
Federal Deposit
Insurance Corporation





FDIC Federal Register Citations

VIA ELECTRONIC MAIL

September 6, 2002

FinCEN
Section 326 Bank Rule Comments 
P.O. Box 39
Vienna, VA 22183

To whom it may concern:

This comment letter is filed on behalf of MasterCard International Incorporated ("MasterCard")1 in response to the Financial Crimes Enforcement Network's ("FinCEN") proposed rule implementing Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act ("Act") with respect to federally regulated depository institutions ("Proposed Rule"). MasterCard appreciates the opportunity to offer its comments on the Proposed Rule.

In General

Under Section 326, the Secretary of the Treasury must promulgate regulations setting forth standards for financial institutions regarding the identity of their customers. The regulations must "require financial institutions to implement, and customers (after being given adequate notice) to comply with, reasonable procedures" for: (i) verifying the identity of any person seeking to open an account, to the extent reasonable and practicable; (ii) maintaining records of the information used to verify the person's identity; and (iii) determining whether the person appears on certain government lists.

House Report 107-250, Part I (the "Report"), which includes the House Financial Services Committee's explanation of the language included in Section 326, provides useful guidance with respect to how Section 326 should be implemented. For example, the Report states that it is the intention of the Financial Services Committee that "the regulations prescribed under [Section 326] ... impose requirements appropriate to the size, location, and type of business of an institution." MasterCard supports FinCEN's decision to incorporate this guidance into Section 103.121(b) of the Proposed Rule itself. This approach should be retained in any final rule implementing Section 326 ("Final Rule"), as it correctly reflects the fact that a "one-size-fits-all" approach to developing a customer identification program ("CIP") cannot and will not be effective. A CIP that is appropriate for the largest card issuer in the country, for example, is probably not appropriate for a small community bank, and vice versa.

The Report is also instructive in another critical area, directing that the "procedures prescribed by Treasury make use of information currently obtained by most financial institutions in the account opening process. It is not the Committee's intent for the regulations to require verification procedures that are prohibitively expensive or impractical." We believe that FinCEN's efforts in crafting the Proposed Rule reflect the desire to develop requirements that fulfill this Congressional intent. For example, in the Supplementary Information to the Proposed Rule, FinCEN states the belief that the "basic information that banks would be required to obtain under [the Proposed Rule] reflects the type of information that financial institutions currently obtain in the account-opening process." The Supplementary Information also states that current industry practices generally provide financial institutions with a reasonable belief that they know the identity of those who hold an account with them already. MasterCard believes that adopting requirements that rely on information currently obtained by financial institutions is the most appropriate approach for implementing Section 326. We are concerned, however, that a number of provisions of the Proposed Rule may inadvertently require financial institutions to adopt procedures which go beyond current practices and could be both expensive and impractical to implement. We offer the following comments to address these and other issues.

Definition of Account

The Proposed Rule requires banks to form a reasonable belief that they know the true identity of any individual seeking to open an "account" (i.e. any "customer"). Section 103.121(a)(1) of the Proposed Rule defines "account" as "each formal banking or business relationship established to provide ongoing services, dealings, or other financial transactions." Examples of an account include a deposit account, a transaction account, and a credit account.

MasterCard commends FinCEN for defining an account to include only those relationships whereby the customer receives "ongoing" services from the bank. We also support FinCEN's inclusion of an important clarification in the Supplementary Information which states that the definition of an account would not "cover infrequent transactions such as the occasional purchase of a money order or a wire transfer." These exclusions are appropriate since such transactions involve only limited interaction with the bank and do not include the traditional indicia of an account relationship. In order to provide a more complete definition as to what constitutes an "account" for purposes of the Final Rule, we urge FinCEN to include additional examples of the types of transactions with a bank that would not be considered an account. For example, non-reloadable stored-value cards should be treated like money orders and wire transfers. These cards are, like a money order, purchased in a single transaction without establishing any ongoing relationship between the purchaser and the bank. Once purchased, the card can be used until the value on the card is depleted, at which time the card cannot be reloaded. Although a bank issuing the card would perform certain accounting and other back office functions in connection with the card, the only interaction between the bank and the purchaser of the card, if any, would be when the card is sold. In many, if not most instances, the card is purchased at a retail location or through an ATM without any direct interaction between the bank and the purchaser. Typically the card is not issued in the name of any individual. Moreover, because the card is generally purchased without any interaction with the bank, obtaining identification information of the type that would be required under the Proposed Rule, or performing verification procedures, may not be feasible.

There are a number of different varieties of these stored-value cards, some of which can be used only to make purchases at certain retail locations, while others are usable for purchases and/or obtaining cash at locations where general purpose payment cards are accepted. The use of these cards may provide certain benefits to law enforcement even though the cards are issued anonymously. For example, unlike cash, stored-value cards bearing a MasterCard brand typically would generate an electronic record each time they are used, which would give law enforcement the ability to trace transactions in ways that are not achievable when cash is used. We note that the ability to issue these stored-value cards would be impeded, if not eliminated, if they were to be covered under the Final Rule. We do not believe that such cards involve "ongoing services, dealings, or other financial transactions," and we urge that the Final Rule exclude these cards from its coverage. If FinCEN determines not to exclude these cards from coverage under the Final Rule, we urge FinCEN at least to exempt stored-value cards that are loadable with value below a certain specified dollar amount.

Definition of Customer

The Proposed Rule defines "customer" as "any person seeking to open a new account" and "any signatory on the account at the time the account is opened, and any new signatory added thereafter."

"Seeking to Open a New Account"

Section 326 of the Act states that a bank must implement reasonable procedures for "verifying the identity of any person seeking to open an account to the extent reasonable and practicable." The Proposed Rule's definition of a customer at Section 103.121(a)(3) reflects this statutory language by including in the definition of a customer "any person seeking to open a new account." FinCEN notes in the Supplementary Information that this portion of the definition includes an individual applying for an account but would not cover a person simply seeking information about an account. We believe that FinCEN has taken the correct approach in this regard, since it would be inappropriate for a bank to verify the identification of an individual who is only seeking information about an account, but not applying for one. MasterCard suggests that this important distinction may be more clear if FinCEN defines "customer" in a manner that omits reference to an individual "seeking" to open a new account, and refers instead to an individual "applying" to open a new account. This amended definition would provide more clarity to banks in their efforts to comply with a Final Rule while also reflecting the statutory intent.

We commend FinCEN for clarifying in the Supplementary Information that only those who seek to become a "customer" "on or after the effective date of the final rule," will be covered. To require banks to apply the requirements of Section 326 to their current customers would not be consistent with the plain language of the statute and would create significant unnecessary and costly burdens for banks. Accordingly, the approach embodied in the Proposed Rule, that the requirements only apply prospectively, should be retained in the Final Rule.

FinCEN also explains in the Supplementary Information that the requirements of Section 326 apply only to persons "seeking to open a new account" and therefore account relationships established through other means, such as "transfers of accounts from one bank to another, that are not initiated by the customer, for example, as a result of a merger, acquisition, or purchase of assets or assumption of liabilities" are not covered by the Proposed Rule. We strongly support this approach. As FinCEN correctly notes, such situations are excluded by the statutory language since the individuals in these cases are not "seeking to open" an account with the financial institution acquiring the account relationship. Furthermore, to require a bank to treat such individuals as "customers" under the Proposed Rule would force banks to expend substantial resources with little corresponding benefit. Therefore, we urge FinCEN to retain this important clarification in the Final Rule.

Signatories

Section 103.121(a)(3)(ii) of the Proposed Rule includes an account "signatory" in the definition of a customer. The term "signatory" is not defined in the Proposed Rule. The Supplementary Information, however, indicates that the term signatory would include "an individual with signing authority over a corporate account." We believe that although this example may provide clarification regarding traditional corporate deposit accounts, the term "signatory," by itself, provides little guidance for determining who is a "customer" in a payment card transaction. For example, when a bank issues a payment card that accesses a credit account, the person with whom the bank has ongoing dealings and transactions and to whom the bank provides ongoing services is the person liable on the credit account. Where multiple parties are liable on the credit account -- so-called "joint account holders" -- each of those parties would be involved in ongoing interactions of the type identified in the definition of customer.

We do not believe that the definition of customer should cover other persons who may be authorized by an account holder to use the account. For example, when a cardholder requests that a card be issued to a son or daughter attending college, or to any other individual the cardholder wishes to authorize to use the account, such authorized users should not be deemed to be customers for purposes of the Final Rule. In these circumstances, the bank does not have any formal relationship with the authorized user. The additional card in the name of the authorized user is sent to the account holder, and it is up to the account holder whether and how to deliver the card to the authorized user. Any transactions involving the account, including those initiated by the authorized user, are solely the responsibility of the account holder. For these reasons, we believe that authorized users should not be deemed to be customers for purposes of the Final Rule.

We note that this approach appears to be consistent with guidance provided to FinCEN by Congress in the Report. Specifically, the first sentence in the Report explaining Section 326 states that it "add[s] a new subsection governing the identification of account holders" (emphasis added). Therefore, it appears that Congress intended the regulations implementing Section 326 to apply to those individuals who hold an account with the bank. In order to provide appropriate guidance on this issue, we urge FinCEN to clarify that, with respect to payment cards that access a credit account, the term "signatory" means the person or persons liable on the account.

Identification Verification

The Proposed Rule requires a bank's CIP to contain procedures describing when the bank will verify a customer's identity through use of "documents" and describing the documents to be used for that purpose. The CIP must also contain procedures that describe non-documentary methods the bank will use to verify a customer's identity and when these methods will be used in addition to, or instead of, relying on documents.

Information Required

Section 103.121(b)(2)(i) of the Proposed Rule states that a bank's CIP "must contain procedures that specify the identifying information that the bank must obtain from each customer." The Proposed Rule also states that at a minimum the bank must obtain certain data, including a taxpayer identification number (e.g. a social security number for a U.S. individual), prior to opening, or adding a signatory to, an account. We believe it is reasonable to expect a bank to have a certain minimum amount of information about each of its customers. We do not think it necessary, however, that the bank must obtain each piece of information prior to opening the account. For example, a customer may open an account over the telephone. We do not believe it is prudent for the Final Rule to require the customer to provide his or her social security number, for example, as part of the telephone application process. A short delay in obtaining the information required by the Proposed Rule should not adversely affect the bank's ability to fulfill its requirements under the Proposed Rule since the bank would still be in a position to complete its verification process within a reasonable amount of time after the account is established.

Included in the information a bank must collect from a customer is the customer's mailing address, if it is different from the customer's residential address. This requirement raises significant concerns because many, if not most, banks use applications that have only a single address field. A requirement to collect two addresses where the mailing address is different from the residential address would force all of these banks to amend their current applications and redesign their systems in order to capture the additional field of information. Such a change would impose on banks the types of costs that, based on the legislative history of Section 326, Congress apparently was seeking to avoid. One possible alternative to the Proposed Rule's approach may be to require a second address only where the customer wishes to use a P.O. Box as his or her mailing address. This would provide greater flexibility for banks in designing their applications (including using a single address field and prohibiting the applicant from submitting a P.O. Box) while ensuring that banks obtain a street address for every new customer.

Face-to-Face/In Person Transactions

The Proposed Rule provides guidance for verifying a customer's identity when, among other things, the customer is involved in a face-to-face transaction. We request that FinCEN provide an important clarification regarding situations in which a customer seeks to open an account with a bank in a face-to-face transaction with someone other than a bank employee. For example, it is not uncommon for a bank to enter into an arrangement with a retailer under which the retailer will offer its shoppers the opportunity to apply for a credit account with the bank. Under these arrangements, the customer applies for credit at the point of sale, such as a cash register, in the retailer's store. The retail sales clerk provides the customer's request to the bank and, in many instances, the credit decision is communicated back to the sales clerk almost immediately, while the customer is still at the point of sale. Although the customer may be physically present in the retail store and involved in a face-to-face transaction with the sales clerk, the customer is not transacting directly with any employee of the bank. We urge FinCEN to clarify that under such circumstances, the customer is not physically present at, or involved in, a face-to-face transaction with the bank.

Verification: Reasonable Time After the Account is Established

The Proposed Rule requires a bank's CIP to contain risk-based procedures for verifying a customer's identity. FinCEN notes in the Supplementary Information that the procedures may vary based on the type of account opened, how the account was opened, and what information is available to the bank. The flexibility provided in this requirement will allow banks the ability to develop their verification procedures most appropriately, based on whether the individual is physically present in the bank or whether the individual is applying for an account over the telephone, for example. We applaud FinCEN's recognition that a bank's verification procedures should be risk-based and urge that FinCEN retain the risk-based approach in the Final Rule.

Section 103.121(b)(2)(ii) of the Proposed Rule establishes that a bank must verify the information obtained within a "reasonable time after the account is established or a signatory is added to the account." The Supplementary Information indicates that FinCEN considered requiring a bank to verify a customer's identity before an account is opened or within a specific time period after the account is opened. However, FinCEN recognized that such an approach would be unduly burdensome for banks and customers and therefore contrary to the statute, which states that such procedures must be both reasonable and practicable. MasterCard agrees. Not only would it be burdensome for banks to verify identity before opening every account, but it would also greatly inconvenience honest customers who would experience unnecessary delays in opening accounts. Therefore, MasterCard requests that FinCEN retain the approach outlined in the Proposed Rule in any Final Rule and allow banks a reasonable time period after the account is opened to verify a customer's identity.

Verification: Methods

Under the Proposed Rule, a bank may rely on a variety of verification methods with respect to a customer's identity. This flexibility is important because, for example, a verification method that may be appropriate and convenient for a transaction taking place in a bank branch may not be appropriate for an application taken over the Internet. Indeed, even similar types of transactions may require different verification methods depending on the customer or the information available. The Supplementary Information notes, for example, that even in face-to-face transactions, obtaining a photo identification may not be possible with respect to all customers. We believe it is important for FinCEN to maintain this approach in the Final Rule in order to ensure that banks have the ability to craft appropriate verification methods depending on the circumstances surrounding the opening of the account.

Recordkeeping

Under the Act, the Secretary of the Treasury must establish "reasonable procedures for... maintaining records of the information used to verify a person's identity, including name, address, and other identifying information." In response to this requirement, FinCEN proposes to require each bank to maintain a record of: (i) the identification information provided by each customer; (ii) a copy of any document that was relied on pursuant to the bank's documentary verification procedures that clearly evidences the type of document and any identification number it may contain; (iii) the methods and result of any measures undertaken to verify the customer's identity pursuant to the bank's non-documentary verification efforts; and (iv) the resolution of any discrepancy in the identifying information obtained. The bank must retain all records for five years after the date the account is closed.

MasterCard understands and supports the need to maintain records documenting compliance with the requirements of Section 326. We are concerned, however, that the types of records and retention period required under the Proposed Rule could unintentionally require banks to substantially modify their recordkeeping procedures and greatly expand their record storage capacity. We believe that these burdens could be significantly reduced if the following changes were adopted.

First, with respect to identifying information, a bank should be required to retain only that information relied on by the bank, not all of the information that may have been provided by the customer. Second, retention of actual copies of documents relied on by a bank should not be required so long as the bank has recorded sufficient information to identify the document. For example, a photocopy of a driver's license should not be required provided that the driver's license number is recorded and retained. Third, banks should not be required to retain the methods and results of verification measures undertaken or the resolution of discrepancies for each customer so long as the bank can demonstrate that it has implemented reasonable procedures to verify identity and resolve discrepancies. Fourth, the record retention period should be shortened significantly. The Proposed Rule would require recordkeeping that goes far beyond standard practices. For example, under the Proposed Rule, if a bank has a relationship with a customer for 10 years, it would have to keep records on that customer for 15 years. In contrast, the record retention period for credit applications under the Equal Credit Opportunity Act is 25 months (12 months for business credit) after the date the creditor notifies the applicant of the action taken on the application. Similarly, a 2-year record retention requirement is standard under the Truth in Lending Act and the Electronic Fund Transfer Act.

For these reasons MasterCard urges FinCEN to amend the record retention requirement. A requirement to retain the verification records for two years after an account is opened should be adequate. We do not believe that such an approach would fall short of the goal stated in the statute: that banks verify the identity of their customers. A two-year period would allow bank regulators the opportunity to evaluate a bank's compliance with the Final Rule and the bank's own CIP. This time period will also allow each bank the opportunity to perform audits on its CIP as required under its broader anti-money laundering program obligations. Furthermore, if the bank continues to hold the account after the 2-year period, it will continue to have the information needed by FinCEN or others in law enforcement (e.g. name, address, account number, etc.) in connection with examinations or investigations. We believe that this up-to-date contact and identification information may even be of more use than information gathered when the account was opened - information much more likely to be out of date.

Customer Notice

Section 326 requires the Secretary of the Treasury to issue regulations that "at a minimum, require... customers (after being given adequate notice) to comply with" reasonable customer identification procedures. The Proposed Rule states that banks must notify customers that the bank is requesting information to verify their identity. According to the Supplementary Information, such notice may take the form of a sign in a bank lobby or any other form of written or oral notice.

We urge FinCEN to retain this approach. In particular, it may be that a bank will not be able to post a sign at a physical location depending on how the account is opened (e.g. via the Internet or over the telephone) in order to provide customers with the notice, and will therefore need to rely on the ability to provide notice through other written or oral communications. We also urge FinCEN to modify the Supplementary Information to clarify that a bank may provide the notice electronically if the customer communicates information electronically to the bank in connection with the opening of an account, and not just in instances when the account is opened electronically. For example, if the customer provides information via the Internet, but the account is not actually opened through the Internet, the bank should still be able to provide the notice electronically.

Compliance Date

FinCEN notes that, by statute, the regulations implementing Section 326 of the Act must be effective by October 25, 2002. We are concerned that it will not be possible for banks to comply with a Final Rule by this time period. For this reason, we request FinCEN to allow banks adequate time to develop and implement a CIP before compliance with the Final Rule is required. Aside from determining the verification procedures that should be undertaken for the different types of accounts opened and the methods for opening them, banks would also likely need to alter their current systems requirements, and redesign their recordkeeping procedures. In order to allow sufficient time to accomplish this task, we request that banks be provided a period of 12 months after the Final Rule becomes effective to develop and implement a CIP that meets the requirements of the Final Rule.

Conclusion

MasterCard again thanks FinCEN for the opportunity to comment on this important matter. We appreciate FinCEN's effort to develop a Proposed Rule that implements the statutory requirements of Section 326 without creating unreasonable or impractical requirements for banks. We hope that our suggestions will assist FinCEN in meeting this goal.

If you have any questions concerning our comments, or if we may otherwise be of assistance in connection with this issue, please do not hesitate to call me, at the number indicated above, or Michael F. McEneney at Sidley Austin Brown & Wood LLP, at (202) 736-8368, our counsel in connection with this matter.

Sincerely,

Joshua L. Peirez
Vice President &
Senior Legislative/Regulatory Counsel

cc: Michael F. McEneney, Esq.


1 MasterCard is a global membership organization comprised of financial institutions that are licensed to use the MasterCard service marks in connection with a variety of payments systems.

Last Updated 09/11/2002 regs@fdic.gov
