Rule 248.30 Supporting Statement

Rule 248.30; 17 C.F.R. Sec. 248.30, Procedures to safeguard customer records and information; disposal of consumer report information.

OMB: 3235-0610

SUPPORTING STATEMENT
for the Paperwork Reduction Act Information Collection for
Rule 248.30

A. JUSTIFICATION

1. Information Collection Necessity

Section 501 of the Gramm-Leach-Bliley Act (the “GLBA” or “Act”) (15 U.S.C.
6801) directs the Commission, and other federal financial regulators, to require that
financial institutions establish appropriate administrative, technical, and physical
safeguards to “insure the security and confidentiality of customer records and
information,” “protect against any anticipated threats or hazards to the security and
integrity” of those records, and protect against unauthorized access to or use of those
records or information, which “could result in substantial harm or inconvenience to any
customer.” 1
Pursuant to this provision, the Commission adopted rule 248.30(a) (the “safeguard
rule”) under Regulation S-P (17 CFR 248.30(a)) in 2000. 2 The safeguard rule requires
brokers, dealers, investment companies, and investment advisers registered with the
Commission (“registered investment advisers”) (collectively “covered institutions”) to
adopt written policies and procedures for administrative, technical, and physical
safeguards to protect customer records and information. The safeguards must be
reasonably designed to meet the Act’s objectives.

1 See 15 U.S.C. 6801(b). See also section 505 of the GLBA (15 U.S.C. 6805), directing the
Commission to enforce the Act’s safeguard requirements under the Securities Exchange Act of
1934 (15 U.S.C. 78a) (the “Exchange Act”), the Investment Company Act of 1940 (15 U.S.C.
80a) (the “Investment Company Act”), and the Investment Advisers Act of 1940 (15 U.S.C. 80b-1).

2 See Privacy of Consumer Financial Information (Regulation S-P), Investment Company Act
Release No. 24543 (Jun. 22, 2000) [56 FR 40334 (Jun. 29, 2000)].

Other than the safeguard rule, rule 248.30 does not impose any recordkeeping
requirement or otherwise include any requirement that constitutes a “collection of
information” as it is defined in the regulations implementing the Paperwork Reduction
Act of 1995 (44 U.S.C. 3501).

2. Information Collection Purpose

The safeguard rule’s requirement that covered institutions’ policies and
procedures be in writing constitutes a “collection of information” requirement within the
meaning of the Paperwork Reduction Act of 1995. 3 The rule is designed to ensure that
covered institutions maintain reasonable safeguard policies and procedures. Requiring
written safeguard policies and procedures eliminates uncertainty as to what actions an
employee must take to protect customer records and information and promotes more
systematic and organized reviews of safeguard policies and procedures by institutions.
The information collection also assists the Commission’s examination staff in assessing
the existence and the adequacy of covered institutions’ safeguard policies and procedures.

3. Consideration Given to Information Technology

The safeguard rule does not require the reporting of any information or the filing
of any documents with the Commission. The rule requires covered institutions to
maintain their safeguard policies and procedures in writing. The Electronic Signatures in
Global and National Commerce Act 4 and the interpretive guidance and conforming
amendments to rules under the Exchange Act and the Investment Company Act permit
broker-dealers and funds to maintain records electronically. The Commission also
permits registered investment advisers to maintain the records required under rule 204-2
through electronic media. 5

3 The safeguard rule is currently approved under OMB control number 3235-0610.

4 15 U.S.C. 7001.

4. Duplication

The safeguard rule imposes a requirement that covered institutions maintain and
document their safeguard policies and procedures in writing. Covered institutions are
subject to similar requirements elsewhere in the federal securities laws and rules of the
self-regulatory organizations that require them to adopt written policies and procedures. 6
The safeguard rule, however, does not require covered institutions to maintain duplicate
copies of records covered by the rule, and an institution’s safeguard policies and
procedures do not have to be maintained in a single location. Moreover, although the
safeguard rule requires broker-dealers and investment companies to keep certain records
that may be required under the general recordkeeping provisions of rule 17a-3 under the
Exchange Act 7 and rule 31a-1 under the Investment Company Act, 8 the overlap is limited
and the Commission does not require a broker-dealer or investment company to maintain
duplicate copies of the records. The staff believes, therefore, that any duplication of
regulatory requirements is limited and does not impose significant additional costs on
institutions.

5 17 CFR 275.204(g).

6 See, e.g., 17 CFR 270.17j-1(c)(1) (requiring a fund and each investment adviser and principal
underwriter of the fund to “adopt a written code of ethics containing provisions reasonably
necessary to prevent” certain persons affiliated with the fund, its investment adviser or its
principal underwriter from engaging in certain fraudulent, manipulative, and deceptive actions
with respect to the fund); 15 U.S.C. 80b-4a (requiring each adviser registered with the
Commission to have written policies and procedures reasonably designed to prevent the misuse of
material non-public information by the adviser or persons associated with the adviser); and NASD
Conduct Rule 3010 (requiring each broker-dealer to establish and maintain written procedures to
supervise the types of business it is engaged in and to supervise the activities of registered
representatives and associated persons).

7 17 CFR 240.17a-3 (requiring broker-dealers to make and keep, among other things, blotters or
other records of original entry, securities position records, and order tickets).

8 17 CFR 270.31a-1(b)(4), 17 CFR 270.31a-1(b)(11) (requiring investment companies to maintain,
among other things, minute books of directors’ meetings and “files of all advisory material
received from the investment adviser”).

5. Effect on Small Entities

Every covered institution, regardless of its size, is subject to the safeguard rule’s
requirements. Regardless of the size of the entity, a covered entity could not reasonably
manage the safeguarding of customer records and information without written policies
and procedures. The safeguard rule requires covered institutions to adopt policies and
procedures “reasonably designed” to protect customer information and records.
Accordingly, the rule permits covered institutions to tailor their policies and procedures
to the institution’s particular systems, methods of information gathering, and customer
needs. Accordingly, a small institution with relatively simple policies and procedures
reflecting simple business operations would likely take less time to document those
policies and procedures than would a large institution with complex and very detailed
policies and procedures. Exempting small entities from the safeguard rule, or otherwise
changing the requirements of the rule would jeopardize the interests of investors who use
these institutions’ services, and who need the same protections as the investors who use
the services of large entities.

6. Consequences of Less Frequent Collection

The safeguard rule requires covered institutions to maintain written policies and
procedures. These policies and procedures would have to be written when first adopted
and revised only as the safeguard policies and procedures are changed. Thus, the
collection of information is required only as necessary to reflect current policies and
procedures.

7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

The safeguard rule requires covered institutions to maintain written safeguard
policies and procedures on an ongoing basis. Although this period would exceed the
three-year guideline for most kinds of records under 5 CFR 1320.5(d)(2)(iv), the staff
believes that this is warranted because the rule assists in informing and training the
institutions’ employees and contributes to the effectiveness of the Commission’s
examination and inspection program.

8. Consultation Outside the Agency

The Commission requested public comment on the information collection
requirement in the safeguard rule before it submitted this request for extension and
approval to the Office of Management and Budget. The Commission received no
comments to its request. The Commission and the staff of the Divisions of Investment
Management and Trading and Markets participate in an ongoing dialogue with
representatives of the industry through public conferences, meetings, and informal
exchanges. These various forums provide the Commission and the staff with a means of
ascertaining the magnitude of the paperwork burdens confronting the industry.

9. Payment or Gift

Not applicable.

10. Confidentiality

Not applicable.

11. Sensitive Questions

The safeguard rule does not require the collection of personally identifiable
information or Social Security Numbers.

12. Estimates of Time Burden

The safeguard rule requires each covered institution to maintain written policies
and procedures regarding the safeguarding of customer records and information. We
believe that almost all covered institutions have already documented their safeguard
policies and procedures in writing because this has been a requirement under the rule
since July 1, 2005. In addition, these institutions have a strong interest in preventing
security threats, such as identity theft or threats to their computer systems as a matter of
good business practice and state law.
We estimate that as of the end of 2015, there are 4,176 broker-dealers, 4,041
investment companies, and 11,956 investment advisers registered with the Commission,
for a total of 20,173 covered institutions. We believe that all of these covered institutions
have already documented their safeguard policies and procedures in writing and therefore
will incur no hourly burdens related to the initial documentation of policies and
procedures.
Although existing covered institutions would not incur any initial hourly burden
in complying with the safeguards rule, we expect that newly registered institutions would
incur some hourly burdens associated with documenting their safeguard policies and
procedures. We estimate that approximately 1200 broker-dealers, investment companies,
or investment advisers register with the Commission annually. However, we also expect
that approximately 70% of these newly registered covered institutions (840) 9 are
affiliated with an existing covered institution, and will rely on an organization-wide set of
previously documented safeguard policies and procedures created by their affiliates. We
estimate that these affiliated newly registered covered institutions will incur a
significantly reduced hourly burden in complying with the safeguards rule, as they will
need only to review their affiliate’s existing policies and procedures, and identify and
adopt the relevant policies for their business. Therefore, we expect that newly registered
covered institutions with existing affiliates will incur an hourly burden of approximately
15 hours in identifying and adopting safeguard policies and procedures for their business,
for a total hourly burden for all affiliated new institutions of 12,600 hours. 10 We expect
that half of this time would be incurred by inside counsel at an hourly rate of $380, and
half would be by a compliance officer at an hourly rate of $334, for a total cost of
$4,498,200. 11

9 This estimate is based on the following calculations: 1200 newly registered entities x 70% with
affiliates = 840 affiliated entities; 1200 newly registered entities - 840 affiliated entities = 360
unaffiliated new entities.

10 This estimate is based on the following calculation: 15 hours x 840 covered institutions = 12,600
hours.

11 This estimate is based on the following calculations: 12,600 hours / 2 = 6,300 hours; 6300 hours x
$380 per hour = $2,394,000; 6300 hours x $334 = $2,104,200; $2,394,000 + $2,104,200 =
$4,498,200. Hourly wages are from SIFMA's Management & Professional Earnings in the
Securities Industry 2013, modified by Commission staff to account for an 1800-hour work-year
and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead.

Finally, we expect that the 360 newly registered entities that are not affiliated with
an existing institution will incur a significantly higher hourly burden in reviewing and
documenting their safeguard policies and procedures. We expect that virtually all of the
newly registered covered entities that do not have an affiliate are likely to be small
entities and are likely to have smaller and less complex operations, with a
correspondingly smaller set of safeguard policies and procedures to document, compared
to other larger existing institutions with multiple affiliates. We estimate that it will take a
typical newly registered unaffiliated institution approximately 60 hours to review,
identify, and document their safeguard policies and procedures, for a total of 21,600
hours for all newly registered unaffiliated entities. 12 We expect that half of this time
would be incurred by inside counsel at an hourly rate of $380, and half would be by a
compliance officer at an hourly rate of $334, for a total cost of $7,711,200. 13
Therefore, we estimate that the total annual hourly burden associated with the
safeguards rule is 34,200 hours at a total hourly cost of $12,209,400. 14 We also estimate
that all covered institutions will be respondents each year, for a total of 20,173
respondents.

13. Total Annual Cost Burden

The staff estimates that the safeguard rule does not impose a material cost burden,
apart from the cost of the burden hours identified in section 12, on covered institutions.
Although these entities are likely to retain these records for as long as the institution
maintains policies and procedures, these records could be maintained electronically and,
even if maintained in hard copy, would not likely be extensive. The staff has not
estimated a capital/startup cost in connection with the recordkeeping requirements
because covered institutions would likely use existing recordkeeping systems to maintain
the required compliance records.

12 This estimate is based on the following calculation: 60 hours x 360 covered institutions = 21,600
hours.

13 This estimate is based on the following calculations: 21,600 hours / 2 = 10,800 hours; 10,800
hours x $380 per hour = $4,104,000; 10,800 hours x $334 = $3,607,200; $4,104,000 + $3,607,200
= $7,711,200.

14 This estimate is based on the following calculations: 12,600 hours for affiliated newly registered
entities + 21,600 hours for unaffiliated newly registered entities = 34,200 total hours; $4,498,200
+ $7,711,200 = $12,209,400.

14. Cost to the Federal Government

There is no cost to the federal government of administering the information
collection requirements in rule 248.30(a) under the GLBA.

15. Changes in Burden

The decrease in estimated total annual burden hours from 42,750 to 34,200 is
attributable to a decrease in the staff’s estimate of the total number of broker-dealers,
investment companies, and investment advisers that register with the Commission
annually.

16. Information Collection Planned for Statistical Purposes

Not applicable.

17. Approval to Omit the OMB Expiration Date

The Commission is not seeking approval to omit the OMB expiration date.

18. Exception to Certification Statement

Not applicable.

B. COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS

Not applicable.


File Type: application/pdf
File Modified: 2016-09-14
File Created: 2016-09-14
