2015-31361. Proposed Collection; Comment Request  

Upon Written Request, Copies Available From: Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE., Washington, DC 20549-2736.

Extension:

Regulation S-ID, OMB Control No. 3235-0692, SEC File No. 270-644.

Notice is hereby given that, pursuant to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.), the Securities and Exchange Commission (the “Commission”) is soliciting comments on the collection of information summarized below. The Commission plans to submit this existing collection of information to the Office of Management and Budget for extension and approval.

Regulation S-ID (17 CFR 248), including the information collection requirements thereunder, is designed to better protect investors from the risks of identity theft. Under Regulation S-ID, SEC-regulated entities are required to develop and implement reasonable policies and procedures to identify, detect, and respond to relevant red flags (the “Identity Theft Red Flags Rules”) and, in the case of entities that issue credit or debit cards, to assess the validity of, and communicate with cardholders regarding, address changes. Section 248.201 of Regulation S-ID includes the following information collection requirements for each SEC-regulated entity that qualifies as a “financial institution” or “creditor” under Regulation S-ID and that offers or maintains covered accounts: (i) Creation and periodic updating of an identity theft prevention program (“Program”) that is approved by the board of directors, an appropriate committee thereof, or a designated senior management employee; (ii) periodic staff reporting to the board of directors on compliance with the Identity Theft Red Flags Rules and related guidelines; and (iii) training of staff to implement the Program. Section 248.202 of Regulation S-ID includes the following information collection requirements for each SEC-regulated entity that is a credit or debit card issuer: (i) Establishment of policies and procedures that assess the validity of a change of address notification if a request for an additional or replacement card on the account follows soon after the address change; and (ii) notification of a cardholder, before issuance of an additional or replacement card, at the previous address or through some other previously agreed-upon form of communication, or alternatively, assessment of the validity of the address change request through the entity's established policies and procedures.

SEC staff estimates of the hour burdens associated with section 248.201 under Regulation S-ID include the one-time burden of complying with this section for newly-formed SEC-regulated entities, as well as the ongoing costs of compliance for all SEC-regulated entities. With respect to the one-time burden hours, staff estimates that each newly-formed financial institution or creditor would incur a burden of 2 hours to conduct an initial assessment of covered accounts. Staff estimates that approximately 644 SEC-regulated financial institutions and creditors are newly formed each year, and the total estimated one-time burden to initially assess covered accounts is therefore 1,288 hours. Staff also estimates that each financial institution or creditor that maintains covered accounts would incur an additional initial burden of 29 hours to develop and obtain board approval of a Program and to train the staff of the financial institution or creditor. Staff estimates that approximately 580 SEC-regulated financial institutions and creditors that maintain covered accounts are newly formed each year, and thus the total estimated one-time burden to develop Start Printed Page 77398and obtain board approval of a Program and train staff is 16,820 hours. Thus, the total initial estimated burden for all newly-formed SEC-regulated entities is 18,108 hours (1,288 hours + 16,820 hours).

With respect to ongoing annual burden hours, SEC staff estimates that each financial institution or creditor would incur a burden of 1 hour to periodically assess whether it offers or maintains covered accounts. Staff estimates that there are approximately 9,960 SEC-regulated entities that are either financial institutions or creditors, and the total estimated annual burden to periodically assess covered accounts is therefore 9,960 hours. Staff also estimates that each financial institution or creditor that maintains covered accounts would incur an additional annual burden of 9.5 hours to prepare and present an annual report to the board and to periodically review and update the Program. Staff estimates that there are approximately 8,964 SEC-regulated entities that are financial institutions or creditors that offer or maintain covered accounts, and thus the total estimated additional annual burden for these entities is 85,158 hours. Thus, the total ongoing annual estimated burden for all SEC-regulated entities is 95,118 hours (9,960 hours + 85,158 hours).

The collections of information required by section 248.202 under Regulation S-ID will apply only to SEC-regulated entities that issue credit or debit cards. SEC staff understands that SEC-regulated entities generally do not issue credit or debit cards, but instead partner with other entities, such as banks, that issue cards on their behalf. These other entities, which are not regulated by the SEC, are already subject to substantially similar change of address obligations pursuant to other federal regulators' identity theft red flags rules. Therefore, staff does not expect that any SEC-regulated entities will be subject to the information collection requirements of section 248.202, and accordingly, staff estimates that there is no hour burden related to section 248.202 for SEC-regulated entities.

In total, SEC staff estimates that the aggregate annual information collection burden of Regulation S-ID is 113,226 hours (18,108 hours + 95,118 hours). This estimate of burden hours is made solely for the purposes of the Paperwork Reduction Act and is not derived from a quantitative, comprehensive, or even representative survey or study of the burdens associated with Commission rules and forms. Compliance with Regulation S-ID, including compliance with the information collection requirements thereunder, is mandatory for each SEC-regulated entity that qualifies as a “financial institution” or “creditor” under Regulation S-ID (as discussed above, certain collections of information under Regulation S-ID are mandatory only for financial institutions or creditors that offer or maintain covered accounts). Responses will not be kept confidential. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid control number.

Written comments are invited on: (i) Whether the proposed collection of information is necessary for the proper performance of the functions of the agency, including whether the information will have practical utility; (ii) the accuracy of the agency's estimate of the burden of the collection of information; (iii) ways to enhance the quality, utility, and clarity of the information collected; and (iv) ways to minimize the burden of the collection of information on respondents, including through the use of automated collection techniques or other forms of information technology. Consideration will be given to comments and suggestions submitted in writing within 60 days of this publication.

Please direct your written comments to Pamela Dyson, Director/Chief Information Officer, Securities and Exchange Commission, C/O Remi Pavlik-Simon, 100 F Street NE., Washington, DC 20549; or send an email to: PRA_Mailbox@sec.gov.

All submissions should refer to File Number 270-644. This file number should be included on the subject line if email is used. The Commission will post all comments on the Commission's Internet Web site (http://www.sec.gov). All comments received will be posted without change; we do not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.