REG S-ID SUPPORTING STATEMENT - new

Regulation S-ID, Identity Theft Red Flags Rules

OMB: 3235-0692

SUPPORTING STATEMENT
For the Paperwork Reduction Act Information Collection Submission for
Regulation S-ID
A. JUSTIFICATION

1. Necessity for the Information Collection

Under Regulation S-ID, 1 SEC-regulated entities are required to develop and implement
reasonable policies and procedures to identify, detect, and respond to relevant red flags (the
“Identity Theft Red Flags Rules”) and, in the case of entities that issue credit or debit cards, to
assess the validity of, and communicate with cardholders regarding, address changes.
Section 248.201 of Regulation S-ID includes the following “collection of information”
requirements for each SEC-regulated entity that qualifies as a “financial institution” or “creditor”
under Regulation S-ID and that offers or maintains covered accounts: (1) creation and periodic
updating of an identity theft prevention program (“Program”) that is approved by the board of
directors, an appropriate committee thereof, or a designated senior management employee;
(2) periodic staff reporting to the board of directors on compliance with the Identity Theft Red
Flags Rules and related Guidelines (this reporting requirement is set forth in the Guidelines and
thus is required to be considered by an entity subject to the Program requirement); 2 and
(3) training of staff to implement the Program. Section 248.202 of Regulation S-ID includes the
following “collection of information” requirements for each SEC-regulated entity that is a credit
or debit card issuer: (1) establishment of policies and procedures that assess the validity of a
change of address notification if a request for an additional or replacement card on the account
follows soon after the address change; and (2) notification of a cardholder, before issuance of an
additional or replacement card, at the previous address or through some other previously
agreed-upon form of communication, or alternatively, assessment of the validity of the address
change request through the entity’s established policies and procedures.

1

Identity Theft Red Flags, Investment Company Act Release No. 30456 (Apr. 10, 2013)
(“Adopting Release”); Identity Theft Red Flags, Investment Company Act Release No. 29969
(Feb. 28, 2012) [77 FR 13450 (Mar. 6, 2012)] (“Proposing Release”). Regulation S-ID includes
section 248.201 (“Duties regarding the detection, prevention, and mitigation of identity theft”),
section 248.202 (“Duties of card issuers regarding change of address”), and Appendix A
(“Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation”) (the
“Guidelines”).

2

Under section 248.201(f) of Regulation S-ID, each entity that is required to implement an identity
theft red flags program under section 248.201 must consider the Guidelines and incorporate them
into its program, as appropriate.

2. Purpose and Use of the Information Collection

Regulation S-ID, including the information collection requirements thereunder, is
designed to better protect investors from the risks of identity theft. The regulation requires
entities that are subject to the Commission’s jurisdiction to address identity theft in two ways.
First, the Identity Theft Red Flags Rules and related Guidelines require financial institutions and
creditors that offer or maintain certain accounts to develop and implement a written identity theft
prevention program designed to detect, prevent, and mitigate identity theft in connection with
existing accounts or the opening of new accounts. Second, Regulation S-ID establishes special
requirements for credit and debit card issuers that are subject to the Commission’s jurisdiction, to
assess the validity of notifications of changes of address under certain circumstances.

3. Consideration Given to Information Technology

The Commission’s Electronic Data Gathering, Analysis and Retrieval System
(“EDGAR”) provides for the automated filing, processing, and dissemination of full disclosure
filings. The automation provides for speed, accuracy, and public availability of information,
generating benefits to investors and financial markets. While EDGAR currently is limited to
disclosure and fund deregistration filings, EDGAR may be used in the future to obtain other
types of information from sources outside the Commission. The Electronic Signatures in Global
and National Commerce Act (15 U.S.C. 7001) and the conforming amendments to
recordkeeping rules under the Investment Company Act of 1940 (15 U.S.C. 80a) permit funds to
maintain records electronically.

4. Duplication

In adopting Regulation S-ID, the Commission sought to avoid duplication of
requirements imposed under other agencies’ rules. For example, Regulation S-ID is limited to
entities under the Commission’s jurisdiction, and although substantially similar to regulations
issued in 2007 by the Federal Trade Commission, the federal banking agencies, and the National
Credit Union Association (collectively, the “Agencies”), does not apply to entities regulated by
other agencies. 3 In addition, the Program required under Regulation S-ID may be integrated into
other identity theft prevention or privacy programs that the financial institution or creditor may
already have.

5. Effect on Small Entities

The information collection requirements of Regulation S-ID apply to all covered entities
subject to the SEC’s jurisdiction, including those that are small entities. The information
collection requirements of Regulation S-ID are necessary to help further the investor protection
goals of this regulation, and the Commission therefore believes that imposing different
requirements on smaller entities would not be consistent with investor protection and the
purposes of Regulation S-ID.

3

See Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit
Transactions Act of 2003, 72 FR 63718 (Nov. 9, 2007) (“2007 Adopting Release”). In addition,
the Commodity Futures Trading Commission (“CFTC”) adopted rules for the entities it regulates
at the same time the Commission adopted Regulation S-ID. See Adopting Release, supra note 1.

6. Consequences of Not Conducting Collection

Less frequent collection would not be consistent with the Commission’s investor
protection objectives.

7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

None.

8. Consultation Outside the Agency

Regulation S-ID was jointly adopted with the CFTC’s rules on identity theft red flags.
The Commission also consulted with the Agencies, which earlier adopted substantially similar
rules, in crafting Regulation S-ID. In addition, the Commission and its staff participate in an
ongoing dialogue with representatives of the fund industry through public conferences, meetings,
and informal exchanges. These various forums provide the Commission and the staff with a
means of ascertaining and acting upon paperwork burdens confronting the industry.
The Commission requested public comment on the information collection requirement
with respect to Regulation S-ID before submitting this request for extension to the Office of
Management and Budget. The Commission received no comments in response to its request.

9. Payment or Gift

Not applicable.

10. Confidentiality

Not applicable.

11. Sensitive Questions

No information of a sensitive nature, including social security numbers, will be required
under this collection of information. The information collection does not collect personally
identifiable information (PII). The agency has determined that a system of records notice
(SORN) and privacy impact assessment (PIA) are not required in connection with the collection
of information.

12. Burden of Information Collection

The following estimates of average burden hours and costs are made solely for purposes
of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) and are not derived from a
quantitative, comprehensive, or even representative survey or study of the burdens associated
with Commission rules and forms. Compliance with Regulation S-ID is mandatory for each
SEC-regulated entity that qualifies as a “financial institution” or “creditor” under Regulation
S-ID, and certain collections of information under Regulation S-ID are mandatory for financial
institutions or creditors that offer or maintain covered accounts.
SEC staff estimates of time and cost burdens represent the one-time burden of complying
with Regulation S-ID for newly-formed SEC-regulated entities and the ongoing costs of
compliance for all SEC-regulated entities. 4 Staff estimates also attribute all burdens to entities
that are directly subject to the requirements of the rulemaking. An entity directly subject to
Regulation S-ID that outsources activities to a service provider is, in effect, shifting to that
service provider the burden that it would otherwise have carried itself. Under these
circumstances, the burden is, by contract, shifted from the entity that is directly subject to
Regulation S-ID to the service provider, but the total amount of burden is not increased. Thus,
service provider burdens are already included in the burden estimates provided for entities that
are directly subject to Regulation S-ID. The time and cost estimates made here are based on
conversations with industry representatives and on a review of comments received on Regulation
S-ID when it was proposed, as well as the estimates made in the regulatory analyses of the
identity theft red flags rules previously issued by the Agencies.

4

Based on discussions with industry representatives and a review of applicable law, SEC staff
expects that, of the SEC-regulated entities that fall within the scope of Regulation S-ID, most
broker-dealers, many investment companies (including almost all open-end investment
companies and employees’ securities companies (“ESCs”)), and some registered investment
advisers will likely qualify as financial institutions or creditors. Staff expects that other
SEC-regulated entities described in the scope section of Regulation S-ID, such as business
development companies, transfer agents, nationally recognized statistical rating organizations,
self-regulatory organizations, and clearing agencies may be less likely to be financial institutions
or creditors as defined in the rules, and therefore we do not include these entities in our estimates.

§ 248.201 (duties regarding detection, prevention, and mitigation of identity theft)
The collections of information required by section 248.201 apply to SEC-regulated
entities that are financial institutions or creditors. 5

5

§ 248.201(a).

Initial Burden
All newly-formed financial institutions and creditors would be required to conduct an
initial assessment of covered accounts, which SEC staff estimates would entail a one-time
burden of 2 hours. Staff estimates that this burden would result in a cost of $802 to each
newly-formed financial institution or creditor. 6 To the extent a financial institution or creditor
offers or maintains covered accounts, SEC staff estimates that the financial institution or creditor
also would incur a one-time burden of 25 hours to develop and obtain board approval of a
Program, and a one-time burden of 4 hours to train the financial institution’s or creditor’s staff,
for a total of 29 additional burden hours. Staff estimates that these burdens would result in
additional costs of $14,266 for each financial institution or creditor that offers or maintains
covered accounts. 7
SEC staff estimates that approximately 613 SEC-regulated financial institutions and
creditors are newly formed each year. 8 Each of these 613 entities will need to conduct an initial
assessment of covered accounts, for a total of 1,226 hours at a total cost of $491,626. 9 Of these
613 entities, staff estimates that approximately 90% (or 552) maintain covered accounts. 10
Accordingly, staff estimates that the additional initial burden for SEC-regulated entities that are
likely to qualify as financial institutions or creditors and maintain covered accounts is 16,008
hours at an additional cost of $7,874,832. 11 Thus, the total initial estimated burden for all
newly-formed SEC-regulated entities is 17,234 hours at a total estimated cost of $8,366,458. 12

6

This estimate is based on the following calculation: 2 hours x $401 (hourly rate for internal
counsel) = $802. See infra note 7 (discussing the methodology for estimating the hourly rate for
internal counsel).

7

SEC staff estimates that, of the 29 hours incurred to develop and obtain board approval of a
Program and train the financial institution’s or creditor’s staff, 10 hours will be spent by internal
counsel at an hourly rate of $401, 17 hours will be spent by administrative assistants at an hourly
rate of $78, and 2 hours will be spent by the board of directors as a whole at an hourly rate of
$4,465. Thus, the estimated $13,858 in additional costs is based on the following calculation: (10
hours x $401 = $4,010) + (17 hours x $78 = $1,326) + (2 hours x $4,465 = $8,930) = $14,266.
The cost estimate for internal counsel is derived from SIFMA’s Management & Professional
Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and
multiplied by 5.35 to account for bonuses, entity size, employee benefits, and overhead, and
adjusted for inflation. The cost estimate for administrative assistants is derived from SIFMA’s
Office Salaries in the Securities Industry 2013, modified to account for an 1800-hour work-year
and multiplied by 2.93 to account for bonuses, entity size, employee benefits, and overhead, and
adjusted for inflation. The cost estimate for the board of directors is derived from estimates made
by SEC staff regarding typical board size and compensation that is based on information received
from fund representatives and publicly-available sources, and adjusted for inflation.

8

Based on a review of new registrations typically filed with the SEC each year, SEC staff
estimates that approximately 1,218 investment advisers, 109 broker dealers, 96 investment
companies, and 2 ESCs typically apply for registration with the SEC or otherwise are newly
formed each year, for a total of 1,425 entities that could be financial institutions or creditors. Of
these, staff estimates that all of the investment companies, ESCs, and broker-dealers are likely to
qualify as financial institutions or creditors, and 33% of investment advisers (or 406) are likely to
qualify. See Adopting Release, supra note 1, at n.190 (discussing the staff’s analysis supporting
its estimate that 33% of investment advisers are likely to qualify as financial institutions or
creditors). We therefore estimate that a total of 613 total financial institutions or creditors will
bear the initial one-time burden of assessing covered accounts under Regulation S-ID.

9

These estimates are based on the following calculations: 613 entities x 2 hours = 1,226 hours;
613 entities x $802 = $491,626.

10

In the Proposing Release, the SEC requested comment on the estimate that approximately 90% of
all financial institutions and creditors maintain covered accounts; the SEC received no comments
on this estimate.

11

These estimates are based on the following calculations: 552 financial institutions and creditors
that maintain covered accounts x 29 hours = 16,008 hours; 552 financial institutions and creditors
that maintain covered accounts x $14,266 = $7,874,832.

12

These estimates are based on the following calculations: 1,226 hours + 16,008 hours = 17,234
hours; $491,626 + $7,874,832 = $8,366,458.

Ongoing Burden
Each financial institution and creditor would be required to conduct periodic assessments
to determine if the entity offers or maintains covered accounts, which SEC staff estimates would
entail an annual burden of 1 hour per entity. Staff estimates that this burden would result in an
annual cost of $401 to each financial institution or creditor. 13 To the extent a financial institution
or creditor offers or maintains covered accounts, staff estimates that the financial institution or
creditor also would incur an annual burden of 2.5 hours to prepare and present an annual report
to the board, and an annual burden of 7 hours to periodically review and update the Program
(including review and preservation of contracts with service providers, as well as review and
preservation of any documentation received from service providers). Staff estimates that these
burdens would result in additional annual costs of $7,874 for each financial institution or creditor
that offers or maintains covered accounts. 14

13

This estimate is based on the following calculation: 1 hour x $401 (hourly rate for internal
counsel) = $401. See supra note 7 (discussing the methodology for estimating the hourly rate for
internal counsel).

SEC staff estimates that there are 9,922 SEC-regulated entities that are either financial
institutions or creditors, and that all of these will be required to periodically review their
accounts to determine if they offer or maintain covered accounts, for a total of 9,922 hours for
these entities at a total cost of $3,978,722. 15 Of these 9,922 entities, staff estimates that
approximately 90 percent, or 8,930, maintain covered accounts, and thus will need the additional
burdens related to complying with the rules. 16 Accordingly, staff estimates that the additional
annual burden for SEC-regulated entities that qualify as financial institutions or creditors and
maintain covered accounts is 84,835 hours at an additional cost of $70,314,820. 17 Thus, the total
estimated ongoing annual burden for all SEC-regulated entities is 94,757 hours at a total
estimated annual cost of $74,293,542. 18

14

Staff estimates that, of the 9.5 hours incurred to prepare and present the annual report to the board
and periodically review and update the Program, 8.5 hours will be spent by internal counsel at an
hourly rate of $401, and 1 hour will be spent by the board of directors as a whole at an hourly rate
of $4,465. Thus, the estimated $7,874 in additional annual costs is based on the following
calculation: (8.5 hours x $401 = $3,409) + (1 hour x $4,465 = $4,465) = $7,874. See supra note 7
(discussing the methodology for estimating the hourly rate for internal counsel and the board of
directors).

15

Based on a review of entities that the SEC regulates, SEC staff estimates that, as of September 1,
2018, there are approximately 13,181 investment advisers, 3,839 broker-dealers, 1,589 active
open-end investment companies, and 100 ESCs. Of these, staff estimates that all of the
broker-dealers, open-end investment companies and ESCs are likely to qualify as financial
institutions or creditors. We also estimate that approximately 33% of investment advisers, or
4,394 investment advisers, are likely to qualify. See Adopting Release, supra note 1, at n.190
(discussing the staff’s analysis supporting its estimate that 33% of investment advisers are likely
to qualify as financial institutions or creditors). We therefore estimate that a total of 9,922
financial institutions or creditors will bear the ongoing burden of assessing covered accounts
under Regulation S-ID. (The SEC staff estimates that the other types of entities that are covered
by the scope of the SEC’s rules will not be financial institutions or creditors and therefore will not
be subject to the rules’ requirements.)
The estimates of 9,922 hours and $3,784,800 are based on the following calculations: 9,922
financial institutions and creditors x 1 hour = 9,922 hours; 9,922 financial institutions and
creditors x $401 = $3,978,722.

§ 248.202 (duties of card issuers regarding changes of address).
The collections of information required by section 248.202 will apply only to
SEC-regulated entities that issue credit or debit cards. 19 SEC staff understands that
SEC-regulated entities generally do not issue credit or debit cards, but instead partner with other
entities, such as banks, that issue cards on their behalf. These other entities, which are not
regulated by the SEC, are already subject to substantially similar change of address obligations
pursuant to the Agencies’ identity theft red flags rules. Therefore, staff does not expect that any
SEC-regulated entities will be subject to the information collection requirements of
section 248.202, and accordingly, staff estimates that there is no hour or cost burden for
SEC-regulated entities related to section 248.202.

16

See supra note 10 and accompanying text. If a financial institution or creditor does not maintain
covered accounts, there would be no ongoing annual burden for purposes of the PRA.

17

These estimates are based on the following calculations: 8,930 financial institutions and creditors
that maintain covered accounts x 9.5 hours = 84,835 hours; 8,930 financial institutions and
creditors that maintain covered accounts x $7,874 = $70,314,820.

18

These estimates are based on the following calculations: 9,922 hours + 84,835 hours = 94,757
hours; $3,978,722 + $70,314,820 = $74,293,542.

19

§ 248.202(a).

As displayed in the table below, we estimate the total annual burden for all SEC-regulated
entities is 111,991 hours at a total annual cost of $82,660,000.

Table: Summary of Annual Responses, Burden Hours, and Burden Hour Costs Estimates
for Each Regulation S-ID Information Collection (“IC”)

IC | Regulation S-ID IC Description | No. of Responses | Burden Hours | Burden Hour Costs
IC1 | Initial Burden for Newly-Formed SEC-Regulated Entities | 613 (of which 552 maintain covered accounts) | 17,234 | $8,366,458
IC2 | Ongoing Burden for All SEC-Regulated Entities | 9,922 (of which 8,930 maintain covered accounts) | 94,757 | $74,293,542
Totals for all ICs | | 10,535 (of which 9,482 maintain covered accounts) | 111,991 | $82,660,000

13. Cost to Respondents

The rule is not estimated to impose any burdens other than those discussed in Item 12
above.

14. Cost to the Federal Government

The rule does not impose any additional costs on the federal government.

15. Changes in Burden

The estimated total annual burden hours decreased 1,235 hours, from 113,226 hours to
111,991 hours. This change in burden hours is primarily attributable to changes in the staff’s
estimates of the number of entities that could be financial institutions or creditors.

16. Information Collection Planned for Statistical Purposes

Not applicable.

17. Approval to Omit OMB Expiration Date

Not applicable.

18. Exceptions to Certification Statement for Paperwork Reduction Act Submission

Not applicable.

B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS

Not applicable.


File Type: application/pdf
File Modified: 2019-05-23
File Created: 2019-05-23
