[Federal Register Volume 69, Number 181 (Monday, September 20, 2004)]
[Proposed Rules]
[Pages 56304-56314]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-21031]



[[Page 56303]]

-----------------------------------------------------------------------

Part III





Securities and Exchange Commission





-----------------------------------------------------------------------



17 CFR Part 248



Disposal of Consumer Report Information; Proposed Rule


[[Page 56304]]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 248

[Release Nos. 34-50361, IA-2293, IC-26596; File No. S7-33-04]
RIN 3235-AJ24


Disposal of Consumer Report Information

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'') is 
publishing for comment amendments to the rule under Regulation S-P 
requiring financial institutions to adopt policies and procedures to 
safeguard customer information (``safeguard rule''). The proposed 
amendments would implement the provision in section 216 of the Fair and 
Accurate Credit Transactions Act of 2003 requiring proper disposal of 
consumer report information and records. Section 216 directs the 
Commission and other federal agencies to adopt regulations requiring 
that any person who maintains or possesses a consumer report or 
consumer information derived from a consumer report for a business 
purpose must properly dispose of the information. The proposed 
amendments also would require the policies and procedures adopted under 
the safeguard rule to be in writing.

DATES: Comments should be received on or before October 20, 2004.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

    • Use the Commission's Internet comment form (http://www.sec.gov/rules/proposed.shtml); or
    • Send an e-mail to [email protected]. Please include 
File Number S7-33-04 on the subject line; or
    • Use the Federal eRulemaking Portal (http://www.regulations.gov). Follow the instructions for submitting comments.

Paper Comments

    • Send paper comments in triplicate to Jonathan G. Katz, 
Secretary, Securities and Exchange Commission, 450 Fifth Street, NW., 
Washington, DC 20549-0609.
    All submissions should refer to File Number S7-33-04. This file 
number should be included on the subject line if e-mail is used. To 
help us process and review your comments more efficiently, please use 
only one method. The Commission will post all comments on the 
Commission's Internet Web site (http://www.sec.gov/rules/proposed.shtml). Comments will also be available for public inspection and 
copying in the Commission's Public Reference Room, 450 Fifth Street, 
NW., Washington, DC 20549. All comments received will be posted without 
change; we do not edit personal identifying information from 
submissions. You should submit only information that you wish to make 
available publicly.

FOR FURTHER INFORMATION CONTACT: For information regarding the proposed 
rule amendments as they relate to brokers or dealers, contact Catherine 
McGuire, Chief Counsel, Brian Bussey, Assistant Chief Counsel, or Tara 
Prigge, Attorney, Office of Chief Counsel, at the Division of Market 
Regulation, (202) 942-0073; as they relate to transfer agents 
registered with the Commission, contact Jerry Carpenter, Assistant 
Director, or David Karasik, Special Counsel, Office of Clearance and 
Settlement, at the Division of Market Regulation, (202) 942-4187; or as 
they relate to investment companies or to investment advisers 
registered with the Commission, contact Penelope W. Saltzman, Branch 
Chief, or Vincent M. Meehan, Attorney, Office of Regulatory Policy, at 
the Division of Investment Management, (202) 942-0690, Securities and 
Exchange Commission, 450 Fifth Street, NW., Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Commission is requesting public comment 
on proposed amendments to Regulation S-P under section 501(b) of the 
Gramm-Leach-Bliley Act (``GLBA'') [15 U.S.C. 6801(b)], section 216 of 
the Fair and Accurate Credit Transactions Act of 2003 (``FACT Act'' or 
``Act'') [15 U.S.C. 1681w], the Securities Exchange Act of 1934 (the 
``Exchange Act'') [15 U.S.C. 78], the Investment Company Act of 1940 
(the ``Investment Company Act'') [15 U.S.C. 80a], and the Investment 
Advisers Act of 1940 (the ``Investment Advisers Act'') [15 U.S.C. 80b].

Table of Contents

I. Background
II. Discussion
    A. Proposed Rule 248.30(b): Disposal of consumer report 
information and records
    B. Proposed Rule 248.30(a): Procedures to safeguard customer 
records and information
III. General Request for Comment
IV. Cost-Benefit Analysis
V. Paperwork Reduction Act
VI. Initial Regulatory Flexibility Analysis
VII. Analysis of Effects on Efficiency, Competition and Capital 
Formation
VIII. Statutory Authority
Text of Proposed Rules

I. Background

    Section 216 of the FACT Act adds a new section 628 to the Fair 
Credit Reporting Act (``FCRA'').\1\ The section is intended to prevent 
unauthorized disclosure of information contained in a consumer report 
and to reduce the risk of fraud or related crimes, including identity 
theft, by ensuring that records containing sensitive financial or 
personal information are appropriately redacted or destroyed before 
being discarded.\2\ Section 216 of the FACT Act requires the Office of 
the Comptroller of the Currency, the Board of Governors of the Federal 
Reserve System, the Federal Deposit Insurance Corporation, the Office 
of Thrift Supervision (collectively, the ``Banking Agencies''), the 
National Credit Union Administration, the Federal Trade Commission 
(``FTC'') (collectively with the Banking Agencies, the ``Agencies''), 
and the Commission to issue regulations requiring ``any person that 
maintains or otherwise possesses consumer information, or any 
compilation of consumer information, derived from consumer reports for 
a business purpose, to properly dispose of any such information or 
compilation.''\3\ The Agencies and the Commission are required to 
consult and coordinate with each other so that, to the extent possible, 
regulations implementing this section are consistent and comparable. In 
addition, section 216 requires that the regulations must be consistent 
with the GLBA and other provisions of Federal law. The Commission staff 
has coordinated with the Agencies to develop a proposal regarding the 
disposal of consumer report information, and the Commission is now 
requesting public comment on that proposal.\4\
---------------------------------------------------------------------------

    \1\ 15 U.S.C. 1681. The FACT Act was signed into law on December 
4, 2003. Pub. L. No. 108-159, 117 Stat. 1952 (2003). Section 628 is 
codified at 15 U.S.C. 1681w.
    \2\ See 108 Cong. Rec. S13,889 (Nov. 4, 2003) (statement of Sen. 
Nelson).
    \3\ The regulations must be issued in final form by December 4, 
2004.
    \4\ The Banking Agencies have proposed to implement section 216 
of the FACT Act by amending their existing guidelines on 
safeguarding customer information. See Proper Disposal of Consumer 
Information Under the Fair and Accurate Credit Transactions Act of 
2003, 69 FR 31913 (June 8, 2004). The National Credit Union 
Administration has published a similar proposal. See Fair Credit 
Reporting--Proper Disposal of Consumer Information Under the Fair 
and Accurate Credit Transactions Act of 2003, 69 FR 30601 (May 28, 
2004). The FTC has proposed a separate rule to implement section 216 
of the Act. See Disposal of Consumer Report Information and Records, 
69 FR 21388 (April 20, 2004) (``FTC Proposal'').

---------------------------------------------------------------------------

[[Page 56305]]

    The Commission's safeguard rule, section 30 of Regulation S-P,\5\ 
was adopted in 2000 pursuant to section 501(b) of the GLBA. The rule 
requires brokers, dealers, and investment companies, as well as 
investment advisers registered with the Commission (``registered 
investment advisers'') to adopt policies and procedures that address 
administrative, technical, and physical safeguards for the protection 
of customer records and information. Because the proper disposal of 
information is one aspect of an information safeguard program, we are 
proposing to place the ``disposal rule'' as paragraph (b) of section 
248.30.\6\ The existing safeguard rule would be re-designated as 
paragraph (a).\7\
---------------------------------------------------------------------------

    \5\ 17 CFR 248.30.
    \6\ See text accompanying and following note 21 infra.
    \7\ See proposed rule 248.30(a).
---------------------------------------------------------------------------

    The Commission also is taking this opportunity to propose another 
amendment to the safeguard rule to address weaknesses the staff has 
seen in the documentation of safeguarding policies and procedures. 
Since 2001, our staff has examined brokers, dealers, investment 
companies, and registered investment advisers for their compliance with 
the safeguard rule. In the course of these examinations, our staff has 
identified firms that lack written policies and procedures that address 
the safeguarding of customer information and records. Our proposal 
today would address this weakness by specifying that information 
safeguard policies and procedures must be ``written.''

II. Discussion

A. Proposed Rule 248.30(b): Disposal of Consumer Report Information and 
Records

1. Proposed Section 248.30(b)(1): Definitions
    The proposed disposal rule would be part of Regulation S-P.\8\ 
Accordingly, the definitions set forth in Regulation S-P also would 
apply to terms used in the proposed rule. As discussed below, however, 
proposed section 248.30(b) would include definitions of additional 
terms used in the proposed disposal rule.
---------------------------------------------------------------------------

    \8\ See 17 CFR Part 248.
---------------------------------------------------------------------------

    Proposed section 248.30(b)(1)(i) defines the term ``consumer 
report'' to have the same meaning as in section 603(d) of the FCRA.\9\ 
Proposed section 248.30(b)(1)(ii) defines ``consumer report 
information'' as any record about an individual, whether in paper, 
electronic, or other form, that is a consumer report or is derived from 
a consumer report. This definition would incorporate the FCRA meaning 
of ``consumer,'' which is simply ``an individual,'' without regard to 
the nature of any product or service involved or how it is used.\10\ A 
broad definition of the term, which includes all types of records that 
are consumer reports, or contain information derived from consumer 
reports, may best effectuate the purpose of the FACT Act.
---------------------------------------------------------------------------

    \9\ The FCRA defines ``consumer report'' to mean ``* * * any 
written, oral, or other communication of any information by a 
consumer reporting agency bearing on a consumer's credit worthiness, 
credit standing, credit capacity, character, general reputation, 
personal characteristics, or mode of living which is used or 
expected to be used or collected in whole or in part for the purpose 
of serving as a factor in establishing the consumer's eligibility 
for (A) credit or insurance to be used primarily for personal, 
family, or household purposes; (B) employment purposes; or (C) any 
other purpose authorized under section 604'' of the FCRA. See 15 
U.S.C. 1681a(d)(1). A ``consumer reporting agency'' is defined as 
``any person which, for monetary fees, dues, or on a cooperative 
nonprofit basis, regularly engages in whole or in part in the 
practice of assembling or evaluating consumer credit information or 
other information on consumers for the purpose of furnishing 
consumer reports to third parties, and which uses any means or 
facility of interstate commerce for the purpose of preparing or 
furnishing consumer reports.'' See 15 U.S.C. 1681a(f). The statute 
also provides exclusions from the definition, which include: ``any 
(i) report containing information solely as to transactions or 
experiences between the consumer and the person making the report; 
(ii) communication of that information among persons related by 
common ownership or affiliated by corporate control; or (iii) 
communication of other information among persons related by common 
ownership or affiliated by corporate control, if it is clearly and 
conspicuously disclosed to the consumer that the information may be 
communicated among such persons and the consumer is given the 
opportunity, before the time that the information is initially 
communicated, to direct that such information not be communicated 
among such persons* * *'' See 15 U.S.C. 1681a(d)(2).
    \10\ See 15 U.S.C. 1681a(c). The definition of ``consumer'' in 
the FCRA is broader than the meaning of ``consumer'' in section 
248.3(g) of Regulation S-P and in the GLBA, which define the term as 
an individual who obtains, from a financial institution, financial 
products or services that are to be used primarily for personal, 
family or household purposes. See 17 CFR 248.3(g); 15 U.S.C. 
6809(8). Thus, the proposed disposal rule would follow the FCRA in 
defining the phrase ``consumer report information'' to mean 
information about any individual derived from a consumer report. The 
term ``consumer'' for purposes of the remainder of Regulation S-P 
would continue to have the meaning set forth in section 248.3(g).
---------------------------------------------------------------------------

    Under this definition, however, information that is derived from 
consumer reports but does not identify any particular individual would 
not be covered under the proposed rule. Limiting ``consumer report 
information'' to information that identifies particular individuals is 
consistent with current law relating to the scope of the term 
``consumer report'' under section 603(d) of the FCRA and with the 
purposes of section 216 of the FACT Act.\11\ The Commission requests 
comment on this proposed definition. Should it be broader or narrower? 
The Commission also seeks comment on whether the definition of 
``consumer report information'' should be further clarified, by example 
or otherwise.
---------------------------------------------------------------------------

    \11\ See 15 U.S.C. 1681a(d).
---------------------------------------------------------------------------

    Proposed section 248.30(b)(1)(iii) defines ``disposal'' to mean the 
discarding or abandonment of consumer report information, as well as 
the sale, donation, or transfer of any medium, including computer 
equipment, upon which consumer report information is stored. The sale, 
donation, or transfer, as opposed to the discarding or abandonment, of 
consumer report information would not be considered a ``disposal'' 
under the proposed rule. For example, an entity subject to the proposed 
disposal rule that transfers consumer report information to a third 
party for marketing purposes would not be discarding the information 
for purposes of the proposed disposal rule.\12\ If the entity donates 
computer equipment on which consumer report information is stored, 
however, the donation would be considered a disposal under the 
proposal. The Commission requests comment on the proposed definition of 
``disposal.'' Does it appropriately reflect the scope of the FACT Act? 
Should it be narrower or broader?
---------------------------------------------------------------------------

    \12\ The ability of the entity to transfer information to a 
third party may, however, be limited by other laws, such as the GLBA 
and Regulation S-P.
---------------------------------------------------------------------------

    Proposed section 248.30(b)(1)(iv) defines ``notice-registered 
broker-dealers'' to mean a broker or dealer registered by notice with 
the Commission under section 15(b)(11) of the Exchange Act.\13\
---------------------------------------------------------------------------

    \13\ 15 U.S.C. 78o(b)(11).
---------------------------------------------------------------------------

    Proposed section 248.30(b)(1)(v) defines ``transfer agent'' to have 
the same meaning as in section 3(a)(25) of the Exchange Act.\14\ The 
Commission requests comment on these proposed definitions.
---------------------------------------------------------------------------

    \14\ 15 U.S.C. 78c(a)(25).
---------------------------------------------------------------------------

2. Proposed Section 248.30(b)(2)(i): Proper Disposal of Consumer Report 
Information
    Maintaining or Possessing Information for a Business Purpose. The 
proposed disposal rule would require brokers and dealers (other than 
brokers and dealers registered by notice with the Commission under 
section 15(b)(11) of the Exchange Act for the purpose of conducting 
business in security futures products (``notice-registered broker-
dealers'')), investment companies, registered investment advisers, and

[[Page 56306]]

transfer agents registered with the Commission (``registered transfer 
agents'' and, collectively, with brokers, dealers, investment 
companies, and registered investment advisers, ``covered entities'') to 
dispose properly of consumer report information, or any compilation of 
consumer report information, if the entity maintains or otherwise 
possesses the information for a business purpose. This language, which 
tracks the language of section 216 of the FACT Act, creates two 
criteria for determining whether a covered entity would be required to 
comply with the proposed rule. First, does the information being 
disposed of contain consumer report information, or any compilation of 
consumer report information? Second, does the entity maintain or 
otherwise possess the consumer report information for a business 
purpose?
    As to the first criterion, the FACT Act and proposed disposal rule 
make clear that the disposal requirements apply not only to consumer 
reports, but also to records containing ``consumer information, or any 
compilation of consumer information, derived from consumer reports.'' 
\15\ The Commission believes that the phrase ``derived from consumer 
reports'' covers all of the information about an individual that is 
taken from a consumer report, including information that results in 
whole or in part from manipulation of information from a consumer 
report or information from a consumer report that has been combined 
with other types of information. Thus, any covered entity that 
possesses such information, including an affiliate that has received it 
under section 603(d)(2)(A)(iii) of the FCRA, would be obligated to 
properly dispose of it.\16\
---------------------------------------------------------------------------

    \15\ FACT Act, Sec.  216 (adding Sec.  628(a)(1) to the FCRA).
    \16\ Information that does not identify particular individuals 
would not be covered, even if the information were originally 
``derived from consumer reports,'' because that information would no 
longer be ``about a consumer'' (i.e., an individual).
---------------------------------------------------------------------------

    As to the second criterion, ``for a business purpose'' includes all 
business reasons for which a covered entity may possess or maintain 
consumer report information.\17\ Covered entities that possess consumer 
report information in connection with the provision of services to 
another entity would also be directly covered by the proposed rule to 
the extent that they dispose of the consumer report information.
---------------------------------------------------------------------------

    \17\ Among the entities that possess or maintain consumer report 
information for a business purpose are lenders, employers, and other 
users of consumer reports. These entities could include a broker-
dealer that provides margin accounts or sells variable annuity 
products, or a covered entity that uses consumer reports for 
employment purposes. Consistent with the FTC's interpretation, the 
Commission views a ``business purpose'' as broader than a 
``permissible purpose'' as defined in section 604 of the FCRA (see 
15 U.S.C. 1681b) (outlining permissible uses of consumer reports). 
See FTC Proposal, supra note 4. Although ``permissible purposes'' 
are generally ``business purposes,'' there are a variety of business 
purposes for which persons maintain or possess ``consumer report 
information'' beyond those listed as ``permissible'' for users of 
consumer reports.
---------------------------------------------------------------------------

    The Commission requests comment on the scope of the proposed rule. 
The Commission also requests comment on whether there are any ``persons 
or classes of persons'' covered by the proposed disposal rule that it 
should consider exempting from the rule's application.\18\
---------------------------------------------------------------------------

    \18\ Section 628(a)(3) of the FCRA, as added to section 216 of 
the FACT Act, provides that, in issuing regulations under the 
section, an agency ``may exempt any persons or class of persons from 
application of those regulations as such agency deems appropriate to 
carry out the purpose of th[e] section.''
---------------------------------------------------------------------------

    Reasonable Measures. The proposed disposal rule would require that 
any covered entity that maintains or otherwise possesses consumer 
report information ``take reasonable measures to protect against 
unauthorized access to or use of the information in connection with its 
disposal.''\19\ The Commission recognizes that there are few foolproof 
methods of record destruction. Accordingly, the proposed rule would not 
require covered entities to ensure perfect destruction of consumer 
report information in every instance; rather, it would require covered 
entities to take reasonable measures to protect against unauthorized 
access to or use of the information in connection with its disposal.
---------------------------------------------------------------------------

    \19\ Proposed rule 248.30(b)(2)(i).
---------------------------------------------------------------------------

    In determining what measures are ``reasonable'' under the proposed 
disposal rule, we expect that entities covered by the rule would 
consider the sensitivity of the consumer report information, the size 
of the entity and the complexity of its operations, the costs and 
benefits of different disposal methods, and relevant technological 
changes. ``Reasonable measures'' may require elements such as the 
establishment of policies and procedures governing disposal, as well as 
appropriate employee training.
    The flexible standard for disposal in the proposed rule would allow 
covered entities to make decisions appropriate to their particular 
circumstances and should minimize the disruption of existing practices 
to the extent that they already provide appropriate protections for 
consumer report information. The standard also is intended to minimize 
the burden of compliance for smaller entities. In addition, a 
``reasonable measures'' standard would harmonize the proposed disposal 
rule with the Commission's safeguard rule, which incorporates a 
``reasonable design'' standard in the requirement for policies and 
procedures to safeguard consumer information. This is designed to 
prevent covered entities from being subject to conflicting 
standards.\20\
---------------------------------------------------------------------------

    \20\ The safeguard rule applies to ``customer records and 
information'' and the proposed disposal rule applies to ``consumer 
report information.'' See 17 CFR 248.3(j) (defining ``customer''); 
proposed rule 248.30(b)(1)(iii) (defining ``consumer report 
information'' for purposes of the proposed disposal requirements). 
These terms refer to two different (though overlapping) sets of 
information.
---------------------------------------------------------------------------

    We recognize that in some circumstances, ``customer records and 
information'' subject to the safeguard rule may overlap with ``consumer 
report information'' subject to the proposed disposal rule. To the 
extent there is overlap, customer records and information would be 
subject to the proposed disposal rule. We expect, however, that a 
covered entity subject to the safeguard rule would already have 
addressed the disposal of customer records and information as one part 
of its overall safeguard policies and procedures. These procedures must 
be reasonably designed to insure the security and confidentiality of 
customer records and information, and protect against unauthorized 
access to or use of customer records or information that could result 
in substantial harm or inconvenience to any customer.\21\ In other 
words, the Commission believes that proper disposal policies and 
procedures are encompassed within, and should be a part of, the overall 
policies and procedures required under the safeguard rule. Accordingly, 
a covered entity could comply with the proposed disposal rule by 
applying its policies and procedures under the safeguard rule, 
including methods for the proper disposal of customer information, to 
consumer report information or any compilation of that information.
---------------------------------------------------------------------------

    \21\ See 17 CFR 248.30.
---------------------------------------------------------------------------

    Despite the benefits of a flexible ``reasonableness'' standard, the 
Commission recognizes that such a standard could leave covered entities 
with some uncertainty about compliance. While each covered entity would 
have to evaluate what is appropriate for its size and the complexity of 
its operations, we believe that ``reasonable'' disposal measures for 
purposes of the proposed disposal rule could include:

[[Page 56307]]

    • Implementing and monitoring compliance with policies and 
procedures that require the burning, pulverizing, or shredding of 
papers containing consumer report information so that the information 
cannot practicably be read or reconstructed;
    • Implementing and monitoring compliance with policies and 
procedures that require the destruction or erasure of electronic media 
containing consumer report information so that the information cannot 
practicably be read or reconstructed; and
    • After due diligence, entering into and monitoring 
compliance with a written contract with another party engaged in the 
business of record destruction to dispose of consumer report 
information in a manner that is consistent with this rule.\22\
---------------------------------------------------------------------------

    \22\ In this context, due diligence could include reviewing an 
independent audit of the disposal company's operations and/or its 
compliance with this rule, obtaining information about the disposal 
company from several references or other reliable sources, requiring 
that the disposal company be certified by a recognized trade 
association or similar third party, reviewing and evaluating the 
disposal company's information security policies or procedures, or 
taking other appropriate measures to determine the competency and 
integrity of the potential disposal company.
---------------------------------------------------------------------------

    We invite comment on the proposed standard for disposal. In 
particular, we seek comment on whether commenters believe the proposed 
``reasonableness'' standard provides sufficient guidance to covered 
entities. We also seek comment on whether the proposed disposal rule 
should include alternative standards, specify particular disposal 
methods, or should provide examples, and what those examples should be. 
Finally, we seek comment on whether the disposal rule should require 
disposal measures to be in writing.
3. Proposed Section 248.30(b)(2)(ii): Relation to Other Laws
    This section makes clear that nothing in the proposed disposal rule 
is intended to create a requirement that a covered entity maintain or 
destroy any record pertaining to an individual. Nor is the rule 
intended to affect any requirement imposed under any other provision of 
law to maintain or destroy such records.
4. Scope of the Proposed Disposal Rule
    The FACT Act differs in scope from the GLBA. Accordingly, 
Regulation S-P (including the safeguard rule) and the proposed disposal 
rule have some differences in scope with respect both to the 
information and entities that are subject to the respective rules.\23\ 
Four provisions in the proposal would clarify these differences. First, 
the proposal would amend section 248.1(b) of Regulation S-P to except 
the proposed disposal rule from the provision that describes the scope 
of information subject to the Regulation S-P.\24\ Second, the proposal 
would revise section 248.2(b) to except the proposed disposal rule from 
the provision in Regulation S-P that permits notice-registered broker-
dealers to comply with Regulation S-P by complying with financial 
privacy rules adopted by the Commodity Futures Trading Commission.\25\ 
Third, as noted above, the proposed disposal rule would exclude notice-
registered broker-dealers from its application.\26\ Fourth, unlike most 
of the privacy rules under Regulation S-P, the proposed disposal rule 
would apply to transfer agents.\27\ We request comment on these 
proposed provisions.
---------------------------------------------------------------------------

    \23\ The FACT Act does not specifically identify which entities 
will be subject to the rules prescribed by the Commission. Section 
216 of the FACT Act states that implementing regulations must be 
prescribed by the ``Federal banking agencies, the National Credit 
Union Administration, and the [Federal Trade] Commission with 
respect to the entities that are subject to their respective 
enforcement authority under Section 621 of the Fair Credit Reporting 
Act and the Securities and Exchange Commission * * * '' Section 621 
of the FCRA grants enforcement authority to the FTC for all persons 
subject to FCRA ``except to the extent that enforcement * * * is 
specifically committed to some other government agency under 
subsection (b)'' of section 621. 15 U.S.C. 1681s. The Commission is 
not one of the agencies included under subsection (b). 15 U.S.C. 
1681s(b). The Commission was added to the list of federal agencies 
required to adopt implementing regulations under sections 214 and 
216 of the FACT Act in conference committee. There is no legislative 
history on this issue. As discussed in our recent proposal for rules 
implementing section 214 of the FACT Act, Congress' inclusion of the 
Commission as one of the agencies required to adopt implementing 
regulations suggests that Congress intended that our rules apply to 
brokers, dealers, investment companies, registered investment 
advisers, and registered transfer agents. Consistent with that 
proposal, however, notice-registered broker-dealers would be 
excluded from the scope of the proposed disposal rule. See 
Securities Exchange Act Release No. 49985 (July 8, 2004) [69 FR 
42302 (July 14, 2004) (``Proposed Regulation S-AM'')].
    \24\ See proposed amended rule 248.1(b). The scope provision of 
Regulation S-P provides that it applies to ``nonpublic personal 
information about individuals who obtain financial products or 
services primarily for personal, family, or household purposes.'' 
See 17 CFR 248.1(b). As discussed above, the proposed disposal rule 
applies to a different, but overlapping set of information. See 
supra note 20.
    \25\ See proposed amended rule 248.1(b). Regulation S-P 
currently allows notice-registered broker-dealers to comply with the 
financial privacy rules of the Commodity Futures Trading Commission 
(``CFTC'') as a substitute for compliance with Regulation S-P. See 
17 CFR 248.2(b). This provision acknowledges that notice-registered 
broker-dealers are subject to primary oversight by the CFTC and are 
exempted from all but the core provisions of the laws administered 
by the Commission. This substituted compliance provision could not 
apply to the disposal rule, however, because Congress did not 
include the CFTC among the financial regulators required to adopt 
implementing regulations under section 216 of the FACT Act.
    \26\ See 248.30(b)(2)(i). As discussed in our recent proposal 
for rules implementing section 214 of the FACT Act, we interpret 
Congress' exclusion of the CFTC from the list of financial 
regulators required to adopt implementing regulations under section 
216 of the FACT Act to mean that Congress did not intend for the 
Commission's rules under the FACT Act to apply to entities subject 
to primary oversight by the CFTC. See Proposed Regulation S-AM, 
supra note 22.
    \27\ See 248.30(b)(2)(i). The GLBA did not grant authority to 
the Commission to promulgate privacy rules in Regulation S-P with 
respect to transfer agents. Accordingly, transfer agents fall within 
the residual jurisdiction of the FTC. See supra note 23.
---------------------------------------------------------------------------

B. Proposed Rule 248.30(a): Procedures To Safeguard Customer Records 
and Information

    The current safeguard rule requires brokers, dealers, investment 
companies, and registered investment advisers to adopt policies and 
procedures to safeguard customer information. These procedures must be 
reasonably designed to:
    * Insure the security and confidentiality of customer 
records and information;
    * Protect against any anticipated threats or hazards to the 
security and integrity of those records; and
    * Protect against unauthorized access to or use of those 
records or information which could result in substantial harm or 
inconvenience to any customer.
    As noted above, some firms our staff has examined lack written 
policies and procedures that address these requirements. In the absence 
of reasonable documentation, it is difficult to identify these policies 
and procedures and test for compliance with the safeguard rule. In 
addition, we strongly question whether an organization of any size and 
complexity could reasonably manage to safeguard customer records and 
information without written policies and procedures. Finally, we note 
that the Agencies have required written policies and procedures.\28\ 
Therefore, to ensure reasonable protection for customer records and 
information, and to permit compliance oversight by our examiners, we 
are proposing to require that policies and procedures under the 
safeguard rule must be written. We believe that this amendment, if 
adopted, would impose no significant burden on the firms subject to 
the safeguard rule because they have been required to have 
reasonable policies and procedures since 2001. The amendment we propose 
today only requires them to document those policies and procedures. We 
do not believe that the documentation of existing policies and 
procedures would impose a significant burden.
---------------------------------------------------------------------------

    \28\ See Federal Reserve System, Federal Deposit Insurance 
Corporation, Department of the Treasury Office of Thrift 
Supervision, and Department of the Treasury Office of the Comptroller 
of the Currency, Interagency Guidelines Establishing Standards for 
Safeguarding Customer Information, 66 FR 8616 (Feb. 1, 2001) 
(``Interagency Guidelines''); Federal Trade Commission, Standards 
for Safeguarding Customer Information, 67 FR 36484 (May 23, 2002) 
(``FTC Safeguard Rule'').
---------------------------------------------------------------------------

    We note that our examiners have inspected many firms that have 
already adopted such written policies and procedures. In large and 
complex organizations, with thousands of employees and multiple 
offices, these written policies and procedures generally address 
procedures at several levels, going from an organization-wide policy 
statement down to detailed procedures addressing particular 
controls.\29\ This comprehensive approach to safeguarding is consistent 
with widely accepted standards adopted by government and private sector 
standard-setting bodies and professional literature and generally leads 
to reasonable written policies and procedures.\30\
---------------------------------------------------------------------------

    \29\ At one level, the highest levels of management approve an 
organization-wide policy statement. At another level, more specific 
policies and procedures address separate areas of safeguarding risk. 
At a final level, detailed procedures set out the controls, 
management checks and balances, audit trail functions, and other 
actions needed to ensure that the firm's safeguarding program is 
reasonably effective and verifiable by senior management. These 
written policies and procedures also generally designate a 
specialized staff of information security professionals to manage 
the organization's day-to-day safeguarding operations, and an 
information security governance framework, to ensure that the 
information security policy is adequately supported throughout the 
enterprise. Finally, these written policies and procedures generally 
make provision for measures to verify the safeguarding program's 
effectiveness, including risk assessments; independent audits and 
penetration tests; and active monitoring, surveillance, and 
detection programs.
    \30\ See, e.g., Generally Accepted Principles and Practices for 
Securing Information Technology Systems, National Institute of 
Standards and Technology (``NIST'') (September 1996), available at: 
http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf; the 
Federal Information System Controls Audit Manual, known as 
``FISCAM,'' GAO/AIMD-12.19.6 (January 1999), available at: 
http://www.gao.gov/special.pubs/ai12.19.6.pdf; BS ISO/IEC 17799, 
Code of Practice For Information Security Management (December 2000) 
(formerly British Standards Institution BS 7799), available at: 
http://www.standardsdirect.org/iso17799.htm; and Control Objectives 
for Information and Related Technology, known as ``COBIT'', 
available at http://www.isaca.org. See also Interagency Guidelines; 
FTC Safeguard Rule, supra note 28.
---------------------------------------------------------------------------

    We recognize that many firms subject to the safeguard rule are 
small and simple organizations, with few employees and only one office. 
Nonetheless, we believe these firms would benefit from recording their 
policies and procedures in writing as a reference for employees. In 
every case, the written policies and procedures should be reasonably 
designed, within the circumstances of each particular institution, to 
achieve the goals set forth in the rule. We ask for comment on our 
proposal to require that policies and procedures under the safeguard 
rule must be written.
    When we adopted the safeguard rule, we believed that brokers, 
dealers, investment companies, and registered investment advisers 
should have the flexibility to tailor their policies and procedures to 
their own organization's specific circumstances. Thus, our proposal 
noted that:

    We have not prescribed specific policies or procedures that 
financial institutions must adopt. Rather, we believe it more 
appropriate for each institution to tailor its policies and 
procedures to its own systems of information gathering and transfer 
and the needs of its customers.\31\
---------------------------------------------------------------------------

    \31\ Privacy of Consumer Financial Information (Regulation S-P), 
Securities Exchange Act Release No. 42484 (Mar. 2, 2000) [65 FR 
12354 (Mar. 8, 2000)].
---------------------------------------------------------------------------

    We continue to believe that this approach is appropriate. 
Therefore, we are not proposing specific policies and procedures that 
all firms subject to the rule must implement. Nevertheless, we seek 
comment on ways to maintain a flexible approach, while establishing 
certain elements in the rule that a firm must include in its policies 
and procedures. For example, the FTC's Safeguard Rule, which applies to 
a diverse range of financial institutions, requires that financial 
institutions subject to the rule adopt a written information security 
program ``appropriate to [the institution's] size and complexity, the 
nature and scope of [its] activities, and the sensitivity of any 
customer information at issue.'' \32\ The rule specifies certain 
elements each program must have, such as identifying certain reasonably 
foreseeable internal and external risks to the security of customer 
information, while allowing the institution to determine the particular 
risks likely to threaten its operations. We seek comment on whether the 
Commission should propose to amend its safeguard rule in a similar way. 
Delineating elements would establish more specific standards for 
safeguarding customer information consistent with the goals of the 
GLBA. Would it assist financial institutions in developing or reviewing 
appropriate policies and procedures to safeguard customer information? 
Would requiring certain elements similar to those established in the 
FTC Safeguard Rule preserve flexibility for financial institutions 
adopting safeguard rules? If the Commission proposed elements, should 
those elements be limited to those listed in the FTC's Safeguard Rule? 
Are there other elements that the safeguard rule should include, such 
as an information security governance framework, including approval and 
oversight of the safeguard policies and procedures by the institution's 
board of directors?
---------------------------------------------------------------------------

    \32\ 16 CFR 314.3(a).
---------------------------------------------------------------------------

III. General Request for Comment

    We request comment on all of the provisions of the proposed 
disposal rule described above and on the proposed amendments to the 
safeguard rule and to the scope provisions of Regulation S-P. We seek 
suggestions for additional provisions or changes, and comments on other 
matters that might have an effect on the proposed disposal rule and 
proposed amendments. We encourage commenters to provide data to support 
their views.

IV. Cost-Benefit Analysis

    The Commission is sensitive to the costs and benefits imposed by 
its rules. As discussed above, the proposed amendments to Regulation 
S-P would: (i) Implement section 216 of the FACT Act by requiring covered 
entities that maintain or possess consumer report information derived 
from a consumer report for a business purpose to properly dispose of 
the information; and (ii) require that an institution's safeguarding 
policies and procedures be in writing.

A. Benefits

    The purpose of section 216 of the FACT Act is to prevent 
unauthorized disclosure of information contained in a consumer report 
and to reduce the risk of fraud or related crimes, including identity 
theft.\33\ One recent report estimated that, with respect to identity 
theft alone, 27.3 million Americans had been victimized during a five-
year period.\34\ In a single year, identity theft losses to businesses 
and financial institutions totaled $47.6 billion, and consumer victims 
reported $5 billion in out-of-pocket expenses.\35\ The proposed rule 
would address this problem by requiring that all of the approximately 
6,768 broker-dealers, 5,182 investment companies, 7,977 registered 
investment advisers, and 814 registered transfer agents \36\ that could 
be subject to the rule take reasonable measures to protect against 
unauthorized access to consumer report information during its 
disposal. This should benefit covered entities that do not currently 
have adequate methods for disposing of consumer report information and 
benefit their consumers by reducing the incidence of identity theft 
losses.
---------------------------------------------------------------------------

    \33\ See supra note 2 and accompanying text.
    \34\ See Federal Trade Commission--Identity Theft Survey Report 
(Sept. 2003), available at: http://www.ftc.gov/os/2003/09/synovatereport.pdf.
    \35\ Id.
    \36\ These figures are based on Commission filings.
---------------------------------------------------------------------------

    With respect to the safeguarding amendment, as noted above, we 
believe it is very unlikely that a firm of any size and complexity 
could adequately safeguard customer information and records without 
written policies and procedures. At a minimum, we believe the proposed 
amendment would benefit firms because written policies and procedures 
will (i) eliminate uncertainty as to what actions an employee must take 
to protect customer records and information, and (ii) promote more 
systematic and organized reviews of safeguard policies and procedures 
by firms. Some firms and their customers may benefit further from the 
proposal if the firm develops more comprehensive and effective policies 
as it translates informal, unwritten policies into writing.
    As noted above, it is extremely difficult to test the adequacy of 
unwritten policies and to ensure that they are in compliance with the 
requirements in the safeguarding rule. Requiring that a firm's policies 
and procedures be in writing should benefit investors by enhancing the 
ability of our examiners to conduct compliance oversight.

B. Costs

    We believe that both the proposed disposal rule and the 
safeguarding rule amendment will impose minimal costs on firms. The 
proposed disposal rule does not establish any specific requirements for 
the disposal of consumer report information. In cases in which a firm 
is already providing adequate protections for consumer report 
information in conjunction with the existing requirement to protect 
consumer records and information, no additional actions would have to 
be taken by the firm. In other cases, a firm, depending on its 
particular circumstances, may have to provide employee training, or 
establish clear procedures for consumer report information disposal. 
Costs to firms that are not already in compliance will vary depending 
on the size of the firm, the adequacy of its existing disposal policy, 
and the nature of the firm's operation. As noted above, the flexible 
standard in the proposed disposal rule is specifically designed to 
minimize the burden of compliance for smaller entities. The emphasis on 
performance rather than design standards in the proposed rule takes 
account of the small entity's size, operations, and sophistication, as 
well as the costs and benefits of alternative disposal methods. In 
addition, the ``reasonable measures'' standard in the proposed rule is 
consistent with the current safeguard rule. Therefore, it should be 
relatively easy for a firm that does not currently have policies and 
procedures that could apply to consumer report information to address 
the disposal of that information by adopting it as one part of its 
overall safeguarding policies and procedures.
    Similarly, we expect any costs associated with the proposed 
safeguarding rule amendment to be minimal. Firms have been required to 
have reasonable policies and procedures in place since 2001. As part of 
this requirement and as a good business practice, we believe that most 
firms have already established their policies in writing. For the 
minority of firms that have clear but unwritten policies, the sole cost 
would involve transcribing what is understood and accepted practice. If 
a firm has not given significant thought to the safeguarding of 
customer records and information, the firm may incur additional costs 
if it develops more comprehensive and effective policies in the course 
of documentation.

C. Request for Comment

    We request comment on the potential costs and benefits identified 
in the proposal and any other costs and benefits that may result from 
the proposed disposal rule and safeguard rule amendment. In particular, 
we invite comment on the costs and benefits of the proposed standards 
in the disposal rule and the costs and benefits of any alternative 
standards. For purposes of the Small Business Regulatory Enforcement 
Fairness Act of 1996, the Commission also requests information 
regarding the impact of the proposed rule on the economy on an annual 
basis. Commenters are requested to provide data to support their views.

V. Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act of 1995 
(``PRA''),\37\ the Commission has reviewed the proposed amendments. The 
proposed disposal rule explicitly provides that it is not intended 
``(1) to require a person to maintain or destroy any record pertaining 
to a consumer that is not imposed under other law; or (2) to alter or 
affect any requirement imposed under any other provision of law to 
maintain or destroy such a record.'' As such, the proposed disposal 
rule would not impose any recordkeeping requirement or otherwise 
constitute a ``collection of information'' as it is defined in the 
regulations implementing the PRA.\38\
---------------------------------------------------------------------------

    \37\ 44 U.S.C. 3506.
    \38\ See 5 CFR 1320.3(c).
---------------------------------------------------------------------------

    Certain provisions of the proposed amendment to the safeguard rule 
may constitute a ``collection of information'' within the meaning of 
the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq. The 
Commission has submitted the proposed collection of information to the 
Office of Management and Budget (``OMB'') for review in accordance with 
44 U.S.C. 3507(d) and 5 CFR 1320.11. The title for the collection of 
information is ``Procedures to safeguard customer records and 
information; disposal of consumer report information.'' An agency may 
not conduct or sponsor, and a person is not required to respond to, a 
collection of information unless it displays a currently valid OMB 
control number.

Summary of Collection of Information

    Brokers, dealers, investment companies, and registered investment 
advisers are required to adopt policies and procedures to safeguard 
customer information. The proposed amendment to the safeguard rule 
would require each of these institutions to document those policies and 
procedures in writing.

Proposed Use of Information

    The proposed amendment to the safeguard rule is intended to ensure 
reasonable protection for customer records and information, and to 
permit Commission staff to identify and test effectively for compliance 
with the rule. In addition, we believe the requirement to document 
policies and procedures in writing will (i) eliminate uncertainty as to 
what actions an employee must take to protect customer records and 
information, and (ii) promote more systematic and organized reviews of 
safeguard policies and procedures by firms.

Respondents

    According to Commission filings, there are approximately 6,768 
broker-dealers, 5,182 investment companies, and 7,977 registered 
investment advisers. Although each of these entities must comply with 
the safeguard rule, we believe that institutions with one or more 
financial affiliates (whether they are institutions regulated by the 
Commission or by other Federal financial regulators) are likely to have 
developed safeguard policies and procedures on an organization-wide 
basis, rather than each affiliate 
having developed policies and procedures on its own.
    Based on a review of forms filed with the Commission, we estimate 
that approximately 70 percent of institutions subject to the safeguard 
rule, or 13,949 institutions, have a corporate affiliate.\39\ We assume 
that affiliated institutions have developed policies and procedures on 
an organization-wide basis. For purposes of the PRA, we assume that 
each of the affiliated institutions has one corporate affiliate. We 
therefore estimate that only half of affiliated institutions, or 6,974 
institutions, have developed policies and procedures, while the other 
half (6,974 institutions) have not developed their own policies and 
procedures, but instead use the policies and procedures developed and 
documented by their affiliate. Thus, we estimate that a total of 12,953 
institutions would develop and document safeguard policies and 
procedures.\40\
---------------------------------------------------------------------------

    \39\ This estimate is based on the following calculation: (6,768 
+ 5,182 + 7,977) x 0.7 = 13,948.9. The estimate that 70 percent of 
registrants have an affiliate is based upon statistics reported on 
Form ADV, the Universal Application for Investment Adviser 
Registration, which contains specific questions regarding 
affiliations between investment advisers and other persons in the 
financial industry. We estimate that other institutions subject to 
the safeguard rule would report a rate of affiliation similar to 
that reported by registered investment advisers.
    \40\ This estimate is based on the following calculation: 
(13,949 x 0.5) + (19,927 x 0.3) = 12,952.6.
---------------------------------------------------------------------------

    We also believe that most institutions we regulate would adopt 
safeguard policies and procedures and document those policies and 
procedures as a matter of good business practice, regardless of the 
Commission's safeguard rule. We expect these institutions have a strong 
interest apart from our rule in preventing security threats, such as 
identity theft or threats to the computer system that would allow 
unauthorized persons to obtain information about the firms' customers 
and their business. For purposes of the PRA, we estimate that 10 
percent of these institutions have not already documented their 
policies and procedures. Thus, we estimate that, if the proposed rule 
amendment is adopted, 1,295 institutions would have to document 
policies and procedures in response to the proposed rule in the first 
year after adoption.
    In addition to existing registrants, we estimate that, on average, 
approximately 1,475 new broker-dealers, investment companies and 
registered investment advisers register with the Commission each 
year.\41\ As with existing registrants, we estimate that 70 percent of 
these registrants, or 1,033 entities are affiliated with another 
financial institution that has adopted safeguard policies and 
procedures. We assume that all new registrants affiliated with another 
financial institution would adopt the same policies, procedures and 
documentation already established by the affiliated institution. Of the 
remaining 30 percent of new registrants, or 442 institutions, we assume 
that 90 percent would develop and document their safeguard policies and 
procedures as a matter of good business practice. Accordingly, we 
expect that after the first year the rule is in effect, the annual 
number of respondents would be 44.\42\
---------------------------------------------------------------------------

    \41\ This estimate is based on annual filings with the 
Commission for the calendar years 2001, 2002, and 2003.
    \42\ This estimate is based on the following calculation: 442 
new registrants x 0.1 = 44.2.
---------------------------------------------------------------------------

Total Annual Reporting and Recordkeeping Burdens

    As noted above, we expect that the policies and procedures adopted 
by the responding institutions will vary considerably depending on the 
size of the institution, the way in which it collects information, the 
number and types of entities to which it transfers information, and the 
ways in which it stores, transfers, and disposes of customer 
information. Thus, for example, a small registered investment adviser 
with fewer than 10 employees may require a limited number of policies 
and procedures to address a limited scope of information transfer, 
storage and disposal. A large broker-dealer or fund complex with many 
affiliated entities, on the other hand, is more likely to have 
developed extensive policies and procedures on an organization-wide 
basis that address many different levels of control. The documentation 
of these policies and procedures will vary widely in length and 
complexity, corresponding to the range and complexity of the 
institution's policies and procedures.
    Of the institutions registered with the Commission, we estimate 
that 5,424 investment advisers have 10 or fewer employees.\43\ We 
estimate that 1,041 broker-dealers and investment companies are small 
entities, and are likely to have no more than 10 employees.\44\ 
Consistent with our estimate above, we assume that 50 percent of these 
smaller institutions with an affiliate, and the 30 percent of these 
smaller institutions that are not affiliated with another financial 
institution (4,202 institutions in total), would adopt and document 
their own policies and procedures.\45\ Of those 4,202 institutions, we 
assume that only 10 percent, or 420 small entities, would not already 
have documented policies and procedures as a good business practice. 
For purposes of the PRA, we 
estimate that the amount of time a smaller entity would take to 
document the safeguard policies and procedures they have adopted would 
range from 6 hours to 24 hours with an average of 15 hours. 
Accordingly, we estimate a one-time hour burden for these smaller 
entities of 6,300 hours.
---------------------------------------------------------------------------

    \43\ See Investment Counsel Association of America, Evolution 
Revolution, A Profile of the Investment Advisory Profession (May 
2004) (available at http://www.icaa.org/public/evolution_revolution-2004.pdf).
    \44\ As noted below, 808 broker-dealers and 233 investment 
companies are considered small entities. See infra note and 
accompanying text.
    \45\ This estimate is based on the following calculation: (6,465 
x 0.7 x 0.5) + (6,465 x 0.3) = 4,202.25.
---------------------------------------------------------------------------

    Other institutions, such as large fund complexes or clearing 
broker-dealers, may require more time to document extensive policies 
and procedures that apply to all the institutions in the complex. We 
assume that 10 percent of these, or 875 institutions would not already 
have written policies and procedures in compliance with the proposed 
rule.\46\ For purposes of the PRA, we estimate that the amount of time 
these institutions would take to document their safeguard policies and 
procedures would range from 30 hours to 1,400 hours with an average of 
715 hours. Thus, we estimate a total one-time burden for these 
institutions of 625,625 hours.\47\ Combined with the burden for smaller 
institutions, we estimate a total one-time burden of 631,925 
hours.\48\ Amortized over three years, we estimate an annual burden of 
210,642 hours.
---------------------------------------------------------------------------

    \46\ This estimate is based on the following calculation: 1,295 
- 420 = 875.
    \47\ This estimate is based on the following calculation: 875 x 
715 = 625,625.
    \48\ This estimate of hour burden for these institutions is 
based on the following calculation: 625,625 + 6,300 = 631,925.
---------------------------------------------------------------------------

    In addition to existing registrants, as noted above, we estimate 
that 44 new registrants would not have already documented their 
safeguard policies and procedures as a matter of good business 
practice. Of these, we estimate that 14 will be smaller 
institutions.\49\ Thus, we estimate that the annual burden for new 
small entities would be 210 hours.\50\ We estimate that the annual 
burden for the other 30 new institutions would be 715 hours each, with 
a total annual burden for all new registrants of 21,660 hours.\51\
---------------------------------------------------------------------------

    \49\ We estimate that the percentage of new institutions 
registering that are smaller entities would be similar to the 
percent of currently registered institutions that are smaller 
institutions, as described above. See supra notes 43-44 and 
accompanying text. The calculations for this estimate are: 6,465/
19,927 = 0.32; 44 x 0.32 = 14.08.
    \50\ This estimate is based on the following calculation: 14 x 
15 = 210.
    \51\ This estimate is based on the following calculation: (30 x 
715) + 210 = 21,660.
---------------------------------------------------------------------------

    Going forward, we estimate that 10 percent of the 19,927 registered 
institutions will review and update their policies and procedures each 
year. For purposes of the PRA, we estimate that 638 of these will be 
smaller institutions that would take between 2 and 10 hours, with an 
average of 6 hours each, to review and update their safeguard policies 
and procedures. Thus, we estimate an annual burden for these smaller 
institutions of 3,828 hours.\52\ For purposes of the PRA, we estimate 
that 1,355 larger institutions will take between 10 and 50 hours, with 
an average of 30 hours each, to review and update their safeguard 
policies and procedures. We estimate an annual burden for the larger 
institutions of 40,650 hours, and combined with smaller institutions, 
an annual burden of 44,478 hours.\53\ Thus, we estimate the total 
annual burden to be 276,780 hours.\54\
---------------------------------------------------------------------------

    \52\ These estimates are based on the following calculations: 
6,465/19,927 = 0.32; 1,993 x 0.32 = 637.7; 638 x 6 = 3,828.
    \53\ These estimates are based on the following calculations: 
1,993 - 638 = 1,355; 1,355 x 30 = 40,650.
    \54\ This estimate is based on the following calculation: 
210,642 + 21,660 + 44,478 = 276,780.
---------------------------------------------------------------------------

Retention Period for Recordkeeping Requirements

    The proposed rules do not contain express provisions governing the 
retention of records related to the policies and procedures. 
Nevertheless, an institution subject to the safeguard rule is likely to 
retain the documentation in order to assist in informing and training 
employees, in reviewing the policies for their effectiveness, and to 
demonstrate compliance with the rule to the Commission's inspections 
staff. These records would not have to be retained for any particular 
period, but are likely to be retained as long as the institution 
maintains policies and procedures.

Collection of Information is Mandatory

    Broker-dealers, investment companies and registered investment 
advisers all are required to comply with the safeguard rule and would 
be required to comply with the proposed amendment.

Responses to Collection of Information Will Not Be Kept Confidential

    Under the proposal, the written safeguard policies and procedures 
would not be filed with or otherwise submitted to the Commission. 
Accordingly, we make no assurance of confidentiality with respect to 
the collections of information.

Request for Comment

    Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits 
comment to:
    (i) Evaluate whether the proposed collection of information is 
necessary for the proper performance of the functions of the 
Commission, including whether the information will have practical 
utility;
    (ii) Evaluate the accuracy of the Commission's estimate of the 
burden of the proposed collection of information;
    (iii) Determine whether there are ways to enhance the quality, 
utility, and clarity of the information to be collected; and
    (iv) Determine whether there are ways to minimize the burden of the 
collection of information on those who are to respond, including 
through the use of automated collection techniques or other forms of 
information technology.
    Persons wishing to submit comments on the collection of information 
requirements should direct them to the following persons: (i) Desk 
Officer for the Securities and Exchange Commission, Office of 
Information and Regulatory Affairs, Office of Management and Budget, 
Room 3208, New Executive Office Building, Washington, DC 20503; and 
(ii) Jonathan G. Katz, Secretary, Securities and Exchange Commission, 
450 Fifth Street, NW., Washington, DC 20549. Any comments should make 
reference to File Number S7-33-04. OMB is required to make a decision 
concerning the collection of information between 30 and 60 days after 
publication, so a comment to OMB is best assured of having its full 
effect if OMB receives it within 30 days after publication. Requests 
for materials submitted to OMB by the Commission with regard to this 
collection of information should be made in writing, should refer to 
File Number S7-33-04, and should be submitted to the Securities and 
Exchange Commission, Records Management, Office of Filings and 
Information Services, 450 Fifth Street, NW., Washington, DC 20549.

VI. Initial Regulatory Flexibility Analysis

    This Initial Regulatory Flexibility Analysis (``IRFA'') has been 
prepared in accordance with 5 U.S.C. 603. It relates to the proposed 
disposal rule, which requires that reasonable measures be taken to 
protect against unauthorized access to consumer report information 
during its disposal. It also relates to the proposed amendment to the 
safeguard rule that would require financial institutions to document 
policies and procedures to safeguard customer information in writing.

A. Reasons for the Proposed Rule

    Section 216 of the FACT Act requires the Commission to issue 
regulations regarding the proper disposal of consumer report 
information in order to prevent sensitive financial and personal 
information from falling into the hands of identity thieves or others 
who might use the information to victimize consumers. The requirements 
of the proposed rule are intended to fulfill the obligations imposed by 
section 216.
    As discussed above, the proposed amendment to the safeguard rule 
would require entities subject to the safeguard rule to document their 
policies and procedures in writing. The proposed amendment is intended 
to ensure reasonable protection for customer records and information, 
and to permit compliance oversight by our examiners.

B. Statement of Objectives and Legal Basis

    The objectives of the proposed disposal rule and the proposed 
amendment to the safeguard rule are discussed above. The legal basis 
for the proposed disposal rule is section 216 of the FACT Act. The 
legal basis for the proposed amendment to the safeguard rule is section 
501(b) of the GLBA, sections 17 and 23 of the Exchange Act, sections 31 
and 38 of the Investment Company Act, and sections 204 and 211 of the 
Investment Advisers Act.

C. Description of Small Entities to Which the Proposed Rule Will Apply

    The proposed disposal rule, which tracks the language of section 
216 of the FACT Act, would apply to brokers and dealers (other than 
notice-registered broker-dealers), investment companies, registered 
investment advisers, and registered transfer agents that maintain or 
otherwise possess consumer information, or any compilation of consumer 
information, for a business purpose.\55\ Institutions covered by the 
proposed amendment to the safeguard rule would include brokers and 
dealers (other than notice-registered broker-dealers), investment 
companies, and registered investment advisers. Of the entities 
registered with the Commission, 808 broker-dealers, 233 
investment companies, 592 registered investment advisers, and 170 
registered transfer agents are considered small entities.\56\
---------------------------------------------------------------------------

    \55\ Proposed rule 248.30(b)(2)(i).
    \56\ For purposes of the Regulatory Flexibility Act, under the 
Exchange Act a small entity is a broker or dealer that had total 
capital of less than $500,000 on the date of its prior fiscal year 
and is not affiliated with any person that is not a small entity. 17 
CFR 270.0-10. Under the Investment Company Act a ``small entity'' is 
an investment company that, together with other investment companies 
in the same group of related investment companies, has net assets of 
$50 million or less as of the end of its most recent fiscal year. 17 
CFR 270.0-10. Under the Investment Advisers Act, a small entity is 
an investment adviser that ``(i) manages less than $25 million in 
assets, (ii) has total assets of less than $5 million on the last 
day of its most recent fiscal year, and (iii) does not control, is 
not controlled by, and is not under common control with another 
investment adviser that manages $25 million or more in assets, or 
any person that had total assets of $5 million or more on the last 
day of the most recent fiscal year.'' 17 CFR 275.0-7. A small entity 
in the transfer agent context is defined to be any transfer agent 
that (i) received less than 500 items for transfer and less than 500 
items for processing during the preceding six months; (ii) 
transferred only items of issuers that would be deemed ``small 
businesses'' or ``small organizations'' under rule 0-10 under the 
Exchange Act; (iii) maintained master shareholder files that in the 
aggregate contained less than 1,000 shareholder accounts at all 
times during the preceding fiscal year; and (iv) is not affiliated 
with any person (other than a natural person) that is not a small 
business or small organization under rule 0-10. 17 CFR 240.0-10.
---------------------------------------------------------------------------

    We invite comment from small entities that would be subject to the 
proposed disposal rule and amendment to the safeguard rule. We invite 
comment generally regarding information that would help us to quantify 
the number of small entities that may be affected by the proposal.

D. Projected Reporting, Recordkeeping and Other Compliance Requirements

    The proposed disposal rule would not impose any reporting or any 
specific recordkeeping requirements within the meaning of the Paperwork 
Reduction Act, discussed above. The proposed disposal rule would 
require covered entities, when disposing of consumer report 
information, to take reasonable measures to protect against 
unauthorized access to or use of the information in connection with its 
disposal. What is considered ``reasonable'' will vary according to an 
entity's size and the complexity of its operations, the costs and 
benefits of available disposal methods, and the sensitivity of the 
information involved. This flexibility is intended to reduce the burden 
that might otherwise be imposed on small entities by a more rigid, 
prescriptive rule. The Commission is concerned about the potential 
impact of the proposed rule on small entities, and invites comment on 
the costs of compliance for such parties.
    With respect to the proposed amendment to the safeguard rule, we 
note that firms are already required to have policies and procedures 
that address the safeguarding of customer information and records. As 
noted above, this requirement provides a flexible standard that allows 
each firm to tailor these policies and procedures to the firm's 
particular systems, methods of information gathering, and customer 
needs. We assume that most institutions have already documented these 
policies and procedures, but the proposed amendment would require all 
entities to put their policies and procedures in writing. Nevertheless, 
the amount of time it will take entities that do not have written 
policies and procedures to document them will vary based upon the 
extent and complexity 
of the policies and procedures the entity has adopted. Accordingly, a 
small entity with complex and very detailed policies and procedures 
would likely take more time to document those policies and procedures 
than would a small entity with relatively simple undocumented policies 
and procedures.

E. Identification of Other Duplicative, Overlapping, or Conflicting 
Federal Rules

    We have not identified any other federal statutes, rules, or 
policies that would conflict with the proposed disposal rule's 
requirement (i) that covered persons take reasonable measures to 
protect against unauthorized access to or use of the information in 
connection with its disposal or (ii) that safeguarding policies and 
procedures must be in writing. However, we request comment on the 
extent to which other federal standards involving privacy or security 
of information may duplicate, satisfy, or inform the proposal's 
requirements. We also seek comment and information about any statutes 
or rules that may conflict with the proposed disposal rule 
requirements, as well as any other state, local, or industry rules or 
policies that require covered entities to implement practices that 
comport with the requirements of the proposed rule.

F. Discussion of Significant Alternatives

    The Regulatory Flexibility Act directs the Commission to consider 
significant alternatives that would accomplish the stated objectives 
while minimizing any significant adverse impact on small businesses. In 
connection with the proposal, the Commission considered the following 
alternatives: (i) The establishment of differing compliance or 
reporting requirements or timetables that take into account the 
resources available to small entities; (ii) the clarification, 
consolidation, or simplification of compliance and reporting 
requirements under the proposed rules for small entities; (iii) the use 
of performance rather than design standards; and (iv) an exemption from 
coverage of the proposed rules, or any part thereof, for small 
entities.
    With respect to the proposed disposal rule, the Commission does not 
presently believe that an exemption from coverage or special compliance 
or reporting requirements for small entities would be consistent with 
the mandates of the FACT Act. In addition, the Commission does not 
presently believe that clarification, consolidation, or simplification 
of the proposed amendment for small entities is feasible or necessary. 
Section 216 of the FACT Act addresses the protection of consumer 
privacy, and consumer privacy concerns do not depend on the size of the 
entity involved. However, we have endeavored throughout the proposed 
disposal rule to minimize the regulatory burden on all covered 
entities, including small entities, while meeting the statutory 
requirements. Small entities should benefit from the flexible standards 
in the proposed disposal rule. In addition, existing emphasis on 
performance rather than design standards in the proposed rule takes 
account of the covered entity's size and sophistication, as well as the 
costs and benefits of alternative disposal methods. The Commission 
welcomes comment on any alternative system that would be consistent 
with the FACT Act but would minimize the impact on small entities. 
Comments should describe the nature of any impact on small entities and 
provide empirical data.
    With respect to the proposed amendment to the safeguard rule, we do 
not presently believe that an exemption from coverage or special 
reporting or compliance requirements for small entities is feasible or 
necessary. The requirement that covered entities document their 
safeguard policies and procedures in writing is necessary to promote 
systematic and organized reviews of these policies and procedures by 
the entity, as well as to allow Commission staff to identify and test 
effectively for compliance with the safeguard rule.
    Similarly, the Commission does not presently believe that 
clarification, consolidation, or simplification of the proposed 
amendment for small entities is feasible or necessary. The proposed 
requirement that the safeguard policies and procedures be in writing, 
as discussed above, is essential to allowing both the entity and 
Commission staff to review the entity's policies and procedures.
    The safeguard rule embodies performance rather than design 
standards. It affords each firm the flexibility to adopt and implement 
policies and procedures that are appropriate in light of the 
institution's size and the complexity of its operations. The 
documentation of the policies and procedures would reflect these 
performance standards. Accordingly, the writing required under the 
proposed amendment would only be as technical or complex as the 
policies and procedures required to be documented.
    We encourage written comments on matters discussed in the IRFA. In 
particular, the Commission seeks comment on: (i) The number of small 
entities that would be affected by the proposed rule; and (ii) the 
impact of the proposed rule on small entities. Commentators are asked 
to describe the nature of any impact and provide empirical data 
supporting the extent of the impact.

VII. Analysis of Effects on Efficiency, Competition and Capital 
Formation

    Section 3(f) of the Exchange Act and section 2(c) of the Investment 
Company Act require the Commission, whenever it engages in rulemaking 
and must consider or determine if an action is necessary or appropriate 
in the public interest, to consider, in addition to the protection of 
investors, whether the action would promote efficiency, competition, 
and capital formation. Moreover, section 23(a)(2) of the Exchange Act 
requires the Commission, when proposing rules under the Exchange Act, 
to consider the impact the proposed rules may have upon competition. 
Section 23(a)(2) of the Exchange Act prohibits the Commission from 
adopting any rule that would impose a burden on competition that is not 
necessary or appropriate in furtherance of the purposes of the Exchange 
Act.
    We do not believe that the proposed disposal rule will have an 
anti-competitive impact. The proposed disposal rule applies to all 
brokers and dealers (other than notice-registered broker-dealers), 
investment companies, registered investment advisers, and registered 
transfer agents. Each of these institutions must take reasonable 
measures to properly dispose of consumer report information.
    Other financial institutions will be subject to substantially 
similar disposal requirements under rules proposed by the Agencies. 
Under the FACT Act, the Agencies and the Commission have worked in 
consultation and coordination with one another to ensure the 
consistency and comparability of the proposed regulations. Therefore, 
all financial institutions would have to bear the costs of implementing 
the rules or substantially similar rules. Although these costs would 
vary among entities subject to the proposed rule, we do not believe 
that the costs would be significantly greater for any particular entity 
or entities when calculated as a percentage of overall costs.
    Furthermore, we believe the proposed disposal rule would have 
little effect on efficiency and capital formation. The proposed rule 
will result in some additional costs for some entities, particularly 
those entities that do not currently take reasonable measures to 
properly dispose of consumer report information. However, we believe 
the additional costs are small enough that they would not affect the 
efficiency of these entities.
    With respect to the proposed amendment to the safeguard rule, we do 
not believe the proposed amendment will have an anti-competitive 
impact. As noted above, we believe that most brokers, dealers, 
investment companies, and registered investment advisers already have 
written safeguard policies and procedures. To the extent some do not, 
those firms would have to conform to standards that many firms have met 
voluntarily. This proposed amendment also would be consistent with the 
requirement under the Interagency Guidelines and the FTC's Safeguard 
Rule that financial institutions they regulate must document their 
policies and procedures in writing.\57\ Firms that do not currently 
have written policies and procedures would incur costs of 
documentation already borne by firms that have written policies and 
procedures. Although these costs would vary among institutions subject 
to the proposed amendment, we do not believe that the costs would be 
significantly greater for any particular firm or firms when calculated 
as a percentage of overall costs.
---------------------------------------------------------------------------

    \57\ See supra note 28.
---------------------------------------------------------------------------

    Furthermore, we believe the proposed amendment would have little 
effect on efficiency and capital formation. We expect the proposal will 
increase efficiency among those firms that do not currently have 
written policies and procedures because it should promote more 
systematic and organized reviews of these policies and procedures. The 
proposed amendment will result in some additional costs for firms that 
do not currently have written policies and procedures. However, we 
believe the additional costs are small enough that they would not 
affect the efficiency of these firms.
    The Commission seeks comment regarding the impact of the proposed 
rules on efficiency, competition, and capital formation. For purposes 
of the Small Business Regulatory Enforcement Fairness Act of 1996, the 
Commission also requests information regarding the potential effect of 
the proposed rules on the U.S. economy on an annual basis. Commentators 
are requested to provide empirical data to support their views.

VIII. Statutory Authority

    The Commission is proposing amendments to Regulation S-P pursuant 
to the authority set forth in section 501(b) of the GLBA [15 U.S.C. 
6801(b)], section 216 of the FACT Act [15 U.S.C. 1681w], sections 17 
and 23 of the Exchange Act [15 U.S.C. 78q and 78w], sections 31(a) and 
38 of the Investment Company Act [15 U.S.C. 80a-30(a) and 80a-37], and 
sections 204 and 211 of the Investment Advisers Act [15 U.S.C. 80b-4 
and 80b-11].

List of Subjects in 17 CFR Part 248

    Brokers, Dealers, Investment advisers, Investment companies, 
Privacy, Reporting and recordkeeping requirements, Transfer agents.

Text of Proposed Rules

    For the reasons set out in the preamble, title 17, chapter II of 
the Code of Federal Regulations is proposed to be amended as follows:

PART 248--REGULATION S-P: PRIVACY OF CONSUMER FINANCIAL INFORMATION

    1. The authority citation for part 248 is revised to read as 
follows:

    Authority: 15 U.S.C. 6801-6809; 15 U.S.C. 1681w; 15 U.S.C. 78q, 
78w, 78mm, 80a-30(a), 80a-37, 80b-4, and 80b-11.


Sec.  248.1  [Amended]

    2. Section 248.1, the first sentence of paragraph (b) is amended by 
revising the phrase ``This part'' to read ``Except with respect to 
Sec.  248.30(b), this part''.


Sec.  248.2  [Amended]

    3. Section 248.2, paragraph (b) is amended by revising the phrase 
``Any futures commission merchant'' to read ``Except with respect to 
Sec.  248.30(b), any futures commission merchant''.
    4. Section 248.30 is amended as follows:
    a. Revise the section heading;
    b. Introductory text, paragraphs (a), (b), and (c) are redesignated 
as paragraphs (a) introductory text, (a)(1), (a)(2), and (a)(3) 
respectively;
    c. In the newly redesignated introductory text of paragraph (a), 
add the word ``written'' before the phrase ``policies and procedures'' 
in the first and second sentences; and
    d. Add paragraph (b).
    The revision and addition read as follows:


Sec.  248.30  Procedures to safeguard customer records and information; 
disposal of consumer report information.

* * * * *
    (b) Disposal of consumer report information and records--(1) 
Definitions--(i) Consumer report has the same meaning as in section 
603(d) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)).
    (ii) Consumer report information means any record about an 
individual, whether in paper, electronic or other form, that is a 
consumer report or is derived from a consumer report.
    (iii) Disposal means:
    (A) The discarding or abandonment of consumer report information; 
and
    (B) The sale, donation, or transfer of any medium, including 
computer equipment, on which consumer report information is stored.
    (iv) Notice-registered broker-dealers means a broker or dealer 
registered by notice with the Commission under section 15(b)(11) of the 
Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)).
    (v) Transfer agent has the same meaning as in section 3(a)(25) of 
the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(25)).
    (2) Proper disposal requirements--(i) Standard. Every broker and 
dealer other than notice-registered broker-dealers, every investment 
company, and every investment adviser and transfer agent registered 
with the Commission, that maintains or otherwise possesses consumer 
report information or any compilation of consumer report information 
for a business purpose must properly dispose of the information by 
taking reasonable measures to protect against unauthorized access to or 
use of the information in connection with its disposal.
    (ii) Relation to other laws. Nothing in this section shall be 
construed:
    (A) To require any broker, dealer, or investment company, or any 
investment adviser or transfer agent registered with the Commission to 
maintain or destroy any record pertaining to an individual that is not 
imposed under other law; or
    (B) To alter or affect any requirement imposed under any provision 
of law to maintain or destroy any of those records.

    By the Commission.

    Dated: September 14, 2004.
Margaret H. McFarland,
Deputy Secretary.
[FR Doc. 04-21031 Filed 9-17-04; 8:45 am]
BILLING CODE 8010-01-P