2018 SP Supporting Statement

Regulation S-P; Privacy of consumer financial information (17 CFR Part 248)

OMB: 3235-0537

SUPPORTING STATEMENT
for the Paperwork Reduction Act Information Collection Submission for
Regulation S-P
A. JUSTIFICATION
1. Necessity of Information Collection

Subtitle A of Title V of the Gramm-Leach-Bliley Act (“GLBA”), captioned Disclosure of
Nonpublic Personal Information (“Title V”), limits the instances in which a financial institution
may disclose nonpublic personal information about a consumer to nonaffiliated third parties, and
requires a financial institution to disclose to all of its customers the institution’s privacy policies
and practices with respect to information sharing with both affiliates and nonaffiliated third
parties. Title V also required the Securities and Exchange Commission (“SEC”), together with
the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve
System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, the
Secretary of the Treasury, the National Credit Union Administration, and the Federal Trade
Commission (collectively the “other agencies”), in consultation with representatives of State
insurance authorities designated by the National Association of Insurance Commissioners, to
prescribe regulations necessary to carry out the purposes of Title V.
SEC representatives participated with representatives from the other agencies in drafting
rules to implement Title V. As required by the GLBA, the rules adopted by the SEC, now
codified as Regulation S-P, are, to the extent possible, consistent with and comparable to the
rules adopted by the other agencies. Regulation S-P, which applies to broker-dealers, investment
companies, and federally registered investment advisers (“covered entities”), contains rules of
general applicability that are substantially similar to the rules adopted by the other agencies. See
Release Nos. 34-42974, IC-24543, IA-1883 (June 22, 2000), 65 FR 40333 (June 29, 2000).
Regulation S-P implements the requirements of Title V of the GLBA, which include the
requirement that at the time of establishing a customer relationship with a consumer and not less
than annually during the continuation of such relationship, a financial institution shall provide a
clear and conspicuous disclosure to such consumer of such financial institution’s policies and
practices with respect to disclosing nonpublic personal information to affiliates and nonaffiliated
third parties (“privacy notice”). Title V of the GLBA also provides that, unless an exception
applies, a financial institution may not disclose nonpublic personal information of a consumer to
a nonaffiliated third party unless the financial institution clearly and conspicuously discloses to
the consumer that such information may be disclosed to such third party; the consumer is given
the opportunity, before the time that such information is initially disclosed, to direct that such
information not be disclosed to such third party; and the consumer is given an explanation of
how the consumer can exercise that nondisclosure option (“opt out notice”).
The privacy notices required by Regulation S-P are mandatory. The opt out notices are
not mandatory for financial institutions that do not share nonpublic personal information with
nonaffiliated third parties except as permitted under one of Regulation S-P’s exceptions from the
opt out requirements. The provisions of Regulation S-P implementing the GLBA’s privacy
notice and opt out notice requirements (the “Rule”) apply to broker-dealers, SEC-registered
investment advisers, and investment companies (“covered entities”).
In 2004, the SEC amended Regulation S-P to implement the provision in section 216 of
the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) requiring proper disposal
of consumer report information and records. Section 216 of the FACT Act directed the SEC and
other federal agencies to adopt regulations requiring that any person who maintains or possesses
consumer report information or any compilation of consumer report information derived from a
consumer report for a business purpose must properly dispose of the information. The
amendments also required the safeguard policies and procedures required by Regulation S-P to
be in writing. The SEC submitted this proposed, separate collection of information to the OMB
for review in accordance with 44 U.S.C. 3507(d) and 5 CFR 1320.11 (see Release Nos. 34–
50781, IA–2332, IC–26685 (December 2, 2004), 69 FR 71321, 71326 (December 8, 2004)) and
the collection was approved, with an expiration date of November 30, 2007, and most recently
renewed with an expiration date of October 31, 2016, under OMB Control No. 3235-0610.
In 2009, the SEC amended Regulation S-P to, together with seven other federal agencies,
adopt a model privacy form designed to make it easier for consumers to understand how financial
institutions collect and share their personal financial information and to compare different
institutions’ information practices. Covered entities that customize the two-page form consistent
with its instructions may rely on their use of the form as a safe harbor to comply with the Rule’s
notice requirements.
2. Purpose and Use of the Information Collection

The Rule implements provisions of Title V of the GLBA, which, as explained above,
require the provision to consumers of privacy and opt out notices. The notices describe covered
entities’ information-sharing practices and inform consumers of their right to opt out of certain of
these practices. Although the notices are not provided to the SEC, the SEC uses copies of the
notices and records of their having been provided to consumers in its examinations and
investigations of covered entities to monitor their compliance with the consumer financial
privacy requirements of the GLBA and Regulation S-P.
3. Consideration Given to Information Technology

The Rule allows for the provision of privacy and opt out notices by electronic means. In
addition, as noted above, in 2009 the SEC adopted a two-page model privacy form that covered
entities may customize and use to comply with the Rule’s notice requirements. The SEC has
made the model privacy form available on its website as a template, and has provided a link on
its website to an online model privacy form builder, which should reduce the burden on covered
entities of ensuring that their privacy and opt out notices comply with the Rule’s requirements.

4. Duplication

In a release entitled Registration of Broker-Dealers Pursuant to Section 15(b)(11) of the
Securities Exchange Act of 1934, Release No. 34-44730 (Aug. 21, 2001), 66 FR 45137 (Aug. 27,
2001), the SEC adopted amendments to Regulation S-P in light of Section 124 of the Commodity
Futures Modernization Act (“CFMA”), which makes the privacy provisions of the GLBA
applicable to activity regulated by the Commodity Futures Trading Commission (“CFTC”).
These amendments permit CFTC-regulated futures commission merchants and introducing
brokers that are registered by notice as broker-dealers to comply with Regulation S-P by
complying with the CFTC’s financial privacy rules.
5. Effect on Small Entities

The burden of the Rule’s requirements on smaller covered entities should be minimized
by the SEC’s provision of a model privacy form and a link on its website to an online model
privacy form builder. In addition, the SEC’s website provides a small entity compliance guide
prepared by SEC staff, which should help smaller covered entities make use of the model privacy
form.
6. Consequences of Not Conducting Collection

The information collection associated with the Rule involves not a reporting burden, but a
third-party disclosure burden. Covered entities are required by the GLBA and the Rule to
provide privacy notices to their customers not less frequently than annually, and to ensure that
their privacy notices are accurate, which may require a covered entity to provide revised privacy
notices if it changes its privacy policies or practices. Covered entities are also required to
provide opt out notices to their consumers before making certain types of disclosures of
nonpublic personal information about a consumer to a nonaffiliated third party. These are
statutory requirements, and a covered entity would fail to comply with them if it failed to provide
to its consumers privacy notices and opt out notices when required by the GLBA and the Rule.
7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

There are no special circumstances. This collection is consistent with the guidelines in 5
CFR 1320.5(d)(2).
8. Consultations Outside the Agency

The required Federal Register notice with a 60-day comment period soliciting comments
on this collection of information was published. No public comments were received.
9. Payment or Gift
No payment or gift is provided to respondents.

10. Confidentiality
No assurance of confidentiality is provided.
11. Sensitive Questions
No questions of a sensitive nature are asked. The information collection does not collect
any Personally Identifiable Information (PII).
12. Burden of Information Collection
SEC staff estimates that, as of March 31, 2018, the Rule’s information collection burden
applies to approximately 20,465 covered entities (approximately 3,857 broker-dealers, 12,643
SEC-registered investment advisers, and 3,965 investment companies). In view of (a) the
minimal recordkeeping burden imposed by the Rule (since the Rule has no recordkeeping
requirement and records relating to customer communications already must be made and retained
pursuant to other SEC rules); (b) the summary fashion in which information must be provided to
customers in the privacy and opt out notices required by the Rule (the model privacy form
adopted by the SEC and the other agencies in 2009, designed to serve as both a privacy notice
and an opt out notice, is only two pages); (c) the availability to covered entities of the model
privacy form and online model privacy form builder; and (d) the experience of covered entities’
staff with the notices, SEC staff estimates that covered entities will each spend an average of
approximately 12 hours per year complying with the Rule, for a total of approximately 245,580
annual third-party disclosure burden-hours (12 x 20,465 = 245,580). SEC staff understands that
the vast majority of covered entities deliver their privacy and opt out notices with other
communications such as account opening documents and account statements. Because the other
communications are already delivered to consumers, adding a brief privacy and opt out notice
should not result in added costs for processing or for postage and materials. Also, privacy and
opt out notices may be delivered electronically to consumers who have agreed to electronic
communications, which further reduces the costs of delivery. Because SEC staff assumes that
most paper copies of privacy and opt out notices are combined with other required mailings, the
burden-hour estimates above are based on resources required to integrate the privacy and opt out
notices into another mailing, rather than on the resources required to create and send a separate
mailing. SEC staff estimates that, of the estimated 12 annual third-party disclosure burden-hours
incurred, approximately 8 hours would be spent by administrative assistants at an hourly rate of
$82 and approximately 4 hours would be spent by internal counsel at an hourly rate of $422 for a
total annualized internal cost of compliance of $2,344 for each of the covered entities (8 x $82 =
$656; 4 x $422 = $1,688; $656 + $1,688 = $2,344). Hourly compliance cost estimates for
administrative assistant time are derived from the Securities Industry and Financial Markets
Association’s Office Salaries in the Securities Industry 2013, modified by SEC staff to account
for an 1,800-hour work-year and multiplied by 2.93 to account for bonuses, firm size, employee
benefits and overhead. Hourly compliance cost estimates for internal counsel time are derived
from the Securities Industry and Financial Markets Association’s Management & Professional
Earnings in the Securities Industry 2013, modified by SEC staff to account for an 1,800-hour
work-year and multiplied by 5.35 to account for bonuses, firm size, employee benefits, and
overhead. Accordingly, SEC staff estimates that the total annualized internal cost of compliance
for the estimated total hour burden for the approximately 20,465 covered entities subject to the
Rule is approximately $47,969,960 ($2,344 x 20,465 = $47,969,960).
13. Costs to Respondents
The information collection is not estimated to impose any burdens other than those
discussed in item 12 above.
14. Costs to Federal Government
The information collection does not impose any additional costs on the Federal
government.
15. Changes in Burden
The 7,068-hour increase in estimated total annual burden-hours was due to an increase in
the estimated number of respondents. In 2015, SEC staff estimated the total annual burden-hours
at approximately 238,512, calculated using an estimated average of 12 burden-hours for each
covered entity and an estimated 19,876 covered entities (12 x 19,876 = 238,512). The current
estimate of approximately 245,580 annual burden-hours results from using the same estimated
average of 12 burden hours for each covered entity and a higher estimated number of respondents
of 20,465 (12 x 20,465 = 245,580); and the result is an increase of 7,068 in estimated total annual
burden-hours (245,580 - 238,512 = 7,068).
16. Information Collection Planned for Statistical Purposes
Not applicable. The information collection is not used for statistical purposes.
17. Approval to Omit OMB Expiration Date
The Commission is not seeking approval to omit the expiration date.
18. Exceptions to Certification for Paperwork Reduction Act Submissions
This collection complies with the requirements in 5 CFR 1320.9.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
This collection does not involve statistical methods.


File Type: application/pdf
File Modified: 2018-12-12
File Created: 2018-12-12
