2012 SP Supporting Statement

Regulation S-P; Privacy of consumer financial information (17 CFR Part 248)

OMB: 3235-0537

SUPPORTING STATEMENT
for the Paperwork Reduction Act Information Collection Submission
Regulation S-P
A. Justification
1. Necessity of Information Collection

Subtitle A of Title V of the Gramm-Leach-Bliley Act (“GLBA”), captioned
Disclosure of Nonpublic Personal Information (“Title V”), limits the instances in which a
financial institution may disclose nonpublic personal information about a consumer to
nonaffiliated third parties, and requires a financial institution to disclose to all of its
customers the institution’s privacy policies and practices with respect to information
sharing with both affiliates and nonaffiliated third parties. Title V also required the
Securities and Exchange Commission (“SEC”), together with the Office of the
Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the
Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the Secretary of
the Treasury, the National Credit Union Administration, and the Federal Trade
Commission (collectively the “other agencies”), in consultation with representatives of
State insurance authorities designated by the National Association of Insurance
Commissioners, to prescribe regulations necessary to carry out the purposes of Title V.
SEC representatives participated with representatives from the other agencies in
drafting rules to implement Title V. As required by the GLBA, the rules adopted by the
SEC, now codified as Regulation S-P, are, to the extent possible, consistent with and
comparable to the rules adopted by the other agencies. Regulation S-P, which applies to
broker-dealers, investment companies, and federally registered investment advisers
(“covered entities”), contains rules of general applicability that are substantially similar to
the rules adopted by the other agencies. See Release Nos. 34-42974, IC-24543, IA-1883
(June 22, 2000), 65 FR 40333 (June 29, 2000).
Regulation S-P implements the requirements of Title V of the GLBA, which
include the requirement that at the time of establishing a customer relationship with a
consumer and not less than annually during the continuation of such relationship, a
financial institution shall provide a clear and conspicuous disclosure to such consumer of
such financial institution’s policies and practices with respect to disclosing nonpublic
personal information to affiliates and nonaffiliated third parties (“privacy notice”). Title
V of the GLBA also provides that, unless an exception applies, a financial institution may
not disclose nonpublic personal information of a consumer to a nonaffiliated third party
unless the financial institution clearly and conspicuously discloses to the consumer that
such information may be disclosed to such third party; the consumer is given the
opportunity, before the time that such information is initially disclosed, to direct that such
information not be disclosed to such third party; and the consumer is given an explanation
of how the consumer can exercise that nondisclosure option (“opt out notice”).

The privacy notices required by Regulation S-P are mandatory. The opt out
notices are not mandatory for financial institutions that do not share nonpublic personal
information with nonaffiliated third parties except as permitted under one of Regulation
S-P’s exceptions from the opt out requirements. The provisions of Regulation S-P
implementing the GLBA’s privacy notice and opt out notice requirements (the “Rule”)
apply to broker-dealers, SEC-registered investment advisers, and investment companies
(“covered entities”).
In 2004, the SEC amended Regulation S-P to implement the provision in section
216 of the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) requiring
proper disposal of consumer report information and records. Section 216 of the FACT
Act directed the SEC and other federal agencies to adopt regulations requiring that any
person who maintains or possesses consumer report information or any compilation of
consumer report information derived from a consumer report for a business purpose must
properly dispose of the information. The amendments also required the safeguard
policies and procedures required by Regulation S-P to be in writing. The SEC submitted
this proposed, separate collection of information to the OMB for review in accordance
with 44 U.S.C. 3507(d) and 5 CFR 1320.11 (see Release Nos. 34–50781, IA–2332,
IC–26685 (December 2, 2004), 69 FR 71321, 71326 (December 8, 2004)) and the collection
was approved, with an expiration date of November 30, 2007, and most recently renewed
with an expiration date of August 31, 2013, under OMB Control No. 3235-0610.
In 2009, the SEC amended Regulation S-P to, together with seven other federal
agencies, adopt a model privacy form designed to make it easier for consumers to
understand how financial institutions collect and share their personal financial
information and to compare different institutions’ information practices. Covered entities
that customize the two-page form consistent with its instructions may rely on their use of
the form as a safe harbor to comply with the Rule’s notice requirements.
2. Purpose and Use of the Information Collection

The Rule implements provisions of Title V of the GLBA, which, as explained
above, require the provision to consumers of privacy and opt out notices. The notices
describe covered entities’ information-sharing practices and inform consumers of their
right to opt out of certain of these practices. Although the notices are not provided to the
SEC, the SEC uses copies of the notices and records of their having been provided to
consumers in its examinations and investigations of covered entities to monitor their
compliance with the consumer financial privacy requirements of the GLBA and
Regulation S-P.
3. Consideration Given to Information Technology

The Rule allows for the provision of privacy and opt out notices by electronic
means. In addition, as noted above, in 2009 the SEC adopted a two-page model privacy
form that covered entities may customize and use to comply with the Rule’s notice
requirements. The SEC has made the model privacy form available on its website as a
template, and has provided a link on its website to an online model privacy form builder,
which should reduce the burden on covered entities of ensuring that their privacy and opt
out notices comply with the Rule’s requirements.
4. Duplication

In a release entitled Registration of Broker-Dealers Pursuant to Section 15(b)(11)
of the Securities Exchange Act of 1934, Release No. 34-44730 (Aug. 21, 2001), 66 FR
45137 (Aug. 27, 2001), the SEC adopted amendments to Regulation S-P in light of
Section 124 of the Commodity Futures Modernization Act (“CFMA”), which makes the
privacy provisions of the GLBA applicable to activity regulated by the Commodity
Futures Trading Commission (“CFTC”). These amendments permit CFTC-regulated
futures commission merchants and introducing brokers that are registered by notice as
broker-dealers to comply with Regulation S-P by complying with the CFTC’s financial
privacy rules.
5. Effect on Small Entities

The burden of the Rule’s requirements on smaller covered entities should be
minimized by the SEC’s provision of a model privacy form and a link on its website to an
online model privacy form builder. In addition, the SEC’s website provides a small entity
compliance guide prepared by SEC staff, which should help smaller covered entities
make use of the model privacy form.
6. Consequences of Not Conducting Collection

The information collection associated with the Rule involves not a reporting
burden, but a third-party disclosure burden. Covered entities are required by the GLBA
and the Rule to provide privacy notices to their customers not less frequently than
annually, and to ensure that their privacy notices are accurate, which may require a
covered entity to provide revised privacy notices if it changes its privacy policies or
practices. Covered entities are also required to provide opt out notices to their consumers
before making certain types of disclosures of nonpublic personal information about a
consumer to a nonaffiliated third party. These are statutory requirements, and a covered
entity would fail to comply with them if it failed to provide to its consumers privacy
notices and opt out notices when required by the GLBA and the Rule.
7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

There are no special circumstances. This collection is consistent with the
guidelines in 5 CFR 1320.5(d)(2).

8. Consultations Outside the Agency

The required Federal Register notice with a 60-day comment period soliciting
comments on this collection of information was published. No public comments were
received.
9. Payment or Gift
No payment or gift is provided to respondents.

10. Confidentiality
No assurance of confidentiality is provided.
11. Sensitive Questions
Not applicable; no information of a sensitive nature is required.
12. Burden of Information Collection
SEC staff estimates that, as of early May, 2012, the Rule’s information collection
burden applies to approximately 21,500 covered entities (approximately 4,700 broker-dealers,
12,600 SEC-registered investment advisers, and 4,200 investment companies).
In view of (a) the minimal recordkeeping burden imposed by the Rule (since the Rule has
no recordkeeping requirement and records relating to customer communications already
must be made and retained pursuant to other SEC rules); (b) the summary fashion in
which information must be provided to customers in the privacy and opt out notices
required by the Rule (the model privacy form adopted by the SEC and the other agencies
in 2009, designed to serve as both a privacy notice and an opt out notice, is only two
pages); (c) the availability to covered entities of the model privacy form and online model
privacy form builder; and (d) the experience of covered entities’ staff with the notices,
SEC staff estimates that covered entities will each spend an average of approximately 12
hours per year complying with the Rule, for a total of approximately 258,000 annual
burden-hours (12 x 21,500 = 258,000). SEC staff understands that the vast majority of
covered entities deliver their privacy and opt out notices with other communications such
as account opening documents and account statements. Because the other
communications are already delivered to consumers, adding a brief privacy and opt out
notice should not result in added costs for processing or for postage and materials. Also,
privacy and opt out notices may be delivered electronically to consumers who have
agreed to electronic communications, which further reduces the costs of delivery.
Because SEC staff assumes that most paper copies of privacy and opt out notices are
combined with other required mailings, the burden-hour estimates above are based on
resources required to integrate the privacy and opt out notices into another mailing, rather
than on the resources required to create and send a separate mailing. SEC staff estimates
that, of the estimated 12 annual burden-hours incurred, approximately 8 hours would be
spent by administrative assistants at an hourly rate of $65, and approximately 4 hours
would be spent by internal counsel at an hourly rate of $378, for a total annualized cost of
$2,032 for each of the covered entities (8 x $65 = $520; 4 x $378 = $1,512; $520 +
$1,512 = $2,032). Hourly cost estimates for personnel time are derived from the
Securities Industry and Financial Markets Association’s Management & Professional
Earnings in the Securities Industry 2011, modified by SEC staff to account for an
1800-hour work-year and multiplied by 5.35 to account for bonuses, firm size, employee
benefits, and overhead. Accordingly, SEC staff estimates that the total annualized cost
for the estimated total hour burden for the approximately 21,500 covered entities subject
to the Rule is approximately $43,688,000 ($2,032 x 21,500 = $43,688,000).
13. Costs to Respondents
The information collection is not estimated to impose any burdens other than
those discussed in item 12 above.
14. Costs to Federal Government
The information collection does not impose any additional costs on the Federal
government.
15. Changes in Burden
The 1,435-hour increase in estimated total annual burden-hours was due to an
increase in the estimated number of respondents. In 2009 SEC staff estimated the total
annual burden-hours at 240,780, calculated using an estimated average of 12 burden-hours
for each covered entity and an estimated 20,065 covered entities (12 x 20,065 =
240,780).
16. Information Collection Planned for Statistical Purposes
Not applicable. The information collection is not used for statistical purposes.
17. Approval to Display OMB Expiration Date
The Commission is not seeking approval from OMB.
18. Exceptions to Certification
This collection complies with the requirements in 5 CFR 1320.9.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
Not applicable. The information collection is not used for statistical purposes.


File Type: application/pdf
File Title: A..Justification
File Modified: 2012-09-14
File Created: 2012-09-14