FDIC Federal Register Citations
Executive Secretary
Attn: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N.W.
Washington, DC 20429

RE: Comment on Proposed Regulation to implement Section 326 of the USA PATRIOT Act of 2001.

Dear Sir or Madam:

On behalf of Juniper Bank, I am pleased to submit my comments on the proposed regulation to implement section 326 of the USA PATRIOT Act of 2001, drafted by the Department of Treasury, the Financial Crimes Enforcement Network (FinCEN), the Federal Reserve Board (the Fed), the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), and the National Credit Union Administration (NCUA) (collectively "the agencies"). I am the Director of Compliance at Juniper Bank, a Delaware state bank that issues credit cards nationwide, both under the Juniper name and in conjunction with various marketing partners.

I believe that the proposed regulation goes a long way in balancing the conflicting requirements of collecting enough data sufficient to identify a customer with the avoidance of unduly burdening the financial institutions that must collect and examine the information. I am very pleased that the proposed regulation, when outlining minimum identity verification procedures, takes into consideration transactions where a customer is not physically present, and does not require production of government issued documents, such as a driver's license, for opening an account on the phone, the Internet, or through the mail. The recognition that there are other high tech ways to verify identities, and that collecting government issued documents through these channels would be highly burdensome and ineffective in reducing fraud or identity theft is very helpful.
However, I believe that, when listing the information required to open an account in section 103.121(b)(2)(i), a further distinction between whether the bank initiates an application for an account, or whether the consumer initiates an application is needed in the final regulation; and that the failure to do so could seriously undermine banks' ability to conduct Bank Initiated applications while at the same time not materially reducing fraud or identity theft.

Consumer Initiated applications occur when a potential customer visits a branch, mails in a take-one application, randomly visits the bank's website, or calls a customer service center. These types of applications present the highest risk of fraud, identity theft, or other abuse because the bank has no prior knowledge about the individual. At Juniper, incidences of attempted fraud as a percentage of total applications are more than seven times higher among Consumer Initiated applications than among Bank Initiated applications. A prudent banker collects and verifies as much information as possible (including the items required by 103.121(b)(2)(i)) before opening an account for a Consumer Initiated application. We therefore support the requirements insofar as they apply to Consumer Initiated applications.

Bank Initiated applications have a materially different risk profile and the regulations should reflect the difference. They occur when a bank has purchased a list of eligible consumers from a credit bureau or other entity. The application occurs when the bank contacts a particular consumer on the list, at the consumer's residence, through the phone, or the mail. Because the bank has certain consumer information before the application process begins, the bank is able to verify a consumer's address and phone number with the first contact. This verification process minimizes the risk of a fraudulent application, ensuring the individual is who he or she says he or she is.
Furthermore, since the bank initiates the contact, the consumer's ability to engage in fraud is seriously limited because the information provided by the consumer is reactive; the consumer is not provided the opportunity to plan beforehand.

Some of the other information the proposed regulation requires banks to gather simply is not practical to obtain in connection with Bank Initiated applications; especially those initiated over the telephone, and would not materially reduce fraud or identity theft. It is our experience that consumers who are approached by an unfamiliar bank may be hesitant to give social security numbers or date of birth over the phone. Further, law enforcement and consumer groups encourage people not to give this information over the phone; therefore, consumers are able to differentiate between legitimate Bank Initiated applications and scam artists based on the facts that a bank could use alternate methodology in verifying the applicant's identity. The proposed regulation eliminates that distinction.

Often banks will take an application without this data, using address and phone number to verify the account, and determine the social security number or date of birth at a later time through other means such as obtaining the information through multiple credit reporting agencies, or verifying the information with the activation of a credit card or other access device. If banks were required by regulation to collect a fixed set of data at a fixed point in time, as in the current proposal, it would seriously limit Bank Initiated applications, and restrict access to credit and other banking products for cautious consumers who are trying to protect their personal information.
Given that Congress did not mandate collection of social security numbers or date of birth in the USA PATRIOT Act, the agencies should extend greater latitude to banks to determine proper risk based identification procedures for these low risk Bank Initiated applications, rather than restrict banks to a strict required list of data.

Second, I respectfully request the agencies clarify whether Authorized Users or Powers of Attorney are included as "customers" as defined by the regulation. Authorized Users and Powers of Attorney are individuals who the owner of the account identifies and lists as eligible to use the account. Authorized Users and Powers of Attorney are not liable for the account, and are often limited by the owner or the bank in the ways they can use the account. Given that the Authorized User or Power of Attorney is designated by the owner of the account who has already been identified, that the Authorized User's or Power of Attorney's contact with the bank is minimal, and that the Authorized User or Power of Attorney is limited in how he or she can manipulate the account, a lesser degree of scrutiny in identifying these individuals is warranted and practical. The new regulation should either exempt these individuals from the definition of "customer", or at least extend greater latitude to banks for identifying Authorized Users and Powers of Attorney based on risk, rather than a rigid set of data collection and verification requirements.

Third, the agencies should clarify the definition of a "face-to-face transaction" as discussed in paragraph (b)(2)(B). For example, if a customer, during an airplane flight, completes an airline credit card application and hands it to an airline employee such as a flight attendant, who mails the application to the bank, has a face-to-face transaction requiring examination and copying of government issued documents occurred?
If a credit card bank hires college students to hand out and collect credit card applications at a college football game, will the students, who are merely collecting the applications and mailing them to the bank, need to make copies of driver's licenses? These scenarios where the individual taking an application is not a regular, permanent bank employee, is not working on a bank's premises, and is acting in a capacity that is little more than a courier between the customer and the bank who will process the application, are for all intents and purposes a mail transaction and not a face-to-face transaction, and verification should occur through non-documentary methods.

Lastly, the agencies should consider extending the implementation period for this new regulation. The comment period runs until September 6. Issuing a Final Rule, and implementing the systems changes and training needed to comply with the regulation by October 25 is a very aggressive schedule.

Thank you for your consideration. I hope the above comments prove to be helpful to you.

Sincerely,

Scot S. Štetka
Last Updated 09/05/2002 | regs@fdic.gov |