[Federal Register Volume 90, Number 58 (Thursday, March 27, 2025)]
[Notices]
[Pages 13936-13938]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2025-05198]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
[OMB Control No. 3235-0692]
Proposed Collection; Comment Request; Extension: Regulation S-ID
Upon Written Request, Copies Available From: Securities and Exchange
Commission, Office of FOIA Services, 100 F Street NE, Washington, DC
20549-2736
Notice is hereby given that, pursuant to the Paperwork Reduction
Act of 1995 (44 U.S.C. 3501 et seq.), the Securities and Exchange
Commission (the ``Commission'') is soliciting comments on the
collection of information summarized below. The Commission plans to
submit this existing collection of information to the Office of
Management and Budget for extension and approval.
Regulation S-ID (17 CFR 248), including the information collection
requirements thereunder, is designed to better protect investors from
the risks of identity theft. Under Regulation S-ID, SEC-regulated
entities are required to develop and implement reasonable policies and
procedures to identify, detect, and respond to relevant red flags (the
``Identity Theft Red Flags Rules'') and, in the case of entities that
issue credit or debit cards, to assess the validity of, and communicate
with cardholders regarding, address changes. Section 248.201 of
Regulation S-ID includes the following information collection
requirements for each SEC-regulated entity that qualifies as a
``financial institution'' or ``creditor'' under Regulation S-ID and
that offers or maintains covered accounts: (i) creation and periodic
updating of an identity theft prevention program (``Program'') that is
approved by the board of directors, an appropriate committee thereof,
or a designated senior management employee; (ii) periodic staff
reporting to the board of directors on compliance with the Identity
Theft Red Flags Rules and related guidelines; and (iii) training of
staff to implement the Program. Section 248.202 of Regulation S-ID
includes the following information collection requirements for each
SEC-regulated entity that is a credit or debit card issuer: (i)
establishment of policies and procedures that assess the validity of a
change of address notification if a request for an additional or
replacement card on the account follows soon after the address change;
and (ii) notification of a cardholder, before issuance of an additional
or replacement card, at the previous address or through some other
previously agreed-upon form of communication, or alternatively,
assessment of the validity of the address change request through the
entity's established policies and procedures.
SEC staff estimates of the hour burdens associated with section
248.201 under Regulation S-ID include the one-time burden of complying
with this section for newly-formed SEC-regulated entities, as well as
the ongoing costs of compliance for all SEC-regulated entities. All
newly-formed financial institutions and creditors would be required to
conduct an initial assessment of covered accounts, which SEC staff
estimates would entail a one-time burden of 2 hours. Staff estimates
that this burden would result in a cost of $1,022 to each newly-formed
financial institution or creditor.\1\ To the extent a financial
institution or creditor offers or maintains covered accounts, SEC staff
estimates that the financial institution or creditor would also incur a
one-time burden of 25 hours to develop and obtain board approval of a
Program, and a one-time burden of 4 hours to train the financial
institution's or creditor's staff, for a total of 29 additional burden
hours. Staff estimates that these burdens would result in additional
costs of $16,980 for each financial institution or creditor that offers
or maintains covered accounts.\2\
---------------------------------------------------------------------------
\1\ This estimate is based on the following calculation: 2 hours
x $511 (hourly rate for internal counsel) = $1,022; see infra note 2
(discussing the methodology for estimating the hourly rate for
internal counsel).
\2\ SEC staff estimates that, of the 29 hours incurred to
develop and obtain board approval of a Program and train the
financial institution's or creditor's staff, 10 hours will be spent
by internal counsel at an hourly rate of $511, 17 hours will be
spent by administrative assistants at an hourly rate of $100, and 2
hours will be spent by the board of directors as a whole at an
hourly rate of $5,085; thus, the estimated $16,980 in additional
costs is based on the following calculation: (10 hours x $511 =
$5,110) + (17 hours x $100 = $1,700) + (2 hours x $5,085 = $10,170)
= $16,980.
---------------------------------------------------------------------------
SEC staff estimates that approximately 539 SEC-regulated financial
institutions and creditors are newly formed each year.\3\ Each of these
539 entities will
[[Page 13937]]
need to conduct an initial assessment of covered accounts, for a total
of 1,078 hours at a total cost of $550,858.\4\ Of these 539 entities,
staff estimates that approximately 90% (or 485) maintain covered
accounts.\5\ Accordingly, staff estimates that the additional initial
burden for SEC-regulated entities that are likely to qualify as
financial institutions or creditors and maintain covered accounts is
14,065 hours at an additional cost of $8,235,300.\6\ Thus, the total
initial estimated burden for all newly-formed SEC-regulated entities is
15,143 hours at a total estimated cost of $8,786,158.\7\
---------------------------------------------------------------------------
\3\ Based on a review of new registrations typically filed with
the SEC each year, SEC staff estimates that approximately 1,228
investment advisers, 108 broker dealers, 24 investment companies,
and 2 ESCs typically apply for registration with the SEC or
otherwise are newly formed each year, for a total of 1,362 entities
that could be financial institutions or creditors; of these, staff
estimates that all of the investment companies, ESCs, and broker-
dealers are likely to qualify as financial institutions or
creditors, and 33% of investment advisers (or 405) are likely to
qualify; see Identity Theft Red Flags, Investment Company Act
Release No. 30456 (Apr. 10, 2013) (``Adopting Release'') at n.190
(discussing the staff's analysis supporting its estimate that 33% of
investment advisers are likely to qualify as financial institutions
or creditors); we therefore estimate that a total of 539 total
financial institutions or creditors will bear the initial one-time
burden of assessing covered accounts under Regulation S-ID.
\4\ These estimates are based on the following calculations: 539
entities x 2 hours = 1,078 hours; 539 entities x $1,022 = $550,858.
\5\ In the Proposing Release, the SEC requested comment on the
estimate that approximately 90% of all financial institutions and
creditors maintain covered accounts; the SEC received no comments on
this estimate.
\6\ These estimates are based on the following calculations: 485
financial institutions and creditors that maintain covered accounts
x 29 hours = 14,065 hours; 485 financial institutions and creditors
that maintain covered accounts x $16,980 = $8,235,300.
\7\ These estimates are based on the following calculations:
1,078 hours + 14,065 hours = 15,143 hours; $550,858 + $8,235,300 =
$8,786,158.
---------------------------------------------------------------------------
Each financial institution and creditor would be required to
conduct periodic assessments to determine if the entity offers or
maintains covered accounts, which SEC staff estimates would entail an
annual burden of 1 hour per entity. Staff estimates that this burden
would result in an annual cost of $511 to each financial institution or
creditor.\8\ To the extent a financial institution or creditor offers
or maintains covered accounts, staff estimates that the financial
institution or creditor also would incur an annual burden of 2.5 hours
to prepare and present an annual report to the board, and an annual
burden of 7 hours to periodically review and update the Program
(including review and preservation of contracts with service providers,
as well as review and preservation of any documentation received from
service providers). Staff estimates that these burdens would result in
additional annual costs of $9,429 for each financial institution or
creditor that offers or maintains covered accounts.\9\
---------------------------------------------------------------------------
\8\ This estimate is based on the following calculation: 1 hour
x $511 (hourly rate for internal counsel) = $511; see supra note 2
(discussing the methodology for estimating the hourly rate for
internal counsel).
\9\ Staff estimates that, of the 9.5 hours incurred to prepare
and present the annual report to the board and periodically review
and update the Program, 8.5 hours will be spent by internal counsel
at an hourly rate of $511, and 1 hour will be spent by the board of
directors as a whole at an hourly rate of $5,085; thus, the
estimated $9,429 in additional annual costs is based on the
following calculation: (8.5 hours x $511 = $4,344) + (1 hour x
$5,085 = $5,085) = $9,429; see supra note 2 (discussing the
methodology for estimating the hourly rate for internal counsel and
the board of directors).
---------------------------------------------------------------------------
SEC staff estimates that there are 10,055 SEC-regulated entities
that are either financial institutions or creditors, and that all of
these will be required to periodically review their accounts to
determine if they offer or maintain covered accounts, for a total of
10,055 hours for these entities at a total cost of $5,138,105.\10\ Of
these 10,055 entities, staff estimates that approximately 90 percent,
or 9,050, maintain covered accounts, and thus will need the additional
burdens related to complying with the rules.\11\ Accordingly, staff
estimates that the additional annual burden for SEC-regulated entities
that qualify as financial institutions or creditors and maintain
covered accounts is 85,975 hours at an additional cost of
$85,332,450.\12\ Thus, the total estimated ongoing annual burden for
all SEC-regulated entities is 96,030 hours at a total estimated annual
cost of $90,470,555.\13\
---------------------------------------------------------------------------
\10\ Based on a review of entities that the SEC regulates, SEC
staff estimates that, as of September 30, 2024, there are
approximately 15,968 investment advisers, 3,380 broker-dealers,
1,359 active open-end investment companies, and 47 ESCs; of these,
staff estimates that all of the broker-dealers, open-end investment
companies and ESCs are likely to qualify as financial institutions
or creditors; we also estimate that approximately 33% of investment
advisers, or 5,269 investment advisers, are likely to qualify; see
Adopting Release, supra note Error! Bookmark not defined., at n.190
(discussing the staff's analysis supporting its estimate that 33% of
investment advisers are likely to qualify as financial institutions
or creditors); we therefore estimate that a total of 10,055
financial institutions or creditors will bear the ongoing burden of
assessing covered accounts under Regulation S-ID (the SEC staff
estimates that the other types of entities that are covered by the
scope of the SEC's rules will not be financial institutions or
creditors and therefore will not be subject to the rules'
requirements.)
\11\ See supra note 5 and accompanying text; if a financial
institution or creditor does not maintain covered accounts, there
would be no ongoing annual burden for purposes of the PRA.
\12\ These estimates are based on the following calculations:
9,050 financial institutions and creditors that maintain covered
accounts x 9.5 hours = 85,975 hours; 9,050 financial institutions
and creditors that maintain covered accounts x $9,429 = $85,332,450.
\13\ These estimates are based on the following calculations:
10,055 hours + 85,975 hours = 96,030 hours; $5,138,105 + $85,332,450
= $90,470,555.
---------------------------------------------------------------------------
The collections of information required by section 248.202 will
apply only to SEC-regulated entities that issue credit or debit
cards.\14\ SEC staff understands that SEC-regulated entities generally
do not issue credit or debit cards, but instead partner with other
entities, such as banks, that issue cards on their behalf. These other
entities, which are not regulated by the SEC, are already subject to
substantially similar change of address obligations pursuant to the
Agencies' identity theft red flags rules. Therefore, staff does not
expect that any SEC-regulated entities will be subject to the
information collection requirements of section 248.202, and
accordingly, staff estimates that there is no hour or cost burden for
SEC-regulated entities related to section 248.202.
---------------------------------------------------------------------------
\14\ Sec. 248.202(a).
---------------------------------------------------------------------------
In total, SEC staff estimates that the aggregate annual information
collection burden of Regulation S-ID is 111,173 hours (15,143 hours +
96,030 hours). This estimate of burden hours is made solely for the
purposes of the Paperwork Reduction Act and is not derived from a
quantitative, comprehensive, or even representative survey or study of
the burdens associated with Commission rules and forms. Compliance with
Regulation S-ID, including compliance with the information collection
requirements thereunder, is mandatory for each SEC-regulated entity
that qualifies as a ``financial institution'' or ``creditor'' under
Regulation S-ID (as discussed above, certain collections of information
under Regulation S-ID are mandatory only for financial institutions or
creditors that offer or maintain covered accounts). Responses will not
be kept confidential. An agency may not conduct or sponsor, and a
person is not required to respond to, a collection of information
unless it displays a currently valid control number.
An agency may not conduct or sponsor, and a person is not required
to respond to, a collection of information unless it displays a
currently valid OMB Control Number.
Written comments are invited on: (a) whether the proposed
collection of information is necessary for the proper performance of
the functions of the Commission, including whether the information
shall have practical utility; (b) the accuracy of the Commission's
estimate of the burden of the collection of information; (c) ways to
enhance the quality, utility, and clarity of the information collected;
and (d) ways to minimize the burden of the collection of information on
respondents, including
[[Page 13938]]
through the use of automated collection techniques or other forms of
information technology. Consideration will be given to comments and
suggestions submitted by May 27, 2025.
An agency may not conduct or sponsor, and a person is not required
to respond to, a collection of information under the PRA unless it
displays a currently valid OMB control number.
Please direct your written comment to Austin Gerig, Director/Chief
Data Officer, Securities and Exchange Commission, c/o Tanya Ruttenberg,
100 F Street NE, Washington, DC 20549 or send an email to:
[email protected].
Dated: March 21, 2025.
Stephanie J. Fouse,
Assistant Secretary.
[FR Doc. 2025-05198 Filed 3-26-25; 8:45 am]
BILLING CODE 8011-01-P