Reg S-ID (2022) - Supporting Statement

Regulation S-ID, Identity Theft Red Flags Rules

OMB: 3235-0692

OMB CONTROL NUMBER: 3235-0692
SUPPORTING STATEMENT
For the Paperwork Reduction Act Information Collection Submission for
Regulation S-ID
A. JUSTIFICATION

1. Necessity for the Information Collection

Under Regulation S-ID,[1] SEC-regulated entities are required to develop and implement
reasonable policies and procedures to identify, detect, and respond to relevant red flags (the
“Identity Theft Red Flags Rules”) and, in the case of entities that issue credit or debit cards, to
assess the validity of, and communicate with cardholders regarding, address changes.
Section 248.201 of Regulation S-ID includes the following “collection of information”
requirements for each SEC-regulated entity that qualifies as a “financial institution” or “creditor”
under Regulation S-ID and that offers or maintains covered accounts: (1) creation and periodic
updating of an identity theft prevention program (“Program”) that is approved by the board of
directors, an appropriate committee thereof, or a designated senior management employee;
(2) periodic staff reporting to the board of directors on compliance with the Identity Theft Red
Flags Rules and related Guidelines (this reporting requirement is set forth in the Guidelines and
thus is required to be considered by an entity subject to the Program requirement);[2] and
(3) training of staff to implement the Program. Section 248.202 of Regulation S-ID includes the
following “collection of information” requirements for each SEC-regulated entity that is a credit
or debit card issuer: (1) establishment of policies and procedures that assess the validity of a
change of address notification if a request for an additional or replacement card on the account
follows soon after the address change; and (2) notification of a cardholder, before issuance of an
additional or replacement card, at the previous address or through some other previously
agreed-upon form of communication, or alternatively, assessment of the validity of the address
change request through the entity’s established policies and procedures.

[1] Identity Theft Red Flags, Investment Company Act Release No. 30456 (Apr. 10, 2013)
(“Adopting Release”); Identity Theft Red Flags, Investment Company Act Release No. 29969
(Feb. 28, 2012) [77 FR 13450 (Mar. 6, 2012)] (“Proposing Release”). Regulation S-ID includes
section 248.201 (“Duties regarding the detection, prevention, and mitigation of identity theft”),
section 248.202 (“Duties of card issuers regarding change of address”), and Appendix A
(“Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation”) (the
“Guidelines”).

[2] Under section 248.201(f) of Regulation S-ID, each entity that is required to implement an identity
theft red flags program under section 248.201 must consider the Guidelines and incorporate them
into its program, as appropriate.

2. Purpose and Use of the Information Collection

Regulation S-ID, including the information collection requirements thereunder, is
designed to better protect investors from the risks of identity theft. The regulation requires
entities that are subject to the Commission’s jurisdiction to address identity theft in two ways.
First, the Identity Theft Red Flags Rules and related Guidelines require financial institutions and
creditors that offer or maintain certain accounts to develop and implement a written identity theft
prevention program designed to detect, prevent, and mitigate identity theft in connection with
existing accounts or the opening of new accounts. Second, Regulation S-ID establishes special
requirements for credit and debit card issuers that are subject to the Commission’s jurisdiction, to
assess the validity of notifications of changes of address under certain circumstances.
3. Consideration Given to Information Technology

The Commission’s Electronic Data Gathering, Analysis and Retrieval System
(“EDGAR”) provides for the automated filing, processing, and dissemination of full disclosure
filings. The automation provides for speed, accuracy, and public availability of information,
generating benefits to investors and financial markets. While EDGAR currently is limited to
disclosure and fund deregistration filings, EDGAR may be used in the future to obtain other
types of information from sources outside the Commission. The Electronic Signatures in Global
and National Commerce Act (15 U.S.C. 7001) and the conforming amendments to
recordkeeping rules under the Investment Company Act of 1940 (15 U.S.C. 80a) permit funds to
maintain records electronically.
4. Duplication

In adopting Regulation S-ID, the Commission sought to avoid duplication of
requirements imposed under other agencies’ rules. For example, Regulation S-ID is limited to
entities under the Commission’s jurisdiction, and although substantially similar to regulations
issued in 2007 by the Federal Trade Commission, the federal banking agencies, and the National
Credit Union Association (collectively, the “Agencies”), does not apply to entities regulated by
other agencies.[3] In addition, the Program required under Regulation S-ID may be integrated into
other identity theft prevention or privacy programs that the financial institution or creditor may
already have.
5. Effect on Small Entities

The information collection requirements of Regulation S-ID apply to all covered entities
subject to the SEC’s jurisdiction, including those that are small entities. The information
collection requirements of Regulation S-ID are necessary to help further the investor protection
goals of this regulation, and the Commission therefore believes that imposing different
requirements on smaller entities would not be consistent with investor protection and the
purposes of Regulation S-ID.

[3] See Identity Theft Red Flags and Address Discrepancies Under the Fair and Accurate Credit
Transactions Act of 2003, 72 FR 63718 (Nov. 9, 2007) (“2007 Adopting Release”). In addition,
the Commodity Futures Trading Commission (“CFTC”) adopted rules for the entities it regulates
at the same time the Commission adopted Regulation S-ID. See Adopting Release, supra note 1.

6. Consequences of Not Conducting Collection

Less frequent collection would not be consistent with the Commission’s investor
protection objectives.
7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

None.
8. Consultation Outside the Agency

Regulation S-ID was jointly adopted with the CFTC’s rules on identity theft red flags.
The Commission also consulted with the Agencies, which earlier adopted substantially similar
rules, in crafting Regulation S-ID. In addition, the Commission and its staff participate in an
ongoing dialogue with representatives of the fund industry through public conferences, meetings,
and informal exchanges. These various forums provide the Commission and the staff with a
means of ascertaining and acting upon paperwork burdens confronting the industry.
The Commission requested public comment on the information collection requirement
with respect to Regulation S-ID before submitting this request for extension to the Office of
Management and Budget. The Commission received no comments in response to its request.
9. Payment or Gift

Not applicable.
10. Confidentiality

Not applicable.

11. Sensitive Questions

No information of a sensitive nature, including social security numbers, will be required
under this collection of information. The information collection does not collect personally
identifiable information (PII). The agency has determined that a system of records notice
(SORN) and privacy impact assessment (PIA) are not required in connection with the collection
of information.
12. Burden of Information Collection

The following estimates of average burden hours and costs are made solely for purposes
of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.) and are not derived from a
quantitative, comprehensive, or even representative survey or study of the burdens associated
with Commission rules and forms. Compliance with Regulation S-ID is mandatory for each
SEC-regulated entity that qualifies as a “financial institution” or “creditor” under Regulation
S-ID, and certain collections of information under Regulation S-ID are mandatory for financial
institutions or creditors that offer or maintain covered accounts.
SEC staff estimates of time and cost burdens represent the one-time burden of complying
with Regulation S-ID for newly-formed SEC-regulated entities and the ongoing costs of
compliance for all SEC-regulated entities.[4] Staff estimates also attribute all burdens to entities
that are directly subject to the requirements of the rulemaking. An entity directly subject to
Regulation S-ID that outsources activities to a service provider is, in effect, shifting to that
service provider the burden that it would otherwise have carried itself. Under these
circumstances, the burden is, by contract, shifted from the entity that is directly subject to
Regulation S-ID to the service provider, but the total amount of burden is not increased. Thus,
service provider burdens are already included in the burden estimates provided for entities that
are directly subject to Regulation S-ID. The time and cost estimates made here are based on
conversations with industry representatives and on a review of comments received on Regulation
S-ID when it was proposed, as well as the estimates made in the regulatory analyses of the
identity theft red flags rules previously issued by the Agencies.

[4] Based on discussions with industry representatives and a review of applicable law, SEC staff
expects that, of the SEC-regulated entities that fall within the scope of Regulation S-ID, most
broker-dealers, many investment companies (including almost all open-end investment
companies and employees’ securities companies (“ESCs”)), and some registered investment
advisers will likely qualify as financial institutions or creditors. Staff expects that other
SEC-regulated entities described in the scope section of Regulation S-ID, such as business
development companies, transfer agents, nationally recognized statistical rating organizations,
self-regulatory organizations, and clearing agencies may be less likely to be financial institutions
or creditors as defined in the rules, and therefore we do not include these entities in our estimates.

§ 248.201 (duties regarding detection, prevention, and mitigation of identity theft)
The collections of information required by section 248.201 apply to SEC-regulated
entities that are financial institutions or creditors.[5]
Initial Burden
All newly-formed financial institutions and creditors would be required to conduct an
initial assessment of covered accounts, which SEC staff estimates would entail a one-time
burden of 2 hours. Staff estimates that this burden would result in a cost of $910 to each
newly-formed financial institution or creditor.[6] To the extent a financial institution or creditor
offers or maintains covered accounts, SEC staff estimates that the financial institution or creditor
would also incur a one-time burden of 25 hours to develop and obtain board approval of a
Program, and a one-time burden of 4 hours to train the financial institution’s or creditor’s staff,
for a total of 29 additional burden hours. Staff estimates that these burdens would result in
additional costs of $15,603 for each financial institution or creditor that offers or maintains
covered accounts.[7]

[5] § 248.201(a).

[6] This estimate is based on the following calculation: 2 hours x $455 (hourly rate for internal
counsel) = $910. See infra note 7 (discussing the methodology for estimating the hourly rate for
internal counsel).

SEC staff estimates that approximately 571 SEC-regulated financial institutions and
creditors are newly formed each year.[8] Each of these 571 entities will need to conduct an initial
assessment of covered accounts, for a total of 1,142 hours at a total cost of $519,610.[9] Of these
571 entities, staff estimates that approximately 90% (or 514) maintain covered accounts.[10]
Accordingly, staff estimates that the additional initial burden for SEC-regulated entities that are
likely to qualify as financial institutions or creditors and maintain covered accounts is 14,906
hours at an additional cost of $8,019,942.[11] Thus, the total initial estimated burden for all
newly-formed SEC-regulated entities is 16,048 hours at a total estimated cost of $8,539,552.[12]

[7] SEC staff estimates that, of the 29 hours incurred to develop and obtain board approval of a
Program and train the financial institution’s or creditor’s staff, 10 hours will be spent by internal
counsel at an hourly rate of $455, 17 hours will be spent by administrative assistants at an hourly
rate of $89, and 2 hours will be spent by the board of directors as a whole at an hourly rate of
$4,770. Thus, the estimated $15,603 in additional costs is based on the following calculation: (10
hours x $455 = $4,550) + (17 hours x $89 = $1,513) + (2 hours x $4,770 = $9,540) = $15,603.
The cost estimate for internal counsel is derived from SIFMA’s Management & Professional
Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and
multiplied by 5.35 to account for bonuses, entity size, employee benefits, and overhead, and
adjusted for inflation. The cost estimate for administrative assistants is derived from SIFMA’s
Office Salaries in the Securities Industry 2013, modified to account for an 1800-hour work-year
and multiplied by 2.93 to account for bonuses, entity size, employee benefits, and overhead, and
adjusted for inflation. The cost estimate for the board of directors is derived from estimates made
by SEC staff regarding typical board size and compensation that is based on information received
from fund representatives and publicly-available sources, and adjusted for inflation.

[8] Based on a review of new registrations typically filed with the SEC each year, SEC staff
estimates that approximately 1,277 investment advisers, 109 broker dealers, 34 investment
companies, and 2 ESCs typically apply for registration with the SEC or otherwise are newly
formed each year, for a total of 1,422 entities that could be financial institutions or creditors. Of
these, staff estimates that all of the investment companies, ESCs, and broker-dealers are likely to
qualify as financial institutions or creditors, and 33% of investment advisers (or 426) are likely to
qualify. See Adopting Release, supra note 1, at n.190 (discussing the staff’s analysis supporting
its estimate that 33% of investment advisers are likely to qualify as financial institutions or
creditors). We therefore estimate that a total of 571 total financial institutions or creditors will
bear the initial one-time burden of assessing covered accounts under Regulation S-ID.

Ongoing Burden
Each financial institution and creditor would be required to conduct periodic assessments
to determine if the entity offers or maintains covered accounts, which SEC staff estimates would
entail an annual burden of 1 hour per entity. Staff estimates that this burden would result in an
annual cost of $455 to each financial institution or creditor.[13] To the extent a financial institution
or creditor offers or maintains covered accounts, staff estimates that the financial institution or
creditor also would incur an annual burden of 2.5 hours to prepare and present an annual report
to the board, and an annual burden of 7 hours to periodically review and update the Program
(including review and preservation of contracts with service providers, as well as review and
preservation of any documentation received from service providers). Staff estimates that these
burdens would result in additional annual costs of $8,638 for each financial institution or creditor
that offers or maintains covered accounts.[14]

[9] These estimates are based on the following calculations: 571 entities x 2 hours = 1,142 hours;
571 entities x $910 = $519,610.

[10] In the Proposing Release, the SEC requested comment on the estimate that approximately 90% of
all financial institutions and creditors maintain covered accounts; the SEC received no comments
on this estimate.

[11] These estimates are based on the following calculations: 514 financial institutions and creditors
that maintain covered accounts x 29 hours = 14,906 hours; 514 financial institutions and creditors
that maintain covered accounts x $15,603 = $8,019,942.

[12] These estimates are based on the following calculations: 1,142 hours + 14,906 hours = 16,048
hours; $519,610 + $8,019,942 = $8,539,552.

[13] This estimate is based on the following calculation: 1 hour x $455 (hourly rate for internal
counsel) = $455. See supra note 7 (discussing the methodology for estimating the hourly rate for
internal counsel).

SEC staff estimates that there are 9,915 SEC-regulated entities that are either financial
institutions or creditors, and that all of these will be required to periodically review their
accounts to determine if they offer or maintain covered accounts, for a total of 9,915 hours for
these entities at a total cost of $4,511,325.[15] Of these 9,915 entities, staff estimates that
approximately 90 percent, or 8,924, maintain covered accounts, and thus will need the additional
burdens related to complying with the rules.[16] Accordingly, staff estimates that the additional
annual burden for SEC-regulated entities that qualify as financial institutions or creditors and
maintain covered accounts is 84,778 hours at an additional cost of $77,085,512.[17] Thus, the total
estimated ongoing annual burden for all SEC-regulated entities is 94,693 hours at a total
estimated annual cost of $81,596,837.[18]

[14] Staff estimates that, of the 9.5 hours incurred to prepare and present the annual report to the board
and periodically review and update the Program, 8.5 hours will be spent by internal counsel at an
hourly rate of $455, and 1 hour will be spent by the board of directors as a whole at an hourly rate
of $4,770. Thus, the estimated $7,874 in additional annual costs is based on the following
calculation: (8.5 hours x $455 = $3,868) + (1 hour x $4,770 = $4,770) = $8,638. See supra note 7
(discussing the methodology for estimating the hourly rate for internal counsel and the board of
directors).

[15] Based on a review of entities that the SEC regulates, SEC staff estimates that, as of September 30,
2021, there are approximately 14,705 investment advisers, 3,533 broker-dealers, 1,380 active
open-end investment companies, and 100 ESCs. Of these, staff estimates that all of the
broker-dealers, open-end investment companies and ESCs are likely to qualify as financial
institutions or creditors. We also estimate that approximately 33% of investment advisers, or
4,902 investment advisers, are likely to qualify. See Adopting Release, supra note 1, at n.190
(discussing the staff’s analysis supporting its estimate that 33% of investment advisers are likely
to qualify as financial institutions or creditors). We therefore estimate that a total of 9,915
financial institutions or creditors will bear the ongoing burden of assessing covered accounts
under Regulation S-ID. (The SEC staff estimates that the other types of entities that are covered
by the scope of the SEC’s rules will not be financial institutions or creditors and therefore will not
be subject to the rules’ requirements.)
The estimates of 9,915 hours and $3,784,800 are based on the following calculations: 9,915
financial institutions and creditors x 1 hour = 9,915 hours; 9,915 financial institutions and
creditors x $455 = $4,511,325.

§ 248.202 (duties of card issuers regarding changes of address).
The collections of information required by section 248.202 will apply only to
SEC-regulated entities that issue credit or debit cards.[19] SEC staff understands that
SEC-regulated entities generally do not issue credit or debit cards, but instead partner with other
entities, such as banks, that issue cards on their behalf. These other entities, which are not
regulated by the SEC, are already subject to substantially similar change of address obligations
pursuant to the Agencies’ identity theft red flags rules. Therefore, staff does not expect that any
SEC-regulated entities will be subject to the information collection requirements of
section 248.202, and accordingly, staff estimates that there is no hour or cost burden for
SEC-regulated entities related to section 248.202.
As displayed in the table below, we estimate the total annual burden for all
SEC-regulated entities is 110,741 hours at a total annual cost of $90,136,389.

[16] See supra note 10 and accompanying text. If a financial institution or creditor does not maintain
covered accounts, there would be no ongoing annual burden for purposes of the PRA.

[17] These estimates are based on the following calculations: 8,924 financial institutions and creditors
that maintain covered accounts x 9.5 hours = 84,778 hours; 8,924 financial institutions and
creditors that maintain covered accounts x $8,638 = $77,085,512.

[18] These estimates are based on the following calculations: 9,915 hours + 84,778 hours = 94,693
hours; $4,511,325 + $77,085,512 = $81,596,837.

[19] § 248.202(a).

Table: Summary of Revised Annual Responses, Burden Hours, and
Burden Hour Costs for Each Information Collection

IC Title: Regulation S-ID

                                       Previously approved   Requested       Change
Annual No. of Responses                10,535                10,486          -49
Annual Time Burden (Hrs.)              111,991               110,741         -1,250
Burden Hour Cost to Respondents ($)    $82,660,000           $90,136,389     +$7,476,389

13. Cost to Respondents

The rule is not estimated to impose any burdens other than those discussed in Item 12
above.
14. Cost to the Federal Government

The rule does not impose any additional costs on the federal government.
15. Changes in Burden

The estimated total annual burden hours decreased 1,250 hours, from 111,991 hours to
110,741 hours. This change in burden hours is primarily attributable to changes in the staff’s
estimates of the number of entities that could be financial institutions or creditors.
16. Information Collection Planned for Statistical Purposes

Not applicable.
17. Approval to Omit OMB Expiration Date

Not applicable.
18. Exceptions to Certification Statement for Paperwork Reduction Act Submission

Not applicable.

B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS

Not applicable.


File Type: application/pdf
File Title: SUPPORTING STATEMENT
File Modified: 2022-02-10
File Created: 2022-02-10
