Federal Deposit
Insurance Corporation

September 3, 2002

Ms. Jennifer J. Johnson, Secretary
Board of Governors of the Federal Reserve System
20th and Constitution Avenue Northwest
Washington, DC 20551

Dear Ms. Johnson:

This letter is written in response to the request for comments on the proposed Customer Identification Programs for Banks, Savings Associations, and Credit Unions (Docket No. R-1127).

Comment was requested as to whether the proposed definition of "account" is appropriate and whether other examples of accounts should be included in the regulatory text. We believe the proposed definition is acceptable as proposed. This definition is consistent with the application of the term in other regulations, and consistency reduces the likelihood of confusion when implementing procedures to comply with the various requirements under the Act.

Comment was solicited as to how the proposed regulation should apply to accounts that are designed to allow a customer to transact business immediately. We believe that there should be some allowable flexibility under these circumstances. Most financial institutions adequately identify and verify available information at the time an account is opened. However, this is not always possible in circumstances where all parties are not present at the time an account is opened. For example, in situations where families are relocating to different communities, it is not uncommon for one party to seek to establish a joint account with their spouse when the spouse has not yet arrived in the new area. It is not possible to completely identify the party that is not present. Recognizing the fact that the vast majority of customers are legitimate and are not trying to conduct illicit activity, the regulation should not prohibit a financial institution from allowing an account to be opened or restrict activity on the account until all parties have been properly identified. Financial institutions should also be allowed flexibility to determine the appropriate manner to handle these situations through its risk assessment and procedures that are required under the regulation.

The regulation should also provide for flexibility in identifying all signatories to commercial accounts. While we believe the premise of identifying all signers to a commercial account is generally appropriate, there are certain accounts where it is not practicable to identify all signers in accordance with the proposed regulation. There are accounts for legitimate businesses, such as title insurance companies, that literally have hundreds of signers that change periodically. It is not possible and would be extremely burdensome for a financial institution to identify and verify all of the required information and maintain it in accordance with the proposal. As long as the financial institution has identified and verified the legitimacy of the business, then there should be some allowable flexibility in not identifying all signatories to the account. This could also be addressed in the financial institution's assessment and procedures.

Comment was solicited as to whether the regulation should include or exclude foreign branches of banks. We believe, given the purpose of the Act, that all banks should be covered under the regulations, including foreign branches. However, these foreign branches should only need to comply with the regulation to the extent that it does not conflict with local law in their areas of operation. As our company does not operate any foreign branches, we cannot attest to any conflicting foreign laws.

Comment was also solicited as to the extent to which verification procedures make use of information that financial institutions currently obtain in the account opening process. We believe that the proposal does generally utilize information currently reviewed by financial institutions in opening accounts. However, the proposed regulation requires that financial institutions maintain copies of documents used to verify identity. This requirement seems unduly burdensome and poses additional legal risks to the financial institutions.

There are several primary reasons why financial institutions do not desire to keep copies of this information. First, there are potential fair lending considerations related to collection of race and gender information where the account being opened is a loan account and collection of the data is not permitted by law. Even though the data is being obtained for identification reasons and racial data is not specifically being collected, race can be inferred from a copy of the identification being maintained by the financial institution. In addition, the gender of the person is also usually included on identification cards. Keeping the copy in the customer's credit file would certainly lead to regulatory criticism. Even if it is not kept with the customer's credit file, the fact that the data is available could potentially be used in litigation to assert fair lending violations, even though the information was not collected for or utilized in the process of originating loans other than to identify a customer at the time an account is opened.

Another reason financial institutions do not desire to maintain copies of information of verification documents relates to potential legal risks associated with non-natural entities such as trusts. Our counsel has continually reiterated that we should not maintain copies of complete trust agreements at the bank, because the bank could be held liable for unauthorized transactions conducted by the trustee.

Beneficiaries and other interested parties could potentially attempt to hold a financial institution responsible for actions of a trustee through litigation, if they believe the trustee is breaching his fiduciary duty. Trust agreements can be rather lengthy, complicated, and contain numerous sections concerning actions of trustees. It is our understanding that financial institutions have been held accountable for transactions of the trustee accomplished through the institution where it was shown that the institution held a copy of the entire trust agreement and one section prohibited the trustee from undertaking the transaction. For this reason, our counsel has developed specific authorization forms for our bank to utilize that sufficiently protects our company and does not require us to maintain copies of these underlying agreements. While the proposal provides for alternate documentary evidence of authority for business entities, we believe there should be some flexibility allowed for documentation related to entities such as trusts.

The final primary reason for not desiring to maintain copies of the information relates to storage considerations and the increased potential for identification theft. Under the proposed regulation, copies of identification documents for customers must be maintained until five years after the date the account is closed. While the rule is prospective, over time there will be a significant number of copies being maintained. This presents some logistical problems for financial institutions which are already utilizing space to the maximum extent possible. Since the information cannot be contained in credit files for fair lending concerns, and not all customers have credit files, financial institutions may decide to maintain the information in a centralized file for storage. This may be kept within the bank or placed with an off-site storage facility or company. Recognizing the requirements for financial institutions to protect all customer information, the retention requirements would make institutions further targets for theft of the information. This has already been seen in the theft of identification equipment and expired licenses containing personal information from our state government's motor vehicle departments. This is another area for potential litigation against financial institutions in the event the information is successfully stolen and used to the detriment of the institution's customers.

An identification document contains more personally identifying information in one place than can generally be found in most bank records. While financial institutions review this information in the identification process, only portions of the information may be kept for reference and usually may be maintained in different locations. For example, our institution maintains certain identifying data only in electronic form under our customer records. In addition, we do not maintain records of physical appearance such as height, weight, and color of eyes which can be found on most identification cards. While this information is useful in identifying customers initially, there is usually no compelling reason to maintain the information at the institution once alternate methods of identifying customers, such as through the use of passwords or signature verification, have been established. On the other hand, identity thieves could certainly benefit by obtaining this additional data. As methods of identifying individuals by merchants are enhanced, thieves could use the data to match the physical appearance of their field operatives to the government data for the unsuspecting victim.

Recognizing the importance of identifying customers under the regulation and attempting to balance the legal implications of maintaining evidence of this verification, we would strongly recommend that financial institutions not be required to maintain copies of identification. The regulation should allow sufficient flexibility to determine what information is maintained, as long as the institution can demonstrate compliance with the identification requirements of the law. For example, documentation indicating that a financial institution's employee inspected and accepted the identification presented with a proper notation in the institution's records should be sufficient evidence for compliance under the regulation. These requirements could also be addressed in the financial institution's risk assessment and procedures.

We would also like to request that the final regulation contain further clarification on the requirement to notify customers that the institution is requesting information to verify identity. The proposal indicates that the notice may be oral or in writing. It also indicates that a posting in an institution's lobby may be sufficient. However, we believe that this needs to be clarified to indicate that oral notice, by itself, is sufficient and does not also need to be accompanied by a lobby posting. Alternatively, it should reiterate that a lobby posting, by itself, is sufficient to comply with the requirements of the regulation.

The final comment we would like to make relates to the application of the rule for accounts opened by domestic governmental entities. We periodically establish accounts with domestic governmental agencies. However, the proposed rule is unclear as to whether the identification and verification requirements apply to these entities. The statutory definition of "person" under the Act "includes a trustee, a representative of an estate, and when the Secretary prescribes, a governmental entity" [31 USC 5312(a)(4)]. The current regulation, under which the proposal will be incorporated, includes within the definition of "person" "all entities cognizable as legal personalities" [31 CFR 103.11(z)]. This would include governmental entities. If the proposed regulation is intended to cover these domestic entities, then clarification of the types of acceptable authorization documents needs to be provided within the regulation. These entities do not have traditional authorization documents and do not require business licenses. Examples should be included demonstrating what types of documentation would be acceptable for these entities.

Thank you for taking our comments into consideration. Please contact me at (303) 235-1375 or David Kelly at (303) 235-1491 if you would like to discuss these comments.

Sincerely,

John A. Ikard
President