Reg S-id Supporting Statement -2

Identity Theft Red Flags

OMB: 3235-0692

SUPPORTING STATEMENT
Regulation S-ID
A. JUSTIFICATION

1. Necessity for the Information Collection

Proposed Regulation S-ID[1] would require SEC-regulated entities to develop and
implement reasonable policies and procedures to identify, detect and respond to relevant red flags
and, in the case of entities that issue credit or debit cards, to assess the validity of, and
communicate with cardholders regarding, address changes. Proposed § 248.201 of Regulation
S-ID would include the following “collections of information” by SEC-regulated entities that are
financial institutions or creditors if the entity maintains covered accounts: (1) creation and
periodic updating of a Program that is approved by the board of directors; (2) periodic staff
reporting on compliance with the identity theft red flags rules and guidelines, as required to be
considered by section VI of the proposed guidelines; and (3) training of staff to implement the
Program. Proposed § 248.202 of Regulation S-ID would include the following “collections of
information” by any SEC-regulated entities that are credit or debit card issuers: (1) establishment
of policies and procedures that assess the validity of a change of address notification if a request
for an additional card on the account follows soon after the address change, (2) notification of a
cardholder, before issuance of an additional or replacement card, at the previous address or
through some other previously agreed-upon form of communication, or alternatively, assessment
of the validity of the address change request through the entity’s established policies and
procedures.

2. Purpose of the Information Collection

Regulation S-ID, and the information collection it requires, is designed to better protect
consumers from the risks of identity theft. The regulation requires entities that are subject to the
Commission’s jurisdiction to address identity theft in two ways. First, the proposed rules and
guidelines would require financial institutions and creditors to develop and implement a written
identity theft prevention program designed to detect, prevent, and mitigate identity theft in
connection with certain existing accounts or the opening of new accounts. Second, the proposed
rules would establish special requirements for any credit and debit card issuers that are subject to
the Commission’s jurisdiction, to assess the validity of notifications of changes of address under
certain circumstances.
3. Role of Improved Information Technology

The Commission’s Electronic Data Gathering, Analysis and Retrieval System
(“EDGAR”) provides for the automated filing, processing, and dissemination of full disclosure
filings. The automation provides for speed, accuracy and public availability of information,
generating benefits to investors and financial markets. While EDGAR currently is limited to
disclosure and fund deregistration filings, EDGAR may be used in the future to obtain other
types of information from sources outside the Commission. The Electronic Signatures in Global
and National Commerce Act (15 U.S.C. 7001) and the conforming amendments to
recordkeeping rules under the Investment Company Act permit funds to maintain records
electronically.

[1] Identity Theft Red Flags, IC Release No. 29969 (Feb. 28, 2012) [77 FR 13450 (Mar. 6, 2012)].

4. Efforts to Identify Duplication

The Commission sought to avoid duplication of requirements imposed under CFTC and
other agencies’ rules. For example, proposed Regulation S-ID is limited to entities under the
Commission’s jurisdiction, and although substantially similar to regulations issued in 2007 by
the FTC and the federal banking agencies (collectively, the “Agencies”),[2] does not apply to
entities regulated by other agencies. In addition, the identity theft prevention program that would
be required by Regulation S-ID may be integrated into other identity theft prevention or privacy
programs that the financial institution or creditor may already have.

5. Effect on Small Entities

The information collection requirements of Regulation S-ID apply to all entities subject
to the SEC’s jurisdiction, including those that are small entities. The Commission believes that
the costs of complying with the rule would be minimal and do not impose a significant burden on
small entities.

6. Consequences of Less Frequent Collection

Less frequent collection would not be consistent with the Commission’s investor
protection objectives.

7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

None.

[2] See Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate
Credit Transactions Act of 2003, 72 FR 63718 (Nov. 9, 2007) (“2007 Adopting
Release”).

8. Consultation Outside the Agency

Regulation S-ID was proposed jointly with the CFTC. The Commission also consulted
with the Agencies, which earlier adopted substantially similar rules, in crafting Regulation S-ID.
The Commission requested public comment on the collection of information requirements in
Regulation S-ID before it submitted this request for approval to the Office of Management and
Budget. The Commission has not yet received any comments in response to its request related to
the Paperwork Reduction Act.
In addition, the Commission and its staff participate in an ongoing dialogue with
representatives of the fund industry through public conferences, meetings and informal
exchanges. These various forums provide the Commission and the staff with a means of
ascertaining and acting upon paperwork burdens confronting the industry.
9. Payment or Gift to Respondents

Not applicable.

10. Assurance of Confidentiality

Not applicable.

11. Sensitive Questions

Not applicable.

12. Estimate of Hour Burden

SEC staff expects that SEC-regulated entities that would comply with the collections of
information required by proposed Regulation S-ID should already be fully in compliance with the
identity theft red flags rules and guidelines that the Agencies jointly adopted in 2007 and began
enforcing on December 31, 2010. The requirements of those rules and guidelines are
substantially similar and comparable to the requirements of proposed Regulation S-ID.[3]

In addition, SEC staff understands that most SEC-regulated entities that are financial
institutions or creditors would likely already have in place many of the protections regarding
identity theft and changes of address that the proposed regulations would require because they are
usual and customary business practices that they engage in to minimize losses from fraud.
Furthermore, SEC staff believes that many of them are likely to have already effectively
implemented most of the proposed requirements as a result of having to comply (or an affiliate
having to comply) with other, existing regulations and guidance, such as the Customer
Identification Program regulations implementing section 326 of the USA PATRIOT Act,[4] the
Federal Information Processing Standards that implement section 501(b) of the
Gramm-Leach-Bliley Act,[5] section 216 of the FACT Act,[6] and guidance issued by the federal
banking agencies or the Federal Financial Institutions Examination Council regarding information
security, authentication, identity theft, and response programs.[7]

As a result, SEC staff estimates of time and cost burdens here represent the incremental
one-time burden of complying with proposed Regulation S-ID for newly formed SEC-regulated
entities, and the incremental ongoing costs of compliance for all SEC-regulated entities.[8] SEC
staff estimates also attribute all burdens to covered entities, which are entities directly subject to
the requirements of the proposed rulemaking. A covered entity that outsources activities to an
affiliate or a third-party service provider is, in effect, reallocating to that affiliate or service
provider the burden that it would otherwise have carried itself. Under these circumstances, the
burden is, by contract, shifted from the covered entity to the service provider, but the total
amount of burden is not increased. Thus, affiliate and third-party service provider burdens are
already included in the burden estimates provided for covered entities. The time and cost
estimates made here are based on conversations with industry representatives and on a review of
the estimates made in the regulatory analyses of the identity theft red flags rules and guidelines
previously issued by the Agencies.

[3] See “FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule” at
http://www.ftc.gov/opa/2010/05/redflags.shtm.

[4] 31 U.S.C. 5318(l) (requiring verification of the identity of persons opening new
accounts).

[5] 15 U.S.C. 6801.

[6] 15 U.S.C. 1681w.
The collections of information required by proposed § 248.201 would apply to
SEC-regulated entities that are financial institutions or creditors.[9] As stated above, SEC staff
expects that all existing SEC-regulated entities would already have incurred one-time burdens
associated with compliance with proposed Regulation S-ID because they should already be in
compliance with the substantially identical requirements of the Agencies’ red flags rules and
guidelines. Therefore, any initial or one-time burdens associated with compliance with
§ 248.201 of proposed Regulation S-ID would apply only to newly formed entities. The ongoing
burden would apply to all SEC-regulated entities that are financial institutions or creditors.

[7] See 2007 Adopting Release, supra note 2, at 72 FR 63740 nn.55-57 (describing
applicable regulations and guidance).

[8] Based on discussions with industry representatives and a review of applicable law, SEC
staff expects that, of the SEC-regulated entities that fall within the scope of proposed
Regulation S-ID, most broker-dealers, many investment companies (including almost all
open-end investment companies and employees’ securities companies (“ESCs”)), and
some registered investment advisers would likely qualify as financial institutions or
creditors. SEC staff expects that most other SEC-regulated entities described in the scope
section of proposed Regulation S-ID, such as transfer agents, NRSROs, SROs, and
clearing agencies are unlikely to be financial institutions or creditors as defined in the
proposed rule, and therefore we do not include these entities in our estimates.

[9] Proposed § 248.201(a).
Initial Burden

SEC staff estimates that the incremental one-time burden of compliance with proposed
§ 248.201 for SEC-regulated financial institutions and creditors with covered accounts would be:
(i) 25 hours to develop and obtain board approval of a Program, (ii) 4 hours to train staff, and
(iii) 2 hours to conduct an initial assessment of covered accounts, for a total of 31 hours.[10] SEC
staff estimates that, of the 31 hours incurred, 12 hours would be spent by internal counsel at an
hourly rate of $354, 17 hours would be spent by administrative assistants at an hourly rate of $66,
and 2 hours would be spent by the board of directors as a whole at an hourly rate of $4000, for a
total cost of $13,370 per entity for entities that need to come into compliance with proposed
Regulation S-ID.[11]

[10] Unless otherwise stated, all cost estimates for personnel time are derived from SIFMA’s
Management & Professional Earnings in the Securities Industry 2010, modified to
account for an 1800-hour work-year and multiplied by 5.35 to account for bonuses, firm
size, employee benefits, and overhead.

[11] This estimate is based on the following calculations: $354 x 12 hours = $4248; $66 x 17
= $1,122; $4000 x 2 = $8000; $4248 + $1,122 + $8000 = $13,370.

SEC staff estimates that approximately 517 SEC-regulated financial institutions and
creditors are newly formed each year.[12] Each of these 517 entities would need to conduct an
initial assessment of covered accounts, for a total of 1034 hours at a total cost of $366,036.[13] Of
these, SEC staff estimates that approximately 90% (or 465) maintain covered accounts.
Accordingly, SEC staff estimates that the total one-time burden for the 465 entities would be
14,415 hours at a total cost of $6,217,050, and the total one-time burden for all SEC-regulated
entities would be 15,449 hours at a total cost of $6,583,086.[14]
Ongoing Burden

SEC staff estimates that the incremental ongoing burden of compliance with proposed
§ 248.201 would include: (i) 2 hours to periodically review and update the Program, review and
preserve contracts with service providers, and review and preserve any documentation received
from service providers, (ii) 4 hours to prepare and present an annual report to the board, and
(iii) 2 hours to conduct periodic assessments to determine if the entity offers or maintains
covered accounts, for a total of 8 hours. SEC staff estimates that of the 8 hours incurred, 7 hours
would be spent by internal counsel at an hourly cost of $354 and 1 hour would be spent by the
board of directors as a whole at an hourly cost of $4000.

[12] Based on a review of new registrations typically filed with the SEC each year, SEC staff
estimates that approximately 900 investment advisers, 300 broker dealers, 117 open-end
investment companies and 10 employees’ securities companies typically apply for
registration with the SEC or otherwise are newly formed each year, for a total of 1327
entities that would be financial institutions or creditors. The staff estimate of 900
investment advisers is made in light of the recently adopted amendments to rules under
the Investment Advisers Act that carry out requirements of the Dodd-Frank Act to
transfer oversight of certain investment advisers from the SEC to state regulators and to
require certain investment advisers to private funds to register with the SEC. See Rules
Implementing Amendments to the Investment Advisers Act of 1940, Investment Advisers
Act Release No. 3221 (June 22, 2011) [76 FR 42950 (July 19, 2011)]. Of these, SEC
staff estimates that all of the investment companies and broker-dealers are likely to
qualify as financial institutions or creditors, and 10% (or 90) of investment advisers are
likely to also qualify, for a total of 517 total newly formed financial institutions or
creditors that would bear the initial one-time burden of compliance with proposed
Regulation S-ID.

[13] This estimate is based on the following calculations: 517 entities x 2 hours = 1034 hours;
1034 hours x $354 = $366,036.
SEC staff estimates that there are 7978 SEC-regulated entities that are either financial
institutions or creditors, and that all of these would be required to periodically review their
accounts to determine if they offer or maintain covered accounts, for a total of 15,956 hours for
these entities at a total cost of $5,648,424.[15] Of these 7978 entities, SEC staff estimates that
approximately 90 percent, or 7180, maintain covered accounts, and thus would need to bear the
additional burdens related to complying with the rule.[16] Accordingly, SEC staff estimates
the total ongoing burden for the 7180 entities to be 43,080 hours at a total cost of $41,428,600,[17]
and the total ongoing burden for all SEC-regulated entities as a whole to be 59,036 hours at a total
cost of $46,077,024.[18]

[14] These estimates are based on the following calculations: 465 entities x 31 hours = 14,415
hours; 465 entities x $13,370 = $6,217,050; 14,415 hours + 1034 hours = 15,449 hours;
$6,217,050 + $366,036 = $6,583,086.

[15] Based on a review of entities that the SEC regulates, SEC staff estimates that, as of the
end of December 2010, there are approximately 5063 broker-dealers, 1790 active open-end
investment companies and 150 employees’ securities companies. In light of recently
adopted amendments to rules under the Investment Advisers Act that carry out
requirements of the Dodd-Frank Act to transfer oversight of certain investment advisers
from the SEC to state regulators and to require certain investment advisers to private
funds to register with the SEC, SEC staff estimates that, when these amendments become
effective, there will be approximately 9750 investment advisers registered with the SEC.
Of these, SEC staff estimates that all of the broker-dealers, open-end investment
companies and employees’ securities companies are likely to qualify as financial
institutions or creditors, and 10% (or 975) of investment advisers are likely to qualify, for
a total of 7978 total financial institutions or creditors that would bear the ongoing burden
of compliance with proposed Regulation S-ID. The SEC staff estimates that the other
types of entities that are covered by the scope of the SEC’s proposed rule would not be
financial institutions or creditors that maintain covered accounts. See proposed
§ 248.201(a). This estimate is based on the following calculation: (7978 entities x 2
hours = 15,956 hours).
Proposed § 248.202 (duties of card issuers regarding changes of address).

The collections of information required by proposed § 248.202 would apply only to
SEC-regulated entities that issue credit or debit cards.[19] SEC staff understands that SEC-regulated
entities generally do not issue credit or debit cards, but instead partner with other entities, such as
banks, that issue cards on their behalf. These partner entities, which are not regulated by the
SEC, are already subject to substantially similar change of address obligations pursuant to the
Agencies’ identity theft red flags rules and guidelines. In addition, SEC staff understands that
card issuers already assess the validity of change of address requests and, for the most part, have
automated the process of notifying the cardholder or using other means to assess the validity of
changes of address. Therefore, implementation of this requirement would pose no further
burden.

[16] If a financial institution or creditor does not maintain covered accounts, there would be no
ongoing annual burden for purposes of the PRA.

[17] This estimate is based on the following calculation: 7180 entities x $5770 per entity (5
hours at $354 + 1 hour at $4000) = $41,428,600.

[18] These estimates are based on the following calculations: (7180 entities x 6 hours =
43,080 hours; 43,080 hours + 15,956 hours = 59,036 hours).

[19] Proposed § 248.202(a).

SEC staff does not expect that any SEC-regulated entities would be subject to the
information collection requirements of proposed § 248.202. Accordingly, SEC staff estimates
that there will be no hourly or cost burden for SEC-regulated entities related to proposed
§ 248.202.[20]
13. Estimate of Total Annual Cost Burden

The rule is not estimated to impose any burdens other than those discussed in item 12
above.

14. Estimate of Cost to the Federal Government

The rule does not impose any additional costs on the Federal government.

15. Explanation of Changes in Burden

Not applicable.

16. Information Collection Planned for Statistical Purposes

Not applicable.

17. Approval to not Display Expiration Date

Not applicable.

18. Exceptions to Certification Statement

Not applicable.
[20] When the Agencies adopted their red flags rules, they estimated that it would require
approximately 4 hours to develop policies and procedures to assess the validity of
changes of address, and that there would be no burden associated with notifying
cardholders because all entities already have such a process in place. See 2007 Adopting
Release, supra note 2. SEC staff estimates that if any SEC-regulated entities do issue
cards, the burden for complying with proposed § 248.202 would be comparable to the
Agencies’ estimates.

B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS

Not applicable.


File Type: application/pdf
File Title: SUPPORTING STATEMENT
File Modified: 2012-03-26
File Created: 2012-03-26
