Skip Header

Federal Deposit
Insurance Corporation

Each depositor insured to at least $250,000 per insured bank



Home > Regulation & Examinations > Laws & Regulations > FDIC Federal Register Citations




FDIC Federal Register Citations

September 5, 2002

Federal Deposit Insurance Corporation
Executive Secretary, Attention: Comments/OES
550 17TH Street, N.W.
Washington, DC 20249

Re: Proposed Rule on Customer Identification Program
USA PATRIOT Act - Section 26 Bank Rule Comments

Dear Sirs/Mesdames:

I am the Compliance Officer of a $1.3 Billion Bank State non-member Bank with 14 branch offices plus a Headquarters office and a processing center located in the Southern California area. We have over 31,000 account relationships with approximately 17,000 consumer relationships and approximately 14,000 business relationships. Many of the accounts have more than one person on the account. Of this total, we have less than 60 customers who are not U.S. Persons as currently defined by the Internal Revenue Service.

At Community Bank, we support the fight against money laundering and terrorism, and understand the importance of securing our financial system against infiltration and abuse by those seeking to undermine our way of life and destroy our country. In accomplishing this goal, it is important that we do not also endanger the very commerce and trust that are the economic lifeblood of this country.

On consumer accounts, our current identification requirements consist of requiring a government issued photo ID along with a limited list of acceptable secondary identification for all signers on the account. We record the information from the ID, but do not retain a copy. On business or entity accounts, our documentation requirements relative to identification consist of requiring a copy of the appropriate formation documentation from the county or state or using various legal searches to verify the validity of the business entity. We keep a copy of these documents on file. We also obtain personal identification form all signers on entity accounts, but we do not retain a copy of the personal ID.

We offer the following comments and suggestions on ways to implement the intent of the USA PATRIOT Act and still safeguard our financial system without creating an overly burdensome system that could suffocate legitimate business and create more barriers to economic recovery.

Section 103.121 (a) (3) Definition of "Customer".
The proposal states a customer is any person (including business entities) that are "seeking to open" an account. We request that this definition be narrowed to state that a customer is "one who successfully opens an account."

Since the term "account" includes loans as well as deposits, please be aware that we have many "Applicants" who do not successfully open accounts. They may be seeking to open an account, but the request is declined for any number of lawful reasons. To require such an extensive inventory of identification documents for a person or entity that will not be an ongoing customer of the Bank is burdensome. In addition, we may have difficulty with an individual if we seek to retain a copy of their Photo I.D. when we are declining to open the account.

While the rules under 103.121 (b) (2) indicate we are to obtain the information before opening or adding a signatory to an account, by including the phrase "seeking to open" the issue becomes clouded as to when a bank will be required to retain the items required under 103.121 (b) (3).

Section 103.121 (b) (2) (ii) Verification
The proposal states "a bank need not verify the information about an existing customer seeking to open a new account….if the bank previously verified the customer's identity in accordance with procedures consistent with this section…." What remains unclear is if the Recordkeeping requirements under 103.121 (b) (3) would apply to an existing customer. We ask it be clarified that if the bank has previously verified identification as outlined in 103.121 (b) (2) and has a reasonable belief that it knows the true identify of the customer, then the recordkeeping requirements of 103.121 (b)(3) would not apply.

This is an area that is crucial for business lending, as it is not uncommon for an established business customer to obtain several new credit products in a year. To require the extensive copying of personal Photo ID documents would create a serious and unnecessary bottleneck in the servicing of existing known customers.

Section 103.121 (3) Recordkeeping
Subsection (i)(A) is already standard industry practice as banks routinely have recorded the information provided by a customer such as the number on a passport or Driver's License.
However, subsections (i)(B), (i)(C) and (i)(D) are troubling given the requirement under subsection (ii) to retain this information for 5 years after the date the account is closed.

This presents a huge logistical and security challenge in terms of storage capacity, retrieval ability, and the Information Security requirements already imposed by Gramm-Leach-Bliley under §12 C.F.R. Part 225, Appendix F. Some banks have systems that can retain an imaged copy of this information under an easily indexed and retrievable system, but banks that do not have this technology or system will be placed in a tremendous competitive disadvantage. Typically, this would affect a smaller institution that would see an increase in storage and security costs in order to catalogue and safeguard these copies. One can only imagine how a financial institution would be an even more tempting target for perpetrators of identity theft.

The requirements under subsections (B), (C) and (D) should only be required when a bank has the technological capacity to electronically store such documentation. In other words, only banks that have a fully functioning imaging system would be required to retain these copies. Many banks are working towards imaging for competitive, efficiency and other reasons, so at the documentation retention would be part of the scope of such a project within a bank.

In addition, some states have laws that forbid the copying of state issued I.D. documents. Many state-issued documents have anti-forgery enhancements that render a photocopy nearly unintelligible. We are not sure what good it will do to have copies of unreadable documents, as it would seem to contribute nothing in the effort to combat money laundering and terrorism.

Finally, the issue of merely having a copy of a Photo I.D. for a loan customer has long been a standard violation citation in Fair Lending and Regulation B examinations. The new requirement under section 103.121 (b) (3) would seem to place banks in conflict with this longstanding examination practice. If the final rule does not exempt banks that do have imaging capability, then there needs to be a safe harbor the storage of paper based copies with respect to the aforementioned examination issues.

Section 103.121 (b) (4) Comparison with government lists
The proposal requires that all new accounts be checked against government lists of terrorists and suspected terrorists. This section needs to be clarified as to which lists are being referenced in this section. We have a procedure to check our accounts against the OFAC (Office of Foreign Assets Control) list at the time the account is requested, and again if there is a change to the OFAC list. However, if this section also refers to the FBI "Control List", then additional guidelines must be issued with respect tot he proper handling of this control list within an institution.

Current written instructions from the FBI state that the list must be kept under tight control. However, if we are to proactively check all new customers against the list, we will need to make the list more widely available to our staff. Otherwise, we will be faced with two alternatives:
1. Utilize one full-time employee just to handle the searching of the list for every new deposit or loan account that will be opened. OR
2. Halt all new transactions until such time as one person can search all requests at the end of the business day.

In addition, it remains unclear if the requirement to check lists will include any other lists issued by the FBI or government agency. The final rule must contain clear guidelines for a standard procedure to communicate and distribute any new lists to financial institutions. The concern is that a government agency can compile a list but not effectively communicate the existence of the list to all financial institutions. The initial distribution of the FBI Control List to the most senior official in each institution may have been well intended, but was ultimately misguided. The Control List should have been directed to the Bank Secrecy Act (BSA) Officer since every financial institution is required to have a person so designated. The BSA Officer is the person most likely to know how to properly disseminate such information in an effective and efficient manner.

There remains a huge logistical issue with respect to the Control List, and potentially with any future lists. Such lists need to be compiled and communicated in a UNIFORM FORMAT that could be incorporated into software filtering systems. Manually checking a list against all new accounts is incongruous with technology and the automated speed at which most financial transactions are processed.

It is my understanding that the FBI will not release the Control List to software vendors that already supply solutions for OFAC verification. There is, I suppose, a concern that the security of the list could be compromised. However, it should be pointed out that the Control List has been communicated to financial institutions via an Excel spreadsheet attached to an e-mail. The list was not encrypted or secured in any manner. Communication of the list via a secure data transmission from a verified vendor would be infinitely more secure than an unprotected Excel document.

I suggest that the FBI and any other government agency establish a certification program with the existing software solution vendors. The vendors could have their own "Customer Identification Program" to verify those customers that should have access to the list. These customers (i.e. financial institutions that must check new accounts against government lists) could then be issued a subscription number and password to access updated list information via a Secure Server.

The current methodology of communicating lists other than OFAC are anachronistic and would not only hamper a bank's efforts to comply, but could jeopardize the very security and effectiveness of the list. While not wishing to be repetitive, I cannot stress how important it will be to have:
1. A standard procedure for communicating the existence of new lists or updates to existing lists.
2. Uniform format of information on the lists in order to facilitate the use in automatic software screening programs.
3. The distribution of the list to verified and/or certified vendors to allow efficient transmission of the list via a secure channel.

Section 103.121 (b) (4) Customer Notice
The proposal states that a financial institution must include procedures for providing bank customers with adequate notice. The final rule should establish specific, objective criteria for the content and timing of the required notice to customers, including model language deemed to be in compliance with the regulation.

A number of regulations require banks to post public notices on their premises. Generally, these requirements are very specific and compliance can be objectively evaluated. While the proposal's flexibility is intended to benefit banks, its lack of objective standard introduces the probability that individual examiners could impose their personal opinions as to the adequacy of the notice.

No purpose is served by leaving the specific wording of the notice to individual institutions, but it should be permissible for them to add additional information to any model language provided. At a minimum, the language should convey that the requirement to obtain, verify, and copy identification documents is required by federal law and cannot be waived by the institution.

Adequate delivery of the notice is problematic especially for banks that engage in transactions with large commercial customers. There will be customer resistance to the identification requirements. The area most likely to cause a great deal of negative reaction will be the requirement to copy personal Photo I.D. documents. While banks have a duty to safeguard customer information, most customers will have an immediate concern about the possibility of those documents being used for Identify Theft. Again, it is important for people to know the requirement will be mandated by federal law.

Other issues:
A. Mandatory compliance date
Immediately after this comment period ends, I strongly suggest that compliance with the final regulations not be mandatory until at least 90 days after their publication in the Federal Register.

The clear language of the USA PATRIOT Act indicates these regulations are to be effective by October 25, 2002. However, this proposal was not published until July 23 and the comment period does not end until September 6. Even if the agencies spend very little time reviewing and discussing the comments received, the best case scenario is that the final regulations will be issued

The conclusion reached in the proposal is that the new requirements have a minimal effect on small institutions. We are not certain who reached this conclusion or how they obtained their information. The regulations will greatly increase the amount of identification documentation we must obtain. At a minimum, it t will be necessary for us to complete the following in order to fully comply with Section 326:
1. Write additional procedures on top of our existing Customer Identification program.
2. Determine how the copies of identity documentation can be stored in a manner that will meet the requirement of Section 326 AND the Gramm-Leach-Bliley Act, AND still be available to all of our offices.
3. We will need to draft amendments to our existing BSA policy for the board to approve at a regularly scheduled meeting.
4. Develop the mandatory disclosures for customers and determine the most effective means to deliver the disclosure.
5. We will need to develop additional training materials and make sure all affected staff members receive sufficient training with respect to any additional procedures and disclosures.
We cannot complete any of those tasks until we see the final regulation. We will need advance knowledge of the compliance date so we can calculate all of the project plan steps necessary to effectively and efficiently implement such a program.

B. Coverage of other non-bank businesses
The analysis of the proposed rules states "We note that securities broker-dealers, futures commission merchants, insurance companies, and investment companies will be subject to forthcoming rules implementing section 326, whether or not they are affiliated with a bank." As alluded to earlier in this comment letter, some of the proposed rules would create competitive disadvantages to some banks. I would like to point out that there are many businesses that now complete head-to-head with banks for customers. It would seem this identification program would not bind these same businesses until some time in the future. However, during the period of time that banks would be required to comply with these rules, these non-bank businesses will be at a tremendous competitive advantage in soliciting customers that would be upset with bank documentation requirements.

We would ask that required compliance for banks and non-banks alike be set at the same time so that no industry will have an unfair advantage over another. Keeping our financial system safe from terrorists and money launderers should be an effort shared by all. To require one industry to maintain this effort, and allow another industry to profit from non-compliance would seem to undermine not only the effectiveness of this important struggle, but could also undermine the very safety of the financial system itself.

Sincerely,
Bonnie Mizrahi
Vice President, Compliance Officer
COMMUNITY BANK
100 E. Corson St.
Pasadena, CA 91103
(626) 568-2006

 

Last Updated 09/09/2002 regs@fdic.gov

Skip Footer back to content