Subject: s7-02-23: WebForm Comments from Employee
From: Anonymous
Affiliation:

Mar. 31, 2023

This ill-conceived proposal recklessly and needlessly threatens the safety and confidentiality of the personal information and financial data of tens of thousands of employees, spouses, minor children, elderly grandparents, and others by using a third-party to gather and collect their data. At the same time, the release fails to articulate benefits sufficient to justify the risks.

Why is the OEC seeking to rely upon a 3rd party vendor to collect the financial data of its employees? What is the benefit to Commission employees? According to the release, the benefit of this amendment is to "reduce the burden on employees and compliance staff, and improve data accuracy and completeness by replacing the requirements for manually submitted account statements and manual transaction confirmations. It would also facilitate compliance by allowing the OEC to independently verify employee holdings and transactions. Further, it would reduce the risk of human error or oversight in reporting and reviewing of securities holdings and transactions." None of these purported benefits are supported by the release. The release fails to present any evidence of these benefits against a baseline so that the magnitude of the asserted benefits can be measured. Even if it did present a baseline, there would be no material benefit of using a 3rd party service provider that would justify the potential costs and risks to this highly confidential data and personal information of thousands of people.

Purported Burden Reduction: What is the current burden on employees? The release does not describe, quantify, or define this burden. What is a burden? How many employees were consulted to determine the scope of the burden of the current rule? What is the average amount of time it takes per employee to comply with the current rule? What is the financial cost to comply? Have employees complained about the compliance burden? If yes, how many? While the release presents no facts to support the asserted reduction, based on communications with actual employees (and not members of OEC), the current burden is de minimis. Uploading of statements once per year is not time consuming and removing this requirement is not a material benefit sufficient to justify the costs. Employees would rather continue with this current burden than have their information collected by and stored in a 3rd party environment over which the SEC has no control and increases the risks of employee and family PII and economic records being stolen and/or misused.

Purported Improvement of Data Accuracy and Completeness: The release fails to present any evidence of current levels of data accuracy or completeness. What are current data accuracy levels? What are current data completeness levels? How many account statements are manually submitted to OEC, on average, per year or month? How many trading confirmations are manually submitted to OEC, on average, per year or month? What data supports the statement that there will be an improvement in data completeness or accuracy if a 3rd party vendor is used to collect the information directly from broker-dealers as opposed to the current manual submission process? How many more account statements or confirmations does OEC estimate it would receive through a 3rd party vendor? Assuming employees are complying with their obligations, and there is no reason to assume otherwise, there will be no difference between what OEC currently receives from the manual transmission process and what OEC would receive from the 3rd party vendor. SEC employees diligently comply with their reporting obligations. OEC currently receives all the information it proposes to have collected by the 3rd party. Thus, this proposed vendor process presents no material improvement to data accuracy or completeness over the current process and the risks of outsourcing to a 3rd party are not justified.

Purported Facilitation of Compliance by Allowing Independent Verification of Holdings/Transactions. The release asserts that the amendment will facilitate compliance by allowing independent verification of holdings/transactions. Given the lack of detail, it is not clear what this benefit is over the baseline or the scope of the benefit.  The current system allows for independent verification of trading activity. Specifically, the employee submits the account statements to OEC and OEC can verify the accuracy and completeness of the trading activity.

Given OEC's current ability to verify holdings and transactions, one wonders if the OEC is looking to require the vendor to collect more or different information than it currently collects. This point is unclear because the release is woefully short on details regarding the vendor relationship. All that we know is that the vendor will collect information. What information will be collected by the vendor from broker-dealers or investment advisers? How often will information be collected by the vendor? How will OEC access this information? Can OEC request the vendor get information from broker-dealers or investment advisers? What are the security protocols in place at the vendor to prevent unauthorized access to the information or theft? Who and how many people at the vendor will have access to the information? Will the information be stored in the cloud? Will the vendor use Amazon Web Services? These are important questions that have not been addressed in the release and do not seem to have been thought through. Moving the personal and financial data of thousands of employees, including the Chair and Commissioners, to an outside vendor presents serious risks to personal privacy and data, and it should not be adopted.

To the extent that the Commission adopts the vendor provision, the Commission must clearly define the scope of the vendor's obligations and responsibilities. The rule should make clear what information will be collected by the vendor, how often information will be collected, where/how it will be stored, how long it will be stored and who can access the information. The Commission must clearly define the security measures that must be applied so that SEC employees and their families are assured that their data is safe and secure. The Commission must clearly define what the vendor must do in the event of a breach. Additionally, given the risk that outsourcing presents, the SEC Chair, the full Commission, and/or the SEC's CCO should annually review the security measures of the vendor and certify that the vendor is in full compliance with applicable security protocols.

Purported Reduction of Risk of Human Error or Oversight in Reporting. The release does not present any evidence of errors/oversight in employee reporting or evidence of the risk of errors/oversight in employee reporting. Based on its due diligence, how often does OEC find that employees have failed to seek approval for transactions? This data is surely knowable by OEC. It could compare the trade approval/confirmations with year-end consolidated statements showing all trading activity and analyze how many times employees failed to submit approval requests for trades. However, no such data is presented in the release and thus there is nothing to support this purported reduction in error or oversight. With respect to confirming transactions or submitting account statements, how often does the OEC find that employees have failed to comply with these requirements? No data is provided. That said, it seems difficult to understand how there can be errors or oversight with respect to the submission of the confirmations of trades or the submission of the account statements because the electronic PCTS system repeatedly reminds employees to submit the information. The proposed vendor requirement does not therefore reduce the risk of errors or oversight because the current system ensures compliance.

The proposal to use a vendor to collect employee data is legally deficient and should not be adopted.