SUPPORTING STATEMENT
Rule 248.30
1. Necessity for the Information Collection
Section 501 of the Gramm-Leach-Bliley Act (the “GLBA” or “Act”) (15 U.S.C. 6801) directs the Commission, and other federal financial regulators, to require that financial institutions establish appropriate administrative, technical, and physical safeguards to “insure the security and confidentiality of customer records and information,” “protect against any anticipated threats or hazards to the security and integrity” of those records, and protect against unauthorized access to or use of those records or information, which “could result in substantial harm or inconvenience to any customer.”[1] Pursuant to this provision, the Commission adopted rule 248.30(a) (the “safeguard rule”) under Regulation S-P (17 CFR 248.30(a)) in 2000 and subsequently amended the rule in 2001 and 2004.[2] The safeguard rule requires brokers, dealers, investment companies, and investment advisers registered with the Commission (“registered investment advisers”) (collectively “covered institutions”) to adopt written policies and procedures for administrative, technical, and physical safeguards to protect customer records and information. The safeguards must be reasonably designed to meet the Act’s objectives.[3]
2. Purpose of the Information Collection
The safeguard rule’s requirement that covered institutions’ policies and procedures be in writing constitutes a “collection of information” requirement within the meaning of the Paperwork Reduction Act of 1995.[4] The rule is designed to ensure that covered institutions maintain reasonable safeguard policies and procedures. Requiring written safeguard policies and procedures eliminates uncertainty as to what actions an employee must take to protect customer records and information and promotes more systematic and organized reviews of safeguard policies and procedures by institutions. The information collection also assists the Commission’s examination staff in assessing the existence and the adequacy of covered institutions’ safeguard policies and procedures.
3. Role of Improved Information Technology
The safeguard rule does not require the reporting of any information or the filing of any documents with the Commission. The rule requires covered institutions to maintain their safeguard policies and procedures in writing. The Electronic Signatures in Global and National Commerce Act[5] and the interpretive guidance and conforming amendments to rules under the Exchange Act and the Investment Company Act permit broker-dealers and funds to maintain records electronically. The Commission also permits registered investment advisers to maintain the records required under rule 204-2 through electronic media.[6]
4. Efforts to Identify Duplication
The safeguard rule imposes a requirement that covered institutions maintain and document their safeguard policies and procedures in writing. Covered institutions are subject to similar requirements elsewhere in the federal securities laws and rules of the self-regulatory organizations that require them to adopt written policies and procedures.[7] The safeguard rule, however, does not require covered institutions to maintain duplicate copies of records covered by the rule, and an institution’s safeguard policies and procedures do not have to be maintained in a single location. Moreover, although the safeguard rule requires broker-dealers and investment companies to keep certain records that may be required under the general recordkeeping provisions of rule 17a-3 under the Exchange Act[8] and rule 31a-1 under the Investment Company Act,[9] the overlap is limited and the Commission does not require a broker-dealer or investment company to maintain duplicate copies of the records. The staff believes, therefore, that any duplication of regulatory requirements is limited and does not impose significant additional costs on institutions.
5. Effect on Small Entities
Every covered institution, regardless of its size, is subject to the safeguard rule’s requirements. Regardless of the size of the entity, a covered entity could not reasonably manage the safeguarding of customer records and information without written policies and procedures. The safeguard rule requires covered institutions to adopt policies and procedures “reasonably designed” to protect customer information and records. Accordingly, the rule permits covered institutions to tailor their policies and procedures to the institution’s particular systems, methods of information gathering, and customer needs. Thus, a small institution with relatively simple policies and procedures reflecting simple business operations would likely take less time to document those policies and procedures than would a large institution with complex and very detailed policies and procedures. Exempting small entities from the safeguard rule, or otherwise changing the requirements of the rule, would jeopardize the interests of investors who use these institutions’ services, and who need the same protections as the investors who use the services of large entities.
6. Consequences of Less Frequent Collection
The safeguard rule requires covered institutions to maintain written policies and procedures. These policies and procedures would have to be written when first adopted and revised only as the safeguard policies and procedures are changed. Thus, the collection of information is required only as necessary to reflect current policies and procedures.
7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)
The safeguard rule requires covered institutions to maintain written safeguard policies and procedures on an ongoing basis. Although this period would exceed the three-year guideline for most kinds of records under 5 CFR 1320.5(d)(2)(iv), the staff believes that this is warranted because the rule assists in informing and training the institutions’ employees and contributes to the effectiveness of the Commission’s examination and inspection program.
8. Consultation Outside the Agency
The Commission requested public comment on the information collection requirement in the safeguard rule before it submitted this request for extension and approval to the Office of Management and Budget. The Commission received no comments to its request. The Commission and the staff of the Divisions of Investment Management and Trading and Markets participate in an ongoing dialogue with representatives of the industry through public conferences, meetings, and informal exchanges. These various forums provide the Commission and the staff with a means of ascertaining the magnitude of the paperwork burdens confronting the industry.
9. Payment or Gift to Respondents
Not applicable.
10. Assurance of Confidentiality
Not applicable.
11. Sensitive Questions
Not applicable.
12. Estimates of Hour Burden
The safeguard rule requires each covered institution to maintain written policies and procedures regarding the safeguarding of customer records and information. We believe that almost all covered institutions have already documented their safeguard policies and procedures in writing because this has been a requirement under the rule since July 1, 2005. In addition, these institutions have a strong interest in preventing security threats, such as identity theft or threats to their computer systems, as a matter of good business practice and state law.
We estimate that as of the end of 2009, there are 5253 broker-dealers, 4522 investment companies, and 11,450 investment advisers currently registered with the Commission, for a total of 21,225 covered institutions. We believe that all of these covered institutions have already documented their safeguard policies and procedures in writing and therefore will incur no hourly burdens related to the initial documentation of policies and procedures.
However, we expect that approximately 10 percent of the 21,225 covered institutions currently registered with the Commission will review and update their policies and procedures each year, for a total of 2123 covered institutions that will spend time to update their policies and procedures. The amount of time spent reviewing and updating safeguard policies and procedures is likely to vary widely, based on the size of the entity, the complexity of its operations, and any significant changes in the security environment. We estimate that it will take a typical covered institution that reviews and updates its safeguard policies and procedures approximately 20 hours to complete such a review and document the results, for a total hourly burden for all institutions of 42,460 hours.[10] We expect that half of such a review would be completed by counsel employed by the entity (“inside counsel”) at an hourly rate of $305, and half will be completed by compliance personnel at an hourly rate of $258,[11] for a total cost of $11,952,490.[12]
Although existing covered institutions would not incur any initial hourly burden in complying with the safeguards rule, we expect that newly registered institutions would incur some hourly burdens associated with documenting their safeguard policies and procedures. We estimate that approximately 1500 broker-dealers, investment companies, or investment advisers register with the Commission annually. However, we also expect that approximately 70% of these newly registered covered institutions (1050)[13] are affiliated with an existing covered institution, and will rely on an organization-wide set of previously documented safeguard policies and procedures created by their affiliates. We estimate that these affiliated newly registered covered institutions will incur a significantly reduced hourly burden in complying with the safeguards rule, as they will need only to review their affiliate’s existing policies and procedures, and identify and adopt the relevant policies for their business. Therefore, we expect that newly registered covered institutions with existing affiliates will incur an hourly burden of approximately 15 hours in identifying and adopting safeguard policies and procedures for their business, for a total hourly burden for all affiliated new institutions of 15,750 hours.[14] We expect that half of this time would be incurred by inside counsel at an hourly rate of $305, and half would be by a compliance officer at an hourly rate of $258, for a total cost of $4,433,625.[15]
Finally, we expect that the 450 newly registered entities that are not affiliated with an existing institution will incur a significantly higher hourly burden in reviewing and documenting their safeguard policies and procedures. We expect that virtually all of the newly registered covered entities that do not have an affiliate are likely to be small entities and are likely to have smaller and less complex operations, with a correspondingly smaller set of safeguard policies and procedures to document, compared to other larger existing institutions with multiple affiliates. We estimate that it will take a typical newly registered unaffiliated institution approximately 65 hours to review, identify, and document their safeguard policies and procedures, for a total of 29,250 hours for all newly registered unaffiliated entities.[16] We expect that half of this time would be incurred by inside counsel at an hourly rate of $305, and half would be by a compliance officer at an hourly rate of $258, for a total cost of $8,233,875.[17]
Therefore, we estimate that the total annual hourly burden associated with the safeguards rule is 87,460 hours at a total hourly cost of $24,619,990.[18] We also estimate that all covered institutions will be respondents each year, for a total of 21,225 respondents.
13. Estimate of Total Annual Cost Burden
The staff estimates that the safeguard rule does not impose a material cost burden, apart from the cost of the burden hours identified in section 12, on covered institutions. Although these entities are likely to retain these records for as long as the institution maintains policies and procedures, these records could be maintained electronically and, even if maintained in hard copy, would not likely be extensive. The staff has not estimated a capital/startup cost in connection with the recordkeeping requirements because covered institutions would likely use existing recordkeeping systems to maintain the required compliance records.
14. Estimate of Cost to the Federal Government
There is no cost to the federal government of administering the information collection requirements in rule 248.30(a) under the GLBA.
15. Explanation of Changes in Burden
The decrease in estimated total annual burden hours from 91,575 hours to 87,460 hours is a result of changes in the staff’s estimated hourly burden for entities that update their policies and procedures and/or adopt new policies and procedures under the rule. The decrease is also attributable to a change in the staff’s method of calculating those hourly burdens and of calculating the effects of the different sizes of respondents on the hourly burden estimates. These estimates are based on an informal survey of fewer than 9 representatives from entities that must comply with rule 248.30(a).
16. Information Collection Planned for Statistical Purposes
Not applicable.
17. Approval to Not Display Expiration Date
Not applicable.
18. Exception to Certification Statement
Not applicable.
1 See 15 U.S.C. 6801(b). See also section 505 of the GLBA (15 U.S.C. 6805), directing the Commission to enforce the Act’s safeguard requirements under the Securities Exchange Act of 1934 (15 U.S.C. 78a) (the “Exchange Act”), the Investment Company Act of 1940 (15 U.S.C. 80a) (the “Investment Company Act”), and the Investment Advisers Act of 1940 (15 U.S.C. 80b-1).
2 See Privacy of Consumer Financial Information (Regulation S-P), Investment Company Act Release No. 24543 (Jun. 22, 2000) [56 FR 40334 (Jun. 29, 2000)]; Registration of Broker-Dealers Pursuant to Section 15(b)(11) of the Securities Exchange Act of 1934, Exchange Act Release No. 44730 (Aug. 21, 2001) [66 FR 45237 (Aug. 27, 2001)] (permitting notice-registered broker-dealers to comply with Regulation S-P by complying with financial privacy rules adopted by the Commodity Futures Trading Commission); and Disposal of Consumer Report Information, Investment Company Act Release No. 26685 [69 FR 71329 (Dec. 8, 2004)] (“Disposal Rule Adopting Release”) (requiring that covered institutions’ safeguard policies and procedures be documented in writing).
3 In addition, section 216 of the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) (15 U.S.C. 1861w(a)(1)) directs the Commission and other federal agencies to adopt regulations for the proper disposal of consumer information, and provides that any person who maintains or possesses consumer report information or any compilation of consumer information derived from a consumer report for a business purpose must properly dispose of the information. The Commission implemented this provision by adopting rule 248.30(b) (the “disposal rule”) under Regulation S-P (17 CFR 248.30(b)) in 2004. See id. Disposal Rule Adopting Release. The disposal rule, however, does not impose any recordkeeping requirement or otherwise include any requirement that constitutes a “collection of information” as it is defined in the regulations implementing the Paperwork Reduction Act of 1995 (44 U.S.C. 3501).
4 The safeguard rule is currently approved under OMB control number 3235-0610.
5 15 U.S.C. 7001.
6 17 CFR 275.204(g).
7 See, e.g., 17 CFR 270.17j-1(c)(1) (requiring a fund and each investment adviser and principal underwriter of the fund to “adopt a written code of ethics containing provisions reasonably necessary to prevent” certain persons affiliated with the fund, its investment adviser or its principal underwriter from engaging in certain fraudulent, manipulative, and deceptive actions with respect to the fund); 15 U.S.C. 80b-4a (requiring each adviser registered with the Commission to have written policies and procedures reasonably designed to prevent the misuse of material non-public information by the adviser or persons associated with the adviser); and NASD Conduct Rule 3010 (requiring each broker-dealer to establish and maintain written procedures to supervise the types of business it is engaged in and to supervise the activities of registered representatives and associated persons).
8 17 CFR 240.17a-3 (requiring broker-dealers to make and keep, among other things, blotters or other records of original entry, securities position records, and order tickets).
9 17 CFR 270.31a-1(b)(4), 17 CFR 270.31a-1(b)(11) (requiring investment companies to maintain, among other things, minute books of directors’ meetings and “files of all advisory material received from the investment adviser”).
10 This estimate is based on the following calculation: 20 hours x 2123 covered institutions = 42,460 hours.
11 All hourly rates used in this analysis are derived from salaries reported in Securities Industry Association, Management and Professional Earnings in the Securities Industry (2008) modified to account for an 1800-hour work-year and multiplied by 5.35 to account for bonuses, firm size, employee benefits and overhead.
12 This estimate is based on the following calculation: 42,460 hours/ 2 = 21,230 hours; 21,230 hours x $305 per hour = $6,475,150; 21,230 hours x $258 per hour = $5,477,340; $5,477,340 + $6,475,150 = $11,952,490.
13 This estimate is based on the following calculations: 1500 newly registered entities x 70% with affiliates = 1050 affiliated entities; 1500 newly registered entities - 1050 affiliated entities = 450 unaffiliated new entities.
14 This estimate is based on the following calculation: 15 hours x 1050 covered institutions = 15,750 hours.
15 This estimate is based on the following calculations: 15,750 hours/ 2 = 7875 hours; 7875 hours x $305 per hour = $2,401,875; 7875 hours x $258 = $2,031,750; $2,401,875 + $2,031,750 = $4,433,625.
16 This estimate is based on the following calculation: 65 hours x 450 covered institutions = 29,250 hours.
17 This estimate is based on the following calculations: 29,250 hours/ 2 = 14,625 hours; 14,625 hours x $305 per hour = $4,460,625; 14,625 hours x $258 = $3,773,250; $4,460,625 + $3,773,250 = $8,233,875.
18 This estimate is based on the following calculations: 42,460 hours for updating policies and procedures + 15,750 hours for affiliated newly registered entities + 29,250 hours for unaffiliated newly registered entities = 87,460 total hours; $11,952,490 + $4,433,625 + $8,233,875 = $24,619,990.
File Type | application/msword |
File Title | SUPPORTING STATEMENT |
Last Modified By | abernethyd |
File Modified | 2010-02-16 |
File Created | 2010-01-21 |