[Federal Register Volume 80, Number 239 (Monday, December 14, 2015)]
[Notices]
[Pages 77397-77398]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-31361]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
Proposed Collection; Comment Request
Upon Written Request, Copies Available From: Securities and Exchange
Commission, Office of FOIA Services, 100 F Street NE., Washington, DC
20549-2736.
Extension:
Regulation S-ID, OMB Control No. 3235-0692, SEC File No. 270-
644.
Notice is hereby given that, pursuant to the Paperwork Reduction
Act of 1995 (44 U.S.C. 3501 et seq.), the Securities and Exchange
Commission (the ``Commission'') is soliciting comments on the
collection of information summarized below. The Commission plans to
submit this existing collection of information to the Office of
Management and Budget for extension and approval.
Regulation S-ID (17 CFR 248), including the information collection
requirements thereunder, is designed to better protect investors from
the risks of identity theft. Under Regulation S-ID, SEC-regulated
entities are required to develop and implement reasonable policies and
procedures to identify, detect, and respond to relevant red flags (the
``Identity Theft Red Flags Rules'') and, in the case of entities that
issue credit or debit cards, to assess the validity of, and communicate
with cardholders regarding, address changes. Section 248.201 of
Regulation S-ID includes the following information collection
requirements for each SEC-regulated entity that qualifies as a
``financial institution'' or ``creditor'' under Regulation S-ID and
that offers or maintains covered accounts: (i) Creation and periodic
updating of an identity theft prevention program (``Program'') that is
approved by the board of directors, an appropriate committee thereof,
or a designated senior management employee; (ii) periodic staff
reporting to the board of directors on compliance with the Identity
Theft Red Flags Rules and related guidelines; and (iii) training of
staff to implement the Program. Section 248.202 of Regulation S-ID
includes the following information collection requirements for each
SEC-regulated entity that is a credit or debit card issuer: (i)
Establishment of policies and procedures that assess the validity of a
change of address notification if a request for an additional or
replacement card on the account follows soon after the address change;
and (ii) notification of a cardholder, before issuance of an additional
or replacement card, at the previous address or through some other
previously agreed-upon form of communication, or alternatively,
assessment of the validity of the address change request through the
entity's established policies and procedures.
SEC staff estimates of the hour burdens associated with section
248.201 under Regulation S-ID include the one-time burden of complying
with this section for newly-formed SEC-regulated entities, as well as
the ongoing costs of compliance for all SEC-regulated entities. With
respect to the one-time burden hours, staff estimates that each newly-
formed financial institution or creditor would incur a burden of 2
hours to conduct an initial assessment of covered accounts. Staff
estimates that approximately 644 SEC-regulated financial institutions
and creditors are newly formed each year, and the total estimated one-
time burden to initially assess covered accounts is therefore 1,288
hours. Staff also estimates that each financial institution or creditor
that maintains covered accounts would incur an additional initial
burden of 29 hours to develop and obtain board approval of a Program
and to train the staff of the financial institution or creditor. Staff
estimates that approximately 580 SEC-regulated financial institutions
and creditors that maintain covered accounts are newly formed each
year, and thus the total estimated one-time burden to develop
[[Page 77398]]
and obtain board approval of a Program and train staff is 16,820 hours.
Thus, the total initial estimated burden for all newly-formed SEC-
regulated entities is 18,108 hours (1,288 hours + 16,820 hours).
With respect to ongoing annual burden hours, SEC staff estimates
that each financial institution or creditor would incur a burden of 1
hour to periodically assess whether it offers or maintains covered
accounts. Staff estimates that there are approximately 9,960 SEC-
regulated entities that are either financial institutions or creditors,
and the total estimated annual burden to periodically assess covered
accounts is therefore 9,960 hours. Staff also estimates that each
financial institution or creditor that maintains covered accounts would
incur an additional annual burden of 9.5 hours to prepare and present
an annual report to the board and to periodically review and update the
Program. Staff estimates that there are approximately 8,964 SEC-
regulated entities that are financial institutions or creditors that
offer or maintain covered accounts, and thus the total estimated
additional annual burden for these entities is 85,158 hours. Thus, the
total ongoing annual estimated burden for all SEC-regulated entities is
95,118 hours (9,960 hours + 85,158 hours).
The collections of information required by section 248.202 under
Regulation S-ID will apply only to SEC-regulated entities that issue
credit or debit cards. SEC staff understands that SEC-regulated
entities generally do not issue credit or debit cards, but instead
partner with other entities, such as banks, that issue cards on their
behalf. These other entities, which are not regulated by the SEC, are
already subject to substantially similar change of address obligations
pursuant to other federal regulators' identity theft red flags rules.
Therefore, staff does not expect that any SEC-regulated entities will
be subject to the information collection requirements of section
248.202, and accordingly, staff estimates that there is no hour burden
related to section 248.202 for SEC-regulated entities.
In total, SEC staff estimates that the aggregate annual information
collection burden of Regulation S-ID is 113,226 hours (18,108 hours +
95,118 hours). This estimate of burden hours is made solely for the
purposes of the Paperwork Reduction Act and is not derived from a
quantitative, comprehensive, or even representative survey or study of
the burdens associated with Commission rules and forms. Compliance with
Regulation S-ID, including compliance with the information collection
requirements thereunder, is mandatory for each SEC-regulated entity
that qualifies as a ``financial institution'' or ``creditor'' under
Regulation S-ID (as discussed above, certain collections of information
under Regulation S-ID are mandatory only for financial institutions or
creditors that offer or maintain covered accounts). Responses will not
be kept confidential. An agency may not conduct or sponsor, and a
person is not required to respond to, a collection of information
unless it displays a currently valid control number.
Written comments are invited on: (i) Whether the proposed
collection of information is necessary for the proper performance of
the functions of the agency, including whether the information will
have practical utility; (ii) the accuracy of the agency's estimate of
the burden of the collection of information; (iii) ways to enhance the
quality, utility, and clarity of the information collected; and (iv)
ways to minimize the burden of the collection of information on
respondents, including through the use of automated collection
techniques or other forms of information technology. Consideration will
be given to comments and suggestions submitted in writing within 60
days of this publication.
Please direct your written comments to Pamela Dyson, Director/Chief
Information Officer, Securities and Exchange Commission, C/O Remi
Pavlik-Simon, 100 F Street NE., Washington, DC 20549; or send an email
to: [email protected].
All submissions should refer to File Number 270-644. This file
number should be included on the subject line if email is used. The
Commission will post all comments on the Commission's Internet Web site
(http://www.sec.gov). All comments received will be posted without
change; we do not edit personal identifying information from
submissions. You should submit only information that you wish to make
available publicly.
Dated: December 8, 2015.
Brent J. Fields,
Secretary.
[FR Doc. 2015-31361 Filed 12-11-15; 8:45 am]
BILLING CODE 8011-01-P