SUPPORTING STATEMENT
for the Paperwork Reduction Act Information Collection for
“Rule 248.30”
A. JUSTIFICATION
1. Information Collection Necessity
Section 501 of the Gramm-Leach-Bliley Act (the “GLBA” or “Act”) (15 U.S.C.
6801) directs the Commission, and other federal financial regulators, to require that
financial institutions establish appropriate administrative, technical, and physical
safeguards to “insure the security and confidentiality of customer records and
information,” “protect against any anticipated threats or hazards to the security and
integrity” of those records, and protect against unauthorized access to or use of those
records or information, which “could result in substantial harm or inconvenience to any
customer.” 1
Pursuant to this provision, the Commission adopted rule 248.30(a) (the “safeguard
rule”) under Regulation S-P (17 CFR 248.30(a)) in 2000. 2 The safeguard rule requires
brokers, dealers, investment companies, and investment advisers registered with the
Commission (“registered investment advisers”) (collectively “covered institutions”) to
adopt written policies and procedures for administrative, technical, and physical
safeguards to protect customer records and information. The safeguards must be
reasonably designed to meet the Act’s objectives.
1 See 15 U.S.C. 6801(b). See also section 505 of the GLBA (15 U.S.C. 6805), directing
the Commission to enforce the Act’s safeguard requirements under the Securities
Exchange Act of 1934 (15 U.S.C. 78a) (the “Exchange Act”), the Investment Company
Act of 1940 (15 U.S.C. 80a) (the “Investment Company Act”), and the Investment
Advisers Act of 1940 (15 U.S.C. 80b-1).
2 See Privacy of Consumer Financial Information (Regulation S-P), Investment Company
Act Release No. 24543 (Jun. 22, 2000) [56 FR 40334 (Jun. 29, 2000)].
Other than the safeguard rule, rule 248.30 does not impose any recordkeeping
requirement or otherwise include any requirement that constitutes a “collection of
information” as it is defined in the regulations implementing the Paperwork Reduction
Act of 1995 (44 U.S.C. 3501).
2. Information Collection Purpose
The safeguard rule’s requirement that covered institutions’ policies and
procedures be in writing constitutes a “collection of information” requirement within the
meaning of the Paperwork Reduction Act of 1995. 3 The rule is designed to ensure that
covered institutions maintain reasonable safeguard policies and procedures. Requiring
written safeguard policies and procedures eliminates uncertainty as to what actions an
employee must take to protect customer records and information and promotes more
systematic and organized reviews of safeguard policies and procedures by institutions.
The information collection also assists the Commission’s examination staff in assessing
the existence and the adequacy of covered institutions’ safeguard policies and procedures.
3. Consideration Given to Information Technology
The safeguard rule does not require the reporting of any information or the filing
of any documents with the Commission. The rule requires covered institutions to
maintain their safeguard policies and procedures in writing. The Electronic Signatures in
Global and National Commerce Act 4 and the interpretive guidance and conforming
amendments to rules under the Exchange Act and the Investment Company Act permit
broker-dealers and funds to maintain records electronically. The Commission also
permits registered investment advisers to maintain the records required under rule 204-2
through electronic media. 5
3 The safeguard rule is currently approved under OMB control number 3235-0610.
4 15 U.S.C. 7001.
4. Duplication
The safeguard rule imposes a requirement that covered institutions maintain and
document their safeguard policies and procedures in writing. Covered institutions are
subject to similar requirements elsewhere in the federal securities laws and rules of the
self-regulatory organizations that require them to adopt written policies and procedures. 6
The safeguard rule, however, does not require covered institutions to maintain duplicate
copies of records covered by the rule, and an institution’s safeguard policies and
procedures do not have to be maintained in a single location. Moreover, although the
safeguard rule requires broker-dealers and investment companies to keep certain records
that may be required under the general recordkeeping provisions of rule 17a-3 under the
Exchange Act 7 and rule 31a-1 under the Investment Company Act, 8 the overlap is limited
and the Commission does not require a broker-dealer or investment company to maintain
duplicate copies of the records. The staff believes, therefore, that any duplication of
regulatory requirements is limited and does not impose significant additional costs on
institutions.
5 17 CFR 275.204(g).
6 See, e.g., 17 CFR 270.17j-1(c)(1) (requiring a fund and each investment adviser and
principal underwriter of the fund to “adopt a written code of ethics containing provisions
reasonably necessary to prevent” certain persons affiliated with the fund, its investment
adviser or its principal underwriter from engaging in certain fraudulent, manipulative,
and deceptive actions with respect to the fund); 15 U.S.C. 80b-4a (requiring each adviser
registered with the Commission to have written policies and procedures reasonably
designed to prevent the misuse of material non-public information by the adviser or
persons associated with the adviser); and NASD Conduct Rule 3010 (requiring each
broker-dealer to establish and maintain written procedures to supervise the types of
business it is engaged in and to supervise the activities of registered representatives and
associated persons).
7 17 CFR 240.17a-3 (requiring broker-dealers to make and keep, among other things,
blotters or other records of original entry, securities position records, and order tickets).
8 17 CFR 270.31a-1(b)(4), 17 CFR 270.31a-1(b)(11) (requiring investment companies to
maintain, among other things, minute books of directors’ meetings and “files of all
advisory material received from the investment adviser”).
5. Effect on Small Entities
Every covered institution, regardless of its size, is subject to the safeguard rule’s
requirements. Regardless of the size of the entity, a covered entity could not reasonably
manage the safeguarding of customer records and information without written policies
and procedures. The safeguard rule requires covered institutions to adopt policies and
procedures “reasonably designed” to protect customer information and records.
Accordingly, the rule permits covered institutions to tailor their policies and procedures
to the institution’s particular systems, methods of information gathering, and customer
needs. Accordingly, a small institution with relatively simple policies and procedures
reflecting simple business operations would likely take less time to document those
policies and procedures than would a large institution with complex and very detailed
policies and procedures. Exempting small entities from the safeguard rule, or otherwise
changing the requirements of the rule, would jeopardize the interests of investors who use
these institutions’ services, and who need the same protections as the investors who use
the services of large entities.
6. Consequences of Less Frequent Collection
The safeguard rule requires covered institutions to maintain written policies and
procedures. These policies and procedures would have to be written when first adopted
and revised only as the safeguard policies and procedures are changed. Thus, the
collection of information is required only as necessary to reflect current policies and
procedures.
7. Inconsistencies with Guidelines in 5 CFR 1320.5(d)(2)
The safeguard rule requires covered institutions to maintain written safeguard
policies and procedures on an ongoing basis. Although this period would exceed the
three-year guideline for most kinds of records under 5 CFR 1320.5(d)(2)(iv), the staff
believes that this is warranted because the rule assists in informing and training the
institutions’ employees and contributes to the effectiveness of the Commission’s
examination and inspection program.
8. Consultation Outside the Agency
The Commission requested public comment on the information collection
requirement in the safeguard rule before it submitted this request for extension and
approval to the Office of Management and Budget. The Commission received no
comments to its request. The Commission and the staff of the Divisions of Investment
Management and Trading and Markets participate in an ongoing dialogue with
representatives of the industry through public conferences, meetings, and informal
exchanges. These various forums provide the Commission and the staff with a means of
ascertaining the magnitude of the paperwork burdens confronting the industry.
9. Payment or Gift
Not applicable.
10. Confidentiality
Not applicable.
11. Sensitive Questions
Not applicable.
12. Estimates of Time Burden
The safeguard rule requires each covered institution to maintain written policies
and procedures regarding the safeguarding of customer records and information. We
believe that almost all covered institutions have already documented their safeguard
policies and procedures in writing because this has been a requirement under the rule
since July 1, 2005. In addition, these institutions have a strong interest in preventing
security threats, such as identity theft or threats to their computer systems, as a matter of
good business practice and state law.
We estimate that as of the end of 2011, there are 4695 broker-dealers, 4203
investment companies, and 11,658 investment advisers registered with the Commission,
for a total of 20,556 covered institutions. We believe that all of these covered institutions
have already documented their safeguard policies and procedures in writing and therefore
will incur no hourly burdens related to the initial documentation of policies and
procedures.
Although existing covered institutions would not incur any initial hourly burden
in complying with the safeguards rule, we expect that newly registered institutions would
incur some hourly burdens associated with documenting their safeguard policies and
procedures. We estimate that approximately 1500 broker-dealers, investment companies,
or investment advisers register with the Commission annually. However, we also expect
that approximately 70% of these newly registered covered institutions (1050) 9 are
affiliated with an existing covered institution, and will rely on an organization-wide set of
previously documented safeguard policies and procedures created by their affiliates. We
estimate that these affiliated newly registered covered institutions will incur a
significantly reduced hourly burden in complying with the safeguards rule, as they will
need only to review their affiliate’s existing policies and procedures, and identify and
adopt the relevant policies for their business. Therefore, we expect that newly registered
covered institutions with existing affiliates will incur an hourly burden of approximately
15 hours in identifying and adopting safeguard policies and procedures for their business,
for a total hourly burden for all affiliated new institutions of 15,750 hours. 10 We expect
that half of this time would be incurred by inside counsel at an hourly rate of $378, and
half would be by a compliance officer at an hourly rate of $322, for a total cost of
$5,512,500. 11
Finally, we expect that the 450 newly registered entities that are not affiliated with
an existing institution will incur a significantly higher hourly burden in reviewing and
documenting their safeguard policies and procedures. We expect that virtually all of the
newly registered covered entities that do not have an affiliate are likely to be small
entities and are likely to have smaller and less complex operations, with a
correspondingly smaller set of safeguard policies and procedures to document, compared
to other larger existing institutions with multiple affiliates. We estimate that it will take a
typical newly registered unaffiliated institution approximately 60 hours to review,
identify, and document their safeguard policies and procedures, for a total of 27,000
hours for all newly registered unaffiliated entities. 12 We expect that half of this time
would be incurred by inside counsel at an hourly rate of $378, and half would be by a
compliance officer at an hourly rate of $322, for a total cost of $9,450,000. 13
9 This estimate is based on the following calculations: 1500 newly registered entities x
70% with affiliates = 1050 affiliated entities; 1500 newly registered entities - 1050
affiliated entities = 450 unaffiliated new entities.
10 This estimate is based on the following calculation: 15 hours x 1050 covered institutions
= 15,750 hours.
11 This estimate is based on the following calculations: 15,750 hours / 2 = 7875 hours; 7875
hours x $378 per hour = $2,976,750; 7875 hours x $322 = $2,535,750; $2,976,750 +
$2,535,750 = $5,512,500. Hourly wages are from SIFMA's Management & Professional
Earnings in the Securities Industry 2011, modified by Commission staff to account for an
1800-hour work-year and multiplied by 5.35 to account for bonuses, firm size, employee
benefits, and overhead.
Therefore, we estimate that the total annual hourly burden associated with the
safeguards rule is 42,750 hours at a total hourly cost of $14,962,500. 14 We also estimate
that all covered institutions will be respondents each year, for a total of 20,556
respondents.
13. Total Annual Cost Burden
The staff estimates that the safeguard rule does not impose a material cost burden,
apart from the cost of the burden hours identified in section 12, on covered institutions.
Although these entities are likely to retain these records for as long as the institution
maintains policies and procedures, these records could be maintained electronically and,
even if maintained in hard copy, would not likely be extensive. The staff has not
estimated a capital/startup cost in connection with the recordkeeping requirements
because covered institutions would likely use existing recordkeeping systems to maintain
the required compliance records.
12 This estimate is based on the following calculation: 60 hours x 450 covered institutions =
27,000 hours.
13 This estimate is based on the following calculations: 27,000 hours / 2 = 13,500 hours;
13,500 hours x $378 per hour = $5,103,000; 13,500 hours x $322 = $4,347,000;
$5,103,000 + $4,347,000 = $9,450,000.
14 This estimate is based on the following calculations: 15,750 hours for affiliated newly
registered entities + 27,000 hours for unaffiliated newly registered entities = 42,750 total
hours; $5,512,500 + $9,450,000 = $14,962,500.
14. Cost to the Federal Government
There is no cost to the federal government of administering the information
collection requirements in rule 248.30(a) under the GLBA.
15. Changes in Burden
The decrease in estimated total annual burden hours from 87,460 hours to 42,750
hours reflects the elimination of the staff’s estimated hourly burden for entities that
update their policies and procedures under the rule. 15 The decrease is also attributable to
a decrease in the staff’s estimated hourly burden for entities that adopt new policies and
procedures under the rule.
16. Information Collection Planned for Statistical Purposes
Not applicable.
17. Approval to Omit the OMB Expiration Date
Not applicable.
18. Exception to Certification Statement
Not applicable.
B. COLLECTION OF INFORMATION EMPLOYING STATISTICAL METHODS
Not applicable.
15 The staff is no longer including these activities in its burden estimates because such updates are
not required by the rule. For purposes of our analysis, hourly burdens and external costs
associated with voluntary actions that are not required by the rule are not considered to be part of
the compliance burden of the rule.
File Type | application/pdf |
File Modified | 2013-10-24 |
File Created | 2013-10-24 |