Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations |
|||
FDIC Federal Register Citations |
Board of Governors of the Federal Reserve
System Federal Deposit Insurance Corporation RE: Customer Identification Program Regulation Docket No. R-1127 Gentlemen: Jefferson State Bank is a $500 million bank with eight offices in San Antonio, Texas. We estimate that our approximately 27,000 accounts reflect relationships with 15,000 individuals. We have less than 98 persons who are not U. S. Persons as currently defined by the Internal Revenue Service. On consumer accounts, our current identification requirements consist of government issued photo ID on at least one of the signatories. We record the information from the ID, but do not retain a copy. On business or entity accounts, our documentation requirements relative to identification consist of a copy of a "Doing Business As" certificate from the state or county or calling the Secretary of State to verify the existence of the entity, as appropriate. We do not obtain identification from all signatories on entity accounts. Our comments will follow the order of the proposed regulation. Definitions Account – This definition essentially tracks the statute. It would be helpful if it provided more clarification of the types of activities that can constitute an account. For example, does the term "account" also include a stored value card issued by a bank, an electronic benefit account, a mortgage loan, safe deposit box, or a trust account? It would appear each of these is banking or business relationship involving financial transactions. However, the safe deposit box relationship is a landlord/tenant one. If all of these are indeed "accounts", please consider adding them to the list of examples. Presumably, the list in the statute is not exclusive but illustrative. However, this needs to be clarified. Customer – Because this term is defined to include any signatory, does that mean it would also include a person acting under a power of attorney or a deputy or designated signor listed for a safe deposit box? There are many situations in which a non-owner may have signing authority. Verification – one of the problems that has developed in Texas is a limitation found in the Texas Motor Vehicle Code, which prohibits the use of drivers license magnetic stripe information except for "government" purposes. We believe that verifying identification for purposes of the Bank Secrecy Act or preparation of suspicious activity reports is a "government purpose" since it is required by law. However, the Attorney General disagrees. Meanwhile, financial institutions are not permitted to determine whether or not a driver’s license is in fact valid by comparing the information on the magnetic stripe to the information on the front of the card. This facilitates the use of forged driver’s licenses in Texas and makes verification of identity difficult. We believe that the requirements of a CIP should satisfy the "government purpose" required by Texas law for use of the driver’s license magnetic stripe and allow institutions to verify whether drivers licenses are indeed valid through this simple mechanism. It would be helpful if this point were addressed in the regulation or the preamble to the regulation. In addition, because of our long border with Mexico, there are many resident aliens from Mexico living in Texas, as well as Mexican citizens who regularly cross the border for a variety of business transactions. Some banks have begun a practice of using the matricula consular card plus an additional method of identification such as a Mexican voter registration card. It would be helpful if this issue were addressed in either commentary or the regulation due to the prevalence of Mexican nationals in various communities throughout the United States. It would also be helpful if other methods of identification were discussed. For example, some entities use utility bills that are addressed to the same physical address and name of the person seeking the account as a method of verifying identity and location. Library cards are sometimes used as well. Either commentary or discussion of this sort of technique would be beneficial. Another issue of concern is which address to use for persons who are temporarily in a location. For example, some cities have large numbers of college students. Should the bank require the college students to use their local address or their "permanent address"? The same issue comes up for temporary workers such as oil field workers who are in a location working on a project for a given period of time, but will be moving. Texas, like Florida, also has large numbers of "snow birds" who spend the winter in the South. Should the bank require both a permanent address and a temporary address? Finally, it would be helpful if the regulators spoke to the value of using verification techniques such as checking location on the U. S. Postal Service zip code site. How much reliance can be placed on this? If it is indeed a good method of verifying a recognizable address, then it might be helpful to identify this approach either in commentary or the regulation. The regulation provides that a bank need not verify the information about an existing customer seeking to open a new account or who becomes a signatory on an account if the bank previously verified the customer’s identity in accordance with the procedures consistent with this section, and continues to have a reasonable belief that it knows the true identity of the customer. Additional clarity would be helpful in this area as every institution has thousands of existing accounts with identities verified in accordance with the "know your customer" requirements of prior law. The requirement that the bank continue to have "reasonable belief" that it knows the "true identity" of the customer is rather subjective. Further explanation of this in the preamble or comments would be helpful. Furthermore, perhaps a better test would be that the bank has not been put on notice that the identity is suspect would be more reasonable until these new requirements go into effect. In other words, for accounts in existence on October 26, banks should be held to a slightly different standard – a lack of affirmative notice of deficiency in the identity processes. The regulations go on to provide that a bank may verify through non-documentary processes including obtaining a financial statement on a customer. Clarification would be helpful as to how a financial statement itself would constitute verification of identity. Furthermore, it would be helpful if guidance were provided on the privacy implications of obtaining the financial statement. There was no guidance in the regulation with regard to opening accounts on the Internet. Many banks, including even small community banks, now have transactional capability over the Internet and can and do open customer accounts using the World Wide Web. Guidance would be helpful as to appropriate identification methods that would be acceptable for an Internet based account. While these comments may seem to request a certain degree of specificity and detail rather than generalities and flexibility, for the community bank with limited resources, specific recommendations can be extremely beneficial to assure better compliance with the regulations. Auditing Processes A good compliance program will of necessity include appropriate training and internal auditing processes. Some recommendations regarding audit methodology to be followed as part of the internal review would be beneficial. Model Language Establish specific, objective criteria in the final regulations for the content and timing of the required notice to customers, including model language deemed to be in compliance with the regulation. A number of regulations require banks to post public notices on their premises. Generally, those requirements are very specific and compliance can be evaluated objectively. While the proposal’s flexibility is intended to benefit the banks, its lack of an objective standard introduces a probability that individual examiners would feel comfortable imposing their personal opinion as to a notice’s adequacy. Oral disclosure would be the worst choice for the bank as it would be impossible to verify compliance, the wording of the "disclosure" would vary greatly between employees and it is the method most likely to generate a series of follow-up questions by the customer. A timing/placement requirement might be: "The notice is to be posted where it is likely to be seen by a customer prior to opening or requesting a change to an account." There will be customer resistance to the identification requirements. The more consistently they are communicated to the public and the more obvious it is that they are required by law, the more readily they will be accepted as a routine part of opening a bank account. Also, no purpose is served by leaving the specific wording of the notice to individual institutions, but it should be permissible for them to add additional information to any model language that might be provided. A model notice might read: "In order to prevent the use of the U. S. banking system in terrorist and other illegal activity, federal regulations require all financial institutions to obtain, verify, and record identification from all persons opening new accounts or being added as signatories to existing accounts. This institution cannot waive these requirements. – U. S. Treasury" Record keeping The record keeping requirements make it clear that records may not be used to violate the Equal Credit Opportunity Act. It would be helpful if some additional clarification were provided in this regard. Even an observation that copying and retaining drivers license information is not per se a violation of the Equal Credit Opportunity Act unless a loan officer obtains a copy of that information in evaluating a loan would be helpful. Effective Date Immediately after this comment period ends, announce that compliance with the final regulations will not be mandatory until 90 days after their publication in the Federal Register. The clear language of the USA Patriot Act indicates these regulations are to be effective October 25, 2002. However, this proposal was not published until July 23 and the comment period does not end until September 6. Even if the agencies spend very little time reviewing and discussing the comments received, the best case scenario is that final regulations will be issued very close to their effective date. The conclusion reached in the proposal that the new requirements have a minimal effect on small institutions is obviously not true in our case. The regulations will greatly increase the amount of identification we must obtain. It will be necessary for us to update procedures, determine how the information can be stored, but still be available to all of our offices and draft amendments to our existing BSA policy for the board to approve at a regularly scheduled meeting. We cannot complete any of those tasks until we see the final regulation. Having advance knowledge of exactly how much time we will have is important to our ability to perform the task well. Thank you for the opportunity to comment. Sincerely, |
Last Updated 09/05/2002 | regs@fdic.gov |