2009 S-P - Supporting Statement

A. Justification

1. Necessity of Information Collection

Subtitle A of Title V of the Gramm-Leach-Bliley Act (“GLBA”), captioned Disclosure of Nonpublic Personal Information (“Title V”), limits the instances in which a financial institution may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and requires a financial institution to disclose to all of its customers the institution’s privacy policies and practices with respect to information sharing with both affiliates and nonaffiliated third parties. Title V also required the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the Secretary of the Treasury, the National Credit Union Administration, the Federal Trade Commission (collectively the “other agencies”), and the Commission, after consulting with representatives of State insurance authorities designated by the National Association of Insurance Commissioners, to prescribe regulations necessary to carry out the purposes of Title V.

Commission representatives participated with representatives from the other agencies in drafting rules to implement Title V. As required by the GLBA, the rules adopted by the Commission, now codified as Regulation S‑P, are, to the extent possible, consistent with and comparable to the rules adopted by the other agencies. Regulation S‑P, which applies to broker-dealers, investment companies, and federally registered investment advisers (“covered entities”), contains rules of general applicability that are substantially similar to the rules adopted by the other agencies. See Release Nos. 34‑42974, IC‑24543, IA‑1883 (June 22, 2000), 65 FR 40333 (June 29, 2000) (adopting the rules).

Regulation S‑P implements the requirements of Title V of the GLBA, which include the requirement that at the time of establishing a customer relationship with a consumer and not less than annually during the continuation of such relationship, a financial institution shall provide a clear and conspicuous disclosure to such consumer of such financial institution’s policies and practices with respect to disclosing nonpublic personal information to affiliates and nonaffiliated third parties (“privacy notice”). Title V of the GLBA also provides that, unless an exception applies, a financial institution may not disclose nonpublic personal information of a consumer to a nonaffiliated third party unless the financial institution clearly and conspicuously discloses to the consumer that such information may be disclosed to such third party; the consumer is given the opportunity, before the time that such information is initially disclosed, to direct that such information not be disclosed to such third party; and the consumer is given an explanation of how the consumer can exercise that nondisclosure option (“opt out notice”).

In 2004, the Commission amended Regulation S‑P to implement the provision in section 216 of the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) requiring proper disposal of consumer report information and records. Section 216 of the FACT Act directed the Commission and other federal agencies to adopt regulations requiring that any person who maintains or possesses consumer report information or any compilation of consumer report information derived from a consumer report for a business purpose must properly dispose of the information. The amendments also required the safeguard policies and procedures required by Regulation S‑P to be in writing. The Commission submitted this proposed, separate collection of information to the OMB for review in accordance with 44 U.S.C. 3507(d) and 5 CFR 1320.11 (see Release Nos. 34–50781, IA–2332, IC–26685 (December 2, 2004), 69 FR 71321, 71326 (December 8, 2004)) and the collection was approved, with an expiration date of November 30, 2007, and renewed, with an expiration date of November 30, 2010, under OMB Control No. 3235-0610.

The privacy notices required by the GLBA are mandatory. The opt out notices are not mandatory for financial institutions that do not share nonpublic personal information with nonaffiliated third parties except as permitted under an exception to the statute’s opt out provisions. Regulation S‑P implements the statute’s requirements with respect to broker-dealers, investment companies, and registered investment advisers (“covered entities”). The GLBA and Regulation S‑P also contain consumer reporting requirements. In order for consumers to opt out, they must respond to opt out notices. At any time during their continued relationship, consumers have the right to change or update their opt out status. Most covered entities do not share nonpublic personal information with nonaffiliated third parties and therefore are not required to provide opt out notices to consumers under Regulation S‑P. Therefore, few consumers are required to respond to opt out notices under the rule.

2. Purpose of, and Consequences of Not Requiring, the Information Collection

Regulation S‑P implements Title V of the GLBA, which, as noted above, requires the provision to consumers of privacy notices. The privacy notices inform consumers about financial institutions’ privacy policies and practices, and allow consumers to compare the policies and practices of different financial institutions. Covered entities not providing privacy notices as required by Regulation S‑P would not be in compliance with the consumer financial privacy notice requirements of the GLBA. The privacy notices required by the GLBA and Regulation S‑P are provided to consumers, and covered entities are not required to be submitted to the Commission.

2. Role of Improved Information Technology and Obstacles to Reducing Burden

It does not seem likely that improved information technology will in the near future measurably reduce the burden of drafting and (if necessary) revising privacy notices that describe the privacy policies of covered entities. Regulation S‑P allows for the provision of privacy notices by electronic means, but this does not reduce the burden of drafting and revising privacy notices. The tasks that covered entities must perform to ensure that their privacy notices comply with the GLBA’s requirements, including the requirements that the notices be clear, conspicuous, and accurate, are primarily analytical, and their accomplishment is therefore unlikely to soon benefit from more than marginal efficiencies from improved information technology.

2. Efforts to Identify Duplication

In a release entitled Registration of Broker-Dealers Pursuant to Section 15(b)(11) of the Securities Exchange Act of 1934, Release No. 34-44730 (Aug. 21, 2001), 66 FR 45137 (Aug. 27, 2001), the Commission adopted amendments to Regulation S‑P in light of Section 124 of the Commodity Futures Modernization Act (“CFMA”), which makes the privacy provisions of the GLBA applicable to activity regulated by the Commodity Futures Trading Commission (“CFTC”). These amendments conformed the definitions of the terms “federal functional regulator” and “financial institution” in Regulation S‑P to the new meanings section 124 of the CFMA gives the corresponding terms in Title V of the GLBA by amending the definitions of those terms in Regulation S‑P, at 17 CFR 248.3(m) and 17 CFR 248(n). The amendments also permit futures commission merchants and introducing brokers that are registered by notice as broker-dealers to comply with Regulation S‑P by complying with the CFTC’s financial privacy rules. The amendments parallel a similar provision in the financial privacy rules adopted by the CFTC. See 17 CFR 160(b)(1); see also Privacy of Consumer Financial Information, 66 FR 21236 (Apr. 27, 2001).

2. Effect on Small Entities

The rule requirements are not unduly burdensome on smaller covered entities.

2. Consequences of Less Frequent Collection

Covered entities are required by the GLBA to provide privacy notices to their customers not less frequently than annually, and to ensure that their privacy notices are accurate, which may require a covered entity to provide revised privacy notices if it changes its privacy policies or practices. These are statutory requirements, and a covered entity would fail to comply with them if it failed to failed to revise (or draft) and provide to its consumers accurate privacy notices as required by the GLBA and Regulation S‑P. The Commission does not collect privacy notices from covered entities, so it could not collect them less frequently.

2. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

Regulation S‑P does not involve the collection of information in a manner that is inconsistent with 5 CFR 1320.5(d)(2).

2. Consultations Outside the Agency

Before adoption, Commission rules are published for notice and comment. Also, as noted above, Commission staff consulted with staff from other agencies in drafting rules to implement Title V of the GLBA.

2. Payment or Gift to Respondents

Not applicable.

2. Assurance of Confidentiality

No assurances of confidentiality are provided in the rule.

2. Sensitive Questions

Not applicable; no information of a sensitive nature is required under the rule.

2. Estimate of Respondent Reporting Burden

The Commission estimates that approximately 20,065 covered entities (approximately 5,326 registered broker-dealers, 4,571 investment companies, and, out of a total of 11,266 registered investment advisers, 10,168 registered investment advisers that are not also registered broker-dealers) that must prepare or revise their annual and initial privacy notices will spend an average of approximately 12 hours per year complying with Regulation S-P. Thus, the total compliance burden is estimated to be approximately 240,780 burden-hours per year.

2. Estimate of total annualized cost burden

Not applicable. It is not anticipated that covered entities will need to incur any capital or start-up cost to comply with Regulation S‑P, and it is not anticipated that they will need to incur any additional operational or maintenance cost (other than as described in Item 12 above) to comply.

2. Estimate of Cost to Federal Government

Not applicable.

2. Explanation of Changes in Burden

Estimates of burden hours and dollar costs have been conformed to recent wage estimates calculated by the Department of Labor’s Bureau of Labor Statistics, adjusted for inflation, and updated to reflect current information on the numbers of the various types of covered entities to which Regulation S‑P applies.

2. Information Collection Planned for Statistical Purposes

Not applicable. Privacy notices are not collected by the Commission and there is no intention to publish the information they contain for any purpose.

2. Explanation as to Why Expiration Date Will Not be Displayed

Not applicable.

2. Exceptions to Certification

Not applicable.

2. Collection of Information Employing Statistical Methods

Not applicable. Regulation S‑P does not involve the collection of information employing statistical methods, and the implementation of such methods would not reduce any burden or improve the accuracy of any results.