[Federal Register Volume 80, Number 239 (Monday, December 14, 2015)]
[Notices]
[Pages 77397-77398]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-31361]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION


Proposed Collection; Comment Request

Upon Written Request, Copies Available From: Securities and Exchange 
Commission, Office of FOIA Services, 100 F Street NE., Washington, DC 
20549-2736.

Extension:
    Regulation S-ID, OMB Control No. 3235-0692, SEC File No. 270-
644.

    Notice is hereby given that, pursuant to the Paperwork Reduction 
Act of 1995 (44 U.S.C. 3501 et seq.), the Securities and Exchange 
Commission (the ``Commission'') is soliciting comments on the 
collection of information summarized below. The Commission plans to 
submit this existing collection of information to the Office of 
Management and Budget for extension and approval.
    Regulation S-ID (17 CFR 248), including the information collection 
requirements thereunder, is designed to better protect investors from 
the risks of identity theft. Under Regulation S-ID, SEC-regulated 
entities are required to develop and implement reasonable policies and 
procedures to identify, detect, and respond to relevant red flags (the 
``Identity Theft Red Flags Rules'') and, in the case of entities that 
issue credit or debit cards, to assess the validity of, and communicate 
with cardholders regarding, address changes. Section 248.201 of 
Regulation S-ID includes the following information collection 
requirements for each SEC-regulated entity that qualifies as a 
``financial institution'' or ``creditor'' under Regulation S-ID and 
that offers or maintains covered accounts: (i) Creation and periodic 
updating of an identity theft prevention program (``Program'') that is 
approved by the board of directors, an appropriate committee thereof, 
or a designated senior management employee; (ii) periodic staff 
reporting to the board of directors on compliance with the Identity 
Theft Red Flags Rules and related guidelines; and (iii) training of 
staff to implement the Program. Section 248.202 of Regulation S-ID 
includes the following information collection requirements for each 
SEC-regulated entity that is a credit or debit card issuer: (i) 
Establishment of policies and procedures that assess the validity of a 
change of address notification if a request for an additional or 
replacement card on the account follows soon after the address change; 
and (ii) notification of a cardholder, before issuance of an additional 
or replacement card, at the previous address or through some other 
previously agreed-upon form of communication, or alternatively, 
assessment of the validity of the address change request through the 
entity's established policies and procedures.
    SEC staff estimates of the hour burdens associated with section 
248.201 under Regulation S-ID include the one-time burden of complying 
with this section for newly-formed SEC-regulated entities, as well as 
the ongoing costs of compliance for all SEC-regulated entities. With 
respect to the one-time burden hours, staff estimates that each newly-
formed financial institution or creditor would incur a burden of 2 
hours to conduct an initial assessment of covered accounts. Staff 
estimates that approximately 644 SEC-regulated financial institutions 
and creditors are newly formed each year, and the total estimated one-
time burden to initially assess covered accounts is therefore 1,288 
hours. Staff also estimates that each financial institution or creditor 
that maintains covered accounts would incur an additional initial 
burden of 29 hours to develop and obtain board approval of a Program 
and to train the staff of the financial institution or creditor. Staff 
estimates that approximately 580 SEC-regulated financial institutions 
and creditors that maintain covered accounts are newly formed each 
year, and thus the total estimated one-time burden to develop

[[Page 77398]]

and obtain board approval of a Program and train staff is 16,820 hours. 
Thus, the total initial estimated burden for all newly-formed SEC-
regulated entities is 18,108 hours (1,288 hours + 16,820 hours).
    With respect to ongoing annual burden hours, SEC staff estimates 
that each financial institution or creditor would incur a burden of 1 
hour to periodically assess whether it offers or maintains covered 
accounts. Staff estimates that there are approximately 9,960 SEC-
regulated entities that are either financial institutions or creditors, 
and the total estimated annual burden to periodically assess covered 
accounts is therefore 9,960 hours. Staff also estimates that each 
financial institution or creditor that maintains covered accounts would 
incur an additional annual burden of 9.5 hours to prepare and present 
an annual report to the board and to periodically review and update the 
Program. Staff estimates that there are approximately 8,964 SEC-
regulated entities that are financial institutions or creditors that 
offer or maintain covered accounts, and thus the total estimated 
additional annual burden for these entities is 85,158 hours. Thus, the 
total ongoing annual estimated burden for all SEC-regulated entities is 
95,118 hours (9,960 hours + 85,158 hours).
    The collections of information required by section 248.202 under 
Regulation S-ID will apply only to SEC-regulated entities that issue 
credit or debit cards. SEC staff understands that SEC-regulated 
entities generally do not issue credit or debit cards, but instead 
partner with other entities, such as banks, that issue cards on their 
behalf. These other entities, which are not regulated by the SEC, are 
already subject to substantially similar change of address obligations 
pursuant to other federal regulators' identity theft red flags rules. 
Therefore, staff does not expect that any SEC-regulated entities will 
be subject to the information collection requirements of section 
248.202, and accordingly, staff estimates that there is no hour burden 
related to section 248.202 for SEC-regulated entities.
    In total, SEC staff estimates that the aggregate annual information 
collection burden of Regulation S-ID is 113,226 hours (18,108 hours + 
95,118 hours). This estimate of burden hours is made solely for the 
purposes of the Paperwork Reduction Act and is not derived from a 
quantitative, comprehensive, or even representative survey or study of 
the burdens associated with Commission rules and forms. Compliance with 
Regulation S-ID, including compliance with the information collection 
requirements thereunder, is mandatory for each SEC-regulated entity 
that qualifies as a ``financial institution'' or ``creditor'' under 
Regulation S-ID (as discussed above, certain collections of information 
under Regulation S-ID are mandatory only for financial institutions or 
creditors that offer or maintain covered accounts). Responses will not 
be kept confidential. An agency may not conduct or sponsor, and a 
person is not required to respond to, a collection of information 
unless it displays a currently valid control number.
    Written comments are invited on: (i) Whether the proposed 
collection of information is necessary for the proper performance of 
the functions of the agency, including whether the information will 
have practical utility; (ii) the accuracy of the agency's estimate of 
the burden of the collection of information; (iii) ways to enhance the 
quality, utility, and clarity of the information collected; and (iv) 
ways to minimize the burden of the collection of information on 
respondents, including through the use of automated collection 
techniques or other forms of information technology. Consideration will 
be given to comments and suggestions submitted in writing within 60 
days of this publication.
    Please direct your written comments to Pamela Dyson, Director/Chief 
Information Officer, Securities and Exchange Commission, C/O Remi 
Pavlik-Simon, 100 F Street NE., Washington, DC 20549; or send an email 
to: [email protected].
    All submissions should refer to File Number 270-644. This file 
number should be included on the subject line if email is used. The 
Commission will post all comments on the Commission's Internet Web site 
(http://www.sec.gov). All comments received will be posted without 
change; we do not edit personal identifying information from 
submissions. You should submit only information that you wish to make 
available publicly.

    Dated: December 8, 2015.
Brent J. Fields,
Secretary.
[FR Doc. 2015-31361 Filed 12-11-15; 8:45 am]
 BILLING CODE 8011-01-P