Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations |
|||
FDIC Federal Register Citations |
September 6, 2002 Ms. Valerie J. Best Re: Proposed Rules for Customer Identification Dear Ms. Best: Discover Bank appreciates the opportunity to comment on the joint notice of proposed rulemaking regarding "Customer Identification Programs for Banks, Savings Associations, and Credit Unions" (67 Fed. Reg. 48290), the purpose of which is to solicit input on the agencies' proposed regulation (to be codified at 31 C.F.R. part 103.121) implementing Section 326 of the USA Patriot Act (31 U.S.C. § 5318(l)). Discover Bank is the issuer of the popular Discover Card and other major credit card brands. We fully support the need to enact regulations that limit access to the banking system by terrorists. However, in light of our immense customer base of approximately 46 million persons (based on primary accountholders), we are vitally interested in ensuring that the federal banking agencies heed Congress' mandate that the new regulatory requirements for verifying the identities of persons seeking to open accounts be both reasonable and practicable. To this end, in assessing the relative merits of potential rules, we respectfully ask that the agencies carefully weigh the gains for law enforcement, particularly when they are marginal, against the compliance costs that would be borne by the subject institutions. Moreover, in deciding on the effective date of the final regulation, we further ask that the agencies give due consideration to the major changes that institutions would need to make in their computer systems and operating procedures in order to accommodate significantly greater Bank Secrecy Act compliance obligations such as those proposed. 1. Authorized Users of Credit Cards Should Not Be Deemed Customers. As defined in subpart 103.121(a)(3) of the proposed rule, the term "customer" includes: "(i) any person seeking to open a new account; and (ii) any signatory on the account at the time the account is opened, and any new signatory added thereafter." (67 Fed. Reg. 48,298.) The term "signatory" is not defined in the proposed regulation. However, the agencies' Section-by-Section Analysis of the regulation provides the example that "an individual with signing authority over a corporate account" would be considered a signatory and hence, a customer. (67 Fed. Reg. 48,292.) An authorized user of a consumer credit account should not be included within the proposed definition of "consumer". An authorized user is a person whom the cardmember has: (1) authorized to transact on his or her credit card account and (2) registered with the card issuer. Discover Bank, as is the standard industry practice, currently records the name of the requested authorized user and consults the OFAC and published terrorist lists before issuing a plastic card in that name. However, requiring card issuers to collect, verify, and store the name, residence, mailing address, and tax ID number of all authorized users to comply with the Patriot Act would be misguided for a number of reasons. First and foremost, requiring banks to obtain further information on authorized users would do little, if anything, to further the purposes of the Patriot Act. Due, in large part, to the credit card industry's intensive fraud screening and strict limitations on cash transactions, credit cards are not readily used to facilitate money laundering in the U.S. This fact is supported in the GAO's recently released Report to Congress on the money laundering risks posed by credit cards, as follows:
Requiring card issuers to obtain more information on authorized users could have unintended negative consequences for law enforcement. The flexibility of transacting with a credit card (e.g., in-person, over the phone, through the mail, by ATM, and online) distinguishes a credit card account from an ordinary bank account. This ease of conducting transactions, especially on a blind basis, such as the ever increasing use of credit cards on the Internet, renders it virtually impossible for issuers to police cardholder-authorized third parties. If we were to impose a more cumbersome and invasive process for registering authorized users (i.e., the cardmember may neither readily know nor wish to divulge the requested information), cardmembers could easily evade the process by simply sharing their cards, passwords, and account information without telling us. The likelihood for such avoidance is strongly hinted by the unprecedented, overwhelmingly negative public reaction to the agencies' December 1998 "Know Your Customer" proposals, which were ultimately withdrawn. (63 Fed. Reg. 67,529). Obviously, if fewer cardholders were to register authorized users for privacy and other reasons, the body of identifying information available to law enforcement would be diminished instead of enhanced. In any event, information on authorized users is of little value in preventing terrorism. The account records for a credit card account typically consist of an application. This contrasts with the records of loans secured by real estate or personal property, which might include verification of assets, pay stubs, and other documents that could prove useful to law enforcement. Moreover, regardless of how much information exists on authorized users, we can not identify whether an authorized user, the cardmember, or some other third party initiated a given transaction. Further, it would be difficult to verify the extra information. When processing an
application for a Discover Card, we have the ability to obtain a credit bureau report.
This report allows us to independently verify information. However, we have no course of
dealing with authorized users, who have no contractual relationship with us and
accordingly, can neither request a change in loan terms. In short, from either a legal or
a practical perspective, these persons are not customers "seeking to open an
account." (31 U.S.C. § 5318(l)(2)(A). Because an authorized user is not a
"customer" in the true sense, but would only be treated as a customer for
purposes of part 103, the Fair Credit Reporting Act would require us to obtain the user's
express approval as a prerequisite to verifying their identity through a credit bureau
report. (This is not an issue in the case of cardmembers, for whom we have clear authority
under the FCRA to request bureau reports.) The need to obtain such approvals from
authorized users would by itself, increase our annual operations costs by approximately
$2.8 million. Developing the ability to keep records on authorized users as though they were customers, as proposed, would be a complicated and costly undertaking. To begin with, all of our existing written applications would have to be discarded and reprinted, and our mailing costs associated with applications would increase. In addition, new data entry fields would need to be added to both internal and external telemarketing screens. Plus, telemarketing scripts would require revision and telemarketing employees and vendors would have to be trained in the new requirements. Modifications would also have to be made to our website in order to allow authorized user information to be entered. Moreover, as noted above, because credit bureau reports may not be a feasible option, we may need to develop a special process for verifying the collected information. Finally, our computer systems would have to be modified to accommodate new data storage and retrieval demands. Based on our existing customer volume, we estimate that we would incur approximately
$8.4 million per year in additional expenses (not including training costs) as a direct
result of the new requirements. In addition, we would incur single time computer
programming costs of approximately $4.6 million. In our opinion, these monies could be far
better spent, among other things, on further improving fraud detection systems. In sum, treating authorized users as customers for purposes of part 103 is unnecessary,
and would prove both ineffective and unduly expensive. Consistent with the clear directive
of Section 326, the agencies' implementing regulations should focus on "financial
institutions and their customers" (31 U.S.C. § 5318(l)(1) (emphasis
added) and should not attempt to pull-in agents of customers under these circumstances.
We, therefore, strongly urge the agencies to specifically exclude authorized users of
credit card accounts in their final definition of the term "customer." 2. Banks Should Be Permitted to Rely on Alternative Sources of Identifying Information. As proposed, subpart 103.121(b)(2)(i)(A) states that a bank's Customer Identification Program must "specify the identifying information that the bank must obtain from each customer (emphasis added)." The subpart then lists the minimum information that must be obtained. Because many customers who are willing to give out their name and address, balk at providing their social security number, it would be helpful if this subpart were to clarify that the requisite information may be obtained from other reliable sources, such as credit bureaus and public databases, as an alternative to receiving it directly from the customer. This change would mirror subpart 103.121(b)(2)(ii)(B), which clarifies that such sources may be relied upon in verifying identities. Further, from the perspective of law enforcement, it should make no difference whether the information emanated from the customer or an alternative reliable source. 3. The Customer Notice Should Not Disclose Procedures Used to Verify
Identities. This subpart would be much more helpful if it were to provide guidance as to what constitutes adequate notice, e.g., by incorporating the examples that appear in the Section-by-Section Analysis. (Id.) In this regard, a preprinted disclosure on a customer billing statement and/or cardmember agreement ought to be recognized along with those examples as an acceptable means of fulfilling the notice requirement. Furthermore, consistent with the agencies' respective privacy regulations and both Reg. B and Reg. Z, the subpart should state that it shall be deemed adequate for an institution to provide notice to just the primary accountholder. 4. Existing Subpart 103.34(a) Should Not Be Repealed In Its Entirety. In their discussion of "Conforming Amendments to 31 C.F.R. § 103.34," the agencies focus exclusively on the inconsistencies with the Patriot Act that are presented by the first portion of subpart 103.34(a)(1), which provides, in pertinent part, that a bank need take no further action besides documenting its inability to obtain the customer's tax ID after expending reasonable efforts. (67 Fed. Reg. 48,295.) However, the last three sentences of subpart 103.34(a)(1) describe an additional rule that allows a bank to rely on another bank's verification of a customer's identity in connection with the customer's indirect purchases or redemptions of certificates of deposit. This last portion of the subpart states as follows:
The FDIC's Bank Secrecy Act Examination Manual further elaborates on the ability of a bank to rely on the customer identification efforts of another financial institution in connection with payable through accounts, as follows:
We can find nothing in the Patriot Act, including the provisions dealing with Interbank
Accounts and Concentration Accounts (§§ 319 and 325, respectively), that could
reasonably be construed as presenting a conflict with the ability of a bank to rely on the
customer identification and verification efforts of another regulated financial
institution. As long as both institutions are subject to substantially equivalent BSA
requirements (i.e., if the customer's agent is regulated by any of the four federal
banking agencies or the SEC, NCUA, or CFTC), requiring dual efforts on the part of both
institutions would serve no useful law enforcement or other purpose. This would especially
be true where the institutions in question are affiliates, and hence, intimately familiar
with each other's BSA procedures. 5. The Effective Date Should Be Delayed for One Year. Due in large part to the complexity created by categorizing authorized users as
"customers", we estimate that we would require a minimum of twelve months to
implement and test the various computer programming and operational changes that would be
necessary to comply with Subpart 103.121 as proposed. However, if the changes we have
suggested are adopted, we believe that we can meet the goals of the Patriot Act in a
shorter period of time. |
Last Updated 09/11/2002 | regs@fdic.gov |