Rule 17i-4: Internal Risk Management Control Systems Requirements for Supervised Investment Bank Holding Companies
SUPPORTING STATEMENT
A. Justification
1. Necessity For Information Collection
Section 231 of the Gramm-Leach-Bliley Act of 19991 (the “GLBA”) amended Section 17 of the Securities Exchange Act of 1934 (the “Exchange Act” or the “Act”) to create a regulatory framework under which a holding company of a broker-dealer may voluntarily be supervised by the Commission as a supervised investment bank holding company (or “SIBHC”).2 In 2004, the Commission promulgated rules, including Rule 17i-4, to create a framework for the Commission to supervise SIBHCs.3 This framework includes qualification criteria for investment bank holding companies (“IBHCs”) that file notices of intention to be supervised by the Commission, as well as recordkeeping and reporting requirements for SIBHCs. Taken as a whole, the SIBHC framework permits the Commission to better monitor the financial condition, risk management, and activities of a broker-dealer’s parent and affiliates on a group-wide basis. In particular, it creates a formal process through which the Commission can access important information regarding activities of a broker-dealer’s affiliates that could impair the financial and operational stability of the broker-dealer or the SIBHC.
In addition, securities firms that do business in the European Union (“EU”) have indicated that they may need to demonstrate that they have consolidated supervision at the holding company level that is “equivalent” to EU consolidated supervision.4 The enactment of Section 17(i) of the Exchange Act was also intended to address this concern.5 This regulatory framework for SIBHCs is intended to provide a basis for non-U.S. financial regulators to treat the Commission as the principal U.S. consolidated, home-country supervisor for SIBHCs and their affiliated broker-dealers.6 This would minimize duplicative regulatory burdens on broker-dealers that are active in the EU and in other jurisdictions that may have similar laws.
Rule 17i-4 requires an SIBHC to comply with present Exchange Act Rule 15c3-47 as though it were a broker-dealer, which requires that the firm establish, document and maintain a system of internal risk management controls to assist it in managing the risks associated with its business activities (including market, credit, operational, funding, and legal risks). In addition, Rule 17i-4 requires that an SIBHC establish, document, and maintain procedures for the detection and prevention of money laundering and terrorist financing as part of its internal risk management control system. Finally, Rule 17i-4 requires that an SIBHC periodically review its internal risk management control system for integrity of the risk measurement, monitoring, and management process, and accountability, at the appropriate organizational level, for defining the permitted scope of activity and level of risk.
The collection of information required pursuant to Rule 17i-4 is needed so that the Commission can adequately supervise the activities of these SIBHCs. In addition, the collection of information included in Rule 17i-4 is necessary to allow the Commission to effectively determine whether supervision of an IBHC as an SIBHC is necessary or appropriate in furtherance of the purposes of Section 17 of the Act. Generally, the SIBHC framework of rules enhances the Commission’s supervision of an SIBHCs’ subsidiary broker-dealers through collection of additional information and inspections of affiliates of those broker-dealers.
2. Purpose of, and Consequences of Not Requiring, the Information Collection
Rule 17i-4 requires that an SIBHC develop strong internal controls to manage its risks, and to adequately document those controls so they can be examined. The Commission will use any information collected under the Rule to monitor the SIBHC’s systems for monitoring and controlling financial and operational risks and to determine whether supervision of the SIBHC is necessary or appropriate in furtherance of the purposes of § 17 of the Act.
Without this information, the Commission would be unable to adequately supervise the SIBHC as provided for under the Exchange Act.
3. Role of Improved Information Technology and Obstacles to Reducing Burden
Rule 17i-4 does not prevent an SIBHC from using computers or other mechanical devices to document its internal risk management control system.
4. Efforts To Identify Duplication
No duplication is apparent.
5. Effects On Small Entities
An IBHC can apply to become an SIBHC only if it is not affiliated with an insured bank or a savings association,8 (ii) a foreign bank, foreign company, or a company that is described in section 8(a) of the International Banking Act of 1978, or (iii) a foreign bank that controls a corporation chartered under section 25A of the Federal Reserve Act.9 In addition, pursuant to paragraph (d)(2)(i)(B) of Rule 17i-2, the Commission would not consider such supervision necessary or appropriate unless the investment bank holding company demonstrates that it owns or controls a broker or dealer that has a substantial presence in the securities business, which may be demonstrated by a showing that the broker or dealer maintains tentative net capital of $100 million or more. Accordingly, neither an IBHC nor an SIBHC could be a small entity.10
6. Consequences of Less Frequent Collection
If the SIBHC failed to make the records it is required to make pursuant to Rule 17i-4, it would be more difficult for the SIBHC to implement and enforce its internal risk management control system, and it would be difficult for internal and external auditors and Commission examiners to test the SIBHC’s internal risk management control system.
7. Inconsistencies With Guidelines In 5 CFR 1320.5(d)(2)
The collection of information is not inconsistent with 5 CFR 1320.5(d)(2).
8. Consultations Outside the Agency
All Commission rule proposals are published in the Federal Register for public comment. This comment period is generally thirty days (but for Rule 17i-4 it was 90 days), which affords the public an opportunity to respond to the proposed rule changes.
9. Payment or Gift to Respondents
Not applicable.
10. Assurance of Confidentiality
Pursuant to Exchange Act § 17(j)11 and Section 552(b)(3)(B) of the Freedom of Information Act,12 notwithstanding any other provision of law, the Commission cannot be compelled to disclose any information required to be reported under §17(i). Section 17(j) states, [f]or purposes of section 522 of title 5 United States Code [commonly referred to as the Freedom of Information Act (“FOIA”)], this subsection shall be considered a statute described in subsection (b)(3)(B) of section 552,” and “the Commission shall designate information described in or obtained pursuant to this section as confidential information for purposes of Exchange Act § 24(b)(2).”13 Further, paragraph (d) of Rule 17i-5 states that all information created pursuant to this section and obtained by the Commission from the SIBHC (including, as set forth in paragraph (b)(5) of 17i-5, records documenting the system of internal risk management controls required to be established pursuant to § 17i-4) shall be accorded confidential treatment.
In addition, pursuant to other Commission’s Rules,14 the Commission does not generally publish or make available information contained in reports, summaries, analyses, letters, or memoranda arising out of, in anticipation of, or in connection with an examination or inspection of the books and records of any person or any other investigation.
11. Sensitive Questions
Not applicable. Questions of a sensitive nature are not asked.
12. Estimate of Respondent Reporting Burden
As of October 15, 2009 the Commission supervises one firm registered as an SIBHC. When the SIBHC rule framework was finalized in 2004, the Commission estimated that three IBHCs would file notices of intent to be supervised by the Commission as SIBHCs. The Commission still believes that additional IBHCs will file such Notices and therefore maintains the estimate of three firm respondents.
An SIBHC will require, on average, about 3,600 hours to assess its present structure, businesses, and controls, and establish and document its risk management control system. In addition, an SIBHC will require, on average, approximately 250 hours each year to maintain its risk management control system. Consequently, the total initial burden for all SIBHCs is approximately 10,800 hours15 and the continuing annual burden is about 750 hours.16
Thus, the total burden relating to Rule 17i-4 for all SIBHCs is approximately 11,550 hours17 in the first year, and approximately 750 hours each year thereafter.18
Internationally active firms generally already have in place risk management practices, and will generally review and improve their risk management practices in the near future despite these rules. However, we recognize that, to the extent an IBHC presently has a group-wide internal risk management control system, those systems may not take into account all of the elements and issues required by Rule 17i-4. In addition, these firms may not have documented their consideration of these elements and issues, or other aspects of their internal risk management control systems.
We estimate that the one-time cost for an SIBHC to assess its present structure, businesses, and controls, and establish, document and maintain a risk management control system would be approximately $928,80019 and, in aggregate, about $1.8 million for all SIBHCs.20 We estimate that an SIBHC would incur a cost of approximately $64,500 associated with maintaining its risk management control system each year21 or, in aggregate, approximately $193,500 for all three SIBHCs.22 Consequently, we estimate that the total dollar cost of the one-time and ongoing paperwork burden associated with Rule 17i-4 for all SIBHCs would be approximately $2,051,100.23
13. Estimate of Total Annualized Cost Burden
The information technology (“IT”) systems used by IBHCs to manage risk, make and retain records and reports, and calculate capital differ widely based on the types of business and the size of the IBHC. We believe that an IBHC will upgrade its IT systems with relation to four of the SIBHC framework Rules: Rule 17i-4 (requires an SIBHC to document its internal risk management control systems), Rule 17i-5 (requires an SIBHC to create and maintain records), Rule 17i-6 (requires an SIBHC to create and make reports to the Commission), and Rule 17i-7 (requires that an SIBHC compute allowable capital and allowances for market, credit, and operational risk). It is impossible to determine what percentage of these IT systems costs may be attributable to any particular SIBHC framework Rule, so we will allocate them equally (i.e., 25% of the total cost to each of these four Rules). We believe the costs to upgrade IT systems would be one-time costs.
These IBHCs’ IT systems may be in varying stages of readiness to meet the requirements of the rules. The staff estimated, when these rules were proposed, that it would cost an IBHC between $1 million and $10 million to upgrade its IT systems to comply with the SIBHC framework of rules, depending on the state of development of its IT systems. We believe this estimate to be fairly sound because no commenter disagreed with it. Thus, on average, it would cost each of the three SIBHCs about $5.5 million to upgrade their IT systems, or approximately $16.5 million in total. As described above, we allocate approximately 25% of this cost, or $4,125,000, as attributable to Rule 17i-4.
14. Estimate of Cost to Federal Government
There would be no additional costs to the Federal Government.
15. Explanation of Changes in Burden
There are no changes in the burden estimates.
16. Information Collection Planned for Statistical Purposes
Not applicable. There is no intention to publish the information for any purpose.
17. Explanation as to Why Expiration Date Will Not Be Displayed
Not applicable.
18. Exceptions to Certification
Not applicable.
B. Collection of Information Employing Statistical Methods
The collection of information does not employ statistical methods, nor would the implementation of such methods reduce the burden or improve the accuracy of results.
1 Pub. L. No. 106-102, 113 Stat. 1338 (1999).
2 See 15 U.S.C. 78q(i).
3 See Exchange Act Release No. 49831 (Jun. 8, 2004), 69 FR 34472 (Jun. 21, 2004).
4 See “Directive 2002/87/EC of the European Parliament and of the Council of 16 December 2002.”
5 See H.R. Conf. Rep. No. 106-434, 165 (1999).
6 See Exchange Act Release No. 49831, at 6 (Jun. 8, 2004), 69 FR 34472, at 34473 (Jun. 21, 2004).
7 17 CFR 240.15c3-4.
8 Exchange Act Section 17(i)(1)(A)(i) [15 U.S.C. 78q(i)(1)(A)(i)].
9 Federal Reserve Act § 25A [12 U.S.C. 611].
10 See 17 CFR 240.0-10(c).
11 15 U.S.C. 78o(j).
12 5 U.S.C. 552(b)(3)(B).
13 15 U.S.C. 78x(b)(2).
14 See, e.g., 17 CFR 200.80(b)(4)(iii).
15 (3,600 hours x 3 SIBHCs) = 10,800 hours.
16 (250 hours per year x 3 SIBHCs) = 750 hours per year.
17 (3,600 hours x 3 SIBHCs) + (250 hours per year x 3 SIBHCs) =11,550 hours.
18 (250 hours per year x 3 SIBHCs).
19 We believe an SIBHC would have a Compliance Manager assess its present structure, businesses, and controls, and establish, document and maintain a risk management control system According to the Securities Industry and Financial Markets Association (or “SIFMA”), the hourly cost of a Compliance Manager is $258, as reflected in the SIFMA’s Report on Management and Professional Earnings in the Securities Industry for 2008. ($258 x 3,600 hours) = $928,800.
20 ($928,800 per SIBHC x 2 SIBHCs) = $1,857,600.
21 We believe an SIBHC would have a Compliance Manager assess its present structure, businesses, and controls, and establish, document and maintain a risk management control system. As noted above in note 19, the hourly cost of a Compliance Manager is $258. (250 hours x $258) = $64,500.
22 ($64,500 x 3 SIBHCs) = $193,500.
23 ($1,857,600 + $193,500) = $2,051,100.
| File Type | application/msword |
| File Title | SUPPORTING STATEMENT |
| Author | U.S. |
| Last Modified By | Donna M. Chambers |
| File Modified | 2009-10-29 |
| File Created | 2009-10-29 |