Regulatory Advocacy

CUNA Regulatory Comment Call

July 19, 2002

Proposed Patriot Act Regulations on Member/Customer Identification

EXECUTIVE SUMMARY

The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001 (Patriot Act) requires the U.S. Department of Treasury to issue regulations setting forth minimum standards for financial institutions that relate to the identification and verification of any person who applies to open an account. Final regulations must be effective by October 25, 2002.

The Treasury and the other federal financial institution regulators, including NCUA, have jointly issued proposed rules that would require certain financial institutions to establish minimum procedures for identifying and verifying the identity of customers seeking to open new financial accounts.

The aim of the proposed rules is to protect the U.S. financial system from money laundering and terrorist financing. According to the Treasury, the “know your customer/member” rules, when finalized, would have the added benefit of helping to protect consumers against various forms of fraud, including the growing incidence of identity theft involving new accounts.

Financial institutions subject to the proposed rules would be required to do the following:

Establish programs specifying procedures for obtaining identifying information from customers/members seeking to open new accounts. The identifying information would be essentially the same information currently obtained by most financial institutions and for individual members/customers generally, including the customer’s/member’s name, address, date of birth and an identification number (for U.S. persons, a social security number; for non-U.S. persons, a similar number from a government-issued document). Members/customers with a signature authority over business accounts would furnish substantially similar information.
The program would also have to contain procedures to verify the identity of members/customers within a reasonable period of time. The proposed rules contemplate that financial institutions will generally use the same forms of identity verification that are already in place, such as examining drivers licenses, passports, credit reports, and other similar means.
Keep records of the information used to verify identities.
Check the names of new members/customers against government lists of known terrorists and terrorist organizations.
Provide members/customers with notice that the institution is requesting information.

While every program must meet the minimum elements previously mentioned, the proposed rules give financial institutions the flexibility to tailor their procedures as appropriate, taking into consideration an individual institution’s size, location, and type of business.

In general, the proposal refrains from imposing broad, new requirements on credit unions and other financial institutions at account opening. Credit unions and other financial institutions already have a number of procedures in place covering the opening of new accounts and the proposal appears to recognize that fact. CUNA is reviewing the proposal in depth with CUNA's Examination and Supervision Subcommittee, which will be developing our comments. One issue CUNA wants to make sure is clear is that credit unions will be able to rely on official documents such as the Matricula issued by the government of Mexico in opening accounts, particularly for those in low-income areas.

Comments are due to NCUA by September 6, 2002. Comments should be sent to Becky Baker, Secretary of the Board, National Credit Union Administration, 1775 Duke Street, Alexandria, Virginia 22314-3428. You may fax your comments to NCUA to (703) 518-6319 or e-mail them to regcomments@NCUA.gov. Please submit your comments to CUNA by August 23, 2002. Please feel free to fax your responses to CUNA at 202-638-7052; e-mail them to Associate General Counsel Mary Dunn at mdunn@cuna.com or to Senior Regulatory Counsel Catherine Orr at corr@cuna.com ; or mail them to Mary and Catherine in c/o CUNA’s Regulatory Advocacy Department, 601 Pennsylvania Avenue, NW, South Building, Suite 600, Washington, DC 20004-2601. To obtain a copy of the proposed regulations, please click here.

Credit unions that are not federally insured should send their comments to the Financial Crimes Enforcement Network (FinCEN). Comments should be mailed by September 6, 2002 to FinCEN, Section 326 Certain Credit Union and Trust Company Rule Coments, P.O. Box 39, Vienna, VA 22183 or sent by e-mail to regcomments@fincen.treas.gov with the caption "Attention: Section 326 Certain Credit Union and Trust Company Rule Comments" in the body of the text. For a copy of the proposal for credit unions that are not federally insured (the rules are the same as those for federally insured credit unions), please click here.

BACKGROUND

On October 26, 2001, the President signed the Patriot Act. The law is intended to facilitate the prevention, detection, and prosecution of international money laundering and the financing of terrorism. Section 326 of the Patriot Act directs the U.S. Department of the Treasury (Treasury) to jointly prescribe with each of the federal financial institution agencies, the Securities and Exchange Commission, and the Commodities Futures Trading Commission regulations setting forth minimum standards for financial institutions regarding the identification and verification of any person who applies to open an account. The Patriot Act specifies that those regulations must, at a minimum, require financial institutions to implement reasonable procedures for: (1) verifying the identity of any person seeking to open an account, to the extent reasonable and practicable; (2) maintaining records of the information used to verify the person’s identity; and (3) determining whether the person appears on any list of known or suspected terrorists organizations provided to the financial institution by any government agency. The Treasury has issued these proposed regulations for the purpose of soliciting comments.

DESCRIPTION OF THE PROPOSED RULES

Definition of “Account”

The proposed “know your customer/member” regulations would apply to persons seeking to open a new account at a financial institution. “Account” is defined in the proposal so as to make clear that this term is not intended to cover infrequent transactions such as the occasional purchase of a money order or a wire transfer: “Account means each formal banking or business relationship established to provide ongoing services, dealings, or other financial transactions. For example, a deposit account, a transaction or asset account, and a credit account or other extension of credit would each constitute an account.”

Definition of “Customer”

The proposed rule defines “customer” to mean any person seeking to open a new account. Accordingly, the term “customer” includes a person applying to open an account, but would not cover a person seeking information about an account, such as rates charged or interest paid on an account, if the person does not actually open an account. “Customer” includes both individuals and other persons such as corporations and trusts. In addition, any person seeking to open an account at a financial institution after the effective date of the final rule will be a “customer,” regardless of whether that person already has an account at the institution. “Customer” is also defined to include any signatory on an account. A signatory can become a “customer” when the account is opened or when the signatory is added to an existing account.

Transfers of accounts from one financial institution to another that are not initiated by the customer/member, for example as a result of a merger, are not covered under the proposed regulation. In some situations involving the transfer of accounts, however, it would be appropriate for a financial institution to verify the identity of customers/members associated with the accounts it is acquiring. Therefore, the federal financial institution regulators expect procedures for transfer of accounts to be part of a financial institution’s BSA Program.

Definition of “Bank”

The proposal adopts the definition of “bank” as set forth in the BSA (31 C.F.R. §103.11(c)), which encompasses virtually all financial institutions – including credit unions. The proposal modifies the definition to include “any foreign branch of an insured bank” to make clear the procedures required under the proposal must be implemented throughout the financial institution, no matter where its offices are located. In other words, the proposal would cover foreign branches of credit unions.

General Rule

The proposed regulation requires all financial institutions to implement a Customer Identification Program (CIP) that, at a minimum, includes each of the components that is discussed below. The CIP should be tailored to the bank’s size, location, and type of business. The CIP must be written and approved by the financial institution’s board of directors or a committee of the board. The approval requirement highlights the responsibility of the financial institution’s board of directors to approve and exercise general oversight over the institution’s CIP.

Currently, all insured depository institutions must have a Bank Secrecy Act (BSA) program under which they must record and retain certain records as well as report certain financial transactions to the federal government. Part 748 of NCUA’s Rules requires all federally-insured credit unions to establish and maintain procedures reasonably designed to assure and monitor compliance with the BSA requirements. In addition, all financial institutions are required to implement an anti-money laundering program (31 USC 5318(h)). Those programs must include, at a minimum: the development of internal policies, procedures, and controls; the designation of a compliance officer; an ongoing employee training program; and an independent audit function to test programs. Each of these requirements also applies to a financial institution’s CIP.

Unlike other sections of the BSA, the proposed regulation explicitly states that the CIP must be part of a financial institution’s BSA (anti-money laundering) program. The language is included to make clear that the CIP is not a separate program. For a summary of the BSA requirements, please see CUNA’s e-guide.

Identity Verification Procedures

The CIP must include procedures for verifying the identity of each member/customer, to the extent practicable. The procedures must be based on the financial institution’s assessment of the risks presented by the types of accounts maintained by the institution, the various methods of opening accounts, and the types of identifying information available. These procedures must enable the financial institution to form a reasonable belief that it knows the true identity of the member/customer.
The CIP must contain risk-based procedures for verifying the information that the financial institution obtains with a reasonable period of time after the account is opened or a signatory is added. The proposal provides a financial institution with the flexibility to use a risk-based approach to determine how soon identity must be verified.
The proposal requires a financial institution to exercise reasonable efforts to ascertain the identity of each member/customer. While the CIP must contain the identity verification procedures discussed below, a financial institution need not verify the identity of an existing member/customer seeking to open a new account or who becomes a signatory on an account if the financial institution previously verified the member’s/customer’s identity in accordance with procedures consistent with this regulation and continues to have a reasonable belief that it knows the identity of the member/customer.

Information Required

The CIP must contain procedures that specify the identifying information a financial institution must obtain from a member/customer. At a minimum, a financial institution must obtain from each member/customer the following information prior to opening an account or adding a signatory to an account:
- Name;
- For individuals, residence and, if different, mailing address; or
- For persons other than individuals, such as corporations and trusts, principal place of business and, if different, mailing address;
- For U.S. persons, a U.S. taxpayer identification number (social security number, individual taxpayer identification number, or employer identification number); or
- For non-U.S. persons, one or more of the following: a U.S. taxpayer identification number; passport number and country of issuance; alien identification card number; or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard (the term “similar safeguard” is used to permit biometric identifiers may be used in addition to or instead of photographs).
The CIP may permit the financial institution to open or add a signatory to an account for a person other than an individual (such as a corporation, partnership or trust) that has applied for, but has not received an employer identification number. However, in such a case, the financial institution must obtain a copy of the application before it opens or adds a signatory to the account and obtain the employer identification number within a reasonable period of time after it opens or adds a signatory to the account.

Verification Through Documents

The CIP must contain procedures describing when the financial institution will verify identity through documents and setting forth the documents that the institution will use for this purpose. These documents may include:

For individuals, unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard; and
For corporations, partnerships, trusts and persons other than individuals, documents showing the existence of the entity, such as registered articles of incorporation, a government-issued business license, partnership agreement, or trust instrument.

Non-Documentary Verification Methods

The CIP must contain procedures that describe non-documentary methods the financial institution will use to verify identity and when these methods will be used in addition to, or instead of, relying on documents. These procedures must address situations where an individual is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard; the financial institution is not familiar with the documents presented; the account is opened without obtaining documents; and the account is not opened in a face-to-face transaction (such as via the telephone, mail, or the Internet). A financial institution’s procedures should be risk-based, they should identify types of accounts that pose a heightened risk, and prescribe additional measures to verify the identity of any person seeking to open an account and the signatory for such accounts.

Other verification methods may include contacting a member/customer; independently verifying documentary information through credit bureaus, public databases, or other sources; checking references with other financial institutions; and obtaining a financial statement. The financial institution may also wish to analyze whether there is logical consistency between the identifying information provided, such as the customer's/member’s name, street address, ZIP code, telephone number, date of birth, and social security number (logical verification). In light of the recent increase in identity fraud, financial institutions are encouraged to use other verification methods, even when a member/customer has provided original documents.

Lack of Verification

The CIP must include procedures for responding to circumstances in which the financial institution cannot form a reasonable belief that it knows the true identity of a member/customer, including when an account should not be opened. The procedures also should specify at what point, after attempts to verify a customer’s identity have failed, member’s/customer’s account that has been opened should be closed.
If a financial institution cannot form a reasonable belief that it knows the identity of a member/customer, the procedures should also include determining whether a Suspicious Activity Report (SAR) should be filed.

Recordkeeping

Under the proposal, a financial institution is required to maintain a record of all identifying information provided by the customer/member. The CIP must include reasonable procedures for maintaining such records.
Where the financial institution relies on a document to verify identity, the institution must maintain a copy of the document that it relied on that clearly evidences the type of document and any identifying information it may contain. The institution is not required to keep a separate record of the identifying information provided by the member/customer if the identifying information clearly appears on the copy of the document maintained by the institution.
The financial institution must also record the methods and result of any additional measures (pursuant to the section on non- documentary verification methods) undertaken to verify the identity of the member/customer.
The financial institution must record the resolution of any discrepancy in the identifying information obtained.
The financial institution must retain all of these records for 5 years after the date the account is closed.
A financial institution may use electronic records to satisfy the requirements of the proposal, as long as the records are accurate and remain accessible in accordance with the BSA section concerning nature of records and retention period: “All such records shall be filed or stored in such a way as to be accessible within a reasonable period of time, taking into consideration the nature of the record, and the amount of time expired since the record was made.” (12 C.F.R. §103.38(d)).

Comparison With Government Lists

The CIP must include procedures for determining whether the member/customer appears on any list of known or suspected terrorists or terrorist organizations provided to the financial institution by any federal government agency.
The CIP procedures must also ensure the financial institution follows all federal directives issued in connection with such lists. This provision in the proposal makes clear that an institution must have procedures for responding to circumstances when it determines that a member/customer is named on a list.
Credit unions and other financial institutions are already required to comply with directives issued by the Office of Foreign Assets Control (OFAC) with respect to its “Specially Designated Nationals and Blocked Persons” list. Specifically, credit unions and other financial institutions are required to block or "freeze" property and payment of any funds transfers or transactions involving those blocked countries or members/customers whose names appears on that list, and to report the "blocks" within 10 days of occurrence. Failure to block and report an “illicit transfer” may subject the credit union to civil fines, and possibly criminal penalties.

Member/Customer Notice

The CIP must include procedures for providing financial institution members/customers with adequate notice that the institution is requesting information to verify their identity. An institution may satisfy the notice requirement by generally notifying its members/customers about the procedures the institution must comply with to verify their identities. For example, a credit union may post a sign in its lobby or provide members with any other form of written or oral notice. If an account is opened electronically, such as through an Internet website, the institution may also provide notice electronically.

Exemptions

Under the proposal, NCUA with the concurrence of the Secretary of the Treasury may, by order or regulation, exempt any credit union or type of account from the requirements of a “know your member/customer” regulation. In issuing such exemptions, NCUA and the Secretary of the Treasury must consider whether the exemption is consistent with the BSA and with safe and sound banking and whether it is in the public interest. NCUA and the Treasury of the Secretary may also consider other appropriate factors.

The proposal is also seeking comments on whether any of the exemptions in Section 103.34(a) of the BSA (12 C.F.R. §103.34(a)) could apply. That section of the BSA provides that a financial institution does not need to obtain a taxpayer identification number with respect to the following categories of persons opening certain deposit accounts:

Agencies and instrumentalities of Federal, state, local or foreign governments;
Judges, public officials, or clerks of courts of record as custodians of funds in controversy or under the control of the court;
Aliens who are (A) ambassadors, ministers, career diplomatic or consular officers, or (B) naval, military or other attaches of foreign embassies and legations, and for the members of their immediate families;
Aliens who are accredited representatives of international organizations which are entitled to enjoy privileges, exemptions and immunities as an international organization under the International Organization Immunities Act of 1945 (22 U.S.C. 288) and the members of their immediate families;
Aliens temporarily residing in the United States for a period not to exceed 180 days;
Aliens not engaged in a trade or business in the United States who are attending a recognized college or university or any training program, supervised or conducted by any agency of the Federal Government;
Unincorporated subordinate units of a tax exempt central organization which are covered by a group exemption letter;
A person under 18 years of age with respect to an account opened as a part of a school thrift savings program, provided the annual interest is less than $10;
A person opening a Christmas club, vacation club and similar installment savings programs provided the annual interest is less than $10; and
Non-resident aliens who are not engaged in a trade or business in the United States.

QUESTIONS REGARDING THE PROPOSED RULES

Is the proposed definition of account appropriate? Should other examples of accounts be added to the text of the regulation?

Yes ______ No ______

If yes, what changes should be made or what examples should be added?
How should the proposed regulation apply to various types of accounts that are designed to allow a customer to transact business immediately?
Should the definition of “bank” in the proposed regulation be amended with respect to foreign branches by (i) excluding foreign branches or (ii) clarifying that a foreign branch must comply on to the extent the institution’s program does not contravene applicable local law?

Yes ______ No ______

If yes, how should the definition be amended?
What are ways that financial institutions can comply with the requirement that an institution obtain both the address of an individual’s residence and, if different, the individual’s mailing address in situations involving individuals who lack a permanent address?
Will non-U.S. persons that are not individuals be able to provide an institution with the identifying information or should other categories of identifying information be added to permit non-U.S. persons who are not individuals to open accounts? Please suggest other means of identification that financial institutions currently use or should use.
Are there laws in your state that would prevent credit unions from following this proposal? For example, we understand that some states make it an offense to photocopy a driver’s license from that state.

Yes ______ No ______

If yes, please cite and describe any potentially conflicting state laws.
The legislative history of this section of the Patriot Act indicates that Congress intended “the verification procedures prescribed by Treasury [to] make use of information currently obtained by most financial institutions in the account opening process.” Please indicate the extent to which the verification procedures required by the proposed regulation make use of information that credit unions currently obtain in the account opening process.
Do you believe the proposed recordkeeping and document retention requirements are appropriate? In particular, would the photocopying requirements be burdensome?

Yes ______ No ______

If not, how should those requirements be modified?
Should any of the exemptions from the customer identification requirements in Section 103.34(a)(3) of the BSA mentioned in the proposal summary be continued in the exemptions section (103.121(c)) of the proposal?

Yes ______ No ______

If yes, which exemptions do you believe should be continued in the proposal?
Do you believe the operational changes your credit union would have to make to conform to this proposed regulation would be a significant burden in terms of staff time or expense? Such operational changes could include, for example, obtaining and verifying the identification of a joint account owner, co-signer or guarantor on loans.

Yes ______ No ______

If so, could you quantify that burden?
Are the requirements in the proposal clearly stated?

Yes ______ No ______

If not, how could the regulation be more clearly stated?
Would a different format (grouping and order of sections, use of headings, paragraphing) make the regulation easier to understand?

Yes ______ No ______

If so, what specific changes to the format would make the regulation easier to understand?
Other comments?

Eric Richard • General Counsel • (202) 508-6742 • erichard@cuna.com
Mary Mitchell Dunn • SVP & Associate General Counsel • (202) 508-6736 • mdunn@cuna.com
Jeffrey Bloch • Assistant General Counsel • (202) 508-6732 • jbloch@cuna.com
Catherine Orr • Senior Regulatory Counsel • (202) 508-6743 • corr@cuna.com

CUNA's Comment Call on this Issue CUNA's Comment Letter on this Issue CUNA's Final Rule Analysis on this Issue

CUNA's Comment Letter on this Issue

CUNA's Final Rule Analysis on this Issue