Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.
Federal Register Publications

FDIC Federal Register Citations



Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations




FDIC Federal Register Citations


From: Ken Golliher
Sent: Sunday, August 25, 2002 9:57 AM
To: regcomments@fincen.treas.gov
Subject: Attention: Section 326 Bank Rule Comments

Attention: Section 326 Bank Rule Comments

These comments incorporate my experience as a banker, consultant and attorney. However, they are largely driven by my experiences as a trainer for financial institution and regulatory personnel for the last 18 years.

In some instances, my observations reflect concern that the Bank Secrecy Act's "safety and soundness" status in the on-site examination process increasingly makes it the subject of interpretation by divergent examination procedures and philosophies held by individual examiners rather than uniform legal requirements. Other observations are based on the appearance that the proposal seems to include new requirements being grafted onto, rather than merged with, existing requirements. Finally, some of my observations might reflect the concerns of small to medium sized community financial institutions - very few of which are likely to comment on this proposal.

It is worth noting that the USA Patriot Act was prompted by the actions of foreign, not domestic terrorists. Nevertheless, this proposal does nothing to require or facilitate better identification of nonresident aliens - BSA regulations already require banks to obtain evidence of foreign citizenship and record the information. It is Kafkaesque that our country's attempt to keep international terrorists out of the banking system is entirely focused on getting better identification from U.S. citizens.

Suggestion: Immediately after this comment period ends, announce that compliance with the final regulations will not be mandatory until 90 days after their publication in the Federal Register.

The clear language of the USA Patriot Act indicates these regulations are to be effective October 25, 2002. However, this proposal was not published until July 23 and the comment period does not end until September 6. Most banks would have no more than 1 or 2 board meetings in which they could approve a CIP between September 6 and October 25. (That observation assumes the final regulations would be issued immediately after the end of the comment period.) Even if the agencies allow themselves very little time to seriously review and discuss the comments received, the best case scenario is that final regulations will be issued very close to their effective date.

The conclusion reached in the proposal, that the new requirements have a minimal effect on most institutions, is simply incorrect - small financial institutions in particular do not obtain the amount of identification this proposal requires. Oftentimes, they have no verification procedures at all. Their identification requirements have legitimately evolved as a function of risk management with the perceived risk being fraud, not homeland security. It is likely that commentators from institutions of all sizes will request a reasonable period of time to design and implement their CIP.

If compliance is mandatory on October 25, any bank that does not have a CIP approved by the board before that date has an automatic violation of law, easily proven by reference to board minutes. The violation would not be cured by the subsequent adoption of a CIP. Federal law requires the functional regulators to cite any BSA violation in their written report of examination. Hundreds, perhaps thousands, of banks will be affected.

If the proposal had been issued 180 days after the statute was passed and the comment and review periods in combination had not exceeded 90 days, the banks would had the final regulations in time to build their programs. However, if compliance is mandatory on October 25, the failure to publish this proposed regulation well in advance of the effective date will generate wholesale violations.

Suggestion: Revise the program regulations to make specific reference to the operation of an anti-money laundering (AML) program in conjunction with a BSA compliance program.

The proposal indicates an expectation that the final regulations will be accompanied by "cross references" in what are generally referred to as the "program" regulations. These regulations were promulgated under 12 U.S.C. 1818(s) and 12 U.S.C. 1786(q)(1) some years ago. They reflect the federal functional regulators' requirements that banks develop a formal program for compliance with BSA's reporting and record retention requirements. The program regulations exist because of an explicit statutory direction to the regulators that they issue regulations assuring compliance with subchapter II of chapter 53 of title 31. The program regulations make no mention of an anti-money laundering (AML) program.

Yet, the proposal indicates: "The Program must be a part of the bank's anti-money laundering program required under the regulations implementing 31 U.S.C.5318(h), 12 U.S.C. 1818(s), and 12 U.S.C. 1786(q)(1)."

The Patriot Act's Section 352 (31 U.S.C.5318(h)) does require all financial institutions, including banks, to develop and implement such programs. However, interpretive regulations issued under this section indicate a bank is exempt from such requirements as long as it "...implements and maintains an anti-money laundering program that complies with the regulation of its Federal functional regulator governing such programs."

Again, the federal functional regulators have no such regulations; their only requirements regarding AML emanate from examination procedures and official correspondence to the institutions they supervise. For whatever reason, the agencies abandoned uniform examination procedures - they are now unique to each agency. Official communications to supervised institutions are also unique to each agency. In combination, none of this reaches the level of a consistent, objective legal requirement applied to all banks.

The flawed mechanism only works because BSA is classified as a "safety and soundness" topic. The agencies rely on their plenary power to require banks to implement AML programs on a case by case basis. However, AML requirements are not consistently described or enforced among the agencies or among banks supervised by the same agency. Accordingly, some, but certainly not all, banks actually have tangible AML programs. (They appear to be the most common in banks supervised by the OCC.)

A specific reference to AML responsibilities in the program regulations is necessary to make it plain that all banks are required to institute such efforts. It will also assist in making the testimony previously offered to Congress (that banks already have AML programs) accurate.

In addition, if the plain language of the regulations makes it clear that AML is a subset of BSA compliance and CIP is a subset of AML, it will be obvious to banks that a single written policy covering all three issues is appropriate. Their compliance programs can use common resources and procedures to achieve common goals.

Suggestion: Word the regulation to indicate that what the Board of Directors is to approve is a broad policy which generally incorporates the three procedures enumerated in the statute 1) identification and verification; 2) record retention and 3) comparison to government lists. However, make it clear in the supplementary information that the board is not required to approve the specific methods used to identify and verify customers, keep records and conduct comparisons to government lists.

Most businesses, banks in particular, make significant distinctions between policies and procedures. Banks use policies to establish goals. They use procedures to indicate how those goals are to be accomplished. Unfortunately, the statute makes a specific reference to required "procedures" and, the proposal tracks that language, pointing out that the board of directors must approve the CIP and that CIPs will vary greatly between banks. Examiners could reasonably interpret the language of the proposal to say that the board must approve the specific details of the CIP. This interpretation will interfere with the operation of an effective program.

First, designing or critiquing operating procedures requires knowledge and skills that most board members do not have and could not be reasonably expected to develop. The best case scenario would be that their vote on operating procedures would be a "rubber stamp." The worst case scenario would be that they would want to actively participate in designing procedures. Second, if the bank incorporates detailed procedures into a document requiring board approval, future changes to those procedures will also require board approval. An operating procedure that should be dynamic and capable of responding to change will remain static due to the bureaucratic process necessary to alter it.

Obviously, the agencies cannot change or ignore the wording of the statute. However, supplementary information accompanying the final regulation could make it plain that board approval is required for a policy specifically incorporating the broad procedures listed in the statute, not of the detailed procedures the bank must develop to carry out the program.

Suggestion: Establish specific, objective criteria for the content and timing of the required notice to customers, including model language deemed to be in compliance with the regulation.

A number of regulations require banks to post public notices on their premises. Generally, those requirements are very specific and compliance can be evaluated objectively. While the proposal's flexibility is intended benefit the banks, its lack of an objective standard introduces a probability that individual examiners would feel comfortable imposing their personal opinion as to a notice's adequacy. Oral disclosure would be the worst choice for the bank as it would be impossible to verify compliance, the wording of the "disclosure" would vary greatly between employees and it is the method most likely to generate a series of follow-up questions by the customer.

There will be customer resistance to the identification requirements. The more consistently the identification requirements are communicated to the public and the more obvious it is that they are required by law, the more readily they will be accepted by the public as a routine part of opening a bank account. Also, no purpose is served by leaving the specific wording of the notice to individual institutions; model language should be provided.

An objective timing/placement requirement might be: "The notice is to be posted where it would be likely be seen by a customer prior to opening or adding a new signatory to an account."

A model notice might read: "In order to prevent the use of the U.S. banking system in terrorist and other illegal activity, federal regulations require all financial institutions to obtain, verify, and record identification from all persons opening new accounts or being added as signatories to existing accounts. This institution cannot waive these requirements. - Financial Crimes Enforcement Network

Suggestion: Revise the concept of "opening a new account" to include the circumstance where an individual is already required by existing law or regulation to provide additional documentation.

For example, under current IRS regulations, nonresident aliens must execute a form W-8BEN to claim exemption from information reporting and backup withholding at the time an interest bearing account is opened. The form is valid for four calendar years. Banks routinely correspond with customers to obtain a replacement form prior to expiration. The regulations should treat this or an analogous event as the opening of a new account triggering identification requirements unless the bank already has identification on file.

The purpose of the requirement is to identify accounts currently held by nonresident aliens that are poorly documented. This goal is on point with the objectives of the USA Patriot Act and the tragedy that gave rise to it. Assuming these regulations will limit criminal access to the banking system, foreclosing money launderers and terrorists from opening new accounts accomplishes nothing if they have accounts opened prior to the regulation?s existence. Those accounts can simply be "taken over" by a person who is not the original customer, a technique actually used by the 9/11 terrorists.

The claim made in the opening paragraph, that the recommendations made in this comment letter might reflect the perspectives of community financial institutions does not necessarily apply to this suggestion. Few banks with significant numbers of NRA customers would support this idea due to the amount of effort it would require.

Suggestion: Eliminate 31CFR103.34(a)(1), (2) & (3).

As noted, the proposed regulations are more specific and encompass any information paragraph (1) would require. Paragraph (2) discusses an exemption that is meaningless without paragraph (1). Several elements of paragraph (3) depend on fact based decision-making, using facts the bank can only obtain from the customer. Two exclusions require the bank to project the amount of interest income an account might earn. In short, they are antiquated.

The clear conclusion offered by the final regulations should be, "No TIN, no account," unless you can demonstrate * foreign citizenship or * a pending TIN application.

Suggestion: Use the same definition of "U.S. person" as that used by the Internal Revenue Service for information reporting purposes.

The proposal limits "U.S. Person" to U.S. citizens or entities organized in the U.S. The Internal Revenue Service?s definition for information reporting purposes expands it to include resident aliens. (The reference can be found in resources as common as IRS form W-9 that indicates a resident alien is a U.S. person.) Resident aliens can obtain U.S. issued identification numbers, either an ITIN or SSN, depending on their circumstances. Conforming the definition to that used by the IRS would no effect on CIP requirements, but would eliminate confusion among bankers.

It is worth noting that banks are only aware that they are dealing with a non-citizen when the customer claims that status to avoid information reporting and backup withholding. If an individual provides a state issued drivers license and a valid or apparently valid Social Security number (SSN), the bank has no reason to inquire as to citizenship in connection with a deposit account. As written, this proposal does nothing more than allow for alternative identification as a nonresident alien if a customer does not have an SSN - there is no explicit requirement that a bank inquire about citizenship.

If this suggestion is not accepted, it will be necessary to delete "individual taxpayer identification number" as an example of a taxpayer identification number a U.S. Person may have in proposed 103.121(b)(4). A U.S. citizen cannot obtain an individual taxpayer identification number. (See IRS form W-7)

Suggestion: Treasury should promptly complete and publish the study mandated by Section 326 of the USA Patriot Act. Hopefully, one of the alternatives it will advocate is that a U.S. bank account cannot be opened using only foreign identification when a U.S. address is used. Another would be that the "highly secure" bank - Treasury communications system required by Section 362 of the USA Patriot Act should have the capacity to allow banks to verify the identity of nonresident aliens.

The Congressionally mandated study of the identification issues presented by those who are not U.S. persons (which was to be published approximately four months ago) would be a tremendous resource to banks developing CIP programs right now. As it is, the CIP's verification processes are an "impossibility" for nonresident alien accounts - only the address information is capable of verification.

It would be appropriate if the study supports a specific requirement that anyone opening a bank account using a U.S. location as a residential or mailing address must present U.S. or state issued identification. For example, an individual non U.S. person who is a student with a valid VISA would not need state identification to be in the U.S. to obtain an education. He would need it to open a bank account. Banks would then be in a position to rely on the state's verification of identity.

Such a requirement would probably raise the ire of untold bureaucracies. However, it would also establish that it is the state and federal governments, not the banks, who have the responsibility and should have the expertise to analyze foreign identification.

It would also be helpful if the study concluded that the bank - Treasury communications system required by Section 362 of the Patriot Act should include a mechanism whereby banks could verify the identity of nonresident aliens by reference to a U.S. assigned number. An unsecure query of Treasury's web site using that number would generate a photograph which could be used for positive identification and, if the person's presence in the U.S. was no longer legal, a required notification by the bank to proper authorities. U.S. immigration policy is beyond my comprehension, but is axiomatic that if someone is in the U.S. illegally it should be impossible for him to open a bank account here.

Suggestion: Amend the definition of customer to exclude any named owner of a time deposit other than the customer whose SSN is to be used for information reporting, if the bank does not normally require signatures from any other owners. As a part of the same suggestion, amend existing 31 CFR 103.34 (12) to indicate that the bank is to obtain the information required by its CIP under 31 CFR 103.121 from any customer redeeming a time deposit unless the bank already has that information on file.

Banks routinely title time deposits in the name of multiple individuals without obtaining signatures or identification on all parties. For example, a grandmother purchasing a time deposit with survivorship interests for her two grandchildren might title the account, "Jane Alexander or Kevin Alexander or Marcus Alexander." The co-owners may have no knowledge of the time deposit's existence and may not even be adults.

Anything affecting this practice will have widespread ramifications without any corresponding benefit to BSA's law enforcement purposes. The requirement that the information be obtained at maturity if the instrument is redeemed by one of the other customers should assure that this cannot become an untraceable method for transferring funds. It is also a minor variation on an existing requirement. The current requirement, obtaining a TIN from a person redeeming a certificate of deposit, has no value - the bank would never have reason to know if the TIN was correct. Also, its reference to a "certificate of deposit" is dated and unclear. Changing the requirements at redemption of a time deposit has no retroactive effect.

Suggestion: Amend the proposed definition of "customer" at 103.121(3) to place "(iii)" in front of "any signatory added thereafter."

The change is intended only to make the paragraph more readable and emphasize the fact identification is required for all signatories.

Suggestion: In the supplementary information explaining "customer" indicate how banks should handle accounts under relationships that do not meet the definition of "person" under 31 CFR 103.11(z).

How should banks handle accounts where one of the "persons" involved may be under a legal disability such as guardianships, conservatorships, attorneys-in-fact, nursing home patient funds, or representative payees? Also, what about arrangements where the "persons" may be known, but they are not signatories. Examples would be escrows, Uniform Transfers to Minors Act accounts and Funeral Trusts. Also common are club accounts where there is no legal entity, just an informal group with a common interest.

Suggestion: Amend the current definition of "established customer" to indicate it is a "customer" from whom the bank has obtained the information required by its CIP under 31 CFR 103.121. Amend existing 31 CFR 103.29 to replace references to "deposit account holder" and "person who has a deposit account" with "established customer." Amend proposed 31 CFR 103.121(b)(2)(ii) to remove the reference to an undefined term, "existing customer" and replace it with "established customer." Thereafter, indicate the bank is not required to verify information about an "established customer" as long as it continues to have a reasonable belief that it knows the true identity of the customer.

The net effect of this change is to homogenize references made in different parts of the regulation that were written at different times with different purposes. The end result would be the existence of "customer" as defined in the proposal and an "established customer" as one who had fulfilled the CIP. In candor, I am too tired at this moment to be assured that I have thought of all the ramifications, so read carefully. However, once a customer passes the CIP, there should not be any other hurdles to jump just because he wants to send or receive a wire transfer or purchase an official check for cash. It would have been better if this homogenization had been part of the proposal, but I see no retroactive effect. It will have an effect on future wire transfers and official check sales that no reading of the proposal would have divined.

Suggestion: Keep the definition of "account" as proposed, but eliminate the suggestion from the supplementary information that frequent non-contractual dealings might rise to the level of an "account."

In attempting to show the definition's precision, the supplementary information indicates it

"...is limited to banking and business relationships established to provide "ongoing" services, dealings or other financial transactions to make it clear that this term is not intended to cover infrequent transactions such as the occasional purchase of a money order."

Unfortunately, the implication is quite clear that frequently purchasing official checks or sending wire transfers might be the equivalent of having an "account." Examiners may exploit the ambiguity in their criticisms. Please do not leave a loophole that suggests banks should monitor the number of official checks sold to a noncustomer regardless of amount.

Alternatively, if the reference is intentional because the agencies do not want banks to become "MSB's in fact," change the definition of "customer" to include someone with identifiable, repetitive contacts. It simply makes no sense to imply someone has an "account" because she purchases a lot of official checks. However, it is difficult to assert that she is not a customer.

If the agencies think it appropriate (I do), they should say plainly that banks should voluntarily limit their dealings with those who are not "established customers" as defined in BSA regulations, particularly in the area of wire transfers. Any exceptions made by banks should involve nominal amounts and be solely to benefit the "unbanked" portion of the population.

Suggestion: Expand supplementary information regarding 103.121(b)(2)(i)(A) to indicate whether adding a new signatory triggers a requirement to obtain the information on all signatories or just the one being added.

For example, ABC Inc.'s account has four signatories and was established before the effective date of the regulation. The company presents a resolution adding a fifth signatory. Clearly, the bank is required to obtain information on the new signer, but does the addition of a new signer trigger a requirement to get the information on the previous signatories as well as the company? (Based on the overall purpose of the regulation, my assumption is that adding a signatory triggers a "fresh look" at the account and information on all signatories and the company is required.)

Suggestion: Add paragraph 103.121(b)(2)(i)(A)(5), "Occupation, profession or business."

This is the only additional information the bank would need in order to file a Currency Transaction or Suspicious Activity report on this customer. Having it in its files could avoid a number of potentially difficult situations and put the bank in a better position to provide required information. An industry group included "occupation" in its recommendation for required information, so there is obviously broader support for the idea.

Perhaps the original suggestion was not accepted because occupations can change after the time an account is opened. However, the bank would only rely on this information to fill out the form if it is unable to obtain more current information. More to the point, this information is usually provided by the customer orally in response to an oral request - there is never any guarantee of its accuracy. So, the fact that it might have aged has no tangible effect on its reliability. In addition, the fact that the customer tells you one occupation at account opening and something else when a CTR is filed might actually be of interest.

Clearly, banks could require "occupation" based on policy rather than regulatory requirements.

Suggestion: Delete "...a copy of the application..." in 103.121(b)(2)(i)(B) and replace it with: "...an IRS Form W-9 completed according to its instructions as an Awaiting TIN Certificate."

The IRS already has procedures for a situation when a deposit account is interest bearing, but no TIN is provided at account opening. They call for filling out a Form W-9 with the notation "applied for" in the TIN field. (See the instructions to IRS Form W-9). The simplest thing would be to expand that mechanism to all circumstances where an EIN application is pending. There is no point creating duplicative procedures, one for the Treasury and one for its proteges at the IRS because of a missing EIN. (FYI, the Certificate is valid for 60 days.)

Suggestion: Expand supplementary information regarding 103.121(b)(2)(i)(B) to indicate that the IRS has a program for obtaining EIN's by phone or fax in a relatively short period of time.

This exception in the proposal is useful when an entity has already applied for an EIN by mail when it comes to the bank to open an account. However, many businesses, estates, etc. attempt to open an account before applying for an EIN. Often, banks keep copies of IRS Form SS-4, which is used to apply for an EIN, at the new account desk. They provide customers with a copy and highlight the instructions regarding the "tele-TIN" program. Encouraging banks to make customers aware of the program would be helpful.

Suggestion: In 103.121(b)(2)(ii)(A)(2), delete the word "registered" insert the word "certified" and delete the references to partnership agreements and trust instruments as evidence of existence. Mandate only that documentation consist of evidence that businesses are either publicly traded on a major exchange or are authorized to do business in a state or the United States and that fiduciary relationships be documented in accordance with state law.

Copies of articles of incorporation have value when the copy provided is "certified" by the Secretary or Department of State in the state of their incorporation as a true, correct and complete copy of those filed with the state. Banks routinely obtain copies of the articles in lending related activities so they can confirm borrowing authority. However, in deposit related activities it is usually assumed the bank has no need to verify specific provisions; the preference is for less bulky and expensive documents (certified copies must be purchased from the state).

Examples are a "certificate of existence" or "certificate of good standing" issued by the state to establish the existence of an entity that is a "creature of statute;" e.g. corporation, limited partnership or LLC. Increasingly, states have web sites where corporate existence can be verified instantly and, in some states, at no cost the inquiring party. Examples are: http://www.sunbiz.org/ (Florida) and : http://www.nol.org/ (Nebraska).

The names of key documents evidencing existence of fiduciary relationships vary from state to state. In Kentucky, a personal representative for an estate a trust established by a will needs an "order of appointment" issued by a court in order to act. In Texas, the same document is referred to as "Letters Testamentary." Some states, California and Texas for example, allow banks to accept and rely on a "trust certification" in lieu of obtaining a copy of the trust. In other states there may be no statutory guidance, but banks have chosen to accept certifications with varying language or even selected portions of the trust as evidence of its existence. It would be wise to not to use terms or documentation references that vary substantially from state to state in the regulation.

General partnership agreements and trust instruments carry no imprimatur of authenticity - they can be easily manufactured using software purchased at business supply stores and generally are not recorded as a public document. Except in lending related activity, banks usually avoid obtaining copy of either document - knowledge of its content can impute to the bank a realization that fiduciaries were acting contrary to their charge or partners were violating their agreement.

The documentation that the bank should have for a business entity should be the same as already required for Phase I and II exemptions under 31 CFR 103.22(d)(2). That is, evidence that they are either publicly traded on a major exchange or are authorized to do business in a state or the United States. The general operating concept is that documentation is simply some form of government acknowledgement, ranging from certificates of good standing to "assumed name" registrations required by state law, that the business really exists. Both examiners and bankers have been able to deal with the lack of specificity in current regulations and can do the same here.

Suggestion: Expand the supplementary information accompanying 103.121(b)(2)(ii)(A) to indicate that the value of documentary verification is enhanced by redundancy. For example, a requirement that a customer produce at least two pieces of identification at account opening, one of which must be primary identification, is the foundation for a CIP.

Generally, "primary"identification is considered as something that is issued by the government, has a photograph and is relatively hard to get. The best examples are the items that are acceptable as identification for a Currency Transaction Report ? a drivers license, state identification card, cedular card, resident alien card, military identification card or a passport. I have heard from regulatory personnel, but have not been able to find in print, that FinCEN considers the matricula consular as acceptable identification. "Secondary" identification encompasses everything from Social Security and insurance cards to student identification cards.

Mentioning some of these concepts in the supplementary information may be of considerable help to bankers. In candor, it may be of equal help to examiners. The regulatory agencies have not made it a routine practice to review deposit account documentation. There is no basis for assuming examiners know as much about deposit account documentation as bankers do.

Suggestion: Revise 103.121.(b)(2)(ii)(B) by inserting the phrase, "If a bank chooses to open accounts under any of the following circumstances,..." at the beginning of the second sentence.

The second sentence is long and confusing, but as currently written, it appears the bank is required to make alternative provisions for verification when documents are in some way unavailable or unacceptable. The supplementary information supports that reading.

Banks choosing to open accounts without their normal documentation should be required to state their alternative verification methods. However, if they decide not to waive documentary requirements or waive them only in one of two circumstances, they should not be required to develop procedures for theoretical events.

Currently, banks are able to refuse to open an account for any reason they choose, other than a basis prohibited by law. Clearly, the USA Patriot Act was not intended to force them to reduce their documentation requirements. A tacit requirement that a bank must attempt to open an account in the absence of documentation that meets the bank's standards is simply outside the scope of the statute and, thus, the regulation.

Revise the supplementary information accompanying 103.121(b)(2)(ii)(B) to eliminate the statement that "...Treasury and the Agencies expect that banks will provide products and services to those customers (unable to provide customary identification) and verify their identity through other methods."

This provision's use of mandatory language is counterintuitive to the purpose of the regulation. It reads like a "rider;" it is unconnected to the subject matter but, something that someone with a separate agenda wanted to tack on.

The statute does not provide a foundation for a statement that the agencies "expect" that banks "will" make concessions on behalf of any class of persons. Rewording it to say that the agencies "...accept that some banks may..." make concessions to certain classes of persons in requiring documentation would render it gratuitous, but keep it within the agencies' powers. Permitting banks to make concessions on documentation to identifiable groups is helpful, but an indication that they must do it is out of bounds.

Neither age nor disability is substitute for the identification necessary to board a commercial aircraft. There is no reason it should be for opening a bank account when experience indicates that bank account can affect several commercial aircraft. Given the ready availability of the state ID card, a bank that requires some form of U.S. issued photo identification for U.S. citizens as a condition of opening the account is not imposing an unreasonable requirement. That is particularly true if the bank is willing to waive that requirement for those affected by religious beliefs.

In a number of illegal enterprises ranging from terrorism to the black market peso exchange, a bank account is a transferable tool opened by one person and used by another. It really is important to know who opened the account initially. Laudable social goals or a regulatory desire to avoid criticism by special interest groups does not outweigh the critical nature of that information.

Suggestion: Establish a method whereby banks can verify Name/TIN combinations, not just when and where the TIN was issued.

I am aware that a program is "in the works." It is essential to the effectiveness of any CIP. Currently, many banks believe that they "verify" TIN's by using an outside service at account opening.

Those services have a proprietary data base of names and TIN?s built by client contributions; they do not have access to the SSA or IRS databases. The vendors also have publicly available information regarding TIN issuance practices and SSA's database of decedents. Finally, they have access to drivers' license information for some, but not all states. An experienced perpetrator has access to most of the same information and can subvert the proprietary database.

However, at present that is not necessary. Most banks publish their use of such a system with notices on the front door and signs on the new accounts desk - all the actor has to do is go to a different bank, one without all the signage.

In short, many banks now pay for a verification process that is hardly infallible. An alternative system that would authenticate the SSN as being consistent with the name given is truly an essential part of a CIP that actually works and should not be a fee based service.

Suggestion: Establish that a "reasonable time to verify identity" begins at the time all of the required information is received and can vary based on the type of account being opened and the type of activity being proposed. Note in supplementary information that banks should not conduct significant transactions with customers whose identity has not been verified.

As a practical matter, a customer whose identification has not been verified is the same as a noncustomer - the bank does not have a reasonable belief of the person's identity. Many verification methods currently in use can and should be employed before the customer leaves the bank. Allowing a longer time as a "safe harbor" means it will be used in circumstances when it is not necessary. If "urgency" is an acceptable excuse for collapsing identification requirements, illegal actors will always pose their situation as urgent.

Suggestion: Delete 103.121(3)(C)

The requirements of (A) and (B) of this section meet the requirements of section 326(a)(2)(B) of the Patriot Act. Paragraph (C) expands them greatly, but the records it generates are of no law enforcement value and, if kept for each customer until 5 years after his account is closed, will reach an enormous volume. The requirement runs contrary to the normal observation that BSA's record retention requirements are substantive, not mere "evidence of compliance" as required by consumer protection laws.

What is proposed here is that banks keep evidence of compliance, including non documentary verification efforts, even though the great bulk of all verification processes will not yield actionable results; i.e. usually, the information provided by the customer will prove to be correct. A bank that does no more than write a letter confirming an address, run the customer through a verification service and pull a credit bureau report will be required to keep records of each effort. While there is no requirement that these records be centralized, it is a practical necessity. Every institution will find that its CIP files are substantial, but largely worthless.

The bank is required to have verification procedures and employ them for each customer. Like many other compliance requirements, statistical or random sampling can verify whether those procedures are used. It serves no purpose to retain verification records other than those on applications where discrepancies or deficiencies were noted.

It is noted that the breadth of the record retention requirement was actually suggested by an industry group. However, its cost relative to value is grossly disproportionate.

Suggestion: Reword 103.121(b)(3)(ii) to say: "Record retention methods must be consistent with 31 CFR 103.38 and the time frame set out there begins to run for these documents when the account is closed."

It should be made obvious that banks are not required to set up a separate record retention system or centralize the records required by this regulation in order to comply - they can use the records they accumulate and retain in the ordinary course of business if they choose to do so. (Some banks will develop dedicated record retention programs, but it should not be required.) As long as the retention period is the same as that required for records generally, there is no need to mention a time frame here.

Thank you for your consideration of these comments. If there are any questions regarding them, you can reach me as indicated below.

Ken Golliher
6016 Innes Trace Road
Louisville, KY 40222-6005

Last Updated 08/28/2002 regs@fdic.gov

Last Updated: August 4, 2024