AGENCY:
Securities and Exchange Commission.
ACTION:
Final rule.
SUMMARY:
The Securities and Exchange Commission (“Commission”) is adopting amendments to the rule under Regulation S-P requiring financial institutions to adopt policies and procedures to safeguard customer information. The amended rule implements the provision in section 216 of the Fair and Accurate Credit Transactions Act of 2003 requiring proper disposal of consumer report information and records. Section 216 directs the Commission and other federal agencies to adopt regulations requiring that any person who maintains or possesses consumer report information or any compilation of consumer report information derived from a consumer report for a business purpose must properly dispose of the information. The amendments also require the policies and procedures adopted under the safeguard rule to be in writing.
DATES:
Effective Date: January 11, 2005.
Compliance Date: July 1, 2005. Existing contracts with service providers for services involving the disposal or destruction of consumer report information must comply with § 248.30(b) by July 1, 2006.
FOR FURTHER INFORMATION CONTACT:
For information regarding the rule amendments as they relate to investment companies or to investment advisers registered with the Commission, contact Penelope W. Saltzman, Branch Chief, or Vincent M. Meehan, Attorney, Office of Regulatory Policy, at the Division of Investment Management, (202) 942-0690; as they relate to brokers or dealers, contact Catherine McGuire, Chief Counsel, Brian Bussey, Assistant Chief Counsel, or Tara Prigge, Attorney, Office of Chief Counsel, at the Division of Market Regulation, (202) 942-0073; or as they relate to transfer agents registered with the Commission, contact Jerry Carpenter, Assistant Director, or David Karasik, Special Counsel, Office of Clearance and Settlement, at the Division of Market Regulation, (202) 942-4187, Securities and Exchange Commission, 450 Fifth Street, NW., Washington, DC 20549.
SUPPLEMENTARY INFORMATION:
The Commission is adopting amendments to Regulation S-P under section 501(b) of the Gramm-Leach-Bliley Act (“GLBA”) [15 U.S.C. 6801(b)], section 216 of the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act” or “Act”) [Pub. L. 108-159, 117 Stat. 152 (2003)], the Securities Exchange Act of 1934 (the “Exchange Act”) [15 U.S.C. 78], the Investment Company Act of 1940 (the “Investment Company Act”) [15 U.S.C. 80a], and the Investment Advisers Act of 1940 (the “Investment Advisers Act”) [15 U.S.C. 80b].
Table of Contents
I. Background
II. Discussion
A. Rule 30(b): Disposal of consumer report information and records.
B. Rule 30(a): Procedures to safeguard customer records and information.
C. Effective Date; Compliance Date.
III. Cost-Benefit Analysis
IV. Paperwork Reduction Act
V. Final Regulatory Flexibility Analysis
VI. Consideration of Promotion of Efficiency, Competition, and Capital Formation
VII. Statutory Authority
I. Background
Section 216 of the FACT Act amended the Fair Credit Reporting Act (“FCRA”), by imposing a new requirement on persons who possess or maintain, for a business purpose, consumer information derived from consumer reports. The provision is designed, in general, to protect a consumer against the risks associated with unauthorized access to information about the consumer contained in a consumer report, such as fraud and related crimes, including identity theft. The FACT Act requires that “any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose[,] properly dispose of any such information or compilation.”
15 U.S.C. 1681. The FACT Act was signed into law on December 4, 2003. Pub. L. No. 108-159, 117 Stat. 1952 (2003). Section 216 of the FACT Act adds a new section 628 of the FCRA, which is codified at 15 U.S.C. 1681w.
FACT Act § 216 (codified at 15 U.S.C. 1681w(a)(1)).
The FACT Act requires the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision (collectively, the “Banking Agencies”), the National Credit Union Administration, the Federal Trade Commission (“FTC”) (collectively with the Banking Agencies, the “Agencies”), and the Commission to consult and coordinate with each other in order that, to the extent possible, regulations implementing section 216 are consistent and comparable. This provision also requires that the regulations must be consistent with the GLBA and other provisions of Federal law. Commission staff has coordinated with the Agencies to ensure that the regulations implementing section 216 are consistent and comparable with each other and with the GLBA.
The FTC has adopted a separate rule to implement section 216 of the Act. See Disposal of Consumer Report Information and Records, 69 FR 68690 (Nov. 24, 2004) (“FTC Rule”). The National Credit Union Administration implemented section 216 of the FACT Act by amending its existing rule governing security programs and guidelines regarding the rule. See Fair Credit Reporting—Proper Disposal of Consumer Information Under the Fair and Accurate Credit Transactions Act of 2003, 69 FR 69269 (Nov. 29, 2004). The Banking Agencies have proposed to implement section 216 by amending their guidelines establishing safeguards for customer information. See Proper Disposal of Consumer Information Under the Fair and Accurate Credit Transactions Act of 2003, 69 FR 31913 (June 8, 2004).
On September 14, 2004, the Commission proposed rule amendments to implement the requirements of section 216 of the FACT Act. We proposed to implement section 216 by adopting an amendment, set forth as paragraph (b) (the “disposal rule”), to rule 30 of Regulation S-P. We also proposed to amend our “safeguard rule,” which we adopted in 2000 pursuant to section 501 of the GLBA, and redesignate this provision as paragraph (a) of rule 30. The safeguard rule requires that brokers, dealers, and investment companies, as well as investment advisers registered with the Commission (“registered investment advisers”) adopt policies and procedures to address administrative, technical, and physical safeguards for the protection of customer records and information. We proposed to require that these policies and procedures be “written.”
See Disposal of Consumer Report Information, Investment Company Act Release No. 26596 (Sept. 14, 2004) [69 FR 56304 (Sept. 20, 2004)] (“Proposing Release”).
See Proposing Release, supra note 4. Regulation S-P is set forth in 17 CFR part 248. Unless otherwise noted, all references to rule 30 or any paragraph of the rule will be to 17 CFR 248.30, as amended.
See Proposing Release, supra note 4. See also Privacy of Consumer Financial Information (Regulation S-P), Securities Exchange Act Release No. 42974 (June 22, 2000) [65 FR 40334 (June 29, 2000)] (“Privacy Release”).
II. Discussion
Firms regulated by the Commission may maintain or possess consumer reports or information derived or compiled from consumer reports for a variety of business purposes. For example, a broker-dealer may possess the information in connection with margin accounts or the sale of variable annuities, an investment adviser may obtain a client's consumer report in connection with providing financial planning services, and any of these firms may possess the information in connection with making employment decisions. Our proposed rule to implement section 216 of the FACT Act would apply to brokers and dealers (other than brokers and dealers registered by notice with the Commission under section 15(b)(11) of the Exchange Act for the purpose of conducting business in security futures products (“notice-registered broker-dealers”)), investment companies, registered investment advisers, and transfer agents registered with the Commission (“registered transfer agents” and, collectively with broker-dealers other than notice-registered broker-dealers, investment companies, and registered investment advisers, “covered entities”). The proposed disposal rule would require that covered entities that possess such information for a business purpose take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
The term “investment company” is defined for purposes of the disposal rule in Regulation S-P. See 17 CFR 248.3(r). See also section II.A.1. The definition in Regulation S-P incorporates the definition of “investment company” under the Investment Company Act, including an investment company that is not registered with the Commission. See 15 U.S.C. 80a-3. Accordingly, a business development company, which is an investment company but is not required to register with the Commission, would be subject to the disposal rule. See Privacy Release, supra note 6, at n.74 and accompanying text.
We received seven comment letters in response to our proposal, which generally supported a rule providing for the proper disposal of consumer report information. We are adopting the amendments to Regulation S-P substantially as proposed. Comments on specific provisions in the amendments are discussed below.
Commenters included two individuals and associations representing investment advisers, investment companies, securities firms, the information destruction industry, and information management professionals.
A. Rule 30(b): Disposal of Consumer Report Information and Records
1. Rule 30(b)(1): Definitions
Amended rule 30 is part of Regulation S-P and, therefore, the definitions set forth in Regulation S-P apply to terms used in the amended rule. The disposal rule also includes definitions of additional terms used in that rule.
See rule 30(b)(1).
Consumer report. Rule 30(b)(1)(i) defines the term “consumer report” to have the same meaning as in section 603(d) of the FCRA. We received no comments suggesting changes to this definition, and we are adopting it as proposed.
The FCRA defines “consumer report” to mean “* * * any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 604” of the FCRA. See 15 U.S.C. 1681a(d)(1). A “consumer reporting agency” is defined as “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.” See 15 U.S.C. 1681a(f). The statute also provides exclusions from the definition, which include: “any (i) report containing information solely as to transactions or experiences between the consumer and the person making the report; (ii) communication of that information among persons related by common ownership or affiliated by corporate control; or (iii) communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons * * * .” See 15 U.S.C. 1681a(d)(2).
Consumer report information. The proposed disposal rule defined “consumer report information” as any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. The Proposing Release stated that the phrase “derived from consumer reports” would cover all of the information about a consumer that is derived from any consumer report(s), including information taken from a consumer report, information that results in whole or in part from manipulation of information taken from a consumer report, and information that has been combined with other types of information. The Proposing Release further explained that because the definition of “consumer report information” refers to records “about an individual,” information that does not identify particular consumers would not be covered under the proposed disposal rule. Commenters generally supported the proposed definition, although some requested clarification or modification of the definition of consumer report information.
See Proposing Release, supra note 4, at n.16 and text preceding and accompanying n.16.
See id., at n.11 and accompanying text.
One commenter noted that the term “consumer report information” does not appear in section 216 of the FACT Act, and that the definition of the term does not follow the language set forth in section 216. We believe that the definition of “consumer report information” is consistent with the statutory language. Nevertheless, consistent with the FTC Rule, we have modified the definition of “consumer report information” to include compilations of information derived from a consumer report. Although the proposed rule covered compilations of this information, the revised definition more closely follows the statutory language of section 216, and makes the definition clearer.
Section 216 requires a person that possesses “consumer information, or any compilation of consumer information derived from consumer reports” for a business purpose to properly dispose of the information. See supra note 2 and accompanying text. Information that is derived from a consumer report would include the consumer report itself.
The disposal rule uses the term “consumer report information” rather than “consumer information” (the term used in section 216 of the FACT Act) to reduce potential confusion with the terms “consumer financial information” and “customer information,” which are used in connection with the other provisions of Regulation S-P adopted under the GLBA. As noted in the Proposing Release, consumer or customer information subject to the GLBA and other sections of Regulation S-P and consumer report information subject to the FACT Act and rule 30(b) are separate, but overlapping, sets of information. See Proposing Release, supra note 4, at n.20.
See Proposing Release, supra note 4 (proposed rule 30(b)(2) set forth the standards for disposal of consumer report information or any compilation of that information).
Several commenters specifically supported the application of the proposed disposal rule only to information that identifies particular individuals, and requested that the disposal rule be more explicit on this point. In response to those comments, and in order to provide additional guidance and clarity, we have added language emphasizing that information that does not identify individuals, such as aggregate information or blind data, is not covered by the definition of “consumer report information.”
The terms “aggregate information” and “blind data” as used in the disposal rule are intended to have the same meaning as in § 248.3(u)(2)(ii)(B). 17 CFR 248.3(u)(2)(ii)(B).
One commenter also sought guidance on the kinds of information that would be considered subject to the proposed rule. We note that any information derived from a consumer report that identifies an individual, including a person's name and a variety of other personal identifiers, would bring information within the scope of the disposal rule. These identifiers include, but are not limited to, a social security number, phone number, physical address, and e-mail address. We have not included a rigid definition in the disposal rule, however, because, depending on the circumstances, items of information that are not inherently identifying can, in combination, identify particular individuals.
Disposal. Proposed rule 30(b)(1)(iii) defined “disposal” to mean the (i) discarding or abandonment of consumer report information, as well as the (ii) sale, donation, or transfer of any medium, including computer equipment, on which consumer report information is stored. The Proposing Release noted that the sale, donation, or transfer of consumer report information, by itself, would not be considered “disposal” under this definition. For example, an entity subject to the disposal rule that transfers consumer report information to a third party for marketing purposes would not be discarding the information for purposes of the disposal rule. Commenters generally supported the two meanings, and we have adopted this definition substantially as proposed. In addition, consistent with the FTC's final rule, the disposal rule makes clear that disposal means either (i) the discarding or abandonment of consumer report information, or (ii) the sale, donation, or transfer of any medium, including computer equipment, on which consumer report information is stored. Although one commenter requested that the rule text provide additional clarification, we believe our statements above and in the Proposing Release are sufficiently clear that the sale of consumer report information in connection with a business transaction or the transfer of that information for marketing purposes would not be considered “disposal.”
See Proposing Release, supra note 4, at text preceding n.12.
The ability of the entity to transfer information to a third party may, however, be limited by other laws and regulations, such as the GLBA and Regulation S-P.
See supra note 17 and accompanying text; Proposing Release, supra note 4, at text preceding n.12.
Notice-registered broker-dealers. Proposed rule 30(b) also included definitions of “notice-registered broker-dealers” and “transfer agent.” We received no comments on those definitions and are adopting them as proposed.
2. Rule 30(b)(2)(i): Proper Disposal of Consumer Report Information
The disposal rule requires covered entities that maintain or possess “consumer report information” for a business purpose to take “reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” Recognizing that there are few foolproof methods of record destruction, the Proposing Release stated that the proposed disposal rule would not require covered entities to ensure perfect destruction of consumer report information in every instance; rather, it would require covered entities to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. In determining what measures are “reasonable” under the disposal rule, we stated that we expect covered entities to consider the sensitivity of the consumer report information, the nature and size of the entity's operations, the costs and benefits of different disposal methods, and relevant technological changes. We also noted that “reasonable measures” are very likely to require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training.
The majority of commenters supported this flexible standard for disposal, and no commenter opposed the standard. One commenter, however, suggested that recipients of information about consumers may not always know whether the information they receive was derived from a consumer report. The commenter suggested, therefore, that only if a recipient knows or should have known it has received consumer report information should it be required to dispose of the information in compliance with the disposal rule.
We note that the protections mandated by the FACT Act and disposal rule do not assume knowledge by covered entities, and knowledge is not an element or a prerequisite to enforcement under either the Act or the rule. Nevertheless, we also note that in most, if not all, circumstances covered by the rule, covered entities will or should know if they possess consumer report information.
In order to provide additional clarity, the Proposing Release included examples intended to provide guidance on disposal measures that would be deemed reasonable under the disposal rule. Commenters that mentioned the examples found them to be helpful, but did not advocate that they be included in the rule text. One commenter requested that the examples be included in the final release. Accordingly, we note that, while each covered entity would have to evaluate what is appropriate for its size and the complexity of its operations, reasonable disposal measures for purposes of the disposal rule could include:
(i) Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer report information so that the information cannot practicably be read or reconstructed;
(ii) Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer report information so that the information cannot practicably be read or reconstructed;
(iii) After due diligence, entering into a contract with another party engaged in the business of record destruction to dispose of material, specifically identified as consumer report information, in a manner consistent with the disposal rule. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with the disposal rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company;
(iv) For covered entities that maintain or otherwise possess consumer report information through their provision of services directly to a person subject to the disposal rule, implementing and monitoring compliance with policies and procedures that protect against unauthorized or unintentional disposal of consumer report information, and disposing of the information in accordance with the first two examples; and
(v) For covered entities subject to the GLBA and the Commission's safeguard rule, incorporating the proper disposal of consumer report information as required by the disposal rule into the safeguard policies and procedures required by the safeguard rule.
We have revised the third example and added a fourth example to clarify the requirements of the “reasonable measures” standard when information is transferred or otherwise provided to service providers. We revised the third example so that it explicitly contemplates that a record owner will tell a service provider when it is providing the service provider with consumer report information. The revised example is intended to illustrate clearly that, if a covered entity transfers or otherwise provides consumer report information to a service provider, the “reasonable measures” standard will generally require the covered entity to take reasonable steps to select and retain a service provider that is capable of properly disposing of the consumer report information at issue; notify the service provider that the information is consumer report information; and enter into a contract that requires the service provider to dispose of the information in accordance with the disposal rule. The fourth example is intended to clarify that covered entities have responsibilities with respect to service providers while also ensuring that covered entities that act as service providers have sufficient information so that they can make the arrangements needed to fulfill their responsibilities to properly dispose of consumer report information.
Although the example involves a disposal service provider, the measures it contemplates would also generally be reasonable with respect to other types of service providers.
We have also added a fifth example to reflect our discussion in the Proposing Release regarding the relationship between the disposal rule and the safeguard rule. In the Proposing Release, we recognized that in some circumstances, “customer records and information” subject to the safeguard rule may overlap with “consumer report information” subject to the disposal rule. To the extent there is overlap, customer records and information would be subject to the disposal rule. We explained that proper disposal policies and procedures are encompassed within, and should be a part of, the overall policies and procedures required under the safeguard rule. Accordingly, a covered entity could comply with the disposal rule by applying its policies and procedures under the safeguard rule, including methods for the proper disposal of customer information, consumer report information or any compilation of that information. We note, however, that in those circumstances, the disposal methods applied under the safeguard rule would have to satisfy the standards for proper disposal set forth in the disposal rule.
See Proposing Release, supra note 4, at text following n.21.
3. Rule 30(b)(2)(ii): Relation to Other Laws
Proposed rule 30(b)(2)(ii) made clear that nothing in the disposal rule was intended to create a requirement that a person maintain or destroy any record pertaining to a consumer. The Proposing Release also stated that the proposed disposal rule is not intended to affect any requirement imposed under any other provision of law to maintain or destroy such records. We are adopting the provision substantially as proposed; we are adding the word “other” before the word “provision” in paragraph (b)(2)(ii)(B) consistent with the statutory language.
4. Scope of the Disposal Rule
The FACT Act differs in scope from the GLBA. As discussed in the Proposing Release, Regulation S-P (including the safeguard rule) and the disposal rule have some differences in scope with respect both to the information and entities that are subject to the respective rules. Our proposal contained four provisions to address those differences. First, we proposed to amend § 248.1(b) of Regulation S-P to except the disposal rule from the provision that describes the scope of information subject to Regulation S-P. Second, we proposed to revise § 248.2(b) to except the disposal rule from the provision in Regulation S-P that permits notice-registered broker-dealers to comply with the regulation by complying with financial privacy rules adopted by the Commodity Futures Trading Commission. Third, the proposed disposal rule would exclude notice-registered broker-dealers from its application. Finally, the proposed disposal rule would apply to transfer agents registered with the Commission.
See Proposing Release, supra note 4, section II.A.4. See also supra note 13.
See Proposing Release, supra note 4, at section II.A.4.
See amended rules 1(b), 2(b); 30(b)(2) [17 CFR 248.1(b); 248.2(b); 248.30(b)(2)].
We received no comments on these provisions. Accordingly, we are adopting them as proposed.
B. Rule 30(a): Procedures To Safeguard Customer Records and Information
The Proposing Release also contained a proposed amendment to the safeguard rule. As discussed in more detail in the Proposing Release, our staff found that some firms it examined lacked written policies and procedures that address the safeguard requirements. We noted that in the absence of reasonable documentation it is difficult to identify these policies and procedures and to test for compliance with the safeguard rule. We also questioned whether an organization of any size and complexity could reasonably manage to safeguard customer records and information without written policies and procedures. To help ensure reasonable protection for customer records and information, and to permit compliance oversight by our examiners, we proposed to require that policies and procedures under the safeguard rule be written. Commenters supported the proposed amendment, and we are adopting it as proposed.
Our Proposing Release also asked for comment on ways to maintain a flexible approach to the safeguard rule, while establishing certain elements that firms would be required to consider in developing their policies and procedures. We specifically asked for comment on whether the safeguard rule should adopt similar standards as those set forth in the FTC's safeguard rule. The commenters that specifically addressed the issue opposed requiring elements that each safeguard program should address. We will take these comments into consideration in the event we propose any further amendments to the safeguard rule. We are not adopting any additional changes to the safeguard rule today.
See Federal Trade Commission, Standards for Safeguarding Customer Information, 67 FR 36484 (May 23, 2002) (“FTC Safeguard Rule”).
C. Effective Date; Compliance Date
The amendments will become effective on January 11, 2005. Two commenters requested we require compliance after the effective date in order to allow covered entities to evaluate how the rule applies to current business practices and to develop and implement disposal policies. These commenters suggested we require compliance 180 days and 24 months after adoption of the amendments. As we noted in the Proposing Release, we believe that most firms have policies and procedures for disposal of customer information as part of the policies and procedures required under the safeguard rule that could be applied to consumer report information. In addition, it should be relatively easy for a covered entity that does not currently have policies and procedures that could apply to consumer report information to address the disposal of that information by adopting policies and procedures as one part of its overall safeguarding program. Accordingly, we are requiring that covered entities comply with the amendments no later than July 1, 2005.
As discussed above, the policies and procedures applied under the safeguard rule would have to satisfy the standard set forth in the disposal rule for disposing of consumer report information.
We also received a request that we exempt information that is disposed under existing service contracts from the standards for disposal of consumer report information. We do not believe that an exemption is necessary if covered entities are given a longer period in which to amend these contracts. Accordingly, we are requiring covered entities to bring any existing contracts with service providers for services involving the disposal or destruction of consumer report information into compliance with rule 30(b) by July 1, 2006.
III. Cost-Benefit Analysis
We are sensitive to the costs and benefits that result from our rules. As discussed above, the amendments implement section 216 of the FACT Act by requiring covered entities that maintain or possess consumer report information for a business purpose to properly dispose of the information. The amendments also require that an institution's safeguarding policies and procedures be in writing. In the Proposing Release, we requested comment and specific data regarding the costs and benefits of the proposed amendments. We received one comment that generally supported our analysis in the Proposing Release, and we received no comments that provided specific data on the costs and benefits of the proposed amendments.
See Proposing Release, supra note 4, at section IV.C.
A. Benefits
The disposal rule seeks to prevent the unauthorized disclosure of information contained in consumer reports and reduce the risk of fraud and related crimes, including identity theft. The unauthorized disclosure of this information results in significant expense for the consumers, businesses and financial institutions that are the victims of these crimes. Requiring covered entities to take reasonable measures to protect against unauthorized access to consumer report information during its disposal will benefit consumers and covered entities by reducing the incidence of identity theft and lessening related losses.
The amendment to the safeguard rule will benefit firms because written policies and procedures will eliminate uncertainty for employees and promote more systematic and organized reviews of the firms' own safeguard policies and procedures. Firms and their customers may also benefit from the amendment if firms develop more comprehensive and effective policies as they translate informal, unwritten policies into writing. Moreover, investors should benefit from our examiners' enhanced ability to conduct compliance oversight. The Commission has no way of quantifying these benefits.
B. Costs
We believe that the disposal rule and the safeguard rule amendment will impose minimal costs on firms. The disposal rule does not establish specific requirements for the disposal of consumer report information, and it will only affect firms that do not currently provide adequate protections for the disposal of consumer report information as a part of the existing requirement to protect customer records and information. Covered entities, depending on their particular circumstances, may have to provide employee training, or establish clear procedures for consumer report information disposal. Costs to firms that are not already in compliance will vary depending on the size of the firm, the adequacy of its existing disposal policy, and the nature of the firm's operation. As noted above, the flexible standard in the disposal rule is specifically designed to minimize the burden of compliance for smaller entities. The emphasis on performance rather than design standards in the rule takes account of the entity's size, operations, and sophistication, as well as the costs and benefits of alternative disposal methods. In addition, the “reasonable measures” standard in the rule is consistent with the current safeguard rule. Therefore, it should be relatively easy for a firm that does not currently have policies and procedures that could apply to consumer report information to address the disposal of that information by adopting reasonable disposal measures as one part of its overall safeguarding policies and procedures.
Similarly, we do not anticipate that drafting or implementing the safeguard rule amendment's requirement to document policies and procedures in writing will be costly. Firms have been required to have reasonable policies and procedures in place since 2001. As part of this requirement and as a good business practice, we believe that most firms have already established their policies in writing. For the minority of firms that have unwritten policies, the cost will involve transcribing what is understood and accepted practice. If a firm has not given significant thought to the safeguarding of customer records and information, the firm may incur additional costs if it develops more comprehensive and effective policies in the course of documentation.
IV. Paperwork Reduction Act
As discussed in the Proposing Release, the disposal rule does not impose any recordkeeping requirement or otherwise constitute a “collection of information” as it is defined in the regulations implementing the Paperwork Reduction Act of 1995 (“PRA”). As discussed further in the Proposing Release, however, the safeguard rule amendment contains a “collection of information” within the meaning of the PRA.
Today we are adopting the amendment to the safeguard rule substantially as proposed. To aid our compliance examiners to determine whether institutions have met the safeguard requirements, the amendment requires that policies and procedures under the safeguard rule be written. As we stated in the Proposing Release, while we believe that most of the institutions that we regulate have adopted written safeguard policies and procedures as a matter of good business practice, those that have not already documented their policies and procedures will be required to do so. We published notice soliciting comments on the collection of information requirement in the Proposing Release and submitted the proposed collection of information to the Office of Management and Budget (“OMB”) for review in accordance with 44 U.S.C. 3507(d) and 5 CFR 1320.11. None of the commenters addressed the PRA burden associated with this amendment. The new information collection requirement is mandatory. Under the amendment, the written safeguard policies and procedures will not be filed with or otherwise submitted to the Commission. Accordingly, we make no assurance of confidentiality with respect to the collection of information.
In the Proposing Release, we estimated that the aggregate burden for all covered entities in the first year after adoption would be 631,925 hours. We further estimated that the average weighted annual burden for all covered entities over the three-year period for which we requested approval of the information collection burden would be approximately 276,780 hours. See Proposing Release, supra note 4, at section V.
The title for the collection of information is “Procedures to safeguard customer records and information; disposal of consumer report information.” An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.
V. Final Regulatory Flexibility Analysis
This Final Regulatory Flexibility Analysis has been prepared in accordance with 5 U.S.C. 604. It relates to the disposal rule, which requires that reasonable measures be taken to protect against unauthorized access to consumer report information during its disposal. It also relates to the amendment to the safeguard rule that requires financial institutions to document policies and procedures to safeguard customer information in writing. The Initial Regulatory Flexibility Analysis (“IRFA”), which was prepared in accordance with 5 U.S.C. 603, was published in the Proposing Release.
See Proposing Release, supra note 4, at section VI.
A. Reasons for the Rule Amendments
As described more fully in section I of this Release, section 216 of the FACT Act requires the Commission to issue regulations regarding the proper disposal of consumer report information in order to prevent sensitive financial and personal information from falling into the hands of identity thieves or others who might use the information to victimize consumers. The disposal rule is intended to implement the requirements of section 216.
As discussed above, the amendment to the safeguard rule requires entities subject to the rule to document their policies and procedures in writing. The amendment is intended to ensure reasonable protection for customer records and information and to permit compliance oversight by our examiners.
B. Significant Issues Raised by Public Comment
In the IRFA, we requested comment on any aspect of the IRFA and specifically requested comment on the number of small entities that would be affected by the proposed amendments and the likely impact of the proposal on small entities. We received no comments on the IRFA. The commenters generally supported the Commission's proposal to implement section 216 of the FACT Act. Three of the commenters supported the proposed amendment to the safeguard rule. No commenters opposed the amendments.
C. Small Entities Subject to the Amendments
The disposal rule applies to brokers and dealers (other than notice-registered broker-dealers), investment companies, registered investment advisers, and registered transfer agents that maintain or otherwise possess consumer report information for a business purpose. Institutions covered by the amendment to the safeguard rule will include brokers and dealers (other than notice-registered broker-dealers), investment companies, and registered investment advisers. Of the entities registered with the Commission, 906 broker-dealers, 233 investment companies, 592 registered investment advisers, and 170 registered transfer agents are considered small entities.
For purposes of the Regulatory Flexibility Act, under the Exchange Act a small entity is a broker or dealer that had total capital of less than $500,000 on the date of its prior fiscal year and is not affiliated with any person that is not a small entity. 17 CFR 240.0-10. Under the Investment Company Act a “small entity” is an investment company that, together with other investment companies in the same group of related investment companies, has net assets of $50 million or less as of the end of its most recent fiscal year. 17 CFR 270.0-10. Under the Investment Advisers Act, a small entity is an investment adviser that “(i) manages less than $25 million in assets, (ii) has total assets of less than $5 million on the last day of its most recent fiscal year, and (iii) does not control, is not controlled by, and is not under common control with another investment adviser that manages $25 million or more in assets, or any person that had total assets of $5 million or more on the last day of the most recent fiscal year.” 17 CFR 275.0-7. A small entity in the transfer agent context is defined to be any transfer agent that (i) received less than 500 items for transfer and less than 500 items for processing during the preceding six months; (ii) transferred only items of issuers that would be deemed “small businesses” or “small organizations” under rule 0-10 under the Exchange Act; (iii) maintained master shareholder files that in the aggregate contained less than 1,000 shareholder accounts at all times during the preceding fiscal year; and (iv) is not affiliated with any person (other than a natural person) that is not a small business or small organization under rule 0-10. 17 CFR 240.0-10.
D. Reporting, Recordkeeping, and Other Compliance Requirements
As discussed above, the disposal rule does not impose any reporting or any specific recordkeeping requirements within the meaning of the Paperwork Reduction Act. The rule requires covered entities, when disposing of consumer report information, to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. What is considered “reasonable” will vary according to an entity's nature and size, the costs and benefits of available disposal methods, and the sensitivity of the information involved. In formulating the disposal rule, we considered alternatives to this approach, and determined that the flexibility afforded by the rule reduces the burden that might otherwise be imposed on small entities by a more rigid, prescriptive rule.
With regard to the amendment to the safeguard rule, we note that firms are already required to have policies and procedures that address the safeguarding of customer information and records. This requirement provides a flexible standard that allows each firm to tailor these policies and procedures to the firm's particular systems, methods of information gathering, and customer needs. We assume that most institutions have already documented these policies and procedures, but the amendment requires all institutions to put their policies and procedures in writing. The amount of time it will take institutions that do not have written policies and procedures to document them will vary based on the extent and complexity of the policies and procedures the institution has adopted.
E. Commission Action To Minimize Effect on Small Entities
The Regulatory Flexibility Act directs us to consider significant alternatives that would accomplish the stated objective, while minimizing any significant adverse impact on small entities. Alternatives in this category would include: (i) The establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (ii) the clarification, consolidation, or simplification of compliance and reporting requirements under the rules for small entities; (iii) the use of performance rather than design standards; and (iv) an exemption from coverage of the rules, or any part thereof, for small entities.
With respect to the disposal rule, the Commission does not believe that an exemption from coverage or special compliance or reporting requirements for small entities would be consistent with the mandates of the FACT Act. In addition, the Commission does not believe that clarification, consolidation, or simplification of the amendment for small entities is feasible or necessary. Section 216 of the FACT Act addresses the protection of consumer privacy, and consumer privacy concerns do not depend on the size of the entity involved. Nevertheless, we have endeavored throughout the disposal rule to minimize the regulatory burden on all covered entities, including small entities, while meeting the statutory requirements. Small entities should benefit from the flexible standards in the disposal rule. In addition, the emphasis on performance rather than design standards in the rule takes account of the covered entity's size and sophistication, as well as the costs and benefits of alternative disposal methods.
With respect to the amendment to the safeguard rule, we do not believe that an exemption from coverage or special reporting or compliance requirements for small entities is feasible or necessary. The requirement that covered entities document their safeguard policies and procedures in writing is necessary to promote systematic and organized reviews of these policies and procedures by the entity, as well as to allow Commission staff to identify and test effectively for compliance with the safeguard rule.
Similarly, the Commission does not believe that clarification, consolidation, or simplification of the amendment for small entities is feasible or necessary. The requirement that safeguard policies and procedures be in writing, as discussed above, is essential to allowing both the entity and Commission staff to review the entity's policies and procedures.
The safeguard rule embodies performance rather than design standards. It affords each institution the flexibility to adopt and implement policies and procedures that are appropriate in light of the institution's size and the complexity of its operations. The documentation of the policies and procedures will reflect these performance standards. Accordingly, the writing required under the amendment will only be as technical or complex as the policies and procedures required to be documented.
VI. Consideration of Promotion of Efficiency, Competition, and Capital Formation
Section 3(f) of the Exchange Act and section 2(c) of the Investment Company Act mandate that the Commission, when engaging in rulemaking that requires it to consider or determine whether an action is necessary or appropriate in the public interest, consider, in addition to the protection of investors, whether the action will promote efficiency, competition, and capital formation. Section 23(a)(2) of the Exchange Act prohibits the Commission from adopting any rule under the Exchange Act that would impose a burden on competition that is not necessary or appropriate in furtherance of the purposes of the Exchange Act.
We do not believe that the disposal rule will have an anti-competitive impact. The disposal rule applies to all brokers and dealers (other than notice-registered broker-dealers), investment companies, registered investment advisers, and registered transfer agents. Each of these entities must take reasonable measures to properly dispose of consumer report information.
Other entities will be subject to substantially similar disposal requirements under the Agencies' rules. As directed by the FACT Act, the Agencies and the Commission have worked in consultation and coordination with one another to ensure the consistency and comparability of the regulations. Therefore, all financial institutions will have to bear the costs of implementing the rules or substantially similar rules. Although these costs will vary among entities subject to the rule, we do not believe that the costs will be significantly greater for any particular entity or entities when calculated as a percentage of overall costs.
Furthermore, we believe the disposal rule will have little effect on efficiency and capital formation. The rule will result in some additional costs for some entities, particularly those entities that do not currently take reasonable measures to properly dispose of consumer report information. However, we believe the additional costs are small enough that they will not affect the efficiency of these entities. We also believe that any effect the disposal rule may have on capital formation will be positive. To the extent that the disposal rule gives investors greater confidence in the security of information possessed by covered entities, investors may be more likely to invest their assets in the capital markets through covered entities.
With respect to the amendment to the safeguard rule, we do not believe the amendment will have an anti-competitive impact. As noted above, we believe that most brokers, dealers, investment companies, and registered investment advisers already have written safeguard policies and procedures. To the extent some do not, those firms will have to conform to standards that many firms have met voluntarily. This amendment also will be consistent with the guidelines issued by the Banking Agencies regarding the safeguarding of customer records and information and the FTC's Safeguard Rule, which require that the financial institutions the Agencies regulate document their policies and procedures in writing. Firms that currently do not have written policies and procedures will incur costs of documentation already borne by firms that have written policies and procedures. Although these costs will vary among institutions subject to the amendment, we do not believe that the costs will be significantly greater for any particular firm or firms when calculated as a percentage of overall costs.
See Federal Reserve System, Federal Deposit Insurance Corporation, Department of the Treasury Office of Thrift Supervision, and Department of the Treasury Office of the Comptroller of the Currency, Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 66 FR 8616 (Feb. 1, 2001); FTC Safeguard Rule, supra note 24.
Furthermore, we believe the amendment will have little effect on efficiency and capital formation. We expect the amended rule will increase efficiency among those firms that do not currently have written policies and procedures because it should promote more systematic and organized reviews of these policies and procedures. The amendment will result in some additional costs for firms that do not currently have written policies and procedures. However, we believe the additional costs are small enough that they will not affect the efficiency of these firms. To the extent there is any effect, the amendment may foster capital formation. Our experience is that covered entities with effective safeguard programs that are documented in writing and communicated to all employees are less likely to violate the safeguard rule and harm to investors is less likely to result. To the extent this type of environment increases investor confidence in covered entities, investors and clients are more likely to make assets available through these entities for investment in the capital markets.
In the Proposing Release, we solicited comment on our analysis of the impact of these amendments on efficiency, competition and capital formation. We did not receive any comment on our analysis.
VII. Statutory Authority
The Commission is amending Regulation S-P pursuant to the authority set forth in section 501(b) of the GLBA [15 U.S.C. 6801(b)], section 628 of the FCRA [15 U.S.C. 1681w], sections 17, 23, and 36 of the Exchange Act [15 U.S.C. 78q, 78w, and 78mm], sections 31(a) and 38 of the Investment Company Act [15 U.S.C. 80a-30(a) and 80a-37], and sections 204 and 211 of the Investment Advisers Act [15 U.S.C. 80b-4 and 80b-11].
List of Subjects in 17 CFR Part 248
- Brokers
- Dealers
- Investment advisers
- Investment companies
- Privacy
- Reporting and recordkeeping requirements
- Transfer agents
Text of Rules
For the reasons set out in the preamble, title 17, chapter II of the Code of Federal Regulations is amended as follows:
PART 248—REGULATION S-P: PRIVACY OF CONSUMER FINANCIAL INFORMATION
1. The authority citation for part 248 is revised to read as follows:
Authority: 15 U.S.C. 6801-6809; 15 U.S.C. 1681w; 15 U.S.C. 78q, 78w, 78mm, 80a-30(a), 80a-37, 80b-4, and 80b-11.
2. Section 248.1, the first sentence of paragraph (b) is amended by revising the phrase “This part” to read “Except with respect to § 248.30(b), this part”.
3. Section 248.2, paragraph (b) is amended by revising the phrase “Any futures commission merchant” to read “Except with respect to § 248.30(b), any futures commission merchant”.
4. Section 248.30 is amended as follows:
a. Revise the section heading;
b. Introductory text, paragraphs (a), (b), and (c) are redesignated as paragraphs (a) introductory text, (a)(1), (a)(2), and (a)(3) respectively;
c. In the newly redesignated introductory text of paragraph (a), add the word “written” before the phrase “policies and procedures” in the first and second sentences; and
d. Add new paragraph (b).
The revision and addition read as follows:
(b) Disposal of consumer report information and records—(1) Definitions. (i) Consumer report has the same meaning as in section 603(d) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)).
(ii) Consumer report information means any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report. Consumer report information also means a compilation of such records. Consumer report information does not include information that does not identify individuals, such as aggregate information or blind data.
(iii) Disposal means:
(A) The discarding or abandonment of consumer report information; or
(B) The sale, donation, or transfer of any medium, including computer equipment, on which consumer report information is stored.
(iv) Notice-registered broker-dealers means a broker or dealer registered by notice with the Commission under section 15(b)(11) of the Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)).
(v) Transfer agent has the same meaning as in section 3(a)(25) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(25)).
(2) Proper disposal requirements—(i) Standard. Every broker and dealer other than notice-registered broker-dealers, every investment company, and every investment adviser and transfer agent registered with the Commission, that maintains or otherwise possesses consumer report information for a business purpose must properly dispose of the information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.
(ii) Relation to other laws. Nothing in this section shall be construed:
(A) To require any broker, dealer, or investment company, or any investment adviser or transfer agent registered with the Commission to maintain or destroy any record pertaining to an individual that is not imposed under other law; or
(B) To alter or affect any requirement imposed under any other provision of law to maintain or destroy any of those records.
By the Commission.
Dated: December 2, 2004.
Margaret H. McFarland,
Deputy Secretary.
[FR Doc. 04-26878 Filed 12-7-04; 8:45 am]
BILLING CODE 8010-01-P