Submission for OMB Review; Comment Request

Upon Written Request, Copies Available From: Securities and Exchange Commission, Office of FOIA Services, 100 F Street NE., Washington, DC 20549-2736.

Extension:

Regulation S-ID, SEC File No. 270-644, OMB Control No. 3235-0692.

Notice is hereby given that, pursuant to the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.), the Securities and Exchange Commission (the “Commission”) has submitted to the Office of Management and Budget a request for extension of the previously approved collection of information discussed below.

Regulation S-ID (17 CFR 248), including the information collection requirements thereunder, is designed to better protect investors from the risks of identity theft. Under Regulation S-ID, SEC-regulated entities are required to develop and implement reasonable policies and procedures to identify, detect, and respond to relevant red flags (the “Identity Theft Red Flags Rules”) and, in the case of entities that issue credit or debit cards, to assess the validity of, and communicate with cardholders regarding, address changes. Section 248.201 of Regulation S-ID includes the following information collection requirements for each SEC-regulated entity that qualifies as a “financial institution” or “creditor” under Regulation S-ID and that offers or maintains covered accounts: (i) Creation and periodic updating of an identity theft prevention program (“Program”) that is approved by the board of directors, an appropriate committee thereof, or a designated senior management employee; (ii) periodic staff reporting to the board of directors on compliance with the Identity Theft Red Flags Rules and related guidelines; and (iii) training of staff to implement the Program. Section 248.202 of Regulation S-ID includes the following information collection requirements for each SEC-regulated entity that is a credit or debit card issuer: (i) Establishment of policies and procedures that assess the validity of a change of address notification if a request for an additional or replacement card on the account follows soon after the address change; and (ii) notification of a cardholder, before issuance of an additional or replacement card, at the previous address or through some other previously agreed-upon form of communication, or alternatively, assessment of the validity of the address change request through the entity's established policies and procedures.

SEC staff estimates of the hour burdens associated with section 248.201 under Regulation S-ID include the one-time burden of complying with this section for newly-formed SEC-regulated entities, as well as the ongoing costs of compliance for all SEC-regulated entities. With respect to the one-time burden hours, staff estimates that each newly-formed financial institution or creditor would incur a burden of 2 hours to conduct an initial assessment of covered accounts. Staff estimates that approximately 644 SEC-regulated financial institutions and creditors are newly formed each year, and the total estimated one-time burden to initially assess covered accounts is therefore 1,288 hours. Staff also estimates that each financial institution or creditor that maintains covered accounts would incur an additional initial burden of 29 hours to develop and obtain board approval of a Program and to train the staff of the financial institution or creditor. Staff estimates that approximately 580 SEC-regulated financial institutions and creditors that maintain covered accounts are newly formed each year, and thus the total estimated one-time burden to develop and obtain board approval of a Program and train staff is 16,820 hours. Thus, the total initial estimated burden for all newly-formed SEC-regulated entities is 18,108 hours (1,288 hours + 16,820 hours).

With respect to ongoing annual burden hours, SEC staff estimates that each financial institution or creditor would incur a burden of 1 hour to periodically assess whether it offers or maintains covered accounts. Staff estimates that there are approximately 9,960 SEC-regulated entities that are either financial institutions or creditors, and the total estimated annual burden to periodically assess covered accounts is therefore 9,960 hours. Staff also estimates that each financial institution or creditor that maintains covered accounts would incur an additional annual burden of 9.5 hours to prepare and present an annual report to the board and to periodically review and update the Program. Staff estimates that there are approximately 8,964 SEC-regulated entities that are financial institutions or creditors that offer or maintain covered accounts, and thus the total estimated additional annual burden for these entities is 85,158 hours. Thus, the total ongoing annual estimated burden for all SEC-regulated entities is 95,118 hours (9,960 hours + 85,158 hours).

The collections of information required by section 248.202 under Regulation S-ID will apply only to SEC-regulated entities that issue credit or debit cards. SEC staff understands that SEC-regulated entities generally do not issue credit or debit cards, but instead partner with other entities, such as banks, that issue cards on their behalf. These other entities, which are not regulated by the SEC, are already subject to substantially similar change of address obligations pursuant to other federal regulators' identity theft red flags rules. Therefore, staff does not expect that any SEC-regulated entities will be subject to the information collection requirements of section 248.202, and accordingly, staff estimates that there is no hour burden related to section 248.202 for SEC-regulated entities.

In total, SEC staff estimates that the aggregate annual information collection burden of Regulation S-ID is 113,226 hours (18,108 hours + 95,118 hours). This estimate of burden hours is made solely for the purposes of the Paperwork Reduction Act and is not derived from a quantitative, comprehensive, or even representative survey or study of the burdens associated with Commission rules and forms. Compliance with Regulation S-ID, including compliance with the information collection requirements thereunder, is mandatory for each SEC-regulated entity that qualifies as a “financial institution” or “creditor” under Regulation S-ID (as discussed above, certain collections of information under Regulation S-ID are mandatory only for financial institutions or creditors that offer or maintain covered accounts). Responses will not be kept confidential. An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid control number.

The public may view the background documentation for this information collection at the following Web site: www.reginfo.gov. Comments should be directed to: (i) Desk Officer for the Securities and Exchange Commission, Office of Information and Regulatory Affairs, Office of Management and Budget, Room 10102, New Executive Office Building, Washington, DC 20503, or by sending an email to: Shagufta_Ahmed@omb.eop.gov; and (ii) Pamela Dyson, Director/Chief Information Officer, Securities and Exchange Commission, c/o Remi Pavlik-Simon, 100 F Street NE., Washington, DC 20549 or send an email to: PRA_Mailbox@sec.gov. Comments must be submitted to OMB within 30 days of this notice.