3235-0751 Supporting Statement (2023 Cybersecurity Risk Management Proposal)

Rule 18a-6 – Records to be preserved by certain security-based swap dealers and major security-based swap participants

OMB: 3235-0751

SUPPORTING STATEMENT
for the Paperwork Reduction Act Information Collection Submission for Rule 18a-6
3235-0751
Proposed Partial Revision (in connection with Cybersecurity Risk Management Proposal)
This submission is being made pursuant to the Paperwork Reduction Act of 1995, 44
U.S.C. Section 3501 et seq.
A. JUSTIFICATION

1. Necessity of Information Collection

On July 21, 2010, President Obama signed the Dodd-Frank Wall Street Reform and
Consumer Protection Act (the “Dodd-Frank Act”) into law. 1 Section 764 of the Dodd-Frank Act
added section 15F to the Securities Exchange Act of 1934 (the “Exchange Act”), 2 which
provides that the Commission shall adopt rules governing reporting and recordkeeping for
security-based swap dealers (“SBSDs”) and major security-based swap participants
(“MSBSPs”). 3
Accordingly, on September 19, 2019, the Commission adopted amendments to its
recordkeeping and reporting rules for broker-dealers as well as new recordkeeping and reporting
rules for SBSDs and MSBSPs (the “SBS Recordkeeping Release”). 4 The SBS Recordkeeping
Release adopted Exchange Act Rule 18a-6 (in conjunction with Exchange Act Rule 18a-5) to
establish recordkeeping requirements applicable to stand-alone SBSDs, stand-alone MSBSPs,
bank SBSDs, and bank MSBSPs (collectively “SBS Entities”). 5 Rule 18a-6 is modeled on
Exchange Act Rule 17a-4, which applies to broker-dealers, but Rule 18a-6 does not include a
parallel requirement for every requirement in Rule 17a-4 because some of the requirements in
Rule 17a-4 relate to activities that are not expected or permitted of stand-alone SBSDs, stand-alone MSBSPs, bank SBSDs, and bank MSBSPs.
Rule 18a-6 establishes a number of new collections of information. 6 The table below
provides a summary of the new collections of information, noting the type of record that is
required to be created, the specific provision in the rule that requires the record to be created, and
the entity to which the provision in the rule applies.

Records To Be Preserved for a Period of Not Less Than 6 Years

| Type of record | Non-model stand-alone SBSDs | Model stand-alone SBSDs | Bank SBSDs | Stand-alone MSBSPs |
|---|---|---|---|---|
| Trade blotters | Rule 18a-6(a)(1) citing Rule 18a-5(a)(1) | Rule 18a-6(a)(1) citing Rule 18a-5(a)(1) | Rule 18a-6(a)(2) citing Rule 18a-5(b)(1) | Rule 18a-6(a)(1) citing Rule 18a-5(a)(1) |
| General ledger | Rule 18a-6(a)(1) citing Rule 18a-5(a)(2) | Rule 18a-6(a)(1) citing Rule 18a-5(a)(2) | | Rule 18a-6(a)(1) citing Rule 18a-5(a)(2) |
| Ledgers for customer and non-customer accounts | Rule 18a-6(a)(1) citing Rule 18a-5(a)(3) | Rule 18a-6(a)(1) citing Rule 18a-5(a)(3) | Rule 18a-6(a)(2) citing Rule 18a-5(b)(2) | Rule 18a-6(a)(1) citing Rule 18a-5(a)(3) |
| Stock record | Rule 18a-6(a)(1) citing Rule 18a-5(a)(4) | Rule 18a-6(a)(1) citing Rule 18a-5(a)(4) | Rule 18a-6(a)(2) citing Rule 18a-5(b)(3) | Rule 18a-6(a)(1) citing Rule 18a-5(a)(4) |

Records To Be Preserved for a Period of Not Less Than 3 Years

| Type of record | Non-model stand-alone SBSDs | Model stand-alone SBSDs | Bank SBSDs | Stand-alone MSBSPs |
|---|---|---|---|---|
| Memoranda of brokerage orders | | | Rule 18a-6(b)(2)(i) citing Rule 18a-5(b)(4) | |
| Memoranda of proprietary orders | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(5) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(5) | Rule 18a-6(b)(2)(i) citing Rule 18a-5(b)(5) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(5) |
| Confirmations | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(6) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(6) | Rule 18a-6(b)(2)(i) citing Rule 18a-5(b)(6) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(6) |
| Accountholder information | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(7) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(7) | Rule 18a-6(b)(2)(i) citing Rule 18a-5(b)(7) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(7) |
| Options positions | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(8) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(8) | | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(8) |
| Trial balances and computation of net capital | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(9) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(9) | | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(9) |
| Account equity and margin calculations under Rule 18a-3 | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(12) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(12) | | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(12) |
| Possession or control requirements under Rule 18a-4 | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(13) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(13) | Rule 18a-6(b)(2)(i) citing Rule 18a-5(b)(9) | |
| Customer reserve requirements under Rule 18a-4 | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(14) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(14) | Rule 18a-6(b)(2)(i) citing Rule 18a-5(b)(10) | |
| Unverified transactions | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(15) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(15) | Rule 18a-6(b)(2)(i) citing Rule 18a-5(b)(11) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(15) |
| Political contributions | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(16) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(16) | Rule 18a-6(b)(2)(i) citing Rule 18a-5(b)(12) | |
| Compliance with business conduct requirements | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(17) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(17) | Rule 18a-6(b)(2)(i) citing Rule 18a-5(b)(13) | Rule 18a-6(b)(1)(i) citing Rule 18a-5(a)(17) |
| Bank records | Rule 18a-6(b)(1)(ii) | Rule 18a-6(b)(1)(ii) | | Rule 18a-6(b)(1)(ii) |
| Bills | Rule 18a-6(b)(1)(iii) | Rule 18a-6(b)(1)(iii) | | Rule 18a-6(b)(1)(iii) |
| Communications | Rule 18a-6(b)(1)(iv) | Rule 18a-6(b)(1)(iv) | Rule 18a-6(b)(2)(ii) | Rule 18a-6(b)(1)(iv) |
| Trial balances | Rule 18a-6(b)(1)(v) | Rule 18a-6(b)(1)(v) | | Rule 18a-6(b)(1)(v) |
| Account documents | Rule 18a-6(b)(1)(vi) | Rule 18a-6(b)(1)(vi) | Rule 18a-6(b)(2)(iii) | Rule 18a-6(b)(1)(vi) |
| Written agreements | Rule 18a-6(b)(1)(vii) | Rule 18a-6(b)(1)(vii) | Rule 18a-6(b)(2)(iv) | Rule 18a-6(b)(1)(vii) |
| Information supporting financial reports | Rule 18a-6(b)(1)(viii) | Rule 18a-6(b)(1)(viii) | Rule 18a-6(b)(2)(v) | Rule 18a-6(b)(1)(viii) |
| Rule 15c3-4 risk management records | Rule 18a-6(b)(1)(ix) | Rule 18a-6(b)(1)(ix) | | Rule 18a-6(b)(1)(ix) |
| Credit risk determinations | | Rule 18a-6(b)(1)(x) | | |
| Regulation SBSR information | Rule 18a-6(b)(1)(xi) | Rule 18a-6(b)(1)(xi) | Rule 18a-6(b)(2)(vi) | Rule 18a-6(b)(1)(xi) |
| Records relating to business conduct standards | Rule 18a-6(b)(1)(xii) | Rule 18a-6(b)(1)(xii) | Rule 18a-6(b)(2)(vii) | Rule 18a-6(b)(1)(xii) |
| Special entity documents | Rule 18a-6(b)(1)(xiii) | Rule 18a-6(b)(1)(xiii) | Rule 18a-6(b)(2)(viii) | Rule 18a-6(b)(1)(xiii) |
| Associated person’s employment application | Rule 18a-6(d)(1) | Rule 18a-6(d)(1) | Rule 18a-6(d)(1) | Rule 18a-6(d)(1) |
| Regulatory authority reports | Rule 18a-6(d)(2)(i) | Rule 18a-6(d)(2)(i) | Rule 18a-6(d)(2)(ii) | Rule 18a-6(d)(2)(i) |
| Compliance, supervisory, and procedures manuals | Rule 18a-6(d)(3)(i) | Rule 18a-6(d)(3)(i) | Rule 18a-6(d)(3)(ii) | Rule 18a-6(d)(3)(i) |
| Risk Mitigation | Rule 18a-6(b)(1)(i), (d)(4) and (d)(5) | Rule 18a-6(b)(1)(i), (d)(4) and (d)(5) | Rule 18a-6(b)(2)(i), (d)(4) and (d)(5) | Rule 18a-6(b)(1)(i), (d)(4) and (d)(5) |

Life of the enterprise and of any successor enterprise

| Type of record | Non-model stand-alone SBSDs | Model stand-alone SBSDs | Bank SBSDs | Stand-alone MSBSPs |
|---|---|---|---|---|
| Corporate documents | Rule 18a-6(c) | Rule 18a-6(c) | | Rule 18a-6(c) |

1 See Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, Public Law 111-203, 124 Stat.
1376 (2010).

2 See Public Law 111-203, § 764; 15 U.S.C. 78o-10.

3 See 15 U.S.C. 78o-10(f)(2).

4 See Recordkeeping and Reporting Requirements for Security-Based Swap Dealers, Major Security-Based
Swap Participants, and Broker-Dealers; Final Rules, Exchange Act Release No. 87005 (Sept. 19, 2019),
84 FR 68550 (Dec. 16, 2019).

5 See Recordkeeping and Reporting Requirements for Security-Based Swap Dealers, Major Security-Based
Swap Participants, and Broker-Dealers; Final Rules, Exchange Act Release No. 87005 (Sept. 19, 2019),
84 FR 68550 (Dec. 16, 2019).

6 In addition to the new collections of information established by the SBS Recordkeeping Release, additional
risk mitigation recordkeeping requirements for SBS Entities were adopted on December 18, 2019. See Risk
Mitigation Techniques for Uncleared Security-Based Swaps, Exchange Act Release No. 34-87782 (Dec.
18, 2019), 85 FR 6359 (Feb. 4, 2020) (“Risk Mitigation Adopting Release”). The Commission amended
Rule 18a-6(b)(1)(i), (b)(2)(i), (d)(4), and (d)(5) to account for the security-based swap risk mitigation
activities of SBS Entities, by, among other things, requiring the preserving of any required records
regarding portfolio reconciliation (Rule 15Fi-3(a) and (b)), bilateral offsets (Rule 15Fi-4(a)(1)), bilateral or
multilateral portfolio compression (Rule 15Fi-4(b) and (c)), valuation disputes (Rule 15Fi-3(c)), and
written trading relationship documentation (Rule 15Fi-5). Rule 18a–6 does not require the firm to create
these records or perform the underlying task required by the Rule. Rather, the burden to create these
records and perform the underlying task is accounted for in Rule 15Fi-3 – 15Fi-5. Accordingly, the
burdens imposed by the requirements in 18a-6 are to ensure these records related to risk mitigation are
preserved for the requisite time period and produced when requested.

In October 2022, the Commission adopted amendments to the electronic recordkeeping
requirements for SBS Entities in Rule 18a-6. 7 The October 2022 amendments to Rule 18a-6(e)
added an audit-trail alternative to the current SBS Entity recordkeeping requirements. 8 The
Commission also amended the rule to require the SBS Entity either to include a backup set of
records or have other redundancy capabilities that are designed to ensure access to records
preserved on an electronic recordkeeping system. 9 The amendments to Rule 18a-6(e) also
establish a requirement that either a designated third party or a designated executive officer of
the SBS Entity with access to records maintained and preserved on the SBS Entity’s electronic
recordkeeping system execute undertakings to furnish promptly to the Commission and other
regulators access to requested records or the requested records themselves. 10 The amendments to
Rule 18a-6(g) also require a SBS Entity to furnish a record and its audit trail (if applicable)
preserved on an electronic recordkeeping system pursuant to Rules 18a-6(e), respectively, in a
reasonably usable electronic format, if requested by a representative of the Commission. 11 The
amendments to Rule 18a-6(f) provide an alternative undertaking for certain third-party electronic
recordkeeping service providers, in particular cloud service providers. 12 The information
collection associated with these amendments was previously approved by OMB on April 13,
2023.

7 See Electronic Recordkeeping Requirements for Broker-Dealers, Security-Based Swap Dealers, and Major
Security-Based Swap Participants, Exchange Act Release No. 34-96034 (Oct. 12, 2022), 87 FR 66412
(Nov. 3, 2022) (“2022 Electronic Recordkeeping Adopting Release”).

8 See section II.D. of the 2022 Electronic Recordkeeping Adopting Release (discussing this amendment).

9 See section II.E. of the 2022 Electronic Recordkeeping Adopting Release (discussing this amendment).

Partial Revision to Collection of Information
In March 2023, the Commission proposed amendments to the recordkeeping
requirements of SBS Entities in Rule 18a-6 in connection with a proposed cybersecurity risk
management rule (“Rule 10”). 13 Rule 18a-6 would be amended to establish preservation and
maintenance requirements for the written policy and procedures, annual reports, Parts I and II of
proposed Form SCIR, and records required to be made pursuant to proposed Rule 10. The
proposed amendments would specify that the Rule 10 records must be retained for three years.
In the case of the written policies and procedures to address cybersecurity risks, the record would
need to be maintained until three years after the termination of the use of the policies and
procedures.
Specifically, proposed Rule 10 would require all SBS Entities (which are all Covered
Entities) to: (1) establish, maintain, and enforce reasonably designed policies and procedures to
address cybersecurity risks; (2) create written documentation of risk assessments; (3) create
written documentation of any cybersecurity incident, including its response to and recovery from
the incident; (4) prepare a written report each year describing its annual review of its policies and
procedures to address cybersecurity risks; (5) provide immediate written notice of a significant
cybersecurity incident; (6) report a significant cybersecurity incident on Part I of proposed Form
SCIR; and (7) provide a written disclosure about its cybersecurity risks and significant
cybersecurity incidents on Part II of proposed Form SCIR. 14 Consequently, proposed Rule 10
would require an SBS Entity to make several different types of records. The proposed
cybersecurity rule would not include requirements specifying how long these records would need
to be preserved and the manner in which they would need to be maintained. Instead, the
proposed amendments to Rule 18a-6 would specify that the Rule 10 records must be retained for
three years. In the case of the written policies and procedures to address cybersecurity risks, the
record would need to be maintained until three years after the termination of the use of the
policies and procedures.
This Supporting Statement addresses the collections of information that were proposed to
be added as a result of the proposal of Rule 10 in March 2023 regarding the recordkeeping
requirements of SBS Entities.

10 Id.

11 See section II.G. of the 2022 Electronic Recordkeeping Adopting Release (discussing this amendment).

12 See section II.G. of the 2022 Electronic Recordkeeping Adopting Release (discussing this amendment).

13 See Cybersecurity Risk Management Rule for Broker-Dealers, Clearing Agencies, Major Security-Based
Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National
Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer
Agents, Release No. 34-97142 (Mar. 15, 2023) [88 FR 20212 (Apr. 5, 2023)] (“Cybersecurity Risk
Management Rule Proposal”).

14 An information collection associated with proposed Rule 10 and Form SCIR was previously submitted to
OMB for review on April 12, 2023.

2. Purpose and Use of the Information Collection

The purpose of requiring stand-alone SBSDs, stand-alone MSBSPs, bank SBSDs, and
bank MSBSPs to maintain the records specified in Rule 18a-6 is to help ensure that examiners
and other representatives of the Commission and other applicable regulatory authorities have
access to the information and documents necessary to determine whether these entities are in
compliance with the Commission’s anti-fraud and anti-manipulation rules, financial
responsibility program, and other laws, rules, and regulations. Without Rule 18a-6, it would be
extremely difficult, if not impossible, for the Commission to determine whether stand-alone
SBSDs, stand-alone MSBSPs, bank SBSDs, and bank MSBSPs that chose not to preserve
records were in compliance with these rules. Such a situation would not be in the public interest
and would be detrimental to investors and the financial community as a whole.
3. Consideration Given to Improved Information Technology

Rule 18a-6 specifically allows SBS Entities to use electronic storage media to comply
with the recordkeeping requirements under the Exchange Act. If such records are stored
electronically, they must meet certain requirements set forth in the rule. 15 Because it sets
minimum standards for the electronic storage media employed, Rule 18a-6 does not limit stand-alone SBSDs, stand-alone MSBSPs, bank SBSDs, and bank MSBSPs to using forms of
electronic storage which may become obsolete as new technology is developed. The
Commission believes that improvements in telecommunications and data processing technology
may reduce any burdens that result from Rule 18a-6. The audit trail alternative in the rule is
designed to account for technological advances in recordkeeping technologies.
4. Duplication

Requiring SBS Entities to maintain the records specified in Rule 18a-6, as adopted, does
not duplicate requirements of any other rule. Moreover, the Commission has a substantial
interest in ensuring that stand-alone SBSDs, stand-alone MSBSPs, bank SBSDs, and bank
MSBSPs preserve the information required in Rule 18a-6, as adopted, in order to ensure
compliance with applicable Commission rules.
5. Effects on Small Entities

Currently none of the SBS Entities registered with the Commission are “small entities”,
and based on feedback from industry participants about the security-based swap market, it is
unlikely that any other entities that will register with the Commission in the future as SBSDs or
MSBSPs will be “small entities.” 16 Thus, it is unlikely that the requirements under Rule 18a–6
will affect small entities.

15 See paragraph (e)(2) of Rule 18a-6.

6. Consequences of Not Conducting Collection

Rule 18a-6 is a record preservation rule. Without Rule 18a-6, it would be extremely
difficult, if not impossible, for the Commission to determine whether a stand-alone SBSD, stand-alone MSBSP, bank SBSD, or bank MSBSP that chose not to preserve records was in
compliance with the Commission’s antifraud and anti-manipulation rules, financial responsibility
program, and other laws, rules, and regulations. Such a situation would not be in the public
interest and would be detrimental to investors and the financial community as a whole.
7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)

As summarized in section A1 of this supporting statement, certain provisions of Rule
18a-6 require respondents to retain records for more than three years. These extended retention
periods are necessary in order to provide regulators with sufficient time to conduct
comprehensive inspections and investigations. Due to budget constraints, regulators are
expected to examine SBSDs and MSBSPs and office locations only periodically. Further,
certain documents required to be retained under Rule 18a-6 do not become obsolete (e.g., certain
policies and procedures).
8. Consultations Outside the Agency

The Commission requested comment on the partial revision to the collection of
information requirements when the amendments were proposed in March 2023. 17
9. Payment or Gift

No payment or gift is provided to respondents.
10. Confidentiality

Subject to the provisions of the Freedom of Information Act, 5 U.S.C. § 552, and the
Commission’s rules thereunder (17 CFR 200.80(b)(4)(iii)), the Commission generally does not
publish or make available information contained in reports, summaries, analyses, letters, or
memoranda arising out of, in anticipation of, or in connection with an examination or inspection
of the books and records of any person or any other investigation.

16 Section 601(b) of the Regulatory Flexibility Act (“RFA”) defines the term “small entity.” The statute,
however, permits agencies to formulate their own definitions. The Commission has adopted definitions for
the term “small entity” for the purposes of Commission rulemaking in accordance with the RFA. Those
definitions, as relevant to this rulemaking, are set forth in 17 CFR 240.0-10. See Statement of Management
on Internal Accounting Control, Exchange Act Release No. 18451 (Jan. 28, 1982), 47 FR 5215 (Feb. 4,
1982).

17 See Cybersecurity Risk Management Rule Proposal.

11. Sensitive Questions

The information collection does not collect information about individuals; therefore, a PIA,
SORN, and PAS are not required.

12. Burden of Information Collection

Currently Approved Burdens
Stand-Alone SBSDs and Stand-Alone MSBSPs: Rule 18a–6 requires 27 types of records
to be preserved by stand-alone SBSDs and stand-alone MSBSPs. 18 Rule 18a–6 does not require the
firm to create these records or perform the underlying task, so the burdens imposed by these
requirements are to provide adequate physical space and computer hardware and software for
storage, preserve these records for the requisite time period, and produce them when requested. 19
The Commission estimates that the record preservation requirements applicable to stand-alone
SBSDs and stand-alone MSBSPs impose an initial burden of 364 hours and an ongoing annual
burden of 280 hours per firm (including the first year). The Commission estimates that there are 10
respondents (six stand-alone SBSDs and four stand-alone MSBSPs), resulting in an estimated
industry-wide initial burden of 3,640 hours, 20 and an industry-wide ongoing annual burden of
2,800 hours (including the first year). 21 Over a three year period, the total estimated industry
burden is 12,040 hours, 22 or 4,013 hours when annualized. 23

18 See Rule 18a–6 (paragraph (a)(1), cross-referencing paragraph (a)(1) of Rule 18a–5 (trade blotters);
paragraph (a)(1), cross-referencing paragraph (a)(2) of Rule 18a–5 (general ledgers); paragraph (a)(1),
cross-referencing paragraph (a)(3) of Rule 18a–5 (ledgers of customer and non-customer accounts);
paragraph (a)(1), cross-referencing paragraph (a)(4) of Rule 18a–5 (stock record); paragraph (a)(1),
cross-referencing paragraph (a)(5) of Rule 18a–5 (memoranda of proprietary orders); paragraph (a)(1),
cross-referencing paragraph (a)(6) of Rule 18a–5 (confirmations); paragraph (a)(1), cross-referencing paragraph
(a)(7) of Rule 18a–5 (accountholder information); paragraph (a)(1), cross-referencing paragraph (a)(8) of
Rule 18a–5 (options positions); paragraph (a)(1), cross-referencing paragraph (a)(9) of Rule 18a–5 (trial
balances and computation of net capital); paragraph (a)(1), cross-referencing paragraph (a)(12) of Rule
18a–5 (Rule 18a–3 calculations); paragraph (a)(1), cross-referencing paragraph (a)(15) of Rule 18a–5
(unverified transactions); paragraph (a)(1), cross-referencing paragraph (a)(17) of Rule 18a–5 (compliance
with business conduct standards); paragraph (b)(1)(ii) (bank records); paragraph (b)(1)(iii) (bills);
paragraph (b)(1)(iv) (communications); paragraph (b)(1)(v) (trial balances); paragraph (b)(1)(vi) (account
documents); paragraph (b)(1)(vii) (written agreements); paragraph (b)(1)(viii) (information supporting
financial reports); paragraph (b)(1)(ix) (Rule 15c3–4 risk management records); paragraph (b)(1)(xi)
(Regulation SBSR information); paragraph (b)(1)(xii) (records relating to business conduct standards);
paragraph (b)(1)(xiii) (special entity documents); paragraph (c) (corporate documents); paragraph (d)(1)
(associated person’s employment application); paragraph (d)(2)(i) (regulatory authority reports); and
paragraph (d)(3)(i) (compliance, supervisory, and procedures manuals)).

19 Entities that would register as stand-alone SBSDs and stand-alone MSBSPs likely make and keep some
records today as a matter of routine business practice, but which records such entities make is not available
to the Commission. Therefore, the PRA burden estimate for these entities is based on the assumption that
they currently keep no records.

20 364 hours x 10 stand-alone SBSDs and stand-alone MSBSPs = 3,640 hours.

Stand-Alone SBSDs: Rule 18a–6 requires three types of records to be preserved by
stand-alone SBSDs. 24 Because the burden to create these records is accounted for in the PRA
estimate for Rule 18a–5, the burdens imposed by these requirements are to ensure there is
adequate physical space and computer hardware and software for storage, ensure these records
are preserved for the requisite time period, and produce them when requested. The Commission
estimates that the relevant portions of paragraph (b)(1)(i) of Rule 18a–6 impose an initial burden
of 44 hours per firm, and an ongoing annual burden of 30 hours per firm (including the first
year). The Commission estimates that there are six stand-alone SBSDs, resulting in an industry-wide
initial burden of 264 hours 25 and an industry-wide ongoing annual burden of 180 hours
(including the first year). 26 Over a three year period, the total estimated industry burden is 804
hours, 27 or 268 hours when annualized. 28
Model Stand-Alone SBSDs: Rule 18a–6 requires records relating to credit risk
determinations to be preserved by stand-alone SBSDs authorized to use models. 29 Because the
burden of actually performing the underlying task and creating the written record is already
accounted for in the PRA estimate for Rule 18a–1, the burden is the requirement to preserve
these records for at least three years. The Commission estimates that paragraph (b)(1)(x)
imposes an initial burden of 18 hours and an ongoing annual burden of 10 hours per stand-alone
SBSD authorized to use models (including the first year). The Commission estimates that there
are four stand-alone SBSDs authorized to use models, resulting in an industry-wide initial burden
of 72 hours 30 and an industry-wide ongoing annual burden of 40 hours (including the first
year). 31 Over a three year period, the total estimated industry burden is 192 hours, 32 or 64
hours when annualized. 33

21 280 hours x 10 stand-alone SBSDs and stand-alone MSBSPs = 2,800 hours.

22 (3,640 hours + 2,800 hours) + 2,800 hours + 2,800 hours = 12,040 hours.

23 12,040 hours / 3 years = 4,013.33 hours per year.

24 See paragraph (b)(1)(i) of Rule 18a–6 (cross-referencing paragraph (a)(13) of Rule 18a-5 (compliance with
Rule 18a–4 possession or control requirements); paragraph (a)(14) of Rule 18a–5 (Rule 18a–4 reserve
account computations); and paragraph (a)(16) of Rule 18a–5 (political contributions)).

25 44 hours x 6 stand-alone SBSDs = 264 hours.

26 30 hours x 6 stand-alone SBSDs = 180 hours.

27 (264 hours + 180 hours) + 180 hours + 180 hours = 804 hours.

28 804 hours / 3 years = 268 hours per year.

29 See Rule 18a–6 (paragraph (b)(1)(x) (credit risk determinations)).

30 18 hours x 4 stand-alone SBSDs authorized to use models = 72 hours.

31 10 hours x 4 stand-alone SBSDs authorized to use models = 40 hours.

32 (72 hours + 40 hours) + 40 hours + 40 hours = 192 hours.

33 192 hours / 3 years = 64 hours per year.

Bank SBSDs and Bank MSBSPs: Rule 18a–6 requires 18 types of records to be
preserved by bank SBSDs and bank MSBSPs, all of which are limited to the firm’s business as
an SBSD or MSBSP. 34 Rule 18a–6 does not require the firm to create these records or perform
the underlying task, so the burdens imposed by these requirements are to ensure there is adequate
physical space and computer hardware and software for storage, ensure these records are
preserved for the requisite time period, and produce them when requested. Therefore, after
consideration of the similar burdens imposed by Rule 17a–4, as amended, the Commission
estimates that Rule 18a–6 imposes on bank SBSDs and bank MSBSPs an initial burden of 247
hours per firm and an ongoing burden of 190 hours per firm (including the first year). The
Commission estimates that there are 25 respondents (25 bank SBSDs and no bank MSBSPs),
resulting in an estimated industry-wide initial burden of 6,175 hours 35 and an industry-wide
ongoing annual burden of 4,750 hours (including the first year). 36 Over a three year period, the
total estimated industry burden is 20,425 hours, 37 or 6,808 hours when annualized. 38
Bank SBSDs: Rule 18a–6 requires four types of records to be preserved by bank
SBSDs, all of which are limited to the firm’s business as an SBSD. 39 Because the burden to
perform the underlying task or create these records is accounted for in the PRA estimates for
Rule 18a–4 and Rule 18a–5, the burdens imposed by these new requirements are to ensure there
is adequate physical space and computer hardware and software for storage, ensure these records
are preserved for the requisite time period, and produce them when requested. The Commission
estimates that paragraphs (b)(2)(i) and (b)(2)(v) of Rule 18a–6 impose an initial burden of 57
hours per firm and an ongoing annual burden of 40 hours per firm. The Commission estimates
that there are 25 bank SBSDs, resulting in an industry-wide initial burden of 1,425 hours 40 and
an industry-wide ongoing annual burden of 1,000 hours. 41 Over a three year period, the total
estimated industry burden is 4,425 hours, 42 or 1,475 hours when annualized. 43

34 See Rule 18a–6 (paragraph (a)(2), cross-referencing paragraph (b)(1) of Rule 18a–5 (trade blotters);
paragraph (a)(2), cross-referencing paragraph (b)(2) of Rule 18a–5 (ledgers of security-based swap
customers and non-customers); paragraph (a)(2), cross-referencing paragraph (b)(3) of Rule 18a–5 (stock
records); paragraph (b)(2)(i), cross-referencing paragraph (b)(4) of Rule 18a–5 (memoranda of brokerage
orders); paragraph (b)(2)(i), cross-referencing paragraph (b)(5) of Rule 18a–5 (memoranda of proprietary
orders); paragraph (b)(2)(i), cross-referencing paragraph (b)(6) of Rule 18a–5 (confirmations); paragraph
(b)(2)(i), cross-referencing paragraph (b)(7) of Rule 18a–5 (accountholder information); paragraph
(b)(2)(i), cross-referencing paragraph (b)(11) of Rule 18a–5 (unverified transactions); paragraph (b)(2)(i),
cross-referencing paragraph (b)(13) of Rule 18a–5 (compliance with business conduct requirements);
paragraph (b)(2)(ii) (communications); paragraph (b)(2)(iii) (account documents); paragraph (b)(2)(iv)
(written agreements); paragraph (b)(2)(vi) (Regulation SBSR information); paragraph (b)(2)(vii) (records
relating to business conduct standards); paragraph (b)(2)(viii) (special entity documents); paragraph (d)(1)
(associated person’s employment application); paragraph (d)(2)(ii) (regulatory authority reports); paragraph
(d)(3)(ii) (compliance, supervisory, and procedures manuals)).

35 247 hours x 25 bank SBSDs = 6,175 hours.

36 190 hours x 25 bank SBSDs = 4,750 hours.

37 (6,175 hours + 4,750 hours) + 4,750 hours + 4,750 hours = 20,425 hours.

38 20,425 hours / 3 years = 6,808.33 hours per year.

39 See Rule 18a–6 (paragraph (b)(2)(i), cross-referencing paragraph (b)(9) (compliance with Rule 18a–4
possession or control requirements) of Rule 18a–5; paragraph (b)(2)(i), cross-referencing paragraph (b)(10)
(Rule 18a–4 reserve account computations) of Rule 18a–5; paragraph (b)(2)(i), cross-referencing paragraph
(b)(12) (political contributions) of Rule 18a–5; and paragraph (b)(2)(v) (Rule 18a–4 reserve account
computations)).

Third-Party Custodians: Paragraph (f) of Rule 18a–6 requires third-party custodians
for non-broker-dealer SBSDs and non-broker-dealer MSBSPs to file with the Commission a
written undertaking and surrender the SBSD or MSBSP’s records upon the Commission’s
request. 44 The obligation to provide documents upon the Commission’s request does not impose
a new burden, since this requirement merely changes the respondent’s identity rather than adding
to the quantity of burdens. Thus, the burden is the requirement to prepare and file a written
undertaking. The Commission estimates that 50% of the 35 non-broker-dealer SBSDs and non-broker-dealer MSBSPs retain a third-party custodian, resulting in 19 written undertakings. The
Commission estimates paragraph (f) of Rule 18a–6 imposes an ongoing annual burden of two
hours per written undertaking, resulting in an industry-wide ongoing burden of 35 hours per
year. 45
Risk Mitigation Activities: The Commission amended Rule 18a-6(b)(1)(i), (b)(2)(i),
(d)(4), and (d)(5) to account for the security-based swap risk mitigation activities of SBS
Entities, by, among other things, requiring the preserving of any required records regarding
portfolio reconciliation (Rule 15Fi-3(a) and (b)), bilateral offsets (Rule 15Fi-4(a)(1)), bilateral or
multilateral portfolio compression (Rule 15Fi-4(b) and (c)), valuation disputes (Rule 15Fi-3(c)),
and written trading relationship documentation (Rule 15Fi-5). Rule 18a–6 does not require the
firm to create these records or perform the underlying task required by the Rule. Rather, the
burden to create these records and perform the underlying task is accounted for in Rule 15Fi-3 –
15Fi-5. 46 Accordingly, the burdens imposed by the requirements in 18a-6 are to ensure these
records related to risk mitigation are preserved for the requisite time period and produced when
requested. The Commission estimates that these recordkeeping requirements will impose an
initial burden of 60 hours per firm for updating the applicable policies and systems required to
account for capturing the additional records made pursuant to Rule 15Fi–3 through 15Fi–5, and
an ongoing annual burden of 75 hours per firm for maintaining such records as well as to make
additional updates to the applicable recordkeeping policies and systems to account for the new
rules. The Commission estimates that there are 38 SBS Entity respondents, for a total average
initial annual burden for all respondents of 2,280 hours 47 and a total ongoing average
annual burden of 2,850 hours. 48
40

57 hours x 25 bank SBSDs = 1,425 hours.

41

40 hours x 25 bank SBSDs = 1,000 hours.

42

(1,425 hours + 1,000 hours) + 1,000 hours + 1,000 hours = 4,425 hours.

43

4,425 hours / 3 years = 1,475 hours per year.

44

See paragraph (f) of Rule 18a–6, as adopted.

45

2 hours × 17.5 written undertakings = 35 hours per year.

46

See Risk Mitigation Adopting Release, 85 FR at 6389.

47

One-time initial reporting burden for 38 SBS Entities (60 hours x 38 SBS Entities) = 2,280 hours.

48

75 hours x 38 SBS Entities = 2,850 hours.

October 2022 Amendments: The October 2022 amendments to Rule 18a-6(e) added an
audit-trail alternative to the current SBS Entity recordkeeping requirements. 49 The Commission
also amended the rule to require the SBS Entity either to include a backup set of records or have
other redundancy capabilities that are designed to ensure access to records preserved on an
electronic recordkeeping system. 50 The amendments to Rule 18a-6(e) also establish a
requirement that either a designated third party or a designated executive officer of the SBS
Entity with access to records maintained and preserved on the SBS Entity’s electronic
recordkeeping system execute undertakings to furnish promptly to the Commission and other
regulators access to requested records or the requested records themselves. 51 The amendments to
Rule 18a-6(g) also require an SBS Entity to furnish a record and its audit trail (if applicable)
preserved on an electronic recordkeeping system pursuant to Rule 18a-6(e) in a
reasonably usable electronic format, if requested by a representative of the Commission. 52 The
amendments to Rule 18a-6(f) provide an alternative undertaking for certain third-party electronic
recordkeeping service providers, in particular cloud service providers. 53
The Commission estimates that the establishment of a designated third party or
designated executive officer undertakings requirement for the 19 SBS Entities subject to the rule
will result in an annual burden of one hour per firm, for a total of 19 hours under Rule 18a-6(e). 54 In addition, the Commission estimates that the alternative electronic recordkeeper
undertaking will result in a one-time initial burden of 1 hour per affected SBS Entity, for a total
of 10 hours. 55 Finally, the Commission estimates that the need for the five cloud service
providers to review and execute the Alternative Undertaking will result in a one-time initial
burden of 1 hour per provider, for a total of 5 hours. 56
Total Industry Hour Burden: The total annualized burden is estimated to be
16,272.67 hours.

49

See section II.D. of the 2022 Electronic Recordkeeping Adopting Release (discussing this amendment).

50

See section II.E. of the 2022 Electronic Recordkeeping Adopting Release (discussing this amendment).

51

Id.

52

See section II.G. of the 2022 Electronic Recordkeeping Adopting Release (discussing this amendment).

53

See section II.G. of the 2022 Electronic Recordkeeping Adopting Release (discussing this amendment).

54

One-time initial reporting burden for 19 SBS Entities (1 hour x 19 SBS Entities) = 19 hours.

55

One-time initial recordkeeping burden for 10 SBS Entities (1 hour x 10 SBS Entities) = 10 hours.

56

One-time initial reporting burden for five cloud service providers: (1 hour x five cloud service providers) =
5 hours.

Summary of Hourly Burdens

| Name of Information Collection | Type of Burden | A. Number of Entities Impacted | B. Annual Responses per Entity | C. Initial Burden per Entity per Response | D. Initial Burden Annualized per Entity per Response [C ÷ 3 years] | E. Ongoing Burden per Entity per Response | F. Annual Burden Per Entity per Response [D + E] | G. Total Annual Burden Per Entity [F * B] | Total Industry Burden [G * A] | Small Business Entities Affected [A * 0 %] |
|---|---|---|---|---|---|---|---|---|---|---|
| Stand-alone SBSDs and stand-alone MSBSPs: Paragraphs (a)(1), (b)(1)(ii) (b)(1)(ix), (b)(1)(xi) (b)(1)(xiii), (c), (d)(1), (d)(2)(i), and (d)(3)(i) | Recordkeeping | 10 | 1 | 364.00 | 121.33 | 280.00 | 401.33 | 401.33 | 4,013.33 | 0.00 |
| Stand-alone SBSDs: Paragraphs (b)(1)(i), (a)(14), and (a)(16) | Recordkeeping | 6 | 1 | 44.00 | 14.67 | 30.00 | 44.67 | 44.67 | 268 | 0.00 |
| Model stand-alone SBSDs: Paragraph (b)(1)(x) | Recordkeeping | 4 | 1 | 18.00 | 6.00 | 10.00 | 16.00 | 16.00 | 64.00 | 0.00 |
| Bank SBSDs and bank MSBSPs: Paragraphs (a)(2), (b)(2)(i) (b)(2)(iv), (b(2)(vi)(viii), (d)(1), (d)(2)(ii), (d)(3)(ii) | Recordkeeping | 25 | 1 | 247.00 | 82.33 | 190.00 | 272.33 | 272.33 | 6,808.33 | 0.00 |
| Bank SBSDs: Paragraph (b)(2)(i) and (b)(2)(v) | Recordkeeping | 25 | 1 | 57.00 | 19.00 | 40.00 | 59.00 | 59.00 | 1,475.00 | 0.00 |
| Third-Party Custodians | Recordkeeping | 17 | 1 | 0.00 | 0.00 | 2.00 | 2.00 | 2.00 | 35.00 57 | 0.00 |
| Rule 18a-6(b)(1)(i), (b)(2)(i), (d)(4) and (d)(5) SBS Entities (Risk Mitigation Activities) | Recordkeeping | 38 | 1 | 60 | 20 | 75 | 95 | 95 | 3,610 | 0.00 |
| Rule 18a-6(e) – Third Party or Designated Executive Officer Undertaking amendment | Recordkeeping | 19 | 1 | 0 | 0 | 1 | 1 | 1 | 19 | 0.00 |
| Alternative undertaking – SBS Entities | Recordkeeping | 10 | 1 | 1 | 1 | 1 | 1 | 1 | 10 | 0.00 |
| Alternative undertaking – Cloud Service Providers | Reporting | 5 | 1 | 1 | 1 | 1 | 1 | 1 | 5 | 0.00 |

TOTAL HOURLY BURDEN FOR ALL RESPONDENTS: 16,272.67

PARTIAL REVISIONS: New Burdens Associated with the Cybersecurity Risk
Management Rule Proposal
In March 2023, the Commission proposed amendments to the recordkeeping
requirements of SBS Entities in Rule 18a-6 in connection with proposed Rule 10. Specifically,
Rule 18a-6 would be amended to establish preservation and maintenance requirements for the
written policy and procedures, annual reports, Parts I and II of proposed Form SCIR, and records
required to be made pursuant to proposed Rule 10. The proposed amendments would specify
that the Rule 10 records must be retained for three years. In the case of the written policies and
procedures to address cybersecurity risks, the record would need to be maintained until three
years after the termination of the use of the policies and procedures.

57

This number is 36 hours in ROCIS because the calculation for the number of estimated respondents (50
percent of non-broker-dealer SBSDs and MBSDs) resulted in a fractional number and ROCIS will only
accept a whole number of respondents.

As of January 2023, there were 50 SBS Entities registered with the Commission. 58 The
Commission has made certain estimates of the burdens associated with the proposed record
preservation requirements. The table below summarizes the initial and ongoing annual burden
associated with the additional recordkeeping requirements.
Summary of Hourly Burdens

| Name of Information Collection | Type of Burden | A. Number of Entities Impacted | B. Annual Responses per Entity | C. Initial Burden per Entity per Response | D. Initial Burden Annualized per Entity per Response [C ÷ 3 years] | E. Ongoing Burden per Entity per Response | F. Annual Burden Per Entity per Response [D + E] | G. Total Annual Burden Per Entity [F * B] | Total Industry Burden [G * A] | Small Business Entities Affected [A * 0 %] |
|---|---|---|---|---|---|---|---|---|---|---|
| SBS Entities Retention of cybersecurity policies and procedures | Recordkeeping | 50 | 1 | 0 | 0 | 1 | 1 | 1 | 50 | 0.00 |
| SBS Entities – Retention of written report documenting annual review | Recordkeeping | 50 | 1 | 0 | 0 | 1 | 1 | 1 | 50 | 0.00 |
| SBS Entities – Retention of copy of any Form SCIR or immediate notice to the Commission | Recordkeeping | 50 | 1 | 0 | 0 | 1 | 1 | 1 | 50 | 0.00 |
| SBS Entities – Retention of records documenting a cybersecurity incident | Recordkeeping | 50 | 1 | 0 | 0 | 1 | 1 | 1 | 50 | 0.00 |
| SBS Entities – Retention of records documenting a Covered Entity’s cybersecurity risk assessment | Recordkeeping | 50 | 1 | 0 | 0 | 1 | 1 | 1 | 50 | 0.00 |
| SBS Entities – Retention of copy of any public disclosures | Recordkeeping | 50 | 1 | 0 | 0 | 1 | 1 | 1 | 50 | 0.00 |

TOTAL HOURLY BURDEN FOR ALL RESPONDENTS: 300

58

See List of Registered Security-Based Swap Dealers and Major Security-Based Swap Participants,
available at: https://www.sec.gov/tm/List-of-SBS-Dealers-and-Major-SBS-Participants.

13. Costs to Respondents

The following chart summarizes the costs that are currently approved for this collection.
A description of each cost follows the chart:
Summary of Dollar Costs

| Name of Information Collection | Type of Burden | A. Number of Entities Impacted | B. Annual Responses per Entity | C. Initial Cost per Entity per Response | D. Initial Cost Annualized per Entity per Response [C ÷ 3 years] | E. Ongoing Cost per Entity per Response | F. Annual Cost Per Entity per Response [D + E] | G. Total Annual Cost Per Entity [F * B] | Total Industry Cost [G * A] | Small Business Entities Affected [A * 0 %] |
|---|---|---|---|---|---|---|---|---|---|---|
| Stand-alone SBSDs and stand-alone MSBSPs: Paragraphs (a)(1), (b)(1)(ii) (b)(1)(ix), (b)(1)(xi) (b)(1)(xiii), (c), (d)(1), (d)(2)(i), and (d)(3)(i) | Recordkeeping | 10 | 1 | $0.00 | $0.00 | $5,720.00 | $5,720.00 | $5,720.00 | $57,200.00 | 0.00 |
| Stand-alone SBSDs: Paragraphs (b)(1)(i), (a)(14), and (a)(16) | Recordkeeping | 6 | 1 | $0.00 | $0.00 | $360.00 | $360.00 | $360.00 | $2,160.00 | 0.00 |
| Model stand-alone SBSDs: Paragraph (b)(1)(x) | Recordkeeping | 4 | 1 | $0.00 | $0.00 | $120.00 | $120.00 | $120.00 | $480.00 | 0.00 |
| Bank SBSDs and bank MSBSPs: Paragraphs (a)(2), (b)(2)(i) (b)(2)(iv), (b(2)(vi)(viii), (d)(1), (d)(2)(ii), (d)(3)(ii) | Recordkeeping | 25 | 1 | $0.00 | $0.00 | $4,520.00 | $4,520.00 | $4,520.00 | $113,000.00 | 0.00 |
| Bank SBSDs: Paragraph (b)(2)(i) and (b)(2)(v) | Recordkeeping | 25 | 1 | $0.00 | $0.00 | $480.00 | $480.00 | $480.00 | $12,000.00 | 0.00 |
| Rule 18a-6(e) – Audit trail alternative to WORM for SBS Entities | Recordkeeping | 2 | 1 | $1,000,000 | $333,333 | $120,000 | $453,333 | $453,333 | $906,666 | 0.00 |
| Rule 18a-6(e) – Backup Recordkeeping Systems for SBSDs | Recordkeeping | 2 | 1 | $250,000 | $83,333 | $30,000 | $113,333 | $113,333 | $226,666 | 0.00 |
| Rule 18a-6(e) – Third party or Designated Executive Officer Undertaking | Recordkeeping | 19 | 1 | $497 | $165.67 | $497 | $662.67 | $662.67 | $12,590.73 | 0.00 |
| Alternative undertaking – SBS Entities | Recordkeeping | 10 | 1 | $497 | $165.67 | $0 | $165.67 | $165.67 | $1,656.70 | 0.00 |
| Alternative undertaking – Cloud Service Providers | Reporting | 5 | 1 | $497 | $165.67 | $0 | $165.67 | $165.67 | $828.35 | 0.00 |

TOTAL HOURLY COST FOR ALL RESPONDENTS: $1,333,247.78

Stand-Alone SBSDs and Stand-Alone MSBSPs: The Commission estimates that Rule
18a-6 imposes an ongoing annual cost of approximately $5,720 per stand-alone SBSD or stand-alone
MSBSP. The Commission estimates that there are 10 respondents (nine stand-alone
SBSDs and four stand-alone MSBSPs), resulting in an estimated industry-wide ongoing
annual cost of $57,200 per year. 59
Stand-Alone SBSDs: The Commission estimates that Rule 18a-6 imposes an ongoing
annual cost of approximately $360 per stand-alone SBSD. The Commission estimates that there
are six respondents, resulting in an estimated industry-wide ongoing annual cost of $2,160 per
year. 60
Model Stand-Alone SBSDs: The Commission estimates that Rule 18a-6 imposes an
ongoing annual cost of approximately $120 per stand-alone SBSD authorized to use models.
The Commission estimates that there are four respondents, resulting in an estimated industry-wide ongoing annual cost of $480 per year. 61
Bank SBSDs and Bank MSBSPs: The Commission estimates that Rule 18a-6 imposes
an ongoing annual cost of approximately $4,520 per bank SBSD or bank MSBSP. The
Commission estimates that there are 25 respondents (25 bank SBSDs and no bank MSBSPs),
resulting in an estimated industry-wide ongoing annual cost of $113,000 per year. 62
Bank SBSDs: The Commission estimates that Rule 18a-6 imposes an ongoing annual
cost of approximately $480 per bank SBSD. The Commission estimates that there are 25
respondents, resulting in an estimated industry-wide ongoing annual cost of $12,000 per
year. 63
October 2022 Amendments: The October 2022 amendments to Rule 18a-6(e) added an
audit-trail alternative to the existing SBS Entity recordkeeping requirements. 64 The Commission
amended this paragraph to require an SBS Entity either to include a backup set of records or
have other redundancy capabilities that are designed to ensure access to records preserved on an
electronic recordkeeping system. 65 The amendments to Rule 18a-6(e) also establish a
requirement that either a designated third party or a designated executive officer of the SBS
Entity with access to records maintained and preserved on the SBS Entity’s electronic
recordkeeping system execute undertakings to furnish promptly to the Commission and other
regulators access to requested records or the requested records themselves. 66 The amendments to
Rule 18a-6(g) also require an SBS Entity to furnish a record and its audit trail (if applicable)
preserved on an electronic recordkeeping system pursuant to Rule 18a-6(e) in a
reasonably usable electronic format, if requested by a representative of the Commission. 67 The
amendments to Rule 18a-6(f) provide an alternative undertaking for certain third-party electronic
recordkeeping service providers, in particular cloud service providers. 68

59

$5,720 per firm x 13 stand-alone SBSDs and stand-alone MSBSPs = $74,360 per year.

60

$360 per firm x 6 stand-alone SBSDs = $2,160 per year.

61

$120 per firm x 4 stand-alone SBSDs authorized to use models = $480 per year.

62

$4,520 per firm x 25 bank SBSDs and bank MSBSPs = $113,000 per year.

63

$480 per firm x 25 bank SBSDs = $12,000 per year.

64

See section II.D. of the 2022 Electronic Recordkeeping Adopting Release (discussing this amendment).

65

See section II.E. of the 2022 Electronic Recordkeeping Adopting Release (discussing this amendment).

66

Id.

Based upon information provided to the Commission by the securities industry, the
Commission estimates that the initial cost to build and implement a WORM-compliant electronic
recordkeeping system for an SBS Entity is $10 million, with an additional cost of $1.2 million
annually to maintain the system. 69 Based on feedback from the securities industry, the
Commission believes that the initial cost to build and implement an electronic recordkeeping
system that meets the audit-trail requirements and the ongoing cost to maintain the system will
be substantially lower than the analogous costs that are incurred with respect to a WORM-compliant system. 70 Consequently, the Commission estimates that the initial cost to build and
implement an electronic recordkeeping system that meets the audit-trail requirement for an SBS
Entity is $1,000,000 ($333,333 of annualized initial cost), with an additional cost of $120,000
annually to maintain the system. There are 2 SBS Entities registered with the Commission that
will be subject to paragraph (e)(2) of Rule 18a-6. The Commission does not believe either of
these firms will elect to build a WORM-compliant electronic recordkeeping system. Moreover,
the Commission estimates that both of these firms have electronic recordkeeping systems that
can meet the audit-trail requirement or that can be configured to meet that requirement without
the need to build a new system. The Commission does not believe that either of these firms will
elect to build a new electronic recordkeeping system to meet the audit-trail requirement.
The Commission believes the initial and ongoing costs to meet the requirement that an
SBS Entity electing to use an electronic recordkeeping system either: (1) include a backup
electronic recordkeeping system that meets the other requirements for electronic recordkeeping
systems and that retains the records required to be maintained and preserved pursuant to Rules
18a-5 and 18a-6 in accordance with the relevant rules in a manner that will serve as a redundant
set of records if the original electronic recordkeeping system is temporarily or permanently
inaccessible; or (2) have other redundancy capabilities that are designed to ensure access to the
records required to be maintained and preserved pursuant to Rules 18a-5 and 18a-6 will be
substantially less than the costs of the primary electronic recordkeeping systems because of the
benefit of economies of scale for the backup system whereby common technology and personnel
could be used for both systems. The Commission estimates that the costs for the 2 SBS Entities
that are subject to paragraph (e)(2) of Rule 18a-6 will be $250,000 in initial costs ($83,333 of
annualized initial cost) and $30,000 in annual burdens and costs. Further, the Commission
expects that the SBS Entities that have electronic recordkeeping systems that could meet the
audit-trail requirement or that could be configured to meet that requirement without the need to
build a new system also maintain backup recordkeeping systems for business continuity
purposes. Therefore, the initial and annual costs will be incurred by the 2 firms that elect to
build a new electronic recordkeeping system that meets the audit-trail requirement.
Consequently, the Commission estimates that the industry-wide costs and burdens for these firms
will be $500,000 in initial costs ($166,667 of annualized initial cost) and $60,000 in annual
costs.

67

See section II.G. of the 2022 Electronic Recordkeeping Adopting Release (discussing this amendment).

68

See section II.G. of the 2022 Electronic Recordkeeping Adopting Release (discussing this amendment).

69

See Petition 4-713 (Nov. 14, 2017) filed by the Securities Industry Financial Markets Association,
Financial Services Roundtable, Futures Industry Association, International Swaps Derivatives Association,
and Financial Services Institute available at https://www.sec.gov/rules/petitions/2017/petn4-713.pdf (“Rule
17a-4(f) Rulemaking Petition”) at 4-5.

70

See, e.g., Rule 17a-4(f) Rulemaking Petition at 6-7.

The amendments to Rule 18a-6 add a requirement that either a Designated Third Party or
a Designated Executive Officer complete the access and undertakings requirements in a manner
analogous to the requirements of Rule 17a-4(f), as amended. The Commission estimates that the
addition of a senior officer or third-party undertakings requirement for SBS Entities will result in
a one-time initial cost of $9,443 for SBS Entities under Rule 18a-6(e). 71 The Commission also
believes that the Designated Third Party or Designated Executive Officer undertakings
requirement will add an annual cost of $9,443 for SBS Entities, collectively. 72
The Commission estimates that the alternative electronic recordkeeping undertaking will
result in a one-time initial cost to affected SBS Entities of $4,970. 73 Finally, the Commission
estimates that the need for the five cloud service providers to review and execute the Alternative
Undertaking will result in a one-time initial cost of $2,485. 74
Total Industry Costs Burden: Therefore, the total currently-approved annual
recordkeeping cost of Rule 18a-6 is estimated to be $1,333,247.78 per year.
PARTIAL REVISIONS: New Costs Associated with the Cybersecurity Risk Management
Rule Proposal
The Commission does not anticipate any additional external costs associated with the
amendments to 18a-6 pursuant to the Cybersecurity Risk Management Proposal. All costs to
comply with the proposed record retention requirements are estimated to be in-house at the SBS
Entity.
14. Cost to Federal Government

The federal government does not incur a cost for this collection of information since it
relates to a recordkeeping burden for the respondents.
15. Changes in Burden

All changes in hourly burdens are as a result of the amendments to Rule 18a-6 that were
proposed in the Cybersecurity Risk Management Rule Proposal.

71

19 hours x $497 per hour (at the controller hourly rate) = $9,443.

72

19 hours x $497 per hour (at the controller hourly rate) = $9,443.

73

One-time initial recordkeeping cost for 10 SBS Entities (1 hour x 10 SBS Entities) x $497 per hour (at the
controller hourly rate) = $4,970.

74

One-time initial reporting cost for five cloud service providers: (2 hours x five cloud service providers) x
$497 per hour (at the controller hourly rate) = $2,485.

Summary of Change in Hourly Burden (Annual)

| Name of Information Collection | Previously Reviewed Burden | New Estimated Burden (Industry Wide) | Change in Burden | Reason for the Change |
|---|---|---|---|---|
| SBS Entities Retention of cybersecurity policies and procedures | 0 | 50 | 50 | Creation of this new requirement (proposed under the Cybersecurity Risk Management Rule Proposal) |
| SBS Entities – Retention of written report documenting annual review | 0 | 50 | 50 | Creation of this new requirement (proposed under the Cybersecurity Risk Management Rule Proposal) |
| SBS Entities – Retention of copy of any Form SCIR or immediate notice to the Commission | 0 | 50 | 50 | Creation of this new requirement (proposed under the Cybersecurity Risk Management Rule Proposal) |
| SBS Entities – Retention of records documenting a cybersecurity incident | 0 | 50 | 50 | Creation of this new requirement (proposed under the Cybersecurity Risk Management Rule Proposal) |
| SBS Entities – Retention of records documenting a Covered Entity’s cybersecurity risk assessment | 0 | 50 | 50 | Creation of this new requirement (proposed under the Cybersecurity Risk Management Rule Proposal) |
| SBS Entities – Retention of copy of any public disclosures | 0 | 50 | 50 | Creation of this new requirement (proposed under the Cybersecurity Risk Management Rule Proposal) |

TOTAL CHANGE IN BURDEN: 300

As noted above, the Commission does not anticipate any change in the cost burdens for
18a-6 as a result of the amendments pursuant to the Cybersecurity Risk Management Rule
Proposal.
16. Information Collection Planned for Statistical Purposes

Not applicable. The information collection is not used for statistical purposes.
17. OMB Expiration Date Display Approval

The Commission is not seeking approval to not display the OMB approval expiration date.

18. Exceptions to Certification for Paperwork Reduction Act Submissions

This collection complies with the requirements in 5 CFR 1320.9.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS

This collection does not involve statistical methods.


File Type: application/pdf
File Title: Amendments to the Books and Records Rules
File Modified: 2023-06-22
File Created: 2023-06-22