Federal Register, Volume 84 Issue 144 (Friday, July 26, 2019) 
[Federal Register Volume 84, Number 144 (Friday, July 26, 2019)]
[Pages 36086-36088]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-15933]



Agency Information Collection Activities: Notice of Intent To
Renew Collection Number 3038-0067, Protection of Consumer Information
Under the Fair Credit Reporting Act

AGENCY: Commodity Futures Trading Commission.

ACTION: Notice.


SUMMARY: The Commodity Futures Trading Commission (``CFTC'' or
``Commission'') is announcing an opportunity for public comment on the
proposed renewal of a collection of certain information by the agency.
This notice solicits comments on the collections of information
mandated by the Commission's regulations (Protection of Consumer
Information under the Fair Credit Reporting Act).

DATES: Comments must be submitted on or before September 24, 2019.

ADDRESSES: You may submit comments, identified by ``Part 162--
Protection of Consumer Information under the Fair Credit Reporting
Act,'' and OMB Control No. 3038-0067 by any of the following methods:
     The Agency's website, at http://comments.cftc.gov/. Follow
the instructions for submitting comments through the website.
     Mail: Christopher Kirkpatrick, Secretary of the
Commission, Commodity Futures Trading Commission, Three Lafayette
Centre, 1155 21st Street NW, Washington, DC 20581.
     Hand Delivery/Courier: Same as Mail above.
    Please submit your comments using only one method. All comments
must be submitted in English, or if not, accompanied by an English
translation. Comments will be posted as received to http://www.cftc.gov.

FOR FURTHER INFORMATION CONTACT:  Jacob Chachkin, Special Counsel,
Division of Swap Dealer and Intermediary Oversight, Commodity Futures
Trading Commission, (202) 418-5496, email: [email protected].

SUPPLEMENTARY INFORMATION: Under the Paperwork Reduction Act \1\
(``PRA''), Federal agencies must obtain approval from the Office of
Management and Budget (``OMB'') for each collection of information they
conduct or sponsor. ``Collection of Information'' is defined in 44
U.S.C. 3502(3) and 5 CFR 1320.3 and includes agency requests or
requirements that members of the public submit reports, keep records,
or provide information to a third party. Section 3506(c)(2)(A) of the
PRA, 44 U.S.C. 3506(c)(2)(A), requires Federal agencies to provide a
60-day notice in the Federal Register concerning each proposed
collection of information, including each proposed extension of an
existing collection of information, before submitting the collection to
OMB for approval. To comply with this requirement, the CFTC is
publishing notice of the proposed collection of information listed

    \1\ 44 U.S.C. 3501 et seq.

    Title: Part 162--Protection of Consumer Information under the Fair
Credit Reporting Act (OMB Control No. 3038-0067). This is a request for
an extension of a currently approved information collection.
    Abstract: On July 21, 2010, President Obama signed into law the
Dodd-Frank Wall Street Reform and Consumer Protection Act (``Dodd-Frank
Act'').\2\ Title X of the Dodd-Frank Act, which is titled the Consumer
Financial Protection Act of 2010 (``CFP Act''), amends a number of
federal consumer protection laws enacted prior to the Dodd-Frank Act
including, in relevant part, the Fair Credit Reporting Act

[[Page 36087]]

(``FCRA'') \3\ and the Fair and Accurate Credit Transactions Act of
2003 (``FACT Act'').\4\ Specifically, Section 1088 of the CFP Act sets
out certain amendments to the FCRA and the FACT Act directing the
Commission to promulgate regulations that are intended to provide
privacy protections to certain consumer information held by an entity
that is subject to the jurisdiction of the Commission.

    \2\ Public Law 111-203, 124 Stat. 1376 (2010).
    \3\ 15 U.S.C. 1681-1681x.
    \4\ Public Law 108-159, 117 Stat. 1952, 1980 (2003).

    Section 1088 amends section 214(b) of the FACT Act--which added
section 624 to the FCRA in 2003--and directs the Commission to
implement the provisions of section 624 of the FCRA with respect to
persons that are subject to the Commission's enforcement jurisdiction.
Section 624 of the FCRA gives a consumer the right to block affiliates
of an entity subject to the Commission's jurisdiction from using
certain information obtained from such entity to make solicitations to
that consumer (hereinafter referred to as the ``affiliate marketing
rules'').\5\ Under the affiliate marketing rules, the entities covered
by the regulations are expected to prepare and provide clear,
conspicuous and concise opt-out notices to any consumers with whom such
entities have a pre-existing business relationship. A covered entity
only has to provide an opt-out notice to the extent that an affiliate
of the covered entity plans to make a solicitation to any of the
covered entity's consumers. The purpose of the opt-out notice is to
provide consumers with the ability to prohibit marketing solicitations
from affiliate businesses that do not have a pre-existing business
relationship with the consumers, but that do have access to such
consumers' nonpublic, personal information. A covered entity is
required to send opt-out notices at the maximum of once every five

    \5\ The affiliate marketing rules are found in part 162, subpart
A (Business Affiliate Marketing Rules) of the CFTC's regulations. 17
CFR part 162, subpart A.

    Section 1088 of the CFP Act also amends section 628 of the FCRA and
mandates that the Commission implement regulations requiring persons
subject to the Commission's jurisdiction who possess or maintain
consumer report information in connection with their business
activities to properly dispose of that information (hereinafter
referred to as the ``disposal rules'').\6\ Under the disposal rules,
the entities covered by the regulations are expected to develop and
implement a written disposal plan with respect to any consumer
information within such entities' possession. The regulations provide
that a covered entity develop a written disposal plan that is tailored
to the size and complexity of such entity's business. The purpose of
the written disposal plan is to establish a formal plan for the
disposal of nonpublic, consumer information, which otherwise could be
illegally confiscated and used by unauthorized third parties. Under the
rules, a covered entity is required to develop a written disposal plan
only once, but may subsequently amend such plan from time to time.

    \6\ The disposal rules are found in part 162, subpart B
(Disposal Rules) of the CFTC's regulations. 17 CFR part 162, subpart

    In addition, Section 1088 of the CFP Act amended the FCRA by adding
the CFTC and the Securities and Exchange Commission (``SEC,'' together
with the CFTC, the ``Commissions'') to the list of federal agencies
required to jointly prescribe and enforce identity theft red flags
rules and guidelines and card issuer rules. Thus, the Dodd-Frank Act
provides for the transfer of rulemaking responsibility and enforcement
authority to the CFTC and SEC with respect to the entities under their
respective jurisdiction. Accordingly, the Commissions have issued final
rules and guidelines (hereinafter referred to as the ``identity theft
rules'') \7\ to implement new statutory provisions enacted by the CFP
Act that amend section 615(e) of the FCRA and direct the Commissions to
prescribe rules requiring entities that are subject to the Commissions'
jurisdiction to address identity theft. Under the identity theft rules,
entities covered by the regulation are required to develop and
implement reasonable policies and procedures to identify, detect, and
respond to relevant red flags for identity theft that are appropriate
to the size and complexity of such entity's business and, in the case
of entities that issue credit or debit cards, to assess the validity
of, and communicate with cardholders regarding, address changes.\8\
They are also required to provide for the continued administration of
identity theft policies and procedures.

    \7\ The CFTC's identity theft rules are found in part 162,
subpart C (Identity Theft Red Flags) of the CFTC's regulations. 17
CFR part 162, subpart C.
    \8\ The CFTC understands that CFTC-regulated entities generally
do not issue credit or debit cards, but instead may partner with
other entities, such as banks, that issue cards on their behalf.
These other entities, which are not regulated by the CFTC, are
already subject to substantially similar change of address
obligations pursuant to other federal regulators' identity theft red
flags rules. Therefore, the CFTC does not expect that any CFTC-
regulated entities will be subject to the related information
collection requirements under the CFTC's identity theft rules.

    With respect to the collection of information, the CFTC invites
comments on:
     Whether the proposed collection of information is
necessary for the proper performance of the functions of the
Commission, including whether the information will have a practical
     The accuracy of the Commission's estimate of the burden of
the proposed collection of information, including the validity of the
methodology and assumptions used;
     Ways to enhance the quality, usefulness, and clarity of
the information to be collected; and
     Ways to minimize the burden of collection of information
on those who are to respond, including through the use of appropriate
automated electronic, mechanical, or other technological collection
techniques or other forms of information technology; e.g., permitting
electronic submission of responses.
    You should submit only information that you wish to make available
publicly. If you wish the Commission to consider information that you
believe is exempt from disclosure under the Freedom of Information Act,
a petition for confidential treatment of the exempt information may be
submitted according to the procedures established in Sec.  145.9 of the
Commission's regulations.\9\

    \9\ 17 CFR 145.9.

    The Commission reserves the right, but shall have no obligation, to
review, pre-screen, filter, redact, refuse or remove any or all of your
submission from http://www.cftc.gov that it may deem to be
inappropriate for publication, such as obscene language. All
submissions that have been redacted or removed that contain comments on
the merits of the information collection request will be retained in
the public comment file and will be considered as required under the
Administrative Procedure Act and other applicable laws, and may be
accessible under the Freedom of Information Act.
    Burden Statement: The Commission is revising its burden estimate
for this collection to reflect its estimate of the current number of
CFTC registrants subject to the requirements of part 162 regulations.
In addition, this burden estimate reflects the total burden hours from
the affiliate marketing rules (subpart A), the disposal rules (subpart
B), and the identity theft rules (subpart C)--the first two categories
of which were inadvertently omitted from previous renewals. Thus the
current renewal aims to correct past omissions by including burden
calculations from all three categories under part 162.

[[Page 36088]]

    Accordingly, the respondent burden for this collection is estimated
to be as follows:
    Estimated Number of Respondents: 4,488.
    Estimated Average Burden Hours per Respondent: 13.25.\10\

    \10\ This number reflects the average aggregate burden hours,
per respondent, in response to: (a) Disclosure (1 hr.) and
recordkeeping requirements (3.5 hrs) under the affiliate marketing
rules, (b) recordkeeping requirements under the disposal rules (5.9
hrs), and (c) recordkeeping requirements under the identity theft
rules (2.85 hrs).

    Estimated Total Annual Burden Hours: 59,459.
    Frequency of Collection: As applicable.
    There are no capital costs or operating and maintenance costs
associated with this collection.

    Authority:  44 U.S.C. 3501 et seq.

     Dated: July 23, 2019.
Robert Sidman,
Deputy Secretary of the Commission.
[FR Doc. 2019-15933 Filed 7-25-19; 8:45 am]