Rule 204-2 (P-Cyber) Supporting Statement

Rule 204-2 under the Investment Advisers Act of 1940

OMB: 3235-0278

OMB CONTROL NUMBER: 3235-0278
SUPPORTING STATEMENT
For the Paperwork Reduction Act Information Collection Submission for
Amendments to Rule 204-2 under the Investment Advisers Act of 1940
A. JUSTIFICATION
1. Necessity for the Information Collection

Section 204 of the Investment Advisers Act of 1940 (the “Advisers Act”) provides
that investment advisers required to register with the Securities and Exchange
Commission (the “Commission” or “SEC”) must make and keep certain records for
prescribed periods, and make and disseminate certain reports. 1 Advisers Act rule
204-2 sets forth mandatory requirements for maintaining and preserving specified
books and records. 2 The records that an adviser must keep in accordance with rule
204-2 must generally be retained for not less than five years. 3 These requirements
constitute a mandatory “collection of information,” within the meaning of the
Paperwork Reduction Act.
On February 9, 2022, the Commission proposed rules related to cybersecurity
risk management for registered investment advisers, registered investment
companies, and business development companies as well as amendments to certain
rules that govern investment adviser and fund disclosures under the Advisers Act and
the Investment Company Act of 1940. 4 As part of the proposed cybersecurity risk
management rules, the Commission proposed corresponding amendments to rule
204-2, the books and records rule. The proposed amendments would require
advisers to retain: (1) a copy of their cybersecurity policies and procedures
formulated pursuant to proposed rule 206(4)-9 that is in effect, or at any time within
the past five years was in effect; (2) a copy of the adviser’s written report
documenting the annual review of its cybersecurity policies and procedures pursuant
to proposed rule 206(4)-9 in the last five years; (3) a copy of any Form ADV-C filed
by the adviser under rule 204-6 in the last 5 years; (4) records documenting the
occurrence of any cybersecurity incident, as defined in rule 206(4)-9(c), occurring in
the last five years, including records related to any response and recovery from such
an incident; and (5) records documenting any risk assessment conducted pursuant to
the cybersecurity policies and procedures required by rule 206(4)-9(a)(1) in the last
five years. 5 These proposed amendments would help facilitate the Commission’s
inspection and enforcement capabilities. The information generally is kept
confidential subject to the applicable law. 6
The collection has been previously approved and subsequently extended under
Office of Management and Budget (“OMB”) control number 3235-0278 (expiring
October 31, 2022), and it is found at 17 CFR 275.204-2. An agency may not conduct
or sponsor, and a person is not required to respond to, a collection of information
unless it displays a currently valid OMB number.

1 15 U.S.C. 80b-4.

2 17 CFR 275.204-2.

3 See id., at 275.204-2(e). The standard retention period required for books and records under rule
204-2 is five years, in an easily accessible place, the first two years in an appropriate office of the
investment adviser.

4 Cybersecurity Risk Governance and Incident Disclosure, Securities Act Release No. 11028 (Feb.
9, 2022) available at https://www.sec.gov/rules/proposed/2022/33-11028.pdf (“Cybersecurity Risk
Governance and Incident Disclosure Proposal”).

5 See proposed rule 204-2(a)(17)(i) through (vii).

6 See section 210(b) of the Advisers Act (15 U.S.C. 80b-10(b)).

2. Purpose and Use of the Information Collection

The purpose of the information collection in rule 204-2 is to assist the
Commission’s examination and oversight program. Requiring the creation,
maintenance and retention of the above records as part of rule 204-2 would facilitate
the Commission’s ability to inspect for and enforce compliance with firms’
obligations with respect to the proposed cybersecurity risk management rules.
The respondents to the rule are investment advisers registered with the
Commission. Responses provided to the Commission in the context of its
examination and oversight program are generally kept confidential subject to the
applicable law. 7 This collection of information is found at 17 CFR 275.204-2 and is
mandatory.
3. Consideration Given to Information Technology

The Commission’s use of computer technology in connection with this
information collection, which has been previously approved by OMB, would not
change. The Commission currently permits advisers to maintain records required by
the rule through electronic media. 8
4. Efforts to Identify Duplication

The collection of information requirements of the rule, including the
amendments, are not duplicated elsewhere. The Commission periodically evaluates
rule-based reporting and recordkeeping requirements for duplication, and reevaluates
these requirements whenever it adopts amendments to its rules.

7 See section 210(b) of the Advisers Act [15 U.S.C. 80b-10(b)].

8 See Electronic Recordkeeping by Investment Companies and Investment Advisers, Investment
Advisers Act Release No. 1945 (May 24, 2001) 66 FR 29224 (May 30, 2001).

5. Effect on Small Entities

The requirements of the rule are the same for all investment advisers registered
with the Commission, including those that are small entities. The requirements of the
amendments to rule 204-2 will not distinguish between small entities and other
investment advisers because the protections of the Advisers Act are intended to apply
equally to retail investor clients of both large and small firms. OMB has previously
approved the effect of this collection on all investment advisers in general, including
advisers that are small entities. Moreover, it would defeat the purpose of the rule to
exempt small entities from these requirements. The Commission reviews all rules
periodically, as required by the Regulatory Flexibility Act, to identify methods to
minimize recordkeeping or reporting requirements affecting small businesses.
6. Consequences of Not Conducting Collection

Less frequent information collection will be incompatible with the objectives of
the rule and would hinder the Commission’s oversight and examination program for
investment advisers and thereby reduce the protection to investors.
7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

The collection requirements under rule 204-2 generally require advisers to
maintain documents for five years, and in some cases longer. The retention period
will not be affected by the amendments to the rule. Although this period exceeds the
three-year guideline for most kinds of records under 5 CFR 1320.5(d)(2)(iv), OMB
has previously approved the collection with this retention period. The retention
periods in rule 204-2 are warranted because the recordkeeping requirements in rule
204-2 of the Advisers Act are designed to contribute to the effectiveness of the
Commission’s examination and inspection program. Because the period between
examinations may be as long as five years, it is important that the Commission have
access to records that cover the entire period between examinations.
8. Consultation Outside the Agency

The Commission and the staff of the Division of Investment Management
participate in an ongoing dialogue with representatives of the investment
management industry through public conferences, meetings, and informal
exchanges. These various forums provide the Commission and staff with a means of
ascertaining and acting upon paperwork burdens confronting the industry. In
addition, the Commission has requested public comment on the proposed
amendments to rule 204-2, including the collection of information requirements
resulting from the proposed amendments. Before adopting these amendments, the
Commission will receive and evaluate public comments on the proposed
amendments and their associated collection of information requirements.
9. Payment or Gift

None.
10. Confidentiality

Responses provided to the Commission pursuant to rule 204-2 in the context of
the Commission’s examination and oversight program are generally kept confidential
subject to the applicable law.

11. Sensitive Questions

No information of a sensitive nature, including social security numbers, will be
required under this collection of information. The information collection collects
basic Personally Identifiable Information (PII) that may include names, job titles,
work addresses, and phone numbers. However, the agency has determined that the
information collection does not constitute a system of record for purposes of the
Privacy Act. Information is not retrieved by a personal identifier.
12. Estimate of Hour and Cost Burden of Information Collection

The following estimates of average burden hours and costs are made solely for
purposes of the Paperwork Reduction Act of 1995 9 and are not derived from a
comprehensive or even representative survey or study of the cost of Commission
rules and forms.
The respondents to this collection of information are investment advisers
registered or required to be registered with the Commission. All such advisers will be
subject to the proposed amendments to rule 204-2. As of October 31, 2021, there
were 14,774 advisers that would be subject to these requirements. In our most recent
Paperwork Reduction Act submission for rule 204-2, we estimated for rule 204-2 a
total annual aggregate hour burden of 2,764,563 hours, and the total annual
aggregate external cost burden is $175,980,426. 10 The table below summarizes the
initial and ongoing annual burden estimates associated with the proposed
amendments to rule 204-2. 11

9 44 U.S.C. 3501 et seq.

10 Supporting Statement for the Paperwork Reduction Act Information Collection Submission for
Revisions to Rule 204-2, OMB Report, OMB 3235-0278 (Aug. 2021).

11 We estimate the hourly wage rate for compliance clerk is $70 and a general clerk is $62. The
hourly wages used are from the SIFMA Wage Report.

Table 1: Rule 204-2 PRA Estimates

PROPOSED ESTIMATES FOR RULE 204-2 AMENDMENTS

| | Internal Hour Burden | Wage Rate | Internal Time Costs | Annual External Cost Burden |
|---|---|---|---|---|
| Retention of cybersecurity policies and procedures | 1 | × $68 (blended rate for general clerk and compliance clerk) | $68 | $0 |
| Total burden per adviser | 1 | | $68 | $0 |
| Total number of affected advisers | × 14,774 | | × 14,774 | $0 |
| Sub-total burden | 14,774 hours | | $1,004,632 | $0 |
| Retention of written report documenting annual review | 1 | × $68 (blended rate for general clerk and compliance clerk) | $68 | $0 |
| Total annual burden per adviser | 1 | | $68 | $0 |
| Total number of affected advisers | × 14,774 | | × 14,774 | $0 |
| Sub-total burden | 14,774 hours | | $1,004,632 | $0 |
| Retention of copy of any Form ADV-C filed in last 5 years | 1 | × $68 (blended rate for general clerk and compliance clerk) | $68 | $0 |
| Total annual burden per adviser | 1 | | $68 | $0 |
| Total number of affected advisers | × 14,774 | | × 14,774 | $0 |
| Sub-total burden | 14,774 hours | | $1,004,632 | $0 |
| Retention of records documenting a cybersecurity incident | 1 | × $68 (blended rate for general clerk and compliance clerk) | $68 | $0 |
| Total annual burden per adviser | 1 | | $68 | $0 |
| Total number of affected advisers | × 14,774 | | × 14,774 | $0 |
| Sub-total burden | 14,774 hours | | $1,004,632 | $0 |
| Retention of records documenting an adviser’s cybersecurity risk assessment | 1 | × $68 (blended rate for general clerk and compliance clerk) | $68 | $0 |
| Total annual burden per adviser | 1 | | $68 | $0 |
| Total number of affected advisers | × 14,774 | | × 14,774 | $0 |
| Sub-total burden | 14,774 hours | | $1,004,632 | $0 |
| Total annual aggregate burden of rule 204-2 amendments per adviser | 5 hours | | $340 | $0 |
| Current annual estimated aggregate burden of rule 204-2 | 2,764,563 hours | | $175,980,426 | $0 |
| Total annual aggregate burden of rule 204-2 | 3,049,945 hours | | $194,470,162 | $0 |

The approved annual aggregate burden for rule 204-2 is currently 2,764,563 hours, based on an estimate of 13,724 registered
advisers, or 201.44 hours per registered adviser. We estimate that the proposed amendments to the recordkeeping rule will result in
an aggregate increase in the collection of information burden estimate by 5 hours for each of the estimated 14,774 registered
advisers, resulting in a total of 206.44 hours per adviser, for a new total annual burden of 3,049,945 in the aggregate.
The Cybersecurity Risk Governance and Incident Disclosure Proposal PRA estimated that the new total annual burden would be
2,838,433 in the aggregate. As noted in the chart above, we have revised this estimate to 3,049,945 to reflect that the hour burden per
adviser (206.44) would apply to the updated adviser estimate (14,774). The 2,838,433 estimate in the Cybersecurity Risk Governance
and Incident Disclosure Proposal PRA added the total annual aggregate burden of the rule 204-2 amendments (73,870 hours or 5
hours per 14,774) to the currently approved estimated aggregate burden of rule 204-2 (2,764,563). This generated the 2,838,433
estimate, which we have proposed to correct herein.
The approved annual aggregate internal monetized cost burden for rule 204-2 is currently $175,980,426, based on an estimate of
13,724 registered advisers, or approximately $12,823 per registered adviser. We estimate that the proposed amendments to the
recordkeeping rule will result in an aggregate increase in the collection of information internal monetized cost by $340 for each of the
estimated 14,774 registered advisers, resulting in a total of $13,163 per adviser, for a new total internal monetized cost of
$194,470,162.
The Cybersecurity Risk Governance and Incident Disclosure Proposal PRA estimated that the new total annual internal monetized
costs would be $181,003,586 in the aggregate. As noted in the chart above, we have revised this estimate to $194,470,162 to reflect
that the internal cost per adviser ($13,163) would apply to the updated adviser estimate (14,774). The $181,003,586 estimate in the
Cybersecurity Risk Governance and Incident Disclosure Proposal PRA added the total annual internal cost of the rule 204-2
amendments ($5,023,160 or $340 per 14,774) to the currently approved estimated aggregate internal monetized cost of rule 204-2
(2,764,563). This generated the $181,003,586 estimate, which we have proposed to correct herein.

13. Cost to Respondents

Cost burden is the cost of goods and services purchased to meet the requirements
of rule 204-2, such as for the services of outside counsel. The cost burden does not
include the hour burden discussed in Item 12 above. Estimates are based on the
Commission’s experience.
As summarized in Table 1 above, we estimate that the annual external cost
associated with the proposed amendments to rule 204-2 is $0.
14. Cost to the Federal Government

There are no additional costs to the federal government directly attributable to
rule 204-2.

15. Change in Burden

We estimate that amendments to rule 204-2 will result in a revised annual
aggregate burden of 3,049,945 hours per year, with a monetized value of
$194,470,162. This would be an aggregate increase of 285,382 hours, or $18,489,736
in the monetized value of the hour burden, from the currently approved annual
aggregate burden estimates. The changes are due to proposed amendments and
updated data. The external cost burden associated with rule 204-2 ($0) has not
changed.
16. Information Collection Planned for Statistical Purposes

None.
17. Approval to Omit OMB Expiration Date

Not Applicable.
18. Exceptions to Certification Statement for Paperwork Reduction Act Submission

Not Applicable.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
The collection of information will not employ statistical methods.


File Type: application/pdf
Author: Nixon, Naseem
File Modified: 2022-05-23
File Created: 2022-05-23
