
[Federal Register Volume 84, Number 32 (Friday, February 15, 2019)]
[Notices]
[Pages 4549-4551]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-01368]


=======================================================================
-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION


Proposed Collection; Comment Request

Upon Written Request, Copies Available From: Securities and Exchange 
Commission, Office of FOIA Services, 100 F Street NE, Washington, DC 
20549-2736.

Extension:
    Regulation S-ID, SEC File No. 270-644, OMB Control No. 3235-0692

    Notice is hereby given that, pursuant to the Paperwork Reduction 
Act of 1995 (44 U.S.C. 3501 et seq.), the Securities and Exchange 
Commission (the ``Commission'') is soliciting comments on the 
collection of information summarized below. The Commission plans to 
submit this existing collection of information to the Office of 
Management and Budget for extension and approval.
    Regulation S-ID (17 CFR 248), including the information collection 
requirements thereunder, is designed to better protect investors from 
the risks of identity theft. Under Regulation S-ID, SEC-regulated 
entities are required to develop and implement reasonable policies and 
procedures to identify, detect, and respond to relevant red flags (the 
``Identity Theft Red Flags Rules'') and, in the case of entities that 
issue credit or debit cards, to assess the validity of, and communicate 
with cardholders regarding, address changes. Section 248.201 of 
Regulation S-ID includes the following information collection 
requirements for each SEC-regulated entity that qualifies as a 
``financial institution'' or ``creditor'' under Regulation S-ID and 
that offers or maintains covered accounts: (i) Creation and periodic 
updating of an identity theft prevention program (``Program'') that is 
approved by the board of directors, an appropriate committee thereof, 
or a designated senior management employee; (ii) periodic staff 
reporting to the board of directors on compliance with the Identity 
Theft Red Flags Rules and related guidelines; and (iii) training of 
staff to implement the Program. Section 248.202 of Regulation S-ID 
includes the following information collection requirements for each 
SEC-regulated entity that is a credit or debit card issuer: (i) 
Establishment of policies and procedures that assess the validity of a 
change of address notification if a request for an additional or 
replacement card on the account follows soon after the address change; 
and (ii) notification of a cardholder, before issuance of an additional 
or replacement card, at the previous address or through some other 
previously agreed-upon form of communication, or alternatively, 
assessment of the validity of the address change request through the 
entity's established policies and procedures.
    SEC staff estimates of the hour burdens associated with section 
248.201 under Regulation S-ID include the one-time burden of complying 
with this section for newly-formed SEC-regulated entities, as well as 
the ongoing costs of compliance for all SEC-regulated entities.
    All newly-formed financial institutions and creditors would be 
required to conduct an initial assessment of covered accounts, which 
SEC staff estimates would entail a one-time burden of 2 hours. Staff 
estimates that this burden would result in a cost of $802 to each 
newly-formed financial institution or creditor.\1\ To the extent a 
financial institution or creditor offers or maintains covered accounts, 
SEC staff estimates that the financial institution or creditor also 
would also incur a one-time burden of 25 hours to develop and obtain 
board approval of a Program, and a one-time burden of 4 hours to train 
the financial institution's or creditor's staff, for a total of 29 
additional burden hours. Staff estimates that these burdens would 
result in additional costs of $14,266 for each financial institution or 
creditor that offers or maintains covered accounts.\2\
---------------------------------------------------------------------------

    \1\ This estimate is based on the following calculation: 2 hours 
x $401 (hourly rate for internal counsel) = $802. See infra note 2 
(discussing the methodology for estimating the hourly rate for 
internal counsel).
    \2\ SEC staff estimates that, of the 29 hours incurred to 
develop and obtain board approval of a Program and train the 
financial institution's or creditor's staff, 10 hours will be spent 
by internal counsel at an hourly rate of $401, 17 hours will be 
spent by administrative assistants at an hourly rate of $78, and 2 
hours will be spent by the board of directors as a whole at an 
hourly rate of $4,465. Thus, the estimated $13,858 in additional 
costs is based on the following calculation: (10 hours x $401 = 
$4,010) + (17 hours x $78 = $1,326) + (2 hours x $4,465 = $8,930) = 
$14,266.
     The cost estimate for internal counsel is derived from SIFMA's 
Management & Professional Earnings in the Securities Industry 2013, 
modified to account for an 1800-hour work-year and multiplied by 
5.35 to account for bonuses, entity size, employee benefits, and 
overhead, and adjusted for inflation. The cost estimate for 
administrative assistants is derived from SIFMA's Office Salaries in 
the Securities Industry 2013, modified to account for an 1800-hour 
work-year and multiplied by 2.93 to account for bonuses, entity 
size, employee benefits, and overhead, and adjusted for inflation. 
The cost estimate for the board of directors is derived from 
estimates made by SEC staff regarding typical board size and 
compensation that is based on information received from fund 
representatives and publicly-available sources, and adjusted for 
inflation.

---------------------------------------------------------------------------

[[Page 4550]]

    SEC staff estimates that approximately 613 SEC-regulated financial 
institutions and creditors are newly formed each year.\3\ Each of these 
613 entities will need to conduct an initial assessment of covered 
accounts, for a total of 1,226 hours at a total cost of $491,626.\4\ Of 
these 613 entities, staff estimates that approximately 90% (or 552) 
maintain covered accounts.\5\ Accordingly, staff estimates that the 
additional initial burden for SEC-regulated entities that are likely to 
qualify as financial institutions or creditors and maintain covered 
accounts is 16,008 hours at an additional cost of $7,874,832.\6\ Thus, 
the total initial estimated burden for all newly-formed SEC-regulated 
entities is 17,234 hours at a total estimated cost of $8,366,458.\7\
---------------------------------------------------------------------------

    \3\ Based on a review of new registrations typically filed with 
the SEC each year, SEC staff estimates that approximately 1,218 
investment advisers, 109 broker dealers, 96 investment companies, 
and 2 ESCs typically apply for registration with the SEC or 
otherwise are newly formed each year, for a total of 1,425 entities 
that could be financial institutions or creditors. Of these, staff 
estimates that all of the investment companies, ESCs, and broker-
dealers are likely to qualify as financial institutions or 
creditors, and 33% of investment advisers (or 406) are likely to 
qualify. See Adopting Release, supra note at n.190 (discussing the 
staff's analysis supporting its estimate that 33% of investment 
advisers are likely to qualify as financial institutions or 
creditors). We therefore estimate that a total of 613 total 
financial institutions or creditors will bear the initial one-time 
burden of assessing covered accounts under Regulation S-ID.
    \4\ These estimates are based on the following calculations: 613 
entities x 2 hours = 1,226 hours; 613 entities x $802 = $491,626.
    \5\ In the Proposing Release, the SEC requested comment on the 
estimate that approximately 90% of all financial institutions and 
creditors maintain covered accounts; the SEC received no comments on 
this estimate.
    \6\ These estimates are based on the following calculations: 552 
financial institutions and creditors that maintain covered accounts 
x 29 hours = 16,008 hours; 552 financial institutions and creditors 
that maintain covered accounts x $14,266 = $7,874,832.
    \7\ These estimates are based on the following calculations: 
1,226 hours + 16,008 hours = 17,234 hours; $491,626 + $7,874,832 = 
$8,366,458.
---------------------------------------------------------------------------

    Each financial institution and creditor would be required to 
conduct periodic assessments to determine if the entity offers or 
maintains covered accounts, which SEC staff estimates would entail an 
annual burden of 1 hour per entity. Staff estimates that this burden 
would result in an annual cost of $401 to each financial institution or 
creditor.\8\ To the extent a financial institution or creditor offers 
or maintains covered accounts, staff estimates that the financial 
institution or creditor also would incur an annual burden of 2.5 hours 
to prepare and present an annual report to the board, and an annual 
burden of 7 hours to periodically review and update the Program 
(including review and preservation of contracts with service providers, 
as well as review and preservation of any documentation received from 
service providers). Staff estimates that these burdens would result in 
additional annual costs of $7,874 for each financial institution or 
creditor that offers or maintains covered accounts.\9\
---------------------------------------------------------------------------

    \8\ This estimate is based on the following calculation: 1 hour 
x $401 (hourly rate for internal counsel) = $401. See supra note 2 
(discussing the methodology for estimating the hourly rate for 
internal counsel).
    \9\ Staff estimates that, of the 9.5 hours incurred to prepare 
and present the annual report to the board and periodically review 
and update the Program, 8.5 hours will be spent by internal counsel 
at an hourly rate of $401, and 1 hour will be spent by the board of 
directors as a whole at an hourly rate of $4,465. Thus, the 
estimated $7,874 in additional annual costs is based on the 
following calculation: (8.5 hours x $401 = $3,409) + (1 hour x 
$4,465 = $4,465) = $7,874. See supra note 2 (discussing the 
methodology for estimating the hourly rate for internal counsel and 
the board of directors).
---------------------------------------------------------------------------

    SEC staff estimates that there are 9,922 SEC-regulated entities 
that are either financial institutions or creditors, and that all of 
these will be required to periodically review their accounts to 
determine if they offer or maintain covered accounts, for a total of 
9,922 hours for these entities at a total cost of $3,978,722.\10\ Of 
these 9,922 entities, staff estimates that approximately 90 percent, or 
8,930, maintain covered accounts, and thus will need the additional 
burdens related to complying with the rules.\11\ Accordingly, staff 
estimates that the additional annual burden for SEC-regulated entities 
that qualify as financial institutions or creditors and maintain 
covered accounts is 84,835 hours at an additional cost of 
$70,314,820.\12\ Thus, the total estimated ongoing annual burden for 
all SEC-regulated entities is 94,757 hours at a total estimated annual 
cost of $74,293,542.\13\
---------------------------------------------------------------------------

    \10\ Based on a review of entities that the SEC regulates, SEC 
staff estimates that, as of September 1, 2018, there are 
approximately 13,181 investment advisers, 3,839 broker-dealers, 
1,589 active open-end investment companies, and 100 ESCs. Of these, 
staff estimates that all of the broker-dealers, open-end investment 
companies and ESCs are likely to qualify as financial institutions 
or creditors. We also estimate that approximately 33% of investment 
advisers, or 4,394 investment advisers, are likely to qualify. See 
Adopting Release, supra note at n.190 (discussing the staff's 
analysis supporting its estimate that 33% of investment advisers are 
likely to qualify as financial institutions or creditors). We 
therefore estimate that a total of 9,922 financial institutions or 
creditors will bear the ongoing burden of assessing covered accounts 
under Regulation S-ID. (The SEC staff estimates that the other types 
of entities that are covered by the scope of the SEC's rules will 
not be financial institutions or creditors and therefore will not be 
subject to the rules' requirements.)
     The estimates of 9,922 hours and $3,784,800 are based on the 
following calculations: 9,922 financial institutions and creditors x 
1 hour = 9,922 hours; 9,922 financial institutions and creditors x 
$401 = $3,978,722.
    \11\ See supra note 5 and accompanying text. If a financial 
institution or creditor does not maintain covered accounts, there 
would be no ongoing annual burden for purposes of the PRA.
    \12\ These estimates are based on the following calculations: 
8,930 financial institutions and creditors that maintain covered 
accounts x 9.5 hours = 84,835 hours; 8,930 financial institutions 
and creditors that maintain covered accounts x $7,874 = $70,314,820.
    \13\ These estimates are based on the following calculations: 
9,922 hours + 84,835 hours = 94,757 hours; $3,978,722 + $70,314,820 
= $74,293,542.
---------------------------------------------------------------------------

    The collections of information required by section 248.202 under 
Regulation S-ID will apply only to SEC-regulated entities that issue 
credit or debit cards. SEC staff understands that SEC-regulated 
entities generally do not issue credit or debit cards, but instead 
partner with other entities, such as banks, that issue cards on their 
behalf. These other entities, which are not regulated by the SEC, are 
already subject to substantially similar change of address obligations 
pursuant to other federal regulators' identity theft red flags rules. 
Therefore, staff does not expect that any SEC-regulated entities will 
be subject to the information collection requirements of section 
248.202, and accordingly, staff estimates that there is no hour burden 
related to section 248.202 for SEC-regulated entities.
    In total, SEC staff estimates that the aggregate annual information 
collection burden of Regulation S-ID is 111,991 hours (17,234 hours + 
94,757 hours). This estimate of burden hours is made solely for the 
purposes of the Paperwork Reduction Act and is not derived from a 
quantitative, comprehensive, or even representative survey or study of 
the burdens associated with Commission rules and forms. Compliance with

[[Page 4551]]

Regulation S-ID, including compliance with the information collection 
requirements thereunder, is mandatory for each SEC-regulated entity 
that qualifies as a ``financial institution'' or ``creditor'' under 
Regulation S-ID (as discussed above, certain collections of information 
under Regulation S-ID are mandatory only for financial institutions or 
creditors that offer or maintain covered accounts). Responses will not 
be kept confidential. An agency may not conduct or sponsor, and a 
person is not required to respond to, a collection of information 
unless it displays a currently valid control number.
    Written comments are invited on: (i) Whether the proposed 
collection of information is necessary for the proper performance of 
the functions of the agency, including whether the information will 
have practical utility; (ii) the accuracy of the agency's estimate of 
the burden of the collection of information; (iii) ways to enhance the 
quality, utility, and clarity of the information collected; and (iv) 
ways to minimize the burden of the collection of information on 
respondents, including through the use of automated collection 
techniques or other forms of information technology. Consideration will 
be given to comments and suggestions submitted in writing within 60 
days of this publication.
    Please direct your written comments to Charles Riddle, Acting 
Director/Chief Information Officer, Securities and Exchange Commission, 
C/O Candace Kenner, 100 F Street NE, Washington, DC 20549; or send an 
email to: PRA_Mailbox@sec.gov.

    Dated: February 1, 2019.
Eduardo A. Aleman,
Deputy Secretary.
[FR Doc. 2019-01368 Filed 2-14-19; 8:45 am]
 BILLING CODE 8011-01-P


