Upon Written Request, Copies Available From: Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549-2736
Notice is hereby given that, pursuant to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq. ), the Securities and Exchange Commission (the “Commission”) has submitted to the Office of Management and Budget a request for extension of the previously approved collection of information discussed below.
Regulation S-ID (17 CFR 248), including the information collection requirements thereunder, is designed to better protect investors from the risks of identity theft. Under Regulation S-ID, SEC-regulated entities are required to develop and implement reasonable policies and procedures to identify, detect, and respond to relevant red flags (the “Identity Theft Red Flags Rules”) and, in the case of entities that issue credit or debit cards, to assess the validity of, and communicate with cardholders regarding, address changes. Section 248.201 of Regulation S-ID includes the following information collection requirements for each SEC-regulated entity that qualifies as a “financial institution” or “creditor” under Regulation S-ID and that offers or maintains covered accounts: (i) Creation and periodic updating of an identity theft prevention program (“Program”) that is approved by the board of directors, an appropriate committee thereof, or a designated senior management employee; (ii) periodic staff reporting to the board of directors on compliance with the Identity Theft Red Flags Rules and related guidelines; and (iii) training of staff to implement the Program. Section 248.202 of Regulation S-ID includes the following information collection requirements for each SEC-regulated entity that is a credit or debit card issuer: (i) Establishment of policies and procedures that assess the validity of a change of address notification if a request for an additional or replacement card on the account follows soon after the address change; and (ii) notification of a cardholder, before issuance of an additional or replacement card, at the previous address or through some other previously agreed-upon form of communication, or alternatively, assessment of the validity of the address change request through the entity's established policies and procedures.
SEC staff estimates of the hour burdens associated with section 248.201 under Regulation S-ID include the one-time burden of complying with this section for newly-formed SEC-regulated entities, as well as the ongoing costs of compliance for all SEC-regulated entities. All newly-formed financial institutions and creditors would be required to conduct an initial assessment of covered accounts, which SEC staff estimates would entail a one-time burden of 2 hours. Staff estimates that this burden would result in a cost of $910 to each newly-formed financial institution or creditor. To the extent a financial institution or creditor offers or maintains covered accounts, SEC staff estimates that the financial institution or creditor would also incur a one-time burden of 25 hours to develop and obtain board approval of a Program, and a one-time burden of 4 hours to train the financial institution's or creditor's staff, for a total of 29 additional burden hours. Staff estimates that these burdens would result in additional costs of $15,603 for each financial institution or creditor that offers or maintains covered accounts.
This estimate is based on the following calculation: 2 hours × $455 (hourly rate for internal counsel) = $910. See infra note 2 (discussing the methodology for estimating the hourly rate for internal counsel).
SEC staff estimates that, of the 29 hours incurred to develop and obtain board approval of a Program and train the financial institution's or creditor's staff, 10 hours will be spent by internal counsel at an hourly rate of $455, 17 hours will be spent by administrative assistants at an hourly rate of $89, and 2 hours will be spent by the board of directors as a whole at an hourly rate of $4,770. Thus, the estimated $15,603 in additional costs is based on the following calculation: (10 hours × $455 = $4,550) + (17 hours × $89 = $1,513) + (2 hours × $4,770 = $9,540) = $15,603.
The cost estimate for internal counsel is derived from SIFMA's Management & Professional Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and multiplied by 5.35 to account for bonuses, entity size, employee benefits, and overhead, and adjusted for inflation. The cost estimate for administrative assistants is derived from SIFMA's Office Salaries in the Securities Industry 2013, modified to account for an 1800-hour work-year and multiplied by 2.93 to account for bonuses, entity size, employee benefits, and overhead, and adjusted for inflation. The cost estimate for the board of directors is derived from estimates made by SEC staff regarding typical board size and compensation that is based on information received from fund representatives and publicly-available sources, and adjusted for inflation.
SEC staff estimates that approximately 571 SEC-regulated financial institutions and creditors are newly formed each year. Each of these 571 entities will need to conduct an initial assessment of covered accounts, for a total of 1,142 hours at a total cost of $519,610. Of these 571 entities, staff estimates that approximately 90% (or 514) maintain covered accounts. Accordingly, staff estimates that the additional initial burden for SEC-regulated entities that are likely to qualify as financial institutions or creditors and maintain covered accounts is 14,906 hours at an additional cost of $8,019,942. Thus, the total initial estimated burden for all newly-formed SEC-regulated entities is 16,048 hours at a total estimated cost of $8,539,552.
Based on a review of new registrations typically filed with the SEC each year, SEC staff estimates that approximately 1,277 investment advisers, 109 broker dealers, 34 investment companies, and 2 ESCs typically apply for registration with the SEC or otherwise are newly formed each year, for a total of 1,422 entities that could be financial institutions or creditors. Of these, staff estimates that all of the investment companies, ESCs, and broker-dealers are likely to qualify as financial institutions or creditors, and 33% of investment advisers (or 426) are likely to qualify. See Identity Theft Red Flags, Investment Company Act Release No. 30456 (Apr. 10, 2013) (“Adopting Release”) at n.190 (discussing the staff's analysis supporting its estimate that 33% of investment advisers are likely to qualify as financial institutions or creditors). We therefore estimate that a total of 571 total financial institutions or creditors will bear the initial one-time burden of assessing covered accounts under Regulation S-ID.
These estimates are based on the following calculations: 571 entities × 2 hours = 1,142 hours; 571 entities × $910 = $519,610.
In the Proposing Release, the SEC requested comment on the estimate that approximately 90% of all financial institutions and creditors maintain covered accounts; the SEC received no comments on this estimate.
These estimates are based on the following calculations: 514 financial institutions and creditors that maintain covered accounts × 29 hours = 14,906 hours; 514 financial institutions and creditors that maintain covered accounts × $15,603 = $8,019,942.
These estimates are based on the following calculations: 1,142 hours + 14,906 hours = 16,048 hours; $519,610 + $8,019,942 = $8,539,552.
Each financial institution and creditor would be required to conduct periodic assessments to determine if the entity offers or maintains covered accounts, which SEC staff estimates would entail an annual burden of 1 hour per entity. Staff estimates that this burden would result in an annual cost of $455 to each financial institution or creditor. To the extent a financial institution or creditor offers or maintains covered accounts, staff estimates that the financial institution or creditor also would incur an annual burden of 2.5 hours to prepare and present an annual report to the board, and an annual burden of 7 hours to periodically review and update the Program (including review and preservation of contracts with service providers, as well as review and preservation of any documentation received from service providers). Staff estimates that these burdens would result in additional annual costs of $8,638 for each financial institution or creditor that offers or maintains covered accounts.
This estimate is based on the following calculation: 1 hour × $455 (hourly rate for internal counsel) = $455. See supra note 2 (discussing the methodology for estimating the hourly rate for internal counsel).
Staff estimates that, of the 9.5 hours incurred to prepare and present the annual report to the board and periodically review and update the Program, 8.5 hours will be spent by internal counsel at an hourly rate of $455, and 1 hour will be spent by the board of directors as a whole at an hourly rate of $4,770. Thus, the estimated $7,874 in additional annual costs is based on the following calculation: (8.5 hours × $455 = $3,868) + (1 hour × $4,770 = $4,770) = $8,638. See supra note 2 (discussing the methodology for estimating the hourly rate for internal counsel and the board of directors).
SEC staff estimates that there are 9,915 SEC-regulated entities that are either financial institutions or creditors, and that all of these will be required to periodically review their accounts to determine if they offer or maintain covered accounts, for a total of 9,915 hours for these entities at a total cost of $4,511,325. Of these 9,915 entities, staff estimates that approximately 90 percent, or 8,924, maintain covered accounts, and thus will need the additional burdens related to complying with the rules. Accordingly, staff estimates that the additional annual burden for SEC-regulated entities that qualify as financial institutions or creditors and maintain covered accounts is 84,778 hours at an additional cost of $77,085,512. Thus, the total estimated ongoing annual burden for all SEC-regulated entities is 94,693 hours at a total estimated annual cost of $81,596,837.
Based on a review of entities that the SEC regulates, SEC staff estimates that, as of September 30, 2021, there are approximately 14,705 investment advisers, 3,533 broker-dealers, 1,380 active open-end investment companies, and 100 ESCs. Of these, staff estimates that all of the broker-dealers, open-end investment companies and ESCs are likely to qualify as financial institutions or creditors. We also estimate that approximately 33% of investment advisers, or 4,902 investment advisers, are likely to qualify. See Adopting Release, supra note 3, at n.190 (discussing the staff's analysis supporting its estimate that 33% of investment advisers are likely to qualify as financial institutions or creditors). We therefore estimate that a total of 9,915 financial institutions or creditors will bear the ongoing burden of assessing covered accounts under Regulation S-ID. (The SEC staff estimates that the other types of entities that are covered by the scope of the SEC's rules will not be financial institutions or creditors and therefore will not be subject to the rules' requirements.)
The estimates of 9,915 hours and $3,784,800 are based on the following calculations: 9,915 financial institutions and creditors × 1 hour = 9,915 hours; 9,915 financial institutions and creditors × $455 = $4,511,325.
See supra note 5 and accompanying text. If a financial institution or creditor does not maintain covered accounts, there would be no ongoing annual burden for purposes of the PRA.
These estimates are based on the following calculations: 8,924 financial institutions and creditors that maintain covered accounts × 9.5 hours = 84,778 hours; 8,924 financial institutions and creditors that maintain covered accounts × $8,638 = $77,085,512.
These estimates are based on the following calculations: 9,915 hours + 84,778 hours = 94,693 hours; $4,511,325 + $77,085,512 = $81,596,837.
The collections of information required by section 248.202 will apply only to SEC-regulated entities that issue credit or debit cards. SEC staff understands that SEC-regulated entities generally do not issue credit or debit cards, but instead partner with other entities, such as banks, that issue cards on their behalf. These other entities, which are not regulated by the SEC, are already subject to substantially similar change of address obligations pursuant to the Agencies' identity theft red flags rules. Therefore, staff does not expect that any SEC-regulated entities will be subject to the information collection requirements of section 248.202, and accordingly, staff estimates that there is no hour or cost burden for SEC-regulated entities related to section 248.202.
§ 248.202(a).
In total, SEC staff estimates that the aggregate annual information collection burden of Regulation S-ID is 110,741 hours (16,048 hours + 94,693 hours). This estimate of burden hours is made solely for the purposes of the Paperwork Reduction Act and is not derived from a quantitative, comprehensive, or even representative survey or study of the burdens associated with Commission rules and forms. Compliance with Regulation S-ID, including compliance with the information collection requirements thereunder, is mandatory for each SEC-regulated entity that qualifies as a “financial institution” or “creditor” under Regulation S-ID (as discussed above, certain collections of information under Regulation S-ID are mandatory only for financial institutions or creditors that offer or maintain covered accounts). Responses will not be kept confidential. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid control number.
The public may view the background documentation for this information collection at the following website, www.reginfo.gov. Comments should be directed to: (i) Desk Officer for the Securities and Exchange Commission, Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10102, New Executive Office Building, Washington, DC 20503, or by sending an email to: Lindsay.M.Abate@omb.eop.gov; and (ii) David Bottom, Director/Chief Information Officer, Securities and Exchange Commission, c/o John R. Pezzullo, 100 F Street NE, Washington, DC 20549 or send an email to: PRA_Mailbox@sec.gov. Written comments and recommendations for the proposed information collection should be sent within 30 days of publication June 21, 2022 of this notice to www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting “Currently under 30-day Review—Open for Public Comments” or by using the search function.
Dated: May 16, 2022.
J. Matthew DeLesDernier,
Assistant Secretary.
[FR Doc. 2022-10814 Filed 5-19-22; 8:45 am]
BILLING CODE 8011-01-P