REG S-ID SUPPORTING STATEMENT - Adoption v2


Regulation S-ID- Identity Theft Red Flags Rules

OMB: 3235-0692




SUPPORTING STATEMENT

for the Paperwork Reduction Act Information Collection Submission for

“Regulation S-ID”

  1. JUSTIFICATION

1. Necessity for the Information Collection

Under Regulation S-ID,1 SEC-regulated entities are required to develop and implement reasonable policies and procedures to identify, detect and respond to relevant red flags and, in the case of entities that issue credit or debit cards, to assess the validity of, and communicate with cardholders regarding, address changes. Section 248.201 of Regulation S‑ID includes the following “collections of information” by SEC-regulated entities that are financial institutions or creditors if the entity maintains covered accounts: (1) creation and periodic updating of an identity theft prevention program (“Program”) that is approved by the board of directors, an appropriate committee thereof, or a designated senior management employee; (2) periodic staff reporting on compliance with the identity theft red flags rules and guidelines, as required to be considered by section VI of the guidelines; and (3) training of staff to implement the Program. Section 248.202 of Regulation S‑ID includes the following “collections of information” by SEC-regulated entities that are credit or debit card issuers: (1) establishment of policies and procedures that assess the validity of a change of address notification if a request for an additional or replacement card on the account follows soon after the address change; and (2) notification of a cardholder, before issuance of an additional or replacement card, at the previous address or through some other previously agreed-upon form of communication, or alternatively, assessment of the validity of the address change request through the entity’s established policies and procedures.

2. Purpose of the Information Collection

Regulation S-ID, and the information collection it requires, is designed to better protect consumers from the risks of identity theft. The regulation requires entities that are subject to the Commission’s jurisdiction to address identity theft in two ways. First, the rules and guidelines require financial institutions and creditors that offer or maintain certain accounts to develop and implement a written identity theft prevention program designed to detect, prevent, and mitigate identity theft in connection with existing accounts or the opening of new accounts. Second, the rules establish special requirements for credit and debit card issuers that are subject to the Commission’s jurisdiction, to assess the validity of notifications of changes of address under certain circumstances.

3. Consideration Given to Information Technology

The Commission’s Electronic Data Gathering, Analysis and Retrieval System (“EDGAR”) provides for the automated filing, processing, and dissemination of full disclosure filings. The automation provides for speed, accuracy and public availability of information, generating benefits to investors and financial markets. While EDGAR currently is limited to disclosure and fund deregistration filings, EDGAR may be used in the future to obtain other types of information from sources outside the Commission. The Electronic Signatures in Global and National Commerce Act (15 U.S.C. 7001) and the conforming amendments to recordkeeping rules under the Investment Company Act of 1940 (15 U.S.C. 80a) permit funds to maintain records electronically.

4. Duplication

The Commission sought to avoid duplication of requirements imposed under other agencies’ rules. For example, Regulation S-ID is limited to entities under the Commission’s jurisdiction, and although substantially similar to regulations issued in 2007 by the Federal Trade Commission, the federal banking agencies, and the National Credit Union Association (collectively, the “Agencies”), does not apply to entities regulated by other agencies.2 In addition, the identity theft prevention program required by Regulation S-ID may be integrated into other identity theft prevention or privacy programs that the financial institution or creditor may already have.

5. Effect on Small Entities

The information collection requirements of Regulation S-ID apply to all covered entities subject to the SEC’s jurisdiction, including those that are small entities. Because all SEC-regulated entities, including small entities, should already be in compliance with substantially similar identity theft red flags rules adopted by the Agencies, the Commission believes that the costs of complying with the rules will be minimal and do not impose a significant burden on small entities.

6. Consequences of Less Frequent Collection

Less frequent collection would not be consistent with the Commission’s investor protection objectives.

7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

None.

8. Consultation Outside the Agency

Regulation S-ID was jointly adopted with the CFTC’s rules on identity theft red flags. The Commission also consulted with the Agencies, which earlier adopted substantially similar rules, in crafting Regulation S-ID. The Commission requested public comment on the collection of information requirements in Regulation S-ID when it was proposed. Comments on the proposal, including comments referenced in this release, are available on the SEC’s website at http://www.sec.gov/comments/s7-02-12/s70212.shtml. The Commission received one comment in response to its request related to the Paperwork Reduction Act.3

In addition, the Commission and its staff participate in an ongoing dialogue with representatives of the fund industry through public conferences, meetings and informal exchanges. These various forums provide the Commission and the staff with a means of ascertaining and acting upon paperwork burdens confronting the industry.

9. Payment or Gift

Not applicable.

10. Confidentiality

Not applicable.

11. Sensitive Questions

Not applicable.

12. Estimate of Hour Burden

SEC-regulated entities that must comply with the collections of information required by Regulation S-ID should already be in compliance with the identity theft red flags rules that the Agencies jointly adopted in 2007.4 The requirements of those rules are substantially similar and comparable to the requirements of Regulation S-ID.5

In addition, SEC staff understands that most SEC-regulated entities that are financial institutions or creditors may otherwise have in place many of the protections regarding identity theft and changes of address that Regulation S-ID requires because they are usual and customary business practices that they engage in to minimize losses from fraud. Furthermore, SEC staff believes that many of them are likely to have already effectively implemented most of the requirements as a result of having to comply (or an affiliate having to comply) with other, existing statutes, regulations and guidance, such as the federal customer identification program rules implementing section 326 of the USA PATRIOT Act,6 the Interagency Guidelines Establishing Information Security Standards that implement section 501(b) of the Gramm Leach Bliley Act (GLBA),7 section 216 of the Fair and Accurate Credit Transactions Act of 2003,8 and guidance issued by the Agencies or the Federal Financial Institutions Examination Council regarding information security, authentication, identity theft, and response programs.9

SEC staff estimates of time and cost burdens represent the one time burden of complying with Regulation S-ID for newly formed SEC-regulated entities, and the ongoing costs of compliance for all SEC-regulated entities.10 SEC staff estimates also attribute all burdens to entities that are directly subject to the requirements of the rulemaking. An entity directly subject to Regulation S-ID that outsources activities to a service provider is, in effect, shifting to that service provider the burden that it would otherwise have carried itself. Under these circumstances, the burden is, by contract, shifted from the entity that is directly subject to Regulation S-ID to the service provider, but the total amount of burden is not increased. Thus, service provider burdens are already included in the burden estimates provided for entities that are directly subject to Regulation S-ID. The time and cost estimates made here are based on conversations with industry representatives and on a review of comments received on the proposed rules as well as the estimates made in the regulatory analyses of the identity theft red flags rules previously issued by the Agencies.

§ 248.201 (duties regarding detection, prevention, and mitigation of identity theft)

The collections of information required by section 248.201 apply to SEC‑regulated entities that are financial institutions or creditors.11 As stated above, SEC staff expects that existing SEC‑regulated entities should already have incurred initial or one‑time burdens associated with compliance with Regulation S‑ID because they should already be in compliance with the substantially identical requirements of the Agencies’ identity theft red flags rules.12 Any initial or one‑time burden estimates associated with compliance with section 248.201 of Regulation S‑ID apply only to newly‑formed entities. The ongoing burden estimates apply to all SEC‑regulated entities that are financial institutions or creditors. Existing entities subject to Regulation S-ID should already bear, and will continue to be subject to, this burden. In the Proposing Release, the SEC solicited comment on its estimates of the burdens associated with the collections of information required by section 248.201; one commenter raised concerns with the estimates in the Proposing Release, arguing that actual burdens could be greater than estimated.13

Initial Burden

SEC staff estimates that the one-time burden of compliance with section 248.201 for SEC-regulated financial institutions and creditors with covered accounts is: (i) 25 hours to develop and obtain board approval of a Program; (ii) 4 hours to train staff; and (iii) 2 hours to conduct an initial assessment of covered accounts, for a total of 31 hours.14 SEC staff estimates that, of the 31 hours incurred, 12 hours will be spent by internal counsel at an hourly rate of $378, 17 hours will be spent by administrative assistants at an hourly rate of $65, and 2 hours will be spent by the board of directors as a whole at an hourly rate of $4500, for a total cost of $14,641 per newly formed entity.15

SEC staff estimates that approximately 668 SEC-regulated financial institutions and creditors are newly formed each year.16 Each of these 668 entities will need to conduct an initial assessment of covered accounts, for a total of 1336 hours at a total cost of $505,008.17 Of these 668 entities, SEC staff estimates that approximately 90% (or 601) maintain covered accounts.18 Accordingly, SEC staff estimates that the total initial burden for the 601 newly formed SEC-regulated entities that are likely to qualify as financial institutions or creditors and maintain covered accounts is 18,631 hours at a total cost of $8,799,241, and the total initial burden for all newly formed SEC-regulated entities is 18,765 hours at a total cost of $8,849,893.19

Ongoing Burden

SEC staff estimates that the ongoing burden of compliance with section 248.201 includes: (i) 2 hours to conduct periodic assessments to determine if the entity offers or maintains covered accounts; (ii) 4 hours to prepare and present an annual report to the board; and (iii) 2 hours to periodically review and update the Program, including review and preservation of contracts with service providers, and review and preservation of any documentation received from service providers, for a total of 8 hours. SEC staff estimates that of the 8 hours incurred, 7 hours will be spent by internal counsel at an hourly cost of $378 and 1 hour will be spent by the board of directors as a whole at an hourly cost of $4500.

SEC staff estimates that there are 10,339 SEC-regulated entities that are either financial institutions or creditors, and that all of these will be required to periodically review their accounts to determine if they offer or maintain covered accounts, for a total of 20,678 hours for these entities at a total cost of $7,816,284.20 Of these 10,339 entities, SEC staff estimates that approximately 90 percent, or 9305, maintain covered accounts, and thus will need the additional burdens related to complying with the rules.21 Accordingly, SEC staff estimates that the total ongoing burden for these 9305 financial institutions and creditors that maintain covered accounts will be 74,440 hours at a total cost of $66,493,530.22 The estimated total ongoing burden for the 10,339 SEC-regulated entities that are financial institutions or creditors covered by Regulation S-ID will be 76,508 hours at total cost of $67,275,234.23

§ 248.202 (duties of card issuers regarding changes of address).

The collections of information required by section 248.202 will apply only to SEC-regulated entities that issue credit or debit cards.24 SEC staff understands that SEC-regulated entities generally do not issue credit or debit cards, but instead partner with other entities, such as banks, that issue cards on their behalf. These other entities, which are not regulated by the SEC, are already subject to substantially similar change of address obligations pursuant to the Agencies’ identity theft red flags rules. In addition, SEC staff understands that card issuers already assess the validity of change of address requests and, for the most part, have automated the process of notifying the cardholder or using other means to assess the validity of changes of address. Therefore, implementation of this requirement poses no further burden.

SEC staff does not expect that any SEC-regulated entities will be subject to the information collection requirements of section 248.202. Accordingly, SEC staff estimates that there is no hourly or cost burden for SEC-regulated entities related to section 248.202. In the Proposing Release, the SEC solicited comment on this same estimate of the burdens associated with the collections of information required by section 248.202 and received no comments on its burden estimate.

13. Estimate of Total Annual Cost Burden

The rule is not estimated to impose any burdens other than those discussed in item 12 above.

14. Estimate of Cost to the Federal Government

The rule does not impose any additional costs on the Federal government.

15. Changes in Burden

Not applicable.

16. Information Collection Planned for Statistical Purposes

Not applicable.

17. Approval to Omit OMB Expiration Date

Not applicable.

18. Exceptions to Certification Statement

Not applicable.

  1. Collections of information employing statistical methods

Not applicable.

1 Identity Theft Red Flags, Investment Company Act Release No. 30456 (Apr. 10, 2013) (“Adopting Release”); Identity Theft Red Flags, Investment Company Act Release No. 29969 (Feb. 28, 2012) [77 FR 13450 (Mar. 6, 2012)] (“Proposing Release”).

2 See Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit Transactions Act of 2003, 72 FR 63718 (Nov. 9, 2007) (“2007 Adopting Release”). In addition, the Commodity Futures Trading Commission (“CFTC”) adopted rules for the entities it regulates at the same time the Commission adopted Regulation S-ID. See Adopting Release, supra note 1.

3 See Comment Letter of the Financial Services Roundtable and the Securities Industry and Financial Markets Association (May 2, 2012) (“FSR/SIFMA Comment Letter”).  The commenter raised concerns with the cost estimates in the Proposing Release, and argued that the actual costs of compliance could be much greater than estimated.  See infra note 13.



4 SEC staff, however, understands that a number of investment advisers may not currently have identity theft red flags programs. Under the new guidance, for entities having now determined that they should comply with Regulation S-ID, the collections of information required by Regulation S-ID and the estimates of time and costs discussed below may be new. As discussed further below, SEC staff estimates that there are approximately 3791 investment advisers that are currently registered with the SEC and are likely to qualify as financial institutions or creditors. SEC staff is unable to estimate how many of these investment advisers previously complied with the Agencies’ identity theft red flags rules.

5 See 2007 Adopting Release, supra note 2, at Section VI.A (discussing the Paperwork Reduction Act (“PRA”) analysis with respect to the Agencies’ identity theft red flags rules); “FTC Extends Enforcement Deadline for Identity Theft Red Flags Rule,” at http://www.ftc.gov/opa/2010/05/redflags.shtm.

6 31 U.S.C. 5318(l) (requiring verification of the identity of persons opening accounts).

7 15 U.S.C. 6801.

8 15 U.S.C. 1681w.

9 See 2007 Adopting Release, supra note 2, at nn.55–57 (describing applicable statutes, regulations, and guidance).

10 Based on discussions with industry representatives and a review of applicable law, SEC staff expects that, of the SEC-regulated entities that fall within the scope of Regulation S-ID, most broker-dealers, many investment companies (including almost all open-end investment companies and employees’ securities companies (“ESCs”)), and some registered investment advisers will likely qualify as financial institutions or creditors. SEC staff expects that other SEC regulated entities described in the scope section of Regulation S-ID, such as business development companies, transfer agents, nationally recognized statistical rating organizations, self-regulatory organizations, and clearing agencies may be less likely to be financial institutions or creditors as defined in the rules, and therefore we do not include these entities in our estimates.

11 § 248.201(a).


12 See 2007 Adopting Release, supra note 2, at Section VI.A (discussing the PRA analysis with respect to the Agencies’ identity theft red flags rules). Because the requirements of Regulation S-ID are substantially identical to the requirements of the Agencies’ identity theft red flags rules, the SEC staff took the Agencies’ PRA analysis into account in estimating the regulatory burdens of Regulation S-ID.

13 See FSR/SIFMA Comment Letter, supra note 3. FSR/SIFMA estimated that “the initial compliance burden to implement the [proposed rules] would average 2,000 hours for each line of business conducted by a large, complex financial institution …” and that “the continuing compliance monitoring for a large, complex financial institution … would average 400 hours annually.” FSR/SIFMA also noted that “financial institutions with an existing Red Flags program would experience an incremental burden” in connection with the SEC’s rules.

In its estimates, FSR/SIFMA focused on large, complex financial institutions. Regulation S‑ID requires each financial institution and creditor to tailor its Program to its size and complexity, and to the nature and scope of its activities. Our estimates take into account the hour burdens for small financial institutions and creditors, which we understand, based on discussions with industry representatives, to be significantly less than the estimates provided by this commenter.

14 The cost estimate for internal counsel is derived from SIFMA’s Management & Professional Earnings in the Securities Industry 2011, modified to account for an 1800 hour work year and multiplied by 5.35 to account for bonuses, entity size, employee benefits, and overhead. The cost estimate for administrative assistants is derived from SIFMA’s Office Salaries in the Securities Industry 2011, modified to account for an 1800‑hour work‑year and multiplied by 2.93 to account for bonuses, entity size, employee benefits, and overhead. The cost estimate for the board of directors is derived from estimates made by SEC staff regarding typical board size and compensation that is based on information received from fund representatives and publicly available sources.

15 This estimate is based on the following calculations: $378 x 12 hours = $4536; $65 x 17 = $1,105; $4500 x 2 = $9000; $4536 + $1,105 + $9000 = $14,641.

16 Based on a review of new registrations typically filed with the SEC each year, SEC staff estimates that approximately 900 investment advisers, 231 broker dealers, 139 investment companies, and 1 ESC typically apply for registration with the SEC or otherwise are newly formed each year, for a total of 1271 entities that could be financial institutions or creditors. Of these, SEC staff estimates that all of the investment companies, ESCs, and broker-dealers are likely to qualify as financial institutions or creditors, and 33% (or 297) of investment advisers are likely to qualify, for a total of 668 total financial institutions or creditors that will bear the initial one time burden of assessing covered accounts under Regulation S-ID. Information regarding the method used to estimate that 33% of investment advisers are likely to qualify as financial institutions or creditors can be found in note 20 below.

17 These estimates are based on the following calculations: 668 entities x 2 hours = 1336 hours; $378 x 1336 = $505,008.

18 In the Proposing Release, the SEC requested comment on the estimate that approximately 90% of all financial institutions and creditors maintain covered accounts; the SEC received no comments on this estimate.

19 These estimates are based on the following calculations: 601 financial institutions and creditors that maintain covered accounts x 31 hours = 18,631 hours; 601 x $14,641 = $8,799,241; 17,429 hours (601 financial institutions and creditors that maintain covered accounts x 29 hours) + 1336 hours (burden for all SEC regulated entities that are financial institutions or creditors to conduct an initial assessment of covered accounts) = 18,765 hours; ($378 x 10 hours) + ($65 x 17) + ($4500 x 2) = $13,885; $378 x 2 = $756; (601 x $13,885) + (668 x $756) = $8,849,893.

20 Based on a review of entities that the SEC regulates, SEC staff estimates that, as of July 1, 2012, there are approximately 11,622 investment advisers, 4706 broker‑dealers, 1692 active open‑end investment companies, and 150 ESCs. Of these, SEC staff estimates that all of the broker‑dealers, open‑end investment companies and ESCs are likely to qualify as financial institutions or creditors, and approximately 3791 investment advisers (or about 33%, as explained further below) are likely to qualify, for a total of 10,339 total financial institutions or creditors that will bear the ongoing burden of assessing covered accounts under Regulation S‑ID. (The SEC staff estimates that the other types of entities that are covered by the scope of the SEC’s rules will not be financial institutions or creditors and therefore will not be subject to the rules’ requirements.) The total hours estimate is based on the following calculation: 10,339 entities x 2 hours = 20,678 hours. The total cost estimate is based on the following calculation: 10,339 x ($378 x 2) = $7,816,284.

The SEC staff estimate that 33% of SEC‑registered investment advisers will be subject to the requirements of Regulation S‑ID is based on the following calculation. According to Investment Adviser Registration Depository (IARD) data, there are approximately 11,622 investment advisers registered with the SEC as of July 1, 2012. Of these advisers, approximately 7327 could potentially be subject to the rule as financial institutions because they indicate they have customers who are natural persons. We estimate that approximately 16%, or 1202 of these 7327 advisers, hold transaction accounts belonging to natural persons and therefore would qualify as financial institutions under the rule. Additionally, 4055 of the 11,622 advisers registered with the SEC have private fund clients. We expect that most of the funds advised by these advisers would have at least one natural person investor, and thus they could potentially meet the definition of “financial institution.” In addition, some of these private fund advisers may engage in lending activities that would also qualify them as creditors under the rule. In order to avoid duplication, however, we are deducting 1466 private fund advisers from the total number of advisers we estimate will be subject to the rule, because they also indicated on Form ADV that they have individual or high net worth clients and are already accounted for in our estimates above. Accordingly, the staff estimates that approximately 3791 (i.e., 1202 + 4055 – 1466) advisers registered with the SEC will be subject to the rule. These 3791 advisers are about 33% of the 11,622 SEC‑registered advisers.

21 See supra note 18 and accompanying text. If a financial institution or creditor does not maintain covered accounts, there would be no ongoing annual burden for purposes of the PRA.

22 These estimates are based on the following calculations: 9305 financial institutions and creditors that maintain covered accounts x 8 hours = 74,440 hours; ($378 x 7) + $4500 = $7146; 9305 x $7146 = $66,493,530.

23 These estimates are based on the following calculations: 20,678 hours (10,339 financial institutions and creditors x 2 hours (for review of accounts)) + 55,830 hours (9305 financial institutions and creditors that maintain covered accounts x 6 hours (for report to board, and review and update of Program)) = 76,508 hours; (10,339 x ($378 x 2)) + (9305 x (($378 x 5) + $4500)) = $67,275,234.

24 § 248.202(a).


File Created: 2021-01-29