including those that relate to the information collections. It also differs from the proposal as described below. The Agencies continue to believe that most covered entities already employ a variety of measures to detect and address identity theft that are required by section 114 of the final rulemaking because these are usual and customary business practices that they employ to minimize losses due to fraud.
In addition, the Agencies believe that many financial institutions and creditors already have implemented some of the requirements of the final rules implementing section 114 as a result of having to comply with other existing regulations and guidance, such as the CIP regulations implementing section 326 of the USA PATRIOT Act, 31 U.S.C. 5318(l) that require verification of the identity of persons opening new accounts), 55 the Information Security Standards that implement section 501(b) of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C. 6801, and section 216 of the FACT Act, 15 U.S.C. 1681w, 56 and guidance issued by the Agencies or the Federal Financial Institutions Examination Council regarding information security, authentication, identity theft, and response programs. 57 The final rulemaking underscores the ability of a financial institution or creditor to incorporate into its Program its existing processes that control reasonably foreseeable risks to customers or to its own safety and soundness from identity theft, such as those already developed in connection with the covered entity's fraud prevention program. Thus, the burden estimate attributable to the creation of a Program is unchanged. 55 *See* , *e.g.* , 31 CFR 103.121 (banks, savings associations, credit unions, and certain non-federally regulated banks); 31 CFR 103.122 (broker-dealers); 31 CFR 103.123 (futures commission merchants). 56 12 CFR part 30, app. B (national banks); 12 CFR part 208, app. D-2 and part 225, app. F (state member banks and holding companies); 12 CFR part 364, app. B (state non-member banks); 12 CFR part 570, app. B (savings associations); 12 CFR part 748, app. A and B, and 12 CFR 717 (credit unions); 16 CFR part 314 (financial institutions that are not regulated by the Board, FDIC, NCUA, OCC and OTS). 57 *See* , *e.g.* , 12 CFR part 30, supp. A to app. B (national banks); 12 CFR part 208, supp. A to app. D-2 and part 225, supp. A to app. 
F (state member banks and holding companies); 12 CFR part 364, supp. A to app. B (state non-member banks); 12 CFR part 570, supp. A to app. B (savings associations); 12 CFR 748, app. A and B (credit unions); Federal Financial Institutions Examination Council (FFIEC) Information Technology Examination Handbook's Information Security Booklet (the “IS Booklet”) *available at http://www.ffiec.gov/guides.htm* ; FFIEC “Authentication in an Internet Banking Environment” *available at http://www.ffiec.gov/pdf/authentication_guidance.pdf* ; Board SR 01-11
(Supp)(Apr. 26, 2001) *available at: http://www.federalreserve.gov/boarddocs/srletters/2001/sr0111.htm* ; “Guidance on Identity Theft and Pretext Calling,” OCC AL 2001-4 (April 30, 2001); “Identity Theft and Pretext Calling,” OTS CEO Letter #139 (May 4, 2001); NCUA Letter to Credit Unions 01-CU-09, “Identity Theft and Pretext Calling” (Sept. 2001); OCC 2005-24, “Threats from Fraudulent Bank Web Sites: Risk Mitigation and Response Guidance for Web Site Spoofing Incidents,” (July 1, 2005); “Phishing and E-mail Scams,” OTS CEO Letter #193 (Mar. 8, 2004); NCUA Letter to Credit Unions 04-CU-12, “Phishing Guidance for Credit Unions” (Sept. 2004). The final rulemaking also clarifies that only relevant staff need be trained to implement the Program, as necessary—meaning that staff already trained, for example, as a part of a covered entity's anti-fraud prevention efforts do not need to be re-trained except as necessary. Despite this clarification, in response to comments received, the Agencies are increasing the burden estimates attributable to training from two to four hours. The Agencies’ estimates attribute all burden to covered entities, which are entities directly subject to the requirements of the final rulemaking. A covered entity that outsources activities to a third-party service provider is, in effect, reallocating to that service provider the burden that it would otherwise have carried itself. Under these circumstances, burden is, by contract, shifted from the covered entity to the service provider, but the total amount of burden is not increased. Thus, third-party service provider burden is already included in the burden estimates provided for covered entities. The Agencies continue to believe that card issuers already assess the validity of change of address requests and, for the most part, have automated the process of notifying the cardholder or using other means to assess the validity of changes of address. 
Further, as commenters requested, the final rulemaking clarifies that card issuers may satisfy the requirements of this section by verifying the address at the time the address change notification is received, before a request for an additional or replacement card. Therefore, the estimates attributable to this portion of the rulemaking are unchanged. Regarding the final rules implementing section 315, the Agencies recognize that users of consumer reports will need to develop policies and procedures to employ upon receiving a notice of address discrepancy in order to:
(1) ensure that the user has obtained the correct consumer report for the consumer; and
(2) confirm the accuracy of the address the user furnishes to the CRA. However, under the final rules, a user must furnish a confirmed address to a CRA only for new relationships. Thus, the required policies and procedures will no longer need to address the furnishing of confirmed addresses for existing relationships, and users will not need to furnish to the CRA in connection with existing relationships an address the user reasonably confirmed is accurate. The Agencies believe that users of credit reports covered by the final rules, on a regular basis, already furnish information to CRAs in response to notices of address discrepancy because it is a usual and customary business practice—except in connection with new deposit relationships. For the proposed rulemaking, the Agencies had estimated that there would be no implementation burden associated with furnishing confirmed addresses to CRAs. However, as the result of additional research, the Agencies now believe that some burden should be attributable to this collection, to account for information furnished to CRAs for new deposit relationships. Because this burden is offset by the reduction in burden described above, the estimates for the collections attributable to the final rules implementing section 315 remain unchanged. The Agencies continue to believe that 25 hours to develop a Program, four hours to prepare an annual report, four hours to develop policies and procedures to assess the validity of changes of address, and four hours to develop policies and procedures to respond to notices of address discrepancy, are reasonable estimates.
The potential respondents are national banks and Federal branches and agencies of foreign banks and certain of their subsidiaries (OCC); state member banks, uninsured state agencies and branches of foreign banks, commercial lending companies owned or controlled by foreign banks, and Edge and agreement corporations (Board); insured nonmember banks, insured state branches of foreign banks, and certain of their subsidiaries (FDIC); savings associations and certain of their subsidiaries (OTS); Federally-chartered credit unions (NCUA); state-chartered credit unions, non-bank lenders, mortgage brokers, motor vehicle dealers, utility companies, and any other person that regularly participates in a credit decision, including setting the terms of credit (FTC). Burden Estimates The Agencies estimate the annual burden per respondent is 41 hours (25 hours to develop a Program, four hours to prepare an annual report, four hours for training, four hours for developing policies and procedures to assess the validity of changes of address, and four hours for developing policies and procedures to respond to notices of address discrepancy). The Agencies attribute total burden to covered entities as follows: *OCC* : *Number of respondents* : 1,806. *Total estimated annual burden:* 74,046. *Board* : *Number of respondents:* 1,172. *Total Estimated Annual Burden:* 48,052. *FDIC* : *Number of respondents:* 5,260. *Total Estimated Annual Burden:* 215,660 hours. *OTS* : *Number of respondents:* 832. *Total Estimated Annual Burden:* 34,112. *NCUA* : *Number of respondents:* 5,103. *Total Estimated Annual Burden:* 209,223. *FTC Estimated Burden* : 58 58 Due to the varied nature of the entities subject to the jurisdiction of the FTC, this Estimated Burden section reflects only the view of the FTC. The banking regulatory agencies have jointly prepared a separate analysis. 
*Section 114* : *Estimated Hours Burden* : As discussed above, the final regulations require financial institutions and creditors to conduct a risk assessment periodically to determine whether they have covered accounts, which include, at a minimum, consumer accounts. If the financial institutions and creditors determine that they have covered accounts, the final regulations require them to create a written Identity Theft Prevention Program (Program) and they should report to the board of directors, a committee thereof, or senior management at least annually on compliance with the final regulations. The FCRA defines “creditor” to have the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA). 59 Under Regulation B, which implements the ECOA, a creditor means a person who regularly participates in a credit decision, including setting the terms of credit. Regulation B defines credit as a transaction in which the party has a right to defer payment of a debt, regardless of whether the credit is for personal or commercial purposes. 60 Given the broad scope of entities covered, it is difficult to determine precisely the number of financial institutions and creditors that are subject to the FTC's jurisdiction. There are numerous small businesses under the FTC's jurisdiction, and there is no formal way to track them; moreover, as a whole, the entities under the FTC's jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the proposed regulations implementing section 114 will affect over 3,500 financial institutions 61 and over 11 million creditors 62 subject to the FTC's jurisdiction, for a combined total of approximately 11.1 million affected entities. As detailed below, FTC staff estimates that the average annual information collection burden during the three-year period for which OMB clearance was sought will be 4,466,000 hours (rounded to the nearest thousand). 
The estimated annual labor cost associated with this burden is $142,925,000 (rounded to the nearest thousand). 59 U.S.C. 1681a(r)(5). 60 Regulation B Equal Credit Opportunity, 12 CFR 202 (as amended effective Apr. 15, 2003). 61 Under the FCRA, the only financial institutions over which the FTC has jurisdiction are state-chartered credit unions. 15 U.S.C. 1681s. As of December 31, 2005, there were 3,302 state-chartered federally-insured credit unions and 362 state-chartered nonfederally insured credit unions, totaling 3,664 financial institutions. *See* *www.ncua.gov/news/quick_facts/quick_facts.html and* “Disclosures for Non-Federally Insured Depository Institutions under the Federal Deposit Insurance Corporation Improvement Act (FDICIA),” 70 FR 12823 (Mar. 16, 2005). 62 This estimate is derived from an analysis of a database of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers or other businesses, which totaled 11,076,463 creditors subject to the FTC's jurisdiction. For the proposed rule, FTC staff had divided affected entities into two categories: entities that are subject to a high risk of identity theft and entities that are subject to a low risk of identity theft. Based on comments as well as changes in the final rule, FTC staff believes that the affected entities can be categorized in three groups, based on the nature of their businesses: entities subject to a high risk of identity theft, entities subject to a low risk of identity theft, but having consumer accounts that will require them to have a written Program, and entities subject to a low risk of identity theft, but not having consumer accounts. 
63 63 In general, high-risk entities may provide consumer financial services or other goods or services of value to identity thieves such as telecommunication services or goods that are easily convertible to cash, whereas low-risk entities may do business primarily with other businesses or provide non-financial services or goods that are not easily convertible to cash. A. High-Risk Entities In drafting its PRA analysis for the proposed regulations, FTC staff believed that because motor vehicle dealers' loans typically are financed by financial institutions also subject to those regulations, the dealers were likely to use the latter's programs as a basis to develop their own. Therefore, although subject to a high risk of identity theft, their burden would be less than other high-risk entities. Commenters, however, noted among other concerns that some motor vehicle dealers finance their own loans. Thus, for this burden estimate, FTC staff no longer is considering motor vehicle dealers separately from other high-risk entities. As noted above, the Agencies continue to believe that many of the high-risk entities, as part of their usual and customary business practices, already take steps to minimize losses due to fraud. The final rulemaking clarifies that only relevant staff need be trained to implement the Program, as necessary, meaning, for example, that staff already trained as a part of a covered entity's anti-fraud prevention efforts do not need to be re-trained except as incrementally needed. Notwithstanding this clarification, in response to comments received, the Agencies are increasing the burden estimates attributable to training from two to four hours, as is the FTC for high-risk entities in their initial year of implementing the Program, but FTC staff continues to believe that one hour of recurring annual training remains a reasonable estimate.
The FTC staff maintains its estimate of 25 hours for high-risk entities to create and implement a written Program, with an annual recurring burden of 1 hour. As before, FTC staff anticipates that these entities will incorporate policies and procedures that they likely already have in place. The FTC staff continues to believe that preparation of an annual report will take high-risk entities 4 hours initially, with an annual recurring burden of 1 hour. B. Low-Risk Entities A few commenters believed that FTC staff had underestimated the amount of time it would take low-risk entities to comply with the proposed regulations. These commenters estimated that the amount of time would range from 6 to 20 hours to create a program and 1 hour each to train employees and draft the annual report. The FTC staff believes these estimates were based on a misunderstanding of the requirements of the proposed regulations, including that the list of 31 Red Flags in the proposed guidelines was intended to be a checklist. The final regulations clarify that the list of Red Flags is illustrative only. Moreover, the emphasis of the written Program, as required under the final regulations, is to identify risks of identity theft. To the extent that entities with consumer accounts determine that they have a minimal risk of identity theft, they would be tasked only with developing a streamlined Program. Therefore, the FTC staff does not believe that it would take such an entity 6 to 20 hours to develop a Program, 1 hour to train employees, and 1 hour to draft an annual report on risks of identity theft which are minimal or non-existent. Nonetheless, FTC staff believes that it may have underestimated the time low-risk entities may need to initially apply the final rule to develop a Program. Thus, FTC staff has increased from 20 minutes to 1 hour its previously stated estimate for this activity. 
The final regulations have been revised from the proposed regulations to alleviate the burden of creating a written Program for entities that determine that they do not have any covered accounts. The FTC staff believes that entities subject to a low risk of identity theft, but not having consumer accounts, will likely determine that they do not have covered accounts. Such entities would not be required to develop a written Program, and thus will not incur PRA burden. The FTC staff estimates that approximately 9,191,496 64 of the 10,813,525 low-risk entities subject to the requirement to create a written Program under the proposed regulations will not have covered accounts under the final rule. Therefore, these 9,191,496 low-risk entities will not be required to develop a written Program, thereby substantially reducing the original burden hours estimate in the NPRM for low-risk entities. 64 This estimate is derived from an analysis of a database of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers or other businesses, net of the number of creditors subject to the FTC's jurisdiction, an estimated subset of which comprise anticipated low-risk entities not having covered accounts under the final rule. The FTC staff believes that for entities subject to a low risk of identity theft, but having consumer accounts that will require them to have a written Program, it will take such entities 1 hour to review the final regulations and create a streamlined Program, with an annual recurring burden of 5 minutes. The FTC staff believes that training staff to be attentive to any future risks of identity theft will take low-risk entities 10 minutes, with an annual recurring burden of 5 minutes. The FTC staff believes that preparing an annual report will take low-risk entities 10 minutes, with an annual recurring burden of 5 minutes. 
Accordingly, FTC staff estimates that the final regulations implementing section 114 affect the following: 266,602 high-risk entities subject to the FTC's jurisdiction at an average annual burden of 13 hours per entity [average annual burden over 3-year clearance period for creation and implementation of Program ((25+1+1)/3) plus average annual burden over 3-year clearance period for staff training ((4+1+1)/3) plus average annual burden over 3-year clearance period for preparing annual report ((4+1+1)/3)], for a total of 3,466,000 hours (rounded to the nearest thousand); and 1,622,029 low-risk entities that have consumer accounts subject to the FTC's jurisdiction at an average annual burden of approximately 37 minutes per entity [average annual burden over 3-year clearance period for creation and implementation of streamlined Program ((60+5+5)/3) plus average annual burden over 3-year clearance period for staff training ((10+5+5)/3) plus average annual burden over 3-year clearance period for preparing annual report ((10+5+5)/3)], for a total of 1,000,000 hours (rounded to the nearest thousand). The proposed regulations implementing Section 114 also require credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request, including notifying the cardholder or using another means of assessing the validity of the change of address. The FTC received no comments on its burden estimates in the NPRM and FTC staff does not believe that the changes made to the final regulation have altered its original burden estimates. Accordingly, FTC staff maintains that it will take 100 credit or debit card issuers 4 hours to develop and implement policies and procedures to assess the validity of a change of address request for a total burden of 400 hours. *Estimated Cost Burden:* The FTC staff derived labor costs by applying appropriate estimated hourly cost figures to the burden hours described above. 
It is difficult to calculate with precision the labor costs associated with the proposed regulations, as they entail varying compensation levels of management and/or technical staff among companies of different sizes. In the NPRM, FTC staff had estimated that low-risk entities would use administrative support personnel at an hourly cost of $16.00. A few commenters disagreed that low-risk entities would use administrative support personnel, arguing instead that the Program would be implemented at a managerial level, and the labor cost should be at least $32.00 and possibly even $48.00. Therefore, in calculating the cost figures, FTC staff assumes that for all entities, professional technical personnel and/or managerial personnel will create and implement the Program, prepare the annual report, train employees, and assess the validity of a change of address request, at an hourly rate of $32.00. 65 65 The cost is derived from a mid-range among the reported 2006 Bureau of Labor Statistics rates for likely positions within the professional technical and managerial categories. See June 2006 Bureau of Labor Statistics National Compensation Survey for occupational wages in the United States at *http://www.bls.gov/ncs/ocs/sp/ncbl0910.pdf* (“June 2006 BLS NCS Survey”). Based on the above estimates and assumptions, the total annual labor costs for all categories of covered entities under the final regulations implementing section 114 are $142,925,000 (rounded to the nearest thousand) [(3,466,000 hours + 400 hours + 1,000,000 hours) x $32.00)]. *Section 315:* *Estimated Hours Burden:* The Commission did not receive any comments relating to its original burden estimates for the information collection requirements under section 315. 
Although the final regulations were modified such that they no longer require users to furnish a confirmed address to a CRA for existing relationships, FTC staff does not believe that this modification will significantly alter its original burden estimates. Therefore, FTC staff burden estimates remain unchanged under section 315 from the estimates proposed in the NPRM. Accordingly, FTC staff estimates that the average annual information collection burden during the three-year period for which OMB clearance was sought will be 831,000 hours (rounded to the nearest thousand). The FTC staff continues to assume that the policies and procedures for notice of address discrepancy and furnishing the correct address will be set up by administrative support personnel at an hourly rate of $16. 66 Thus, the estimated annual labor cost associated with this burden is $13,296,000 (rounded to the nearest thousand). 66 This hourly wage is a conservative inflation-adjusted updating of hourly mean wages ($14.86) shown for administrative support personnel in the June 2006 BLS NCS Survey. The Agencies have a continuing interest in the public's opinions of our collections of information. At any time, comments regarding the burden estimate, or any other aspect of this collection of information, including suggestions for reducing the burden, may be sent to: OCC: Communications Division, Office of the Comptroller of the Currency, Public Information Room, Mail stop 1-5, Attention: 1557-0237, 250 E Street, SW., Washington, DC 20219. In addition, comments may be sent by fax to 202-874-4448, or by electronic mail to *regs.comments@occ.treas.gov* . You can inspect and photocopy the comments at the OCC's Public Information Room, 250 E Street, SW., Washington, DC 20219. For security reasons, the OCC requires that visitors make an appointment to inspect comments. You may do so by calling 202-874-5043. 
Upon arrival, visitors will be required to present valid government-issued photo identification and submit to security screening in order to inspect and photocopy comments. Board: You may submit comments, identified by R-1255, by any of the following methods: Agency Web site: *http://www.federalreserve.gov* . Follow the instructions for submitting comments on *http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm* . Federal eRulemaking Portal: *http://www.regulations.gov* . Follow the instructions for submitting comments. E-mail: *regs.comments@federalreserve.gov* . Include docket number in the subject line of the message. Fax: 202-452-3819 or 202-452-3102. Mail: Jennifer J. Johnson, Secretary, Board of Governors of the Federal Reserve System, 20th Street and Constitution Avenue, NW., Washington, DC 20551. All public comments are available from the Board's Web site at *http://www.federalreserve.gov/generalinfo/foia/ProposedRegs.cfm* as submitted, unless modified for technical reasons. Accordingly, your comments will not be edited to remove any identifying or contact information. Public comments may also be viewed electronically or in paper form in Room MP-500 of the Board's Martin Building (20th and C Streets, NW.) between 9 a.m. and 5 p.m. on weekdays. FDIC: You may submit written comments, which should refer to 3064-AD00, by any of the following methods: Agency Web site: *http://www.fdic.gov/regulations/laws/federal/propose.html* . Follow the instructions for submitting comments on the FDIC Web site. Federal eRulemaking Portal: *http://www.regulations.gov* . Follow the instructions for submitting comments. E-mail: *Comments@FDIC.gov* . Mail: Robert E. Feldman, Executive Secretary, Attention: Comments, FDIC, 550 17th Street, NW., Washington, DC 20429. Hand Delivery/Courier: Guard station at the rear of the 550 17th Street Building (located on F Street) on business days between 7 a.m. and 5 p.m. 
Public Inspection: All comments received will be posted without change to *http://www.fdic.gov/regulations/laws/federal/propose/html* including any personal information provided. Comments may be inspected at the FDIC Public Information Center, Room 100, 801 17th Street, NW., Washington, DC, between 9 a.m. and 4:30 p.m. on business days.
OTS: Information Collection Comments, Chief Counsel's Office, Office of Thrift Supervision, 1700 G Street, NW., Washington, DC 20552; send a facsimile transmission to (202) 906-6518; or send an e-mail to related index on the OTS Internet site at *http://www.ots.treas.gov* . In addition, interested persons may inspect the comments at the Public Reading Room, 1700 G Street, NW., by appointment. To make an appointment, call (202) 906-5922, send an e-mail to *publicinfo@ots.treas.gov* , or send a facsimile transmission to (202) 906-7755.
NCUA: You may submit comments by any of the following methods (Please send comments by one method only): Federal eRulemaking Portal: *http://www.regulations.gov* . Follow the instructions for submitting comments. NCUA Web site: *http://www.ncua.gov/RegulationsOpinionsLaws/proposedregs/proposedregs.html* . Follow the instructions for submitting comments. E-mail: Address to *regcomments@ncua.gov* . Include “[Your name] Comments on -,” in the e-mail subject line. Fax: (703) 518-6319. Use the subject line described above for e-mail. Mail: Address to Mary F. Rupp, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, VA 22314-3428. Hand Delivery/Courier: Same as mail address. Additionally, commenters may send a copy of their comments to the OMB desk officer for the OCC, Board, FDIC, OTS, and NCUA by mail to the Office of Information and Regulatory Affairs, U.S. Office of Management and Budget, New Executive Office Building, Room 10235, 725 17th Street, NW., Washington, DC 20503, or by fax to (202) 395-6974.
FTC: Comments should refer to “The Red Flags Rule: Project No. R611019,” and may be submitted by any of the following methods. However, if the comment contains any material for which confidential treatment is requested, it must be filed in paper form, and the first page of the document must be clearly labeled “Confidential.” 67 67 Commission Rule 4.2(d), 16 CFR 4.2(d). The comment must be accompanied by an explicit request for confidential treatment, including the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. The request will be granted or denied by the Commission's General Counsel, consistent with applicable law and the public interest. See Commission Rule 4.9(c), 16 CFR 4.9(c). E-mail: Comments filed in electronic form should be submitted by clicking on the following Web link: *https://secure.commentworks.com/ftc-redflags* and following the instructions on the Web-based form. To ensure that the Commission considers an electronic comment, you must file it on the Web-based form at *https://secure.commentworks.com/ftc-redflags* . Federal eRulemaking Portal: If this notice appears at *http://www.regulations.gov* , you may also file an electronic comment through that Web site. The Commission will consider all comments that regulations.gov forwards to it. Mail or Hand Delivery: A comment filed in paper form should include “The Red Flags Rule, Project No. R611019,” both in the text and on the envelope and should be mailed or delivered, with two complete copies, to the following address: Federal Trade Commission/Office of the Secretary, Room H-135 (Annex M), 600 Pennsylvania Avenue, NW., Washington, DC 20580. Because paper mail in the Washington area and at the Commission is subject to delay, please consider submitting your comments in electronic form, as prescribed above. The FTC is requesting that any comment filed in paper form be sent by courier or overnight service, if possible. Comments on any proposed filing, recordkeeping, or disclosure requirements that are subject to paperwork burden review under the Paperwork Reduction Act should additionally be submitted to: Office of Management and Budget, Attention: Desk Officer for the Federal Trade Commission. Comments should be submitted via facsimile to (202) 395-6974 because U.S. Postal Mail is subject to lengthy delays due to heightened security precautions. The FTC Act and other laws the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. All timely and responsive public comments, whether filed in paper or electronic form, will be considered by the Commission, and will be available to the public on the FTC Web site, to the extent practicable, at *http://www.ftc.gov/os/publiccomments.htm* . As a matter of discretion, the FTC makes every effort to remove home contact information for individuals from the public comments it receives before placing those comments on the FTC Web site. More information, including routine uses permitted by the Privacy Act, may be found in the FTC's privacy policy, at *http://www.ftc.gov/ftc/privacy.htm* .
Members of the public also can request additional information or a copy of the collection from: *OCC:* Mary Gottlieb, OCC Clearance Officer,
(202) 874-5090, Legislative and Regulatory Activities Division, Office of the Comptroller of the Currency, 250 E Street, SW., Washington, DC 20219. *Board:* Michelle Shore, Clearance Officer, Division of Research and Statistics (202) 452-3829. *FDIC:* Steven F. Hanft, Clearance Officer, Legal Division, (202-898-3907). *OTS:* Ira L. Mills, OTS Clearance Officer, Litigation Division, Chief Counsel's Office, at *Ira.Mills@ots.treas.gov* , (202) 906-6531, or facsimile number (202) 906-6518. *NCUA:* Regina M. Metz, Staff Attorney, Office of General Counsel, (703) 518-6540. *FTC:* See FOR FURTHER INFORMATION CONTACT above.
B. Regulatory Flexibility Act *OCC:* Under section 605(b) of the Regulatory Flexibility Act (RFA), 5 U.S.C. 605(b), the OCC must either publish a Final Regulatory Flexibility Analysis (FRFA) for a final rule or certify, along with a statement providing the factual basis for such certification, the rule will not have a significant economic impact on a substantial number of small entities. The Small Business Administration has defined “small entities” for banking purposes as a bank or savings institution with assets of $165 million or less. *See* 13 CFR 121.201. Based on its analysis and for the reasons stated below, the OCC certifies that this final rulemaking will not have a significant economic impact on a substantial number of small entities.
Rules Implementing Section 114 The proposed regulations implementing section 114 required the development and establishment of a written identity theft prevention program to detect, prevent, and mitigate identity theft. The proposed regulations also required card issuers to assess the validity of a notice of address change under certain circumstances. In connection with the proposed rulemaking, the OCC concluded that the proposed regulations implementing section 114, if adopted as proposed, would not impose undue costs on national banks and would not have a substantial economic impact on a substantial number of small national banks. The OCC noted that national banks already employ a variety of measures that satisfy the requirements of the rulemaking because (1) such measures are a good business practice and generally are a part of a bank's efforts to reduce losses due to fraud, and (2) national banks already comply with other regulations and guidance that relate to information security, authentication, identity theft, and response programs. For example, national banks are already subject to CIP rules requiring them to verify the identity of a person opening a new account 68 and already have various systems in place to detect certain patterns, practices and specific activities that indicate the possible existence of identity theft in connection with the opening of new accounts. Similarly, national banks complying with the “Interagency Guidelines Establishing Information Security Standards” 69 and guidance recently issued by the FFIEC titled “Authentication in an Internet Banking Environment” 70 already have policies and procedures in place to detect attempted and actual intrusions into customer information systems and to detect patterns, practices and specific activities that indicate the possible existence of identity theft in connection with existing accounts. Banks complying with the OCC's “Guidance on Identity Theft and Pretext Calling” 71 already have policies and procedures to verify the validity of change of address requests on existing accounts. 68 31 CFR 103.121; 12 CFR 21.21 (national banks). 69 12 CFR part 30, app. B (national banks). 70 OCC Bulletin 2005-35 (Oct. 12, 2005). 71 OCC AL 2001-4 (April 30, 2001). Nonetheless, the OCC specifically requested comment and specific data on the size of the incremental burden creating an identity theft prevention program would have on small national banks, given banks' current practices and compliance with existing requirements. The OCC also requested comment on how the final regulations might minimize any burden imposed to the extent consistent with the requirements of the FACT Act. 
Commenters confirmed that the proposed regulations implementing section 114 of the FACT Act are consistent with banks' usual and customary business practices used to minimize losses due to fraud in connection with new and existing accounts. They also confirmed that banks have implemented measures to address many of the proposed requirements as a result of having to comply with existing regulations and guidance. However, commenters also asserted that the Agencies had underestimated the incremental burden imposed by the proposed rules. They highlighted aspects of the proposal that they maintained would have required banks to alter their current practices and implement duplicative policies and procedures. Only a few commenters provided estimates of additional burden that would result from the proposed rules. Many of these comments stemmed from a misreading of the requirements of the proposed rules. Further, many commenters confused the Agencies' PRA estimates with the Agencies' overall conclusions regarding regulatory burden. 72 72 The PRA focuses more narrowly on the time, effort, and financial resources expended by persons to generate, maintain, or provide information to or for a Federal agency. *See* 44 U.S.C. 3501 *et seq.* The OCC believes that the final rules substantially address the concerns of the commenters as follows:
• The final rules allow a covered entity to tailor its Program to its size, complexity and nature of its operations. The final rules and guidelines do not require the use of any specific technology, systems, processes or methodology.
• The final rules list the four elements that must be a part of a Program, and the steps that a covered entity must take to administer the Program. The rules provide covered entities with greater discretion to determine how to implement these mandates.
• Additional requirements previously in the proposed rules are now in guidelines that are located in Appendix J. The guidelines describe various policies and procedures that a financial institution or creditor must consider and include in its Program, where appropriate, to satisfy the requirements of the final rules. The preamble to the rules explains that an institution or creditor may determine that particular guidelines are not appropriate to incorporate into its Program as long as its Program contains reasonable policies and procedures to meet the specific requirements of the final rules.
• The guidelines clarify that a covered entity need not create duplicate policies and procedures and may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity's fraud prevention program.
• The final rules clarify that a Program (including the Red Flags determined to be relevant) may be periodically, rather than continually, updated to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
• The rules focus on consumer accounts, and require a Program to include only other accounts “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.”
• The definition of “Red Flags” no longer includes reference to the “possible risk” of identity theft and no longer incorporates precursors to identity theft.
• The final rules clarify that the Red Flags in Supplement A are examples rather than a mandatory checklist.
• Supplement A includes a Red Flag for activity on an inactive account in place of a separate guideline.
• The final rules clarify that the Board of Directors or a committee thereof must approve only the initial written Program. The rules provide a covered entity with the discretion to determine whether the Board or management will approve changes to the Program and the extent of Board involvement in oversight of the Program.
• The final rules clarify that only relevant staff must be trained to implement the Program, as necessary.
• Card issuers may satisfy the requirements of this section by verifying the address at the time the address change notification is received, whether or not the notification is linked to a request for an additional or replacement card—building on issuers' existing procedures.
• Covered entities need not comply with the final rules until November 1, 2008.
The Agencies did consider whether it would be appropriate to extend different treatment or exempt small covered entities from the requirements of this section of the final rulemaking. The Agencies note that identity theft can occur in small entities as well as large ones. The Agencies do not believe that an exemption for small entities is appropriate given the flexibility built into the final rules and guidelines and the importance of the statutory goals and mandate of section 114. As a result of the changes and clarifications noted above, this section of the final rule is far more flexible and less burdensome than that in the proposed rules while still fulfilling the statutory mandates enumerated in section 114. Moreover, the OCC has concluded that the incremental cost of these final rules and guidelines will not impose undue costs and will not have a significant economic impact on a substantial number of small entities.
Rules Implementing Section 315 The proposed regulations implementing section 315 required a user of consumer reports to have policies and procedures to enable the user to form a reasonable belief that it knows the identity of the consumer for whom it has obtained a consumer report. 
The proposed rules also required the user to furnish to the CRA from whom it received the notice of address discrepancy an address for the consumer that the user has reasonably confirmed is accurate when the user: (1) is able to form a reasonable belief that it knows the identity of the consumer for whom the consumer report was obtained; (2) establishes *or* maintains a continuing relationship with the consumer; and (3) regularly and in the ordinary course of business furnishes information to the CRA from which a notice of address discrepancy pertaining to the consumer was obtained. In connection with the proposed rulemaking the OCC noted that the FACT Act already requires CRAs to provide notices of address discrepancy to users of credit reports. The OCC stated that with respect to new accounts, a national bank already is required by the CIP rules to ensure that it knows the identity of a person opening a new account and to keep a record describing the resolution of any substantive discrepancy discovered during the verification process. The OCC also stated that as a matter of good business practice, most national banks currently have policies and procedures in place to respond to notices of address discrepancy when they are provided in connection with both new and existing accounts, by furnishing an address for the consumer that the bank has reasonably confirmed is accurate to the CRA from which it received the notice of address discrepancy. The OCC specifically requested comment on whether the proposed requirements differ from small banks' current practices and whether the proposed requirements on users of consumer reports to have policies and procedures to respond to the receipt of an address discrepancy could be altered to minimize any burden imposed to the extent consistent with the requirements of the FACT Act. Many suggestions received in response to this solicitation for comment would have required a statutory change. However, many commenters noted that section 315 does not require the reporting of a confirmed address to a CRA for a notice of address discrepancy received for an existing account. These commenters stated that the level of regulatory burden imposed by this requirement would be significant and would force users to reconcile and verify addresses millions of times a year in connection with routine account maintenance. 
Commenters maintained that this would result in enormous costs that provide relatively little benefit to consumers. The final rules address these comments and accordingly, under the rules implementing section 315, a user is not obligated to furnish a confirmed address for the consumer to the CRA in connection with existing accounts. Although a bank will likely have to modify its existing procedures to add a new procedure for promptly reporting to CRAs the reconciled address for new deposit accounts, the OCC has concluded that the final rules implementing section 315 will not impose undue costs on national banks and will not have a significant economic impact on a substantial number of small entities. Finally, as mentioned earlier, the final rules provide a transition period and do not require covered entities to fully comply with these requirements until November 1, 2008.
*Board:* The Board prepared an initial regulatory flexibility analysis as required by the Regulatory Flexibility Act (RFA) (5 U.S.C. 601 *et seq.*) in connection with the July 18, 2006 proposed rule. The Board received one comment on its regulatory flexibility analysis. Under Section 605(b) of the RFA, 5 U.S.C. 605(b), the regulatory flexibility analysis otherwise required under Section 604 of the RFA is not required if an agency certifies, along with a statement providing the factual basis for such certification, that the rule will not have a significant economic impact on a substantial number of small entities. Based on its analysis and for the reasons stated below, the Board certifies that this final rule will not have a significant economic impact on a substantial number of small entities. 1. *Statement of the need for, and objectives of, the final rule.* The FACT Act amends the FCRA and was enacted, in part, for the purpose of helping to reduce identity theft. Section 114 of the FACT Act amends section 615 of the FCRA and directs the Board, together with the other Agencies, to issue joint regulations and guidelines regarding the detection, prevention, and mitigation of identity theft, including special regulations requiring debit and credit card issuers to validate notifications of changes of address under certain circumstances. Section 315 of the FACT Act adds section 605(h)(2) to the FCRA and requires the Agencies to issue joint regulations that provide guidance regarding reasonable policies and procedures that a user of a consumer report should employ when the user receives a notice of address discrepancy. The Board received no comments on the reasons for the proposed rule. The Board is adopting the final rule to implement sections 114 and 315 of the FACT Act. The SUPPLEMENTARY INFORMATION above contains information on the objectives of the final rule. 2. 
*Summary of issues raised by comments in response to the initial regulatory flexibility analysis.* In accordance with Section 3(a) of the RFA, the Board conducted an initial regulatory flexibility analysis in connection with the proposed rule. One commenter, the Mortgage Bankers Association (MBA), responded to the initial regulatory flexibility analysis and stated that contrary to the Agencies' belief, the proposed rule would have a significant economic impact on a substantial number of affected small entities. The MBA stated that commercial and multifamily mortgage lenders should not be subject to the proposed rule because it would constitute useless regulatory burden. Three commenters (Independent Community Bankers of America, The Financial Services Roundtable and BITS, and KeyCorp) believed that the Board and the other Agencies had underestimated the costs of compliance. The issues raised by these commenters did not apply uniquely to small entities and are described in the Paperwork Reduction Act section above. Some small financial institutions expressed concern about the flexibility granted by the proposal. As stated in the Overview of Proposal and Comments Received, these commenters preferred to have more structured guidance that describes how to develop and implement a Program and what they would need to do to achieve compliance. In addition, one commenter expressed concern that smaller institutions would be particularly burdened by the proposal's requirement that the Program be designed to address changing identity risks “as they arise.” 3. 
*Description and estimate of small entities affected by the final rule.* The final rule applies to all banks that are members of the Federal Reserve System (other than national banks) and their respective operating subsidiaries, branches and Agencies of foreign banks (other than Federal branches, Federal Agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 *et seq.* , and 611 *et seq.* ). The Board's rule will apply to the following institutions (numbers approximate): State member banks (881), operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (877), U.S. branches and agencies of foreign banks (219), commercial lending companies owned or controlled by foreign banks (3), and Edge and agreement corporations (64), for a total of approximately 2,044 institutions. The Board estimates that more than 1,448 of these institutions could be considered small entities with assets of $165 million or less. 4. *Recordkeeping, reporting, and other compliance requirements.* Section 114 requires the Board to prescribe regulations that require financial institutions and creditors to establish reasonable policies and procedures to implement guidelines established by the Board and other federal agencies that address identity theft with respect to account holders and customers. This would be implemented by requiring a covered financial institution or creditor to create an Identity Theft Prevention Program that detects, prevents and mitigates the risk of identity theft applicable to its accounts. Section 114 also requires the Board to adopt regulations applicable to credit and debit card issuers to implement policies and procedures to assess the validity of change of address requests. 
The final rule implements this by requiring credit and debit card issuers to establish reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the issuer receives a request for an additional or replacement card for the same account. Section 315 requires the Board to prescribe regulations that provide guidance regarding the reasonable policies and procedures that a user of consumers' reports should employ to verify the identity of a consumer when a consumer reporting agency provides a notice of address discrepancy with the consumer reporting agency in certain circumstances. The final rule requires users of consumer reports to develop and implement reasonable policies and procedures for verifying the identity of a consumer for whom it has obtained a consumer report and for whom it receives a notice of address discrepancy and to reconcile an address discrepancy with the appropriate consumer reporting agency in certain circumstances. 5. *Steps taken to minimize the economic impact on small entities.* The Board and the other Agencies have attempted to minimize the economic impact on small entities by providing more flexibility in developing a Program and moving certain detail contained in the proposed regulations to the guidelines. In addition, to allow small entities and creditors to tailor their Programs to their operations, the final rules provide that the Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities. The Board has also eliminated the requirement for institutions to update their Program in response to changing identity theft risks “as they arise.” The final rule instead requires “periodic” updating. 
*FDIC:* The FDIC prepared an initial regulatory flexibility analysis as required by the Regulatory Flexibility Act
(RFA) (5 U.S.C. 601 et seq.) in connection with the July 18, 2006 proposed rule. Under Section 605(b) of the RFA, 5 U.S.C. 605(b), the regulatory flexibility analysis otherwise required under Section 604 of the RFA is not required if an agency certifies, along with a statement providing the factual basis for such certification, that the rule will not have a significant economic impact on a substantial number of small entities (defined for purposes of the RFA to include banks with less than $165 in assets). Based on its analysis and for the reasons stated below, the FDIC certifies that this final rule will not have a significant economic impact on a substantial number of small entities. Under the final rule implementing FACT Act Section 114, financial institutions and creditors must have a written program that includes controls to address the identity theft risks they have identified. Credit and debit card issuers must also have additional policies and procedures to assess the validity of change of address requests. The final rule would apply to all FDIC-insured state nonmember banks, approximately 3,260 of which are small entities. The rule is drafted in a flexible manner that allows institutions to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities. The final rules and guidelines do not require the use of any specific technology, systems, processes or methodology. The guidelines clarify that a covered entity need not create duplicate policies and procedures and may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity's fraud prevention program. 
The FDIC believes that many institutions have already implemented a significant portion of the detection and mitigation efforts required by the rule. With respect to the portion of the rule covering card issuers, those entities may satisfy the requirements of this section by verifying the address at the time the address change notification is received, whether or not the notification is linked to a request for an additional or replacement card—building on issuers' existing procedures. Under the final rule implementing FACT Act Section 315, a user of consumer reports (which constitutes most, if not all, FDIC-insured state nonmember banks) must have policies and procedures to enable the user to form a reasonable belief that it knows the identity of the consumer for whom it has obtained a consumer report. Although a bank will likely have to modify its existing procedures to add a new procedure for promptly reporting to consumer reporting agencies the reconciled address for new deposit accounts, the FDIC has concluded that the final rules implementing section 315—which only obligates a user to furnish a confirmed address for the consumer to the consumer reporting agency in connection with new, and not existing, accounts—will not impose undue costs on banks and will not have a significant economic impact on a substantial number of small entities. Moreover, the final rules provide a transition period and do not require covered entities to fully comply with these requirements until November 1, 2008. *OTS:* Under section 605(b) of the Regulatory Flexibility Act (RFA), 5 U.S.C. 605(b), OTS must either publish a Final Regulatory Flexibility Analysis
(FRFA) for a final rule or certify, along with a statement providing the factual basis for such certification, the rule will not have a significant economic impact on a substantial number of small entities. The Small Business Administration has defined “small entities” to include savings associations with total assets of $165 million or less. 13 CFR 121.201. The rule will implement sections 114 and 315 of the FACT Act and will apply to all savings associations (and federal savings associations operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act), 424 of which have assets of less than or equal to $165 million. Based on its analysis and for the reasons stated below, OTS certifies that this final rulemaking will not have a significant economic impact on a substantial number of small entities.
Rules Implementing Section 114
The proposed regulations implementing section 114 required the development and establishment of a written identity theft prevention program to detect, prevent, and mitigate identity theft. The proposed regulations also required card issuers to assess the validity of a notice of address change under certain circumstances. In connection with the proposed rulemaking, OTS concluded that the proposed regulations implementing section 114, if adopted as proposed, would not impose undue costs on savings associations and would not have a substantial economic impact on a substantial number of small savings associations. OTS noted that savings associations already employ a variety of measures that satisfy the requirements of the rulemaking because (1) such measures are a good business practice and generally are a part of a thrift's efforts to reduce losses due to fraud, and (2) savings associations already comply with other regulations and guidance that relate to information security, authentication, identity theft, and response programs. For example, savings associations are already subject to CIP rules requiring them to verify the identity of a person opening a new account [73] and already have various systems in place to detect certain patterns, practices and specific activities that indicate the possible existence of identity theft in connection with the opening of new accounts. Similarly, savings associations complying with the “Interagency Guidelines Establishing Information Security Standards” [74] and guidance recently issued by the FFIEC titled “Authentication in an Internet Banking Environment” [75] already have policies and procedures in place to detect attempted and actual intrusions into customer information systems and to detect patterns, practices and specific activities that indicate the possible existence of identity theft in connection with existing accounts. Savings associations complying with OTS's guidance on “Identity Theft and Pretext Calling” [76] already have policies and procedures to verify the validity of change of address requests on existing accounts.
[73] 31 CFR 103.121; 12 CFR 563.177 (savings associations).
[74] 12 CFR part 570, app. B (savings associations).
[75] OTS CEO Letter 228 (Oct. 12, 2005).
[76] OTS CEO Letter 139 (May 4, 2001).
Nonetheless, OTS specifically requested comment and specific data on the size of the incremental burden creating an identity theft prevention program would have on small savings associations, given their current practices and compliance with existing requirements. OTS also requested comment on how the final regulations might minimize any burden imposed to the extent consistent with the requirements of the FACT Act. 
Commenters confirmed that the proposed regulations implementing section 114 of the FACT Act are consistent with savings associations' usual and customary business practices used to minimize losses due to fraud in connection with new and existing accounts. They also confirmed that savings associations have implemented measures to address many of the proposed requirements as a result of having to comply with existing regulations and guidance. However, commenters also asserted that the Agencies had underestimated the incremental burden imposed by the proposed rules. They highlighted aspects of the proposal that they maintained would have required savings associations to alter their current practices and implement duplicative policies and procedures. Only a few commenters provided estimates of additional burden that would result from the proposed rules. Many of these comments stemmed from a misreading of the requirements of the proposed rules. Further, many commenters confused the Agencies' PRA estimates with the Agencies' overall conclusions regarding regulatory burden. [77]
[77] The PRA focuses more narrowly on the time, effort, and financial resources expended by persons to generate, maintain, or provide information to or for a Federal agency. *See* 44 U.S.C. 3501 *et seq.*
OTS believes that the final rules substantially address the concerns of the commenters as follows:
• The final rules allow a covered entity to tailor its Program to its size, complexity and nature of its operations. The final rules and guidelines do not require the use of any specific technology, systems, processes or methodology.
• The final rules list the four elements that must be a part of a Program, and the steps that a covered entity must take to administer the Program. The rules provide covered entities with greater discretion to determine how to implement these mandates.
• Additional requirements previously in the proposed rules are now in guidelines that are located in Appendix J. The guidelines describe various policies and procedures that a financial institution or creditor must consider and include in its Program, where appropriate, to satisfy the requirements of the final rules. The preamble to the rules explains that an institution or creditor may determine that particular guidelines are not appropriate to incorporate into its Program as long as its Program contains reasonable policies and procedures to meet the specific requirements of the final rules.
• The guidelines clarify that a covered entity need not create duplicate policies and procedures and may incorporate into its Program, as appropriate, its existing processes that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, such as those already developed in connection with the entity's fraud prevention program.
• The final rules clarify that a Program (including the Red Flags determined to be relevant) may be periodically, rather than continually, updated to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
• The rules focus on consumer accounts, and require a Program to include only other accounts “for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft.”
• The definition of “Red Flags” no longer includes reference to the “possible risk” of identity theft and no longer incorporates precursors to identity theft.
• The final rules clarify that the Red Flags in Supplement A are examples rather than a mandatory checklist.
• Supplement A includes a Red Flag for activity on an inactive account in place of a separate guideline.
• The final rules clarify that the Board of Directors or a committee thereof must approve only the initial written Program. The rules provide a covered entity with the discretion to determine whether the Board or management will approve changes to the Program and the extent of Board involvement in oversight of the Program.
• The final rules clarify that only relevant staff must be trained to implement the Program, as necessary.
• Card issuers may satisfy the requirements of this section by verifying the address at the time the address change notification is received, whether or not the notification is linked to a request for an additional or replacement card—building on issuers' existing procedures.
• Covered entities need not comply with the final rules until November 1, 2008.
The Agencies did consider whether it would be appropriate to extend different treatment or exempt small covered entities from the requirements of this section of the final rulemaking. The Agencies note that identity theft can occur in small entities as well as large ones. The Agencies do not believe that an exemption for small entities is appropriate given the flexibility built into the final rules and guidelines and the importance of the statutory goals and mandate of section 114. As a result of the changes and clarifications noted above, this section of the final rule is far more flexible and less burdensome than that in the proposed rules while still fulfilling the statutory mandates enumerated in section 114. Moreover, OTS has concluded that the incremental cost of these final rules and guidelines will not impose undue costs and will not have a significant economic impact on a substantial number of small entities.
Rules Implementing Section 315
The proposed regulations implementing section 315 required a user of consumer reports to have policies and procedures to enable the user to form a reasonable belief that it knows the identity of the consumer for whom it has obtained a consumer report. 
The proposed rules also required the user to furnish to the CRA from whom it received the notice of address discrepancy an address for the consumer that the user has reasonably confirmed is accurate when the user:
(1) Is able to form a reasonable belief that it knows the identity of the consumer for whom the consumer report was obtained;
(2) establishes *or* maintains a continuing relationship with the consumer; and
(3) regularly and in the ordinary course of business furnishes information to the CRA from which a notice of address discrepancy pertaining to the consumer was obtained. In connection with the proposed rulemaking OTS noted that the FACT Act already requires CRAs to provide notices of address discrepancy to users of credit reports. OTS stated that with respect to new accounts, a savings association already is required by the CIP rules to ensure that it knows the identity of a person opening a new account and to keep a record describing the resolution of any substantive discrepancy discovered during the verification process. OTS also stated that as a matter of good business practice, most savings associations currently have policies and procedures in place to respond to notices of address discrepancy when they are provided in connection with both new and existing accounts, by furnishing an address for the consumer that the association has reasonably confirmed is accurate to the CRA from which it received the notice of address discrepancy. OTS specifically requested comment on whether the proposed requirements differ from small savings associations' current practices and whether the proposed requirements on users of consumer reports to have policies and procedures to respond to the receipt of an address discrepancy could be altered to minimize any burden imposed to the extent consistent with the requirements of the FACT Act. Many suggestions received in response to this solicitation for comment would have required a statutory change. However, many commenters noted that section 315 does not require the reporting of a confirmed address to a CRA for a notice of address discrepancy received for an existing account. These commenters stated that the level of regulatory burden imposed by this requirement would be significant and would force users to reconcile and verify addresses millions of times a year in connection with routine account maintenance. 
Commenters maintained that this would result in enormous costs that provide relatively little benefit to consumers. The final rules address these comments and, accordingly, under the rules implementing section 315, a user is not obligated to furnish a confirmed address for the consumer to the CRA in connection with existing accounts. Although a savings association will likely have to modify its existing procedures to add a new procedure for promptly reporting to CRAs the reconciled address for new deposit accounts, OTS has concluded that the final rules implementing section 315 will not impose undue costs on savings associations and will not have a significant economic impact on a substantial number of small entities. Finally, as mentioned earlier, the final rules provide a transition period and do not require covered entities to fully comply with these requirements until November 1, 2008. *FTC:* The Regulatory Flexibility Act (“RFA”), 5 U.S.C. 601-612, requires that the Commission provide an Initial Regulatory Flexibility Analysis (“IRFA”) with a proposed rule and a Final Regulatory Flexibility Analysis (“FRFA”), if any, with the final rule, unless the Commission certifies that the rule will not have a significant economic impact on a substantial number of small entities. *See* 5 U.S.C. 603-605. The Commission hereby certifies that the final regulations will not have a significant economic impact on a substantial number of small business entities. The Commission recognizes that the final regulations will affect a substantial number of small businesses. We do not expect, however, that the final regulations will have a significant economic impact on these small entities. The Commission continues to believe that a precise estimate of the number of small entities that fall under the final regulations is not currently feasible. 
Based on changes made to the final regulations in response to comments received, however, and the Commission's own experience and knowledge of industry practices, the Commission also continues to believe that the cost and burden to small business entities of complying with the final regulations are minimal. Accordingly, this document serves as notice to the Small Business Administration of the agency's certification of no effect. Nonetheless, the Commission has decided to publish a FRFA with these final regulations. Therefore, the Commission has prepared the following analysis: 1. Need for and Objectives of the Rule The FTC is charged with enforcing the requirements of sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 (FACT Act) (15 U.S.C. §§ 1681m(e) and 1681c(h)(2)), which require the FTC to establish guidelines for financial institutions and creditors identifying patterns, practices, and specific forms of activity, that indicate the possible existence of identity theft, and regulations requiring each financial institution and creditor to establish policies and procedures for implementing the guidelines. In addition, section 114 requires credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. Section 315 requires the FTC to develop policies and procedures that a user of consumer reports must employ when such a user receives a notice of address discrepancy from a consumer reporting agency described in section 603(p) of the FCRA. In this action, the FTC promulgates final rules that would implement these requirements of the FACT Act. 2. Significant Issues Received by Public Comment The Commission received a number of comments on the effect of the proposed regulations. Some of the comments addressed the effect of the proposed regulations on businesses generally, and did not identify small businesses as a particular category. 
The FTC staff, therefore, has included all comments in this FRFA that raised potentially significant compliance issues for small businesses, regardless of whether the commenter identified small businesses as being an affected category. In drafting its PRA analysis for the proposed regulations, FTC staff believed that because motor vehicle dealers' loans typically are financed by financial institutions also subject to those regulations, the dealers were likely to use the latter's programs as a basis to develop their own. Therefore, although subject to a high risk of identity theft, their burden would be less than other high-risk entities. Commenters, however, noted among other concerns that some motor vehicle dealers finance their own loans. Thus, FTC staff no longer is considering motor vehicle dealers separately from other high-risk entities. As noted in the PRA analysis, the Agencies continue to believe that many of the high-risk entities, as part of their usual and customary business practices, already take steps to minimize losses due to fraud. The final rulemaking clarifies that only relevant staff need be trained to implement the Program, as necessary—meaning, for example, that staff already trained as a part of a covered entity's anti-fraud prevention efforts do not need to be re-trained except as incrementally needed. Notwithstanding this clarification, in response to comments received, the Agencies are increasing the burden estimates attributable to training from two to four hours, as is the FTC for high-risk entities in their initial year of implementing the Program, but FTC staff continues to believe that one hour of recurring annual training remains a reasonable estimate. A few commenters believed that FTC staff had underestimated the amount of time it would take low-risk entities to comply with the proposed regulations. 
These commenters estimated that the amount of time would range from 6 to 20 hours to create a program and 1 hour each to train employees and draft the annual report. The FTC staff believes these estimates were based on a misunderstanding of the requirements of the proposed regulations, including that the list of 31 Red Flags in the proposed guidelines was intended to be a checklist. The final regulations clarify that the list of Red Flags is illustrative only. Moreover, the emphasis of the written Program, as required under the final regulations, is to identify risks of identity theft. To the extent that entities with consumer accounts determine that they have a minimal risk of identity theft, they would be tasked only with developing a streamlined Program. Therefore, FTC staff does not believe that it would take such an entity 6 to 20 hours to develop a Program, 1 hour to train employees, and 1 hour to draft an annual report on risks of identity theft which are minimal or non-existent. Nonetheless, FTC staff believes that it may have underestimated the time low-risk entities may need to initially apply the final rule to develop a Program. Thus, FTC staff has increased from 20 minutes to 1 hour its previously stated estimate for this activity. In addition, the final regulations have been revised from the proposed regulations to alleviate the burden of creating a written Program for entities that determine that they do not have any covered accounts. The FTC staff believes that entities subject to a low risk of identity theft, but not having consumer accounts, will likely determine that they do not have covered accounts. Such entities would not be required to develop a written Program. The FTC staff estimates that approximately 9,191,496 [78] of the 10,813,525 low-risk entities subject to the requirement to create a written Program under the proposed regulations will not have covered accounts under the final rule. Therefore, although these 9,191,496 low-risk entities will have to conduct a periodic risk assessment to determine if they have covered accounts, they will not be required to develop a written Program, thereby substantially reducing the original burden estimate in the NPRM for low-risk entities.
[78] This estimate is derived from an analysis of a database of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers or other businesses, net of the number of creditors subject to the FTC's jurisdiction, an estimated subset of which comprise anticipated low-risk entities not having covered accounts under the final rule.
The FTC received additional comments on its IRFA requesting that the FTC delay implementation of the final rules for small businesses by a minimum of six months, consider creating a certification form for low-risk entities, and develop a small business compliance guide. The Agencies have set a mandatory compliance deadline of November 1, 2008, thereby providing all entities with well over six months in which to implement the final regulations. The FTC staff will be developing a small business compliance guide prior to the mandatory compliance deadline of November 1, 2008. The FTC staff will consider whether to include any model forms in such guide. The FTC did not receive any comments on its IRFA for the proposed regulations implementing section 114 requiring credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request, including notifying the cardholder or using another means of assessing the validity of the change of address. The FTC staff does not believe that the changes made to the final regulation have altered its original burden estimates. The FTC did not receive any comments on its IRFA relating to the proposed regulations under section 315. 3. 
Small Entities to Which the Final Rule Will Apply The final regulations apply to a wide variety of business categories under the Small Business Size Standards. Generally, the final regulations would apply to financial institutions, creditors, and users of consumer reports. In particular, entities under FTC's jurisdiction covered by section 114 include State-chartered credit unions, non-bank lenders, mortgage brokers, automobile dealers, utility companies, telecommunications companies, and any other person that regularly participates in a credit decision, including setting the terms of credit. The section 315 requirements apply to State-chartered credit unions, non-bank lenders, insurers, landlords, employers, mortgage brokers, automobile dealers, collection agencies, and any other person who requests a consumer report from a consumer reporting agency described in section 603(p) of the FCRA. Given the coverage of the final rules, a very large number of small entities across almost every industry could be subject to the final rules. For the majority of these entities, a small business is defined by the Small Business Administration as one whose average annual receipts do not exceed $6.5 million or who have fewer than 500 employees. [79]
[79] These numbers represent the size standards for most retail and service industries ($6.5 million total receipts) and manufacturing industries (500 employees). A list of the SBA's size standards for all industries can be found at *http://www.sba.gov/size/summary-whatis.html*.
*Section 114:* As discussed in the PRA section of this Notice, given the broad scope of section 114's requirements, it is difficult to determine with precision the number of financial institutions and creditors that are subject to the FTC's jurisdiction. 
There are numerous small businesses under the FTC's jurisdiction and there is no formal way to track them; moreover, as a whole, the entities under the FTC's jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the final regulations implementing section 114 will affect over 3500 financial institutions and over 11 million creditors [80] subject to the FTC's jurisdiction, for a combined total of approximately 11.1 million affected entities. Of this total, the FTC staff expects that well over 90% of these firms qualify as small businesses under existing size standards ( *i.e.* , $165 million in assets for financial institutions and $6.5 million in sales for many creditors).
[80] This estimate is derived from census data of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers and businesses. 2003 County Business Patterns, U.S. Census Bureau *(http://censtats.census.gov/cgi-bin/cbpnaic/cbpsel.pl);* and 2002 Economic Census, Bureau *(http://www.census.gov/econ/census02/)*.
One commenter acknowledged that the FTC's estimates as to the number of small entities that will be affected were accurate, but did not provide precise numbers. The final regulations implementing section 114 also require credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. Indeed, the final regulations require credit and debit card issuers to notify the cardholder or to use another means of assessing the validity of the change of address. FTC staff believes that there may be as many as 3,764 credit or debit card issuers that fall under the jurisdiction of the FTC and that well over 90% of these firms qualify as small businesses under existing size standards ( *i.e.* , $165 million in assets for financial institutions and $6.5 million in sales for many creditors). 
The Commission did not receive any comments to the IRFA on the latter credit or debit card issuers that would allow it to determine the precise number of small entities that will be affected. *Section 315:* As discussed in the PRA section of this Notice, given the broad scope of section 315's requirements, it is difficult to determine with precision the number of users of consumer reports that are subject to the FTC's jurisdiction. There are numerous small businesses under the FTC's jurisdiction and there is no formal way to track them; moreover, as a whole, the entities under the FTC's jurisdiction are so varied that there are no general sources that provide a record of their existence. Nonetheless, FTC staff estimates that the final regulations implementing section 315 will affect approximately 1.6 million users of consumer reports subject to the FTC's jurisdiction [81] and that well over 90% of these firms qualify as small businesses under existing size standards ( *i.e.* , $165 million in assets for financial institutions and $6.5 million in sales for many creditors). [Footnote 81: This estimate is derived from census data of U.S. businesses based on NAICS codes for businesses that market goods or services to consumers and businesses. 2003 County Business Patterns, U.S. Census Bureau *(http://censtats.census.gov/cgi-bin/cbpnaic/cbpsel.pl);* and 2002 Economic Census, Bureau *(http://www.census.gov/econ/census02/).*] The Commission did not receive any comments to the IRFA on the proposed regulations under Section 315 that would allow it to determine the precise number of small entities that will be affected. 4. Projected Reporting, Recordkeeping and Other Compliance Requirements The final requirements will involve some increased costs for affected parties. Most of these costs will be incurred by those required to conduct periodic risk assessments, and draft identity theft Programs and annual reports. 
There will also be costs associated with training, and for credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. In addition, there will be costs related to developing reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency, and for furnishing an address that the user has reasonably confirmed is accurate. The Commission does not expect, however, that the increased costs associated with the final regulations will be significant as explained below. *Section 114:* The FTC staff estimates that there may be as many as 90% of the businesses affected by the proposed rules under section 114 that are subject to a high risk of identity theft that qualify as small businesses. It is likely that many such entities already engage in various activities to minimize losses due to fraud as part of their usual and customary business practices. Accordingly, the impact of the proposed requirements would be merely incremental and not significant. In particular, the rule will direct many of these entities to consolidate their existing policies and procedures into a written Program and may require some additional staff training. The FTC expects that well over 90% of the businesses affected by the proposed rules under section 114 that are subject to a low risk of identity theft qualify as small businesses under existing size standards ( *i.e.* , $165 million in assets for financial institutions and $6.5 million in sales for many creditors). The final requirements are drafted in a flexible manner that limits the burden on a substantial majority of low-risk entities to conducting periodic risk assessments for covered accounts, and allows the remaining minority of low-risk entities to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities. 
As a result, the FTC staff expects that the burden on these low-risk entities will be minimal ( *i.e.* , not significant). The final regulations would require low-risk entities that have covered accounts that have no existing identity theft procedures to state in writing their low risk of identity theft, train staff to be attentive to future risks of identity theft, and, if appropriate, prepare an annual report. The FTC staff believes that, for the affected low-risk entities, such activities will not be complex or resource-intensive tasks. The final regulations implementing section 114 also require credit and debit card issuers to establish policies and procedures to assess the validity of a change of address request. It is likely that most of the entities have automated the process of notifying the cardholder or using other means to assess the validity of the change of address such that implementation will pose no further burden. For those that do not, the FTC staff expects that a small number of such entities (100) will need to develop policies and procedures to assess the validity of a change of address request. The impacts on such entities should not be significant, however. In calculating the costs, FTC staff assumes that for all entities, professional technical personnel and/or managerial personnel will conduct the periodic risk assessment, create and implement the Program, prepare the annual report, train employees, and assess the validity of a change of address request. *Section 315:* The final regulations implementing section 315 provide guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a user receives a notice of address discrepancy from a consumer reporting agency. The final regulations also require a user of consumer reports to furnish an address that the user has reasonably confirmed is accurate to the consumer reporting agency from which it receives a notice of address discrepancy, but only to the extent that such user regularly and in the ordinary course of business furnishes information to such consumer reporting agency. The FTC staff believes that the impacts on users of consumer reports that are small businesses will not be significant. As discussed in the PRA section of the NPRM, the FTC staff believes that it will not take users of consumer reports under FTC jurisdiction a significant amount of time to develop policies and procedures that they will employ when they receive a notice of address discrepancy. FTC staff believes that only 10,000 of such users of consumer reports furnish information to consumer reporting agencies as part of their usual and customary business practices and that approximately 20% of these entities qualify as small businesses. Therefore, the staff estimates that 2,000 small businesses will be affected by this portion of the final regulation that requires furnishing the correct address. 
As discussed in the PRA section of this NPRM, FTC staff estimates that it will not take such users of consumer reports a significant amount of time to develop the policies and procedures for furnishing the correct address to the consumer reporting agencies pursuant to the final regulations for implementing section 315. The FTC staff estimates that the costs associated with these impacts will not be significant. In calculating these costs, FTC staff assumes that the policies and procedures for notice of address discrepancy and furnishing the correct address will be set up by administrative support personnel. 5. Steps Taken To Minimize Significant Economic Impact of the Rule on Small Entities The Commission considered whether any significant alternatives, consistent with the purposes of the FACT Act, could further minimize the final regulations' impact on small entities. The FTC asked for comment on this issue. The final requirements are drafted in a flexible manner that limits the burden on a substantial majority of low-risk entities to conducting periodic risk assessments for covered accounts and allows the remaining minority of low-risk entities to develop and implement different types of programs based upon their size, complexity, and the nature and scope of their activities. In addition, a commenter requested that the FTC delay implementation of the final rules for small businesses by a minimum of six months, produce a shortened Red Flags list, consider creating a certification form for low-risk entities, and develop a small business compliance guide. The Agencies have set a mandatory compliance deadline of November 1, 2008, thereby providing all entities with well over six months in which to implement the final regulations. As discussed in the PRA analysis *infra* , the Agencies have clarified that the Red Flags Supplement is illustrative only, and is not intended to be used as a checklist. 
Therefore, the Agencies did not consider it necessary to alter the Red Flags listed. The FTC staff will be developing a small business compliance guide prior to the mandatory compliance deadline of November 1, 2008. The FTC staff will consider whether to include any model forms in such guide. C. OCC and OTS Executive Order 12866 Determination The OCC and the OTS each have independently determined that the final rule is not a “significant regulatory action” as defined in Executive Order 12866 because the annual effect on the economy is less than $100 million. Accordingly, a regulatory assessment is not required. D. OCC and OTS Executive Order 13132 Determination The OCC and the OTS each has determined that these final rules do not have any federalism implications for purposes of Executive Order 13132. E. NCUA Executive Order 13132 Determination Executive Order 13132 encourages independent regulatory agencies to consider the impact of their actions on State and local interests. In adherence to fundamental federalism principles, the NCUA, an independent regulatory agency as defined in 44 U.S.C. 3502(5) voluntarily complies with the Executive Order. These final rules apply only to federally chartered credit unions and would not have substantial direct effects on the States, on the connection between the national government and the States, or on the distribution of power and responsibilities among the various levels of government. The NCUA has determined that these final rules do not constitute a policy that has federalism implications for purposes of the Executive Order. F. 
OCC and OTS Unfunded Mandates Reform Act of 1995 Determination Section 202 of the Unfunded Mandates Reform Act of 1995, Public Law 104-4 (Unfunded Mandates Act) requests that an agency prepare a budgetary impact statement before promulgating a rule that includes a federal mandate that may result in expenditure by State, local, and tribal governments, in the aggregate, or by the private sector, of $100 million or more in any one year. If a budgetary impact statement is required, section 205 of the Unfunded Mandates Act also requires an agency to identify and consider a reasonable number of regulatory alternatives before promulgating a rule. The OCC and OTS each has determined that this rule will not result in expenditures by State, local, and tribal governments, or by the private sector, of $100 million or more. National banks and savings associations already employ a variety of measures that satisfy the requirements of the final rulemaking because, as described earlier, these are usual and customary business practices to minimize losses due to fraud, or because, as described earlier, they already comply with other existing regulations and guidance that relate to information security, authentication, identity theft, and response programs. Accordingly, neither the OCC nor the OTS has prepared a budgetary impact statement or specifically addressed the regulatory alternatives considered. G. NCUA: The Treasury and General Government Appropriations Act, 1999—Assessment of Federal Regulations and Policies on Families The NCUA has determined that these final rules will not affect family well-being within the meaning of section 654 of the Treasury and General Government Appropriations Act, 1999, Pub. L. 105-277, 112 Stat. 2681 (1998). H. NCUA: Small Business Regulatory Enforcement Fairness Act of 1996 (SBREFA) Determination A SBREFA (Pub. L. 
104-121) reporting requirement is triggered in instances where NCUA issues a final rule as defined by section 551 of the Administrative Procedure Act, 5 U.S.C. 551. NCUA has determined this final rule is not a major rule for purposes of SBREFA and the Office of Management and Budget (OMB) has concurred. I. Plain Language Section 722 of the Gramm-Leach-Bliley Act (12 U.S.C. 4809) requires the Federal banking agencies and the NCUA to use “plain language” in all proposed and final rules published in the **Federal Register**. The Agencies received no comments on how to make the rules easier to understand, and believe the final rules are presented in a clear and straightforward manner. List of Subjects 12 CFR Part 41 Banks, banking, Consumer protection, National Banks, Reporting and recordkeeping requirements. 12 CFR Part 222 Banks, banking, Holding companies, state member banks. 12 CFR Part 334 Administrative practice and procedure, Bank deposit insurance, Banks, banking, Reporting and recordkeeping requirements, Safety and soundness. 12 CFR Part 364 Administrative practice and procedure, Bank deposit insurance, Banks, banking, Reporting and recordkeeping requirements, Safety and Soundness. 12 CFR Part 571 Consumer protection, Credit, Fair Credit Reporting Act, Privacy, Reporting and recordkeeping requirements, Savings associations. 12 CFR Part 717 Consumer protection, Credit unions, Fair credit reporting, Privacy, Reporting and recordkeeping requirements. 16 CFR Part 681 Fair Credit Reporting Act, Consumer reports, Consumer report users, Consumer reporting agencies, Credit, Creditors, Information furnishers, Identity theft, Trade practices. Department of the Treasury Office of the Comptroller of the Currency 12 CFR Chapter I Authority and Issuance For the reasons discussed in the joint preamble, the Office of the Comptroller of the Currency amends Part 41 of title 12, chapter I, of the Code of Federal Regulations as follows: PART 41—FAIR CREDIT REPORTING 1. The authority citation for part 41 continues to read as follows: Authority: 12 U.S.C. 1 *et seq.,* 24 (Seventh), 93a, 481, 484, and 1818; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s-3, 1681t, 1681w, Sec. 214, Pub. L. 108-159, 117 Stat. 1952. Subpart A—General Provisions 2. 
Section 41.1 is added to read as follows: § 41.1 Purpose.
(a)*Purpose.* The purpose of this part is to establish standards for national banks regarding consumer report information. In addition, the purpose of this part is to specify the extent to which national banks may obtain, use, or share certain information. This part also contains a number of measures national banks must take to combat consumer fraud and related crimes, including identity theft.
(b)[Reserved] 3. Amend § 41.3 by revising the introductory text to read as follows: § 41.3 Definitions. For purposes of this part, unless explicitly stated otherwise: 4. Revise the heading for Subpart I to read as follows: Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal 5. Add § 41.82 to read as follows: § 41.82 Duties of users regarding address discrepancies.
(a)*Scope.* This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency, and that is a national bank, Federal branch or agency of a foreign bank, or any of their operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).
(b)*Definition.* For purposes of this section, a *notice of address discrepancy* means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.
(c)*Reasonable belief.*
(1)*Requirement to form a reasonable belief.* A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.
(2)*Examples of reasonable policies and procedures.*
(i)Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A)Obtains and uses to verify the consumer's identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B)Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
(C)Obtains from third-party sources; or
(ii)Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
(d)*Consumer's address.*
(1)*Requirement to furnish consumer's address to a consumer reporting agency.* A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i)Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii)Establishes a continuing relationship with the consumer; and
(iii)Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
(2)*Examples of confirmation methods.* The user may reasonably confirm an address is accurate by:
(i)Verifying the address with the consumer about whom it has requested the report;
(ii)Reviewing its own records to verify the address of the consumer;
(iii)Verifying the address through third-party sources; or
(iv)Using other reasonable means.
(3)*Timing.* The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer. 6. Add Subpart J to part 41 to read as follows: Subpart J—Identity Theft Red Flags Sec. 41.90 Duties regarding the detection, prevention, and mitigation of identity theft. 41.91 Duties of card issuers regarding changes of address. Subpart J—Identity Theft Red Flags § 41.90 Duties regarding the detection, prevention, and mitigation of identity theft.
(a)*Scope.* This section applies to a financial institution or creditor that is a national bank, Federal branch or agency of a foreign bank, and any of their operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).
(b)*Definitions.* For purposes of this section and Appendix J, the following definitions apply:
(1)*Account* means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
(i)An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii)A deposit account.
(2)The term *board of directors* includes:
(i)In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and
(ii)In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.
(3)*Covered account* means:
(i)An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii)Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4)*Credit* has the same meaning as in 15 U.S.C. 1681a(r)(5).
(5)*Creditor* has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
(6)*Customer* means a person that has a covered account with a financial institution or creditor.
(7)*Financial institution* has the same meaning as in 15 U.S.C. 1681a(t).
(8)*Identity theft* has the same meaning as in 16 CFR 603.2(a).
(9)*Red Flag* means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
(10)*Service provider* means a person that provides a service directly to the financial institution or creditor.
(c)*Periodic Identification of Covered Accounts.* Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1)The methods it provides to open its accounts;
(2)The methods it provides to access its accounts; and
(3)Its previous experiences with identity theft.
(d)*Establishment of an Identity Theft Prevention Program.*
(1)*Program requirement.* Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
(2)*Elements of the Program.* The Program must include reasonable policies and procedures to:
(i)Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
(ii)Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
(iii)Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv)Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
(e)*Administration of the Program.* Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(1)Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2)Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3)Train staff, as necessary, to effectively implement the Program; and
(4)Exercise appropriate and effective oversight of service provider arrangements.
(f)*Guidelines.* Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate. § 41.91 Duties of card issuers regarding changes of address.
(a)*Scope.* This section applies to an issuer of a debit or credit card (card issuer) that is a national bank, Federal branch or agency of a foreign bank, and any of their operating subsidiaries that are not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).
(b)*Definitions.* For purposes of this section:
(1)*Cardholder* means a consumer who has been issued a credit or debit card.
(2)*Clear and conspicuous* means reasonably understandable and designed to call attention to the nature and significance of the information presented.
(c)*Address validation requirements.* A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
(1)(i) Notifies the cardholder of the request:
(A)At the cardholder's former address; or
(B)By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii)Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2)Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 41.90 of this part.
(d)*Alternative timing of address validation.* A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
(e)*Form of notice.* Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder. Appendices D-I [Reserved] 7. Add and reserve appendices D through I to part 41. 8. Add Appendix J to part 41 to read as follows: Appendix J to Part 41—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation Section 41.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 41.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 41.90 of this part. I. The Program In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft. II. Identifying Relevant Red Flags
(a)*Risk Factors* . A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1)The types of covered accounts it offers or maintains;
(2)The methods it provides to open its covered accounts;
(3)The methods it provides to access its covered accounts; and
(4)Its previous experiences with identity theft.
(b)*Sources of Red Flags* . Financial institutions and creditors should incorporate relevant Red Flags from sources such as:
(1)Incidents of identity theft that the financial institution or creditor has experienced;
(2)Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3)Applicable supervisory guidance.
(c)*Categories of Red Flags* . The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.
(1)Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2)The presentation of suspicious documents;
(3)The presentation of suspicious personal identifying information, such as a suspicious address change;
(4)The unusual use of, or other suspicious activity related to, a covered account; and
(5)Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor. III. Detecting Red Flags The Program's policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a)Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b)Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts. IV. Preventing and Mitigating Identity Theft The Program's policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer's account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website. Appropriate responses may include the following:
(a)Monitoring a covered account for evidence of identity theft;
(b)Contacting the customer;
(c)Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d)Reopening a covered account with a new account number;
(e)Not opening a new covered account;
(f)Closing an existing covered account;
(g)Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h)Notifying law enforcement; or
(i)Determining that no response is warranted under the particular circumstances. V. Updating the Program Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:
(a)The experiences of the financial institution or creditor with identity theft;
(b)Changes in methods of identity theft;
(c)Changes in methods to detect, prevent, and mitigate identity theft;
(d)Changes in the types of accounts that the financial institution or creditor offers or maintains; and
(e)Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
VI. Methods for Administering the Program
(a)*Oversight of Program.* Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1)Assigning specific responsibility for the Program's implementation;
(2)Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 41.90 of this part; and
(3)Approving material changes to the Program as necessary to address changing identity theft risks.
(b)*Reports.*
(1)*In general.* Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 41.90 of this part.
(2)*Contents of report.* The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program.
(c)*Oversight of service provider arrangements.* Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.
VII. Other Applicable Legal Requirements
Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:
(a)For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;
(b)Implementing any requirements under 15 U.S.C. 1681c-1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;
(c)Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
(d)Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.
Supplement A to Appendix J
In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix J of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:
Alerts, Notifications or Warnings from a Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 41.82(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
   a. A recent and significant increase in the volume of inquiries;
   b. An unusual number of recently established credit relationships;
   c. A material change in the use of credit, especially with respect to recently established credit relationships; or
   d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
Suspicious Documents
5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
   a. The address does not match any address in the consumer report; or
   b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
   a. The address on an application is the same as the address provided on a fraudulent application; or
   b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
   a. The address on an application is fictitious, a mail drop, or a prison; or
   b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example:
   a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
   b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
   a. Nonpayment when there is no history of late or missed payments;
   b. A material increase in the use of available credit;
   c. A material change in purchasing or spending patterns;
   d. A material change in electronic fund transfer patterns in connection with a deposit account; or
   e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.
Notice From Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
Board of Governors of the Federal Reserve System
12 CFR Chapter II.
Authority and Issuance
For the reasons set forth in the joint preamble, part 222 of title 12, chapter II, of the Code of Federal Regulations is amended as follows:
PART 222—FAIR CREDIT REPORTING (REGULATION V)
1. The authority citation for part 222 continues to read as follows:
Authority: 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s-2, 1681s-3, 1681t, and 1681w; Secs. 3 and 214, Pub. L. 108-159, 117 Stat. 1952.
Subpart A—General Provisions
2. Section 222.3 is amended by revising the introductory text to read as follows:
§ 222.3 Definitions.
For purposes of this part, unless explicitly stated otherwise:
3. The heading for Subpart I is revised to read as follows:
Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal
4. A new § 222.82 is added to read as follows:
§ 222.82 Duties of users regarding address discrepancies.
(a)*Scope.* This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency, and that is a member bank of the Federal Reserve System (other than a national bank) and its respective operating subsidiaries, a branch or agency of a foreign bank (other than a Federal branch, Federal agency, or insured State branch of a foreign bank), commercial lending company owned or controlled by a foreign bank, and an organization operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 *et seq.*, and 611 *et seq.*).
(b)*Definition.* For purposes of this section, a *notice of address discrepancy* means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.
(c)*Reasonable belief.*
(1)*Requirement to form a reasonable belief.* A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.
(2)*Examples of reasonable policies and procedures.*
(i)Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A)Obtains and uses to verify the consumer's identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B)Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
(C)Obtains from third-party sources; or
(ii)Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
(d)*Consumer's address.*
(1)*Requirement to furnish consumer's address to a consumer reporting agency.* A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i)Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii)Establishes a continuing relationship with the consumer; and
(iii)Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
(2)*Examples of confirmation methods.* The user may reasonably confirm an address is accurate by:
(i)Verifying the address with the consumer about whom it has requested the report;
(ii)Reviewing its own records to verify the address of the consumer;
(iii)Verifying the address through third-party sources; or
(iv)Using other reasonable means.
(3)*Timing.* The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.
5. A new Subpart J is added to part 222 to read as follows:
Subpart J—Identity Theft Red Flags
Sec.
222.90 Duties regarding the detection, prevention, and mitigation of identity theft.
222.91 Duties of card issuers regarding changes of address.
Subpart J—Identity Theft Red Flags
§ 222.90 Duties regarding the detection, prevention, and mitigation of identity theft.
(a)*Scope.* This section applies to financial institutions and creditors that are member banks of the Federal Reserve System (other than national banks) and their respective operating subsidiaries, branches and agencies of foreign banks (other than Federal branches, Federal agencies, and insured State branches of foreign banks), commercial lending companies owned or controlled by foreign banks, and organizations operating under section 25 or 25A of the Federal Reserve Act (12 U.S.C. 601 *et seq.* , and 611 *et seq.* ).
(b)*Definitions.* For purposes of this section and Appendix J, the following definitions apply:
(1)*Account* means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
(i)An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii)A deposit account.
(2)The term *board of directors* includes:
(i)In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and
(ii)In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.
(3)*Covered account* means:
(i)An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii)Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4)*Credit* has the same meaning as in 15 U.S.C. 1681a(r)(5).
(5)*Creditor* has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
(6)*Customer* means a person that has a covered account with a financial institution or creditor.
(7)*Financial institution* has the same meaning as in 15 U.S.C. 1681a(t).
(8)*Identity theft* has the same meaning as in 16 CFR 603.2(a).
(9)*Red Flag* means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
(10)*Service provider* means a person that provides a service directly to the financial institution or creditor.
(c)*Periodic Identification of Covered Accounts.* Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1)The methods it provides to open its accounts;
(2)The methods it provides to access its accounts; and
(3)Its previous experiences with identity theft.
(d)*Establishment of an Identity Theft Prevention Program.*
(1)*Program requirement.* Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
(2)*Elements of the Program.* The Program must include reasonable policies and procedures to:
(i)Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
(ii)Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
(iii)Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv)Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
(e)*Administration of the Program.* Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(1)Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2)Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3)Train staff, as necessary, to effectively implement the Program; and
(4)Exercise appropriate and effective oversight of service provider arrangements.
(f)*Guidelines.* Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate.
§ 222.91 Duties of card issuers regarding changes of address.
(a)*Scope.* This section applies to a person described in § 222.90(a) that issues a debit or credit card (card issuer).
(b)*Definitions.* For purposes of this section:
(1)*Cardholder* means a consumer who has been issued a credit or debit card.
(2)*Clear and conspicuous* means reasonably understandable and designed to call attention to the nature and significance of the information presented.
(c)*Address validation requirements.* A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
(1)(i) Notifies the cardholder of the request:
(A)At the cardholder's former address; or
(B)By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii)Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2)Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 222.90 of this part.
(d)*Alternative timing of address validation.* A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
(e)*Form of notice.* Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.
Appendices D-I [Reserved]
6. Appendices D through I to part 222 are added and reserved.
7. A new Appendix J is added to part 222 to read as follows:
Appendix J to Part 222—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation
Section 222.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 222.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 222.90 of this part.
I. The Program
In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.
II. Identifying Relevant Red Flags
(a)*Risk Factors.* A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1)The types of covered accounts it offers or maintains;
(2)The methods it provides to open its covered accounts;
(3)The methods it provides to access its covered accounts; and
(4)Its previous experiences with identity theft.
(b)*Sources of Red Flags.* Financial institutions and creditors should incorporate relevant Red Flags from sources such as:
(1)Incidents of identity theft that the financial institution or creditor has experienced;
(2)Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3)Applicable supervisory guidance.
(c)*Categories of Red Flags.* The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.
(1)Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2)The presentation of suspicious documents;
(3)The presentation of suspicious personal identifying information, such as a suspicious address change;
(4)The unusual use of, or other suspicious activity related to, a covered account; and
(5)Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.
III. Detecting Red Flags
The Program's policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a)Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b)Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.
IV. Preventing and Mitigating Identity Theft
The Program's policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer's account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website. Appropriate responses may include the following:
(a)Monitoring a covered account for evidence of identity theft;
(b)Contacting the customer;
(c)Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d)Reopening a covered account with a new account number;
(e)Not opening a new covered account;
(f)Closing an existing covered account;
(g)Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h)Notifying law enforcement; or
(i)Determining that no response is warranted under the particular circumstances.
V. Updating the Program
Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:
(a)The experiences of the financial institution or creditor with identity theft;
(b)Changes in methods of identity theft;
(c)Changes in methods to detect, prevent, and mitigate identity theft;
(d)Changes in the types of accounts that the financial institution or creditor offers or maintains; and
(e)Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
VI. Methods for Administering the Program
(a)*Oversight of Program.* Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1)Assigning specific responsibility for the Program's implementation;
(2)Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 222.90 of this part; and
(3)Approving material changes to the Program as necessary to address changing identity theft risks.
(b)*Reports.*
(1)*In general.* Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 222.90 of this part.
(2)*Contents of report.* The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program.
(c)*Oversight of service provider arrangements.* Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.
VII. Other Applicable Legal Requirements
Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:
(a)For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;
(b)Implementing any requirements under 15 U.S.C. 1681c-1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;
(c)Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.
Supplement A to Appendix J
In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix J of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:
Alerts, Notifications or Warnings from a Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 222.82(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
   a. A recent and significant increase in the volume of inquiries;
   b. An unusual number of recently established credit relationships;
   c. A material change in the use of credit, especially with respect to recently established credit relationships; or
   d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
Suspicious Documents
5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
   a. The address does not match any address in the consumer report; or
   b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
   a. The address on an application is the same as the address provided on a fraudulent application; or
   b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
   a. The address on an application is fictitious, a mail drop, or a prison; or
   b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example:
   a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
   b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
   a. Nonpayment when there is no history of late or missed payments;
   b. A material increase in the use of available credit;
   c. A material change in purchasing or spending patterns;
   d. A material change in electronic fund transfer patterns in connection with a deposit account; or
   e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.
Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
Federal Deposit Insurance Corporation
12 CFR Chapter III
Authority and Issuance
For the reasons discussed in the joint preamble, the Federal Deposit Insurance Corporation is amending 12 CFR parts 334 and 364 of title 12, Chapter III, of the Code of Federal Regulations as follows:
PART 334—FAIR CREDIT REPORTING
1. The authority citation for part 334 is revised to read as follows:
Authority: 12 U.S.C. 1818, 1819 (Tenth) and 1831p-1; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s-3, 1681t, 1681w, 6801 and 6805, Pub. L. 108-159, 117 Stat. 1952.
Subpart A—General Provisions
2. Amend § 334.3 by revising the introductory text to read as follows:
§ 334.3 Definitions.
For purposes of this part, unless explicitly stated otherwise:
3. Revise the heading for Subpart I as shown below.
Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal
4. Add § 334.82 to read as follows:
§ 334.82 Duties of users regarding address discrepancies.
(a) *Scope.* This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency and that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).
(b)*Definition.* For purposes of this section, a *notice of address discrepancy* means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.
(c)*Reasonable belief.*
(1)*Requirement to form a reasonable belief.* A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.
(2)*Examples of reasonable policies and procedures.*
(i)Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A) Obtains and uses to verify the consumer's identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B)Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
(C)Obtains from third-party sources; or
(ii)Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
(d)*Consumer's address.*
(1)*Requirement to furnish consumer's address to a consumer reporting agency.* A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i)Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii)Establishes a continuing relationship with the consumer; and
(iii)Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
(2)*Examples of confirmation methods.* The user may reasonably confirm an address is accurate by:
(i)Verifying the address with the consumer about whom it has requested the report;
(ii)Reviewing its own records to verify the address of the consumer;
(iii)Verifying the address through third-party sources; or
(iv)Using other reasonable means.
(3) *Timing.* The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.
5. Add Subpart J to part 334 to read as follows:
Subpart J—Identity Theft Red Flags
Sec.
334.90 Duties regarding the detection, prevention, and mitigation of identity theft.
334.91 Duties of card issuers regarding changes of address.
Subpart J—Identity Theft Red Flags
§ 334.90 Duties regarding the detection, prevention, and mitigation of identity theft.
(a)*Scope.* This section applies to a financial institution or creditor that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).
(b)*Definitions.* For purposes of this section and Appendix J, the following definitions apply:
(1)*Account* means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
(i)An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii)A deposit account.
(2)The term *board of directors* includes:
(i)In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and
(ii)In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.
(3)*Covered account* means:
(i)An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii)Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4)*Credit* has the same meaning as in 15 U.S.C. 1681a(r)(5).
(5)*Creditor* has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
(6)*Customer* means a person that has a covered account with a financial institution or creditor.
(7)*Financial institution* has the same meaning as in 15 U.S.C. 1681a(t).
(8)*Identity theft* has the same meaning as in 16 CFR 603.2(a).
(9)*Red Flag* means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
(10)*Service provider* means a person that provides a service directly to the financial institution or creditor.
(c)*Periodic Identification of Covered Accounts.* Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1)The methods it provides to open its accounts;
(2)The methods it provides to access its accounts; and
(3)Its previous experiences with identity theft.
(d)*Establishment of an Identity Theft Prevention Program* —(1) *Program requirement.* Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
(2)*Elements of the Program.* The Program must include reasonable policies and procedures to:
(i)Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
(ii)Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
(iii)Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv)Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
(e)*Administration of the Program.* Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(1)Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2)Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3)Train staff, as necessary, to effectively implement the Program; and
(4)Exercise appropriate and effective oversight of service provider arrangements.
(f) *Guidelines.* Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate.
§ 334.91 Duties of card issuers regarding changes of address.
(a)*Scope.* This section applies to an issuer of a debit or credit card (card issuer) that is an insured state nonmember bank, insured state licensed branch of a foreign bank, or a subsidiary of such entities (except brokers, dealers, persons providing insurance, investment companies, and investment advisers).
(b)*Definitions.* For purposes of this section:
(1)*Cardholder* means a consumer who has been issued a credit or debit card.
(2)*Clear and conspicuous* means reasonably understandable and designed to call attention to the nature and significance of the information presented.
(c) *Address validation requirements.* A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
(1)(i) Notifies the cardholder of the request:
(A)At the cardholder's former address; or
(B)By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii)Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2)Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 334.90 of this part.
(d) *Alternative timing of address validation.* A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
(e) *Form of notice.* Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.
Appendices D-I [Reserved]
6. Add and reserve appendices D through I to part 334.
7. Add Appendix J to part 334 to read as follows:
Appendix J to Part 334—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation
Section 334.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 334.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 334.90 of this part.
I. The Program
In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.
II. Identifying Relevant Red Flags
(a)*Risk Factors.* A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1)The types of covered accounts it offers or maintains;
(2)The methods it provides to open its covered accounts;
(3)The methods it provides to access its covered accounts; and
(4)Its previous experiences with identity theft.
(b)*Sources of Red Flags.* Financial institutions and creditors should incorporate relevant Red Flags from sources such as:
(1)Incidents of identity theft that the financial institution or creditor has experienced;
(2)Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3)Applicable supervisory guidance.
(c)*Categories of Red Flags.* The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.
(1)Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2)The presentation of suspicious documents;
(3)The presentation of suspicious personal identifying information, such as a suspicious address change;
(4)The unusual use of, or other suspicious activity related to, a covered account; and
(5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.
III. *Detecting Red Flags.* The Program's policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b) Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.
IV. *Preventing and Mitigating Identity Theft.* The Program's policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer's account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent Web site. Appropriate responses may include the following:
(a)Monitoring a covered account for evidence of identity theft;
(b)Contacting the customer;
(c)Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d)Reopening a covered account with a new account number;
(e)Not opening a new covered account;
(f)Closing an existing covered account;
(g)Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h)Notifying law enforcement; or
(i) Determining that no response is warranted under the particular circumstances.
V. *Updating the Program.* Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:
(a)The experiences of the financial institution or creditor with identity theft;
(b)Changes in methods of identity theft;
(c)Changes in methods to detect, prevent, and mitigate identity theft;
(d)Changes in the types of accounts that the financial institution or creditor offers or maintains; and
(e) Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
VI. Methods for Administering the Program
(a)*Oversight of Program.* Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1)Assigning specific responsibility for the Program's implementation;
(2)Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 334.90 of this part; and
(3)Approving material changes to the Program as necessary to address changing identity theft risks.
(b)*Reports.*
(1)*In general.* Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 334.90 of this part.
(2)*Contents of report.* The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program.
(c) *Oversight of service provider arrangements.* Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.
VII. Other Applicable Legal Requirements
Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:
(a)For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;
(b)Implementing any requirements under 15 U.S.C. 1681c-1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;
(c)Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
(d) Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.
Supplement A to Appendix J
In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix J of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:
Alerts, Notifications or Warnings from a Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 334.82(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
   a. A recent and significant increase in the volume of inquiries;
   b. An unusual number of recently established credit relationships;
   c. A material change in the use of credit, especially with respect to recently established credit relationships; or
   d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
Suspicious Documents
5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:
   a. The address does not match any address in the consumer report; or
   b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
   a. The address on an application is the same as the address provided on a fraudulent application; or
   b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:
   a. The address on an application is fictitious, a mail drop, or a prison; or
   b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example:
   a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
   b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:
   a. Nonpayment when there is no history of late or missed payments;
   b. A material increase in the use of available credit;
   c. A material change in purchasing or spending patterns;
   d. A material change in electronic fund transfer patterns in connection with a deposit account; or
   e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.
Notice From Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
PART 364—STANDARDS FOR SAFETY AND SOUNDNESS
8. The authority citation for part 364 is revised to read as follows:
Authority: 12 U.S.C. 1818 and 1819 (Tenth), 1831p-1; 15 U.S.C. 1681b, 1681s, 1681w, 6801(b), 6805(b)(1).
9. Add the following sentence at the end of § 364.101(b):
§ 364.101 Standards for safety and soundness.
(b)* * * The interagency regulations and guidelines on identity theft detection, prevention, and mitigation prescribed pursuant to section 114 of the Fair and Accurate Credit Transactions Act of 2003, 15 U.S.C. 1681m(e), are set forth in §§ 334.90, 334.91, and Appendix J of part 334. DEPARTMENT OF THE TREASURY Office of Thrift Supervision 12 CFR Chapter V Authority and Issuance For the reasons discussed in the joint preamble, the Office of Thrift Supervision is amending part 571 of title 12, chapter V, of the Code of Federal Regulations as follows: PART 571—FAIR CREDIT REPORTING 1. Revise the authority citation for part 571 to read as follows: Authority: 12 U.S.C. 1462a, 1463, 1464, 1467a, 1828, 1831p-1, and 1881-1884; 15 U.S.C. 1681b, 1681c, 1681m, 1681s, 1681s-1, 1681t and 1681w; 15 U.S.C. 6801 and 6805; Sec. 214 Pub. L. 108-159, 117 Stat. 1952. Subpart A—General Provisions 2. Amend § 571.1 by revising paragraph (b)(9) and adding a new paragraph (b)(10) to read as follows: § 571.1 Purpose and Scope.
(b)*scope* . (9)(i) The scope of § 571.82 of Subpart I of this part is stated in § 571.82(a) of this part.
(ii)The scope of § 571.83 of Subpart I of this part is stated in § 571.83(a) of this part. (10)(i) The scope of § 571.90 of Subpart J of this part is stated in § 571.90(a) of this part.
(ii)The scope of § 571.91 of Subpart J of this part is stated in § 571.91(a) of this part. 3. Amend § 571.3 by: a. Removing paragraph (o); and b. Revising the introductory text to read as follows: § 571.3 Definitions. For purposes of this part, unless explicitly stated otherwise: 4. Revise the heading for Subpart I as shown below. Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal 5. Add § 571.82 to read as follows: § 571.82 Duties of users regarding address discrepancies.
(a)*Scope*. This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency, and that is a savings association whose deposits are insured by the Federal Deposit Insurance Corporation or, in accordance with § 559.3(h)(1) of this chapter, a federal savings association operating subsidiary that is not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).
(b)*Definition* . For purposes of this section, a *notice of address discrepancy* means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.
(c)*Reasonable belief* .
(1)*Requirement to form a reasonable belief* . A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.
(2)*Examples of reasonable policies and procedures.*
(i)Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A)Obtains and uses to verify the consumer's identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B)Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
(C)Obtains from third-party sources; or
(ii)Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
(d)*Consumer's address.*
(1)*Requirement to furnish consumer's address to a consumer reporting agency.* A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i)Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii)Establishes a continuing relationship with the consumer; and
(iii)Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
(2)*Examples of confirmation methods.* The user may reasonably confirm an address is accurate by:
(i)Verifying the address with the consumer about whom it has requested the report;
(ii)Reviewing its own records to verify the address of the consumer;
(iii)Verifying the address through third-party sources; or
(iv)Using other reasonable means.
(3)*Timing.* The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer.
6. Amend § 571.83 by: a. Redesignating paragraphs (a) and (b) as paragraphs (b) and (c), respectively. b. Adding a new paragraph (a) to read as follows: § 571.83 Disposal of consumer information.
(a)*Scope.* This section applies to savings associations whose deposits are insured by the Federal Deposit Insurance Corporation and federal savings association operating subsidiaries in accordance with § 559.3(h)(1) of this chapter (defined as “you”). 7. Add Subpart J to part 571 to read as follows: Subpart J—Identity Theft Red Flags Sec. 571.90 Duties regarding the detection, prevention, and mitigation of identity theft. 571.91 Duties of card issuers regarding changes of address. Subpart J—Identity Theft Red Flags § 571.90 Duties regarding the detection, prevention, and mitigation of identity theft.
(a)*Scope.* This section applies to a financial institution or creditor that is a savings association whose deposits are insured by the Federal Deposit Insurance Corporation or, in accordance with § 559.3(h)(1) of this chapter, a federal savings association operating subsidiary that is not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).
(b)*Definitions.* For purposes of this section and Appendix J, the following definitions apply:
(1)*Account* means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
(i)An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii)A deposit account.
(2)The term *board of directors* includes:
(i)In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and
(ii)In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.
(3)*Covered account* means:
(i)An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii)Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4)*Credit* has the same meaning as in 15 U.S.C. 1681a(r)(5).
(5)*Creditor* has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
(6)*Customer* means a person that has a covered account with a financial institution or creditor.
(7)*Financial institution* has the same meaning as in 15 U.S.C. 1681a(t).
(8)*Identity theft* has the same meaning as in 16 CFR 603.2(a).
(9)*Red Flag* means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
(10)*Service provider* means a person that provides a service directly to the financial institution or creditor.
(c)*Periodic Identification of Covered Accounts.* Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1)The methods it provides to open its accounts;
(2)The methods it provides to access its accounts; and
(3)Its previous experiences with identity theft.
(d)*Establishment of an Identity Theft Prevention Program.*
(1)*Program requirement.* Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
(2)*Elements of the Program.* The Program must include reasonable policies and procedures to:
(i)Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
(ii)Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
(iii)Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv)Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
(e)*Administration of the Program.* Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(1)Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2)Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3)Train staff, as necessary, to effectively implement the Program; and
(4)Exercise appropriate and effective oversight of service provider arrangements.
(f)*Guidelines.* Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate. § 571.91 Duties of card issuers regarding changes of address.
(a)*Scope.* This section applies to an issuer of a debit or credit card (card issuer) that is a savings association whose deposits are insured by the Federal Deposit Insurance Corporation or, in accordance with § 559.3(h)(1) of this chapter, a federal savings association operating subsidiary that is not functionally regulated within the meaning of section 5(c)(5) of the Bank Holding Company Act of 1956, as amended (12 U.S.C. 1844(c)(5)).
(b)*Definitions.* For purposes of this section:
(1)*Cardholder* means a consumer who has been issued a credit or debit card.
(2)*Clear and conspicuous* means reasonably understandable and designed to call attention to the nature and significance of the information presented.
(c)*Address validation requirements.* A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer: (1)(i) Notifies the cardholder of the request:
(A)At the cardholder's former address; or
(B)By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii)Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2)Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 571.90 of this part.
(d)*Alternative timing of address validation.* A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
(e)*Form of notice.* Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder. Appendices D-I [Reserved] 8. Add and reserve appendices D through I to part 571. 9. Add Appendix J to part 571 to read as follows: Appendix J to Part 571—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation Section 571.90 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 571.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 571.90 of this part. I. The Program In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft. II. Identifying Relevant Red Flags
(a)*Risk Factors.* A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1)The types of covered accounts it offers or maintains;
(2)The methods it provides to open its covered accounts;
(3)The methods it provides to access its covered accounts; and
(4)Its previous experiences with identity theft.
(b)*Sources of Red Flags.* Financial institutions and creditors should incorporate relevant Red Flags from sources such as:
(1)Incidents of identity theft that the financial institution or creditor has experienced;
(2)Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3)Applicable supervisory guidance.
(c)*Categories of Red Flags.* The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.
(1)Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2)The presentation of suspicious documents;
(3)The presentation of suspicious personal identifying information, such as a suspicious address change;
(4)The unusual use of, or other suspicious activity related to, a covered account; and
(5)Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor. III. Detecting Red Flags The Program's policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a)Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b)Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts. IV. Preventing and Mitigating Identity Theft The Program's policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer's account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website. Appropriate responses may include the following:
(a)Monitoring a covered account for evidence of identity theft;
(b)Contacting the customer;
(c)Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d)Reopening a covered account with a new account number;
(e)Not opening a new covered account;
(f)Closing an existing covered account;
(g)Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h)Notifying law enforcement; or
(i)Determining that no response is warranted under the particular circumstances. V. Updating the Program Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:
(a)The experiences of the financial institution or creditor with identity theft;
(b)Changes in methods of identity theft;
(c)Changes in methods to detect, prevent, and mitigate identity theft;
(d)Changes in the types of accounts that the financial institution or creditor offers or maintains; and
(e)Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements. VI. Methods for Administering the Program
(a)*Oversight of Program.* Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1)Assigning specific responsibility for the Program's implementation;
(2)Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 571.90 of this part; and
(3)Approving material changes to the Program as necessary to address changing identity theft risks.
(b)*Reports.*
(1)*In general.* Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 571.90 of this part.
(2)*Contents of report.* The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program.
(c)*Oversight of service provider arrangements.* Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft. VII. Other Applicable Legal Requirements Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:
(a)For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;
(b)Implementing any requirements under 15 U.S.C. 1681c-1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;
(c)Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
(d)Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.
Supplement A to Appendix J
In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix J of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:
Alerts, Notifications or Warnings from a Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 571.82(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: a. A recent and significant increase in the volume of inquiries; b. An unusual number of recently established credit relationships; c. A material change in the use of credit, especially with respect to recently established credit relationships; or d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
Suspicious Documents
5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example: a. The address does not match any address in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is the same as the address provided on a fraudulent application; or b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is fictitious, a mail drop, or a prison; or b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example: a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available credit; c. A material change in purchasing or spending patterns; d. A material change in electronic fund transfer patterns in connection with a deposit account; or e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.
Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
National Credit Union Administration
12 CFR Chapter VII
Authority and Issuance
For the reasons discussed in the joint preamble, the National Credit Union Administration is amending part 717 of title 12, chapter VII, of the Code of Federal Regulations as follows:
PART 717—FAIR CREDIT REPORTING
1. The authority citation for part 717 is revised to read as follows:
Authority: 12 U.S.C. 1751 *et seq.*; 15 U.S.C. 1681a, 1681b, 1681c, 1681m, 1681s, 1681s-1, 1681t, 1681w, 6801 and 6805, Pub. L. 108-159, 117 Stat. 1952.
Subpart A—General Provisions
2. Amend § 717.3 by revising the introductory text to read as follows:
§ 717.3 Definitions. For purposes of this part, unless explicitly stated otherwise:
3. Revise the heading for Subpart I as shown below.
Subpart I—Duties of Users of Consumer Reports Regarding Address Discrepancies and Records Disposal
4. Add § 717.82 to read as follows:
§ 717.82 Duties of users regarding address discrepancies.
(a)*Scope.* This section applies to a user of consumer reports (user) that receives a notice of address discrepancy from a consumer reporting agency, and that is federal credit union.
(b)*Definition.* For purposes of this section, a *notice of address discrepancy* means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.
(c)*Reasonable belief*—(1) *Requirement to form a reasonable belief.* A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.
(2)*Examples of reasonable policies and procedures.*
(i)Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A)Obtains and uses to verify the consumer's identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B)Maintains in its own records, such as applications, change of address notifications, other member account records, or retained CIP documentation; or
(C)Obtains from third-party sources; or
(ii)Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
(d)*Consumer's address*—(1) *Requirement to furnish consumer's address to a consumer reporting agency.* A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i)Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii)Establishes a continuing relationship with the consumer; and
(iii)Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
(2)*Examples of confirmation methods.* The user may reasonably confirm an address is accurate by:
(i)Verifying the address with the consumer about whom it has requested the report;
(ii)Reviewing its own records to verify the address of the consumer;
(iii)Verifying the address through third-party sources; or
(iv)Using other reasonable means.
(3)*Timing.* The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer. 5. Add Subpart J to part 717 to read as follows: Subpart J—Identity Theft Red Flags Sec. 717.90 Duties regarding the detection, prevention, and mitigation of identity theft. 717.91 Duties of card issuers regarding changes of address. Subpart J—Identity Theft Red Flags § 717.90 Duties regarding the detection, prevention, and mitigation of identity theft.
(a)*Scope.* This section applies to a financial institution or creditor that is a federal credit union.
(b)*Definitions.* For purposes of this section and Appendix J, the following definitions apply:
(1)*Account* means a continuing relationship established by a person with a federal credit union to obtain a product or service for personal, family, household or business purposes. Account includes:
(i)An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii)A share or deposit account.
(2)The term *board of directors* refers to a federal credit union's board of directors.
(3)*Covered account* means:
(i)An account that a federal credit union offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, checking account, or share account; and
(ii)Any other account that the federal credit union offers or maintains for which there is a reasonably foreseeable risk to members or to the safety and soundness of the federal credit union from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4)*Credit* has the same meaning as in 15 U.S.C. 1681a(r)(5).
(5)*Creditor* has the same meaning as in 15 U.S.C. 1681a(r)(5).
(6)*Customer* means a member that has a covered account with a federal credit union.
(7)*Financial institution* has the same meaning as in 15 U.S.C. 1681a(t).
(8)*Identity theft* has the same meaning as in 16 CFR 603.2(a).
(9)*Red Flag* means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
(10)*Service provider* means a person that provides a service directly to the federal credit union.
(c)*Periodic Identification of Covered Accounts.* Each federal credit union must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a federal credit union must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1)The methods it provides to open its accounts;
(2)The methods it provides to access its accounts; and
(3)Its previous experiences with identity theft.
(d)*Establishment of an Identity Theft Prevention Program.*
(1)*Program requirement.* Each federal credit union that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the federal credit union and the nature and scope of its activities.
(2)*Elements of the Program.* The Program must include reasonable policies and procedures to:
(i)Identify relevant Red Flags for the covered accounts that the federal credit union offers or maintains, and incorporate those Red Flags into its Program;
(ii)Detect Red Flags that have been incorporated into the Program of the federal credit union;
(iii)Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv)Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to members and to the safety and soundness of the federal credit union from identity theft.
(e)*Administration of the Program.* Each federal credit union that is required to implement a Program must provide for the continued administration of the Program and must:
(1)Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2)Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3)Train staff, as necessary, to effectively implement the Program; and
(4)Exercise appropriate and effective oversight of service provider arrangements.
(f)*Guidelines.* Each federal credit union that is required to implement a Program must consider the guidelines in Appendix J of this part and include in its Program those guidelines that are appropriate. § 717.91 Duties of card issuers regarding changes of address.
(a)*Scope.* This section applies to an issuer of a debit or credit card (card issuer) that is a federal credit union.
(b)*Definitions.* For purposes of this section:
(1)*Cardholder* means a member who has been issued a credit or debit card.
(2)*Clear and conspicuous* means reasonably understandable and designed to call attention to the nature and significance of the information presented.
(c)*Address validation requirements.* A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a member's debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer: (1)(i) Notifies the cardholder of the request:
(A)At the cardholder's former address; or
(B)By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii)Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2)Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 717.90 of this part.
(d)*Alternative timing of address validation.* A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
(e)*Form of notice.* Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder. Appendices D-I [Reserved] 6. Add and reserve appendices D through I to part 717. 7. Add Appendix J to part 717 to read as follows: Appendix J to Part 717—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation Section 717.90 of this part requires each federal credit union that offers or maintains one or more covered accounts, as defined in § 717.90(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist federal credit unions in the formulation and maintenance of a Program that satisfies the requirements of § 717.90 of this part. I. The Program In designing its Program, a federal credit union may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to members or to the safety and soundness of the federal credit union from identity theft. II. Identifying Relevant Red Flags
(a)*Risk Factors.* A federal credit union should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1)The types of covered accounts it offers or maintains;
(2)The methods it provides to open its covered accounts;
(3)The methods it provides to access its covered accounts; and
(4)Its previous experiences with identity theft.
(b)*Sources of Red Flags.* Federal credit unions should incorporate relevant Red Flags from sources such as:
(1)Incidents of identity theft that the federal credit union has experienced;
(2)Methods of identity theft that the federal credit union has identified that reflect changes in identity theft risks; and
(3)Applicable supervisory guidance.
(c)*Categories of Red Flags.* The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.
(1)Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2)The presentation of suspicious documents;
(3)The presentation of suspicious personal identifying information, such as a suspicious address change;
(4)The unusual use of, or other suspicious activity related to, a covered account; and
(5)Notice from members, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the federal credit union. III. Detecting Red Flags The Program's policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a)Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b)Authenticating members, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts. IV. Preventing and Mitigating Identity Theft The Program's policies and procedures should provide for appropriate responses to the Red Flags the federal credit union has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a federal credit union should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a member's account records held by the federal credit union or a third party, or notice that a member has provided information related to a covered account held by the federal credit union to someone fraudulently claiming to represent the federal credit union or to a fraudulent website. Appropriate responses may include the following:
(a)Monitoring a covered account for evidence of identity theft;
(b)Contacting the member;
(c)Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d)Reopening a covered account with a new account number;
(e)Not opening a new covered account;
(f)Closing an existing covered account;
(g)Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h)Notifying law enforcement; or
(i)Determining that no response is warranted under the particular circumstances. V. Updating the Program Federal credit unions should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to members or to the safety and soundness of the federal credit union from identity theft, based on factors such as:
(a)The experiences of the federal credit union with identity theft;
(b)Changes in methods of identity theft;
(c)Changes in methods to detect, prevent, and mitigate identity theft;
(d)Changes in the types of accounts that the federal credit union offers or maintains; and
(e)Changes in the business arrangements of the federal credit union, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements. VI. Methods for Administering the Program
(a)*Oversight of Program.* Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1)Assigning specific responsibility for the Program's implementation;
(2)Reviewing reports prepared by staff regarding compliance by the federal credit union with § 717.90 of this part; and
(3)Approving material changes to the Program as necessary to address changing identity theft risks.
(b)*Reports.*
(1)*In general.* Staff of the federal credit union responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the federal credit union with § 717.90 of this part.
(2)*Contents of report.* The report should address material matters related to the Program and evaluate issues such as: the effectiveness of the policies and procedures of the federal credit union in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program.
(c)*Oversight of service provider arrangements.* Whenever a federal credit union engages a service provider to perform an activity in connection with one or more covered accounts the federal credit union should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a federal credit union could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities, and either report the Red Flags to the federal credit union, or to take appropriate steps to prevent or mitigate identity theft. VII. Other Applicable Legal Requirements Federal credit unions should be mindful of other related legal requirements that may be applicable, such as:
(a)Filing a Suspicious Activity Report under 31 U.S.C. 5318(g) and 12 CFR 748.1(c);
(b)Implementing any requirements under 15 U.S.C. 1681c-1(h) regarding the circumstances under which credit may be extended when the federal credit union detects a fraud or active duty alert;
(c)Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
(d)Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft. Supplement A to Appendix J In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix J of this part, each federal credit union may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts: Alerts, Notifications or Warnings From a Consumer Reporting Agency 1. A fraud or active duty alert is included with a consumer report. 2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report. 3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 717.82(b) of this part. 4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or member, such as: a. A recent and significant increase in the volume of inquiries; b. An unusual number of recently established credit relationships; c. A material change in the use of credit, especially with respect to recently established credit relationships; or d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor. Suspicious Documents 5. Documents provided for identification appear to have been altered or forged. 6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or member presenting the identification. 7. Other information on the identification is not consistent with information provided by the person opening a new covered account or member presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the federal credit union, such as a signature card or a recent check. 9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled. Suspicious Personal Identifying Information 10. Personal identifying information provided is inconsistent when compared against external information sources used by the federal credit union. For example: a. The address does not match any address in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File. 11. Personal identifying information provided by the member is not consistent with other personal identifying information provided by the member. For example, there is a lack of correlation between the SSN range and date of birth. 12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the federal credit union. For example: a. The address on an application is the same as the address provided on a fraudulent application; or b. The phone number on an application is the same as the number provided on a fraudulent application. 13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the federal credit union. For example: a. The address on an application is fictitious, a mail drop, or prison; or b. The phone number is invalid, or is associated with a pager or answering service. 14. The SSN provided is the same as that submitted by other persons opening an account or other members. 15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other members. 16. The person opening the covered account or the member fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete. 17. Personal identifying information provided is not consistent with personal identifying information that is on file with the federal credit union. 18. For federal credit unions that use challenge questions, the person opening the covered account or the member cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Unusual Use of, or Suspicious Activity Related to, the Covered Account 19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account. 20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example: a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or b. The member fails to make the first payment or makes an initial payment but no subsequent payments. 21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available credit; c. A material change in purchasing or spending patterns; d. A material change in electronic fund transfer patterns in connection with a deposit account; or e. A material change in telephone call patterns in connection with a cellular phone account. 22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors). 23. Mail sent to the member is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the member's covered account. 24. The federal credit union is notified that the member is not receiving paper account statements. 25. The federal credit union is notified of unauthorized charges or transactions in connection with a member's covered account.
Notice From Members, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Federal Credit Union 26. The federal credit union is notified by a member, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft. FEDERAL TRADE COMMISSION 16 CFR Part 681 Authority and Issuance For the reasons discussed in the joint preamble, the Commission is adding part 681 of title 16 of the Code of Federal Regulations as follows: PART 681—IDENTITY THEFT RULES Sec. 681.1 Duties of users of consumer reports regarding address discrepancies. 681.2 Duties regarding the detection, prevention, and mitigation of identity theft. 681.3 Duties of card issuers regarding changes of address. Appendix A to Part 681—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation Authority: Pub. L. 108-159, sec. 114 and sec. 315; 15 U.S.C. 1681m(e) and 15 U.S.C. 1681c(h). § 681.1 Duties of users regarding address discrepancies.
(a)*Scope.* This section applies to users of consumer reports that are subject to administrative enforcement of the FCRA by the Federal Trade Commission pursuant to 15 U.S.C. 1681s(a)(1) (users).
(b)*Definition.* For purposes of this section, a *notice of address discrepancy* means a notice sent to a user by a consumer reporting agency pursuant to 15 U.S.C. 1681c(h)(1), that informs the user of a substantial difference between the address for the consumer that the user provided to request the consumer report and the address(es) in the agency's file for the consumer.
(c)*Reasonable belief.*
(1)*Requirement to form a reasonable belief.* A user must develop and implement reasonable policies and procedures designed to enable the user to form a reasonable belief that a consumer report relates to the consumer about whom it has requested the report, when the user receives a notice of address discrepancy.
(2)*Examples of reasonable policies and procedures.*
(i)Comparing the information in the consumer report provided by the consumer reporting agency with information the user:
(A)Obtains and uses to verify the consumer's identity in accordance with the requirements of the Customer Information Program (CIP) rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121);
(B)Maintains in its own records, such as applications, change of address notifications, other customer account records, or retained CIP documentation; or
(C)Obtains from third-party sources; or
(ii)Verifying the information in the consumer report provided by the consumer reporting agency with the consumer.
(d)*Consumer's address.*
(1)*Requirement to furnish consumer's address to a consumer reporting agency.* A user must develop and implement reasonable policies and procedures for furnishing an address for the consumer that the user has reasonably confirmed is accurate to the consumer reporting agency from whom it received the notice of address discrepancy when the user:
(i)Can form a reasonable belief that the consumer report relates to the consumer about whom the user requested the report;
(ii)Establishes a continuing relationship with the consumer; and
(iii)Regularly and in the ordinary course of business furnishes information to the consumer reporting agency from which the notice of address discrepancy relating to the consumer was obtained.
(2)*Examples of confirmation methods.* The user may reasonably confirm an address is accurate by:
(i)Verifying the address with the consumer about whom it has requested the report;
(ii)Reviewing its own records to verify the address of the consumer;
(iii)Verifying the address through third-party sources; or
(iv)Using other reasonable means.
(3)*Timing.* The policies and procedures developed in accordance with paragraph (d)(1) of this section must provide that the user will furnish the consumer's address that the user has reasonably confirmed is accurate to the consumer reporting agency as part of the information it regularly furnishes for the reporting period in which it establishes a relationship with the consumer. § 681.2 Duties regarding the detection, prevention, and mitigation of identity theft.
(a)*Scope.* This section applies to financial institutions and creditors that are subject to administrative enforcement of the FCRA by the Federal Trade Commission pursuant to 15 U.S.C. 1681s(a)(1).
(b)*Definitions.* For purposes of this section, and Appendix A, the following definitions apply:
(1)*Account* means a continuing relationship established by a person with a financial institution or creditor to obtain a product or service for personal, family, household or business purposes. Account includes:
(i)An extension of credit, such as the purchase of property or services involving a deferred payment; and
(ii)A deposit account.
(2)The term *board of directors* includes:
(i)In the case of a branch or agency of a foreign bank, the managing official in charge of the branch or agency; and
(ii)In the case of any other creditor that does not have a board of directors, a designated employee at the level of senior management.
(3)*Covered account* means:
(i)An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and
(ii)Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
(4)*Credit* has the same meaning as in 15 U.S.C. 1681a(r)(5).
(5)*Creditor* has the same meaning as in 15 U.S.C. 1681a(r)(5), and includes lenders such as banks, finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies.
(6)*Customer* means a person that has a covered account with a financial institution or creditor.
(7)*Financial institution* has the same meaning as in 15 U.S.C. 1681a(t).
(8)*Identity theft* has the same meaning as in 16 CFR 603.2(a).
(9)*Red Flag* means a pattern, practice, or specific activity that indicates the possible existence of identity theft.
(10)*Service provider* means a person that provides a service directly to the financial institution or creditor.
(c)*Periodic Identification of Covered Accounts.* Each financial institution or creditor must periodically determine whether it offers or maintains covered accounts. As a part of this determination, a financial institution or creditor must conduct a risk assessment to determine whether it offers or maintains covered accounts described in paragraph (b)(3)(ii) of this section, taking into consideration:
(1)The methods it provides to open its accounts;
(2)The methods it provides to access its accounts; and
(3)Its previous experiences with identity theft.
(d)*Establishment of an Identity Theft Prevention Program.*
(1)*Program requirement.* Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.
(2)*Elements of the Program.* The Program must include reasonable policies and procedures to:
(i)Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;
(ii)Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;
(iii)Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and
(iv)Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.
(e)*Administration of the Program.* Each financial institution or creditor that is required to implement a Program must provide for the continued administration of the Program and must:
(1)Obtain approval of the initial written Program from either its board of directors or an appropriate committee of the board of directors;
(2)Involve the board of directors, an appropriate committee thereof, or a designated employee at the level of senior management in the oversight, development, implementation and administration of the Program;
(3)Train staff, as necessary, to effectively implement the Program; and
(4)Exercise appropriate and effective oversight of service provider arrangements.
(f)*Guidelines.* Each financial institution or creditor that is required to implement a Program must consider the guidelines in Appendix A of this part and include in its Program those guidelines that are appropriate.
§ 681.3 Duties of card issuers regarding changes of address.
(a)*Scope.* This section applies to a person described in § 681.2(a) that issues a debit or credit card (card issuer).
(b)*Definitions.* For purposes of this section:
(1)*Cardholder* means a consumer who has been issued a credit or debit card.
(2)*Clear and conspicuous* means reasonably understandable and designed to call attention to the nature and significance of the information presented.
(c)*Address validation requirements.* A card issuer must establish and implement reasonable policies and procedures to assess the validity of a change of address if it receives notification of a change of address for a consumer's debit or credit card account and, within a short period of time afterwards (during at least the first 30 days after it receives such notification), the card issuer receives a request for an additional or replacement card for the same account. Under these circumstances, the card issuer may not issue an additional or replacement card, until, in accordance with its reasonable policies and procedures and for the purpose of assessing the validity of the change of address, the card issuer:
(1)(i) Notifies the cardholder of the request:
(A)At the cardholder's former address; or
(B)By any other means of communication that the card issuer and the cardholder have previously agreed to use; and
(ii)Provides to the cardholder a reasonable means of promptly reporting incorrect address changes; or
(2)Otherwise assesses the validity of the change of address in accordance with the policies and procedures the card issuer has established pursuant to § 681.2 of this part.
(d)*Alternative timing of address validation.* A card issuer may satisfy the requirements of paragraph (c) of this section if it validates an address pursuant to the methods in paragraph (c)(1) or (c)(2) of this section when it receives an address change notification, before it receives a request for an additional or replacement card.
(e)*Form of notice.* Any written or electronic notice that the card issuer provides under this paragraph must be clear and conspicuous and provided separately from its regular correspondence with the cardholder.
Appendix A to Part 681—Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation
Section 681.2 of this part requires each financial institution and creditor that offers or maintains one or more covered accounts, as defined in § 681.2(b)(3) of this part, to develop and provide for the continued administration of a written Program to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements of § 681.2 of this part.
I. The Program
In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.
II. Identifying Relevant Red Flags
(a)*Risk Factors.* A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1)The types of covered accounts it offers or maintains;
(2)The methods it provides to open its covered accounts;
(3)The methods it provides to access its covered accounts; and
(4)Its previous experiences with identity theft.
(b)*Sources of Red Flags.* Financial institutions and creditors should incorporate relevant Red Flags from sources such as:
(1)Incidents of identity theft that the financial institution or creditor has experienced;
(2)Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3)Applicable supervisory guidance.
(c)*Categories of Red Flags.* The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix A.
(1)Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2)The presentation of suspicious documents;
(3)The presentation of suspicious personal identifying information, such as a suspicious address change;
(4)The unusual use of, or other suspicious activity related to, a covered account; and
(5)Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.
III. Detecting Red Flags
The Program's policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a)Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules implementing 31 U.S.C. 5318(l) (31 CFR 103.121); and
(b)Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.
IV. Preventing and Mitigating Identity Theft
The Program's policies and procedures should provide for appropriate responses to the Red Flags the financial institution or creditor has detected that are commensurate with the degree of risk posed. In determining an appropriate response, a financial institution or creditor should consider aggravating factors that may heighten the risk of identity theft, such as a data security incident that results in unauthorized access to a customer's account records held by the financial institution, creditor, or third party, or notice that a customer has provided information related to a covered account held by the financial institution or creditor to someone fraudulently claiming to represent the financial institution or creditor or to a fraudulent website. Appropriate responses may include the following:
(a)Monitoring a covered account for evidence of identity theft;
(b)Contacting the customer;
(c)Changing any passwords, security codes, or other security devices that permit access to a covered account;
(d)Reopening a covered account with a new account number;
(e)Not opening a new covered account;
(f)Closing an existing covered account;
(g)Not attempting to collect on a covered account or not selling a covered account to a debt collector;
(h)Notifying law enforcement; or
(i)Determining that no response is warranted under the particular circumstances.
V. Updating the Program
Financial institutions and creditors should update the Program (including the Red Flags determined to be relevant) periodically, to reflect changes in risks to customers or to the safety and soundness of the financial institution or creditor from identity theft, based on factors such as:
(a)The experiences of the financial institution or creditor with identity theft;
(b)Changes in methods of identity theft;
(c)Changes in methods to detect, prevent, and mitigate identity theft;
(d)Changes in the types of accounts that the financial institution or creditor offers or maintains; and
(e)Changes in the business arrangements of the financial institution or creditor, including mergers, acquisitions, alliances, joint ventures, and service provider arrangements.
VI. Methods for Administering the Program
(a)*Oversight of Program.* Oversight by the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management should include:
(1)Assigning specific responsibility for the Program's implementation;
(2)Reviewing reports prepared by staff regarding compliance by the financial institution or creditor with § 681.2 of this part; and
(3)Approving material changes to the Program as necessary to address changing identity theft risks.
(b)*Reports.*
(1)*In general.* Staff of the financial institution or creditor responsible for development, implementation, and administration of its Program should report to the board of directors, an appropriate committee of the board, or a designated employee at the level of senior management, at least annually, on compliance by the financial institution or creditor with § 681.2 of this part.
(2)*Contents of report.* The report should address material matters related to the Program and evaluate issues such as: The effectiveness of the policies and procedures of the financial institution or creditor in addressing the risk of identity theft in connection with the opening of covered accounts and with respect to existing covered accounts; service provider arrangements; significant incidents involving identity theft and management's response; and recommendations for material changes to the Program.
(c)*Oversight of service provider arrangements.* Whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. For example, a financial institution or creditor could require the service provider by contract to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider's activities, and either report the Red Flags to the financial institution or creditor, or to take appropriate steps to prevent or mitigate identity theft.
VII. Other Applicable Legal Requirements
Financial institutions and creditors should be mindful of other related legal requirements that may be applicable, such as:
(a)For financial institutions and creditors that are subject to 31 U.S.C. 5318(g), filing a Suspicious Activity Report in accordance with applicable law and regulation;
(b)Implementing any requirements under 15 U.S.C. 1681c-1(h) regarding the circumstances under which credit may be extended when the financial institution or creditor detects a fraud or active duty alert;
(c)Implementing any requirements for furnishers of information to consumer reporting agencies under 15 U.S.C. 1681s-2, for example, to correct or update inaccurate or incomplete information, and to not report information that the furnisher has reasonable cause to believe is inaccurate; and
(d)Complying with the prohibitions in 15 U.S.C. 1681m on the sale, transfer, and placement for collection of certain debts resulting from identity theft.
Supplement A to Appendix A
In addition to incorporating Red Flags from the sources recommended in section II.b. of the Guidelines in Appendix A of this part, each financial institution or creditor may consider incorporating into its Program, whether singly or in combination, Red Flags from the following illustrative examples in connection with covered accounts:
Alerts, Notifications or Warnings from a Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 681.1(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as: a. A recent and significant increase in the volume of inquiries; b. An unusual number of recently established credit relationships; c. A material change in the use of credit, especially with respect to recently established credit relationships; or d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
Suspicious Documents
5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example: a. The address does not match any address in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is the same as the address provided on a fraudulent application; or b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is fictitious, a mail drop, or a prison; or b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud patterns. For example: a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available credit; c. A material change in purchasing or spending patterns; d. A material change in electronic fund transfer patterns in connection with a deposit account; or e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer's covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer's covered account.
Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
Dated: October 5, 2007.
John C. Dugan, Comptroller of the Currency.
By order of the Board of Governors of the Federal Reserve System, October 29, 2007.
Jennifer J. Johnson, Secretary of the Board.
Dated at Washington, DC, this 16th day of October, 2007.
By order of the Board of Directors.
Federal Deposit Insurance Corporation.
Robert E. Feldman, Executive Secretary.
Dated: October 24, 2007.
By the Office of Thrift Supervision.
John M. Reich, Director.
By order of the National Credit Union Administration Board, October 15, 2007.
Mary Rupp, Secretary of the Board.
By direction of the Commission.
Donald S. Clark, Secretary.
[FR Doc. 07-5453 Filed 11-8-07; 8:45 am]