Rule 248.30 Supporting Statement-2022

Rule 248.30; 17 C.F.R. Sec. 248.30, Procedures to safeguard customer records and information; disposal of consumer report information.

OMB: 3235-0610

OMB CONTROL NUMBER: 3235-0610

SUPPORTING STATEMENT
for the Paperwork Reduction Act Information Collection for
Rule 248.30
A. JUSTIFICATION

1. Necessity for the Information Collection

Section 501 of the Gramm-Leach-Bliley Act (the “GLBA” or “Act”) (15 U.S.C.
6801) directs the Commission, and other federal financial regulators, to require that
financial institutions establish appropriate administrative, technical, and physical
safeguards to “insure the security and confidentiality of customer records and
information,” “protect against any anticipated threats or hazards to the security and
integrity” of those records, and protect against unauthorized access to or use of those
records or information, which “could result in substantial harm or inconvenience to any
customer.” 1
Pursuant to this provision, the Commission adopted rule 248.30(a) (the “safeguard
rule”) under Regulation S-P (17 CFR 248.30(a)) in 2000. 2 The safeguard rule requires
brokers, dealers, investment companies, and investment advisers registered with the
Commission (“registered investment advisers”) (collectively “covered institutions”) to
adopt written policies and procedures for administrative, technical, and physical
safeguards to protect customer records and information. The safeguards must be
reasonably designed to meet the Act’s objectives.
Other than the safeguard rule, rule 248.30 does not impose any recordkeeping
requirement or otherwise include any requirement that constitutes a “collection of
information” as it is defined in the regulations implementing the Paperwork Reduction
Act of 1995 (44 U.S.C. 3501).

1 See 15 U.S.C. 6801(b). See also section 505 of the GLBA (15 U.S.C. 6805), directing the
Commission to enforce the Act’s safeguard requirements under the Securities Exchange Act of
1934 (15 U.S.C. 78a) (the “Exchange Act”), the Investment Company Act of 1940 (15 U.S.C.
80a) (the “Investment Company Act”), and the Investment Advisers Act of 1940 (15 U.S.C. 80b-1).

2 See Privacy of Consumer Financial Information (Regulation S-P), Investment Company Act
Release No. 24543 (Jun. 22, 2000) [56 FR 40334 (Jun. 29, 2000)] (adopting the safeguard rule);
Disposal of Consumer Report Information, Investment Company Act Release No. 26685 (Dec. 2,
2004) [69 FR 71329 (Dec. 8, 2004)] (amending the safeguard rule to require that safeguard
policies and procedures be documented in writing).

2. Purpose and Use of the Information Collection

The safeguard rule’s requirement that covered institutions’ policies and
procedures be in writing constitutes a “collection of information” requirement within the
meaning of the Paperwork Reduction Act of 1995. 3 The rule is designed to ensure that
covered institutions maintain reasonable safeguard policies and procedures. Requiring
written safeguard policies and procedures eliminates uncertainty as to what actions an
employee must take to protect customer records and information and promotes more
systematic and organized reviews of safeguard policies and procedures by institutions.
The information collection also assists the Commission’s examination staff in assessing
the existence and the adequacy of covered institutions’ safeguard policies and procedures.
3. Consideration Given to Information Technology

The safeguard rule does not require the reporting of any information or the filing
of any documents with the Commission. The rule requires covered institutions to
maintain their safeguard policies and procedures in writing. The Electronic Signatures in
Global and National Commerce Act 4 and the interpretive guidance and conforming
amendments to rules under the Exchange Act and the Investment Company Act permit
broker-dealers and funds to maintain records electronically. The Commission also
permits registered investment advisers to maintain the records required under rule 204-2
through electronic media. 5

3 The safeguard rule is currently approved under OMB control number 3235-0610.

4 15 U.S.C. 7001.

4. Duplication

The safeguard rule imposes a requirement that covered institutions maintain and
document their safeguard policies and procedures in writing. Covered institutions are
subject to similar requirements elsewhere in the federal securities laws and rules of the
self-regulatory organizations that require them to adopt written policies and procedures. 6
The safeguard rule, however, does not require covered institutions to maintain duplicate
copies of records covered by the rule, and an institution’s safeguard policies and
procedures do not have to be maintained in a single location. Moreover, although the
safeguard rule requires broker-dealers and investment companies to keep certain records
that may be required under the general recordkeeping provisions of rule 17a-3 under the
Exchange Act 7 and rule 31a-1 under the Investment Company Act, 8 the overlap is limited
and the Commission does not require a broker-dealer or investment company to maintain
duplicate copies of the records. The staff believes, therefore, that any duplication of
regulatory requirements is limited and does not impose significant additional costs on
institutions.

5 17 CFR 275.204(g).

6 See, e.g., 17 CFR 270.17j-1(c)(1) (requiring a fund and each investment adviser and principal
underwriter of the fund to “adopt a written code of ethics containing provisions reasonably
necessary to prevent” certain persons affiliated with the fund, its investment adviser or its
principal underwriter from engaging in certain fraudulent, manipulative, and deceptive actions
with respect to the fund); 15 U.S.C. 80b-4a (requiring each adviser registered with the
Commission to have written policies and procedures reasonably designed to prevent the misuse of
material non-public information by the adviser or persons associated with the adviser); and
FINRA Rule 3110 (requiring each broker-dealer to establish and maintain written procedures to
supervise the types of business it is engaged in and to supervise the activities of registered
representatives and associated persons).

7 17 CFR 240.17a-3 (requiring broker-dealers to make and keep, among other things, blotters or
other records of original entry, securities position records, and order tickets).

8 17 CFR 270.31a-1(b)(4), 17 CFR 270.31a-1(b)(11) (requiring investment companies to maintain,
among other things, minute books of directors’ meetings and “files of all advisory material
received from the investment adviser”).

5. Effect on Small Entities

Every covered institution, regardless of its size, is subject to the safeguard rule’s
requirements. Regardless of the size of the entity, a covered entity could not reasonably
manage the safeguarding of customer records and information without written policies
and procedures. The safeguard rule requires covered institutions to adopt policies and
procedures “reasonably designed” to protect customer information and records.
Accordingly, the rule permits covered institutions to tailor their policies and procedures
to the institution’s particular systems, methods of information gathering, and customer
needs. Accordingly, a small institution with relatively simple policies and procedures
reflecting simple business operations would likely take less time to document those
policies and procedures than would a large institution with complex and very detailed
policies and procedures. Exempting small entities from the safeguard rule, or otherwise
changing the requirements of the rule, would jeopardize the interests of investors who use
these institutions’ services, and who need the same protections as the investors who use
the services of large entities.

6. Consequences of Not Conducting Collection

The safeguard rule requires covered institutions to maintain written policies and
procedures. These policies and procedures would have to be written when first adopted
and revised only as the safeguard policies and procedures are changed. Thus, the
collection of information is required only as necessary to reflect current policies and
procedures.

7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

The safeguard rule requires covered institutions to maintain written safeguard
policies and procedures on an ongoing basis. Although this period would exceed the
three-year guideline for most kinds of records under 5 CFR 1320.5(d)(2)(iv), the staff
believes that this is warranted because the rule assists in informing and training the
institutions’ employees and contributes to the effectiveness of the Commission’s
examination and inspection program.
8. Consultation Outside the Agency

The Commission requested public comment on the information collection
requirement in the safeguard rule before it submitted this request for extension and
approval to the Office of Management and Budget. The Commission received no
comments to its request. The Commission and the staff of the Divisions of Investment
Management and Trading and Markets participate in an ongoing dialogue with
representatives of the industry through public conferences, meetings, and informal
exchanges. These various forums provide the Commission and the staff with a means of
ascertaining the magnitude of the paperwork burdens confronting the industry.
9. Payment or Gift

Not applicable.

10. Confidentiality

Not applicable.

11. Sensitive Questions

No information of a sensitive nature, including social security numbers, will be
required under this collection of information. The information collection does not collect
personally identifiable information (PII). The agency has determined that a system of
records notice (SORN) and privacy impact assessment (PIA) are not required in
connection with the collection of information.
12. Burden of Information Collection

The safeguard rule requires each covered institution to maintain written policies
and procedures regarding the safeguarding of customer records and information. We
believe that almost all covered institutions have already documented their safeguard
policies and procedures in writing because this has been a requirement under the rule
since July 1, 2005. In addition, these institutions have a strong interest in preventing
security threats, such as identity theft or threats to their computer systems, as a matter of
good business practice and state law.
We estimate that as of the end of 2020, there are 3,681 broker-dealers, 2,840
investment companies, and 13,788 investment advisers registered with the Commission,
for a total of 20,309 covered institutions. We believe that all of these covered institutions
have already documented their safeguard policies and procedures in writing and therefore
will incur no hourly burdens related to the initial documentation of policies and
procedures.
Although existing covered institutions would not incur any initial hourly burden
in complying with the safeguards rule, we expect that newly registered institutions would
incur some hourly burdens associated with documenting their safeguard policies and
procedures. We estimate that approximately 1,375 broker-dealers, investment
companies, or investment advisers register with the Commission annually. 9 However, we
also expect that approximately 20% of these newly registered covered institutions, or 372
institutions, are affiliated with an existing covered institution, and will rely on an
organization-wide set of previously documented safeguard policies and procedures
created by their affiliates. 10 We estimate that these affiliated newly registered covered
institutions will incur a significantly reduced hourly burden in complying with the
safeguards rule, as they will need only to review their affiliate’s existing policies and
procedures, and identify and adopt the relevant policies for their business. Therefore, we
expect that newly registered covered institutions with existing affiliates will incur an
hourly burden of approximately 15 hours in identifying and adopting safeguard policies
and procedures for their business, for a total hourly burden for all affiliated new
institutions of 5,580 hours. 11 We expect that half of this time would be incurred by inside
counsel at an hourly rate of $455, and half would be by a compliance officer at an hourly
rate of $400, for a total cost of $2,385,450. 12

9 This estimate is based on review of filings on Forms ADV (Item 5D, Schedule 7A), Form BD, and
Form N-CEN (Item C.15).

10 The estimate that 20% of newly registered covered institutions are affiliated with an existing
covered institution is based on statistics reported on Form ADV and Form BD, as well as analysis
of new investment companies filing on Form N-CEN.

11 This estimate is based on the following calculation: 15 hours x 372 covered institutions = 5,580
hours.

12 This estimate is based on the following calculations: 5,580 / 2 = 2,790 hours; 2,790 hours x $455
per hour = $1,269,450; 2,790 hours x $400 = $1,116,000; $1,269,450 + $1,116,000 = $2,385,450.
Hourly wages are from SIFMA's Management & Professional Earnings in the Securities Industry
2013, modified by Commission staff to account for an 1800-hour work-year and inflation and
multiplied by 5.35 to account for bonuses, firm size, employee benefits, and overhead.

Finally, we expect that the 1,003 newly registered entities that are not affiliated
with an existing institution 13 will incur a significantly higher hourly burden in reviewing
and documenting their safeguard policies and procedures. We expect that virtually all of
the newly registered covered entities that do not have an affiliate are likely to be small
entities and are likely to have smaller and less complex operations, with a
correspondingly smaller set of safeguard policies and procedures to document, compared
to other larger existing institutions with multiple affiliates. We estimate that it will take a
typical newly registered unaffiliated institution approximately 60 hours to review,
identify, and document their safeguard policies and procedures, for a total of 60,180
hours for all newly registered unaffiliated entities. 14 We expect that half of this time
would be incurred by inside counsel at an hourly rate of $455, and half would be by a
compliance officer at an hourly rate of $400, for a total cost of $25,726,950. 15
Therefore, we estimate that the total annual hourly burden associated with the
safeguards rule is 65,760 hours at a total hourly cost of $28,112,400. 16 We also estimate
that all covered institutions will be respondents each year, for a total of 20,309
respondents.

13 Of the 1,375 covered institutions that register annually, the Commission estimates 372 are
affiliated with an existing covered institution. 1,375 – 372 = 1,003 unaffiliated, covered
institutions.

14 This estimate is based on the following calculation: 60 hours x 1,003 covered institutions = 60,180
hours.

15 This estimate is based on the following calculations: 60,180 hours / 2 = 30,090 hours; 30,090
hours x $455 per hour = $13,690,950; 30,090 hours x $400 = $12,036,000; $13,690,950 +
$12,036,000 = $25,726,950.

16 This estimate is based on the following calculations: 5,580 hours for affiliated newly registered
entities + 60,180 hours for unaffiliated newly registered entities = 65,760 total hours; $2,385,450 +
$25,726,950 = $28,112,400.

Table 1: Summary of Revised Annual Responses, Burden Hours, and Burden
Hour Costs Estimates for Each Information Collection

Rule 248.30                            Previously approved    Requested     Change

Annual No. of Responses
  Safeguard policies and procedures    21,251                 20,309        -942
  TOTAL                                21,251                 20,309        -942

Annual Time Burden (Hrs.)
  Safeguard policies and procedures    47,565                 65,760        +18,195
  TOTAL                                47,565                 65,760        +18,195

Cost Burden ($)
  Safeguard policies and procedures    17,908,223             28,112,400    +10,204,177
  TOTAL                                17,908,223             28,112,400    +10,204,177

13. Cost to Respondents

The staff estimates that the safeguard rule does not impose a material cost burden,
apart from the cost of the burden hours identified in section 12, on covered institutions.
Although these entities are likely to retain these records for as long as the institution
maintains policies and procedures, these records could be maintained electronically and,
even if maintained in hard copy, would not likely be extensive. The staff has not
estimated a capital/startup cost in connection with the recordkeeping requirements
because covered institutions would likely use existing recordkeeping systems to maintain
the required compliance records.

14. Cost to the Federal Government

There is no cost to the federal government of administering the information
collection requirements in rule 248.30(a) under the GLBA.

15. Changes in Burden

The increase in estimated total annual burden hours from 47,565 to 65,760 is
attributable to an increase in the staff’s estimate of the number of newly registered
entities that are unaffiliated with an existing institution.
16. Information Collection Planned for Statistical Purposes

Not applicable.

17. Approval to Omit the OMB Expiration Date

Not applicable.

18. Exception to Certification Statement for Paperwork Reduction Act
Submissions

Not applicable.

B. COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS

Not applicable.


File Type: application/pdf
File Title: SUPPORTING STATEMENT
File Modified: 2022-03-02
File Created: 2022-03-02
