Federal Deposit
Insurance Corporation

Re: Joint proposed rulemaking, Customer Identification Programs for Banks, Savings Associations, and Credit Unions

Dear Madams and Sirs:

Iowa Bankers Association ("IBA") is a trade association representing nearly 95% of banks and savings and loan associations in the State of Iowa. We appreciate this opportunity to comment on the joint proposed rulemaking for Customer Identification Programs implementing section 326 of the USA PATRIOT Act. In developing our comments contained herein, IBA invited its Compliance Committee to respond to questions posed in the proposed rulemaking. The Compliance Committee is comprised of 20 bankers from around the state, representing institutions of various asset sizes, product mixes and community demographics.

You ask for comment as to whether the proposed definition of "account" is appropriate. The current proposal defines "account" based on its statutory definition used in section 311 of the Act, "a formal banking or business relationship established to provide regular services, dealings or other financial transactions; and includes a demand deposit, savings deposit or other transaction or asset account and a credit account or other extension of credit." This definition of "account" is broad enough to include such transactions provided by "money services businesses" as defined at 31 CFR 103.11(uu), as these businesses provide regular services, dealings or other financial transactions to a large segment of the population. In addition, by excluding money services businesses from coverage under this proposal, the intent of the law, "to facilitate the prevention, detection, and prosecution of international money laundering and the financing of terrorism," is obscured, as the potential result may be to provide money launderers and terrorist financers an alternate facility through which they can continue their activities. We encourage the agencies to include money services businesses in the coverage requirements of this proposal.

While the proposed definition of "account" is not intended to cover infrequent transactions, such as the occasional purchase of money orders, wire transfers or other services and transactions, it is not clear whether a "business relationship" is established if the same person repeatedly uses those otherwise "occasional" services. Also, included in the definition of "account" is the term "asset account" which is not defined. We request more guidance and clarification of the definition of "asset account" and a determination whether specific services, dealing and transactions, if repeatedly used by the same person, are included in the definition of "account."

We object to the current definition of "customer" as set out at section 103.121(a)(3). Currently, the definition provides that any person "seeking to open an account" or to be added as a "signor" will be considered a "customer." This definition goes beyond the scope of the Act at section 326(a), where identification and verification is required only for "any person seeking to open an account." "Person" is later defined in the proposed regulation to include "individuals, corporations, partnerships, trusts, estates, joints stock companies, associations syndicates, joint ventures, other unincorporated organizations or groups, certain Indian Tribes, and all entities cognizable as legal personalities." The Act does not provide that identification and verification be obtained for those persons who will have signatory authority (a "signor") on an account. In many cases, for commercial, organizational or other non-individual accounts, there may be hundreds of signors authorized to transact business on these accounts, and these signatories change frequently due to election of new officers or changes in staff. If a financial institution conducts appropriate due-diligence to ensure that the entity seeking to open the account is "cognizable" as a legal entity, then it should be allowed to rely on the entity to conduct its own due-diligence in its hiring practices to adequately identify its employees whom it has entrusted to engage in financial transactions on its behalf. To impose a requirement to obtain verifiable identification from all signors on non-individual accounts would create an enormous compliance burden, extensive and unnecessary monitoring and record retention for financial institutions and negative publicity in the community. In addition, this requirement would impose an enormous burden on business account holders, to ensure all signors provided financial institutions with appropriate identifying documents. We oppose the requirement to obtain and verify identification for signors on non-individual accounts.

Section 103.121 requires verification of identification through documents or non-documentary methods. Nearly all of the bankers who provided input to us relating to this proposal commented they have established procedures in place (though usually not in formalized written programs) to obtain government-issued photo identification (such as a state driver's license, state identification card, state or federal employee identification cards or U.S. passports) as part of the account opening procedures. Frequently, banks use credit-reporting agencies to validate information provided during the account opening process, and annotate in the account opening documents the results of the credit inquiries. While they review the identification provided and record the information as part of account opening procedures, they do not retain photocopies of such identification. Requiring financial institutions to maintain copies of identification and the verification of such identification also creates substantial additional costs for institutions relative to storing those copies, whether retained in paper format or imaged, scanned or other electronic storage. Currently, the Office of the Comptroller of the Currency (OCC) suggests an "acceptable secondary form" of identification in its handbook for examination of BSA and anti-money laundering practices. One suggested "acceptable secondary form" is a major credit card. To require photocopies of this secondary form of identification, specifically the major credit card, would be a violation of State law, as Iowa Code section 537.8101 prohibits, as a means of identification, the recording of a credit card number or expiration date, or both. Only information concerning the type of credit card and the issuer may be recorded.

In addition, most banks require evidence of legal status for non-individual entities, such as copies of corporate resolutions, company authorizations or certificates of existence as issued by the Secretary of State. Most banks retain "legal files" for non-individual entities that maintain accounts with the bank, and periodically update these records and corresponding signature cards as officers or authorized signors for the entity change. Many banks conduct follow-up activities to the account opening procedures, including but not limited to, site visits for business entities, "welcome" letters and/or phone calls, and verification of addresses through city directories. To require financial institutions to photocopy the identification provided and to maintain records of the methods used to verify the information provided (other than the current practice of annotating such verification in the account documents or central information files) would create enormous additional time and expense. One bank, a $51 million nationally chartered institution, estimates an additional 10-15 minutes per new account to expand the verification and record keeping requirements beyond current practice. This particular institution opens approximately 55 new accounts each month, and estimates the additional documentation, verification and record keeping requirements would entail as many as 165 hours annually. If you consider all 435 banks and savings associations in the State of Iowa, this verification and record keeping requirement may, on the low side, account for as many as nearly 72,000 additional hours of record keeping burden. While we support the objective of the Act to verify the identity of persons opening accounts with financial institutions, we oppose any requirement to photocopy and retain such photocopies of the identification and/or the verification of identifying information. We believe it "reasonable and practical" to document by way of annotation to the customer's file the identification reviewed and the methods used to verify such identification; we believe it is unreasonable to require photocopies of the identification and verification methods employed during the account opening process.

In addition, we oppose the requirement to obtain and verify identification for existing customers when new accounts for those customers are established. Understanding that existing industry practice is to have obtained some form of identification when these persons became "customers" of the bank, and understanding the financial institution's responsibility to monitor such accounts and customers for suspicious transactions, it is unreasonable to require further identification or documentation requirements for existing customers known to the financial institution. In addition, the financial institutions' requests for such information will be met with great resistance from existing customers, and suspicions as to the financial institutions' purpose for and use of the information.

The proposal makes no mention of appropriate documentation and verification of identification on dealer or broker transactions, where a third-party acts as intermediary between the bank and its customer, as for dealer-paper transactions or brokered loans. While the proposed regulation allows flexibility in bank procedures to obtain non-documentary verification when accounts are not opened in face-to-face transactions, we suggest that should include the ability of the financial institution to rely on a third party, such as a broker or dealer, to obtain, record and verify such identification in order that the bank need not spend time and other resources on duplicative verification.

Among the minimum identification requirements set out in the proposed regulation is to obtain a permanent residence address for individuals. It appears the intent of the regulation is to avoid usage of a Post Office box or other mailing address as the only identifying address of the customer. However, there are situations when customers do not have a permanent residential address, for example, retirees who have sold their residential property and now live in a motor home, traveling the country. As a general rule, these customers have only a PO box for an address, and it is rare that any other address is available. We suggest that exceptions be allowed for such situations, allowing only for mailing address as an address identifier or allow the use of an additional means to locate the customer, i.e. next of kin, contact persons, etc.

Another minimum identification requirement is to verify individuals through the use of government-issued photo identification. While the regulation allows for non-documentary verification when the bank is unable to rely on documents to verify identification, most non-documentary verification methods point to outside sources, such as a credit reporting agency, a reference from another financial institutions or public databases. We hear from many of our community banks that they know many of their customers personally, having lived and worked in the same community with them. Their employees attend church with their customers, send their children to the same schools, participate in community activities together, and shop at the same stores. We recommend the regulation allow for bank employees to simply provide a comment to the customer's file or an "Affidavit of Identity," attested to by a bank officer or employee, to serve as non-documentary verification of identification, particularly for customers who are personally and professionally known to bank employees and who pose literally no risk to the bank or nation in regard to money-laundering and terrorism funding. In addition, similar exceptions should be allowed for persons who have no identification, for example, the elderly and minor children.

One standard suggested by the proposed regulation is to obtain a U.S. taxpayer identification number for U.S. persons prior to opening an account. The proposal calls for a limited exception to this requirement for non-individual accounts that have applied for, but not received, an employer identification number (EIN). The proposal suggests that the financial institution's Customer Identification Program (CIP) must require the institution to obtain a copy of the application for the EIN before it opens the account or adds a signatory to the account, and obtain the EIN within a "reasonable period" of time after an account is opened. This procedure will also add to the monitoring and record-keeping burden for financial institutions. We find no added benefit to financial institutions to retain a copy of the EIN application until such time as the EIN is provided…in fact, in many cases, it's unlikely that the entity has retained a copy of the EIN application. As a practical matter, most banks refuse to open an account until they have received a taxpayer identification number or other identifying information.

The proposed regulation also suggests for non-U.S. persons, financial institutions should obtain one or more identifying numbers. Most banks already have procedures in place to do so. However, the most frustrating aspect of the proposal is verification of the identification obtained. Currently, there are very few methods by which identification of U.S. persons can be positively verified, and literally no method by which identification provided by non-U.S. persons can be relied upon for valid authentication of the documents provided. We urge the Agencies to work with various federal departments, for example the Internal Revenue Service, the Social Security Administration, and the Immigration and Naturalization Services, to develop expedient methods (for example, online, fax or phone verification) by which tax identification numbers, social security numbers and visa/passport numbers can be readily verified and authenticated, providing some assurances to bankers that the person providing these numbers is the true "owner" of those numbers and entitled to use them for identification purposes.

It is not clear in the proposal whether identification documentation and record keeping requirements are applicable to persons seeking to open an account, but that are denied such accounts or other financial services. While other federal regulations require record retention for loan applications and adverse action notices, we oppose any requirement to maintain additional records of persons who were denied banking accounts or services. In addition, the record retention period, five years beyond account closing, is excessive. We recommend that the record-retention period be reduced to be consistent with other regulations, requiring no more than a two-year retention period, or in keeping with other BSA record retention requirements, not longer than five years after the creation of the record.

Of major concern to many financial institutions is that for purposes of obtaining, documenting and verifying identification, what previously was simply a lack of adequate documentation based on internal bank policy and procedures will now be raised to the level of a BSA violation, if specific identifying documents or non-documentary verifications are missing from the records of account holders. Another concern is that while the proposal allows for great flexibility in developing a CIP that is appropriate to the financial institution's size, location and type of business, what criteria will be used to determine "appropriateness"? It has been a long-standing complaint among our members that examination procedures vary widely among the Agencies (and even among examination staffs), creating inconsistentency in the practical application of the law from one supervised entity to another. We suggest interagency examination procedures covering only the minimum elements of the program as required under the Act (e.g. verifying identity to the extent reasonable and practical; maintaining records of such information; and monitoring lists of known or suspected terrorists or terrorist organizations).

The proposal sets out the requirement that identification may be obtained, documented and verified only after disclosure to the customers. We urge the Agencies to adopt a model lobby disclosure for use in all institutions to provide consistency among all financial institutions and reduce confusion by customers over varying forms and language contained in notices. Although we do not agree that any disclosure should be required, as it is a commercially reasonable industry standard to request identification in order to establish account relationships or deliver other financial services, we suggest the use of a lobby notice as the sole means for providing disclosure to customers. To do otherwise, for example written or oral notice prior to account opening, would just add to the time and expense of establishing new accounts.

The proposal requires that the bank's board of directors or a committee of the board must approve the CIP, which must be part of the bank's anti-money laundering program. While a bank's board is charged with oversight of bank operations and policies, we find no benefit in requiring the board or one of its committees to be involved in the evaluation or approval of the minutia of procedures relating to account opening and identification verification. Instead, a financial institution should be allowed to incorporate by reference its CIP in its anti-money laundering program, and thereby obtain board approval for the overall anti-money laundering objectives and policies relative to Bank Secrecy Act compliance.

Regarding compliance programs to check lists provided by the Federal government of known and suspected terrorists and terrorist organizations, many banks have purchased "add-on" services from credit reporting agencies to check new customers against the list provided by the Office of Foreign Assets Control (OFAC). However, few have purchased and deployed interdiction software to regularly update the list and monitor existing customer databases. Most banks, upon receipt of special "control lists" issued by the Federal Bureau of Investigation (FBI) have manually searched databases for any match. For most of the smaller community banks, use of third party sources and manual searches have been effective, due to the relative low-risk of listed persons and entities engaging in banking transactions in those communities and the infrequency with which listed persons have been found. It is critical that the Agencies continue to allow flexibility in compliance programs relative to checking government lists, allowing for manual monitoring as well as use of third party sources, rather than mandating expensive interdiction software for all institutions.

We believe the proposed regulation establishes unrealistic time frames within which financial institutions will be able to comply with the requirement to develop and implement a "Customer Identification Program" (CIP). Under the proposal, which is open for comment until September 6, 2002, the regulation is to become effective October 25, 2002. It is unreasonable to believe that banks will be able to implement a formal CIP in such short order, considering the final rule will not be issued until after the September 6 date. Most of the banks that have provided comment relating to this proposal advise that while they have informal account opening procedures in place, very few have the detailed, written programs and procedures that are required by this proposal. Many will have to revise existing practices to conform to expanded documentary and non-documentary requirements. If the requirement to obtain board approval of the CIP remains intact, many institutions will find it impossible to develop the CIP, obtain board approval, and adequately train staff to meet the established effective date of October 25, 2002. We believe the proposal grossly underestimates the expense and time needed to comply. At minimum, most banks will be required to develop or revise internal procedures and reduce to writing their account opening and identification practices. In addition, many banks will need to make decisions relative to purchasing additional services or software to enhance identification verification procedures and/or procedures to monitor government lists. Due to these constraints, we urge a delayed mandatory compliance date, to no earlier than April 25, 2003.

Thank you for the opportunity to comment on this important proposed regulation. We appreciate your consideration of our comments and suggestions. If you have questions related to this letter, you may contact me at Iowa Bankers Association, 515-286-4391 or via e-mail, dbauman@iowabankers.com.

Sincerely,
Dodie Bauman, CRCM
Compliance Manager
Iowa Bankers Association