Skip to Content
Proposed Rule

Disposal of Consumer Report Information

Action

Proposed Rule.

Summary

The Securities and Exchange Commission (“Commission”) is publishing for comment amendments to the rule under Regulation S-P requiring financial institutions to adopt policies and procedures to safeguard customer information (“safeguard rule”). The proposed amendments would implement the provision in section 216 of the Fair and Accurate Credit Transactions Act of 2003 requiring proper disposal of consumer report information and records. Section 216 directs the Commission and other federal agencies to adopt regulations requiring that any person who maintains or possesses a consumer report or consumer information derived from a consumer report for a business purpose must properly dispose of the information. The proposed amendments also would require the policies and procedures adopted under the safeguard rule to be in writing.

Unified Agenda

Disposal of Consumer Report Information

7 actions from July 14th, 2004 to April 2009

  • July 14th, 2004
  • August 13th, 2004
    • NPRM Comment Period End
  • September 20th, 2004
  • October 20th, 2004
    • Second NPRM Comment Period End
  • December 8th, 2004
  • January 11th, 2005
    • Final Rule Effective
  • April 2009
    • Final Action
 

Table of Contents Back to Top

DATES: Back to Top

Comments should be received on or before October 20, 2004.

ADDRESSES: Back to Top

Comments may be submitted by any of the following methods:

Electronic Comments

Paper Comments

  • Send paper comments in triplicate to Jonathan G. Katz, Secretary, Securities and Exchange Commission, 450 Fifth Street, NW., Washington, DC 20549-0609.

All submissions should refer to File Number S7-33-04. This file number should be included on the subject line if e-mail is used. To help us process and review your comments more efficiently, please use only one method. The Commission will post all comments on the Commission's Internet Web site (http://www.sec.gov/rules/proposed/shtml). Comments will also be available for public inspection and copying in the Commission's Public Reference Room, 450 Fifth Street, NW., Washington, DC 20549. All comments received will be posted without change; we do not edit personal identifying information from submissions. You should submit only information that you wish to make available publicly.

FOR FURTHER INFORMATION CONTACT: Back to Top

For information regarding the proposed rule amendments as they relate to brokers or dealers, contact Catherine McGuire, Chief Counsel, Brian Bussey, Assistant Chief Counsel, or Tara Prigge, Attorney, Office of Chief Counsel, at the Division of Market Regulation, (202) 942-0073; as they relate to transfer agents registered with the Commission, contact Jerry Carpenter, Assistant Director, or David Karasik, Special Counsel, Office of Clearance and Settlement, at the Division of Market Regulation, (202) 942-4187; or as they relate to investment companies or to investment advisers registered with the Commission, contact Penelope W. Saltzman, Branch Chief, or Vincent M. Meehan, Attorney, Office of Regulatory Policy, at the Division of Investment Management, (202) 942-0690, Securities and Exchange Commission, 450 Fifth Street, NW., Washington, DC 20549.

SUPPLEMENTARY INFORMATION: Back to Top

The Commission is requesting public comment on proposed amendments to Regulation S-P under section 501(b) of the Gramm-Leach Bliley Act (“GLBA”) [15 U.S.C. 6801(b)], section 216 of the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act” or “Act”) [15 U.S.C. 1681w], the Securities Exchange Act of 1934 (the “Exchange Act”) [15 U.S.C. 78], the Investment Company Act of 1940 (the “Investment Company Act”) [15 U.S.C. 80a], and the Investment Advisers Act of 1940 (the “Investment Advisers Act”) [15 U.S.C. 80b].

Table of Contents Back to Top

I. Background

II. Discussion

A. Proposed Rule 248.30(b): Disposal of consumer report information and records

B. Proposed Rule 248.30(a): Procedures to safeguard customer records and information

III. General Request for Comment

IV. Cost-Benefit Analysis

V. Paperwork Reduction Act

VI. Initial Regulatory Flexiblity Analysis

VII. Analysis of Effects on Efficiency, Competition and Capital Formation

VIII. Statutory Authority

Text of Proposed Rules

I. Background Back to Top

Section 216 of the FACT Act adds a new section 628 to the Fair Credit Reporting Act (“FCRA”). [1] The section is intended to prevent unauthorized disclosure of information contained in a consumer report and to reduce the risk of fraud or related crimes, including identity theft, by ensuring that records containing sensitive financial or personal information are appropriately redacted or destroyed before being discarded. [2] Section 216 of the FACT Act requires the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision (collectively, the “Banking Agencies”), the National Credit Union Administration, the Federal Trade Commission (“FTC”) (collectively with the Banking Agencies, the “Agencies”), and the Commission to issue regulations requiring “any person that maintains or otherwise possesses consumer information, or any compilation of consumer information, derived from consumer reports for a business purpose, to properly dispose of any such information or compilation.” [3] The Agencies and the Commission are required to consult and coordinate with each other so that, to the extent possible, regulations implementing this section are consistent and comparable. In addition, section 216 requires that the regulations must be consistent with the GLBA and other provisions of Federal law. The Commission staff has coordinated with the Agencies to develop a proposal regarding the disposal of consumer report information, and the Commission is now requesting public comment on that proposal. [4]

The Commission's safeguard rule, section 30 of Regulation S-P, [5] was adopted in 2000 pursuant to section 501(b) of the GLBA. The rule requires brokers, dealers, and investment companies, as well as investment advisers registered with the Commission (“registered investment advisers”) to adopt policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. Because the proper disposal of information is one aspect of an information safeguard program, we are proposing to place the “disposal rule” as paragraph (b) of section 248.30. [6] The existing safeguard rule would be re-designated as paragraph (a). [7]

The Commission also is taking this opportunity to propose another amendment to the safeguard rule to address weaknesses the staff has seen in the documentation of safeguarding policies and procedures. Since 2001, our staff has examined brokers, dealers, investment companies, and registered investment advisers for their compliance with the safeguard rule. In the course of these examinations, our staff has identified firms that lack written policies and procedures that address the safeguarding of customer information and records. Our proposal today would address this weakness by specifying that information safeguard policies and procedures must be “written.”

II. Discussion Back to Top

A. Proposed Rule 248.30(b): Disposal of Consumer Report Information and Records

1. Proposed Section 248.30(b)(1): Definitions

The proposed disposal rule would be part of Regulation S-P. [8] Accordingly, the definitions set forth in Regulation S-P also would apply to terms used in the proposed rule. As discussed below, however, proposed section 248.30(b) would include definitions of additional terms used in the proposed disposal rule.

Proposed section 248.30(b)(1)(i) defines the term “consumer report” to have the same meaning as in section 603(d) of the FCRA. [9] Proposed section 248.30(b)(1)(ii) defines “consumer report information” as any record about an individual, whether in paper, electronic, or other form, that is a consumer report or is derived from a consumer report. This definition would incorporate the FCRA meaning of “consumer,” which is simply “an individual,” without regard to the nature of any product or service involved or how it is used. [10] A broad definition of the term, which includes all types of records that are consumer reports, or contain information derived from consumer reports, may best effectuate the purpose of the FACT Act.

Under this definition, however, information that is derived from consumer reports but does not identify any particular individual would not be covered under the proposed rule. Limiting “consumer report information” to information that identifies particular individuals is consistent with current law relating to the scope of the term “consumer report” under section 603(d) of the FCRA and with the purposes of section 216 of the FACT Act. [11] The Commission requests comment on this proposed definition. Should it be broader or narrower? The Commission also seeks comment on whether the definition of “consumer report information” should be further clarified, by example or otherwise.

Proposed section 248.30(b)(1)(iii) defines “disposal” to mean the discarding or abandonment of consumer report information, as well as the sale, donation, or transfer of any medium, including computer equipment, upon which consumer report information is stored. The sale, donation, or transfer, as opposed to the discarding or abandonment, of consumer report information would not be considered a “disposal” under the proposed rule. For example, an entity subject to the proposed disposal rule that transfers consumer report information to a third party for marketing purposes would not be discarding the information for purposes of the proposed disposal rule. [12] If the entity donates computer equipment on which consumer report information is stored, however, the donation would be considered a disposal under the proposal. The Commission requests comment on the proposed definition of “disposal.” Does it appropriately reflect the scope of the FACT Act? Should it be narrower or broader?

Proposed section 248.30(b)(1)(iv) defines “notice-registered broker-dealers” to mean a broker or dealer registered by notice with the Commission under section 15(b)(11) of the Exchange Act. [13]

Proposed section 248.30(b)(1)(v) defines “transfer agent” to have the same meaning as in section 3(a)(25) of the Exchange Act. [14] The Commission requests comment on these proposed definitions.

2. Proposed Section 248.30(b)(2)(i): Proper Disposal of Consumer Report Information

Maintaining or Possessing Information for a Business Purpose. The proposed disposal rule would require brokers and dealers (other than brokers and dealers registered by notice with the Commission under section 15(b)(11) of the Exchange Act for the purpose of conducting business in security futures products (“notice-registered broker-dealers”)), investment companies, registered investment advisers, and transfer agents registered with the Commission (“registered transfer agents” and, collectively, with brokers, dealers, investment companies, and registered investment advisers, “covered entities”) to dispose properly of consumer report information, or any compilation of consumer report information, if the entity maintains or otherwise possesses the information for a business purpose. This language, which tracks the language of section 216 of the FACT Act, creates two criteria for determining whether a covered entity would be required to comply with the proposed rule. First, does the information being disposed of contain consumer report information, or any compilation of consumer report information? Second, does the entity maintain or otherwise possess the consumer report information for a business purpose?

As to the first criterion, the FACT Act and proposed disposal rule make clear that the disposal requirements apply not only to consumer reports, but also to records containing “consumer information, or any compilation of consumer information, derived from consumer reports.” [15] The Commission believes that the phrase “derived from consumer reports” covers all of the information about an individual that is taken from a consumer report, including information that results in whole or in part from manipulation of information from a consumer report or information from a consumer report that has been combined with other types of information. Thus, any covered entity that possesses such information, including an affiliate that has received it under section 603(d)(2)(A)(iii) of the FCRA, would be obligated to properly dispose of it. [16]

As to the second criterion, “for a business purpose” includes all business reasons for which a covered entity may possess or maintain consumer report information. [17] Covered entities that possess consumer report information in connection with the provision of services to another entity would also be directly covered by the proposed rule to the extent that they dispose of the consumer report information.

The Commission requests comment on the scope of the proposed rule. The Commission also requests comment on whether there are any “persons or classes of persons” covered by the proposed disposal rule that it should consider exempting from the rule's application. [18]

Reasonable Measures. The proposed disposal rule would require that any covered entity that maintains or otherwise possesses consumer report information “take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.” [19] The Commission recognizes that there are few foolproof methods of record destruction. Accordingly, the proposed rule would not require covered entities to ensure perfect destruction of consumer report information in every instance; rather, it would require covered entities to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

In determining what measures are “reasonable” under the proposed disposal rule, we expect that entities covered by the rule would consider the sensitivity of the consumer report information, the size of the entity and the complexity of its operations, the costs and benefits of different disposal methods, and relevant technological changes. “Reasonable measures” may require elements such as the establishment of policies and procedures governing disposal, as well as appropriate employee training.

The flexible standard for disposal in the proposed rule would allow covered entities to make decisions appropriate to their particular circumstances and should minimize the disruption of existing practices to the extent that they already provide appropriate protections for consumer report information. The standard also is intended to minimize the burden of compliance for smaller entities. In addition, a “reasonable measures” standard would harmonize the proposed disposal rule with the Commission's safeguard rule, which incorporates a “reasonable design” standard in the requirement for policies and procedures to safeguard consumer information. This is designed to prevent covered entities from being subject to conflicting standards. [20]

We recognize that in some circumstances, “customer records and information” subject to the safeguard rule may overlap with “consumer report information” subject to the proposed disposal rule. To the extent there is overlap, customer records and information would be subject to the proposed disposal rule. We expect, however, that a covered entity subject to the safeguard rule would already have addressed the disposal of customer records and information as one part of its overall safeguard policies and procedures. These procedures must be reasonably designed to insure the security and confidentiality of customer records and information, and protect against unauthorized access to or use of customer records or information that could result in substantial harm or inconvenience to any customer. [21] In other words, the Commission believes that proper disposal policies and procedures are encompassed within, and should be a part of, the overall policies and procedures required under the safeguard rule. Accordingly, a covered entity could comply with the proposed disposal rule by applying its policies and procedures under the safeguard rule, including methods for the proper disposal of customer information, to consumer report information or any compilation of that information.

Despite the benefits of a flexible “reasonableness” standard, the Commission recognizes that such a standard could leave covered entities with some uncertainty about compliance. While each covered entity would have to evaluate what is appropriate for its size and the complexity of its operations, we believe that “reasonable” disposal measures for purposes of the proposed disposal rule could include:

  • Implementing and monitoring compliance with policies and procedures that require the burning, pulverizing, or shredding of papers containing consumer report information so that the information cannot practicably be read or reconstructed;
  • Implementing and monitoring compliance with policies and procedures that require the destruction or erasure of electronic media containing consumer report information so that the information cannot practicably be read or reconstructed; and
  • After due diligence, entering into and monitoring compliance with a written contract with another party engaged in the business of record destruction to dispose of consumer report information in a manner that is consistent with this rule. [22]

We invite comment on the proposed standard for disposal. In particular, we seek comment on whether commenters believe the proposed “reasonableness” standard provides sufficient guidance to covered entities. We also seek comment on whether the proposed disposal rule should include alternative standards, specify particular disposal methods, or should provide examples, and what those examples should be. Finally, we seek comment on whether the disposal rule should require disposal measures to be in writing.

3. Proposed Section 248.30(b)(2)(ii): Relation to Other Laws

This section makes clear that nothing in the proposed disposal rule is intended to create a requirement that a covered entity maintain or destroy any record pertaining to an individual. Nor is the rule intended to affect any requirement imposed under any other provision of law to maintain or destroy such records.

4. Scope of the Proposed Disposal Rule

The FACT Act differs in scope from the GLBA. Accordingly, Regulation S-P (including the safeguard rule) and the proposed disposal rule have some differences in scope with respect both to the information and entities that are subject to the respective rules. [23] Four provisions in the proposal would clarify these differences. First, the proposal would amend section 248.1(b) of Regulation S-P to except the proposed disposal rule from the provision that describes the scope of information subject to the Regulation S-P. [24] Second, the proposal would revise section 248.2(b) to except the proposed disposal rule from the provision in Regulation S-P that permits notice-registered broker-dealers to comply with Regulation S-P by complying with financial privacy rules adopted by the Commodity Futures Trading Commission. [25] Third, as noted above, the proposed disposal rule would exclude notice-registered broker-dealers from its application. [26] Fourth, unlike most of the privacy rules under Regulation S-P, the proposed disposal rule would apply to transfer agents. [27] We request comment on these proposed provisions.

B. Proposed Rule 248.30(a): Procedures To Safeguard Customer Records and Information

The current safeguard rule requires brokers, dealers, investment companies, and registered investment advisers to adopt policies and procedures to safeguard customer information. These procedures must be reasonably designed to:

  • Insure the security and confidentiality of customer records and information;
  • Protect against any anticipated threats or hazards to the security and integrity of those records; and
  • Protect against unauthorized access to or use of those records or information which could result in substantial harm or inconvenience to any customer.

As noted above, some firms our staff has examined lack written policies and procedures that address these requirements. In the absence of reasonable documentation, it is difficult to identify these policies and procedures and test for compliance with the safeguard rule. In addition, we strongly question whether an organization of any size and complexity could reasonably manage to safeguard customer records and information without written policies and procedures. Finally, we note that the Agencies have required written policies and procedures. [28] Therefore, to ensure reasonable protection for customer records and information, and to permit compliance oversight by our examiners, we are proposing to require that policies and procedures under the safeguard rule must be written. We believe that this amendment, if adopted, would impose no significant burden on the firms subject to the safeguard rule because they have been required to have reasonable policies and procedures since 2001. The amendment we propose today only requires them to document those policies and procedures. We do not believe that the documentation of existing policies and procedures would impose a significant burden.

We note that our examiners have inspected many firms that have already adopted such written policies and procedures. In large and complex organizations, with thousands of employees and multiple offices, these written policies and procedures generally address procedures at several levels, going from an organization-wide policy statement down to detailed procedures addressing particular controls. [29] This comprehensive approach to safeguarding is consistent with widely accepted standards adopted by government and private sector standard-setting bodies and professional literature and generally leads to reasonable written policies and procedures. [30]

We recognize that many firms subject to the safeguard rule are small and simple organizations, with few employees and only one office. Nonetheless, we believe these firms would benefit from recording their policies and procedures in writing as a reference for employees. In every case, the written policies and procedures should be reasonably designed, within the circumstances of each particular institution, to achieve the goals set forth in the rule. We ask for comment on our proposal to require that policies and procedures under the safeguard rule must be written.

When we adopted the safeguard rule, we believed that brokers, dealers, investment companies, and registered investment advisers should have the flexibility to tailor their policies and procedures to their own organization's specific circumstances. Thus, our proposal noted that:

We have not prescribed specific policies or procedures that financial institutions must adopt. Rather, we believe it more appropriate for each institution to tailor its policies and procedures to its own systems of information gathering and transfer and the needs of its customers. [31]

We continue to believe that this approach is appropriate. Therefore, we are not proposing specific policies and procedures that all firms subject to the rule must implement. Nevertheless, we seek comment on ways to maintain a flexible approach, while establishing certain elements in the rule that a firm must include in its policies and procedures. For example, the FTC's Safeguard Rule, which applies to a diverse range of financial institutions, requires that financial institutions subject to the rule adopt a written information security program “appropriate to [the institution's] size and complexity, the nature and scope of [its] activities, and the sensitivity of any customer information at issue.” [32] The rule specifies certain elements each program must have, such as identifying certain reasonably foreseeable internal and external risks to the security of customer information, while allowing the institution to determine the particular risks likely to threaten its operations. We seek comment on whether the Commission should propose to amend its safeguard rule in a similar way. Delineating elements would establish more specific standards for safeguarding customer information consistent with the goals of the GLBA. Would it assist financial institutions in developing or reviewing appropriate policies and procedures to safeguard customer information? Would requiring certain elements similar to those established in the FTC Safeguarding Rule preserve flexibility for financial institutions adopting safeguard rules? If the Commission proposed elements, should those elements be limited to those listed in the FTC's Safeguard Rule? Are there other elements that the safeguard rule should include, such as an information security governance framework, including approval and oversight of the safeguard policies and procedures by the institution's board of directors?

III. General Request for Comment Back to Top

We request comment on all of the provisions of the proposed disposal rule described above and on the proposed amendments to the safeguard rule and to the scope provisions of Regulation S-P. We seek suggestions for additional provisions or changes, and comments on other matters that might have an effect on the proposed disposal rule and proposed amendments. We encourage commenters to provide data to support their views.

IV. Cost-Benefit Analysis Back to Top

The Commission is sensitive to the costs and benefits imposed by its rules. As discussed above, the proposed amendments to Regulation S-P would: (i) Implement section 216 of the FACT Act by requiring covered entities that maintain or possess consumer report information derived from a consumer report for a business purpose to properly dispose of the information; and (ii) require that an institution's safeguarding policies and procedures be in writing.

A. Benefits

The purpose of section 216 of the FACT Act is to prevent unauthorized disclosure of information contained in a consumer report and to reduce the risk of fraud or related crimes, including identity theft. [33] One recent report estimated that, with respect to identity theft alone, 27.3 million Americans had been victimized during a five-year period. [34] In a single year, identity theft losses to businesses and financial institutions totaled $47.6 billion, and consumer victims reported $5 billion in out-of-pocket expenses. [35] The proposed rule would address this problem by requiring that all of the approximately 6,768 broker-dealers, 5,182 investment companies, 7,977 registered investment advisers, and 814 registered transfer agents [36] that could be subject to the rule take reasonable measures to protect against unauthorized access to consumer report information during its disposal. This should benefit covered entities that do not currently have adequate methods for disposing of consumer report information and benefit their consumers by reducing the incidence of identity theft losses.

With respect to the safeguarding amendment, as noted above, we believe it is very unlikely that a firm of any size and complexity could adequately safeguard customer information and records without written policies and procedures. At a minimum, we believe the proposed amendment would benefit firms because written policies and procedures will (i) eliminate uncertainty as to what actions an employee must take to protect customer records and information, and (ii) promote more systematic and organized reviews of safeguard policies and procedures by firms. Some firms and their customers may benefit further from the proposal if the firm develops more comprehensive and effective policies as it translates informal, unwritten policies into writing.

As noted above, it is extremely difficult to test the adequacy of unwritten policies and to ensure that they are in compliance with the requirements in the safeguarding rule. Requiring that a firm's policies and procedures be in writing should benefit investors by enhancing the ability of our examiners to conduct compliance oversight.

B. Costs

We believe that both the proposed disposal rule and the safeguarding rule amendment will impose minimal costs on firms. The proposed disposal rule does not establish any specific requirements for the disposal of consumer report information. In cases in which a firm is already providing adequate protections for consumer report information in conjunction with the existing requirement to protect consumer records and information, no additional actions would have to be taken by the firm. In other cases, a firm, depending on its particular circumstances, may have to provide employee training, or establish clear procedures for consumer report information disposal. Costs to firms that are not already in compliance will vary depending on the size of the firm, the adequacy of its existing disposal policy, and the nature of the firm's operation. As noted above, the flexible standard in the proposed disposal rule is specifically designed to minimize the burden of compliance for smaller entities. The emphasis on performance rather than design standards in the proposed rule takes account of the small entity's size, operations, and sophistication, as well as the costs and benefits of alternative disposal methods. In addition, the “reasonable measures” standard in the proposed rule is consistent with the current safeguard rule. Therefore, it should be relatively easy for a firm that does not currently have policies and procedures that could apply to consumer report information to address the disposal of that information by adopting it as one part of its overall safeguarding policies and procedures.

Similarly, we expect any costs associated with the proposed safeguarding rule amendment to be minimal. Firms have been required to have reasonable polices and procedures in place since 2001. As part of this requirement and as a good business practice, we believe that most firms have already established their policies in writing. For the minority of firms that have clear but unwritten policies, the sole cost would involve transcribing what is understood and accepted practice. If a firm has not given significant thought to the safeguarding of customer records and information, the firm may incur additional costs if it develops more comprehensive and effective policies in the course of documentation.

C. Request for Comment

We request comment on the potential costs and benefits identified in the proposal and any other costs and benefits that may result from the proposed disposal rule and safeguard rule amendment. In particular, we invite comment on the costs and benefits of the proposed standards in the disposal rule and the costs and benefits of any alternative standards. For purposes of the Small Business Regulatory Enforcement Fairness Act of 1996, the Commission also requests information regarding the impact of the proposed rule on the economy on an annual basis. Commenters are requested to provide data to support their views.

V. Paperwork Reduction Act Back to Top

In accordance with the Paperwork Reduction Act of 1995 (“PRA”), [37] the Commission has reviewed the proposed amendments. The proposed disposal rule explicitly provides that it is not intended “(1) to require a person to maintain or destroy any record pertaining to a consumer that is not imposed under other law; or (2) to alter or affect any requirement imposed under any other provision of law to maintain or destroy such a record.” As such, the proposed disposal rule would not impose any recordkeeping requirement or otherwise constitute a “collection of information” as it is defined in the regulations implementing the PRA. [38]

Certain provisions of the proposed amendment to the safeguard rule may constitute a “collection of information” within the meaning of the Paperwork Reduction Act of 1995, 44 U.S.C. 3501 et seq. The Commission has submitted the proposed collection of information to the Office of Management and Budget (“OMB”) for review in accordance with 44 U.S.C. 3507(d) and 5 CFR 1320.11. The title for the collection of information is “Procedures to safeguard customer records and information; disposal of consumer report information.” An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number.

Summary of Collection of Information

Brokers, dealers, investment companies, and registered investment advisers are required to adopt policies and procedures to safeguard customer information. The proposed amendment to the safeguard rule would require each of these institutions to document those policies and procedures in writing.

Proposed Use of Information

The proposed amendment to the safeguard rule is intended to ensure reasonable protection for customer records and information, and to permit Commission staff to identify and test effectively for compliance with the rule. In addition, we believe the requirement to document policies and procedures in writing will (i) eliminate uncertainty as to what actions an employee must take to protect customer records and information, and (ii) promote more systematic and organized reviews of safeguard policies and procedures by firms.

Respondents

According to Commission filings, there are approximately 6,768 broker-dealers, 5,182 investment companies, and 7,977 registered investment advisers. Although each of these entities must comply with the safeguard rule, we believe that institutions with one or more financial affiliates (whether they are institutions regulated by the Commission or by other Federal financial regulators) are likely to have developed safeguard policies and procedures on an organization-wide basis, rather than each affiliate having developed policies and procedures on its own.

Based on a review of forms filed with the Commission, we estimate that approximately 70 percent of institutions subject to the safeguard rule, or 13,949 institutions, have a corporate affiliate. [39] We assume that affiliated institutions have developed policies and procedures on an organization-wide basis. For purposes of the PRA, we assume that each of the affiliated institutions has one corporate affiliate. We therefore estimate that only half of affiliated institutions, or 6,974 institutions, have developed policies and procedures, while the other half (6,974 institutions) have not developed their own policies and procedures, but instead use the policies and procedures developed and documented by their affiliate. Thus, we estimate that a total of 12,953 institutions would develop and document safeguard policies and procedures. [40]

We also believe that most institutions we regulate would adopt safeguard policies and procedures and document those policies and procedures as a matter of good business practice, regardless of the Commission's safeguard rule. We expect these institutions have a strong interest apart from our rule in preventing security threats, such as identity theft or threats to the computer system that would allow unauthorized persons to obtain information about the firms' customers and their business. For purposes of the PRA, we estimate that 10 percent of these institutions have not already documented their policies and procedures. Thus, we estimate that, if the proposed rule amendment is adopted, 1,295 institutions would have to document policies and procedures in response to the proposed rule in the first year after adoption.

In addition to existing registrants, we estimate that, on average, approximately 1,475 new broker-dealers, investment companies and registered investment advisers register with the Commission each year. [41] As with existing registrants, we estimate that 70 percent of these registrants, or 1,033 entities are affiliated with another financial institution that has adopted safeguard policies and procedures. We assume that all new registrants affiliated with another financial institution would adopt the same policies, procedures and documentation already established by the affiliated institution. Of the remaining 30 percent of new registrants, or 442 institutions, we assume that 90 percent would develop and document their safeguard policies and procedures as a matter of good business practice. Accordingly, we expect that after the first year the rule is in effect, the annual number of respondents would be 44. [42]

Total Annual Reporting and Recordkeeping Burdens

As noted above, we expect that the policies and procedures adopted by the responding institutions will vary considerably depending on the size of the institution, the way in which it collects information, the number and types of entities to which it transfers information, and the ways in which it stores, transfers, and disposes of customer information. Thus, for example, a small registered investment adviser with fewer than 10 employees may require a limited number of policies and procedures to address a limited scope of information transfer, storage and disposal. A large broker-dealer or fund complex with many affiliated entities, on the other hand, is more likely to have developed extensive policies and procedures on an organization-wide basis that address many different levels of control. The documentation of these policies and procedures will vary widely in length and complexity of the documentation and will correspond to the range and complexity of the institution's policies and procedures.

Of the institutions registered with the Commission, we estimate that 5,424 investment advisers have 10 or fewer employees. [43] We estimate that 1,041 broker-dealers and investment companies are small entities, and are likely to have no more than 10 employees. [44] Consistent with our estimate above, we assume that 50 percent of these smaller institutions with an affiliate, and 30 percent of these smaller institutions that are not affiliated with another financial institution (4,202 institutions) would adopt and document their own policies and procedures. [45] Of that 30 percent, we assume that only 10 percent, or 420 small entities, would not already have documented policies and procedures as a good business practice. For purposes of the PRA, we estimate that the amount of time a smaller entity would take to document the safeguard policies and procedures they have adopted would range from 6 hours to 24 hours with an average of 15 hours. Accordingly, we estimate a one-time hour burden for these smaller entities of 6,300 hours.

Other institutions, such as large fund complexes or clearing broker-dealers, may require more time to document extensive policies and procedures that apply to all the institutions in the complex. We assume that 10 percent of these, or 875 institutions would not already have written policies and procedures in compliance with the proposed rule. [46] For purposes of the PRA, we estimate that the amount of time these institutions would take to document their safeguard rules would range from 30 hours to 1,400 hours with an average of 715 hours. Thus, we estimate a total one-time burden for these institutions of 625,625 hours. [47] Combined with the burden for smaller institutions, we estimate a total annual one-time burden of 631,925 hours. [48] Amortized over three years, we estimate an annual burden of 210,642 hours.

In addition to existing registrants, as noted above, we estimate that 44 new registrants would not have already documented their safeguard policies and procedures as a matter of good business practice. Of these, we estimate that 14 will be smaller institutions. [49] Thus, we estimate that the annual burden for new small entities would be 210 hours. [50] We estimate that the annual burden for other new institutions would be 715 hours, with a total annual burden for all new registrants of 21,660 hours. [51]

Going forward, we estimate that 10 percent of the 19,927 registered institutions will review and update their policies and procedures each year. For purposes of the PRA, we estimate that 638 of these will be smaller institutions that would take between 2 and 10 hours, with an average of 6 hours each, to review and update their safeguard policies and procedures. Thus, we estimate an annual burden for these smaller institutions of 3,828 hours. [52] For purposes of the PRA, we estimate that 1,355 larger institutions will take between 10 and 50 hours, with an average of 30 hours each, to review and update their safeguard policies and procedures. We estimate an annual burden for the larger institutions of 40,650 hours, and combined with smaller institutions, an annual burden of 44,478 hours. [53] Thus, we estimate the total annual burden to be 276,780 hours. [54]

Retention Period for Recordkeeping Requirements

The proposed rules do not contain express provisions governing the retention of records related to the policies and procedures. Nevertheless, an institution subject to the safeguard rule is likely to retain the documentation in order to assist in informing and training employees, in reviewing the policies for their effectiveness, and to demonstrate compliance with the rule to the Commission's inspections staff. These records would not have to be retained for any particular period, but are likely to be retained as long as the institution maintains policies and procedures.

Collection of Information is Mandatory

Broker-dealers, investment companies and registered investment advisers all are required to comply with the safeguard rule and would be required to comply with the proposed amendment.

Responses to Collection of Information Will Not Be Kept Confidential

Under the proposal, the written safeguard policies and procedures would not be filed with or otherwise submitted to the Commission. Accordingly, we make no assurance of confidentiality with respect to the collections of information.

Request for Comment

Pursuant to 44 U.S.C. 3506(c)(2)(B), the Commission solicits comment to:

(i) Evaluate whether the proposed collection of information is necessary for the proper performance of the functions of the Commission, including whether the information will have practical utility;

(ii) Evaluate the accuracy of the Commission's estimate of the burden of the proposed collection of information;

(iii) Determine whether there are ways to enhance the quality, utility, and clarity of the information to be collected; and

(iv) Determine whether there are ways to minimize the burden of the collection of information on those who are to respond, including through the use of automated collection techniques or other forms of information technology.

Persons wishing to submit comments on the collection of information requirements should direct them to the following persons: (i) Desk Officer for the Securities and Exchange Commission, Office of Information and Regulatory Affairs, Office of Management and Budget, Room 3208, New Executive Office Building, Washington, DC 20503; and (ii) Jonathan G. Katz, Secretary, Securities and Exchange Commission, 450 Fifth Street, NW., Washington, DC 20549. Any comments should make reference to File Number S7-33-04. OMB is required to make a decision concerning the collection of information between 30 and 60 days after publication, so a comment to OMB is best assured of having its full effect if OMB receives it within 30 days after publication. Requests for materials submitted to OMB by the Commission with regard to this collection of information should be made in writing, should refer to File Number S7_04, and should be submitted to the Securities and Exchange Commission, Records Management, Office of Filings and Information Services, 450 Fifth Street, NW., Washington, DC 20549.

VI. Initial Regulatory Flexiblity Analysis Back to Top

This Initial Regulatory Flexibility Analysis (“IRFA”) has been prepared in accordance with 5 U.S.C. 603. It relates to the proposed disposal rule, which requires that reasonable measures be taken to protect against unauthorized access to consumer report information during its disposal. It also relates to the proposed amendment to the safeguard rule that would require financial institutions to document policies and procedures to safeguard customer information in writing.

A. Reasons for the Proposed Rule

Section 216 of the FACT Act requires the Commission to issue regulations regarding the proper disposal of consumer report information in order to prevent sensitive financial and personal information from falling into the hands of identity thieves or others who might use the information to victimize consumers. The requirements of the proposed rule are intended to fulfill the obligations imposed by section 216.

As discussed above, the proposed amendment to the safeguard rule would require entities subject to the safeguard rule to document their policies and procedures in writing. The proposed amendment is intended to ensure reasonable protection for customer records and information, and to permit compliance oversight by our examiners.

B. Statement of Objectives and Legal Basis

The objectives of the proposed disposal rule and the proposed amendment to the safeguard rule are discussed above. The legal basis for the proposed disposal rule is section 216 of the FACT Act. The legal basis for the proposed amendment to the safeguard rule is section 501(b) of the GLBA, sections 17 and 23 of the Exchange Act, sections 31 and 38 of the Investment Company Act, and sections 204 and 211 of the Investment Advisers Act.

C. Description of Small Entities to Which the Proposed Rule Will Apply

The proposed disposal rule, which tracks the language of section 216 of the FACT Act, would apply to brokers and dealers (other than notice-registered broker-dealers), investment companies, registered investment advisers, and registered transfer agents that maintain or otherwise possess consumer information, or any compilation of consumer information, for a business purpose. [55] Institutions covered by the proposed amendment to the safeguard rule would include brokers and dealers (other than notice-registered broker-dealers), investment companies, and registered investment advisers. Of the entities registered with the Commission, 808 broker-dealers, 233 investment companies, 592 registered investment advisers, and 170 registered transfer agents are considered small entities. [56]

We invite comment from small entities that would be subject to the proposed disposal rule and amendment to the safeguard rule. We invite comment generally regarding information that would help us to quantify the number of small entities that may be affected by the proposal.

D. Projected Reporting, Recordkeeping and Other Compliance Requirements

The proposed disposal rule would not impose any reporting or any specific recordkeeping requirements within the meaning of the Paperwork Reduction Act, discussed above. The proposed disposal rule would require covered entities, when disposing of consumer report information, to take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal. What is considered “reasonable” will vary according to an entity's size and the complexity of its operations, the costs and benefits of available disposal methods, and the sensitivity of the information involved. This flexibility is intended to reduce the burden that might otherwise be imposed on small entities by a more rigid, prescriptive rule. The Commission is concerned about the potential impact of the proposed rule on small entities, and invites comment on the costs of compliance for such parties.

With respect to the proposed amendment to the safeguard rule, we note that firms are already required to have policies and procedures that address the safeguarding of customer information and records. As noted above, this requirement provides a flexible standard that allows each firm to tailor these policies and procedures to the firm's particular systems, methods of information gathering, and customer needs. We assume that most institutions have already documented these policies and procedures, but the proposed amendment would require all entities to put their policies and procedures in writing. Nevertheless, the amount of time it will take entities that do not have written policies and procedures will vary based upon the extent and complexity of the policies and procedures the entity has adopted. Accordingly, a small entity with complex and very detailed policies and procedures would likely take more time to document those policies and procedures than would a small entity with relatively simple undocumented policies and procedures.

E. Identification of Other Duplicative, Overlapping, or Conflicting Federal Rules

We have not identified any other federal statutes, rules, or policies that would conflict with the proposed disposal rule's requirement (i) that covered persons take reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal or (ii) that safeguarding policies and procedures must be in writing. However, we request comment on the extent to which other federal standards involving privacy or security of information may duplicate, satisfy, or inform the proposal's requirements. We also seek comment and information about any statutes or rules that may conflict with the proposed disposal rule requirements, as well as any other state, local, or industry rules or policies that require covered entities to implement practices that comport with the requirements of the proposed rule.

F. Discussion of Significant Alternatives

The Regulatory Flexibility Act directs the Commission to consider significant alternatives that would accomplish the stated objectives while minimizing any significant adverse impact on small businesses. In connection with the proposal, the Commission considered the following alternatives: (i) The establishment of differing compliance or reporting requirements or timetables that take into account the resources available to small entities; (ii) the clarification, consolidation, or simplification of compliance and reporting requirements under the proposed rules for small entities; (iii) the use of performance rather than design standards; and (iv) an exemption from coverage of the proposed rules, or any part thereof, for small entities.

With respect to the proposed disposal rule, the Commission does not presently believe that an exemption from coverage or special compliance or reporting requirements for small entities would be consistent with the mandates of the FACT Act. In addition, the Commission does not presently believe that clarification, consolidation, or simplification of the proposed amendment for small entities is feasible or necessary. Section 216 of the FACT Act addresses the protection of consumer privacy, and consumer privacy concerns do not depend on the size of the entity involved. However, we have endeavored throughout the proposed disposal rule to minimize the regulatory burden on all covered entities, including small entities, while meeting the statutory requirements. Small entities should benefit from the flexible standards in the proposed disposal rule. In addition, existing emphasis on performance rather than design standards in the proposed rule take account of the covered entity's size and sophistication, as well as the costs and benefits of alternative disposal methods. The Commission welcomes comment on any alternative system that would be consistent with the FACT Act but would minimize the impact on small entities. Comments should describe the nature of any impact on small entities and provide empirical data.

With respect to the proposed amendment to the safeguard rule, we do not presently believe that an exemption from coverage or special reporting or compliance requirements for small entities is feasible or necessary. The requirement that covered entities document their safeguard policies and procedures in writing is necessary to promote systematic and organized reviews of these policies and procedures by the entity, as well as to allow Commission staff to identify and test effectively for compliance with the safeguard rule.

Similarly, the Commission does not presently believe that clarification, consolidation, or simplification of the proposed amendment for small entities is feasible or necessary. The proposed requirement that the safeguard policies and procedures be in writing, as discussed above, is essential to allowing both the entity and Commission staff to review the entity's policies and procedures.

The safeguard rule embodies performance rather than design standards. It affords each firm the flexibility to adopt and implement policies and procedures that are appropriate in light of the institution's size and the complexity of its operations. The documentation of the policies and procedures would reflect these performance standards. Accordingly, the writing required under the proposed amendment would only be as technical or complex as the policies and procedures required to be documented.

We encourage written comments on matters discussed in the IRFA. In particular, the Commission seeks comment on: (i) The number of small entities that would be affected by the proposed rule; and (ii) the impact of the proposed rule on small entities. Commentators are asked to describe the nature of any impact and provide empirical data supporting the extent of the impact.

VII. Analysis of Effects on Efficiency, Competition and Capital Formation Back to Top

Section 3(f) of the Exchange Act and section 2(c) of the Investment Company Act require the Commission, whenever it engages in rulemaking and must consider or determine if an action is necessary or appropriate in the public interest, to consider, in addition to the protection of investors, whether the action would promote efficiency, competition, and capital formation. Moreover, section 23(a)(2) of the Exchange Act requires the Commission, when proposing rules under the Exchange Act, to consider the impact the proposed rules may have upon competition. Section 23(a)(2) of the Exchange Act prohibits the Commission from adopting any rule that would impose a burden on competition that is not necessary or appropriate in furtherance of the purposes of the Exchange Act.

We do not believe that the proposed disposal rule will have an anti-competitive impact. The proposed disposal rule applies to all brokers and dealers (other than notice-registered broker-dealers), investment companies, registered investment advisers, and registered transfer agents. Each of these institutions must take reasonable measures to properly dispose of consumer report information.

Other financial institutions will be subject to substantially similar disposal requirements under rules proposed by the Agencies. Under the FACT Act, the Agencies and the Commission have worked in consultation and coordination with one another to ensure the consistency and comparability of the proposed regulations. Therefore, all financial institutions would have to bear the costs of implementing the rules or substantially similar rules. Although these costs would vary among entities subject to the proposed rule, we do not believe that the costs would be significantly greater for any particular entity or entities when calculated as a percentage of overall costs.

Furthermore, we believe the proposed disposal rule would have little effect on efficiency and capital formation. The proposed rule will result in some additional costs for some entities, particularly those entities that do not currently take reasonable measures to properly dispose of consumer report information. However, we believe the additional costs are small enough that they would not affect the efficiency of these entities.

With respect to the proposed amendment to the safeguard rule, we do not believe the proposed amendment will have an anti-competitive impact. As noted above, we believe that most brokers, dealers, investment companies, and registered investment advisers already have written safeguard policies and procedures. To the extent some do not, those firms would have to conform to standards that many firms have met voluntarily. This proposed amendment also would be consistent with the requirement under the Interagency Guidelines and the FTC's Safeguard Rule that financial institutions they regulate must document their policies and procedures in writing. [57] Firms that do not have currently written policies and procedures would incur costs of documentation already borne by firms that have written policies and procedures. Although these costs would vary among institutions subject to the proposed amendment, we do not believe that the costs would be significantly greater for any particular firm or firms when calculated as a percentage of overall costs.

Furthermore, we believe the proposed amendment would have little effect on efficiency and capital formation. We expect the proposal will increase efficiency among those firms that do not currently have written policies and procedures because it should promote more systematic and organized reviews of these policies and procedures. The proposed amendment will result in some additional costs for firms that do not currently have written policies and procedures. However, we believe the additional costs are small enough that they would not affect the efficiency of these firms.

The Commission seeks comment regarding the impact of the proposed rules on efficiency, competition, and capital formation. For purposes of the Small Business Regulatory Enforcement Fairness Act of 1996, the Commission also requests information regarding the potential effect of the proposed rules on the U.S. economy on an annual basis. Commentators are requested to provide empirical data to support their views.

VIII. Statutory Authority Back to Top

The Commission is proposing amendments to Regulation S-P pursuant to the authority set forth in section 501(b) of the GLBA [15 U.S.C. 6801(b)], section 216 of the FACT Act [15 U.S.C. 1681w], sections 17 and 23 of the Exchange Act [15 U.S.C. 78q and 78w], sections 31(a) and 38 of the Investment Company Act [15 U.S.C. 80a-30(a) and 80a-37], and sections 204 and 211 of the Investment Advisers Act [15 U.S.C. 80b-4 and 80b-11].

List of Subjects in 17 CFR Part 248 Back to Top

Text of Proposed Rules Back to Top

For the reasons set out in the preamble, title 17, chapter II of the Code of Federal Regulations is proposed to be amended as follows:

begin regulatory text

PART 248—REGULATION S-P: PRIVACY OF CONSUMER FINANCIAL INFORMATION Back to Top

1. The authority citation for part 248 is revised to read as follows:

Authority:

15 U.S.C. 6801-6809; 15 U.S.C.1681w; 15 U.S.C. 78q, 78w, 78mm, 80a-30(a), 80a-37, 80b-4, and 80b-11.

§ 248.1 [Amended]

2. Section 248.1, the first sentence of paragraph (b) is amended by revising the phrase “This part” to read “Except with respect to § 248.30(b), this part”.

§ 248.2 [Amended]

3. Section 248.2, paragraph (b) is amended by revising the phrase “Any futures commission merchant” to read “Except with respect to § 248.30(b), any futures commission merchant”.

4. Section 248.30 is amended as follows:

a. Revise the section heading;

b. Introductory text, paragraphs (a), (b), and (c) are redesignated as paragraphs (a) introductory text, (a)(1), (a)(2), and (a)(3) respectively;

c. In the newly redesignated introductory text of paragraph (a), add the word “written” before the phrase “policies and procedures” in the first and second sentences; and

d. Add paragraph (b).

The revision and addition read as follows:

§ 248.30 Procedures to safeguard customer records and information; disposal of consumer report information.

* * * * *

(b) Disposal of consumer report information and records—(1) Definitions—(i) Consumer report has the same meaning as in section 603(d) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)).

(ii) Consumer report information means any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report.

(iii) Disposal means:

(A) The discarding or abandonment of consumer report information; and

(B) The sale, donation, or transfer of any medium, including computer equipment, on which consumer report information is stored.

(iv) Notice-registered broker-dealers means a broker or dealer registered by notice with the Commission under section 15(b)(11) of the Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)).

(v) Transfer agent has the same meaning as in section 3(a)(25) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(25)).

(2) Proper disposal requirements—(i) Standard. Every broker and dealer other than notice-registered broker-dealers, every investment company, and every investment adviser and transfer agent registered with the Commission, that maintains or otherwise possesses consumer report information or any compilation of consumer report information for a business purpose must properly dispose of the information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

(ii) Relation to other laws. Nothing in this section shall be construed:

(A) To require any broker, dealer, or investment company, or any investment adviser or transfer agent registered with the Commission to maintain or destroy any record pertaining to an individual that is not imposed under other law; or

(B) To alter or affect any requirement imposed under any provision of law to maintain or destroy any of those records.

By the Commission.

Dated: September 14, 2004.

Margaret H. McFarland,

Deputy Secretary.

end regulatory text

[FR Doc. 04-21031 Filed 9-17-04; 8:45 am]

BILLING CODE 8010-01-P

Footnotes Back to Top

1. 15 U.S.C. 1681. The FACT Act was signed into law on December 4, 2003. Pub. L. No. 108-159, 117 Stat. 1952 (2003). Section 628 is codified at 15 U.S.C. 1681w.

Back to Context

2. See 108 Cong. Rec. S13,889 (Nov. 4, 2003) (statement of Sen. Nelson).

Back to Context

3. The regulations must be issued in final form by December 4, 2004.

Back to Context

4. The Banking Agencies have proposed to implement section 216 of the FACT Act by amending their existing guidelines on safeguarding customer information. See Proper Disposal of Consumer Information Under the Fair and Accurate Credit Transactions Act of 2003, 69 FR 31913 (June 8, 2004). The National Credit Union Administration has published a similar proposal. See Fair Credit Reporting—Proper Disposal of Consumer Information Under the Fair and Accurate Credit Transactions Act of 2003, 69 FR 30601 (May 28, 2004). The FTC has proposed a separate rule to implement section 216 of the Act. See Disposal of Consumer Report Information and Records, 69 FR 21388 (April 20, 2004) (“FTC Proposal”).

Back to Context

6. See text accompanying and following note 21 infra.

Back to Context

7. See proposed rule 248.30(a).

Back to Context

9. The FCRA defines “consumer report” to mean “* * *any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living which is used or expected to be used or collected in whole or in part for the purpose of serving as a factor in establishing the consumer's eligibility for (A) credit or insurance to be used primarily for personal, family, or household purposes; (B) employment purposes; or (C) any other purpose authorized under section 604” of the FCRA. See 15 U.S.C. 1681a(d)(1). A “consumer reporting agency” is defined as “any person which, for monetary fees, dues, or on a cooperative nonprofit basis, regularly engages in whole or in part in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties, and which uses any means or facility of interstate commerce for the purpose of preparing or furnishing consumer reports.”See 15 U.S.C. 1681a(f). The statute also provides exclusions from the definition, which include: “any (i) report containing information solely as to transactions or experiences between the consumer and the person making the report; (ii) communication of that information among persons related by common ownership or affiliated by corporate control; or (iii) communication of other information among persons related by common ownership or affiliated by corporate control, if it is clearly and conspicuously disclosed to the consumer that the information may be communicated among such persons and the consumer is given the opportunity, before the time that the information is initially communicated, to direct that such information not be communicated among such persons* * *”See 15 U.S.C. 1681a(d)(2).

Back to Context

10. See 15 U.S.C. 1681a(c). The definition of “consumer” in the FCRA is broader than the meaning of “consumer” in section 248.3(g) of Regulation S-P and in the GLBA, which define the term as an individual who obtains, from a financial institution, financial products or services that are to be used primarily for personal, family or household purposes. See 17 CFR 248.3(g); 15 U.S.C. 6809(8). Thus, the proposed disposal rule would follow the FCRA in defining the phrase “consumer report information” to mean information about any individual derived from a consumer report. The term “consumer” for purposes of the remainder of Regulation S-P would continue to have the meaning set forth in section 248.3(g).

Back to Context

12. The ability of the entity to transfer information to a third party may, however, be limited by other laws, such as the GLBA and Regulation S-P.

Back to Context

15. FACT Act, § 216 (adding § 628(a)(1) to the FCRA).

Back to Context

16. Information that does not identify particular individuals would not be covered, even if the information were originally “derived from consumer reports,” because that information would no longer be “about a consumer” (i.e., an individual).

Back to Context

17. Among the entities that possess or maintain consumer report information for a business purpose are lenders, employers, and other users of consumer reports. These entities could include a broker-dealer that provides margin accounts or sells variable annuity products, or a covered entity that uses consumer reports for employment purposes. Consistent with the FTC's interpretation, the Commission views a “business purpose” as broader than a “permissible purpose” as defined in section 604 of the FCRA (see 15 U.S.C. 1681b) (outlining permissible uses of consumer reports). See FTC Proposal, supra note 4. Although “permissible purposes” are generally “business purposes,” there are a variety of business purposes for which persons maintain or possess “consumer report information” beyond those listed as “permissible” for users of consumer reports.

Back to Context

18. Section 628(a)(3) of the FCRA, as added to section 216 of the FACT Act, provides that, in issuing regualtions under the section, an agency “may exempt any persons or class of persons from application of those regulations as such agency deems appropriate to carry out the purpose of th[e] section.”

Back to Context

19. Proposed rule 248.30(b)(2)(i).

Back to Context

20. The safeguard rule applies to “customer records and information” and the proposed disposal rule applies to “consumer report information.”See 17 CFR 248.3(j) (defining “customer”); proposed rule 248.30(b)(1)(iii) (defining “consumer report information” for purposes of the proposed disposal requirements). These terms refer to two different (though overlapping) sets of information.

Back to Context

22. In this context, due diligence could include reviewing an independent audit of the disposal company's operations and/or its compliance with this rule, obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company's information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.

Back to Context

23. The FACT Act does not specifically identify which entities will be subject to the rules prescribed by the Commission. Section 216 of the FACT Act states that implementing regulations must be prescribed by the “Federal banking agencies, the National Credit Union Administration, and the [Federal Trade] Commission with respect to the entities that are subject to their respective enforcement authority under Section 621 of the Fair Credit Reporting Act and the Securities and Exchange Commission * * * ” Section 621 of the FCRA grants enforcement authority to the FTC for all persons subject to FCRA “except to the extent that enforcement * * * is specifically committed to some other government agency under subsection (b)” of section 621. 15 U.S.C. 1681s. The Commission is not one of the agencies included under subsection (b). 15 U.S.C. 1681s(b). The Commission was added to the list of federal agencies required to adopt implementing regulations under sections 214 and 216 of the FACT Act in conference committee. There is no legislative history on this issue. As discussed in our recent proposal for rules implementing section 214 of the FACT Act, Congress' inclusion of the Commission as one of the agencies required to adopt implementing regulations suggests that Congress intended that our rules apply to brokers, dealers, investment companies, registered investment advisers, and registered transfer agents. Consistent with that proposal, however, notice-registered broker-dealers would be excluded from the scope of the proposed disposal rule. See Securities Exchange Act Release No. 49985 (July 8, 2004) [69 FR 42302 (July 14, 2004) (“Proposed Regulation S-AM”)].

Back to Context

24. See proposed amended rule 248.1(b). The scope provision of Regulation S-P provides that it applies to “nonpublic personal information about individuals who obtain financial products or services primarily for personal, family, or household purposes.”See 17 CFR 248.1(b). As discussed above, the proposed disposal rule applies to a different, but overlapping set of information. See supra note 20.

Back to Context

25. See proposed amended rule 248.1(b). Regulation S-P currently allows notice-registered broker-dealers to comply with the financial privacy rules of the Commodity Futures Trading Commission (“CFTC”) as a substitute for compliance with Regulation S-P. See 17 CFR 248.2(b). This provision acknowledges that notice-registered broker-dealers are subject to primary oversight by the CFTC and are exempted from all but the core provisions of the laws administered by the Commission. This substituted compliance provision could not apply to the disposal rule, however, because Congress did not include the CFTC among the financial regulators required to adopt implementing regulations under section 216 of the FACT Act.

Back to Context

26. See 248.30(b)(2)(i). As discussed in our recent proposal for rules implementing section 214 of the FACT Act, we interpret Congress' exclusion of the CFTC from the list of financial regulators required to adopt implementing regulations under section 216 of the FACT Act to mean that Congress did not intend for the Commission's rules under the FACT Act to apply to entities subject to primary oversight by the CFTC. See Proposed Regulation S-AM, supra note 22.

Back to Context

27. See 248.30(b)(2)(i). The GLBA did not grant authority to the Commission to promulgate privacy rules in Regulation S-P with respect to transfer agents. Accordingly, transfer agents fall within the residual jurisdiction of the FTC. See supra note 23.

Back to Context

28. See Federal Reserve System, Federal Deposit Insurance Corporation, Department of the Treasury Office of Thrift Supervision, and Department of Treasury Office of the Comptroller of the Currency, Interagency Guidelines Establishing Standards for Safeguarding Customer Information, 66 FR 8616 (Feb. 1, 2001) (“Interagency Guidelines”); Federal Trade Commission, Standards for Safeguarding Customer Information, 67 FR 36484 (May 23, 2002) (“FTC Safeguard Rule”).

Back to Context

29. At one level, the highest levels of management approve an organization-wide policy statement. At another level, more specific policies and procedures address separate areas of safeguarding risk. At a final level, detailed procedures set out the controls, management checks and balances, audit trail functions, and other actions needed to ensure that the firm's safeguarding program is reasonably effective and verifiable by senior management. These written policies and procedures also generally designate a specialized staff of information security professionals to manage the organization's day-to-day safeguarding operations, and an information security governance framework, to ensure that the information security policy is adequately supported throughout the enterprise. Finally, these written policies and procedures generally make provision for measures to verify the safeguarding program's effectiveness, including risk assessments; independent audits and penetration tests; and active monitoring, surveillance, and detection programs.

Back to Context

30. See, e.g., Generally Accepted Principles and Practices for Securing Information Technology Systems, National Institute of Standards and Technology (“NIST”) (September 1996), available at: http://csrc.nist.gov/publications/nistpubs/800-14/800-14.pdf; the Federal Information System Controls Audit Manual, known as “FISCAM,” GAO/AIMD-12.19.6 (January 1999), available at: http://www.gao.gov/special.pubs/ai12.19.6.pdf; BS ISO/IEC 17799, Code of Practice For Information Security Management (December 2000) (formerly British Standards Institution BS 7799), available at: http://www.standardsdirect.org/iso17799.htm; and Control Objectives for Information and Related Technology, known as “COBIT”, available at http://www.isaca.org. See also Interagency Guidelines; FTC Safeguard Rule, supra note 28.

Back to Context

31. Privacy of Consumer Financial Information (Regulation S-P), Securities Exchange Act Release No. 42484 (Mar. 2, 2000) [65 FR 12354 (Mar. 8, 2000)].

Back to Context

33. See supra note 2 and accompanying text.

Back to Context

34. See Federal Trade Commission—Identity Theft Survey Report (Sept. 2003), available at: http://www.ftc.gov/os/2003/09/synovatereport.pdf.

Back to Context

36. These figures are based on Commission filings.

Back to Context

39. This estimate is based on the following calculation: (6,768 + 5,182 + 7,977) × 0.7 = 13,948.9. The estimate that 70 percent of registrants have an affiliate is based upon statistics reported on Form ADV, the Universal Application for Investment Adviser Registration, which contains specific questions regarding affiliations between investment advisers and other persons in the financial industry. We estimate that other institutions subject to the safeguard rule would report a rate of affiliation similar to that reported by registered investment advisers.

Back to Context

40. This estimate is based on the following calculation: (13,949 × 0.5) + (19,927 × 0.3) = 12,952.6.

Back to Context

41. This estimate is based on annual filings with the Commission for the calendar years 2001, 2002, and 2003.

Back to Context

42. This estimate is based on the following calculation: 442 new registrants × 0.1 = 44.2.

Back to Context

43. See Investment Counsel Association of America, Evolution Revolution, A Profile of the Investment Advisory Profession (May 2004) (available at http://www.icaa.org/public/evolution_revolution-2004.pdf).

Back to Context

44. As noted below, 808 broker-dealers and 233 investment companies are considered small entities. See infra note and accompanying text.

Back to Context

45. This estimate is based on the following calculation: (6,465 × 0.7 × 0.5) + (6,465 × 0.3) = 4,202.25.

Back to Context

46. This estimate is based on the following calculation: 1,295 − 420 = 875.

Back to Context

47. This estimate is based on the following calculation: 875 × 715 = 625,625.

Back to Context

48. This estimate of hour burden for these institutions is based on the following calculation: 625,625 + 6,300 = 631,925.

Back to Context

49. We estimate that the percentage of new institutions registering that are smaller entities would be similar to the percent of currently registered institutions that are smaller institutions, as described above. See supra notes 43-44 and accompanying text. The calculations for this estimate are: 6,465/19,927 = 0.032; 44 × 0.32 = 14.08.

Back to Context

50. This estimate is based on the following calculation: 14 × 15 = 210.

Back to Context

51. This estimate is based on the following calculation: (30 × 715) + 210 = 21,660.

Back to Context

52. These estimates are based on the following calculations: 6,465/19,927 = 0.32; 1,993 × 0.32 = 637.7; 638 × 6 = 3,828.

Back to Context

53. These estimates are based on the following calculations: 1,993 − 638 = 1,355; 1,355 × 30 = 40,650.

Back to Context

54. This estimate is based on the following calculation: 210,642 + 21,660 + 44,478 = 276,780.

Back to Context

55. Proposed rule 248.30(b)(2)(i).

Back to Context

56. For purposes of the Regulatory Flexibility Act, under the Exchange Act a small entity is a broker or dealer that had total capital of less than $500,000 on the date of its prior fiscal year and is not affiliated with any person that is not a small entity. 17 CFR 270.0-10. Under the Investment Company Act a “small entity” is an investment company that, together with other investment companies in the same group of related investment companies, has net assets of $50 million or less as of the end of its most recent fiscal year. 17 CFR 270.0-10. Under the Investment Advisers Act, a small entity is an investment adviser that “(i) manages less than $25 million in assets, (ii) has total assets of less than $5 million on the last day of its most recent fiscal year, and (iii) does not control, is not controlled by, and is not under common control with another investment adviser that manages $25 million or more in assets, or any person that had total assets of $5 million or more on the last day of the most recent fiscal year.” 17 CFR 275.0-7. A small entity in the transfer agent context is defined to be any transfer agent that (i) received less than 500 items for transfer and less than 500 items for processing during the preceding six months; (ii) transferred only items of issuers that would be deemed “small businesses” or “small organizations” under rule 0-10 under the Exchange Act; (iii) maintained master shareholder files that in the aggregate contained less than 1,000 shareholder accounts at all times during the preceding fiscal year; and (iv) is not affiliated with any person (other than a natural person) that is not a small business or small organization under rule 0-10. 17 CFR 240.0-10.

Back to Context

57. See supra note 28.

Back to Context
Site Feedback