Document

Proposed Collection; Comment Request; Extension: Regulation S-ID

Securities and Exchange Commission [SEC File No. 270-644, OMB Control No. 3235-0692] Notice is hereby given that, pursuant to the Paperwork Reduction Act of 1995 ( 44 U.S.C. 350...

PDF version Source Record

Securities and Exchange Commission

[SEC File No. 270-644, OMB Control No. 3235-0692]

Notice is hereby given that, pursuant to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.), the Securities and Exchange Commission (the “Commission”) is soliciting comments on the collection of information summarized below. The Commission plans to submit this existing collection of information to the Office of Management and Budget for extension and approval.

Regulation S-ID (17 CFR 248), including the information collection requirements thereunder, is designed to better protect investors from the risks of identity theft. Under Regulation S-ID, SEC-regulated entities are required to develop and implement reasonable policies and procedures to identify, detect, and respond to relevant red flags (the “Identity Theft Red Flags Rules”) and, in the case of entities that issue credit or debit cards, to assess the validity of, and communicate with cardholders regarding, address changes. Section 248.201 of Regulation S-ID includes the following information collection requirements for each SEC-regulated entity that qualifies as a “financial institution” or “creditor” under Regulation S-ID and that offers or maintains covered accounts: (i) Creation and periodic updating of an identity theft prevention program (“Program”) that is approved by the board of directors, an appropriate committee thereof, or a designated senior management employee; (ii) periodic staff reporting to the board of directors on compliance with the Identity Theft Red Flags Rules and related guidelines; and (iii) training of staff to implement the Program. Section 248.202 of Regulation S-ID includes the following information collection requirements for each SEC-regulated entity that is a credit or debit card issuer: (i) Establishment of policies and procedures that assess the validity of a change of address notification if a request for an additional or replacement card on the account follows soon after the address change; and (ii) notification of a cardholder, before issuance of an additional or replacement card, at the previous address or through some other previously agreed-upon form of communication, or alternatively, assessment of the validity of the address change request through the entity's established policies and procedures.

SEC staff estimates of the hour burdens associated with section 248.201 under Regulation S-ID include the one-time burden of complying with this section for newly-formed SEC-regulated entities, as well as the ongoing costs of compliance for all SEC-regulated entities.

All newly-formed financial institutions and creditors would be required to conduct an initial assessment of covered accounts, which SEC staff estimates would entail a one-time burden of 2 hours. Staff estimates that this burden would result in a cost of $910 to each newly-formed financial institution or creditor.^[1] To the extent a financial institution or creditor offers or maintains covered accounts, SEC staff estimates that the financial institution or creditor would also incur a one-time burden of 25 hours to develop and obtain board approval of a Program, and a one-time burden of 4 hours to train the financial institution's or creditor's staff, for a total of 29 additional burden hours. Staff estimates that these burdens would result in additional costs of $15,603 for each financial institution or creditor that offers or maintains covered accounts.^[2]

SEC staff estimates that approximately 571 SEC-regulated financial institutions and creditors are newly formed each year.^[3] Each of these 571 entities will need to conduct an initial assessment of covered accounts, for a total of 1,142 hours at a total cost of $519,610.^[4] Of these 571 entities, staff estimates that approximately 90% (or 514) maintain covered accounts.^[5] Accordingly, staff estimates that the additional initial burden for SEC-regulated entities that are likely to qualify as financial institutions or creditors and maintain covered accounts is 14,906 hours at an ( printed page 14306) additional cost of $8,019,942.^[6] Thus, the total initial estimated burden for all newly-formed SEC-regulated entities is 16,048 hours at a total estimated cost of $8,539,552.^[7]

Each financial institution and creditor would be required to conduct periodic assessments to determine if the entity offers or maintains covered accounts, which SEC staff estimates would entail an annual burden of 1 hour per entity. Staff estimates that this burden would result in an annual cost of $455 to each financial institution or creditor.^[8] To the extent a financial institution or creditor offers or maintains covered accounts, staff estimates that the financial institution or creditor also would incur an annual burden of 2.5 hours to prepare and present an annual report to the board, and an annual burden of 7 hours to periodically review and update the Program (including review and preservation of contracts with service providers, as well as review and preservation of any documentation received from service providers). Staff estimates that these burdens would result in additional annual costs of $8,638 for each financial institution or creditor that offers or maintains covered accounts.^[9]

SEC staff estimates that there are 9,915 SEC-regulated entities that are either financial institutions or creditors, and that all of these will be required to periodically review their accounts to determine if they offer or maintain covered accounts, for a total of 9,915 hours for these entities at a total cost of $4,511,325.^[10] Of these 9,915 entities, staff estimates that approximately 90 percent, or 8,924, maintain covered accounts, and thus will need the additional burdens related to complying with the rules.^[11] Accordingly, staff estimates that the additional annual burden for SEC-regulated entities that qualify as financial institutions or creditors and maintain covered accounts is 84,778 hours at an additional cost of $77,085,512.^[12] Thus, the total estimated ongoing annual burden for all SEC-regulated entities is 94,693 hours at a total estimated annual cost of $81,596,837.^[13]

The collections of information required by section 248.202 will apply only to SEC-regulated entities that issue credit or debit cards.^[14] SEC staff understands that SEC-regulated entities generally do not issue credit or debit cards, but instead partner with other entities, such as banks, that issue cards on their behalf. These other entities, which are not regulated by the SEC, are already subject to substantially similar change of address obligations pursuant to the Agencies' identity theft red flags rules. Therefore, staff does not expect that any SEC-regulated entities will be subject to the information collection requirements of section 248.202, and accordingly, staff estimates that there is no hour or cost burden for SEC-regulated entities related to section 248.202.

In total, SEC staff estimates that the aggregate annual information collection burden of Regulation S-ID is 110,741 hours (16,048 hours + 94,693 hours). This estimate of burden hours is made solely for the purposes of the Paperwork Reduction Act and is not derived from a quantitative, comprehensive, or even representative survey or study of the burdens associated with Commission rules and forms. Compliance with Regulation S-ID, including compliance with the information collection requirements thereunder, is mandatory for each SEC-regulated entity that qualifies as a “financial institution” or “creditor” under Regulation S-ID (as discussed above, certain collections of information under Regulation S-ID are mandatory only for financial institutions or creditors that offer or maintain covered accounts). Responses will not be kept confidential. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid control number.

Written comments are invited on: (i) Whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; (ii) the accuracy of the agency's estimate of the burden of the collection of information; (iii) ways to enhance the quality, utility, and clarity of the information collected; and (iv) ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or other forms of information technology. Consideration will be given to comments and suggestions submitted in writing within 60 days of this publication May 13, 2022.

Please direct your written comments to David Bottom, Director/Chief Information Officer, Securities and Exchange Commission, C/O John R. Pezzullo, 100 F Street NE, Washington, DC 20549; or send an email to: PRA_Mailbox@sec.gov.

Upon Written Request, Copies Available From: Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 20549-2736.

Dated: March 9, 2022.

J. Matthew DeLesDernier,

Assistant Secretary.

Footnotes

1. This estimate is based on the following calculation: 2 hours × $455 (hourly rate for internal counsel) = $910. See infra note 2 (discussing the methodology for estimating the hourly rate for internal counsel).

Back to Citation

2. SEC staff estimates that, of the 29 hours incurred to develop and obtain board approval of a Program and train the financial institution's or creditor's staff, 10 hours will be spent by internal counsel at an hourly rate of $455, 17 hours will be spent by administrative assistants at an hourly rate of $89, and 2 hours will be spent by the board of directors as a whole at an hourly rate of $4,770. Thus, the estimated $15,603 in additional costs is based on the following calculation: (10 hours × $455 = $4,550) + (17 hours × $89 = $1,513) + (2 hours × $4,770 = $9,540) = $15,603.

The cost estimate for internal counsel is derived from SIFMA's Management & Professional Earnings in the Securities Industry 2013, modified to account for an 1800-hour work-year and multiplied by 5.35 to account for bonuses, entity size, employee benefits, and overhead, and adjusted for inflation. The cost estimated for administrative assistants is derived from SIFMA's Office Salaries in the Securities Industry 2013, modified to account for an 1800-hour work-year and multiplied by 2.93 to account for bonuses, entity size, employee benefits and overhead, and adjusted for inflation. The cost estimate for the board of directors is derived from estimates made by SEC staff regarding typical board size and compensation that is based on information received from fund representatives and publicly available sources, and adjusted for inflation.

Back to Citation

3. Based on a review of new registrations typically filed with the SEC each year, SEC staff estimates that approximately 1,277 investment advisers, 109 broker dealers, 34 investment companies, and 2 ESCs typically apply for registration with the SEC or otherwise are newly formed each year, for a total of 1,422 entities that could be financial institutions or creditors. Of these, staff estimates that all of the investment companies, ESCs, and broker-dealers are likely to qualify as financial institutions or creditors, and 33% of investment advisers (or 426) are likely to qualify. See Identity Theft Red Flags, Investment Company Act Release No. 30456 (Apr. 10, 2013) (“Adopting Release”) at n.190 (discussing the staff's analysis supporting its estimate that 33% of investment advisers are likely to qualify as financial institutions or creditors). We therefore estimate that a total of 571 total financial institutions or creditors will bear the initial one-time burden of assessing covered accounts under Regulation S-ID.

Back to Citation

4. These estimates are based on the following calculations: 571 entities × 2 hours = 1,142 hours; 571 entities × $910 = $519,610.

Back to Citation

5. In the Proposing Release, the SEC requested comment on the estimate that approximately 90% of all financial institutions and creditors maintain covered accounts; the SEC received no comments on this estimate.

Back to Citation

6. These estimates are based on the following calculations: 514 financial institutions and creditors that maintain covered accounts × 29 hours = 14,906 hours; 514 financial institutions and creditors that maintain covered accounts × $15,603 = $8,019,942.

Back to Citation

7. These estimates are based on the following calculations: 1,142 hours + 14,906 hours = 16,048 hours; $519,610 + $8,019,942 = $8,539,552.

Back to Citation

8. This estimate is based on the following calculation: 1 hour × $455 (hourly rate for internal counsel) = $455. See supra note 2 (discussing the methodology for estimating the hourly rate for internal counsel).

Back to Citation

9. Staff estimates that, of the 9.5 hours incurred to prepare and present the annual report to the board and periodically review and update the Program, 8.5 hours will be spent by internal counsel at an hourly rate of $455, and 1 hour will be spent by the board of directors as a whole at an hourly rate of $4,770. Thus, the estimated $7,874 in additional annual costs is based on the following calculation: (8.5 hours × $455 = $3,868) + (1 hour × $4,770 = $4,770) = $8,638. See supra note 2 (discussing the methodology for estimating the hourly rate for internal counsel and the board of directors).

Back to Citation

10. Based on a review of entities that the SEC regulates, SEC staff estimates that, as of September 30, 2021, there are approximately 14,705 investment advisers, 3,533 broker-dealers, 1,380 active open-end investment companies, and 100 ESCs. Of these, staff estimates that all of the broker-dealers, open-end investment companies and ESCs are likely to qualify as financial institutions or creditors. We also estimate that approximately 33% of investment advisers, or 4,902 investment advisers, are likely to qualify. See Adopting Release, supra note 3, at n.190 (discussing the staff's analysis supporting its estimate that 33% of investment advisers are likely to qualify as financial institutions or creditors). We therefore estimate that a total of 9,915 financial institutions or creditors will bear the ongoing burden of assessing covered accounts under Regulation S-ID. (The SEC staff estimates that the other types of entities that are covered by the scope of the SEC's rules will not be financial institutions or creditors and therefore will not be subject to the rules' requirements.)

The estimates of 9,915 hours and $3,784,800 are based on the following calculations: 9,915 financial institutions and creditors × 1 hour = 9,915 hours; 9,915 financial institutions and creditors × $455 = $4,511,325.

Back to Citation

11. See supra note 5 and accompanying text. If a financial institution or creditor does not maintain covered accounts, there would be no ongoing annual burden for purposes of the PRA.

Back to Citation

12. These estimates are based on the following calculations: 8,924 financial institutions and creditors that maintain covered accounts × 9.5 hours = 84,778 hours; 8,924 financial institutions and creditors that maintain covered accounts × $8,638 = $77,085,512.

Back to Citation

13. These estimates are based on the following calculations: 9,915 hours + 84,778 hours = 94,693 hours; $4,511,325 + $77,085,512 = $81,596,837.

Back to Citation

14. § 248.202(a).

Back to Citation

[FR Doc. 2022-05350 Filed 3-11-22; 8:45 am]

BILLING CODE 8011-01-P

Legal Citation

Federal Register Citation

Use this for formal legal and research references to the published document.

87 FR 14305

Web Citation

Suggested Web Citation

Use this when citing the archival web version of the document.

“Proposed Collection; Comment Request; Extension: Regulation S-ID,” thefederalregister.org (March 14, 2022), https://thefederalregister.org/documents/2022-05350/proposed-collection-comment-request-extension-regulation-s-id.