Executive Secretary Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, N. W.
Washington, DC 20429
Re: Proposed Customer Identification Programs for Banks, Savings Associations, and Credit
Unions under Section 326 of the U.S.A. Patriot Act
I am writing to you on behalf of the Eastern Massachusetts Compliance Network, an
association of 88 community bank compliance professionals, including compliance officers,
attorneys and compliance auditors. We appreciate the opportunity to comment on the
proposed regulation implementing Section 326 of the U.S.A. Patriot Act.
In general, we are pleased that the proposal allows for some flexibility in establishing a
Customer Identification Program, as the customer base and the process of identifying
customers will vary from bank to bank based on each bank's geographic location, size and
the nature of its business.
In analyzing the proposal, however, we have several concerns that we believe may cause
difficulty in the implementation and subsequently, in regulatory examinations. We are
seeking additional guidance and we offer suggestions for modifications in the final rule.
The proposal provides for alternative I.D. verification methods for customers who are not
"U.S. persons". The definition of a "U.S. person" at Sec.
103.121(a)(6) of the proposed regulation is a "U.S. citizen". This definition
differs from the definition of a "U.S. person" that appears on IRS Form W-9,
which is signed by the customer at account opening to certify the customer's tax
identification number. The W-9 Form requires such certification of "U.S. citizens
(including resident aliens)." Both definitions must be unO--tocl. by account
opening personnel. We suggest that these definitions be made consistent to avoid the
inevitable confusion the disparity will present at account opening.
Under Section 103.121(b)(2) of the proposed regulation, a "...bank need not verify
the identifying information of an existing customer seeking to open a new account, or who
becomes a signatory on an account, if the bank (1) previously verified the customer's
identity in accordance with procedures consistent with this regulation..." Because
previously, banks have not been required to maintain copies of identifying documents or
records of alternate means of verifying I.D., compliance with this portion of the
regulation would require banks to re-verify the I.D. on existing customers who seek to
open new accounts, and who, in many cases have been doing business with the bank for many
years. We suggest that the verification provision not be applicable to existing customers.
Alternatively, we suggest that for existing customers, banks be permitted to rely on
notations on the account opening documents that evidence compliance with the bank's
standard identification procedures.
We anticipate that verifying the identity of all signatories to an account will present
practical obstacles as well as customer service complaints. Large companies often
authorize numerous individuals as account signers, and those signers change from time to
time. We suggest that the verification requirement as to mere "signers" be
struck, or, alternatively, that banks be allowed to place the burden for verifying the
identity of business and government entity account signers on those customers through
their deposit agreements.
The proposal allows a bank to open an account for a person other than an individual that
has applied for, but not yet received, an employer identification number, as long as the
bank obtains a copy of the application from the customer and obtains the EIN within a
reasonable time. Our experience has been that many new businesses, trusts and estate
fiduciaries obtain EINs not by filing a paper application, but rather, by calling the IRS'
Tele-TIN line. In that case, the IRS will provide the caller with a confirmatory letter
within 30 days, but the customer will not have a copy of an application to provide to the
bank. We suggest that banks be permitted to continue to accept the statement of customers
other than individuals that they have applied for an EIN, as long as the bank has a system
in place to monitor such accounts to ensure the receipt of the EIN within a reasonable
Identity Verification: Non-U.S. Persons
For non-U. S. persons, Sec 103.121(b)(2)(i) of the proposal requires the bank to obtain
one or more of the following: taxpayer identification number, passport number and country
of issuance, alien ident'Ication card number, or another government-issued document. But,
according to Sec. 103.121(b)(2)(ii)(B), "if the bank is not familiar with the
documents presented," it can use non-documentary verification methods. Banks have
been given little guidance on valid foreign identity documents and valid INS-issued and
State Department-issued documents, and many, are therefore unfamiliar with the documents
that may be presented. Consequently, the bank would need to rely on non-documentary
methods for identifying non-citizens. However, aliens (particularly those without tax
identification numbers) generally have little or no credit history or third party source
history, making such non-documentary verification methods impractical. We would welcome
the assistance of Treasury in providing banks with the resources to better recognize and
understand the government-issued documentation a legal alien should be able to present at
We are pleased that the proposal recognizes that accounts may not always be opened
face-to-face with the applicant, and that it provides for identity verification through
non-documentary methods. Several examples of non-documentary methods are provided in the
proposal. However, we would appreciate more guidance. For example, if references from
other financial institutions may be used, would the bank's own prior experience with the
customer also be considered appropriate? As to a minor, would a verbal confirmation of
identity by a parent or guardian suffice? These methods would be consistent with a
fundamental principle of the proposed regulation - that the institution be able to form a
reasonable belief that it knows the true identity of a customer.
Under Sec. 103.121(b)(2), each bank must have procedures for verifying the identity of a
"customer." A "customer" is defined as anyone seeking to open a new
account, including any signatory, not only those who actually do actually open a new
account. The recordkeeping requirement at Sec. 102.121(b)(3) requires that records of the
documents or method of identity verification be retained for "five years after the
date the account is closed." This requirement presents several problems.
Most notably, the new recordkeeping requirement is extremely burdensome and presents
additional risk to the bank that customers' privacy rights may be breached. As discussed
previously, most banks now notate their method of identification on the signature card or
other account opening documents. Only rarely is a photocopy made of the actual identity
document. The proposed rule will place an enormous strain on already overburdened records
management programs. Further, the same customers we are educating to avoid identity theft
by controlling access to their account numbers, codes and identification documents are
likely to voice concerns that their identity may be unnecessarily exposed to
misappropriation as a result of the bank's new procedure.
A concern arises from the language of the recordkeeping provision. Whereas the bank is
required to record the identification of each customer, the destruction date for the
records of that identification is based on the closing of the account. The most practical
method of compliance would have the bank retain the identification copies along with the
account signature card. However, unless each customer is re-identified each time he or she
opens a new account, the bank may be in violation of the regulation when it destroys the
records once the initial account has been closed for more than five years. If physical
records of identification must be retained, we suggest that the requirement be applicable
only as to the initial account opened by each customer, and that banks be permitted to
simply reference the initial verification on subsequent account opening documents.
Finally, the recordkeeping provision is unclear as to its timing. Records of customer
identification must be retained "for five years after the date the account is
closed." In lending parlance, a loan "closes" at the time the applicant
signs the promissory note and supporting documentation and becomes a "borrower"
on the books of the bank. Does the recordkeeping time clock begin to run for borrowers at
the time the loan "closes" or at the time it is paid off? This provision seems
to provide timing only as to deposit accounts and should be clarified as to other types of
We find the recordkeeping requirement as to applicants who do not become customers of the
bank to be unnecessarily burdensome. But if it is retained in the final rule, we would
appreciate clarification as to how it should be applied for an applicant who does not
become a borrower, a depositor, a securities or insurance customer when their application
is rejected or withdrawn. In that case, should the five year recordkeeping time clock
begin to run at the time of application or at the time the bank rejects, or the applicant
withdraws the application?
Comparison With Government Lists
The proposed rule, under Sec. 103.121(b)(4), requires "procedures for determining
whether the customer appears on any list of known or suspected terrorists or terrorist
organizations ... by any bank agency." The proposed rule does not specify what lists
the bank must consult, although we assume this includes the lists maintained by Treasury's
Office of Foreign Assets Control (OFAC). We ask that the regulation specify the lists that
must be consulted and make them readily available to banks and their third party
We presume that the requirement includes a screening against the FBI "Control
List". Because this particular list is highly confidential, some bank service bureaus
and other third party sources that provide screening for banks against the OFAC SDN List
have reported that they have been unable to gain access to the Control List. Screening
each new applicant to the bank against the Control List becomes unmanageable when only one
person in each institution has been given access to the List, and the bank is unable to
rely on its service bureau. We suggest that the Treasury Department and the bank
regulatory agencies encourage the F.B.I. to authorize disbursement of the Control List to
the to the major service
providers that perform OFAC screening for banks.
Banks must provide notice to their customers that the bank is requesting information to
verify their identity. We would appreciate model language for a lobby posting. More
important, we would appreciate the assistance of Treasury and the agencies in publicizing
the new requirements so that we may avoid customer resistance and possibly, a resulting
loss of business.
The final regulation is to be effective by October 25, 2002. We recognize the legislative
mandate for implementation of the regulation. But we are concerned that we will be unable
to comply fully in the short period of time available between the issuance of the final
rule and the effective date. The retention ofadditional documents will require banks to
develop new records management processes. The development of a comprehensive CIP, and its
presentation and approval by the bank's board, will require sufficient time to accomplish.
We ask that the effective date of the regulation be deferred, or, at minimum, that
compliance with the sections pertaining to recordkeeping and a board-approved CIP be
delayed at least 180 days.
Member and Past Chairperson,
Eastern Massachusetts Compliance Network
Senior Vice President,
Salem Five Cents Savings Bank
cc: Massachusetts Bankers Association
John J. Byrne, Senior Counsel, American Bankers Association