SUPPORTING STATEMENT
PROCEDURES FOR MONITORING BANK PROTECTION ACT COMPLIANCE
(OMB No. 3064‑0095)
INTRODUCTION
The FDIC is requesting OMB approval of a three‑year extension, without change, of the collection of information entitled “ Procedures for Monitoring Bank Protection Act Compliance This collection is imposed on insured nonmember banks as a result 12 CFR Part 326, subpart A ‑‑ MINIMUM SECURITY DEVICES AND PROCEDURES FOR INSURED NONMEMBER BANKS.
A. JUSTIFICATION
1. Circumstances and Need
The Bank Protection Act of 1968 (12 USC 1881‑1884) requires each Federal supervisory agency to promulgate rules establishing minimum standards for security devices and procedures to discourage financial crime and to assist in the identification of persons who commit such crimes.
To avoid the necessity of constantly updating a technology‑based regulation, the FDIC takes a flexible approach to implementing this statute. It requires each insured nonmember bank to designate a security officer who will administer a written security program. The security program shall: (1) establish procedures for opening and closing for business and for safekeeping valuables; (2) establish procedures that will assist in identifying persons committing crimes against the bank; (3) provide for initial and periodic training of employees in their responsibilities under the security program; and (4) provide for selecting, testing, operating and maintaining security devices as prescribed in the regulation. In addition, the FDIC requires the security officer to report at least annually to the bank's board of directors on the effectiveness of the security program.
2. Use of Information Collected
The information is used by FDIC bank examiners to assure that insured nonmember banks comply with 12 CFR 326, which implements the Bank Protection Act of 1968, and to review bank security programs.
3. Use of Technology to Reduce Burden
The FDIC has created an interactive Website, FDICconnect, between FDIC insured institutions and the FDIC. All PRA collections are reviewed to determine if converting to electronic collection is cost beneficial. In this case, however, updates to the written security program and training materials are not required to be submitted to the FDIC. Institutions need only maintain the records for review during on-site examinations and, therefore, may use technology to the extent deemed feasible and appropriate to maintain and update the required documents.
4. Efforts to Identify Duplication
The information is collected from insured nonmember banks and does not duplicate information available within other government agencies nor in other FDIC collections.
5. Minimizing the Burden on Small Banks
The establishment of a written security program and developing training materials are one‑time requirements. Updating and maintaining the program and training materials should not involve more than a minimal burden.
6. Consequences of Less Frequent Collection
The only periodic recordkeeping requirement is the security officer's annual report to the board of directors, the completion of which is in most cases a small burden. Less frequent reporting would create a risk of inadequate security systems in insured nonmember banks.
7. Circumstances Inconsistent with 5 CFR 1320.6
The recordkeeping requirements of 12 CFR 326 are not inconsistent with 5 CFR 1320.6.
8. Consultation with Persons Outside the FDIC
On January 25, 2022, FDIC published a Federal Register notice seeking public comment for a 60-day period (87 FR 3806). No comments were received.
9. Payment or Gift to Respondents
None.
Confidentiality
All information required by this recordkeeping is retained by the bank for review by FDIC bank examiners. Information obtained thereby would be exempt from public disclosure under the Freedom of Information Act, 5 USC §552(b)(8).
11. Information of a Sensitive Nature
No information of a sensitive nature is collected.
12. Estimate of Annual Burden
The FDIC estimates that the annual recordkeeping burden of approximately 3,200 FDIC supervised institutions will vary, depending on the size, complexity, and type of bank. FDIC believes that the recordkeeping requirement in Section 326, subpart A would pose an implementation burden for new FDIC-supervised depository institutions and for those depository institutions that have undergone a significant change in structure due to mergers. The FDIC assumes a lesser ongoing burden for FDIC-supervised IDIs that have previously developed a security program and are merely revising said programs due to changed operational circumstances.
The burden is estimated as follows:
Table 1. Summary of Estimated Annual Burdens (OMB No. 3064-0095) |
||||||
IC Description |
Type of Burden (Obligation to Respond) |
Frequency of Response |
Number of Respondents |
Number of Responses per Respondent |
Hours per Response |
Annual Burden (Hours) |
Implementation Burden: |
||||||
Bank Protection Act Compliance Program – Institutions with an Asset Size Less than $500 million |
Recordkeeping (Mandatory) |
Annually |
35 |
1 |
50 |
1,750 |
Bank Protection Act Compliance Program – Medium-Sized Institutions ($500 million - $10 billion) |
Recordkeeping (Mandatory) |
Annually |
57 |
1 |
300 |
17,100 |
Bank Protection Act Compliance Program – Large Institutions (Over $10 billion) |
Recordkeeping (Mandatory) |
Annually |
12 |
1 |
500 |
6,000 |
Ongoing Burden: |
||||||
Bank Protection Act Compliance Program – Routine Revisions |
Recordkeeping (Mandatory) |
Annually |
2,880 |
1 |
5 |
14,400 |
Bank Protection Act Compliance Program – Significant Revisions |
Recordkeeping (Mandatory) |
Annually |
320 |
1 |
35 |
11,200 |
Total Annual Burden Hours: |
50,450 |
|||||
Source: FDIC. |
||||||
Estimated Number of Respondents.
Based on supervisory experience, the FDIC believes that the implementation burden for this information collection is directly related to the asset size of the FDIC-supervised institution (IDI). Accordingly, FDIC splits the estimated number of respondents into three groups: small, medium and large institutions based on whether the IDI’s asset size is: less than $500 million (small institutions), between $500 million and $10 billion (medium-sized institutions), or over $10 billion (large institutions). Using supervisory data, determined the number of new FDIC-supervised IDIs in the years 2018, 2019, and 2020 to be 8, 12, and 6, respectively. Based on the asset value reported on the earliest available Call Report data for each new FDIC-supervised IDI, all 26 institutions were institutions with an asset size less than $500 million. Thus, the average number of new FDIC-supervised IDIs over the three years is equal to 26 total institutions divided by three, or approximately nine institutions per year after rounding. Further, the implementation burden could also be borne by entities that have recently merged. Using supervisory data, FDIC determined the number of mergers1 that resulted in FDIC-supervised institutions in the years 2018, 2019, and 2020. The number of mergers resulting in FDIC-supervised institutions with an asset size less than $500 million in the years 2018, 2019, and 2020, were 28, 28, and 21, respectively, with an average of 26 (after rounding) over the three-year period. The number of mergers resulting in medium-sized FDIC-supervised institutions in the years 2018, 2019, and 2020, were 61, 64, 44, respectively, with an average of 57 (after rounding) over the three-year period. For large FDIC-supervised institutions, the counts for the years 2018, 2019, and 2020, are 11, 15, and 8, respectively, with an average of 12 (after rounding) over the three year-period. Thus, for this ICR, FDIC estimates respondent counts of 35 institutions with an asset size less than $500 million (26 + 9), 57 medium-sized institutions, and 12 large institutions. These are likely conservative estimates because an FDIC-supervised institution that is in the same asset size category as the related merging institutions may not incur an implementation burden.
Based on supervisory experience, the FDIC believes that the ongoing burden is related to the extent of the revisions to the security program that institutions make each year. The FDIC splits the estimated number of respondents into two groups depending on whether an IDI is assumed to make routine revisions to its security program, or significant revisions (e.g., when the IDI updates the security procedures and the security program after opening new branches, after adding ATMs in non-bank locations such as grocery stores, etc.). The FDIC assumes that approximately 90 percent of FDIC-supervised IDIs would make routine revisions, while the remaining ten percent would make significant revisions. For the estimated number of respondents for the ongoing burden, FDIC uses the counts of institutions the FDIC supervises from the most recent data and uses 2,880 (or 90 percent of 3,200 FDIC-supervised IDIs) for institutions that make routine revisions to the security program, and 320 (ten percent of 3,200) for institutions that make significant revisions.2
Overall, the total estimated number of respondents for this ICR, 3,200, represents a decrease of 333 respondents from the 2019 ICR estimate. The change in the estimated number of respondents reflects the drop in the number of FDIC-supervised IDIs in recent years.
Frequency of Responses and Estimated Responses per Respondent.
Part 326 requires that the security officer report, at least annually, to the bank's board of directors on the implementation, administration, and effectiveness of the security program. FDIC supervisory experience confirms that each FDIC-supervised institution’s board of directors receives one annual report from the security officer, pursuant to the requirements in Section 326, subpart A. Accordingly, FDIC uses one as the estimated annual number of responses per respondent.
Estimated Time per Response,
In the 2019 ICR, the FDIC estimated that each FDIC-supervised IDI would take approximately 0.5 hours per response to respond to the recordkeeping requirements in Part 326. Based on supervisory experience, the FDIC is adjusting its estimate of the “Time per Response” for the implementation burden that new FDIC-supervised IDIs could incur to be 50 hours for institutions with an asset size less than $500 million, 300 hours for medium-sized institutions, and 500 hours for large institutions. The FDIC is also adjusting its estimate of the “Time per Response” for the ongoing burden FDIC-supervised IDIs that make routine revisions to the security program could incur to be five hours, and 35 hours for IDIs that make significant revisions.
The estimated annual burden for each line item in this IC, in hours, is the product of the estimated number of respondents per year, number of responses per respondent per year, and the hours per response, as summarized in Table 1 above. The total estimated annual burden for this information collection is 50,450 hours, which is 48,683 hours higher than the previously approved IC of 1,767 hours. As the estimated number of respondents in this ICR decreased from the 2019 ICR, the change in the total estimated annual burden hours can be attributed to the increase in the estimated time per response.
Total Estimated Hourly Labor Compensation Rates
To estimate the weighted average hourly cost of compensation, FDIC uses the 75th percentile hourly wages reported by the BLS National Industry-Specific Occupational Employment and Wage Estimates for the relevant occupations in the Depository Credit Intermediation sector, as of May 2020.3
The reported hourly wage rates do not include non-monetary compensation. According to the June 2021 Employer Cost of Employee Compensation data, compensation rates for health and other benefits are 33.3 percent of total compensation. To account for non-monetary compensation, FDIC divides the hourly wage rates reported by BLS by (1 – 0.333).4 FDIC also adjusts the hourly wage by 5.97 percent based on changes in the Consumer Price Index for Urban Consumers (CPI-U) from May 2020 to June 2021 to account for inflation and ensure that the wage information is contemporaneous with the non-monetary compensation statistic.5
After calculating these adjustments, FDICI weights the total hourly compensation for the two occupations shown in the table, using FDIC’s estimated allocation of labor for each IC to find the estimated hourly cost of complying with this ICR.6
Table 2: Summary of Hourly Burden Cost Estimate (OMB No. 3064-0095) |
|||
Estimated Category of Personnel Responsible for Complying with the PRA Burden |
Total Estimated Hourly Compensation |
Estimated Weights |
Weighted Hourly Compensation |
Compliance Officer7 |
$69.38 |
95% |
$65.91 |
Clerical8 |
$35.62 |
5% |
$1.78 |
Weighted Average |
|
100% |
$67.699 |
Source: BLS: "National Industry-Specific Occupational Employment and Wage Estimates: Credit Intermediation and Related Activities (5221 And 5223 only)" (May 2020), Employer Cost of Employee Compensation (June 2021), Consumer Price Index (June 2021). |
|||
Total Estimated Compliance Cost
Using the estimated hour burden, and the wage estimates, the total cost burden for the ICR (OMB No. 3064-0095) is 50,450 hours / year X $67.69 / hours = $3,414,960.50 per year. The estimated cost burden is higher than the 2019 ICR by $3,297,260.50. As discussed previously, the increase is driven mainly by the increase in the revision of the estimated time per response for this IC.
13. Capital, Start-up, Operating, and Maintenance Cost Burden
None.
14. Estimated Annual Cost to Federal Government
None.
15. Reason for Change in Burden
There is no change in the method or substance of the collection. The 48,683 increase in burden hours is the result of the agency re-evaluating the time it takes for recordkeeping and reporting associated with the rule, and including new implementation burdens for new entities and entities reviewing their policies in light of mergers and other organizational changes. See discussion in Section 12 above.
16. Publication
The information is retained at the bank for review by FDIC examiners to verify compliance with regulatory requirements. No publication is made of the records.
17. Display of Expiration Date
Not applicable.
18. Exceptions to Certification
None.
B. STATISTICAL METHODS
Not applicable.
1 FDIC excludes cases of voluntary liquidation, credit union acquisition, or other voluntary closures that do not involve an acquiring FDIC-insured institution.
2 Call Report data, June 30, 2021.
3 BLS: "National Industry-Specific Occupational Employment and Wage Estimates: Industry: Credit Intermediation and Related Activities (5221 And 5223 only)" (May 2020).
4 BLS: Employer Cost of Employee Compensation (June 2021).
5 BLS: Consumer Price Index (June 2021).
6 The occupational categories and allocations of labor represent a change from the 2019 ICR. The 2019 ICR used a weighted average of three occupations: Top Executives, Compliance Officers, and Office and Administrative Support. However, the weighted average wage calculated in the 2019 ICR ($66.61 per hour) is similar to the wage rate calculated in the current ICR.
7 Occupation (SOC Code): Compliance Officers (131040).
8 Occupation (SOC Code): Office and Administrative Support Occupations (430000).
9 Total may not appear to sum precisely due to rounding.
| File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
| File Modified | 0000-00-00 |
| File Created | 2022-03-23 |