Federal Deposit
Insurance Corporation

Ms. Valerie J. Best
Assistant Executive Secretary
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington. DC 20429

Re: Proposed Rules for Customer Identification

Dear Ms. Best:

Discover Bank appreciates the opportunity to comment on the joint notice of proposed rulemaking regarding "Customer Identification Programs for Banks, Savings Associations, and Credit Unions" (67 Fed. Reg. 48290), the purpose of which is to solicit input on the agencies' proposed regulation (to be codified at 31 C.F.R. part 103.121) implementing Section 326 of the USA Patriot Act (31 U.S.C. § 5318(l)).

Discover Bank is the issuer of the popular Discover Card and other major credit card brands. We fully support the need to enact regulations that limit access to the banking system by terrorists. However, in light of our immense customer base of approximately 46 million persons (based on primary accountholders), we are vitally interested in ensuring that the federal banking agencies heed Congress' mandate that the new regulatory requirements for verifying the identities of persons seeking to open accounts be both reasonable and practicable. To this end, in assessing the relative merits of potential rules, we respectfully ask that the agencies carefully weigh the gains for law enforcement, particularly when they are marginal, against the compliance costs that would be borne by the subject institutions. Moreover, in deciding on the effective date of the final regulation, we further ask that the agencies give due consideration to the major changes that institutions would need to make in their computer systems and operating procedures in order to accommodate significantly greater Bank Secrecy Act compliance obligations such as those proposed.

1. Authorized Users of Credit Cards Should Not Be Deemed Customers.

As defined in subpart 103.121(a)(3) of the proposed rule, the term "customer" includes: "(i) any person seeking to open a new account; and (ii) any signatory on the account at the time the account is opened, and any new signatory added thereafter." (67 Fed. Reg. 48,298.) The term "signatory" is not defined in the proposed regulation. However, the agencies' Section-by-Section Analysis of the regulation provides the example that "an individual with signing authority over a corporate account" would be considered a signatory and hence, a customer. (67 Fed. Reg. 48,292.)

An authorized user of a consumer credit account should not be included within the proposed definition of "consumer". An authorized user is a person whom the cardmember has: (1) authorized to transact on his or her credit card account and (2) registered with the card issuer. Discover Bank, as is the standard industry practice, currently records the name of the requested authorized user and consults the OFAC and published terrorist lists before issuing a plastic card in that name. However, requiring card issuers to collect, verify, and store the name, residence, mailing address, and tax ID number of all authorized users to comply with the Patriot Act would be misguided for a number of reasons.

First and foremost, requiring banks to obtain further information on authorized users would do little, if anything, to further the purposes of the Patriot Act. Due, in large part, to the credit card industry's intensive fraud screening and strict limitations on cash transactions, credit cards are not readily used to facilitate money laundering in the U.S. This fact is supported in the GAO's recently released Report to Congress on the money laundering risks posed by credit cards, as follows:

Most law enforcement officials we met with were unable to cite any specific cases of credit card-facilitated money laundering in U.S. based financial institutions. Further, a FinCen analysis of its database of SARs filed by U.S. based financial institutions revealed very little evidence of potential money laundering through credit cards. GAO Report No. 02-670, July 2002, p. 3.

Requiring card issuers to obtain more information on authorized users could have unintended negative consequences for law enforcement. The flexibility of transacting with a credit card (e.g., in-person, over the phone, through the mail, by ATM, and online) distinguishes a credit card account from an ordinary bank account. This ease of conducting transactions, especially on a blind basis, such as the ever increasing use of credit cards on the Internet, renders it virtually impossible for issuers to police cardholder-authorized third parties. If we were to impose a more cumbersome and invasive process for registering authorized users (i.e., the cardmember may neither readily know nor wish to divulge the requested information), cardmembers could easily evade the process by simply sharing their cards, passwords, and account information without telling us. The likelihood for such avoidance is strongly hinted by the unprecedented, overwhelmingly negative public reaction to the agencies' December 1998 "Know Your Customer" proposals, which were ultimately withdrawn. (63 Fed. Reg. 67,529). Obviously, if fewer cardholders were to register authorized users for privacy and other reasons, the body of identifying information available to law enforcement would be diminished instead of enhanced.

In any event, information on authorized users is of little value in preventing terrorism. The account records for a credit card account typically consist of an application. This contrasts with the records of loans secured by real estate or personal property, which might include verification of assets, pay stubs, and other documents that could prove useful to law enforcement. Moreover, regardless of how much information exists on authorized users, we can not identify whether an authorized user, the cardmember, or some other third party initiated a given transaction.

Further, it would be difficult to verify the extra information. When processing an application for a Discover Card, we have the ability to obtain a credit bureau report. This report allows us to independently verify information. However, we have no course of dealing with authorized users, who have no contractual relationship with us and accordingly, can neither request a change in loan terms. In short, from either a legal or a practical perspective, these persons are not customers "seeking to open an account." (31 U.S.C. § 5318(l)(2)(A). Because an authorized user is not a "customer" in the true sense, but would only be treated as a customer for purposes of part 103, the Fair Credit Reporting Act would require us to obtain the user's express approval as a prerequisite to verifying their identity through a credit bureau report. (This is not an issue in the case of cardmembers, for whom we have clear authority under the FCRA to request bureau reports.) The need to obtain such approvals from authorized users would by itself, increase our annual operations costs by approximately $2.8 million.

Developing the ability to keep records on authorized users as though they were customers, as proposed, would be a complicated and costly undertaking. To begin with, all of our existing written applications would have to be discarded and reprinted, and our mailing costs associated with applications would increase. In addition, new data entry fields would need to be added to both internal and external telemarketing screens. Plus, telemarketing scripts would require revision and telemarketing employees and vendors would have to be trained in the new requirements. Modifications would also have to be made to our website in order to allow authorized user information to be entered. Moreover, as noted above, because credit bureau reports may not be a feasible option, we may need to develop a special process for verifying the collected information. Finally, our computer systems would have to be modified to accommodate new data storage and retrieval demands.

Based on our existing customer volume, we estimate that we would incur approximately $8.4 million per year in additional expenses (not including training costs) as a direct result of the new requirements. In addition, we would incur single time computer programming costs of approximately $4.6 million. In our opinion, these monies could be far better spent, among other things, on further improving fraud detection systems.

In sum, treating authorized users as customers for purposes of part 103 is unnecessary, and would prove both ineffective and unduly expensive. Consistent with the clear directive of Section 326, the agencies' implementing regulations should focus on "financial institutions and their customers" (31 U.S.C. § 5318(l)(1) (emphasis added) and should not attempt to pull-in agents of customers under these circumstances. We, therefore, strongly urge the agencies to specifically exclude authorized users of credit card accounts in their final definition of the term "customer."

2. Banks Should Be Permitted to Rely on Alternative Sources of Identifying Information.

As proposed, subpart 103.121(b)(2)(i)(A) states that a bank's Customer Identification Program must "specify the identifying information that the bank must obtain from each customer (emphasis added)." The subpart then lists the minimum information that must be obtained. Because many customers who are willing to give out their name and address, balk at providing their social security number, it would be helpful if this subpart were to clarify that the requisite information may be obtained from other reliable sources, such as credit bureaus and public databases, as an alternative to receiving it directly from the customer. This change would mirror subpart 103.121(b)(2)(ii)(B), which clarifies that such sources may be relied upon in verifying identities. Further, from the perspective of law enforcement, it should make no difference whether the information emanated from the customer or an alternative reliable source.

3. The Customer Notice Should Not Disclose Procedures Used to Verify Identities.

As proposed, subpart 103.121(b)(5) states that: "the [Customer Identification] Program must include procedures for providing customers with adequate notice that the bank is requesting information to verify their identity." This language essentially mirrors the text of Section 326 and is not objectionable. However, in their Section-by-Section Analysis of the proposed regulation, the agencies opine that: "a bank may satisfy the notice requirement by generally notifying its customers about the procedures the bank must comply with to verify their identities." (67 Fed. Reg. 48295) (emphasis added.) While we don't object to providing a general notice, furnishing customers with any information as to how we go about verifying identities could provide a "roadmap" to evasion and strikes us as patently at odds with the Patriot Act's goal of combating terrorism. Communicating the simple fact that we verify ought to suffice.

This subpart would be much more helpful if it were to provide guidance as to what constitutes adequate notice, e.g., by incorporating the examples that appear in the Section-by-Section Analysis. (Id.) In this regard, a preprinted disclosure on a customer billing statement and/or cardmember agreement ought to be recognized along with those examples as an acceptable means of fulfilling the notice requirement. Furthermore, consistent with the agencies' respective privacy regulations and both Reg. B and Reg. Z, the subpart should state that it shall be deemed adequate for an institution to provide notice to just the primary accountholder.

4. Existing Subpart 103.34(a) Should Not Be Repealed In Its Entirety.

In their discussion of "Conforming Amendments to 31 C.F.R. § 103.34," the agencies focus exclusively on the inconsistencies with the Patriot Act that are presented by the first portion of subpart 103.34(a)(1), which provides, in pertinent part, that a bank need take no further action besides documenting its inability to obtain the customer's tax ID after expending reasonable efforts. (67 Fed. Reg. 48,295.) However, the last three sentences of subpart 103.34(a)(1) describe an additional rule that allows a bank to rely on another bank's verification of a customer's identity in connection with the customer's indirect purchases or redemptions of certificates of deposit. This last portion of the subpart states as follows:

A bank acting as an agent for another person in the purchase or redemption of a certificate of deposit issued by another bank is responsible for obtaining and recording the required taxpayer identification, as well as for maintaining the records referred to in paragraphs (b)(11) and (12) of this section. The issuing bank can satisfy the record-keeping requirement by recording the name and address of the agent together with a description of the instrument and the date of the transaction. Where a person is a nonresident alien, the bank shall also record the person's passport number or a description of some other government document used to verify his identity. 31 C.F.R. § 103.34(a)(1).

The FDIC's Bank Secrecy Act Examination Manual further elaborates on the ability of a bank to rely on the customer identification efforts of another financial institution in connection with payable through accounts, as follows:

The traditional use of PTA [payable through accounts] by financial organizations in the United States (i.e., credit union and investment companies) has not been a cause for concern by regulators. These organizations are regulated by federal or state agencies, or are otherwise subject to established industry standards. They also appear to have adopted adequate policies and procedures to establish the identity, and monitor the activity, of sub-account holders-in essence, the credit union's depositors or the investment company's mutual fund account holders. The same types of safeguards do not appear to be present in some U.S. banking entities that provide payable through account services to foreign banks.

We can find nothing in the Patriot Act, including the provisions dealing with Interbank Accounts and Concentration Accounts (§§ 319 and 325, respectively), that could reasonably be construed as presenting a conflict with the ability of a bank to rely on the customer identification and verification efforts of another regulated financial institution. As long as both institutions are subject to substantially equivalent BSA requirements (i.e., if the customer's agent is regulated by any of the four federal banking agencies or the SEC, NCUA, or CFTC), requiring dual efforts on the part of both institutions would serve no useful law enforcement or other purpose. This would especially be true where the institutions in question are affiliates, and hence, intimately familiar with each other's BSA procedures.

In addition to retaining the above-referenced rule of subpart 103.34(a)(1), the agencies should retain unchanged the exemptions that appear in subpart 103.34(3), with the possible exception of the exemptions which address aliens residing in the United States-subsections (iii), (iv), (v), (vi), and (x). A continuation of the exemptions for agencies and instrumentalities of the government, courts holding custodial property, students participating in a school savings programs, etc., would not run counter to the purposes of the Patriot Act, as none of these various situations involves a plausible vehicle for funding terrorist activity.

5. The Effective Date Should Be Delayed for One Year.