Securities and Exchange Commission: Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information

B-336427 Jun 18, 2024
Highlights

GAO reviewed the Securities and Exchange Commission's (SEC) new rule entitled "Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information." GAO found that final rule (1) adopts amendments that will require brokers and dealers, investment companies, investment advisers registered with SEC, funding portals, and transfer agents registered with SEC or another appropriate regulatory agency to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately; and (2) extends the application of requirements to safeguard customer records and information to transfer agents, broadens the scope of information covered by the requirements for safeguarding customer records and information and for properly disposing of consumer report information, imposes requirements to maintain written records documenting compliance with the amended rules, and conforms annual privacy notice delivery provisions to the terms of an exception provided by a statutory amendment to the Gramm-Leach-Bliley Act.

Enclosed is our assessment of SEC's compliance with the procedural steps required by section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule. If you have any questions about this report or wish to contact GAO officials responsible for the evaluation work relating to the subject matter of the rule, please contact Charlie McKiver, Assistant General Counsel, at (202) 512-5992.

B-336427

June 18, 2024

The Honorable Sherrod Brown
Chairman
The Honorable Tim Scott
Ranking Member
Committee on Banking, Housing, and Urban Affairs
United States Senate

The Honorable Patrick McHenry
Chairman
The Honorable Maxine Waters
Ranking Member
Committee on Financial Services
House of Representatives

Subject: Securities and Exchange Commission: Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information

Pursuant to section 801(a)(2)(A) of title 5, United States Code, this is our report on a major rule promulgated by the Securities and Exchange Commission (SEC) entitled “Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information” (RIN: 3235-AN26). We received the rule on May 21, 2024. It was published in the Federal Register as a final rule on June 3, 2024. 89 Fed. Reg. 47688. The effective date of the rule is August 2, 2024.

This final rule adopts amendments that will require brokers and dealers, investment companies, investment advisers registered with SEC, funding portals, and transfer agents registered with SEC or another appropriate regulatory agency to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately. In addition, the rule extends the application of requirements to safeguard customer records and information to transfer agents, broadens the scope of information covered by the requirements for safeguarding customer records and information and for properly disposing of consumer report information, imposes requirements to maintain written records documenting compliance with the amended rules, and conforms annual privacy notice delivery provisions to the terms of an exception provided by a statutory amendment to the Gramm-Leach-Bliley Act.

Enclosed is our assessment of SEC’s compliance with the procedural steps required by section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule. If you have any questions about this report or wish to contact GAO officials responsible for the evaluation work relating to the subject matter of the rule, please contact Charlie McKiver, Assistant General Counsel, at (202) 512-5992.

Shirley A. Jones
Managing Associate General Counsel

Enclosure

cc: Vanessa A. Countryman
Secretary
Securities and Exchange Commission

ENCLOSURE

REPORT UNDER 5 U.S.C. § 801(a)(2)(A) ON A MAJOR RULE
ISSUED BY THE
SECURITIES AND EXCHANGE COMMISSION
ENTITLED
“REGULATION S-P: PRIVACY OF CONSUMER FINANCIAL INFORMATION
AND SAFEGUARDING CUSTOMER INFORMATION”
(RIN: 3235-AN26)

(i) Cost-benefit analysis

The Securities and Exchange Commission (SEC) conducted an economic analysis of this final rule. This analysis included addressing the likely economic effects of the rule, including the anticipated and estimated benefits and costs of the amendments and their likely effects on efficiency, competition, and capital formation. According to SEC, the main economic effects of the rule will result from the notification and incident response program requirements applicable to all covered institutions. SEC also noted that the main economic benefits of the final notification and incident response program requirements, as well as the extension of Regulation S-P to include all transfer agents, will result from enhanced protection of customer information. SEC stated that the main economic costs of the rule will be compliance costs, reputational costs borne by firms that would not otherwise have notified customers of a data breach, and other indirect costs. SEC also discussed the potential economic effects of certain alternatives to the approaches taken in the rule.

(ii) Agency actions relevant to the Regulatory Flexibility Act (RFA), 5 U.S.C. §§ 603–605, 607, and 609

SEC prepared a Final Regulatory Flexibility Analysis. The analysis included (1) a statement of the need for and objectives of this final rule, (2) a description of significant issues raised by public comments, (3) a description of small entities subject to the rule, (4) projected reporting, recordkeeping, and other compliance requirements, and (5) a description of agency action to minimize effects on small entities.

(iii) Agency actions relevant to sections 202–205 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. §§ 1532–1535

As an independent regulatory agency, SEC is not subject to the Act.

(iv) Agency actions relevant to the Administrative Pay-As-You-Go Act of 2023, Pub. L. No. 118-5, div. B, title III, 137 Stat. 31 (June 3, 2023)

Section 270 of the Administrative Pay-As-You-Go Act of 2023 amended 5 U.S.C. § 801(a)(2)(A) to require GAO to assess agency compliance with the Act, which establishes requirements for administrative actions that affect direct spending, in GAO’s major rule reports. In guidance to Executive Branch agencies, issued on September 1, 2023, the Office of Management and Budget (OMB) instructed that agencies should include a statement explaining that either: “the Act does not apply to this rule because it does not increase direct spending; the Act does not apply to this rule because it meets one of the Act’s exemptions (and specifying the relevant exemption); the OMB Director granted a waiver of the Act’s requirements pursuant to section 265(a)(1) or (2) of the Act; or the agency has submitted a notice or written opinion to the OMB Director as required by section 263(a) or (b) of the Act” in their submissions of rules to GAO under the Congressional Review Act. OMB, Memorandum for the Heads of Executive Departments and Agencies, Subject: Guidance for Implementation of the Administrative Pay-As-You-Go Act of 2023, M-23-21 (Sept. 1, 2023), at 11–12. OMB also states that directives in the memorandum that supplement the requirements in the Act do not apply to proposed rules that have already been submitted to the Office of Information and Regulatory Affairs; however, agencies must comply with any applicable requirements of the Act before finalizing such rules.

As an independent regulatory agency, SEC is not subject to the Act.

(v) Other relevant information or requirements under acts and executive orders

Administrative Procedure Act, 5 U.S.C. §§ 551 et seq.

On April 6, 2023, SEC published a proposed rule. 88 Fed. Reg. 20616. SEC noted that it received comment letters from a variety of commenters, including services firms and their service providers, law firms, investor advocacy groups, professional and trade associations, public policy research institutes, academics, and interested individuals. According to SEC, it has modified the rule from the proposed rule to address comments.

Paperwork Reduction Act (PRA), 44 U.S.C. §§ 3501–3520

SEC determined that this final rule contains information collection requirements (ICRs) under the Act. SEC noted that it is submitting the final ICRs to OMB for review. According to SEC, the amendments to the “safeguards rule” and the “disposal rule” contained within the rule will affect the currently approved ICR under OMB Control No. 3235-0610. SEC estimated a total internal burden of 1,229,871 hours annualized over a three-year period, with an estimated cost of $529,110,279. SEC also estimated a total annual external cost burden of $85,315,296.

Statutory authorization for the rule

SEC promulgated this final rule pursuant to sections 17, 17A, 23, and 36 of the Securities Exchange Act of 1934, sections 31 and 38 of the Investment Company Act of 1940, sections 204, 204A, and 211 of the Investment Advisers Act of 1940, section 628(a) of the Fair Credit Reporting Act, and sections 501, 504, 505, and 525 of the Gramm-Leach-Bliley Act. 15 U.S.C. §§ 78q, 78q-1, 78w, 78mm; 15 U.S.C. §§ 80a-30, 80a-37; 15 U.S.C. §§ 80b-4, 80b-4a, 80b-11; 15 U.S.C. § 1681w(a); 15 U.S.C. §§ 6801, 6804, 6805, 6825.

Executive Order No. 12866 (Regulatory Planning and Review)

As an independent regulatory agency, SEC is not subject to the Order.

Executive Order No. 13132 (Federalism)

As an independent regulatory agency, SEC is not subject to the Order.