Federal Deposit
Insurance Corporation

FinCEN
Section 326 Bank Rule Comments
P.O. Box 39
Vienna, VA 22183
Attention: Section 326 Bank Rule Comments

               Re: Section 326 USA PATRIOT Act Proposed Rules

Ladies and Gentlemen:

This comment letter is submitted on behalf of Visa U.S.A. in response to the Secretary of the Treasury's ("Treasury") request for comments on a proposed rule to implement section 326 of the USA PATRIOT Act ("Act"). Visa appreciates the opportunity to provide written comment on this important matter.

The Visa Payment System, of which Visa U.S.A.¹ is a part, is the largest consumer payment system in the world, with more volume than all other major payment cards combined. There are more than one billion Visa-branded cards, and they are accepted at more than 24 million physical locations in more than 130 countries. Visa plays a pivotal role in advancing new payment products and technologies, including information security initiatives, to benefit its 21,000 member financial institutions and their millions of cardholders worldwide. In 2002, well over $2 trillion in goods and services will be purchased using Visa products.

Visa also is the leading consumer e-commerce payment system in the world. Payment cards presently account for nearly 95 percent of online consumer transactions, and Visa card transactions account for 53 percent of that payment card portion. Moreover, we expect ten percent of Visa's overall transaction volume to come from Internet purchases by 2003, up from two percent today.

Section 326 of the Act requires the Treasury to prescribe regulations for financial institutions setting forth minimum standards for establishing the identity of their customers in connection with the opening of accounts and the establishment of other customer relationships. Under the Act, the Treasury is required to take into consideration the various types of accounts, the various methods of account opening, and the various types of identifying information available. The Department of the Treasury, through the Financial Crimes Enforcement Network, together with the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration (collectively, the "Agencies") jointly released a proposed rule to implement section 326 of the Act ("Proposed Rule"), which would require a covered financial institution to establish a program ("Program") to verify the identity of customers.

While, in part, the Proposed Rule attempts to provide desirable flexibility by permitting an institution to implement a program that is appropriate given the bank's size, location, and type of business, the Proposed Rule, nevertheless, includes a number of specific requirements that would significantly increase the cost of opening credit card accounts, while not yielding corresponding benefits in terms of verifying the identity of persons seeking to open a credit card account. In addition, many of the requirements of the Proposed Rule need clarification. We encourage the Agencies to consider or reconsider the types of systems that are already in place at many financial institutions to identify customers or prospective customers, and the natural market incentives that financial institutions already have to properly identify their customers.

Finally, and perhaps most importantly, depending on the specific revisions that are incorporated into the final rule, financial institutions will require substantial implementation time-up to 18 months-before the final rule becomes effective in order to modify their systems to obtain and to verify the information required to establish the identity of new customers. Even if the Agencies adopt a final rule that incorporates the recommended revisions, a delay in the mandatory compliance date-at least six months-would be necessary to establish a Program that would include procedures for verifying a customer's identity. However, if the final rule is substantially similar to the Proposed Rule, the minimum time necessary for institutions to develop, implement, and test systems would be 18 months.

    General Comments.

    Existing Incentives Have Lead to Appropriate Identification Procedures.

As an initial matter, we appreciate the flexibility that is built into the Proposed Rule and the recognition that Programs should be tailored to the bank's size, location, and type of business. However, we believe that the Proposed Rule does not adequately recognize the significant differences that currently exist in the various procedures and the inherent incentives that financial institutions have to identify customers and prospective customers, depending on the type of account relationship. For example, in extensions of credit, financial institutions have an even greater incentive to verify accurately the identity of their borrower than they do in the case of deposit accounts because a misidentification of a customer for a loan is likely to lead to a loss on the loan. Further, accounts that involve ongoing contact between the financial institution and the customer, such as the mailing of monthly statements and the receipt of customer service calls, tend to verify the identity of the customer through repeated communication with the customer at a specific address or a particular phone number. This verification is strongest in those cases where the customer routinely responds to that contact in a timely manner, such as by paying a monthly bill.

In the case of credit card accounts, in particular, we believe that the inherent incentives of the credit card issuer to minimize fraud, assure payment for authorized charges and to maintain and to grow the customer relationship, lead the card issuer to establish customer identification and verification procedures that result in a high level of reliability in the identification process. In addition, the existing identification procedures developed by card issuers are the most cost-effective procedures for receiving and processing customer applications and opening new accounts. Because these procedures are continually being tested by efforts to obtain credit fraudulently, including through identity theft, these procedures are continually evolving to meet these challenges?challenges that typically are not present, for example, with respect to deposit accounts. Thus, credit card issuers increasingly are relying on private services that specialize in helping to identify customers, as well as consumer reports and other means of customer identification and verification.

Despite this strong correlation between the incentives of credit card issuers for customer identification and the purposes of the Proposed Rule, the Proposed Rule includes a significant number of requirements that do not correspond to current credit card issuer practices. And, because card issuers already employ effective identification and anti-fraud procedures, these proposed requirements will result in an increase in regulatory-imposed costs, with no corresponding increase in the level of identification of customers and persons seeking to open accounts. In this regard, it is important to note that the recent GAO Report "Money Laundering: Extent of Money Laundering through Credit Cards is Unknown" ("Report") states that the regulators themselves believe that anti-money laundering examination resources should be dedicated to higher-risk areas of the bank, such as private banking, correspondent banking, or wire transfers, rather than credit card accounts. GAO-02-670 (July 22, 2002). Moreover, even though the body of the Report suggests that money laundering through the use of credit cards is possible, the Report still does not identify customer identification procedures as an important tool in reducing the likelihood of such an event. Accordingly, Visa believes that the Agencies should reconsider the specific requirements included in the Proposed Rule in favor of more flexible requirements that will allow the rapidly developing, market driven, account opening procedures to continue to shape identification programs where, as in the case of credit card accounts, those procedures have demonstrated that they will lead to a high level of customer identification.

    Definition of Bank.

   Exclude Foreign Offices.

Proposed Section 103.121(a)(2) would define "bank" to include virtually all of the financial institutions regulated by the Agencies, including foreign branches of an insured bank. The supplemental information to the Proposed Rule states that the regulation must be implemented throughout the bank no matter where its offices are located. Many countries have money laundering laws and regulations, as well as consumer protection and privacy laws, that govern how information should be collected and for what purposes. The Proposed Rule, which includes specific information collection and verification requirements, may conflict with these laws. As in the case of domestic transactions, foreign transactions already are designed to identify customers consistent with local laws and practices. Accordingly, imposing U.S. specific requirements on foreign offices will not only entail increased costs and burdens but will also place U.S. institutions at a competitive disadvantage with foreign institutions.

    Definition of Account.

    Clarify Definition.

Proposed section 103.121(a)(1) defines an account to mean "each formal banking or business relationship established to provide ongoing services, dealings, or other financial transactions." Visa understands that the Agencies based the proposed definition on the statutory definition of "account" provided in section 311 of the Act. Visa believes that even though the definition is limited appropriately to relationships that involve ongoing services, thus excluding an infrequent or a one time transaction involving a payment product (i.e., stored-value cards), in some situations the proposed definition is overly inclusive and, as proposed, could include bank relationships that do not play a roll in money laundering or terrorist financing. For example, the proposed definition is not clearly limited to financial transactions. Instead, the definition of account could be interpreted to include non-transactional services, such as advisory services, data processing services, or other relationships or services that do not involve financial transactions.

In order to avoid imposing unnecessary regulatory requirements on transactions and relationships that do not pose a threat of money laundering or terrorist financing, Visa recommends that the definition be revised to include only those types of accounts that are established on an ongoing basis to provide customers of a financial institution with the ability to conduct financial transactions-such as transactions conducted in a deposit account or a credit account. Such a definition would exclude an institution's relationship with vendors or other entities that provide servicing or processing on the institution's behalf.

    Definition of Customer.

Section 103.121(a)(3) of the Proposed Rule would define "customer" to include any person seeking to open a new account, any signatory on the account at the time that the account is opened, and any new signatory thereafter. The inclusion of applicants and signatories within the definition of customer is wholly inconsistent with current practices and makes many of the requirements of the Proposed Rule impossible, or commercially impracticable, to meet.

   Limit the Requirements for Applicants.

While Visa understands that the statute makes specific reference to persons "seeking to open an account," we believe that the Proposed Rule should focus on customers with ongoing account relationships, not on persons seeking to open an account. In this regard, a common reason for not opening an account is that the person seeking to open the account fails to provide requested information. In addition, any information that is provided on such persons may indicate that further processing of an application would not be warranted because the application is sure to be denied; therefore, it makes little sense to require an institution to seek additional information on someone who will never become its customer.

For example, it would be a useless expense to obtain a credit report on an applicant, or to verify information already obtained, where the face of the application shows that the consumer will not qualify for credit, and, thus, there is no justification for continuing the application process. The final rule should clarify that the verification and identification requirements do not apply to individuals for which accounts are not opened. Moreover, often the account opening procedures provide no practical means to obtain omitted information about an applicant, such as when the application is submitted by mail. Even where applications are submitted through an interactive process, there is no means to compel applicants to provide information, other than to deny them the requested service. For these reasons, in the case of persons seeking to open an account, the final rule should merely provide that the financial institution should retain any identifying information that has been provided in connection with the application process for an appropriate period of time.

In this regard, Visa recommends that the Agencies revise the Proposed Rule to clarify that a person merely "inquiring" about an account would not be a customer. The Federal Reserve Board's Official Staff Commentary to Regulation B, which implements the Equal Credit Opportunity Act ("ECOA"), distinguishes between an application and an inquiry. Consistent with Regulation B Comment 202.2(f)-4, we recommend that the Agencies specifically clarify that a customer merely calling or requesting information, without completing an application, is not seeking to open an account and thereby is not a customer under the rule. |

    Exclude "Signatories" on Credit Card Accounts.

The Proposed Rule's reference to signatories in the definition of customer also would make it difficult, if not impossible, to meet many of the requirements of the Proposed Rule. Although the term "signatory" is not defined in the proposal itself, the supplementary information accompanying the Proposed Rule states that "for example, an individual with signing authority over a corporate account is a 'customer' within the meaning of the proposed rule." Visa strongly recommends that, in the case of credit card accounts, the definition or scope of the term "signatory" in the final rule be clarified to apply only to account holders and not to other individuals who may be permitted to use an account. Specifically, for example, the final rule should make it clear that the identification and verification requirements do not apply to individuals simply authorized to use a credit card issued to another individual or to a business.

First of all, while the example of a signatory in the supplementary information to the Proposed Rule is based on a corporate account, the language of the Proposed Rule is not so limited, raising the specter that "signatory" could include individuals who simply are permitted to use credit cards issued to others, including spouses and children of account holders. Further, in the context of credit cards issued to a corporation for use by corporate employees for business purposes, the Proposed Rule could be read to result in all such employees being considered signatories on the account and, therefore, customers subject to the identification and verification requirements, because those employees were authorized by the corporation to enter into transactions on behalf of the corporation. Such an interpretation could destroy corporate account programs as they are structured today.

In this regard, individuals with credit card accounts often authorize other individuals to use their accounts. The authorization may be more formal, as when a corporate card is issued in the name of the user; or the authorization may be very informal, as when the credit card or a credit card number is "loaned" to a spouse, child, or other person. In either case, the account holder is the customer (that is, the person liable on the account), and the card issuer is likely to have no direct contact with, and often no knowledge of, the user. In these circumstances, it is impossible for the card issuer itself to collect and verify information about the user. For example, in the case of individual accounts, while the card issuer could request card holders to supply information about individuals who will receive a card bearing their name, it would be impossible to verify the information through documents, because there would be no face-to-face contact, or through consumer reports because, under federal law, a consumer report would not be available to the issuer unless the user was liable on the account. Less formal user arrangements present even greater difficulties in verifying the identity of such users.

To the extent that the corporation is liable on the accounts, the terms of that liability are governed by the terms of the agreement between the corporation and the card issuer. Since the corporation stands behind all authorized use of its cards, typically the only focus of the card issuer is how the card user's name is spelled on the card. On such accounts, fraud control is usually performed by evaluation of transaction patterns, rather than reliance on signature comparison or other means of identifying the individual presenting the card. As in the case of cards issued to individuals, where the user is not listed on the account, a consumer report would not be available. The cost required to obtain the required information could be significant, particularly if the issuer could not rely on the corporate customer to obtain and to verify the information on its own behalf. Without a consumer report and without direct contact with the card user, a card issuer would be forced to rely solely on non-consumer-reporting-agency identification services to identify tens of thousands, if not millions, of users at greatly increased cost and without a corresponding benefit.

Visa urges the Agencies to clarify that only individual account holders, in the case of individual accounts, and corporate officers with complete authority over the account, in the case of corporate accounts, such as those individuals with the authority to authorize card use by employees, are considered signatories to the account. Similarly, the Agencies should clarify that individuals with payment cards, such as those that are funded by an employee's payroll account held by a corporation, are not customers and, thereby, are not covered under the rule. Such payment cards are typically provided to consumers by the consumer's employer. As in the case of corporate credit cards, the card issuer's relationship is with the corporation, rather than the individual users, and there is no ready mechanism for the bank to obtain and verify information about the users directly.

    Changes in Terms are Not New Accounts.

The customer identification requirements of the Proposed Rule, fortunately, do not apply to existing customers, therefore, avoiding the Herculean task of obtaining additional information about those customers, verifying the information, reconciling discrepancies, and maintaining records. However, under the Proposed Rule, the coverage of customers that request or receive a credit line increase is unclear. In many instances, existing customers in good standing with an institution periodically will receive a line increase, such as at account renewal, and often the line increase is not requested, but expected. Visa recommends that the Agencies clarify, either in the supplementary information or in the definition of account or customer, that an existing customer who receives an increase in his or her credit line, whether or not that line increase is requested, and who would not previously have been verified under the rule, would not be covered under the rule. A contrary rule would discourage card issuers from granting line increases because the process would trigger the requirements of the Proposed Rule to customers with line increases.

Similarly, customers with existing deposit accounts may be provided additional features on the account. For example, institutions may provide customers with a debit card, ATM card, or other device that provides access to the customer's already existing deposit account. Visa recommends that the Agencies make clear that providing individuals with an additional feature, such as a debit card, is not opening an account under the rule.

    Identity Verification Procedures.

    Information Required by the Proposed Rule is not Collected Today.

Proposed section 103.121(b)(2) would require institutions to establish procedures that specify the identifying information that an institution must obtain from a customer. At a minimum, prior to the opening of an account, or adding of a signatory to an account, this information must include certain specific information, such as the name, date of birth, residence, and, if different, mailing address and taxpayer identification number. For persons other than individuals, the principal place of business or mailing address must also be obtained.

Currently, most credit card issuers do not obtain all of this information. For example, some issuers only require a customer's name and mailing address to open an account. Also, many card issuers do not currently ask for age, because such "protected criteria" can raise fair lending issues under existing federal law. Most card issuers currently do require a social security number or a government-issued number for anti-fraud and other identification purposes, but typically issuers will open an account if the customer cannot provide such a number -- provided that the issuer can otherwise verify the individual's identity and credit worthiness -- based on other information provided by the individual or by a joint account holder. The need for, or corresponding benefit of, certain additional information required under the Proposed Rule is not clear. Also, some institutions do not obtain certain information, such as a taxpayer identification number, until after the account is opened. Requiring that this information be obtained before, instead of after the account is opened, would create additional costs with no additional benefit in terms of combating money laundering or detecting terrorist financing.

Money laundering is not a new issue in banking; financial institutions have long maintained procedures, as required under the Bank Secrecy Act, designed to identify suspicious financial transactions. Absent the availability of a standardized methodology to identify accurately financial institution customers, the Agencies should not require institutions to collect new information without first determining and articulating its benefit. Today, identification verification is achieved by producing enough evidence to conclude with a high degree of certainty that the person is who she or he says she or he is. Some of the information that institutions would be required to obtain under the Proposed Rule would have no commercial value and would go beyond information that institutions already are collecting in connection with their existing money laundering and fraud-alert programs. Moreover, it is not clear that such information would enhance the ability of financial institutions to identify their customers. For example, with respect to individuals, the Proposed Rule would require institutions to begin obtaining the customer's date of birth without any indication of the need for such information. Although, in some cases, date of birth may distinguish fathers from sons, generally, it is not an important identifying characteristic and, as indicated above, can lead to fair lending and other discrimination issues.

Similarly, in many instances, institutions would be required to obtain two addresses: a mailing address and, if different, a residential address. Currently, many financial institutions collect, and only have one field in their automated system for, a single customer address. This field is used for a mailing address to which account statements are sent. The card issuer has no need for a residential address. While we understand that a residential address, if different from the mailing address, may help law enforcement "stake out" a suspected money launderer or terrorist, the practical problems associated with collecting and potentially verifying multiple addresses are enormous. In addition to the difficulty institutions would have in changing systems to accommodate two addresses, applicants are likely to resist providing more than one address as an unnecessary intrusion into their privacy. Also, financial institutions may not know that the address provided is not a residential address unless the address provided is a post office box. Even if a residential address is obtained, it may be impossible to verify that the individual actually resides there, as opposed to using that address as a mail drop or as a vacation home.

For these reasons, Visa recommends that the Proposed Rule be revised to provide institutions who already have systems in place to identify their customers and to detect suspicious transactions with flexibility in determining what information and supporting information is necessary to identify their customers. In other words, for example, in the case of credit card accounts, the Proposed Rule should be revised only to require the collection of information that a card issuer deems necessary and appropriate to identify customers.

In addition, regardless of whether the final rule requires the collection of specific information, the final rule clearly and specifically should provide that any state law that precludes a financial institution from collecting or obtaining information in order to comply with its identification program under the final rule is preempted. Such a clarification would ensure that individual states or local governments do not enact well-intentioned statutes designed to protect consumer privacy or prevent identity theft but that have the unintended consequence of interfering with customer identification programs.

   Customer Notice.

    Permit a Simple Notice.

Proposed section 103.121(b)(5) would require a financial institution to include in its Program procedures for providing its customers with "adequate notice" that the bank is requesting information to verify his or her identity. The supplementary information to the Proposed Rule states that a bank may satisfy the notice requirement by generally notifying its customers about the procedures with which the bank must comply to verify their identities. Such procedures are likely to be lengthy and confusing. We believe that a simple sentence explaining that certain information will be used to verify the customer's identity on an application or other account opening documents should be adequate. Accordingly, we recommend that the Agencies clarify, in the supplemental information or in the text of the rule, that the notice may be combined with other information or forms provided in connection with the account, and that a brief notice, as opposed to an explanation of verification procedures, is sufficient.

    Verification.

    Verify Identities, Not Information.

Proposed section 103.121(b)(2)(ii) would require institutions to establish procedures for verifying the information that a bank obtains when a customer is seeking to open an account. In contrast, section 103.121(b)(ii)(A) and 103.121(b)(ii)(B) refer to verifying identity. Verification of the information obtained and verification of identity can be very different. Visa believes that institutions should only be required to verify the identity of the customer.

The Proposed Rule appears to contemplate that institutions would seek to verify each piece of information that is obtained from a customer. When verification of identity is accomplished through the use of consumer reports and identity verification services, the identity of an individual often is verified by comparing a number of different pieces of information and making a judgment, often using artificial intelligence, to determine the identity of a specific individual. Often, this process does not involve definitively verifying individual pieces of information or resolving discrepancies between particular pieces of information. For example, a financial institution might be perfectly satisfied that an individual who recently moved has provided the correct address, because other information provided by the applicant matched the information obtained from the applicant. However, the address may be difficult to verify given the fact that the consumer just recently moved and the credit report, for example, reflects the customer's previous address. Similarly, a card issuer may request information, such as date of birth or age, that is used for verification of an individual's identity only in particular circumstances, such as when it is necessary to distinguish a father from a son. There is no reason to verify this information when, in fact, the institution has already or otherwise successfully verified the identity of the individual. For the same reasons, Visa recommends that the Agencies clarify that institutions are not required to resolve discrepancies in information obtained, as long as the institution believes that it has verified the identity of the customer.
In addition, the operation of the Fair Credit Reporting Act ("FCRA") and ECOA in collecting certain verifying information is unclear. For instance, under the Proposed Rule, institutions may request additional information to verify a customer's identity. In this regard, identification services have been developed to aid financial institutions in identifying customers. However, in some cases, the information provided by the services may be limited by concerns that providing certain information, such as information about accounts at other financial institutions, may lead to that identity verification service becoming a consumer reporting agency under the FCRA. The Agencies should clarify that to the extent that information obtained in connection with the rule is used to "assist" an institution in verifying the identity of a customer for purposes of the customer identification program and not the customer's eligibility for credit, the information would not be considered "consumer report" information under the FCRA-that is, information bearing on a consumer's credit worthiness, credit standing, character, such as income, or credit score-even if the institution decides not to open an account because the applicant fails to provide verifiable information.

    Clarify Relationship Between Collection, Verification and Adverse Action.

We also urge the Agencies to clarify the relationship between the collection and verification of information for purposes of the customer identification program and "adverse action" under other laws. For example, if a lender may request information for purposes of the Program, the inability to obtain that information and the refusal to open an account on that basis could trigger the adverse action requirements contained in both the FCRA and the ECOA. Visa believes that institutions should be permitted to use the information to alert institutions as to matters that the institution will further investigate. However, to the extent that such further investigations result in the failure to open, or the closure of, an account, such actions should not trigger FCRA or ECOA requirements.

In addition, there is a drafting error in proposed section 103.121(b)(2)(ii)(B), which sets forth the "non-documentary" requirements that institutions must employ when an individual is unable to present actual documents. The Proposed Rule refers to "independently" verifying "documentary" information, using credit bureau reports and other means. The Agencies should make clear that such non-documentary means can be used to verify the identity of a customer and that documentary means are not required.

    Recordkeeping.

    Reduce the Information that Must be Retained.

Section 103.121(b)(3) of the Proposed Rule would require an institution to include in its Program a record of the identifying information provided by the customer. Specifically, the records would have to be retained for five years after the account is closed and would have to include all identifying information provided by the customer, a "copy" of any document that was relied upon, the methods and results of any measures undertaken to verify the customer's identity, and the institution's resolution of any discrepancy in the identifying information obtained.

The types of records obtained in connection with credit card lending are significantly different from those obtained in connection with records obtained in connection with other financial products. With respect to credit card lending, the records would typically consist of the application and other information relied upon in identifying the customer. There is little value in maintaining copies of credit reports, for example, and other information that an institution might use in identifying the customer. We see no reason to retain credit report information, for example, when the correspondence between the applicant's self-reported information and the credit report information, rather than the credit report information itself, form the basis for the conclusion that the customer's identity has been verified. Nor do we see why a bank should retain a record of the processes the bank uses to verify customer identity on a customer-by-customer basis, if the processes and verification standards do not vary from customer to customer.

Visa recommends that the Proposed Rule be revised to provide financial institutions with the flexibility to retain the information that the institution deems necessary to readily identify the customer. Such a revision would avoid having financial institutions retain and make copies of valueless documents.

  Shorten the Record Retention Period.

Furthermore, the record retention standard should be consistent with existing regulations. The period of retention for any documents or other materials should be no greater than that of any record retention requirement that already applies to such documents or other materials. In the case of credit card accounts, "[a] creditor shall retain evidence of compliance with [Regulation Z, implementing the Truth in Lending Act] for 2 years after the date disclosures are required to be made or action is required to be taken." 12 C.F.R. § 226.25(a). The Proposed Rule should parallel this and other existing requirements in establishing the time period for retaining information collected in connection with the performance of the customer information program. Disparate retention requirements for different information are likely to be difficult to administer, possibly leading to the retention of all information for excessive periods, while yielding unnecessary costs. Further, particular information, including information in credit reports and about residence, will change over time. Some credit card accounts have been open for decades. Most of the information collected when these accounts were opened has no relevance for money laundering, terrorist financing, or credit purposes today.

   Clarify Retrieval is Not Required.

The Agencies should clarify that institutions are not required to be able to retrieve information retained in any particular way. Instead, institutions should be able to organize and to access their customer data bases in a variety of ways. Specifically, an institution should not be required to establish a system that would generate information by the consumer's name, date of birth, mailing address, account number, or by any type of information. Such a requirement would be particularly problematic for information that is required to be maintained on applicants where the information is of no ongoing use to the institution.
Finally, the Agencies should clarify that records may be retained electronically in any form that allows the institution to reconstruct accurately or reproduce the records.

Once again, we appreciate the opportunity to comment on this important matter. If you have any questions concerning these comments, or if we may otherwise be of assistance in connection with this matter, please do not hesitate to contact me at (415) 932-2178.

__________________________________