Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations |
|||
FDIC Federal Register Citations |
September 5, 2002 Federal Deposit Insurance Corporation Re: Proposed Rule on Customer Identification Program I am the Compliance Officer of a $1.3 Billion Bank State non-member Bank with 14 branch offices plus a Headquarters office and a processing center located in the Southern California area. We have over 31,000 account relationships with approximately 17,000 consumer relationships and approximately 14,000 business relationships. Many of the accounts have more than one person on the account. Of this total, we have less than 60 customers who are not U.S. Persons as currently defined by the Internal Revenue Service. At Community Bank, we support the fight against money laundering and terrorism, and understand the importance of securing our financial system against infiltration and abuse by those seeking to undermine our way of life and destroy our country. In accomplishing this goal, it is important that we do not also endanger the very commerce and trust that are the economic lifeblood of this country. On consumer accounts, our current identification requirements consist of requiring a government issued photo ID along with a limited list of acceptable secondary identification for all signers on the account. We record the information from the ID, but do not retain a copy. On business or entity accounts, our documentation requirements relative to identification consist of requiring a copy of the appropriate formation documentation from the county or state or using various legal searches to verify the validity of the business entity. We keep a copy of these documents on file. We also obtain personal identification form all signers on entity accounts, but we do not retain a copy of the personal ID. We offer the following comments and suggestions on ways to implement the intent
of the USA PATRIOT Act and still safeguard our financial system without creating an overly
burdensome system that could suffocate legitimate business and create more barriers to
economic recovery. While the rules under 103.121 (b) (2) indicate we are to obtain the information before opening or adding a signatory to an account, by including the phrase "seeking to open" the issue becomes clouded as to when a bank will be required to retain the items required under 103.121 (b) (3). Section 103.121 (b) (2) (ii) Verification This is an area that is crucial for business lending, as it is not uncommon for an established business customer to obtain several new credit products in a year. To require the extensive copying of personal Photo ID documents would create a serious and unnecessary bottleneck in the servicing of existing known customers. Section 103.121 (3) Recordkeeping This presents a huge logistical and security challenge in terms of storage capacity, retrieval ability, and the Information Security requirements already imposed by Gramm-Leach-Bliley under §12 C.F.R. Part 225, Appendix F. Some banks have systems that can retain an imaged copy of this information under an easily indexed and retrievable system, but banks that do not have this technology or system will be placed in a tremendous competitive disadvantage. Typically, this would affect a smaller institution that would see an increase in storage and security costs in order to catalogue and safeguard these copies. One can only imagine how a financial institution would be an even more tempting target for perpetrators of identity theft. The requirements under subsections (B), (C) and (D) should only be required when a bank has the technological capacity to electronically store such documentation. In other words, only banks that have a fully functioning imaging system would be required to retain these copies. Many banks are working towards imaging for competitive, efficiency and other reasons, so at the documentation retention would be part of the scope of such a project within a bank. In addition, some states have laws that forbid the copying of state issued I.D. documents. Many state-issued documents have anti-forgery enhancements that render a photocopy nearly unintelligible. We are not sure what good it will do to have copies of unreadable documents, as it would seem to contribute nothing in the effort to combat money laundering and terrorism. Finally, the issue of merely having a copy of a Photo I.D. for a loan customer has long been a standard violation citation in Fair Lending and Regulation B examinations. The new requirement under section 103.121 (b) (3) would seem to place banks in conflict with this longstanding examination practice. If the final rule does not exempt banks that do have imaging capability, then there needs to be a safe harbor the storage of paper based copies with respect to the aforementioned examination issues. Section 103.121 (b) (4) Comparison with government lists Current written instructions from the FBI state that the list must be kept
under tight control. However, if we are to proactively check all new customers against the
list, we will need to make the list more widely available to our staff. Otherwise, we will
be faced with two alternatives: In addition, it remains unclear if the requirement to check lists will include any other lists issued by the FBI or government agency. The final rule must contain clear guidelines for a standard procedure to communicate and distribute any new lists to financial institutions. The concern is that a government agency can compile a list but not effectively communicate the existence of the list to all financial institutions. The initial distribution of the FBI Control List to the most senior official in each institution may have been well intended, but was ultimately misguided. The Control List should have been directed to the Bank Secrecy Act (BSA) Officer since every financial institution is required to have a person so designated. The BSA Officer is the person most likely to know how to properly disseminate such information in an effective and efficient manner. There remains a huge logistical issue with respect to the Control List, and potentially with any future lists. Such lists need to be compiled and communicated in a UNIFORM FORMAT that could be incorporated into software filtering systems. Manually checking a list against all new accounts is incongruous with technology and the automated speed at which most financial transactions are processed. It is my understanding that the FBI will not release the Control List to software vendors that already supply solutions for OFAC verification. There is, I suppose, a concern that the security of the list could be compromised. However, it should be pointed out that the Control List has been communicated to financial institutions via an Excel spreadsheet attached to an e-mail. The list was not encrypted or secured in any manner. Communication of the list via a secure data transmission from a verified vendor would be infinitely more secure than an unprotected Excel document. I suggest that the FBI and any other government agency establish a certification program with the existing software solution vendors. The vendors could have their own "Customer Identification Program" to verify those customers that should have access to the list. These customers (i.e. financial institutions that must check new accounts against government lists) could then be issued a subscription number and password to access updated list information via a Secure Server. The current methodology of communicating lists other than OFAC are anachronistic and
would not only hamper a bank's efforts to comply, but could jeopardize the very security
and effectiveness of the list. While not wishing to be repetitive, I cannot stress how
important it will be to have: Section 103.121 (b) (4) Customer Notice A number of regulations require banks to post public notices on their premises. Generally, these requirements are very specific and compliance can be objectively evaluated. While the proposal's flexibility is intended to benefit banks, its lack of objective standard introduces the probability that individual examiners could impose their personal opinions as to the adequacy of the notice. No purpose is served by leaving the specific wording of the notice to individual institutions, but it should be permissible for them to add additional information to any model language provided. At a minimum, the language should convey that the requirement to obtain, verify, and copy identification documents is required by federal law and cannot be waived by the institution. Adequate delivery of the notice is problematic especially for banks that engage in transactions with large commercial customers. There will be customer resistance to the identification requirements. The area most likely to cause a great deal of negative reaction will be the requirement to copy personal Photo I.D. documents. While banks have a duty to safeguard customer information, most customers will have an immediate concern about the possibility of those documents being used for Identify Theft. Again, it is important for people to know the requirement will be mandated by federal law. Other issues: The clear language of the USA PATRIOT Act indicates these regulations are to be effective by October 25, 2002. However, this proposal was not published until July 23 and the comment period does not end until September 6. Even if the agencies spend very little time reviewing and discussing the comments received, the best case scenario is that the final regulations will be issued The conclusion reached in the proposal is that the new requirements have a minimal
effect on small institutions. We are not certain who reached this conclusion or how they
obtained their information. The regulations will greatly increase the amount of
identification documentation we must obtain. At a minimum, it t will be necessary for us
to complete the following in order to fully comply with Section 326: B. Coverage of other non-bank businesses We would ask that required compliance for banks and non-banks alike be set at the same time so that no industry will have an unfair advantage over another. Keeping our financial system safe from terrorists and money launderers should be an effort shared by all. To require one industry to maintain this effort, and allow another industry to profit from non-compliance would seem to undermine not only the effectiveness of this important struggle, but could also undermine the very safety of the financial system itself. Sincerely, |
Last Updated 09/09/2002 | regs@fdic.gov |