September 6, 2002
Office of the Comptroller of the Currency
250 E Street, SW
Public Information Room
Mailstop 1-5
Washington, DC 20219
Attention: Docket No. 02-11
|
Federal Deposit
Insurance Corporation
550 17th Street, NW
Washington, DC 20429
Executive Secretary
Attention: Comments/OES |
Secretary
Board of Governors of the
Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551
Docket No. R-1127 |
Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Attention: Docket No. 2002-27 |
FinCEN
Section 326 Bank Rule Comments
P.O. Box 39
Vienna, VA 22183
Attention: Section 326 Bank Rule Comments
Re:
Section 326 USA PATRIOT Act Proposed Rules
Ladies and Gentlemen:
This comment letter is submitted on behalf of Visa U.S.A. in
response to the Secretary of the Treasury's ("Treasury") request for comments on
a proposed rule to implement section 326 of the USA PATRIOT Act ("Act"). Visa
appreciates the opportunity to provide written comment on this important matter.
The Visa Payment System, of which Visa U.S.A.1 is a part, is the largest
consumer payment system in the world, with more volume than all other major payment cards
combined. There are more than one billion Visa-branded cards, and they are accepted at
more than 24 million physical locations in more than 130 countries. Visa plays a pivotal
role in advancing new payment products and technologies, including information security
initiatives, to benefit its 21,000 member financial institutions and their millions of
cardholders worldwide. In 2002, well over $2 trillion in goods and services will be
purchased using Visa products.
Visa also is the leading consumer e-commerce payment system in the world. Payment cards
presently account for nearly 95 percent of online consumer transactions, and Visa card
transactions account for 53 percent of that payment card portion. Moreover, we expect ten
percent of Visa's overall transaction volume to come from Internet purchases by 2003, up
from two percent today.
Section 326 of the Act requires the Treasury to prescribe regulations for financial
institutions setting forth minimum standards for establishing the identity of their
customers in connection with the opening of accounts and the establishment of other
customer relationships. Under the Act, the Treasury is required to take into consideration
the various types of accounts, the various methods of account opening, and the various
types of identifying information available. The Department of the Treasury, through the
Financial Crimes Enforcement Network, together with the Office of the Comptroller of the
Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit
Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union
Administration (collectively, the "Agencies") jointly released a proposed rule
to implement section 326 of the Act ("Proposed Rule"), which would require a
covered financial institution to establish a program ("Program") to verify the
identity of customers.
While, in part, the Proposed Rule attempts to provide desirable flexibility by permitting
an institution to implement a program that is appropriate given the bank's size, location,
and type of business, the Proposed Rule, nevertheless, includes a number of specific
requirements that would significantly increase the cost of opening credit card accounts,
while not yielding corresponding benefits in terms of verifying the identity of persons
seeking to open a credit card account. In addition, many of the requirements of the
Proposed Rule need clarification. We encourage the Agencies to consider or reconsider the
types of systems that are already in place at many financial institutions to identify
customers or prospective customers, and the natural market incentives that financial
institutions already have to properly identify their customers.
Finally, and perhaps most importantly, depending on the specific revisions that are
incorporated into the final rule, financial institutions will require substantial
implementation time-up to 18 months-before the final rule becomes effective in order to
modify their systems to obtain and to verify the information required to establish the
identity of new customers. Even if the Agencies adopt a final rule that incorporates the
recommended revisions, a delay in the mandatory compliance date-at least six months-would
be necessary to establish a Program that would include procedures for verifying a
customer's identity. However, if the final rule is substantially similar to the Proposed
Rule, the minimum time necessary for institutions to develop, implement, and test systems
would be 18 months.
General Comments.
Existing Incentives Have Lead to Appropriate Identification
Procedures.
As an initial matter, we appreciate the flexibility that is built into the Proposed Rule
and the recognition that Programs should be tailored to the bank's size, location, and
type of business. However, we believe that the Proposed Rule does not adequately recognize
the significant differences that currently exist in the various procedures and the
inherent incentives that financial institutions have to identify customers and prospective
customers, depending on the type of account relationship. For example, in extensions of
credit, financial institutions have an even greater incentive to verify accurately the
identity of their borrower than they do in the case of deposit accounts because a
misidentification of a customer for a loan is likely to lead to a loss on the loan.
Further, accounts that involve ongoing contact between the financial institution and the
customer, such as the mailing of monthly statements and the receipt of customer service
calls, tend to verify the identity of the customer through repeated communication with the
customer at a specific address or a particular phone number. This verification is
strongest in those cases where the customer routinely responds to that contact in a timely
manner, such as by paying a monthly bill.
In the case of credit card accounts, in particular, we believe that the inherent
incentives of the credit card issuer to minimize fraud, assure payment for authorized
charges and to maintain and to grow the customer relationship, lead the card issuer to
establish customer identification and verification procedures that result in a high level
of reliability in the identification process. In addition, the existing identification
procedures developed by card issuers are the most cost-effective procedures for receiving
and processing customer applications and opening new accounts. Because these procedures
are continually being tested by efforts to obtain credit fraudulently, including through
identity theft, these procedures are continually evolving to meet these
challenges?challenges that typically are not present, for example, with respect to deposit
accounts. Thus, credit card issuers increasingly are relying on private services that
specialize in helping to identify customers, as well as consumer reports and other means
of customer identification and verification.
Despite this strong correlation between the incentives of credit card issuers for customer
identification and the purposes of the Proposed Rule, the Proposed Rule includes a
significant number of requirements that do not correspond to current credit card issuer
practices. And, because card issuers already employ effective identification and
anti-fraud procedures, these proposed requirements will result in an increase in
regulatory-imposed costs, with no corresponding increase in the level of identification of
customers and persons seeking to open accounts. In this regard, it is important to note
that the recent GAO Report "Money Laundering: Extent of Money Laundering through
Credit Cards is Unknown" ("Report") states that the regulators themselves
believe that anti-money laundering examination resources should be dedicated to
higher-risk areas of the bank, such as private banking, correspondent banking, or wire
transfers, rather than credit card accounts. GAO-02-670 (July 22, 2002). Moreover, even
though the body of the Report suggests that money laundering through the use of credit
cards is possible, the Report still does not identify customer identification procedures
as an important tool in reducing the likelihood of such an event. Accordingly, Visa
believes that the Agencies should reconsider the specific requirements included in the
Proposed Rule in favor of more flexible requirements that will allow the rapidly
developing, market driven, account opening procedures to continue to shape identification
programs where, as in the case of credit card accounts, those procedures have demonstrated
that they will lead to a high level of customer identification.
Definition of Bank.
Exclude Foreign Offices.
Proposed Section 103.121(a)(2) would define "bank" to include virtually all of
the financial institutions regulated by the Agencies, including foreign branches of an
insured bank. The supplemental information to the Proposed Rule states that the regulation
must be implemented throughout the bank no matter where its offices are located. Many
countries have money laundering laws and regulations, as well as consumer protection and
privacy laws, that govern how information should be collected and for what purposes. The
Proposed Rule, which includes specific information collection and verification
requirements, may conflict with these laws. As in the case of domestic transactions,
foreign transactions already are designed to identify customers consistent with local laws
and practices. Accordingly, imposing U.S. specific requirements on foreign offices will
not only entail increased costs and burdens but will also place U.S. institutions at a
competitive disadvantage with foreign institutions.
Definition of Account.
Clarify Definition.
Proposed section 103.121(a)(1) defines an account to mean "each formal banking or
business relationship established to provide ongoing services, dealings, or other
financial transactions." Visa understands that the Agencies based the proposed
definition on the statutory definition of "account" provided in section 311 of
the Act. Visa believes that even though the definition is limited appropriately to
relationships that involve ongoing services, thus excluding an infrequent or a one time
transaction involving a payment product (i.e., stored-value cards), in some situations the
proposed definition is overly inclusive and, as proposed, could include bank relationships
that do not play a roll in money laundering or terrorist financing. For example, the
proposed definition is not clearly limited to financial transactions. Instead, the
definition of account could be interpreted to include non-transactional services, such as
advisory services, data processing services, or other relationships or services that do
not involve financial transactions.
In order to avoid imposing unnecessary regulatory requirements on transactions and
relationships that do not pose a threat of money laundering or terrorist financing, Visa
recommends that the definition be revised to include only those types of accounts that are
established on an ongoing basis to provide customers of a financial institution with the
ability to conduct financial transactions-such as transactions conducted in a deposit
account or a credit account. Such a definition would exclude an institution's relationship
with vendors or other entities that provide servicing or processing on the institution's
behalf.
Definition of Customer.
Section 103.121(a)(3) of the Proposed Rule would define "customer" to include
any person seeking to open a new account, any signatory on the account at the time that
the account is opened, and any new signatory thereafter. The inclusion of applicants and
signatories within the definition of customer is wholly inconsistent with current
practices and makes many of the requirements of the Proposed Rule impossible, or
commercially impracticable, to meet.
Limit the Requirements for Applicants.
While Visa understands that the statute makes specific reference to persons "seeking
to open an account," we believe that the Proposed Rule should focus on customers with
ongoing account relationships, not on persons seeking to open an account. In this regard,
a common reason for not opening an account is that the person seeking to open the account
fails to provide requested information. In addition, any information that is provided on
such persons may indicate that further processing of an application would not be warranted
because the application is sure to be denied; therefore, it makes little sense to require
an institution to seek additional information on someone who will never become its
customer.
For example, it would be a useless expense to obtain a credit report on an applicant, or
to verify information already obtained, where the face of the application shows that the
consumer will not qualify for credit, and, thus, there is no justification for continuing
the application process. The final rule should clarify that the verification and
identification requirements do not apply to individuals for which accounts are not opened.
Moreover, often the account opening procedures provide no practical means to obtain
omitted information about an applicant, such as when the application is submitted by mail.
Even where applications are submitted through an interactive process, there is no means to
compel applicants to provide information, other than to deny them the requested service.
For these reasons, in the case of persons seeking to open an account, the final rule
should merely provide that the financial institution should retain any identifying
information that has been provided in connection with the application process for an
appropriate period of time.
In this regard, Visa recommends that the Agencies revise the Proposed Rule to clarify that
a person merely "inquiring" about an account would not be a customer. The
Federal Reserve Board's Official Staff Commentary to Regulation B, which implements the
Equal Credit Opportunity Act ("ECOA"), distinguishes between an application and
an inquiry. Consistent with Regulation B Comment 202.2(f)-4, we recommend that the
Agencies specifically clarify that a customer merely calling or requesting information,
without completing an application, is not seeking to open an account and thereby is not a
customer under the rule. |
Exclude "Signatories" on Credit Card Accounts.
The Proposed Rule's reference to signatories in the definition of customer also would make
it difficult, if not impossible, to meet many of the requirements of the Proposed Rule.
Although the term "signatory" is not defined in the proposal itself, the
supplementary information accompanying the Proposed Rule states that "for example, an
individual with signing authority over a corporate account is a 'customer' within the
meaning of the proposed rule." Visa strongly recommends that, in the case of credit
card accounts, the definition or scope of the term "signatory" in the final rule
be clarified to apply only to account holders and not to other individuals who may be
permitted to use an account. Specifically, for example, the final rule should make it
clear that the identification and verification requirements do not apply to individuals
simply authorized to use a credit card issued to another individual or to a business.
First of all, while the example of a signatory in the supplementary information to the
Proposed Rule is based on a corporate account, the language of the Proposed Rule is not so
limited, raising the specter that "signatory" could include individuals who
simply are permitted to use credit cards issued to others, including spouses and children
of account holders. Further, in the context of credit cards issued to a corporation for
use by corporate employees for business purposes, the Proposed Rule could be read to
result in all such employees being considered signatories on the account and, therefore,
customers subject to the identification and verification requirements, because those
employees were authorized by the corporation to enter into transactions on behalf of the
corporation. Such an interpretation could destroy corporate account programs as they are
structured today.
In this regard, individuals with credit card accounts often authorize other individuals to
use their accounts. The authorization may be more formal, as when a corporate card is
issued in the name of the user; or the authorization may be very informal, as when the
credit card or a credit card number is "loaned" to a spouse, child, or other
person. In either case, the account holder is the customer (that is, the person liable on
the account), and the card issuer is likely to have no direct contact with, and often no
knowledge of, the user. In these circumstances, it is impossible for the card issuer
itself to collect and verify information about the user. For example, in the case of
individual accounts, while the card issuer could request card holders to supply
information about individuals who will receive a card bearing their name, it would be
impossible to verify the information through documents, because there would be no
face-to-face contact, or through consumer reports because, under federal law, a consumer
report would not be available to the issuer unless the user was liable on the account.
Less formal user arrangements present even greater difficulties in verifying the identity
of such users.
To the extent that the corporation is liable on the accounts, the terms of that liability
are governed by the terms of the agreement between the corporation and the card issuer.
Since the corporation stands behind all authorized use of its cards, typically the only
focus of the card issuer is how the card user's name is spelled on the card. On such
accounts, fraud control is usually performed by evaluation of transaction patterns, rather
than reliance on signature comparison or other means of identifying the individual
presenting the card. As in the case of cards issued to individuals, where the user is not
listed on the account, a consumer report would not be available. The cost required to
obtain the required information could be significant, particularly if the issuer could not
rely on the corporate customer to obtain and to verify the information on its own behalf.
Without a consumer report and without direct contact with the card user, a card issuer
would be forced to rely solely on non-consumer-reporting-agency identification services to
identify tens of thousands, if not millions, of users at greatly increased cost and
without a corresponding benefit.
Visa urges the Agencies to clarify that only individual account holders, in the case of
individual accounts, and corporate officers with complete authority over the account, in
the case of corporate accounts, such as those individuals with the authority to authorize
card use by employees, are considered signatories to the account. Similarly, the Agencies
should clarify that individuals with payment cards, such as those that are funded by an
employee's payroll account held by a corporation, are not customers and, thereby, are not
covered under the rule. Such payment cards are typically provided to consumers by the
consumer's employer. As in the case of corporate credit cards, the card issuer's
relationship is with the corporation, rather than the individual users, and there is no
ready mechanism for the bank to obtain and verify information about the users directly.
Changes in Terms are Not New Accounts.
The customer identification requirements of the Proposed Rule, fortunately, do not apply
to existing customers, therefore, avoiding the Herculean task of obtaining additional
information about those customers, verifying the information, reconciling discrepancies,
and maintaining records. However, under the Proposed Rule, the coverage of customers that
request or receive a credit line increase is unclear. In many instances, existing
customers in good standing with an institution periodically will receive a line increase,
such as at account renewal, and often the line increase is not requested, but expected.
Visa recommends that the Agencies clarify, either in the supplementary information or in
the definition of account or customer, that an existing customer who receives an increase
in his or her credit line, whether or not that line increase is requested, and who would
not previously have been verified under the rule, would not be covered under the rule. A
contrary rule would discourage card issuers from granting line increases because the
process would trigger the requirements of the Proposed Rule to customers with line
increases.
Similarly, customers with existing deposit accounts may be provided additional features on
the account. For example, institutions may provide customers with a debit card, ATM card,
or other device that provides access to the customer's already existing deposit account.
Visa recommends that the Agencies make clear that providing individuals with an additional
feature, such as a debit card, is not opening an account under the rule.
Identity Verification Procedures.
Information Required by the Proposed Rule is not Collected Today.
Proposed section 103.121(b)(2) would require institutions to establish procedures that
specify the identifying information that an institution must obtain from a customer. At a
minimum, prior to the opening of an account, or adding of a signatory to an account, this
information must include certain specific information, such as the name, date of birth,
residence, and, if different, mailing address and taxpayer identification number. For
persons other than individuals, the principal place of business or mailing address must
also be obtained.
Currently, most credit card issuers do not obtain all of this information. For example,
some issuers only require a customer's name and mailing address to open an account. Also,
many card issuers do not currently ask for age, because such "protected
criteria" can raise fair lending issues under existing federal law. Most card issuers
currently do require a social security number or a government-issued number for anti-fraud
and other identification purposes, but typically issuers will open an account if the
customer cannot provide such a number -- provided that the issuer can otherwise verify the
individual's identity and credit worthiness -- based on other information provided by the
individual or by a joint account holder. The need for, or corresponding benefit of,
certain additional information required under the Proposed Rule is not clear. Also, some
institutions do not obtain certain information, such as a taxpayer identification number,
until after the account is opened. Requiring that this information be obtained before,
instead of after the account is opened, would create additional costs with no additional
benefit in terms of combating money laundering or detecting terrorist financing.
Money laundering is not a new issue in banking; financial institutions have long
maintained procedures, as required under the Bank Secrecy Act, designed to identify
suspicious financial transactions. Absent the availability of a standardized methodology
to identify accurately financial institution customers, the Agencies should not require
institutions to collect new information without first determining and articulating its
benefit. Today, identification verification is achieved by producing enough evidence to
conclude with a high degree of certainty that the person is who she or he says she or he
is. Some of the information that institutions would be required to obtain under the
Proposed Rule would have no commercial value and would go beyond information that
institutions already are collecting in connection with their existing money laundering and
fraud-alert programs. Moreover, it is not clear that such information would enhance the
ability of financial institutions to identify their customers. For example, with respect
to individuals, the Proposed Rule would require institutions to begin obtaining the
customer's date of birth without any indication of the need for such information.
Although, in some cases, date of birth may distinguish fathers from sons, generally, it is
not an important identifying characteristic and, as indicated above, can lead to fair
lending and other discrimination issues.
Similarly, in many instances, institutions would be required to obtain two addresses: a
mailing address and, if different, a residential address. Currently, many financial
institutions collect, and only have one field in their automated system for, a single
customer address. This field is used for a mailing address to which account statements are
sent. The card issuer has no need for a residential address. While we understand that a
residential address, if different from the mailing address, may help law enforcement
"stake out" a suspected money launderer or terrorist, the practical problems
associated with collecting and potentially verifying multiple addresses are enormous. In
addition to the difficulty institutions would have in changing systems to accommodate two
addresses, applicants are likely to resist providing more than one address as an
unnecessary intrusion into their privacy. Also, financial institutions may not know that
the address provided is not a residential address unless the address provided is a post
office box. Even if a residential address is obtained, it may be impossible to verify that
the individual actually resides there, as opposed to using that address as a mail drop or
as a vacation home.
For these reasons, Visa recommends that the Proposed Rule be revised to provide
institutions who already have systems in place to identify their customers and to detect
suspicious transactions with flexibility in determining what information and supporting
information is necessary to identify their customers. In other words, for example, in the
case of credit card accounts, the Proposed Rule should be revised only to require the
collection of information that a card issuer deems necessary and appropriate to identify
customers.
In addition, regardless of whether the final rule requires the collection of specific
information, the final rule clearly and specifically should provide that any state law
that precludes a financial institution from collecting or obtaining information in order
to comply with its identification program under the final rule is preempted. Such a
clarification would ensure that individual states or local governments do not enact
well-intentioned statutes designed to protect consumer privacy or prevent identity theft
but that have the unintended consequence of interfering with customer identification
programs.
Customer Notice.
Permit a Simple Notice.
Proposed section 103.121(b)(5) would require a financial institution to include in its
Program procedures for providing its customers with "adequate notice" that the
bank is requesting information to verify his or her identity. The supplementary
information to the Proposed Rule states that a bank may satisfy the notice requirement by
generally notifying its customers about the procedures with which the bank must comply to
verify their identities. Such procedures are likely to be lengthy and confusing. We
believe that a simple sentence explaining that certain information will be used to verify
the customer's identity on an application or other account opening documents should be
adequate. Accordingly, we recommend that the Agencies clarify, in the supplemental
information or in the text of the rule, that the notice may be combined with other
information or forms provided in connection with the account, and that a brief notice, as
opposed to an explanation of verification procedures, is sufficient.
Verification.
Verify Identities, Not Information.
Proposed section 103.121(b)(2)(ii) would require institutions to establish procedures for
verifying the information that a bank obtains when a customer is seeking to open an
account. In contrast, section 103.121(b)(ii)(A) and 103.121(b)(ii)(B) refer to verifying
identity. Verification of the information obtained and verification of identity can be
very different. Visa believes that institutions should only be required to verify the
identity of the customer.
The Proposed Rule appears to contemplate that institutions would seek to verify each piece
of information that is obtained from a customer. When verification of identity is
accomplished through the use of consumer reports and identity verification services, the
identity of an individual often is verified by comparing a number of different pieces of
information and making a judgment, often using artificial intelligence, to determine the
identity of a specific individual. Often, this process does not involve definitively
verifying individual pieces of information or resolving discrepancies between particular
pieces of information. For example, a financial institution might be perfectly satisfied
that an individual who recently moved has provided the correct address, because other
information provided by the applicant matched the information obtained from the applicant.
However, the address may be difficult to verify given the fact that the consumer just
recently moved and the credit report, for example, reflects the customer's previous
address. Similarly, a card issuer may request information, such as date of birth or age,
that is used for verification of an individual's identity only in particular
circumstances, such as when it is necessary to distinguish a father from a son. There is
no reason to verify this information when, in fact, the institution has already or
otherwise successfully verified the identity of the individual. For the same reasons, Visa
recommends that the Agencies clarify that institutions are not required to resolve
discrepancies in information obtained, as long as the institution believes that it has
verified the identity of the customer.
In addition, the operation of the Fair Credit Reporting Act ("FCRA") and ECOA in
collecting certain verifying information is unclear. For instance, under the Proposed
Rule, institutions may request additional information to verify a customer's identity. In
this regard, identification services have been developed to aid financial institutions in
identifying customers. However, in some cases, the information provided by the services
may be limited by concerns that providing certain information, such as information about
accounts at other financial institutions, may lead to that identity verification service
becoming a consumer reporting agency under the FCRA. The Agencies should clarify that to
the extent that information obtained in connection with the rule is used to
"assist" an institution in verifying the identity of a customer for purposes of
the customer identification program and not the customer's eligibility for credit, the
information would not be considered "consumer report" information under the
FCRA-that is, information bearing on a consumer's credit worthiness, credit standing,
character, such as income, or credit score-even if the institution decides not to open an
account because the applicant fails to provide verifiable information.
Clarify Relationship Between Collection, Verification and Adverse
Action.
We also urge the Agencies to clarify the relationship between the collection and
verification of information for purposes of the customer identification program and
"adverse action" under other laws. For example, if a lender may request
information for purposes of the Program, the inability to obtain that information and the
refusal to open an account on that basis could trigger the adverse action requirements
contained in both the FCRA and the ECOA. Visa believes that institutions should be
permitted to use the information to alert institutions as to matters that the institution
will further investigate. However, to the extent that such further investigations result
in the failure to open, or the closure of, an account, such actions should not trigger
FCRA or ECOA requirements.
In addition, there is a drafting error in proposed section 103.121(b)(2)(ii)(B), which
sets forth the "non-documentary" requirements that institutions must employ when
an individual is unable to present actual documents. The Proposed Rule refers to
"independently" verifying "documentary" information, using credit
bureau reports and other means. The Agencies should make clear that such non-documentary
means can be used to verify the identity of a customer and that documentary means are not
required.
Recordkeeping.
Reduce the Information that Must be Retained.
Section 103.121(b)(3) of the Proposed Rule would require an institution to include in its
Program a record of the identifying information provided by the customer. Specifically,
the records would have to be retained for five years after the account is closed and would
have to include all identifying information provided by the customer, a "copy"
of any document that was relied upon, the methods and results of any measures undertaken
to verify the customer's identity, and the institution's resolution of any discrepancy in
the identifying information obtained.
The types of records obtained in connection with credit card lending are significantly
different from those obtained in connection with records obtained in connection with other
financial products. With respect to credit card lending, the records would typically
consist of the application and other information relied upon in identifying the customer.
There is little value in maintaining copies of credit reports, for example, and other
information that an institution might use in identifying the customer. We see no reason to
retain credit report information, for example, when the correspondence between the
applicant's self-reported information and the credit report information, rather than the
credit report information itself, form the basis for the conclusion that the customer's
identity has been verified. Nor do we see why a bank should retain a record of the
processes the bank uses to verify customer identity on a customer-by-customer basis, if
the processes and verification standards do not vary from customer to customer.
Visa recommends that the Proposed Rule be revised to provide financial institutions with
the flexibility to retain the information that the institution deems necessary to readily
identify the customer. Such a revision would avoid having financial institutions retain
and make copies of valueless documents.
Shorten the Record Retention Period.
Furthermore, the record retention standard should be consistent with existing regulations.
The period of retention for any documents or other materials should be no greater than
that of any record retention requirement that already applies to such documents or other
materials. In the case of credit card accounts, "[a] creditor shall retain evidence
of compliance with [Regulation Z, implementing the Truth in Lending Act] for 2 years after
the date disclosures are required to be made or action is required to be taken." 12
C.F.R. § 226.25(a). The Proposed Rule should parallel this and other existing
requirements in establishing the time period for retaining information collected in
connection with the performance of the customer information program. Disparate retention
requirements for different information are likely to be difficult to administer, possibly
leading to the retention of all information for excessive periods, while yielding
unnecessary costs. Further, particular information, including information in credit
reports and about residence, will change over time. Some credit card accounts have been
open for decades. Most of the information collected when these accounts were opened has no
relevance for money laundering, terrorist financing, or credit purposes today.
Clarify Retrieval is Not Required.
The Agencies should clarify that institutions are not required to be able to retrieve
information retained in any particular way. Instead, institutions should be able to
organize and to access their customer data bases in a variety of ways. Specifically, an
institution should not be required to establish a system that would generate information
by the consumer's name, date of birth, mailing address, account number, or by any type of
information. Such a requirement would be particularly problematic for information that is
required to be maintained on applicants where the information is of no ongoing use to the
institution.
Finally, the Agencies should clarify that records may be retained electronically in any
form that allows the institution to reconstruct accurately or reproduce the records.
Once again, we appreciate the opportunity to comment on this important matter. If you have
any questions concerning these comments, or if we may otherwise be of assistance in
connection with this matter, please do not hesitate to contact me at (415) 932-2178.
__________________________________
1 Visa U.S.A. is a membership organization comprised of U.S. financial
institutions licensed to use the Visa service marks in connection with payment systems.
Sincerely,
Russell W. Schrader
Senior Vice President and Assistant
Visa U.S.A.
|