Rule 248.39 SS

Rule 248.30; 17 C.F.R. Sec. 248.30, Information security programs for personal information; records of compliance.

OMB: 3235-0610

SUPPORTING STATEMENT

Rule 248.30


A. JUSTIFICATION

1. Necessity for the Information Collection


Section 501 of the Gramm-Leach-Bliley Act (the “GLBA” or “Act”) (15 U.S.C. 6801) directs the Commission, and other federal financial regulators, to require that financial institutions establish appropriate administrative, technical, and physical safeguards to “insure the security and confidentiality of customer records and information,” “protect against any anticipated threats or hazards to the security and integrity” of those records, and protect against unauthorized access to or use of those records or information, which “could result in substantial harm or inconvenience to any customer.”1 Pursuant to this provision, the Commission adopted rule 248.30(a) (the “safeguard rule”) under Regulation S-P (17 CFR 248.30(a)) in 2000 and subsequently amended the rule in 2001 and 2004.2 The safeguard rule requires brokers, dealers, investment companies, and investment advisers registered with the Commission (“registered investment advisers”) (collectively “covered institutions”) to adopt written policies and procedures for administrative, technical, and physical safeguards to protect customer records and information. The safeguards must be reasonably designed to meet the Act’s objectives.3

2. Purposes of the Information Collection

The safeguard rule’s requirement that covered institutions’ policies and procedures be in writing constitutes a “collection of information” requirement within the meaning of the Paperwork Reduction Act of 1995.4 The rule is designed to ensure that covered institutions maintain reasonable safeguard policies and procedures. Requiring written safeguard policies and procedures eliminates uncertainty as to what actions an employee must take to protect customer records and information and promotes more systematic and organized reviews of safeguard policies and procedures by institutions. The information collection also assists the Commission’s examination staff in assessing the existence and the adequacy of covered institutions’ safeguard policies and procedures.



3. Role of Improved Information Technology


The safeguard rule does not require the reporting of any information or the filing of any documents with the Commission. The rule requires covered institutions to maintain their safeguard policies and procedures in writing. The Electronic Signatures in Global and National Commerce Act5 and the interpretive guidance and conforming amendments to rules under the Exchange Act and the Investment Company Act permit broker-dealers and funds to maintain records electronically. The Commission also permits registered investment advisers to maintain the records required under rule 204-2 through electronic media.6

4. Efforts to Identify Duplication

The safeguard rule imposes a requirement that covered institutions maintain and document their safeguard policies and procedures in writing. Covered institutions are subject to similar requirements elsewhere in the federal securities laws and rules of the self-regulatory organizations that require them to adopt written policies and procedures.7 The safeguard rule, however, does not require covered institutions to maintain duplicate copies of records covered by the rule, and an institution’s safeguard policies and procedures do not have to be maintained in a single location. Moreover, although the safeguard rule requires broker-dealers and investment companies to keep certain records that may be required under the general recordkeeping provisions of rule 17a-3 under the Exchange Act8 and rule 31a-1 under the Investment Company Act,9 the overlap is limited and the Commission does not require a broker-dealer or investment company to maintain duplicate copies of the records. The staff believes, therefore, that any duplication of regulatory requirements is limited and does not impose significant additional costs on institutions.

5. Effect on Small Entities

Every covered institution, regardless of its size, is subject to the safeguard rule’s requirements. We strongly question whether an institution of any size and complexity of operations could reasonably manage to safeguard customer records and information without written policies and procedures. The safeguard rule requires covered institutions to adopt policies and procedures “reasonably designed” to protect customer information and records. Accordingly, the rule permits covered institutions to tailor their policies and procedures to the institution’s particular systems, methods of information gathering, and customer needs. We believe that almost all covered institutions have already documented their policies and procedures in writing to comply with Regulation S-P and as a matter of good business practice. The amount of time it will take entities that do not yet have written policies and procedures, including new institutions, to document them will vary based on the extent and complexity of the policies and procedures the institution has adopted.

Accordingly, a small institution with relatively simple policies and procedures reflecting simple business operations would likely take less time to document those policies and procedures than would a large institution with complex and very detailed policies and procedures. Thus, the Commission believes that the safeguard rule does not inappropriately burden small entities. We also believe that we could not adjust the safeguard rule to lessen the burden on small entities without jeopardizing the interests of investors who use these institutions’ services, and who need the same protections as the investors who use the services of large entities.

6. Consequences of Less Frequent Collection

The safeguard rule requires covered institutions to maintain written policies and procedures. These policies and procedures would have to be written when first adopted and revised only as the safeguard policies and procedures are changed. Thus, the collection of information is required only as necessary to reflect current policies and procedures.

7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

The safeguard rule requires covered institutions to maintain written safeguard policies and procedures on an ongoing basis. Although this period would exceed the three-year guideline for most kinds of records under 5 CFR 1320.5(d)(2)(iv), the staff believes that this is warranted because the rule assists in informing and training the institutions’ employees and contributes to the effectiveness of the Commission’s examination and inspection program.

8. Consultations Outside the Agency

The Commission requested public comment on the information collection requirement in the safeguard rule before it submitted this request for extension and approval to the Office of Management and Budget. The Commission received no comments to its request. The Commission and the staff of the Divisions of Investment Management and Market Regulation participate in an ongoing dialogue with representatives of the industry through public conferences, meetings, and informal exchanges. These various forums provide the Commission and the staff with a means of ascertaining the magnitude of the paperwork burdens confronting the industry.

9. Payment or Gift to Respondents

Not applicable.

10. Assurance of Confidentiality

Not applicable.

11. Sensitive Questions

Not applicable.

12. Estimates of Hour Burden

The safeguard rule requires each covered institution to maintain written policies and procedures regarding the safeguarding of customer records and information. We believe that almost all covered institutions have documented their safeguard policies and procedures in writing because this has been a requirement under the rule since July 1, 2005. In addition, these institutions have a strong interest in preventing security threats, such as identity theft or threats to their computer systems as a matter of good business practice and state law.

In preparing this submission for OMB review, we estimate that there are 6,016 broker-dealers, 4,920 investment companies, and 9,860 registered investment advisers, or 20,796 covered institutions in total. We assume that 70 percent of these institutions have one or more financial affiliates (whether these institutions are regulated by the Commission or other federal financial regulators).10 Thus, we estimate that approximately 70 percent of the 20,796 institutions subject to the safeguard rule, or 14,557 institutions, have a corporate affiliate.11 We assume, for purposes of the PRA, that each of the affiliated institutions has one corporate affiliate. We also assume that institutions with one or more financial affiliates are likely to have developed safeguard policies and procedures on an organization-wide basis, rather than each affiliate developing policies and procedures on its own. We therefore estimate that half of affiliated institutions, or 7,279 institutions, have developed and documented policies and procedures, while the other half instead used the policies and procedures developed and documented by their affiliate.12 Therefore, we estimate that a total of 13,518 institutions have already developed and documented safeguard policies and procedures in accordance with the rule.13 In our 2004 PRA estimate we amortized our total estimate of start-up burden hours over three years (631,925 total hours, or 210,642 hours per year). Because we assume that almost all institutions incurred these one-time costs in the years 2004, 2005, and 2006, we have not included these initial burden estimates in this estimate of current burden hours.

For purposes of the PRA, we estimate that on average approximately 1,527 new broker-dealers, investment companies, and registered investment advisers will register with the Commission annually.14 As with the existing registrants, we estimate that 70 percent of these new registrants, or 1,069 institutions, are affiliated with another financial institution that has adopted safeguard policies and procedures.15 We assume that half of these affiliated new registrants, or 535 institutions, will adopt the safeguard policies and procedures already developed and documented by their affiliate, while the other half will develop and document their own policies and procedures. We further assume that the remaining 30 percent of new registrants, or 458 institutions, will develop and document their own safeguard policies and procedures. Thus, we anticipate that each year the rule is in effect, the annual number of new respondents will be 992.16

We expect that some of these new respondents will be small entities. Of the institutions currently registered with the Commission, we estimate that 8,151 are smaller entities that are likely to have 10 or fewer employees, or 39 percent of all covered institutions.17 We assume that the proportion of new respondents that are small entities will equal the proportion of covered institutions that are currently small entities. Therefore, we estimate that 389 of the new respondents will be small entities.18 For purposes of the PRA, we estimate that the average amount of time a smaller institution would take to develop and document its safeguard policies and procedures would range from 6 hours to 24 hours with an average of 15 hours. Thus, we estimate a one-time hour burden for these new, smaller entities of 5,835 hours.19

Other new institutions, such as large investment company complexes or clearing broker-dealers, may require more time to document extensive policies and procedures. We assume that 10 percent of the remaining new respondents that are not small entities, or 60 institutions, would not already have written policies and procedures as a matter of good business practice.20 For purposes of the PRA, we estimate that the average amount of time these larger institutions would take to develop and document their safeguard policies and procedures would range from 30 hours to 1,400 hours with an average of 715 hours per institution. Thus, we estimate a total one-time burden for these 60 institutions of 42,900 hours.21 Combined with the burden for small entities, we estimate a total one-time burden of 48,735 hours.22 For purposes of the PRA, we estimate that an attorney, at an hourly wage of $292, including benefits, would perform half of these burden hours at small institutions.23 We estimate that a senior database administrator, at an hourly wage of $269, including benefits, would perform the remaining 50 percent of the burden hours at these smaller institutions.24 We estimate that an attorney, at an hourly wage of $292, including benefits, would perform 100 percent of the burden hours for large institutions.25 Thus, we estimate the aggregate cost of the annual burden hours associated with the documentation requirement is $14.2 million.26

In addition, we estimate that 10 percent of the 20,796 covered institutions currently registered with the Commission will review and update their policies and procedures each year, or 2,080 institutions. We estimate that 815 will be smaller institutions that are likely to have 10 or fewer employees.27 For purposes of the PRA, we estimate that the average amount of time a smaller institution would take to review and update its safeguard policies and procedures would range from 2 hours to 10 hours with an average of 6 hours. Thus, we estimate an annual hour burden for these smaller entities of 4,890 hours.28 We estimate that 1,265 larger institutions will review and update their policies and procedures each year.29 For purposes of the PRA, we estimate that the average amount of time a larger institution would take to review and update its safeguard policies and procedures would range from 10 hours to 50 hours with an average of 30 hours. We estimate an annual hour burden for the larger institutions of 37,950 hours.30 The staff estimates, therefore, that the annual burden for covered institutions to review and update their policies and procedures is 42,840 hours at a cost of $12,453,045.31 Thus, we estimate the total annual burden is 91,575 hours at a cost of $26.62 million.32

These estimates are made solely for the purposes of the PRA. They are not derived from a comprehensive or even representative survey or study of the costs of Commission rules. The number of burden hours associated with the information collections is likely to vary depending on the nature of the regulated institution.

13. Estimate of Total Annual Cost Burden

The staff estimates that the safeguard rule does not impose a material cost burden, apart from the cost of the burden hours, on covered institutions. Although these entities are likely to retain these records for as long as the institution maintains policies and procedures, these records could be maintained electronically and, even if maintained in hard copy, would not likely be voluminous. The staff has not estimated a capital/startup cost in connection with the recordkeeping requirements because covered institutions would likely use existing recordkeeping systems to maintain the required compliance records.


14. Estimate of Cost to the Federal Government

There is no cost to the federal government of administering the information collection requirements in rule 248.30(a) under the GLBA.

15. Explanation of Changes in Burden

The decrease in estimated total annual burden hours from 276,780 hours to 91,575 hours is based on the elimination of the start-up burden hours that were included in our previous estimate. As noted above, we assume that almost all institutions incurred these costs in previous years.

16. Information Collection Planned for Statistical Purposes

Not applicable.

17. Approval to Not Display Expiration Date

Not applicable.

18. Exception to Certification Statement

Not applicable.

B. COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS


Not applicable.

1 See 15 U.S.C. 6801(b). See also section 505 of the GLBA (15 U.S.C. 6805), directing the Commission to enforce the Act’s safeguard requirements under the Securities Exchange Act of 1934 (15 U.S.C. 78a) (the “Exchange Act”), the Investment Company Act of 1940 (15 U.S.C. 80a) (the “Investment Company Act”), and the Investment Advisers Act of 1940 (15 U.S.C. 80b-1).

2 See Privacy of Consumer Financial Information (Regulation S-P), Investment Company Act Release No. 24543 (Jun. 22, 2000) [65 FR 40334 (Jun. 29, 2000)]; Registration of Broker-Dealers Pursuant to Section 15(b)(11) of the Securities Exchange Act of 1934, Exchange Act Release No. 44730 (Aug. 21, 2001) [66 FR 45237 (Aug. 27, 2001)] (permitting notice-registered broker-dealers to comply with Regulation S-P by complying with financial privacy rules adopted by the Commodity Futures Trading Commission); and Disposal of Consumer Report Information, Investment Company Act Release No. 26685 [69 FR 71329 (Dec. 8, 2004)] (“Disposal Rule Adopting Release”) (requiring that covered institutions’ safeguard policies and procedures be documented in writing).

3 In addition, section 216 of the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) (15 U.S.C. 1681w(a)(1)) directs the Commission and other federal agencies to adopt regulations for the proper disposal of consumer information, and provides that any person who maintains or possesses consumer report information or any compilation of consumer information derived from a consumer report for a business purpose must properly dispose of the information. The Commission implemented this provision by adopting rule 248.30(b) (the “disposal rule”) under Regulation S-P (17 CFR 248.30(b)) in 2004. See Disposal Rule Adopting Release, supra note 2. The disposal rule, however, does not impose any recordkeeping requirement or otherwise include any requirement that constitutes a “collection of information” as it is defined in the regulations implementing the Paperwork Reduction Act of 1995 (44 U.S.C. 3501).

4 The safeguard rule is currently approved under OMB control number 3235-0610.

5 15 U.S.C. 7001.

6 17 CFR 275.204-2(g).

7 17 CFR 270.17j-1(c)(1) (requiring a fund and each investment adviser and principal underwriter of the fund to “adopt a written code of ethics containing provisions reasonably necessary to prevent” certain persons affiliated with the fund, its investment adviser or its principal underwriter from engaging in certain fraudulent, manipulative, and deceptive actions with respect to the fund); 15 U.S.C. 80b-4a (requiring each adviser registered with the Commission to have written policies and procedures reasonably designed to prevent the misuse of material non-public information by the adviser or persons associated with the adviser); and NASD Conduct Rule 3010 (requiring each broker-dealer to establish and maintain written procedures to supervise the types of business it is engaged in and to supervise the activities of registered representatives and associated persons).

8 17 CFR 240.17a-3 (requiring broker-dealers to make and keep, among other things, blotters or other records of original entry, securities position records, and order tickets).

9 17 CFR 270.31a-1(b)(4), 17 CFR 270.31a-1(b)(11) (requiring investment companies to maintain, among other things, minute books of directors’ meetings and “files of all advisory material received from the investment adviser”).

10 The estimate that 70 percent of registrants have an affiliate is based upon statistics reported on Form ADV, the Universal Application for Investment Adviser Registration, which contains specific questions regarding affiliations between investment advisers and other persons in the financial industry. We estimate that other institutions subject to the safeguard rule would report a rate of affiliation similar to that reported by registered investment advisers.

11 This estimate is based on the following calculation: 20,796 x 0.7 = 14,557.2.

12 This estimate is based on the following calculations: 14,557.2 ÷ 2 = 7,278.6.

13 This estimate is based on the following calculation: (20,796 – 14,557) + 7,279 = 13,518.

14 This estimate is based on annual filings with the Commission for the calendar years 2004, 2005, and 2006.

15 This estimate is based on the following calculation: 1,527 x 0.7 = 1,068.9.

16 This estimate is based on the following calculation: (1,069 - 535) + 458 = 992.

17 We estimate that 7,030 registered investment advisers have 10 or fewer employees. See Investment Counsel Association of America, Evolution Revolution, A Profile of the Investment Advisory Profession (July 2006). We estimate that 1,121 broker-dealers and funds are small entities, and are likely to have no more than 10 employees. Under the Exchange Act, a “small entity” is a broker or dealer that had total capital of less than $500,000 on the date of its prior fiscal year and is not affiliated with any person that is not a small entity. 17 CFR 240.0-10. Under the Investment Company Act a small entity is an investment company that, together with other investment companies in the same group of related investment companies, has net assets of $50 million or less as of the end of its most recent fiscal year. 17 CFR 270.0-10. Thus, this estimate is based on the following calculation: 8,151 ÷ 20,796 = 0.392.

18 This estimate is based on the following calculation: 992 x .392 = 388.81.

19 This estimate is based on the following calculation: 389 x 15 = 5,835.

20 This estimate is based on the following calculation: (992 – 389) x 0.10 = 60.3.

21 This estimate is based on the following calculation: 60 x 715 = 42,900.

22 This estimate is based on the following calculation: 42,900 + 5,835 = 48,735.

23 The $292 per hour figure, and all hourly rates used in this analysis, are based on salary information compiled by the Securities Industry Association. The Commission staff has modified this information to account for an 1,800-hour work year and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead. See Securities Industry Association, Report on Management and Professional Earnings in the Securities Industry (2006).

24 Id.

25 Id.

26 This estimate is based on the following calculation: (42,900 x $292) + (5,835 x 0.5 x $292) + (5,835 x 0.5 x $269) = $14,163,517.50.

27 This estimate is based on the following calculation: 8,151 ÷ 20,796 = 0.392; 2,080 x 0.392 = 815.36.

28 This estimate is based on the following calculation: 815 x 6 = 4,890.

29 This estimate is based on the following calculation: 2,080 – 815 = 1,265.

30 This estimate is based on the following calculation: 1,265 x 30 = 37,950.

31 This estimate is based on the following calculations: 37,950 + 4,890 = 42,840; (37,950 x $292) + (4,890 x 0.5 x $292) + (4,890 x 0.5 x $269) = $12,453,045.

32 These estimates are based on the following calculations: 48,735 + 42,840 = 91,575; $14,163,517.50 + $12,453,045 = $26,616,562.50.



File type: application/msword
File title: SUPPORTING STATEMENT
Last modified by: martinsons
File modified: 2007-05-30
File created: 2007-05-30
