
Federal Deposit
Insurance Corporation





FDIC Federal Register Citations

Comments Re: USA PATRIOT ACT, SECTION 326 CUSTOMER IDENTIFICATION PROGRAM

Submitted by: Linda L. Walker, AVP, Heritage Bank of Florida

I would like to see Section 326 strengthened to close the loopholes that exist in the current proposed rules. I believe all banks, regardless of size, need to uphold the same standards if we are going to ensure the safety of our financial banking system. A terrorist gaining access to an account at a small bank can do just as much damage as he would if he gained access to an account at a large bank. The risk is the same. Small banks are more susceptible to infiltration by fraudsters and terrorists because they think (1) small banks don't have the manpower to be on the alert and (2) small banks are community-oriented, not risk-conscious. If the CIP requirement is well defined, with universal standards, then small banks can comply as well as anyone else. Getting customer cooperation will be easier, I believe, if all banks require the same things. Otherwise, a customer will "shop around" for a bank that doesn't ask a lot of questions. It makes sense to me to close the loopholes that exist in the current proposed rules by doing the following:

1. Tighten CIP requirements. There is too much latitude given for banks to create their own definitions in their CIP, which gives examiners no real basis for criticism. Close the loopholes by requiring all CIPs to have certain critical elements alike and to hold to certain universal standards. It will make it easier on all banks when we all share the same standards.

2. Require proof of residence. It is more difficult to get a library card than a bank account. When applying for a library card, you have to provide at minimum an independent proof of residence (such as a lease agreement or utility bill in your name), plus photo ID.

3. "Customer" should include anyone with a beneficial interest in an account. Under the OCC's proposed Know Your Customer rules of 1998, a customer was defined as "any person or entity who has an account involving the receipt or disbursal of funds with an institution covered by this regulation and any person or entity on behalf of whom an account is maintained." If, for instance, an account is opened on behalf of a third party, the bank will need to treat as a customer both the person or entity opening the account and the person or entity for whom the account is opened. This will curtail the growing trend of "sub-accounts" which afford a shield for ineligible people to gain access to financial accounts.

4. Monitoring transactions of existing customers. The OCC's proposed KYC rules included a monitoring provision for existing customers. By "determining their normal and expected transactions using available account data and monitoring their transactions for suspicious activities," the reg could be satisfied for existing customers. "However, depending on the nature of the risk associated with some customers and their transactions (for instance, transactions involving private banking customers), it may be necessary to fulfill all of the requirements of this regulation as if they were new customers. In designing a monitoring system, a bank may choose to classify accounts into various categories based on factors such as the type and size of account, the types, number, and size of transactions conducted in the account, and the risk of illicit activity associated with the account. For certain classes or categories of accounts, it would be sufficient for an effective monitoring system to establish parameters for which the transactions within these accounts will normally occur. Rather than monitoring each transaction, an effective monitoring system could entail monitoring only for those transactions that exceed the established parameters for that particular class or category of accounts. For other categories or classes of accounts, such as private banking accounts, it may be necessary to monitor each significant transaction. A bank's understanding of a customer's normal and expected transactions should be based on information obtained both when an account is opened and during a reasonable period of time thereafter. It also should be based on normal transactions for similarly situated customers." (See #7 below)

5. Non-U.S. Persons. All non-U.S. citizens should be required to produce a passport as one of two required IDs. In addition, they should have to produce a cedula number (if South American), proof of a Social Security Number (if they have one), proof of local residence and verification/proof of work or student status, plus a recommendation from a U.S. citizen (with their contact information).

6. Application Process. The reg should mandate that the CID will require a formal application form to capture all the required data, which all signatories must sign. The form should include, for businesses, how much account activity they expect to do monthly in cash and wires (domestic & international). The form should include space for the bank's verification results. (I developed an application form based upon the OCC KYC rules that fits this description and it has worked very well for us.) Access to accounts should be prohibited until all required data is provided and verified. No exceptions allowed. (Otherwise, bankers will be waiving this requirement for every VIP, every friend, every friend of a friend, etc.)

7. Transaction Verification. The reg should require the CIP to include transaction verification by each business entity (i.e., their three most recent bank statements from their previous/current bank). Note: This has been a common requirement for credit card merchant banks for fifteen years so that parameters for expected volumes could be set for monitoring purposes.

8. Independent Verification. The reg should require the CIP to include independent verification of the information given on all applications (instead of banks "being encouraged to use other verification methods, even when a customer has provided original documents.") The CIP should require proof that business entities are actively registered to do business in that state.

9. Account Review. The reg should require the CIP to include a timely third-party review of every new account by another bank employee or officer to ensure all CIP standards are being met.

10. High Risk Profiles. The reg should mandate the CIP to access and use regulatory profiles of traditionally high risk types of bank accounts, which include recommended measures to use when opening these types of accounts. (Again, credit card merchant banks have used high risk profiles for fifteen years.)

Last Updated 09/06/2002 regs@fdic.gov
