Federal Deposit
Insurance Corporation

Re: Customer Identification Programs for Banks, Savings Associations,
and Credit Unions, USA-PATRIOT Act Section 326

Dear Sir or Madam:

The Independent Community Bankers of America (ICBA)¹ appreciates the opportunity to offer comments on the proposed customer identification and verification rules issued by the Treasury and the federal bank and credit union regulatory agencies.

Section 326 of the USA-PATRIOT Act requires the Treasury Department, working with these agencies, to issue regulations setting out minimum standards that banks, thrifts and credit unions must use to identify a customer who opens an account. This provision is perhaps the most significant provision of the USA-PATRIOT Act for community banks. It will require all banks to establish a "Customer Identification Program" (CIP) as part of their Bank Secrecy Act compliance procedures.

Background

The statute requires all financial institutions, not only banks and thrifts, to establish customer identification and verification procedures by October 25. The proposed rule for banks, thrifts and credit unions is a companion to virtually identical proposals issued for futures exchanges, brokers and dealers and mutual funds. The goal is to implement rules that apply uniformly throughout the financial services industry.

At a minimum, the statute requires "reasonable procedures" to verify the identity of any person seeking to open an account. During the debate on the statute, Congress also contemplated requiring financial institutions to carry out identification procedures for existing customers. However, the ICBA and others argued successfully that the costs and burdens associated with such a requirement would far outweigh the benefits. Therefore, the rule is limited to new accounts, including new accounts opened by an existing customer if the bank does not have the necessary information on file for that customer. It has also been suggested that if existing information on a customer is dated, it should be updated.

In addition to carrying out the identification procedures, the statute requires banks to maintain records on how it verified a person's identity. And, banks must consult lists of known or suspected terrorists or terrorist organizations provided by any government agency to determine whether the person seeking to open an account appears on such a list.

Summary of ICBA Comments

ICBA members are committed to support effective measures that will stop terrorists from using the United States financial system to transfer money to fund their operations. Generally, the ICBA applauds the agencies for creating a flexible rule that allows each community bank to tailor its policies and procedures to its own operations, taking into account the risk profile presented by the bank's customer base, its location and the types of accounts it offers.

Some aspects of the proposal will prove very burdensome to community banks, especially the requirements to maintain records on how a customer's identity was verified and to verify the identity of authorized signers. The ICBA recommends that these requirements be adjusted in the final rule, as more fully detailed below, particularly reducing record-retention time for closed accounts. The ICBA also recommends additional flexibility in requirements for customer address, to take into account students and, more important, members of the military that may not have a fixed address, allowing the bank some latitude in assessing the risk of a given situation.

The ICBA strongly urges the agencies to simplify and streamline the lists of terrorists and terrorist organizations released by the federal government. Currently, the information is organized for the convenience of the government, but that does not necessarily make it easier for banks to check names on the lists to ensure that transactions are caught.

The ICBA commends the agencies for making it as easy as possible for banks to comply with the notice requirements of the statute. And, while we do not propose any exemptions from the requirement at this time, we do urge the agencies to incorporate additional flexibility to allow banks to rely on customer identification and verification carried out by a trusted third-party, based on the risk inherent in the particular transaction in question.

Perhaps most important, though, is that while the rules are not radically different from existing procedures, the differences are sufficient that additional time should be allowed for banks to adapt procedures, obtain board approval and train staff. The ICBA urges the agencies to either defer the effective date or allow a transition period in the final rule to accommodate these changes.

Because there is so much flexibility in the rule, the ICBA strongly recommends that Treasury and the banking agencies issue additional supplementary guidance, such as a commentary or set of Questions-and-Answers, once the final rule is in place. While the general parameters of the proposal are relatively straightforward, it is highly likely that questions will arise as banks implement the new procedures. The ICBA believes use of a commentary type of guidance would be extremely helpful. The Federal Reserve has successfully relied on this type of guidance for many of its regulations. Such a commentary would serve as a single reference tool that supplements the regulation and could be easily adapted and updated. Alternatives to a formal commentary would be best practices, recommended dos and don'ts, examples of what is covered by a specific element of the rule, and sample language for notices. As with any other instance where regulatory language is flexible and allows discretion, reasonable minds can differ in interpretation. It is therefore important that both bankers and bank examiners have sufficient understanding and guidance on the regulatory requirements to reconcile any differences of opinion.

Current Bank Procedures

Most community banks currently have procedures in place to identify their customers. For example, typically community banks collect the name, address, social security number and date of birth for customers. The bank itself reviews a driver's license or other type of photo identification (e.g., passport, military ID) for verification, although the bank does not typically retain a copy of the documentary identification in the files; ² rather, the bank will make note of the information such as the driver's license number.

In instances where a customer does not have a driver's license or passport, community banks use a variety of mechanisms to confirm the identity of the customer. For example, community banks use Social Security cards, utility bills (to confirm address), employee photo identification cards from known and reputable businesses, green cards, Canadian driver's licenses, and military IDs. However, many community banks also refuse to open accounts if proper identification cannot be proferred.

Generally, banks check this information against a database, such as ChexSystems, to verify the information provided by the customer for a deposit account. For loan customers, community banks instead likely run a credit report. Accounts are also generally checked against the OFAC lists using ChexSystems or similar database. The ChexSystems data report may be printed out and retained in the file.

For business accounts, community banks typically collect the name, address and phone number of the business, and the entity's employer identification number issued by the Internal Revenue Service. Depending on the account and the type of business, the bank may also request a copy of the Articles of Incorporation, a copy of the Partnership Agreement, the business license and possibly a Certificate of Good Standing issued by the state where the company is chartered.

However, it is also important to acknowledge that many community banks operate in small, rural communities and have known and served their customers for a long time. Given the assessment of risk, the bank may waive any identification procedures for individuals that are personally known to them.

                                                             The Proposal

Definitions
Account. The proposed definitions are a key part of the rule. The requirements would apply to any person seeking to open an account, defined as a "formal banking or business relationship established to provide ongoing services," such as a deposit account or loan. It would not include persons who conduct one-time transactions, such as the purchase of a money order or a wire transfer, nor accounts acquired through merger or purchase of assets where the customer does not voluntarily move the account. The important aspect of the definition is that it looks to the creation of an ongoing relationship.

The ICBA believes that the proposed definition of account is appropriate. Trying to track information on those who merely inquire about accounts or who engage in one-time transactions would be extremely burdensome, and unlikely to provide information that would be useful for detecting money laundering or terrorist activities. However, the ICBA recommends that the final definition incorporate examples of an "ongoing customer relationship"³ as the privacy regulations do. For example, the privacy regulation lists a deposit or investment account, a loan, and the servicing rights on a loan as representative of a "continuing customer relationship." The ICBA also urges the agencies to coordinate terms between the privacy rules and the new section 326 requirements, since coordinating terms and definitions between different regulations facilitates compliance and eliminates potential confusion.

Customer. The proposal defines a "customer" as any person seeking to open a new account, and would therefore include account applicants. "Person" includes both individuals and legal entities, such as corporations, partnerships, trusts, estates, and associations. A customer also includes an authorized signatory on an account. For example, if a company with a checking account at the bank seeks to add or change an authorized signer after the rule takes effect, the bank would have to carry out the requisite identification and verification procedures for the new signer.

Authorized Signers. Currently, few banks treat a signatory on an account as the owner of the account. The bank views the entity opening the account as its customer and not the representative of the entity that has signing authority. For the most part, banks currently rely on business customers to provide the information on who is authorized to sign on an account. In fact, the Uniform Commercial Code places a certain level of responsibility on the customer to detect an unauthorized signature.⁴

Requiring banks to carry out identification and verification procedures for authorized signers on accounts will be a burdensome task and a major change to current procedures. Because many companies, especially larger ones, experience a regular turnover of employees, keeping this information updated is already difficult, but adding the burden of customer identification and verification will become an impediment to normal operations. For example, authorized signers may be some distance from the bank and not readily available to a bank location to provide the necessary information. Based on the risk concept that underlies section 326, the ICBA encourages the agencies to allow banks to rely on the customer (the entity) to identify and verify the identity of signers, following the premise established in the UCC. If there are circumstances where the risk or information provided by the company merit additional investigation, then it may be appropriate for the bank to carry out additional identification procedures. However, identifying individual signatories on an account should not be mandated as a general practice, especially since it is not the signer who is considered the bank's customer.

If, however, the final rule does impose this burden, then the ICBA strongly urges the agencies to incorporate more specificity regarding which authorized signers are covered by incorporating a list of examples in the final rule. For example, clarification should be provided on whether this requirement applies to loan guarantors.

U.S. and non-U.S. Persons. Finally, because different requirements apply for U. S. persons and non-U. S. persons, the proposal defines a U. S. person as a U. S. citizen or an entity organized under the laws of the United States. A non-U. S. person is any person that does not satisfy those criteria.

Customer Identification Program

The proposal requires each bank to establish a "Customer Identification Program" (CIP). The program would be risk-based, with identification and verification procedures appropriate to the bank's size, location and type of business, as urged by the ICBA. The CIP must be written and will be part of the bank's overall Bank Secrecy Act (BSA) compliance program, subject to the other requirements for a BSA program, such as auditing and ongoing training. To underscore the importance of the CIP, it must be approved by the bank's board of directors or the appropriate board committee.

The CIP would establish procedures to identify and verify the identity of each customer applying to open an account. The procedures would be based on the type of account, the method used to open the account and the type of identifying information available. Overall, the bank must reasonably believe that it knows the true identity of the customer.⁵

The proposal seeks comment on the steps that should be taken when a customer desires to conduct transactions immediately. The ICBA believes that the regulatory requirements that generally apply to customer identification and verification procedures are sufficient to cover instances when a customer desires to conduct transactions immediately. Since the proposal allows a great deal of flexibility based on the risk assessed by the bank, each bank can establish procedures as part of its own CIP to identify instances when it is appropriate to allow immediate transactions on an account even though verification of identity is not yet complete. The CIP can incorporate specific provisions, e.g., limits on types or size of transaction, until identity has been properly verified. However, this is one aspect where further experience with the regulation may warrant supplemental guidance.

Identifying Information. The CIP must set forth the minimal information that a bank will obtain from a customer. For individuals, the rule would require name, date of birth, address (both residence and mailing address if they are different), and identification number. For non-individuals, such as businesses, the bank must acquire the name, principal place of business (and mailing address if the mailing address is different) and identification number.

Addresses. For the great majority of community bank customers, obtaining both a mailing address and a residential address should not be difficult. However, there are instances when exceptions will be needed. For example, a student studying away from home or a member of the military serving overseas may not have a fixed permanent address. Since there will be instances when exceptions will be needed, the ICBA urges the agencies to incorporate exceptions into the final rule (with appropriate identification to verify their status such as a student ID card or military ID card). In the alternative, since the overall tenor of the regulation is based on risk-assessment, the final rule should allow banks either to waive this requirement when appropriate (as determined by the bank) or allow the customer to provide the address of a contact such as a parent or guardian to serve as a substitute when the customer does not have a fixed permanent address.

Banks are also likely to encounter difficulty obtaining an address for migrant workers. Many migrant workers provide a vital service for the nation's agricultural communities where many ICBA members are located. The Department of the Treasury has been urging banks to take steps to ensure that these individuals (among others) have access to banking services and to encourage them to participate in the nation's banking system. Since they will not have a fixed permanent address, if the final rule does not incorporate a provision allowing flexibility for this situation, banks may be unwilling to open accounts for migrant workers, defeating efforts to reach this segment of the "unbanked."

Identification Number. The proposal would require banks to obtain an identification number for each customer For U. S. citizens and entities, the identification number would be their taxpayer identification number. Since new businesses may not yet have a taxpayer identification number, the rule would allow a limited exception for those businesses to open the account, provided they provide the bank with a copy of their application for a taxpayer identification number and provided the bank has procedures in place to ensure the number is provided within a reasonable period of time.⁶

Generally, obtaining a taxpayer identification number for new accounts is a normal procedure for community banks. While banks do allow customers to open accounts without the taxpayer ID, they also have procedures to follow-up with the customer within a reasonable amount of time, such as 30 days, to obtain the information. Where community banks do make exceptions for opening the account, they do so on a limited basis, such as for new business entities or for minor children of established customers. Therefore, this requirement will not be burdensome.

For non-U.S. citizens, the rule would require one or more of the following for the identification number: a U. S. taxpayer identification number, a passport number and country of issuance, an alien identification card number, or the number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.⁷

The ICBA believes that banks will need additional guidance on the types of identification appropriate for non-U.S. citizens, including the ability to accept the new identification card being issued by the Mexican government and identification other than passports and green cards. Domestic banks, especially community banks, will need guidance on appropriate identification mechanisms for non-U.S. citizens that will be acceptable under the section 326 requirements. While such guidance need not necessarily be incorporated in the actual rule, it is important that the government provide it.

Verification. Once it has obtained the necessary information from the customer, the bank must take steps to verify the information. These verification procedures must also be part of the bank's CIP. The proposal does not mandate what a bank must do to verify the information, nor does it establish a timeframe for verification, which may depend on the type of account opened, whether the customer is physically present when the account is opened, and the type of identifying information available. Restrictions may be placed on an account until identity is verified. However, the intent of the proposal is to provide flexibility for each bank to develop a risk-based approach in its CIP.

Verification procedures can be documentary or non-documentary. For individuals, documentary verification may be through unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard, such as a driver's license or passport. For business entities, the documents may be items such as registered articles of incorporation, a government issued business license, or partnership or trust agreement. The ICBA recommends that the agencies incorporate examples of appropriate types of documentary identification in the final rule or in separate guidance that banks may easily access.

The bank's CIP must also include procedures for non-documentary methods of customer identification. For example, there may be situations where a customer does not have a current driver's license or a passport (e.g., elderly customers) or the customer is not physically present when the account is opened. Non-documentary methods of customer identification would include contacting the customer at the address provided, verifying information against a bad check database, comparing the information against information from a credit bureau, or analyzing the information given for consistency (Social Security number and birth date, address and phone number and zip code, and so forth).

As noted above, many community banks already rely on non-documentary forms of identification, such as ChexSystems for deposit accounts or credit reports for loan applicants. However, not all community banks have incorporated these methods into their policies and procedures, and so the new requirement will mandate additional procedures and training staff.

Recordkeeping. The statute requires a bank to maintain records that include the identifying information and how the customer's identity was verified. These recordkeeping procedures must be included in the bank's CIP.

If a bank uses a document to verify identity, the bank must maintain a copy of the document. The bank must also record any other steps that it took to verify a customer's identity. And, the bank must keep a record of how any discrepancy in the identifying information was resolved. All records must be retained for five years after the account in question is closed.

The agencies emphasize that while banks must now maintain these records, it does not relieve them from obligations under other provisions of law, such as the Equal Credit Opportunity Act which bars a bank from considering a loan applicant's race or gender in making credit decisions. In the past, banks have been cautioned against keeping a copy of a customer's driver's license to avoid running afoul of this requirement, but the new CIP procedures change this. According to informal feedback from the Federal Reserve, keeping a copy of a driver's license will be permissible since it is now required by law, but the information cannot be considered in evaluating a loan application. The ICBA has recommended that the Federal Reserve issue guidance on compliance with what appear to be conflicting requirements. Because this will be a change in generally understood federal mandates for many banks, the guidance should be issued as soon as possible.

Finally, the agencies make it clear that recordkeeping may be electronic.

While the agencies are accurate in their assessment that banks already undertake a variety of procedures that parallel the new requirements, the recordkeeping requirements are new and a departure from the procedures followed by many community banks. While banks have procedures to identify and verify the identity of customers, they may note the information in the customer file, but not retain a copy of the documentation or document what has been done to confirm a customer's identity. These new procedures will be a radical departure from existing requirements, and will impose a substantial burden on banks. The extra work to maintain the additional documentation will be extensive. Therefore, a transition period should be provided to allow banks to phase in this requirement, as more fully discussed below.

In addition, the ICBA recommends shortening the five year retention period for this information after an account has been closed. Ultimately, the goal of the requirement is to detect and deter money laundering and terrorist financing. Once an account has been closed for two or more years, it is not likely that the information will be sufficiently current to help detect money laundering or terrorist financing. While the information may be useful in prosecuting a case, the older the information is, the less useful it will be to investigators or prosecutors. Keeping the information on file for five years will be burdensome, not only because of the additional documents and files required, but also because these requirements mandate audit and compliance procedures, including bank examination procedures, to verify that the requirement is followed. Therefore, the ICBA recommends a shorter record retention period for this information, possibly two to three years after an account is closed.

Comparison with Government Lists. The USA-PATRIOT Act requires a bank to determine whether a customer appears on any list of known or suspected terrorists or terrorist organizations provided to the bank by any government agency. The proposal clarifies that the requirement only applies to lists circulated by the federal government. The proposal also specifies that the bank must comply with any federal directives included with these lists. A bank's CIP must include procedures in case the bank determines that a customer is named on one of the lists, such as filing a Suspicious Activity Report or contacting law enforcement, or declining to open the account.

Currently, community banks utilize a variety of methods to check customer names against government lists. Many community banks use ChexSystems to compare names against OFAC lists at account opening, using a paper print-out of the list for ongoing transactions. Other banks have incorporated procedures into their software, primarily vendor supplied software, that conduct this analysis. Because many community banks rely on vendors for their software, the ICBA encourages the Treasury and the banking agencies to take steps to ensure that vendors are aware of these new requirements, as the banking agencies did to ensure vendors were prepared for Y2K.

Generally, the ICBA does not believe that it will be difficult to comply with the requirement that government directives in these lists be followed. However, the ICBA wishes to stress the importance of the federal government continuing to take steps to facilitate the use and awareness of changes to the lists. For example, the FDIC has recently issued alerts whenever the OFAC lists are updated. Such steps are important for software vendors and community banks to easily and quickly access the most recent information - and to be aware when that information has been updated. Coordination of the OFAC lists so that there is only one list for banks to check, rather than a series of lists, would be extremely helpful. And, it would be extremely helpful if the banking agencies issued guidance that clearly specifies what lists banks much check. To date, there has been a fair amount of confusion about the number of lists that banks must consult and where to locate them. The ICBA recommends that additional guidance be issued as a companion to the final section 326 rule that provides definitive information on this subject.

Customer Notice. The statute requires a bank to have procedures to notify customers that it will verify identity. The proposal provides that a general notice, such as a lobby sign, would satisfy the requirement, as would a general written or oral notice. For accounts opened electronically, the notice may be provided electronically.

The ICBA believes that use of a lobby notice as a general form of notification is an appropriate mechanism to carry out this provision of the statute. This will facilitate compliance and reduce both cost and burden. However, the final rule should clarify that a single notice, prominently displayed in the branch, should be sufficient, rather than a series of notices at each teller station or throughout the branch, especially since federal regulations already mandate a variety of other notices to be posted in the branch, such as the Fair Housing Lender Notice, the Home Mortgage Disclosure Act (HMDA) notice, the Community Reinvestment Act (CRA) notice and so forth.

The ICBA also recommends that the banking agencies offer sample language that banks may use in creating notices, as has been done in other instances, e.g., Truth-in-Lending Act disclosures.

While some community banks are reluctant to open accounts unless new customers that are present in person, the instances of account openings by customers who are not present has been greatly increasing, especially with usage of the Internet. Therefore, the ICBA recommends that the agencies issue guidance on how banks can comply with the notice requirement in those instances where customers are not physically present to open an account.

Exemptions. The statute provides that the appropriate agency may exempt any financial institution or type of account from the requirements of section 326. In doing so, the Treasury and the bank's supervisory agency must consider whether such an exemption would be consistent with the purposes of the Bank Secrecy Act, safe and sound banking practices, and public interest. No exemptions have been proposed at this time.

The ICBA does not have any specific exemptions to recommend at this time; however, we urge the agencies to continue to assess situations where an exemption might be appropriate due to the minimal risk posed by the type of transaction or the type of customer maintaining an account.

The ICBA also recommends that the agencies incorporate procedures into the final rule that allow a community bank to rely on the identification procedures carried out by another entity, much as the proposal exempts accounts acquired through a merger. For example, banks should be allowed to rely on another financial institution's identification procedures when an established account is transferred. For example, federal procedures for the rollover of an Individual Retirement Account (IRA) mandate transferal directly from one financial institution to another. The receiving financial institution should be permitted to rely on a short certification (perhaps a box checked on the transfer form) from the transferring financial institution that the identity of the customer is reasonably known to the transferring institution.

Regulatory Burden and Effective Date. The agencies estimate that it will take a bank an average of ten hours to comply with the recordkeeping requirements, and that the proposal will present little additional burden because such recordkeeping is a usual and customary business practice. Although banks already follow many of these procedures in their normal business operations, the ICBA believes that this estimate overlooks a number of very significant factors.

First, existing policies and procedures will have to be revised and updated to comply with the new requirements. If a bank does not have existing written procedures, it will have to commit those procedures to a single writing and incorporate it into it's Bank Secrecy Act compliance program. For some banks, this may take substantial effort as the consolidate procedures that may be spread throughout existing procedures and policies.

Second, while banks take steps to identify and verify the identity of customers, they do not always maintain records of that information. This new requirement will necessitate substantial changes, including development of filing systems to make the information accessible.

Third, as with any other change, once the procedures and policies have been established and approved by the bank's board of directors, management will have to ensure that employees are properly trained in the new procedures. Bank forms and notices will have to be updated with the new requirements. And, compliance and audit procedures will have to be updated as well. Therefore, the ICBA believes that, at a minimum, the estimate of burden far understates the amount of time that will be needed.

Because the changes will be significant, the ICBA recommends that the effective date be deferred, especially since final regulations are not likely to be available until nearly October 25. Since many banks are already carrying out the important elements of the requirement, i.e., identifying and verifying the identity of customers to ensure they are reasonably certain of the customer's identity, deferring the effective date of the technical requirements of these rules should not affect bank efforts to detect instances of money laundering and terrorist financing. If the effective date is not deferred, then the ICBA strongly recommends a transition period to allow banks to update policies and procedures and properly train employees on these new USA-PATRIOT Act requirements.

Thank you for the opportunity to comment.

__________________________________-

Sincerely,
A. Pierce Stone
Chairman
Independent Community Bankers of America
Washington, DC

cc:
Office of the Comptroller of the Currency
250 E Street, SW
Public Information Room, Mailstop 1-5
Washington, DC 20219
Attention: Docket No. 02-11

Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue, NW
Washington, DC 20551

Executive Secretary
Attention: Comments/OES
Federal Deposit Insurance Corporation
550 17th Street, NW
Washington, DC 20429

Regulation Comments
Chief Counsel's Office
Office of Thrift Supervision
1700 G Street, NW
Washington, DC 20552
Attention: No. 2002-27