
[Federal Register Volume 81, Number 34 (Monday, February 22, 2016)]
[Notices]
[Pages 8765-8766]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-03519]


=======================================================================
-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION


Submission for OMB Review; Comment Request

Upon Written Request, Copies Available From: Securities and Exchange 
Commission, Office of FOIA Services, 100 F Street NE., Washington, DC 
20549-2736.

Extension:
    Regulation S-ID, SEC File No. 270-644, OMB Control No. 3235-
0692.

    Notice is hereby given that, pursuant to the Paperwork Reduction 
Act of 1995 (44 U.S.C. 3501 et seq.), the Securities and Exchange 
Commission (the ``Commission'') has submitted to the Office of 
Management and Budget a request for extension of the previously 
approved collection of information discussed below.
    Regulation S-ID (17 CFR 248), including the information collection 
requirements thereunder, is designed to better protect investors from 
the risks of identity theft. Under Regulation S-ID, SEC-regulated 
entities are required to develop and implement reasonable policies and 
procedures to identify, detect, and respond to relevant red flags (the 
``Identity Theft Red Flags Rules'') and, in the case of entities that 
issue credit or debit cards, to assess the validity of, and communicate 
with cardholders regarding, address changes. Section 248.201 of 
Regulation S-ID includes the following information collection 
requirements for each SEC-regulated entity that qualifies as a 
``financial institution'' or ``creditor'' under Regulation S-ID and 
that offers or maintains covered accounts: (i) Creation and periodic 
updating of an identity theft prevention program (``Program'') that is 
approved by the board of directors, an appropriate committee thereof, 
or a designated senior management employee; (ii) periodic staff 
reporting to the board of directors on compliance with the Identity 
Theft Red Flags Rules and related guidelines; and (iii) training of 
staff to implement the Program. Section 248.202 of Regulation S-ID 
includes the following information collection requirements for each 
SEC-regulated entity that is a credit or debit card issuer: (i) 
Establishment of policies and procedures that assess the validity of a 
change of address notification if a request for an additional or 
replacement card on the account follows soon after the address change; 
and (ii) notification of a cardholder, before issuance of an additional 
or replacement card, at the previous address or through some other 
previously agreed-upon form of communication, or alternatively, 
assessment of the validity of the address change request through the 
entity's established policies and procedures.
    SEC staff estimates of the hour burdens associated with section 
248.201 under Regulation S-ID include the one-time burden of complying 
with this section for newly-formed SEC-regulated entities, as well as 
the ongoing costs of compliance for all SEC-regulated entities. With 
respect to the one-time burden hours, staff estimates that each newly-
formed financial institution or creditor would incur a burden of 2 
hours to conduct an initial assessment of covered accounts. Staff 
estimates that approximately 644 SEC-regulated financial institutions 
and creditors are newly formed each year, and the total estimated one-
time burden to initially assess covered accounts is therefore 1,288 
hours. Staff also estimates that each financial institution or creditor 
that maintains covered accounts would incur an additional initial 
burden of 29 hours to develop and obtain board approval of a Program 
and to train the staff of the financial institution or creditor. Staff 
estimates that approximately 580 SEC-regulated financial institutions 
and creditors that maintain covered accounts are newly formed each 
year, and thus the total estimated one-time burden to develop and 
obtain board approval of a Program and train staff is 16,820 hours. 
Thus, the total initial estimated burden for all newly-formed SEC-
regulated entities is 18,108 hours (1,288 hours + 16,820 hours).
    With respect to ongoing annual burden hours, SEC staff estimates 
that each financial institution or creditor would incur a burden of 1 
hour to periodically assess whether it offers or maintains covered 
accounts. Staff estimates that there are approximately 9,960 SEC-
regulated entities that are either financial institutions or creditors, 
and the total estimated annual burden to periodically assess covered 
accounts is therefore 9,960 hours. Staff also estimates that each 
financial institution or creditor that maintains covered accounts would 
incur an additional annual burden of 9.5 hours to prepare and present 
an annual report to the board and to periodically review and update the 
Program. Staff estimates that there are approximately 8,964 SEC-
regulated entities that are financial institutions or creditors that 
offer or maintain covered accounts, and thus the total estimated 
additional annual burden for these entities is 85,158 hours. Thus, the 
total ongoing annual estimated burden for all SEC-regulated entities is 
95,118 hours (9,960 hours + 85,158 hours).
    The collections of information required by section 248.202 under 
Regulation S-ID will apply only to SEC-regulated entities that issue 
credit or debit cards. SEC staff understands that SEC-regulated 
entities generally do not issue credit or debit cards, but instead 
partner with other entities, such as banks, that issue cards on their 
behalf. These other entities, which are not regulated by the SEC, are 
already subject to substantially similar change of address obligations 
pursuant to other federal regulators' identity theft red flags rules. 
Therefore, staff does not expect that any SEC-regulated entities will 
be subject to the information collection requirements of section 
248.202, and accordingly, staff estimates that there is no hour burden 
related to section 248.202 for SEC-regulated entities.
    In total, SEC staff estimates that the aggregate annual information 
collection burden of Regulation S-ID is 113,226 hours (18,108 hours + 
95,118 hours). This estimate of burden hours is made solely for the 
purposes of the Paperwork Reduction Act and is not derived from a 
quantitative, comprehensive, or even representative survey or study of 
the burdens associated with Commission rules and forms. Compliance with 
Regulation S-ID, including compliance with the information collection 
requirements thereunder, is mandatory for each SEC-regulated entity 
that

[[Page 8766]]

qualifies as a ``financial institution'' or ``creditor'' under 
Regulation S-ID (as discussed above, certain collections of information 
under Regulation S-ID are mandatory only for financial institutions or 
creditors that offer or maintain covered accounts). Responses will not 
be kept confidential. An agency may not conduct or sponsor, and a 
person is not required to respond to, a collection of information 
unless it displays a currently valid control number.
    The public may view the background documentation for this 
information collection at the following Web site: www.reginfo.gov. 
Comments should be directed to: (i) Desk Officer for the Securities and 
Exchange Commission, Office of Information and Regulatory Affairs, 
Office of Management and Budget, Room 10102, New Executive Office 
Building, Washington, DC 20503, or by sending an email to: 
Shagufta_Ahmed@omb.eop.gov; and (ii) Pamela Dyson, Director/Chief 
Information Officer, Securities and Exchange Commission, c/o Remi 
Pavlik-Simon, 100 F Street NE., Washington, DC 20549 or send an email 
to: PRA_Mailbox@sec.gov. Comments must be submitted to OMB within 30 
days of this notice.

    Dated: February 16, 2016.
 Brent J. Fields,
Secretary.
[FR Doc. 2016-03519 Filed 2-19-16; 8:45 am]
 BILLING CODE 8011-01-P


