9 May 2003 Source: http://www.access.gpo.gov/su_docs/aces/fr-cont.html ----------------------------------------------------------------------- [Federal Register: May 9, 2003 (Volume 68, Number 90)] [Rules and Regulations] [Page 25089-25113] From the Federal Register Online via GPO Access [wais.access.gpo.gov] [DOCID:fr09my03-25] [[Page 25089]] ----------------------------------------------------------------------- Part II Department of the Treasury 31 CFR Part 103 Office of the Comptroller of the Currency 12 CFR Part 21 Office of Thrift Supervision 12 CFR Part 563 ----------------------------------------------------------------------- Federal Reserve System 12 CFR Parts 208 and 211 ----------------------------------------------------------------------- Federal Deposit Insurance Corporation 12 CFR Part 326 ----------------------------------------------------------------------- National Credit Union Administration 12 CFR Part 748 ----------------------------------------------------------------------- Commodity Futures Trading Commission 17 CFR Parts 1 and 42 ----------------------------------------------------------------------- Securities and Exchange Commission 17 CFR Part 270 and 31 CFR Part 103 Transactions and Customer Identification Programs; Final Rules and Proposed Rule [[Page 25090]] ----------------------------------------------------------------------- DEPARTMENT OF THE TREASURY Office of the Comptroller of the Currency 12 CFR Part 21 [Docket No. 03-08] RIN 1557-AC06 FEDERAL RESERVE SYSTEM 12 CFR Parts 208 and 211 [Docket No. R-1127] FEDERAL DEPOSIT INSURANCE CORPORATION 12 CFR Part 326 DEPARTMENT OF THE TREASURY Office of Thrift Supervision 12 CFR Part 563 [Docket No. 2003-16] NATIONAL CREDIT UNION ADMINISTRATION 12 CFR Part 748 RIN 3133 DEPARTMENT OF THE TREASURY 31 CFR Part 103 RIN 1506-AA31 Customer Identification Programs for Banks, Savings Associations, Credit Unions and Certain Non-Federally Regulated Banks AGENCIES: The Financial Crimes Enforcement Network, Treasury; Office of the Comptroller of the Currency, Treasury; Board of Governors of the Federal Reserve System; Federal Deposit Insurance Corporation; Office of Thrift Supervision, Treasury; National Credit Union Administration. ACTION: Joint final rule. ----------------------------------------------------------------------- SUMMARY: The Department of the Treasury, through the Financial Crimes Enforcement Network (FinCEN), together with the Office of the Comptroller of the Currency (OCC), the Board of Governors of the Federal Reserve System (Board), the Federal Deposit Insurance Corporation (FDIC), the Office of Thrift Supervision (OTS), and the National Credit Union Administration (NCUA) (collectively, the Agencies), have jointly adopted a final rule to implement section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required To Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 (the Act). Section 326 requires the Secretary of the Treasury (Secretary) to jointly prescribe with each of the Agencies, the Securities and Exchange Commission (SEC), and the Commodity Futures Trading Commission (CFTC), a regulation that, at a minimum, requires financial institutions to implement reasonable procedures to verify the identity of any person seeking to open an account, to the extent reasonable and practicable; maintain records of the information used to verify the person's identity; and determine whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency. This final regulation applies to banks, savings associations, credit unions, private banks, and trust companies. DATES: Effective Date: This rule is effective June 9, 2003. Compliance Date: Each bank must comply with this final rule by October 1, 2003. FOR FURTHER INFORMATION CONTACT: OCC: Office of the Chief Counsel at (202) 874-3295. Board: Enforcement and Special Investigations Sections at (202) 452-5235, (202) 728-5829, or (202) 452-2961. FDIC: Special Activities Section, Division of Supervision and Consumer Protection, and Legal Division at (202) 898-3671. OTS: Compliance Policy Division at (202) 906-6012. NCUA: Office of General Counsel at (703) 518-6540; or Office of Examination and Insurance at (703) 518-6360. Treasury: Office of the Chief Counsel (FinCEN) at (703) 905-3590; Office of the General Counsel (Treasury) at (202) 622-1927; or the Office of the Assistant General Counsel for Banking & Finance (Treasury) at (202) 622-0480. SUPPLEMENTARY INFORMATION: I. Background A. Section 326 of the USA PATRIOT Act On October 26, 2001, President Bush signed into law the USA PATRIOT Act, Pub. L. 107-56. Title III of the Act, captioned ``International Money Laundering Abatement and Anti-terrorist Financing Act of 2001,'' adds several new provisions to the Bank Secrecy Act (BSA), 31 U.S.C. 5311 et seq. These provisions are intended to facilitate the prevention, detection, and prosecution of international money laundering and the financing of terrorism. Section 326 of the Act adds a new subsection (l) to 31 U.S.C. 5318 of the BSA that requires the Secretary to prescribe regulations ``setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account at a financial institution.'' Section 326 applies to all ``financial institutions.'' This term is defined very broadly in the BSA to encompass a variety of entities, including commercial banks, agencies and branches of foreign banks in the United States, thrifts, credit unions, private banks, trust companies, investment companies, brokers and dealers in securities, futures commission merchants, insurance companies, travel agents, pawnbrokers, dealers in precious metals, check-cashers, casinos, and telegraph companies, among many others. See 31 U.S.C. 5312(a)(2) and (c)(1)(A). For any financial institution engaged in financial activities described in section 4(k) of the Bank Holding Company Act of 1956 (section 4(k) institutions), the Secretary is required to prescribe the regulations issued under section 326 jointly with each of the Agencies, the SEC, and the CFTC (the Federal functional regulators). Section 326 of the Act provides that the regulations must require, at a minimum, financial institutions to implement reasonable procedures for (1) verifying the identity of any person seeking to open an account, to the extent reasonable and practicable; (2) maintaining records of the information used to verify the person's identity, including name, address, and other identifying information; and (3) determining whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency. In prescribing these regulations, the Secretary is directed to take into consideration the various types of accounts maintained by various types of financial institutions, the various methods of opening accounts, and the various types of identifying information available. B. Overview of Comments Received On July 23, 2002, Treasury and the Agencies published a joint notice of proposed rulemaking in the Federal Register (67 FR 48290) applicable to (a) any financial institution defined as a ``bank'' in 31 CFR 103.11(c) \1\ and [[Page 25091]] subject to regulation by one of the Agencies; and (b) any foreign branch of an insured bank. On the same date, Treasury separately published an identical, proposed rule for credit unions, private banks, and trust companies that do not have a Federal functional regulator (67 FR 48299).\2\ Treasury and the Agencies proposed general standards that would require each bank to design and implement a customer identification program (CIP) tailored to the bank's size, location, and type of business. The proposed rule also included certain specific standards that would be mandated for all banks.\3\ --------------------------------------------------------------------------- \1\ This definition includes banks, savings associations, credit unions, Edge Act and Agreement corporations, and branches and agencies of foreign banks. \2\ In the preamble for this proposed rule, Treasury explained that a single final regulation would be issued for all financial institutions defined as ``banks'' under 31 CFR 103.11(c), with modifications to accommodate certain differences between Federally regulated and non-Federally regulated banks. See 67 FR 48299, 48300. \3\ At the same time, Treasury also published (1) together with the SEC, proposed rules for broker-dealers (67 FR 48306) and mutual funds (67 FR 48318); and (2) together with the CFTC, proposed rules for futures commission merchants and introducing brokers (67 FR 48328). --------------------------------------------------------------------------- Treasury and the Agencies collectively received approximately five hundred comments in response to these proposed rules (collectively referred to as the ``proposal'' or the ``proposed rule'' for ``banks''), although some commenters sent copies of the same letter to Treasury and to each of the Agencies. The majority of comments received by Treasury and the Agencies were from banks, savings associations, credit unions, and their trade associations. Most of these commenters agreed with the largely risk-based approach set forth in the proposal that allowed each bank to develop a CIP based on its specific operations. Some commenters, however, criticized the specific requirements in the proposed rule and suggested that Treasury and the Agencies issue a final rule containing an entirely risk-based approach without any minimum identification and verification requirements. According to some of these commenters, such a thoroughly risk-based approach would give banks appropriate discretion to focus their efforts and finite resources on specific, high-risk accounts most likely to be used by money-launderers and terrorists. Other commenters, especially those representing credit card banks and credit card issuers, asserted that the proposed minimum identification and verification requirements should be eliminated because they did not take into account the unique nature of credit card operations. They warned that these requirements, if implemented, would have a chilling effect on credit practices important to U.S. consumers and would impose significant compliance costs on their industry with little benefit to law enforcement. By contrast, some smaller banks criticized the flexibility of the proposal and stated that a risk-based approach would leave too much room for interpretation by the Agencies. These commenters urged Treasury and the Agencies to issue a final rule establishing more specific requirements. For example, some commenters suggested that the rule prescribe risk assessment levels for each customer type and type of account, along with a specific description of acceptable forms of identification and methods of verification appropriate for each bank's size and location. While commenters representing various segments of the industry differed on the approach that should be taken in the final rule, the vast majority concluded that Treasury and the Agencies had underestimated the compliance burden that would be imposed by certain elements of the proposal. Commenters were especially concerned about the proposed requirements that banks verify the identity of signatories on accounts, keep copies of documents used to verify a customer's identity, and retain identity verification records for five years after an account is closed. Some commenters also suggested that banks be given greater flexibility when dealing with established customers and urged that banks be permitted to rely on identification and verification of customers performed by a third party, including an affiliate. Other commenters asked for additional guidance regarding the lists of known and suspected terrorists and terrorist organizations that must be checked, and regarding what will be deemed adequate notice to customers for purposes of complying with the final rule. Many commenters requested that the final rule contain a delayed implementation date that would provide banks with the time needed to design a customer identification program, obtain board approval, alter existing policies and procedures, forms and software, and train staff. Several comments were received from companies engaged in the sale of technology or services that could be used to identify and verify customers, retain records, and check lists of known and suspected terrorists and terrorist organizations. Many of these companies recommended that the proposed rule be modified to make clear that use of specific products and services would be permissible. Some of these commenters urged that the rule require banks to authenticate any documents obtained to verify the identity of the customer through the use of automated document authentication technology. A small number of comments were received from individuals. Some of these individuals criticized the proposed requirement that banks obtain a social security number from persons opening an account as an infringement upon individual liberty and privacy. Some individuals were concerned that this requirement would expose them to an added risk of identity theft. Other individuals supported the proposal and concluded that its verification requirements might diminish instances of identity theft and fraud. A few commenters suggested that the government develop a separate national identification number or require that social security cards bear photographs and or other safeguards. A variety of commenters applauded the efforts of Treasury and the Federal functional regulators to devise a uniform set of rules that apply to banks, broker-dealers, mutual funds, futures commission merchants, and introducing brokers.\4\ They noted that, without uniformity, customers of financial institutions may seek to open accounts with institutions that customers perceive to have less robust customer identification requirements. These commenters also suggested revisions that would enhance the uniformity of the rules. --------------------------------------------------------------------------- \4\ See footnote 3, supra. --------------------------------------------------------------------------- Treasury and the Agencies have modified the proposed rule in light of the comments received. A discussion of the comments, and the manner in which the proposed rule has been modified, follows in the section- by-section analysis. In addition, as suggested by a number of commenters, Treasury and the Agencies expect to issue supplementary guidance following issuance of the final rule. C. Joint Issuance by Treasury and the Agencies The final rule implementing section 326 is being issued jointly by Treasury, through FinCEN, and by the Agencies. It applies to (1) a ``bank,'' as defined in 31 CFR 103.11(c), that is subject to regulation by one of the Agencies, and (2) to any non-Federally insured credit union, private bank or trust company that does not have a Federal functional regulator (collectively referred to in the final rule as ``a bank''). [[Page 25092]] The substantive requirements of this joint final rule are being codified as part of Treasury's BSA regulations located in 31 CFR part 103. In addition, each of the Agencies is concurrently publishing a provision in its own regulations \5\ to cross-reference this final rule in order to clarify the applicability of the final rule to the banks subject to its jurisdiction. --------------------------------------------------------------------------- \5\ 12 CFR 21.21 (OCC); 12 CFR 208.63, 211.5, and 211.24 (FRB); 12 CFR 326.8 (FDIC); 12 CFR 563.177 (OTS); and 12 CFR 748.2 (NCUA). --------------------------------------------------------------------------- Regulations governing the applicability of section 326 to certain financial institutions that are regulated by the SEC and the CFTC are the subject of separate rulemakings. Treasury, the Agencies, the SEC, and the CFTC consulted extensively in the development of all joint rules implementing section 326 of the Act. All of the participating agencies intend the effect of the rules to be uniform throughout the financial services industry. Treasury intends to issue separate rules under section 326 for certain non-bank financial institutions that are not regulated by one of the Federal functional regulators. The Secretary has determined that the records required to be kept by section 326 of the Act have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, to protect against international terrorism. In addition, Treasury, under its own authority, is issuing conforming amendments to 31 CFR 103.34, which imposes requirements concerning the identification of bank customers. D. Compliance Date Nearly all commenters on the proposed rule requested that banks be given adequate time to develop and implement the requirements of any final rule implementing section 326 of the Act. These commenters stated that if the proposed rule were implemented, banks would be required, among other things, to revise existing account opening policies and procedures, obtain board approval, train staff, update forms, purchase new or updated software for customer verification and checking of government lists, and purchase new equipment for copying or scanning and storing records. Commenters requested a delayed effective or compliance date, but, given the variety of banks that would be covered by the final rule, there was no consensus regarding the amount of time that would be necessary to comply with the final rule. The transition periods suggested by commenters ranged from 60 days to two years from the date a final rule is published. The final rule modifies various aspects of the proposal and eliminates some of the requirements that commenters identified as being most burdensome. Nonetheless, Treasury and the Agencies recognize that some banks will need time to develop a CIP, obtain board approval, and implement the CIP, which will include various measures, such as training of staff, reprinting forms, and developing new software. Accordingly, although this final rule will be effective 30 days after publication, banks are provided with a transition period to implement the rule. Treasury and the Agencies have determined that each bank must fully implement its CIP by October 1, 2003. II. Section-by-Section Analysis of Final Rule Implementing Section 326 Section 103.121(a) Definitions Section 103.121(a)(1) Account. The proposed rule defined ``account'' as each formal banking or business relationship established to provide ongoing services, dealings, or other financial transactions and stated that a deposit account, transaction or asset account, and a credit account or other extension of credit would each constitute an ``account.'' \6\ The proposal also explained that the term ``account'' was limited to formal banking and business relationships established to provide ``ongoing'' services, dealings, or other financial transactions to make clear that this term is not intended to cover infrequent transactions such as the occasional purchase of a money order or a wire transfer. --------------------------------------------------------------------------- \6\ The definition of ``account'' in the proposed rule was based on the statutory definition of ``account'' that is used in section 311 of the Act. --------------------------------------------------------------------------- Treasury and the Agencies received a large number of comments on this proposed definition. Some commenters agreed with the proposed definition though others thought the definition of ``account'' was either too broad or needed clarification. Some commenters suggested that the definition of ``account'' be narrowed to include only those relationships that are financial in nature. A number of commenters urged that the definition be limited to high-risk relationships that experts have identified as actually used by money launderers and terrorists. Some of these commenters suggested that particular types of accounts, especially those established as part of employee benefit plans, be excluded from the definition of ``account.'' Most commenters requested that the final rule provide additional examples of the relationships that would constitute an ``account.'' Many commenters requested that the rule clarify the meaning of ``ongoing services.'' These commenters asked whether a person who repeatedly and regularly purchased a money order, requested a wire transfer, or cashed a check on a weekly basis, without any other relationship with a bank, would be considered to have an ``account.'' Many other commenters asked that the exclusion for transfers of accounts between banks described in the preamble for the proposal-- which commenters characterized as the ``transfer exception'' --be stated expressly in the regulation and expanded to cover all loans originated by a third party and purchased by a bank, such as mortgages purchased from non-bank lenders and vehicle loans purchased from car dealers. The final rule contains a number of changes prompted by these comments. First, the reference to the term ``business relationship'' has been deleted from the definition of ``account.'' This change is made to clarify that the regulation applies to the bank's provision of financial products and services, as opposed to general ``business'' dealings, such as those in connection with the bank's own operations or premises. Second, the definition now contains additional, but non- exclusive, examples of products and services, such as safety deposit box and other safekeeping services, cash management, and custodian and trust services, that constitute an ``account.'' The definition of ``account'' also has been changed to include a list of products and services that will not be deemed an ``account.'' The preamble for the proposed rule had used the term ``ongoing services'' to define accounts covered by the final rule, and had referred to the exclusion of ``occasional'' transactions and ``infrequent'' purchases (which arguably would require a bank to monitor all transactions for repetitive contacts). By contrast, the final rule clarifies that ``account'' excludes products and services where a formal banking relationship is not established with a person, such as check cashing, wire transfer, or the sale of a check or money order.\7\ Treasury and the [[Page 25093]] Agencies note that part 103 already requires verification of identity in connection with many of these products and services. See, e.g., 31 CFR 103.29 (purchases of bank checks and drafts, cashier's checks, money orders, and traveler's checks for $3000 or more); 31 CFR 103.33 (funds transfers of $3000 or more). --------------------------------------------------------------------------- \7\ This exclusion is consistent with legislative history indicating that by referencing the term ``customers,'' Congress intended ``that the regulations prescribed by Treasury take an approach similar to that of regulations promulgated under title V of the Gramm-Leach-Bliley Act of 1999, where the Federal functional regulators defined ``customers'' and ``customer relationship'' for purposes of the financial privacy rules.'' H.R. Rep. No. 107-250, pt. 1, at 62 (2001). The definitions of ``customer'' and ``customer relationship'' in the financial privacy rules apply only to a consumer who has a ``continuing relationship'' with a bank, for example, in the form of a deposit or investment account, or a loan. See .3(h) and (i) of 12 CFR part 40 (OCC); 12 CFR part 216 (Board); 12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); and 12 CFR part 716 (NCUA). --------------------------------------------------------------------------- In addition, the final rule codifies and clarifies the ``transfer exception.'' Under the final rule, the definition of ``account'' excludes accounts that a bank acquires through an acquisition, merger, purchase of assets, or assumption of liabilities from any third party.\8\ Treasury and the Agencies note that the Act provides that the regulations shall require reasonable procedures for ``verifying the identity of any person seeking to open an account.'' Because these transfers are not initiated by customers, these accounts do not fall within the scope of section 326.\9\ --------------------------------------------------------------------------- \8\ In many cases, these third parties are themselves ``financial institutions'' for purposes of the BSA. Treasury anticipates that these third parties ultimately will be subject to their own customer identification rules implementing section 326 of the Act in the event that they are not presently covered by such a rule. \9\ Nevertheless, there may be situations involving the transfer of accounts where it would be appropriate for a bank, as part of the customer due diligence procedures required under existing regulations requiring banks to have compliance programs implementing the BSA (BSA compliance programs), to verify the identity of customers associated with accounts that it acquires from another financial institution. Treasury and the Agencies expect financial institutions to implement reasonable procedures to detect money laundering in any account, however acquired. --------------------------------------------------------------------------- Treasury and the Agencies generally agree with the view expressed by commenters who suggested that a bank's limited resources be focused on relationships that pose a higher risk of money laundering and terrorism. Accordingly, the Agencies have included an exception to the definition of ``account'' for accounts opened for the purpose of participating in an employee benefit plan established pursuant to the Employee Retirement Income Security Act of 1974. These accounts are less susceptible to use for the financing of terrorism and money laundering, because, among other reasons, they are funded through payroll deductions in connection with employment plans that must comply with Federal regulations which impose various requirements regarding the funding and withdrawal of funds from such accounts, including low contribution limits and strict distribution requirements. Section 103.121(a)(2) Bank. The proposal jointly issued by Treasury and the Agencies applied to any financial institution defined as a ``bank'' in 31 CFR 103.11(c) and subject to regulation by one of the Agencies, including banks, savings associations, credit unions, Edge Act and Agreement corporations, and branches and agencies of foreign banks. The proposed definition also included ``any foreign branch of an insured bank'' to make clear that the procedures required by the rule would have to be implemented throughout the bank, no matter where its offices are located. The preamble for the proposal explained that the rule would apply to bank subsidiaries to the same extent as existing regulations requiring banks to have BSA compliance programs.\10\ As described above, a second proposal issued simultaneously by Treasury applied to certain other financial institutions defined as a ``bank'' in 31 CFR 103.11(c), namely, those credit unions, private banks, and trust companies that do not have a Federal functional regulator. --------------------------------------------------------------------------- \10\ All insured depository institutions currently must have a BSA compliance program. See 12 CFR 21.21 (OCC); 12 CFR 208.63 (Board); 12 CFR 326.8 (FDIC); 12 CFR 563.177 (OTS); and 12 CFR 748.2 (NCUA). In addition, all financial institutions are required by section 352 of the Act, 31 U.S.C. 5318(h), to develop and implement an anti-money laundering program. Treasury issued a regulation implementing section 352 providing that a financial institution regulated by a Federal functional regulator is deemed to satisfy the requirements of section 5318(h)(1) if it implements and maintains an anti-money laundering program that complies with the regulation of its Federal functional regulator, i.e., the requirement to implement a BSA compliance program. See 31 CFR 103.120(b); 67 FR 2113 (April 29, 2002). However, Treasury temporarily deferred subjecting certain non-Federally regulated banks to the anti-money laundering program requirements in section 352. See 67 FR 67547 (November 6, 2002) (corrected 67 FR 68935 (November 14, 2002)). --------------------------------------------------------------------------- Under the final rule, ``bank'' includes all financial institutions covered by both of the proposals described above, except that ``bank'' does not include any foreign branch of an insured U.S. bank. Several commenters explained that the proposal to cover foreign branches might conflict with local laws applicable to branches of insured banks operating outside of the United States and might place U.S. institutions at a competitive disadvantage. Consistent with the approach taken with respect to final regulations implementing other sections of the Act,\11\ Treasury and the Agencies have determined that foreign branches of insured U.S. banks are not covered by the final rule. Nevertheless, Treasury and the Agencies encourage each bank to implement an effective CIP, as required by this final rule, throughout its organization, including in its foreign branches, except to the extent that the requirements of the rule would conflict with local law. --------------------------------------------------------------------------- \11\ See, e.g., 67 FR 60562, 60565 (Sept. 26, 2002) (FinCEN's regulation titled ``Anti-Money Laundering Requirements ``Correspondent Accounts for Foreign Shell Banks: Recordkeeping and Termination of Correspondent Accounts for Foreign Banks' implementing sections 313 and 319(b) of the Act). --------------------------------------------------------------------------- As noted in the preamble for the proposal, the CIP must be a part of a bank's BSA compliance program. Therefore, it will apply throughout such a bank's U.S. operations (including subsidiaries) in the same way as the BSA compliance program requirement. However, all subsidiaries that are in compliance with a separately applicable, industry-specific rule implementing section 326 of the Act will be deemed to be in compliance with this final rule. Section 103.121(a)(3) Customer. The proposal defined ``customer'' to mean any person \12\ seeking to open a new account. In addition, the proposal defined a ``customer'' to include any signatory on an account. The preamble for the proposal explained that the term ``customer'' included a person that applied to open an account, but not someone seeking information about an account, such as rates charged or interest paid on an account, if the person did not apply to open an account. The preamble also stated that any person seeking to open an account at a bank, on or after the effective date of the final rule, would be a ``customer,'' regardless of whether that person already had an account at the bank. --------------------------------------------------------------------------- \12\ The proposed rule defined ``person'' by reference to Sec. 103.11(z). This definition includes individuals, corporations, partnerships, trusts, estates, joint stock companies, associations, syndicates, joint ventures, other unincorporated organizations or groups, certain Indian Tribes, and all entities cognizable as legal personalities. Treasury and the Agencies agree that it is not necessary to repeat this definition. Therefore, it is omitted from the final rule. --------------------------------------------------------------------------- This proposed definition prompted a large number of comments. First, nearly all commenters recommended that the Agencies clarify in the text of the final rule that ``customer'' does not include a person who does not receive banking services, such as a person whose deposit or loan application is denied. Some of these commenters suggested that the rule for banks define ``customer'' to mean ``a person who opens a new account,'' as did the proposed rules for broker-dealers, mutual funds, futures commission merchants and introducing brokers. [[Page 25094]] Treasury and the Agencies agree with the view expressed by some commenters that the statute should be construed to ensure that banks design procedures to determine the identity of only those persons who open accounts. Accordingly, the final rule defines a ``customer'' as ``a person that opens a new account.'' \13\ For example, in the case of a trust account, the ``customer'' would be the trust. For purposes of this rule, a bank will not be required to look through trust, escrow, or similar accounts to verify the identities of beneficiaries and instead will only be required to verify the identity of the named accountholder.\14\ In the case of brokered deposits, the ``customer'' will be the broker that opens the deposit account. A bank will not need to look through the deposit broker's account to determine the identity of each individual sub-account holder; it need only verify the identity of the named accountholder. --------------------------------------------------------------------------- \13\ Therefore, each person named on a joint account is a ``customer'' under this final rule unless otherwise provided. \14\ However, based on a bank's risk assessment of a new account opened by a customer that is not an individual, a bank may need to take additional steps to verify the identity of the customer by seeking information about individuals with ownership or control over the account in order to identify the customer, as described in Sec. 103.121(b)(2)(ii)(C), or may need to look through the account in connection with the customer due diligence procedures required under other provisions of its BSA compliance program. --------------------------------------------------------------------------- Many commenters requested that the final rule clarify whether ``customer'' includes a minor child or an informal group with a common interest, such as a club account, where there is no legal entity. The final rule addresses these comments by providing that ``customer'' means ``an individual who opens a new account for (1) an individual who lacks legal capacity, such as a minor; or (2) an entity that is not a legal person, such as a civic club.'' A few banks stated that defining ``customer'' to include a signatory was consistent with their current practice of verifying the identity of the named accountholder and any signatory on the account. However, most commenters strenuously objected to the inclusion of a signatory as a customer whose identity must be verified, and asserted that this proposed requirement would deviate significantly from their current business practices. These commenters stated that requiring banks to verify signatories on an account would be enormously burdensome to the financial institutions and signatories themselves-- many of whom simply work as employees for firms with corporate accounts--and would outweigh any benefit.\15\ One commenter asserted that inclusion of signatories as customers went beyond the scope of section 326 of the Act. Although some commenters advocated that any requirement regarding a signatory should be omitted altogether, these commenters generally advocated a risk-based approach that would give banks the discretion to determine when a signatory's identity should be verified. --------------------------------------------------------------------------- \15\ Commenters contended that banks and individuals would confront numerous practical problems. Some commenters noted, for example, that the identification and verification of signatories could be burdensome for banks because business accounts might have many signatories and those signatories would change over time. Some commenters explained that collecting detailed information about an employee who is a signatory would raise privacy concerns for those employees who would be required to disclose personal information to their employer's financial institutions. Other commenters stated that a signatory rarely is present at the time of account opening and, consequently, a bank would encounter substantial obstacles when attempting to verify the signatory's identity using any of the most common methods described in the proposal, including by examining documents or by obtaining a credit report. (Under the Fair Credit Reporting Act (FCRA), a consumer reporting agency generally may furnish a consumer report in connection with transactions involving the consumer and no other. See 15 U.S.C. 1681b. Thus, for example, a bank would be prohibited from obtaining a credit report to verify the identity of an authorized user of a customer's credit card.) --------------------------------------------------------------------------- Credit card banks, in particular, were critical of the signatory requirement because the proposed provision, as drafted, encompassed all authorized users of credit cards. These banks characterized the signatory requirement as unnecessary in the case of credit card companies, which, they explained, already use sophisticated fraud filters to detect fraud and abnormal use. These banks also noted that a person need not be a signatory to use another person's credit card, especially when purchasing products by telephone or over the Internet. Therefore, the signatory requirement would not necessarily ensure that banks would be able to verify the identity of those using a credit card account. After revisiting the issue of whether a signatory should be a ``customer,'' Treasury and the Agencies have determined that requiring a bank to expend its limited resources on verifying the identity of all signatories on accounts could interfere with the bank's ability to focus on identifying customers and accounts that present a higher risk of not being properly identified. Accordingly, the proposed provision defining ``customer'' to include a signatory on an account is deleted. Instead, the final rule, at Sec. 103.121(b)(2)(ii)(C), requires a bank's CIP to address situations when the bank will take additional steps to verify the identity of a customer that is not an individual by seeking information about individuals with authority or control over the account, including signatories, in order to verify the customer's identity. In addition to defining who is a ``customer,'' the final rule contains a list of entities that will not be deemed ``customers.'' Many commenters questioned why a bank should be required to verify the identity of a government agency or instrumentality opening a new account, or of a publicly-traded company that is subject to SEC reporting requirements. Consistent with these and other comments urging that the final rule focus on requiring verification of the identity of customers that present a higher risk of not being properly identified, the final rule excludes from the definition of ``customer'' the following readily identifiable entities: a financial institution regulated by a Federal functional regulator; a bank regulated by a state bank regulator; and governmental agencies and instrumentalities, and companies that are publicly traded described in Sec. 103.22(d)(2)(ii)-(iv).\16\ Section 103.22(d)(2)(iv) exempts such companies only to the extent of their domestic operations. Accordingly, a bank's CIP will apply to any foreign offices, affiliates, or subsidiaries of such entities that open new accounts. --------------------------------------------------------------------------- \16\ Treasury previously determined that banks should be exempted from having to file reports of transactions in currency in connection with these entities. See 31 CFR 103.22(d)(1). --------------------------------------------------------------------------- A great many commenters also objected to the requirement in Sec. 103.121(b)(2)(ii) of the proposed rule that a bank verify the identity of an existing customer seeking to open a new account unless the bank previously verified the customer's identity in accordance with procedures consistent with the proposed rule and continues to have a reasonable belief that it knows the true identity of the customer. These commenters asserted that such a requirement would be burdensome for the bank and would upset existing customers. Some commenters recommended that the rule apply prospectively to new customers who previously had no account with the bank. Many commenters suggested that the final rule contain a risk-based approach where verification would not be required for an existing customer who opens a new account if the bank has a reasonable belief that it knows the identity of the customer, regardless of the procedures the bank followed to form this belief. [[Page 25095]] Treasury and the Agencies acknowledge that the proposed rule might have had unintended consequences for bank-customer relationships and that the risk-based approach suggested by commenters would avoid these consequences. Accordingly, the final rule excludes from the definition of ``customer'' a person that has an existing account with the bank, provided that the bank has a reasonable belief that it knows the true identity of the person.\17\ --------------------------------------------------------------------------- \17\ As a foreign branch of an insured U.S. bank is no longer a ``bank'' for purposes of this rule, a customer of a bank's foreign branch will no longer be ``a person who has an existing account with the bank.'' Therefore, the bank must verify the identity of a customer of its foreign branch in accordance with its CIP if such a customer opens a new account in the U.S. --------------------------------------------------------------------------- Section 103.121(a)(4) Federal functional regulator. The proposed rule defined ``Federal functional regulator'' by reference to Sec. 103.120(a)(2), meaning each of the Agencies, the SEC, and the CFTC. There were no comments on this definition, and Treasury and the Agencies have adopted it as proposed. Section 103.121(a)(5) Financial institution. The final rule includes a new definition for the term ``financial institution'' that cross-references the BSA, 31 U.S.C. 5312(a)(2) and (c)(1). This is a more expansive definition of ``financial institution'' than that in 31 CFR 103.11, and includes entities such as futures commission merchants and introducing brokers. Section 103.121(a)(6) Taxpayer identification number. The proposed rule repeated the language from Sec. 103.34(a)(4), which states that the provisions of section 6109 of the Internal Revenue Code and the regulations of the Internal Revenue Service thereunder determine what constitutes ``a taxpayer identification number.'' There were no comments on this approach, and Treasury and the Agencies have adopted it substantially as proposed, with minor technical modifications. Section 103.121(a)(7) and (8) U.S. Person and non-U.S. person. The proposed rule provided that ``U.S. person'' is an individual who is a U.S. citizen, or an entity established or organized under the laws of a State or the United States. A ``non-U.S. person'' was defined as a person who did not satisfy either of these criteria. As described in greater detail below, a bank is generally required to obtain a U.S. taxpayer identification number from a customer who opens a new account. However, if the customer is a non-U.S. person and does not have such a number, the bank may obtain an identification number from some other form of government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard. Several commenters suggested that it would be less confusing to bankers if ``U.S. person'' meant both a U.S. citizen and a resident alien, consistent with the definition of this term used in the Internal Revenue Code (IRS definition).\18\ A few commenters criticized the proposed definition because it would require banks to establish whether a customer is or is not a U.S. citizen. --------------------------------------------------------------------------- \18\ 26 U.S.C. 7701(a)(30)(A). --------------------------------------------------------------------------- Treasury and the Agencies believe that the proposed definition of ``U.S. person'' is a better standard for purposes of this final rule than the IRS definition. Adoption of the IRS definition of ``U.S. person'' would require bank staff to distinguish among various tax and immigration categories in connection with any type of account that is opened. Under the proposed definition, a bank will not necessarily need to establish whether a potential customer is a U.S. citizen. The bank will have to ask each customer for a U.S. taxpayer identification number (social security number, employer identification number, or individual taxpayer identification number). If a customer cannot provide one, the bank may then accept alternative forms of identification. For these reasons, the definition is adopted as proposed. Section 103.121(b) Customer Identification Program: Minimum Requirements Section 103.121(b)(1) General Rule. The proposed rule required each bank to implement a CIP that is appropriate given the bank's size, location, and type of business. The proposed rule required a bank's CIP to contain the statutorily prescribed procedures, described these procedures, and detailed certain minimum elements that each of the procedures must contain. In addition, the proposed rule required that the CIP be written and that it be approved by the bank's board of directors or a committee of the board. The proposed rule also stated that the CIP must be incorporated into the bank's BSA \19\ compliance program and should not be a separate program. A bank's BSA compliance program must be written, approved by the board, and noted in the bank's minutes. It must include (1) internal policies, procedures, and controls to ensure ongoing compliance; (2) designation of a compliance officer; (3) an ongoing employee training program; and (4) an independent audit function to test programs. The preamble for the proposal explained that the CIP should be incorporated into each of these four elements of a bank's BSA program. --------------------------------------------------------------------------- \19\ See footnote 10, supra. --------------------------------------------------------------------------- Most commenters agreed with the proposal's approach of allowing banks to develop risk-based programs tailored to their specific operation, though some of these commenters recommended that Treasury and the Agencies adopt an entirely risk-based approach without any minimum requirements while others recommended a more prescriptive approach. Many commenters suggested that Treasury and the Agencies clarify the extent to which a bank could rely on a third party, especially an affiliate, to perform some or all aspects of its CIP. Other commenters focused on the requirement that a bank's board of directors approve the CIP. These commenters urged Treasury and the Agencies to adopt a regulation that states that the role of a bank's board of directors need only be to approve broad policy rather than the specific methods or actual procedures that will be a part of a bank's CIP. One commenter recommended that the governing body of a financial institution be permitted to delegate its responsibility to approve the CIP. The final rule attempts to strike an appropriate balance between flexibility and detailed guidance by allowing a bank broad latitude to design and implement a CIP that is tailored to its particular business practices while providing a framework of minimum standards for identifying each customer, as the Act mandates. Following the description of the procedures and minimum requirements for each element of a bank's CIP (identity verification, recordkeeping, comparison with government lists, and customer notice), the final rule contains a new section describing the extent to which a bank may rely on a third party to perform these elements, described in detail below. The final rule removes the requirement that the bank's board of directors or a committee of the board must approve the bank's CIP because this requirement is redundant. A bank's BSA compliance program must already be approved by the board. Treasury and the Agencies regard the addition of a CIP to the bank's BSA compliance program to be a material change in the BSA compliance program that will require board approval. The board of director's responsibility to oversee bank compliance with section 326 of the Act [[Page 25096]] is a part of a board's conventional supervisory BSA compliance responsibilities that cannot be delegated to bank management. Therefore, a bank's board of directors must be responsible for approving a CIP described in detail sufficient for the board to determine that (1) the bank's CIP contains the minimum requirements of this final rule; and (2) the bank's identity verification procedures are designed to enable the bank to form a reasonable belief that it knows the true identity of the customer. Nevertheless, responsibility for the development, implementation, and day-to-day administration of the CIP may be delegated to bank management. The final rule will apply to some non-Federally regulated banks that are not yet subject to an anti-money laundering compliance program requirement.\20\ Therefore, the final rule only requires that the CIP be a part of a bank's anti-money laundering program once a bank becomes subject to an anti-money laundering compliance program requirement.\21\ --------------------------------------------------------------------------- \20\ See footnote 10, supra. \21\ The final rule therefore provides that until such time as credit unions, private banks, and trust companies without a Federal functional regulator are subject to such a program, their CIPs must be approved by their boards of directors. --------------------------------------------------------------------------- Section 103.121(b)(2) Identity Verification Procedures. The proposed rule provided that each bank must have a CIP that includes procedures for verifying the identity of each customer, to the extent reasonable and practicable, based on the bank's assessment of certain risks. The proposed rule stated that these procedures must enable the bank to form a reasonable belief that it knows the true identity of the customer. Some commenters recommended that the identity verification requirement be waived for new customers that are well known to a senior officer of the bank. Some of these commenters endorsed such a waiver provided that a bank employee could provide ``an affidavit of identity'' on behalf of the customer. One commenter criticized the standard requiring a bank to have identity verification procedures ``that enable the bank to form a reasonable belief that it knows the true identity of the customer'' as too subjective. This commenter suggested that a better standard would be lack of affirmative notice of deficiency in the identity process. Another commenter suggested that the rule make clear that a bank is only required to verify a customer's identity, to the extent reasonable and practical, in order to establish that it has a reasonable basis for knowing the true identity of its customer. The final rule provides that a bank's CIP must include risk-based procedures for verifying the identity of each customer \22\ to the extent reasonable and practicable. The final rule also states that the procedures must enable the bank to form a reasonable belief that it knows the true identity of the customer. As section 326 of the Act states, a bank's affirmative obligation to verify the identity of its customer applies to ``any person'' rather than only to a person whose identity is suspect, as suggested by one commenter. Furthermore, Treasury and the Agencies have determined that the statutory obligation to ``verify the identity of any person'' requires the bank to implement and follow procedures that allow the bank to have a reasonable belief that it knows the true identity of the customer. --------------------------------------------------------------------------- \22\ Other elements of the bank's CIP, such as procedures for recordkeeping or checking of government lists, are requirements that may not vary depending on risk factors. --------------------------------------------------------------------------- Given the flexibility built into the final rule, Treasury and the Agencies believe that it is not appropriate to provide special treatment for new customers known to bank personnel. In addition, permitting reliance on bank personnel to attest to the identity of a customer may be subject to manipulation. Accordingly, the final rule does not establish different rules for customers who are known to bank personnel. The final rule requires the identity verification procedures to be based upon relevant risks, including those presented by the types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, and the types of identifying information available. In addition to these risk factors, which are specifically identified in section 326, the final rule states that the procedures should take into account the bank's size, location, and type of business or customer base, additional factors mentioned in the Act's legislative history.\23\ --------------------------------------------------------------------------- \23\ H.R. Rep. No. 107-250, pt. 1, at 62 and 63 (2001). --------------------------------------------------------------------------- Section 103.121(b)(2)(i) Customer Information Required. The proposed rule required that a bank's CIP must contain procedures that specify the identifying information the bank must obtain from a customer. It stated that, at a minimum, a bank must obtain from each customer the following information prior to opening an account: (1) Name; (2) address (a residential and mailing address for individuals, and principal place of business and mailing address for a person other than an individual); (3) date of birth for individuals; and (4) an identification number. Treasury and the Agencies received a variety of comments criticizing the requirement that a bank obtain certain minimum identifying information prior to opening an account. Some commenters, including a trade association representing large financial institutions, recommended that a bank be permitted to open an account for a customer who lacks some of the minimum identifying information, provided that the bank has formed a reasonable belief that it knows the true identity of the customer. Credit card banks explained that the minimum information requirement would create problems for retailers that offer credit cards at the point of sale. These commenters stated that retailers were not likely to have the means to record identifying information other than what is currently collected. They suggested that when there are systems in place to identify customers and detect suspicious transactions, the rule should require only the collection of information that the credit card bank or card issuer deems necessary and appropriate to identify the customer. Other commenters stated that the rule should not require a bank to obtain the minimum identifying information prior to account opening in every instance. Some of these commenters suggested that a bank be permitted to obtain the required information within a reasonable time after the account is opened. Some commenters suggested that the rule permit banks to obtain identifying information from a party other than the customer. This would arise, for example, when a bank offers a credit card based on information obtained from a credit reporting agency. Other commenters suggested that a bank also be required to obtain information about a customer's occupation, profession or business, as this information is needed by a bank that intends to file a report of transactions in currency or a suspicious activities report on the customer. Consistent with the proposal, the final rule provides that a bank's CIP must contain procedures that specify the identifying information that the bank must obtain from each customer prior to opening an account. In addition, the rule specifies the four basic categories of information that a bank must obtain from the customer prior to opening an account. Treasury and the Agencies believe that requiring banks to gather these standard forms of information prior to opening an account is not overly burdensome because such identifying information is routinely [[Page 25097]] gathered by most banks in the account opening process and is required by other sections of 31 CFR part 103. Of course, based upon an assessment of the risks described above, a bank may require a customer to provide additional information to establish the customer's identity. Treasury and the Agencies acknowledge that imposing this requirement on banks that offer credit card accounts is likely to alter the manner in which they do business by requiring them to gather additional information beyond that which they currently obtain directly from a customer who opens an account at the point of sale or by telephone. Treasury and the Agencies are mindful of the legislative history of section 326, which indicates that Congress expected the regulations implementing this section to be appropriately tailored for accounts opened in situations where the account holder is not physically present at the financial institution and that the regulations should not impose requirements that are burdensome, prohibitively expensive, or impractical.\24\ --------------------------------------------------------------------------- \24\ H.R. Rep. No. 107-250, pt. 1, at 63 (2001). --------------------------------------------------------------------------- Therefore, Treasury and the Agencies have included an exception in the final rule for credit card accounts only, which would allow a bank broader latitude to obtain some information from the customer opening a credit card account, and the remaining information from a third party source, such as a credit reporting agency, prior to extending credit to a customer. Treasury and the Agencies recognize that these practices have produced an efficient and effective means of extending credit with little risk that the lender does not know the identity of the borrower. Treasury and the Agencies also received comments on the advisability of requiring banks to collect the specific identifying information (name, date of birth, address, and identification number), as would have been required under the proposed rule. With respect to obtaining the customer's name, one commenter recommended that based on Texas law and banks' experience, a bank should be required to obtain the name under which the customer is doing business and the customer's legal name. The final rule continues to require that the bank obtain the customer's name, meaning a legal name that can be verified. As noted above, this is a minimum requirement, and a bank may also need to obtain the name under which a person does business in order to establish a reasonable belief it knows the true identity of the customer. One trade association suggested that banks be permitted to make a risk-based determination before requiring a customer to provide date of birth because many customers would prefer not to share this information. One commenter stated that date of birth is not an important identifying characteristic and should be deleted. Another commenter stated that credit card issuers do not request this information because it can raise fair lending issues. Finally, a few commenters noted that standardized mortgage applications require age rather than date of birth and would have to be altered. The final rule provides that a bank must obtain the date of birth for a customer who is an individual. Treasury and the Agencies believe that date of birth is an important identifying characteristic and can be used to provide a bank or law enforcement with an additional means to distinguish between customers with identical names. However, the required collection and retention of information about a customer's date of birth does not relieve the bank from its obligations to comply with anti-discrimination laws or regulations, such as the prohibition in the Equal Credit Opportunity Act against discrimination in any aspect of a credit transaction on the basis of age or other prohibited classification. Banks collecting date of birth from individual customers should be able to take reasonable measures to convert this information into age for purposes of the forms used in the secondary mortgage market given the delayed compliance date for the final rule. Many commenters criticized the requirement that a bank obtain both the customer's physical and mailing address, if different. Most commenters urged Treasury and the Agencies to eliminate the requirement that the customer provide a physical address. Some of these commenters stated that this requirement could interfere with the ability of certain segments of the population to obtain a bank account, such as members of the military, persons who reside in mobile homes with no fixed address, and truck drivers who do not have a physical address. Banks that offer credit card accounts and card issuers stated that the address requirement would be extremely burdensome because they would have to change the manner in which they do business, and in some cases, credit card banks currently do not have the capacity to collect both addresses. Some of these commenters stated that new credit card customers are reluctant to give more than one address and, therefore, it would be difficult to obtain this information from customers. A trade association representing credit card banks asserted that customers may have a legitimate reason for handling correspondence through post office boxes and should not have to provide a physical address. This commenter asserted that requiring the customer to provide a physical address will discourage the provision of financial services to the unbanked and will prevent a victim of identity theft from using an alternative to an unsecured home mailbox. Another commenter noted that the physical address of a customer's principal place of business may not be relevant if the bank is working with a customer's local office. This commenter recommended that the rule simply permit the bank to obtain the customer's street address. Credit card banks and issuers urged Treasury and the Agencies to make the requirement that a bank obtain the customer's physical address optional. Section 326 of the Act requires Treasury and the Agencies to prescribe regulations that require financial institutions to implement ``reasonable procedures.'' Accordingly, under the final rule, a bank will not be required to obtain more than a single address for a customer. Nonetheless, Treasury and the Agencies believe that the identification, verification, and recordkeeping provisions of the Act, taken together, should provide appropriate resources for law enforcement agencies to investigate money laundering and terrorist financing. The final rule therefore provides that a bank generally must obtain a residential or business street address for a customer who is an individual because Treasury and the Agencies have determined that law enforcement agencies should be able to contact an individual customer at a physical location, rather than solely through a mailing address. Treasury and the Agencies recognize that this provision may be impracticable for members of the military who cannot readily provide a physical address, and other individuals who do not have a physical address but who reliably can be contacted. Accordingly, the final rule provides an exception under these circumstances that allows a bank to obtain an Army Post Office or Fleet Post Office box number, or the residential or business street address of next of kin or of another contact individual. For a customer other than an individual, such as a corporation, partnership, or trust, the bank may obtain the address of the principal place of business, local office, [[Page 25098]] or other physical location of the customer. Of course, a bank is free to obtain additional addresses from the customer, such as the customer's mailing address, to meet its own or its customer's business needs. The proposal required that banks obtain an identification number from customers. For U.S. persons, a bank would have been required to obtain a U.S. taxpayer identification number. For non-U.S. persons, a bank would have been required to obtain a number from various alternative forms of government-issued identification. One commenter stated that this requirement would not be burdensome. Commenters representing certain consumer advocacy groups commended Treasury and the Agencies for providing banks with the discretion to accept alternative forms of identifying information from non-U.S. citizens. These commenters stated that this position would assist low- income immigrants in gaining financial stability. By contrast, some commenters stated that the final rule should not permit a bank to open an account for a customer using only a foreign identification number when the customer provides a U.S. address. Other commenters asked for guidance on whether a bank is permitted to accept a number from the identification document issued by a foreign government. A few commenters urged the government to require a national identification document for all individuals. Other commenters, primarily credit card banks, stated that the requirement that a bank obtain a U.S. taxpayer identification number from U.S. persons would create considerable hardship. They stated that new credit card customers are reluctant to give out their social security numbers, especially over the telephone. They urged that banks be given the discretion to collect identifying information, other than social security numbers, when appropriate in light of consumer privacy and security concerns. In the alternative, they recommended that banks be permitted to obtain a U.S. taxpayer identification number for U.S. persons from a trusted third party source, such as a credit reporting agency. Some commenters questioned what number to use for accounts opened in the name of a bowling league or class reunion, or to accept donations for a special cause. Other commenters questioned what number could be obtained from foreign businesses and enterprises that have no taxpayer identification number or other government-issued documentation. The final rule provides that a bank must obtain an ``identification number'' from every customer. As discussed above, under the definition of ``customer,'' the final rule permits a bank to obtain the identification number of the individual who opens an account in the name of an individual who lacks legal capacity, such as a minor, or a civic group, such as a bowling league. After reviewing the comments, Treasury and the Agencies have determined that requiring a bank to obtain a customer's identification number, such as a social security number, from the customer himself or herself, in every case, including over the telephone, would be unreasonable and impracticable because it would be contrary to banks' current practices and could alienate many potential customers. Accordingly, Treasury and the Agencies have adopted an exception for credit card accounts that will permit a bank offering such accounts to acquire information about the customer, including an identification number, from a trusted third party source prior to extending credit to the customer, rather than having to obtain this information directly from the customer prior to opening an account. The final rule also provides that for a non-U.S. person, a bank must obtain one or more of the following: A taxpayer identification number (social security number, individual taxpayer identification number, or employer identification number); passport number and country of issuance; alien identification card number; or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard. This standard provides a bank with some flexibility to choose among a variety of identification numbers that it may accept from a non-U.S. person.\25\ However, the identifying information the bank accepts must permit the bank to establish a reasonable belief that it knows the true identity of the customer. --------------------------------------------------------------------------- \25\ The rule provides this flexibility because there is no uniform identification number that non-U.S. persons would be able to provide to a bank. See Treasury Department, ``A Report to Congress in Accordance with Section 326(b) of the USA PATRIOT Act,'' October 21, 2002. --------------------------------------------------------------------------- Treasury and the Agencies emphasize that the final rule neither endorses nor prohibits bank acceptance of information from particular types of identification documents issued by foreign governments. A bank must decide for itself, based upon appropriate risk factors, including those discussed above (the types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the other types of identifying information available, and the bank's size, location, and customer base), whether the information presented by a customer is reliable. Treasury and the Agencies recognize that a foreign business or enterprise may not have a taxpayer identification number or any other number from a government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard. Therefore, the final rule notes that when opening an account for such a customer, the bank must request alternative government-issued documentation certifying the existence of the business or enterprise. The proposal also contained a limited exception to the requirement that a bank obtain a taxpayer identification number from a customer opening a new account. The exception permitted a bank to open an account for a person other than an individual (such as a corporation, partnership, or trust) that has applied for, but has not received, an employer identification number (EIN), provided that the bank obtains a copy of the application before it opens the account and obtains the EIN within a reasonable period of time after the account is established. The preamble for the proposed rule explained that this exception was included for a new business that might need access to banking services, particularly a bank account or an extension of credit, before it has received an EIN from the Internal Revenue Service. Some commenters questioned this limited exception for certain businesses. A few commenters suggested expanding the exception to include individuals who have applied for, but have not yet received a taxpayer identification number. Another commenter stated that the exception provided no added benefit and would add to a bank's recordkeeping and monitoring burden. Treasury and the Agencies have determined that a bank should be afforded more flexibility in situations where a person, including an individual, has applied for, but has not yet received, a taxpayer identification number. Therefore, the final rule states that instead of obtaining a taxpayer identification number from a customer prior to opening an account, the CIP may include procedures for opening an account for a customer (including an individual) that has applied for, but has not received, a taxpayer identification [[Page 25099]] number.\26\ To lessen the recordkeeping burden for a bank that elects to use this exception, the final rule also provides that the bank's CIP need only include procedures requiring the bank to confirm that the application was filed before the customer opens the account and to obtain the taxpayer identification number within a reasonable period of time after the account is opened. Thus, a bank will be able to exercise its discretion \27\ to determine how to confirm that a customer has filed an application for a taxpayer identification number rather than having to keep a copy of the application on file. --------------------------------------------------------------------------- \26\ This position is analogous to that in regulations issued by the Internal Revenue Service (IRS) concerning ``awaiting-TIN [taxpayer identification number] certificates.'' The IRS permits a taxpayer to furnish an ``awaiting-TIN certificate'' in lieu of a taxpayer identification number to exempt the taxpayer from the withholding of taxes owed on reportable payments (i.e., interest and dividends) on certain accounts. See 26 CFR 31.3406(g)-3. \27\ For example, the bank may wish to examine a copy of the application filed. --------------------------------------------------------------------------- Section 103.121(b)(2)(ii) Customer Verification. The proposed rule provided that the CIP must contain risk-based procedures for verifying the information that the bank obtains in accordance with Sec. 103.121(b)(2)(i), within a reasonable period of time after the account is opened.\28\ The proposed rule also described when a bank is required to verify the identity of existing customers. --------------------------------------------------------------------------- \28\ The preamble for the proposed rule noted that, although an account may be opened, it is common practice among banks to place limits on the account, such as by restricting the number of transactions or the dollar value of transactions, until a customer's identity is verified. Therefore, the proposed regulation provided the bank with the flexibility to use a risk-based approach to determine how soon identity must be verified. --------------------------------------------------------------------------- Several commenters asked Treasury and the Agencies to underscore that these verification procedures may be risk-based by noting that a bank may verify less than all of the identifying information provided by the customer. Many commenters noted that there is currently no reliable, efficient, or effective means of verifying a customer's social security number. Some of these commenters asked the government to establish a method that would permit banks to establish the authenticity and accuracy of a customer's name and taxpayer identification number. Treasury and the Agencies recognize that there currently is no method that would permit a bank to verify, for example, a taxpayer identification, passport or alien identification number through an official source. Accordingly, the final rule provides that a bank's CIP must contain procedures for verifying the identity of the customer, ``using the information obtained in accordance with paragraph (b)(2)(i),'' namely, the identifying information obtained by the bank. Thus, a bank need not establish the accuracy of every element of identifying information obtained but must do so for enough information to form a reasonable belief it knows the true identity of the customer. Some commenters stated that they appreciated the flexibility of the proposal permitting an institution to determine how soon identity must be verified. Other commenters asked Treasury and the Agencies to clarify what is a ``reasonable period of time.'' As stated in the preamble for the proposal, Treasury and the Agencies believe that the amount of time it will take an institution to verify a customer's identity may depend upon various factors, such as the type of account opened, whether the customer is physically present when the account is opened, and the type of identifying information available. For the same reasons, the final rule provides banks with the flexibility necessary to accommodate a wide range of situations by stating that the bank must verify the identifying information within a reasonable time after the account is opened.\29\ --------------------------------------------------------------------------- \29\ It is possible that a bank would, however, violate other laws by permitting a customer to transact business prior to verifying the customer's identity. See, e.g., 31 CFR part 500 (regulations of Treasury's Office of Foreign Asset Control (OFAC) prohibiting transactions involving designated foreign countries or their nationals). --------------------------------------------------------------------------- As discussed above in the definition section, many commenters criticized the proposed approach regarding verification of existing customers that open new accounts. The final rule addresses these concerns by modifying the definition of ``customer'' to exclude a person who has an existing account with the bank if the bank has a reasonable belief that it knows the true identity of the person. Many commenters urged that the final rule continue to allow, but not mandate, documentary verification. A few commenters requested that the final rule provide additional guidance on verification. Some commenters asked that the final rule clarify that a bank may choose to use only documentary methods and may refuse to open an account using other methods. The final rule addresses these comments by stating that a bank's CIP's verification procedures must describe when the bank will use documents, non-documentary methods, or a combination of both methods to verify a customer's identity. Section 103.121(b)(2)(ii)(A) Verification Through Documents. The proposed rule provided that the CIP must contain procedures describing when the bank will verify identity through documents and setting forth the documents that the bank will use for this purpose. It then gave examples of documents that could be used to verify the identity of individuals and other persons such as corporations, partnerships, and trusts. Most commenters noted that banks do not have the means to authenticate or validate documents provided by their customers and urged Treasury and the Agencies to clarify that document authentication is not a CIP requirement. Treasury and the Agencies wish to confirm that once a bank has obtained and verified the identity of the customer through a document such as a driver's license or passport, the bank will not be required to take steps to determine whether the document has been validly issued. A bank generally may rely on government-issued identification as verification of a customer's identity; however, if a document shows obvious indications of fraud, the bank must consider that factor in determining whether it can form a reasonable belief that it knows the customer's true identity. Some commenters also asked that Treasury and the Agencies provide more examples and discuss appropriate types of documentary identification in the final rule or in separate guidance that banks may easily access. Commenters asked whether a utility bill, or library card addressed to the same physical address and name of the person seeking the account, or a foreign identification card, such as a foreign voter registration card or driver's license, would be acceptable. Some commenters questioned whether copies of documents would suffice. Given the recent increases in identity theft and the availability of fraudulent documents, Treasury and the Agencies agree with a commenter who suggested that the value of documentary verification is enhanced by redundancy. The rule gives examples of types of documents that are considered reliable. However, a bank is encouraged to obtain more than one type of documentary verification to ensure that it has a reasonable belief that it knows the customer's true identity. Moreover, banks are encouraged to use a variety of methods to verify the identity of a customer, especially when the bank does not have the ability to examine original documents. The final rule attempts to strike the appropriate balance between the [[Page 25100]] benefits of requiring additional documentary verification and the burdens that may arise from such a requirement by providing that a bank's CIP must state the documents that a bank will use. This will require each bank to conduct its own risk-based analysis of the types of documents it believes will enable it to know the true identity of its customers. The final rule continues to provide an illustrative list of identification documents. For an individual, these may include an unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard, such as a driver's license or passport. For a person other than an individual, these may include documents showing the existence of the entity, such as certified articles of incorporation, a government-issued business license, a partnership agreement, or a trust instrument. Some commenters questioned whether the examples of identification documents given for persons other than individuals would be reliable. One commenter questioned whether trust documents alone would be sufficient verification of identity. Another commenter suggested allowing banks to rely on a certification by the trustee, or an appropriate legal opinion, rather than the trust instrument to verify the existence of a trust. Someone else suggested that banks should be allowed to rely on documentation consisting of evidence that a business is either publicly traded or is authorized to do business in a state or the United States. The examples provided in the final rule were intended only to illustrate the documents a bank might use to verify the identity of a customer that is a corporation, partnership, or trust. A bank may use other documents, provided that they allow the bank to establish that it has a reasonable belief that it knows the true identity of its customer. Accordingly, the final rule makes no significant changes to the examples. Section 103.121(b)(2)(ii)(B) Non-Documentary Verification. Recognizing that some accounts are opened by telephone, by mail, and over the Internet, the proposed rule provided that a bank's CIP also must contain procedures describing what non-documentary methods the bank will use to verify identity and when the bank will use these methods (whether in addition to, or instead of, relying on documents). The preamble for the proposed rule also noted that even if the customer presents identification documents, it may be appropriate to use non- documentary methods as well. The proposed rule gave examples of non-documentary verification methods that a bank may use, including contacting a customer after the account is opened; obtaining a financial statement; comparing the identifying information provided by the customer against fraud and bad check databases to determine whether any of the information is associated with known incidents of fraudulent behavior (negative verification); comparing the identifying information with information available from a trusted third party source, such as a credit report from a consumer reporting agency (positive verification); and checking references with other financial institutions. The preamble for the proposed rule stated that a bank also may wish to analyze whether there is logical consistency between the identifying information provided, such as the customer's name, street address, ZIP code, telephone number, date of birth, and social security number (logical verification). The proposal required that the procedures address situations where an individual, such as an elderly person, legitimately is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard; the bank is not familiar with the documents presented; the account is opened without obtaining documents; the account is not opened in a face-to-face transaction, for example over the phone, by mail, or through the Internet; and the type of account increases the risk that the bank will not be able to verify the true identity of the customer through documents. Several commenters asked for additional guidance regarding when non-documentary verification methods should be used in addition to documentary verification methods and the circumstances in which only one or all of the non-documentary verification methods listed are necessary. Commenters also asked for guidance on audit methodology, and an explanation of the due diligence required for verification of accounts opened by telephone, mail, and through the Internet. A few commenters suggested that reference to verification, where a bank compares information provided by the customer with information from trusted third party sources, be expressly mentioned in the final rule. As the large number of comments on this section illustrates, a rule that attempted to address every scenario and combination of risk- factors that a bank might confront would be extremely complex and invariably would fail to address many situations. Rather than adopt a lengthy and potentially unwieldy rule that still would not address every situation, Treasury and the Agencies have concluded that it would be more effective to adopt general principles that are fleshed out through examples. Therefore, the final rule states that for a bank relying on non-documentary verification methods, the CIP must contain procedures that describe the non-documentary methods the bank will use. The final rule generally retains the illustrative list of non- documentary methods contained in the proposal. Treasury and the Agencies have clarified that one method is ``independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source,'' rather than verifying ``documentary information'' through such sources. The final rule also retains the variety of situations that the procedures must address that were identified in the proposal, with the following two changes. First, because ``transaction'' is a defined term in 31 CFR part 103, instead of using the term ``face-to-face transaction,'' the final rule states that the procedures must address the situation where a customer opens an account without appearing in person at the bank. Second, the final clause of this provision provides that the CIP must include procedures to address situations where the bank is otherwise presented with circumstances that increase the risk that the bank will be unable to verify the true identity of a customer through documents. This clause acknowledges that there may be circumstances beyond those specifically described in this provision when a bank should use non-documentary verification procedures. As stated in the preamble for the proposed rule, because identification documents may be obtained illegally and may be fraudulent, and in light of the recent increase in identity theft, Treasury and the Agencies encourage banks to use non-documentary methods even when the customer has provided identification documents. Section 103.121(b)(2)(ii)(C) Additional Verification for Certain Customers. As described above, the proposed rule required the identification and verification of each signatory for an account. Most commenters objected to this requirement as overly burdensome, and, upon consideration of the points raised by the commenters, Treasury and the Agencies agree that it is appropriate [[Page 25101]] to delete it. For the reasons discussed below, however, the rule does require that a bank's CIP address the circumstances in which it will obtain information about such individuals in order to verify the customer's identity. Treasury and the Agencies believe that while the majority of customers may be verified adequately through the documentary or non-documentary verification methods described in paragraphs (b)(2)(ii)(A) and (B), there may be instances where this is not possible. The risk that the bank will not know the customer's true identity may be heightened for certain types of accounts, such as an account opened in the name of a corporation, partnership, or trust that is created or conducts substantial business in a jurisdiction that has been designated by the United States as a primary money laundering concern or has been designated as non-cooperative by an international body. Obtaining sufficient information to verify a customer's identity can reduce the risk that a bank will be used as a conduit for money laundering and terrorist financing. Treasury and the Agencies believe that a bank must identify customers that pose a heightened risk of not being properly identified, and a bank's CIP must prescribe additional measures that may be used to obtain information about the identity of the individuals associated with the entity in whose name such an account is opened when standard documentary and non-documentary methods prove to be insufficient. For these reasons, the requirement to verify the identity of signatories has been replaced by a new provision in the final rule that requires that a bank's CIP address situations where, based on the bank's risk assessment of a new account opened by a customer that is not an individual, the bank also will obtain information about individuals with authority or control over such account, including signatories, in order to verify the customer's identity. This additional verification method will only apply when the bank cannot adequately verify the customer's identity using the documentary and non-documentary verification methods described in (b)(2)(ii)(A) and (B). Moreover, a bank need not undertake any additional verification if it chooses not to open an account when it cannot verify the customer's identity using standard documentary and non-documentary verification methods. Section 103.121(b)(2)(iii) Lack of Verification. The proposed rule stated that a bank's CIP must include procedures for responding to circumstances in which the bank cannot form a reasonable belief that it knows the true identity of a customer. The preamble for the proposed rule listed what these procedures should include. In addition, the proposal stated that a bank should only maintain an account for a customer when it can form a reasonable belief that it knows the customer's true identity.\30\ --------------------------------------------------------------------------- \30\ The preamble also explained that there are some exceptions to this basic rule. For example, a bank may maintain an account at the direction of a law enforcement or intelligence agency, even though the bank does not know the true identity of the customer. --------------------------------------------------------------------------- The final rule retains the general requirement that a bank's CIP include procedures for responding to circumstances in which the bank cannot form a reasonable belief that it knows the true identity of the customer. However, the rule text itself now states that the procedures should describe the following: when a bank should not open an account for a potential customer; the terms under which a customer may use an account while the bank attempts to verify the customer's identity; when the bank should close an account after attempts to verify a customer's identity have failed; and when the bank should file a Suspicious Activity Report in accordance with applicable law and regulation. One commenter stated that requiring a bank to close an account if it cannot verify a customer's identity would conflict with state laws and would subject the bank to legal liability. The commenter urged that if this provision is retained, the final rule also should shield banks from state regulatory and borrower liability in these circumstances. Other commenters asked that Treasury and the Agencies clarify that further investigation that results in failure to open an account will not trigger adverse action requirements under the FCRA, 15 U.S.C. 1681 et seq. or the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691 et seq. The final rule does not specifically require a bank to close the account of a customer whose identity the bank cannot verify, but instead leaves this determination to the discretion of the bank. Treasury and the Agencies have determined that there is no statutory basis to create a safe harbor that would shield banks from state regulatory or borrower liability if a bank should choose to close a customer's account. Any such closure should be consistent with the bank's existing procedures for closing accounts in accordance with its risk management practices. Treasury and the Agencies also note that a bank must comply with other applicable laws and regulations, such as the adverse action provisions under ECOA and the FCRA, when determining not to open an account because it cannot establish a reasonable belief that it knows the true identity of the customer.\31\ --------------------------------------------------------------------------- \31\ See 12 CFR 202.9(b) (Federal Reserve Regulation B that prescribes the form of ECOA notice and statement of specific reasons); 15 U.S.C. 1681m (FCRA provision that provides for duties of users taking adverse actions on the basis of information contained in consumer reports from other third parties or affiliates). --------------------------------------------------------------------------- Section 103.121(b)(3) Recordkeeping Section 103.121(b)(3)(i) Required Records. The proposed rule set forth recordkeeping procedures that must be included in a bank's CIP. Under the proposal, a bank would have been required to maintain a record of the identifying information provided by the customer. Where a bank relies upon a document to verify identity, the proposal would have required the bank to maintain a copy of the document that the bank relied on that clearly evidences the type of document and any identifying information it may contain. The bank also would have been required to record the methods and result of any additional measures undertaken to verify the identity of the customer. Last, the bank would have been required to record the resolution of any discrepancy in the identifying information obtained. This section of the proposed rule prompted the most comment. Though one commenter felt that the recordkeeping requirements in the proposed rule were weak, almost all other commenters identified the proposed documentation and record retention requirements as overly burdensome. Commenters urged Treasury and the Agencies to permit a bank to record the information from the documents obtained rather than requiring banks to maintain copies of these documents for the life of the account. Commenters generally argued that it would be difficult and very burdensome to store and retrieve copies of documents used to verify the identity of the customer. In addition, some commenters noted that many kinds of identification documents, particularly some new driver's licenses, have security features that prevent them from being copied legibly. Other commenters stated that copies of documents would be difficult to safeguard and could facilitate identity theft. Commenters stated that requiring banks to keep copies of documents would substantially deviate from current banking practice and would violate certain states' laws. Banks offering credit card accounts through retailers, who require the customer to [[Page 25102]] provide identifying documents at the point of sale, strenuously opposed this requirement if it were interpreted to cover documents presented to the merchant. These commenters stated that copy machines are not usually available at the point of sale, and that the rule as proposed would require merchants to purchase large numbers of additional copy machines. The commenters also anticipated that consumers would be greatly inconvenienced by this requirement and might have to endure lengthy waits during any busy shopping season. These commenters questioned whether the risks of money-laundering and the financing of terrorism through retail store credit cards, which generally have relatively low credit limits, restrictions on pre-payment, and other features to detect fraud, warrant the imposition of these additional costs. Other commenters stated that requiring banks to keep copies of documents that have pictures, such as driver's licenses, could expose the bank to allegations of unlawful discrimination, even if the retention of this information were not prohibited under ECOA. Some banks objected to this requirement on the grounds that it directly conflicted with the position that the Agencies have traditionally taken on this issue, including the criticism of banks that have retained such information in their files when extending credit. Other commenters asked that a bank be permitted to record the processes and procedures generally used for verification rather than being required to keep records of the methods used and the resolution for each and every account, especially where the bank uses standardized procedures for all customers and could demonstrate that these procedures were applied. Some commenters suggested that the final rule permit banks to use a risk-based approach for recordkeeping. In light of the comments received, Treasury and the Agencies have reconsidered and modified the recordkeeping requirements of the proposed rule. The final rule provides that a bank's CIP must include procedures for making and maintaining a record of all information obtained under the procedures implementing the requirement that a bank develop and implement a CIP. However, the final rule affords banks significantly more flexibility than did the recordkeeping provisions contained in the proposal. Under the final rule, a bank's records are to include ``a description,'' rather than a copy, of any document upon which the bank relied in order to verify the identity of the customer, noting the type of document, any identification number contained in the document, the place of issuance, and, if any, the date of issuance and expiration date. The final rule also clarifies that the record must include ``a description'' of the methods and results of any measures undertaken to verify the identity of the customer, and of the resolution of any ``substantive'' discrepancy discovered when verifying the identifying information obtained, rather than any documents generated in connection with these measures. As Treasury and the Agencies indicated in the preamble for the proposal, nothing in the rule modifies, limits, or supersedes section 101 of the Electronic Signatures in Global and National Commerce Act, Pub. L. 106-229, 114 Stat. 464 (15 U.S.C. 7001) (E-Sign Act). Thus, a bank may use electronic records to satisfy the requirements of this final rule, as long as the records are accurate and remain accessible in accordance with 31 CFR 103.38(d). Section 103.121(b)(3)(ii) Retention of Records The proposal required a bank to retain all of the records specified in the recordkeeping provision for five years after the date the account is closed. This requirement prompted strenuous objections. Assuming that copies of the documents used to verify the identity of the customer would have to be retained, commenters asserted that retaining records until five years after the account is closed would be very burdensome. Some commenters noted that imaging is not a routine practice for community banks and could be costly. Banks offering credit card accounts stated that the record retention requirement would require a change in forms, processes, and systems, while also increasing storage costs. As credit cards do not have a specific term, commenters noted that banks would be required to keep these records forever, unless they are culled manually. Some commenters suggested that the retention period be shortened, with suggestions ranging from one to three years after the account is closed, while other commenters suggested that the period be shortened to five years from when the account is opened. Many commenters stated that two years from when the information is obtained would be consistent with other regulatory requirements, such as the record retention requirements for an application for an extension of credit subject to ECOA (12 CFR 202.12(b)). By eliminating the requirement that a bank retain copies of the documents used to verify the identity of the customer, Treasury and the Agencies believe that the final rule largely addresses the main concern of these commenters. However, Treasury and the Agencies also have determined that, while the identifying information provided by the customer should be retained, there is little value in requiring banks to retain the remaining records for five years after an account is closed because this information is likely to have become stale. Therefore, the final rule now prescribes a bifurcated record retention schedule that is consistent with the general five-year retention requirement in 31 CFR 103.38. First, the bank must retain the information referenced in paragraph (b)(3)(i)(A) (that is, information obtained about a customer), for five years after the date the account is closed or, in the case of credit card accounts, five years after the account is closed or becomes dormant. Second, the bank need only retain the records that it must make and maintain under the remaining parts of the recordkeeping provision, paragraphs (b)(3)(i)(B), (C), and (D) (that is, information that verifies a customer's identity) for five years after the record is made. Section 103.121(b)(4) Comparison with Government Lists. The proposed rule required a bank to have procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations provided to the bank by any Federal government agency. In addition, the proposal stated that the procedures must ensure that the bank follows all Federal directives issued in connection with such lists. Most commenters were concerned about how a bank would be able to determine what lists should be checked for purposes of this provision and how these lists would be made available. Some commenters asked that the final rule confirm that a bank will not have an affirmative duty to seek out all lists compiled by the Federal government and would only be required to check lists provided to it by the Federal government. Some commenters noted that lists published by OFAC are published but are not provided to financial institutions.\32\ Many commenters urged that all lists within the meaning of section 326 of the Act, [[Page 25103]] be centralized, issued by a single designated government agency, and provided to financial institutions in a commonly used electronic format. Some of these commenters suggested that instead of providing multiple lists, the government set up a single Web site that would permit a bank to search for a name alphabetically, similar to the OFAC list. Other commenters asked Treasury and the Agencies to clarify what action a bank should take when a customer appears on a list. --------------------------------------------------------------------------- \32\ Nevertheless, the legislative history for this provision indicates that the lists Congress intended financial institutions to consult ``are those already supplied to financial institutions by the Office of Foreign Asset Control (OFAC), and occasionally by law enforcement and regulatory authorities, as in the days immediately following the September 11, 2001, attacks on the World Trade Center and the Pentagon.'' H.R. Rep. No. 107-250, pt. 1, at 63 (2001). --------------------------------------------------------------------------- Commenters also asked for guidance regarding the timing of when the comparison must be performed and asked whether the lists could be checked after an account is opened. Some commenters stated that there is no practical way for a financial institution to check lists prior to opening an account. The final rule states that a bank's CIP must include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency and designated as such by Treasury in consultation with the Federal functional regulators. Because Treasury and the Federal functional regulators have not yet designated any such lists, the final rule cannot be more specific with respect to the lists banks must check in order to comply with this provision. However, banks will not have an affirmative duty under this regulation to seek out all lists of known or suspected terrorists or terrorist organizations compiled by the Federal government. Instead, banks will receive notification by way of separate guidance regarding the lists that must be consulted for purposes of this provision. Treasury and the Agencies have modified this provision to give guidance as to when a bank must consult a list of known or suspected terrorists or terrorist organizations. The final rule states that the CIP's procedures must require the bank to make a determination regarding whether a customer appears on a list ``within a reasonable period of time'' after the account is opened, or earlier if required by another Federal law or regulation or by a Federal directive issued in connection with the applicable list. The final rule provides that a bank's CIP must contain procedures requiring the bank to follow all Federal directives issued in connection with such lists. Again, because there are no lists that have been designated under this provision as yet, the final rule cannot provide more guidance in this area. Section 103.121(b)(5) Customer Notice. The proposed rule would have required a bank's CIP to include procedures for providing bank customers with adequate notice that the bank is requesting information to verify their identity. The preamble for the proposal stated that a bank could satisfy that notice requirement by generally notifying its customers about the procedures the bank must comply with to verify their identities. It stated that the bank could post a notice in its lobby or on its Internet website, or provide customers with any other form of written or oral notice. Treasury and the Agencies received a large number of comments on this provision. Some commenters did not agree that section 326 of the Act requires notice to bank customers. Some of these commenters suggested that a bank's request for identifying information should be considered adequate notice. Other commenters did not question this requirement and stated that they appreciated the flexibility of this provision. However, a great many commenters asked for additional guidance on the content and timing of the notice and specifically requested that the final rule provide model language so that all institutions represent the requirements of section 326 in the same manner and the adequacy of notice is not left to the interpretation of individual examiners. Section 326 provides that the regulations issued ``shall, at a minimum, require financial institutions to implement, and customers (after being given adequate notice) to comply with reasonable procedures'' that satisfy the statute. Based upon this statutory requirement, the final rule requires a bank's CIP to include procedures for providing bank customers with adequate notice that the bank is requesting information to verify their identities. However, the final rule provides additional guidance regarding what constitutes adequate notice and the timing of the notice requirement. The final rule states that notice is adequate if the bank generally describes the identification requirements of the final rule and provides notice in a manner reasonably designed to ensure that a customer views the notice, or is otherwise given notice, before opening an account. The final rule also states that depending upon the manner in which an account is opened, a bank may post a notice in the lobby or on its website, include the notice on its account applications, or use any other form of oral or written notice. In addition, the final rule includes sample language that, if appropriate, will be deemed adequate notice to a bank's customers when provided in accordance with the requirements of this final rule. Section 103.121(b)(6) Reliance on Another Financial Institution. Many commenters urged that the final rule permit a bank to rely on a third party to perform elements of the bank's CIP. For example, some commenters asked that the final rule clarify that a bank may use a third party service provider to perform tasks and keep records. Other commenters recommended that the rule should permit a third party to verify the identity of the bank's customer in indirect lending arrangements, for example, where a car dealer acting as agent of the bank extends a loan to a customer or where a mortgage broker acts on a bank's behalf. Some commenters urged that the final rule be modified to more broadly permit financial institutions to share customer identification and verification duties with other financial institutions so as to avoid each institution having to undertake duplicative customer identification efforts. Some of these commenters suggested that a bank be permitted to allocate its responsibility to verify the customer's identity by contract with another financial institution as permitted in the proposed rule for broker-dealers. Other commenters requested that the final rule permit the CIP obligations to be performed initially by only one financial institution if a customer has different accounts with different affiliates. These commenters noted that it is common for a customer to maintain several different accounts with a financial institution and its affiliates. The same customer, for example, may have a credit card account with one affiliate, a home mortgage with another affiliate, and a brokerage account with a broker-dealer affiliate. The commenters urged that a bank be permitted to rely on customer identification and verification performed by an affiliate because it would be superfluous and unnecessarily burdensome to subject the same customer to substantially similar customer identification and verification procedures on multiple occasions. Furthermore, those commenters urged Treasury and the Agencies to allow a bank to rely on an affiliate in order to reduce the substantial costs of maintaining duplicative records regarding identity verification under the recordkeeping provisions of the rule. Treasury and the Agencies recognize that there may be circumstances where a bank should be able to rely on the performance by another financial institution of some or all of the elements of the bank's CIP. Therefore, the final rule provides that a bank's CIP may [[Page 25104]] include procedures specifying when the bank will rely on the performance by another financial institution (including an affiliate) of any procedures of the bank's CIP and thereby satisfy the bank's obligations under the rule. Reliance is permitted if a customer of the bank is opening, or has opened, an account or has established a similar banking or business relationship with the other financial institution to provide or engage in services, dealings, or other financial transactions. In order for a bank to rely on the other financial institution, such reliance must be reasonable under the circumstances, and the other financial institution must be subject to a rule implementing the anti- money laundering compliance program requirements of 31 U.S.C. 5318(h) and be regulated by a Federal functional regulator. The other financial institution also must enter into a contract requiring it to certify annually to the bank that it has implemented its anti-money laundering program and that it will perform (or its agent will perform) the specified requirements of the bank's CIP. The contract and certification will provide a standard means for a bank to demonstrate the extent to which it is relying on another institution to perform its CIP, and that the institution has in fact agreed to perform those functions. If it is not clear from these documents, a bank must be able to otherwise demonstrate when it is relying on another institution to perform its CIP with respect to a particular customer. The bank will not be held responsible for the failure of the other financial institution to adequately fulfill the bank's CIP responsibilities, provided the bank can establish that its reliance was reasonable and that it has obtained the requisite contracts and certifications. Treasury and the Agencies emphasize that the bank and the other financial institution upon which it relies must satisfy all of these conditions set forth in the rule. If they do not, then the bank remains solely responsible for applying its own CIP to each customer in accordance with this regulation. All of the Federal functional regulators are adopting comparable provisions in their respective regulations to permit such reliance. Furthermore, the Federal functional regulators expect to share information and to cooperate with each other to determine whether the institutions subject to their jurisdiction are in compliance with the conditions of the reliance provision of this final rule. The final rule issued here does not affect a bank's authority to contract for services to be performed by a third party either on or off the bank's premises. Thus, for example, a bank may contract with a third party service provider to keep its records even when the bank does not act under the reliance provision set forth in the regulation. However, Treasury and the Agencies note that the performance of these services for Federally regulated banks \33\ will be subject to regulation and examination by the Agencies under other applicable laws and regulations. See, e.g., 12 U.S.C. 1867. --------------------------------------------------------------------------- \33\ Because it lacks the specific statutory authority to regulate and examine service providers, NCUA, as a matter of safety and soundness, will require credit unions to document that their service providers fully comply with this regulation and with the credit union's customer identification program. --------------------------------------------------------------------------- The final rule also does not alter a bank's authority to use an agent to perform services on its behalf. Therefore, a bank is permitted to arrange for a car dealer or mortgage broker, acting as its agent in connection with a loan, to verify the identity of its customer. However, as with any other responsibility performed by an agent, and in contrast to the reliance provision in the rule, the bank ultimately is responsible for that agent's compliance with the requirements of this final rule. Section 103.121(c) Exemptions. The proposed rule provided that the appropriate Federal functional regulator, with the concurrence of Treasury, may by order or regulation exempt any bank or type of account from the requirements of this section. The proposal stated that, in issuing such exemptions, the Federal functional regulator and Treasury shall consider whether the exemption is consistent with the purposes of the BSA, consistent with safe and sound banking, and in the public interest. The proposal stated that the Federal functional regulator and Treasury also may consider other necessary and appropriate factors. There were a number of comments suggesting that various types of accounts be exempted from the final rule. For example, several commenters suggested that accounts of Federal, state, and local governmental entities, public companies, and correspondent banks be exempted from the final rule. One commenter suggested that student loan programs be exempted from the rule because current safeguards are sufficient to verify the identity of student loan borrowers. Another commenter suggested that small trust companies and limited purpose banks that provide trust services be exempted from the rule, because such entities are more local in operation, would be burdened by the rule, and have fewer employees to ensure compliance. Yet another commenter suggested that the NCUA exempt credit unions from the CIP requirements. Any suggested exemptions that Treasury and the Agencies have determined to be appropriate are incorporated into the definitions of ``account'' and ``customer'' for the reasons described above. The exemption provision of the final rule is essentially adopted as proposed with respect to banks that have a Federal functional regulator. Because the final rule will also apply to certain banks that do not have a Federal functional regulator, a new provision has been added to make clear that Treasury alone will make all determinations regarding exemptions for these institutions. Section 103.121(d) Other Information Requirements Unaffected. The proposal provided that nothing in Sec. 103.121 shall be construed to relieve a bank of its obligations to obtain, verify, or maintain information in connection with an account or transaction that is required by another provision in part 103. For example, if an account is opened with a deposit of more than $10,000 in cash, the bank opening the account must comply with the customer identification requirements in Sec. 103.121, as well as with the provisions of Sec. 103.22, which require that certain information concerning the transaction be reported by filing a Currency Transaction Report (CTR). There were no comments on this provision. Therefore, Treasury and the Agencies have adopted this provision generally as proposed, except that it has been clarified to provide that nothing in Sec. 103.121 should be construed to relieve a bank of any of its obligations, including its obligations to obtain, verify, or maintain information in connection with an account or transaction that is required by another provision in part 103. III. Conforming Amendments to 31 CFR 103.34 Section 103.34(a) sets forth customer identification requirements when certain types of deposit accounts are opened. Together with the proposed rule implementing section 326, Treasury, on its own authority, proposed deleting 31 CFR 103.34(a) for the following reasons. First, the preamble for the proposal explained that Treasury regards the requirements of Sec. Sec. 103.34(a)(1) and (2) as inconsistent with the intent and purpose of section 326 of the Act and incompatible with proposed section 103.121. Generally Sec. Sec. 103.34(a)(1) and (2) require a bank, within 30 days after [[Page 25105]] certain deposit accounts are opened, to secure and maintain a record of the taxpayer identification number of the customer involved. If the bank is unable to obtain the taxpayer identification number within 30 days (or a longer time if the person has applied for a taxpayer identification number), it need take no further action under Sec. 103.34 concerning the account if it maintains a list of the names, addresses, and account numbers of the persons for which it was unable to secure taxpayer identification numbers, and provides that information to Treasury upon request. In the case of a non-resident alien, the bank is required to record the person's passport number or a description of some other government document used to determine identification. These requirements conflicted with those in proposed Sec. 103.121 which required a bank to obtain the name, address, date of birth and an identification number from any person seeking to open a new account. Second, Sec. 103.34(a)(3) currently provides that a bank need not obtain a taxpayer identification number with respect to specified categories of persons \34\ opening certain deposit accounts. Proposed Sec. 103.121 did not exempt any persons from the CIP requirements. Treasury requested comment on whether any of the exemptions in Sec. 103.34(a)(3) should apply in light of the intent and purpose of section 326 of the Act and the requirements of proposed Sec. 103.121. --------------------------------------------------------------------------- \34\ The exemption applies to (i) agencies and instrumentalities of Federal, State, local, or foreign governments; (ii) judges, public officials, or clerks of courts of record as custodians of funds in controversy or under the control of the court; (iii) aliens who are ambassadors; ministers; career diplomatic or consular officers; naval, military, or other attaches of foreign embassies and legations; and members of their immediate families; (iv) aliens who are accredited representatives of certain international organizations, and their immediate families; (v) aliens temporarily residing in the United States for a period not to exceed 180 days; (vi) aliens not engaged in a trade or business in the United States who are attending a recognized college or university, or any training program supervised or conducted by an agency of the Federal Government; (vii) unincorporated subordinate units of a tax exempt central organization that are covered by a group exemption letter; (viii) a person under 18 years of age, with respect to an account opened as part of a school thrift savings program, provided the annual interest is less than $10; (ix) a person opening a Christmas club, vacation club, or similar installment savings program, provided the annual interest is less than $10; and (x) non-resident aliens who are not engaged in a trade or business in the United States. --------------------------------------------------------------------------- Third, Sec. 103.34(a)(4) also provides that IRS rules shall determine whose number shall be obtained in the case of multiple account holders. In the preamble that accompanied its proposal, Treasury stated that this provision is inconsistent with section 326 of the Act, which requires that banks verify the identity of ``any'' person seeking to open an account. In addition, Treasury proposed deleting Sec. 103.34(b)(1) which requires a bank to keep ``any notations, if such are normally made, of specific identifying information verifying the identity of the signer [who has signature authority over an account] (such as a driver's license number or credit card number).'' Treasury stated that the quoted language in Sec. 103.34(b)(1) is inconsistent with the proposed requirements of Sec. 103.121. For this reason, Treasury, under its own authority, proposed to delete the quoted language. Few comments were received regarding the proposed deletion of these provisions. Some commenters agreed that Sec. 103.34(a) should be deleted if proposed Sec. 103.121 were adopted. One commenter suggested that Sec. 103.34(a) should be revised to achieve the objectives of the section 326 of the Act. One commenter representing a military bank requested continuance of the exemption for agencies and instrumentalities of the Federal government that will permit exemption of commissaries, exchanges and various military organizations. Another commenter requested maintenance of the exemption for government entities, court funds, unincorporated units of tax-exempt organizations, and school thrift programs. Treasury has determined that given the more comprehensive requirements of the final version of Sec. 103.121, there is no longer a need for Sec. 103.34 (a). A number of the exemptions formerly in Sec. 103.34(a) have now been added to Sec. 103.121. Other exemptions conflict with the language and intent of section 326 of the Act and thus were not adopted in the final rule. While Sec. 103.34(a) will no longer be needed once the final rule is fully effective, withdrawing the provision before October 1, 2003, would create a gap period during which banks would not be subject to a rule under the BSA requiring a customer to be identified when opening an account. Because Treasury and the Agencies do not believe such a gap period would be appropriate, the final rule--rather than withdrawing Sec. 103.34(a)--amends the section to cut off its applicability on October 1, 2003, when Sec. 103.121 becomes fully effective.\35\ --------------------------------------------------------------------------- \35\ Appropriate conforming amendments are made to Sec. Sec. 103.34(b)(11) and (12) to add a cross-reference to the Internal Revenue Code regarding the rules for determining what constitutes a taxpayer identification number. --------------------------------------------------------------------------- By contrast, Treasury no longer believes that it is necessary to delete the quoted language in Sec. 103.34(b), which requires a bank to keep ``any notations, if such are normally made, of specific identifying information verifying the identity of [a person with signature authority over an account] (such as a driver's license number or credit card number).'' The definition of ``customer'' in the final version of Sec. 103.121 no longer includes a signatory on an account. Therefore, Sec. 103.121 and Sec. 103.34(b)(1) are not inconsistent and the records required to be kept in accordance with Sec. 103.34(b)(1) will still have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings, or in the conduct of intelligence or counterintelligence activities, and to protect against international terrorism. Therefore, the proposal to delete the quoted language in Sec. 103.34(b)(1) is not adopted as proposed. IV. Technical Amendment to 31 CFR 103.11(j) Section 103.11(j), which defines the term ``deposit account,'' contains an obsolete reference to the definition of ``transaction account,'' which is defined in Sec. 103.11(hh). Under its own authority, Treasury proposed to correct this reference. There were no comments on this proposed technical correction. Therefore, it is adopted as proposed. V. Regulatory Analysis A. Regulatory Flexibility Act Under the Regulatory Flexibility Act (RFA), an agency must either prepare a Final Regulatory Flexibility Analysis (FRFA) for a final rule or certify that the final rule will not have a significant economic impact on a substantial number of small entities.\36\ See 5 U.S.C. 604 and 605(b). --------------------------------------------------------------------------- \36\ The RFA defines the term ``small entity'' in 5 U.S.C. 601 by reference to the definitions published by the Small Business Administration (SBA). The SBA has defined a ``small entity'' for banking purposes as a bank or savings institution with less than $150 million in assets. See 13 CFR 121.201. The NCUA defines ``small credit union'' as those under $1 million in assets. Interpretive Ruling and Policy Statement No. 87-2, Developing and Reviewing Government Regulations (52 FR 35231, September 18, 1987). --------------------------------------------------------------------------- Treasury and the Agencies have reviewed the impact of this final rule on small banks. Treasury and the Agencies certify that the final rule will not have a significant economic impact on a substantial number of small entities. First, Treasury and the Agencies believe that banks already have implemented prudential business practices and anti-money laundering [[Page 25106]] programs that include most of the procedures that a CIP must contain under this final rule. Banks generally undertake extensive measures to verify the identity of their customers as a matter of good business practice. In addition, Federally regulated banks already must have anti-money laundering programs that include procedures for identification, verification, and documentation of customer information.\37\ --------------------------------------------------------------------------- \37\ See footnote 10. --------------------------------------------------------------------------- Second, although the final rule contains several requirements that will be new to banks we anticipate that the costs of implementing these requirements will not be economically significant. For example, the recordkeeping requirements in the final rule may impose some costs on banks to the extent that the information that must be maintained is not already collected and retained.\38\ Treasury and the Agencies believe that the compliance burden is minimized for banks, including small banks, because the final rule vests a bank with the discretion to design and implement appropriate recordkeeping procedures, including allowing banks to maintain electronic records in lieu of (or in combination with) paper records. --------------------------------------------------------------------------- \38\ See, e.g., identification and verification of customers in connection with each share or deposit account opened (31 CFR 103.34). --------------------------------------------------------------------------- The section of the final rule that requires banks to check lists of known and suspected terrorists and terrorist organizations and to follow Federal agency directives in connection with the lists is also a new requirement that will impose nominal burden, once Treasury and the Agencies publish lists that banks must consult. However, no such lists have been issued to date. Moreover, banks already must have procedures to satisfy other similar requirements. For instance, banks already have to ensure that they do not engage in transactions involving designated foreign countries, foreign nationals, and other entities prohibited under OFAC rules. See 31 CFR part 500. We also understand that many banks, including small banks, use electronic search tools to check lists \39\ and already use identity verification software, both as part of their customer due diligence obligations under existing BSA compliance program requirements and to detect fraud. --------------------------------------------------------------------------- \39\ We believe that most banks will use technology rather than manual methods to check lists. OFAC lists are generally incorporated into bank software and, in response to bank inquiries, Treasury and the Agencies have made clear that banks are permitted to share the lists they receive pursuant to section 314 of the Act with their service providers. We expect that any lists provided under section 326 of the Act will also be provided under the same conditions. --------------------------------------------------------------------------- The notice provisions of the rule also are new. However, they are very flexible and, as written, should impose only minimal costs. The final rule permits a bank to satisfy the notice requirement by choosing from a variety of low-cost measures, such as posting a sign in the lobby or on its website, by adding it to an account statement, or using any other form of written or oral notice. In addition, the amount of time that a bank will need to develop its notices will be minimal as the final rule now contains a sample notice. Treasury and the Agencies believe that the flexibility incorporated into the final rule will permit each bank to tailor its CIP to fit its own size and needs. In this regard, Treasury and the Agencies believe that expenditures associated with establishing and implementing a CIP will be commensurate with the size of a bank. If a bank is small, the burden to comply with the proposed rule should be de minimis. Most commenters on the proposed rule stated that Treasury and the Agencies had underestimated the burden imposed by the proposed rule. They highlighted aspects of the proposal that they maintained would have imposed excessive burdens and would have required banks to alter their current practices. Most comments focused on the proposed provisions requiring banks to verify the identity of signatories on accounts, to keep copies of documents used to verify a customer's identity, and to retain identity verification records for five years after an account is closed. In drafting the final rule, Treasury and the Agencies have either eliminated or minimized the most significant burdens identified by commenters. In response to commenters, for example, the final rule eliminates signatories from the definition of ``customer,'' no longer requires a bank to keep copies of documents used to verify a customer's identity, and reduces the universe of records that must be kept for five years after an account is closed. Treasury and the Agencies have taken other steps that significantly reduce the scope of the rule and burdens of the rule. Many of these burden-reducing actions are described in the Paperwork Reduction Act discussion below.\40\ As a result of these changes, the final rule is far more flexible and less burdensome than the proposed rule while still fulfilling the statutory mandates enumerated in section 326 of the Act. --------------------------------------------------------------------------- \40\ In addition to the burden-reducing measures discussed in the Paperwork Reduction Act discussion, other changes include: [sbull] A clarification that a bank must verify the customer's identity using the identifying information obtained. The proposed rule would have required the bank to verify all identifying information. The elimination of the requirement that a bank must obtain a physical and a mailing address from a customer opening an account. Under the final rule, the bank is only required to obtain a physical address. [sbull] A new provision that permits a bank to rely on another financial institution to perform its CIP under certain conditions. This provision allows financial institutions that share a customer to share customer identification and verification obligations and to reduce the cost of maintaining duplicative records required by the recordkeeping provisions of the final rule. [sbull] A revised provision that extends to customers who are individuals the exception that permits a bank to open an account for a customer that has applied for, but has not received, a taxpayer identification number. [sbull] A new exemption for credit card accounts from the requirement that a bank obtain identifying information from the customer prior to opening an account. In connection with credit card accounts, a bank is permitted to obtain identifying information from a third party source prior to extending credit. [sbull] A clarification stating that the government will provide lists of known or suspected terrorists and terrorist organizations to banks. Banks will not be required to seek out this information. In addition, the rule now states that the bank may determine whether a customer appears on the list within a reasonable time after the account is opened, unless it is required to do so earlier by another Federal law, regulation, or directive. [sbull] A transition period that permits banks a period of several months to comply with the final rule. --------------------------------------------------------------------------- Finally, Treasury and the Agencies did consider whether it would be appropriate to exempt small banks from the requirements of the rule. We do not believe that an exemption for small banks is appropriate, given the flexibility built into the rule to account for, among other things, the differing sizes and resources of banks, as well as the importance of the statutory goals and mandate of section 326. Money laundering can occur in small banks as well as large banks. B. Paperwork Reduction Act Certain provisions of the final rule contain ``collection of information'' requirements within the meaning of the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.). An agency may not conduct or sponsor, and a respondent is not required to respond to, an information collection unless it displays a currently valid Office of Management and Budget (OMB) control number. Treasury submitted the final rule to the OMB for review in accordance with 44 U.S.C. 3507(d). The OMB has approved the collection of information requirements in today's rule under control number 1506-0026. [[Page 25107]] Collection of Information Under the Proposed Rule The proposed rule applied only to a financial institution that is a ``bank'' as defined in 31 CFR 103.11(c),\41\ and any foreign branch of an insured bank. The proposed rule required each bank to establish a written CIP that must include recordkeeping procedures (proposed Sec. 103.121(b)(3)) and procedures for providing customers with notice that the bank is requesting information to verify their identity (proposed Sec. 103.121(b)(5)). --------------------------------------------------------------------------- \41\ This definition includes banks, thrifts, and credit unions. --------------------------------------------------------------------------- The proposed rule required a bank to maintain a record of (1) the identifying information provided by the customer, the type of identification document(s) reviewed, if any, the identification number of the document(s), and a copy of the identification document(s); (2) the means and results of any additional measures undertaken to verify the identity of the customer; and (3) the resolution of any discrepancy in the identifying information obtained. It also required these records to be maintained at the bank for five years after the date the account is closed (proposed Sec. 103.121(b)(3)). The proposed rule also required a bank to give its customers ``adequate notice'' of the identity verification procedures (proposed Sec. 103.121(b)(5)). The proposed rule stated that a bank could satisfy the notice requirement by posting a sign in the lobby or providing customers with any other form of written or oral notice. Collection of Information Under the Final Rule The final rule, like the proposed rule, requires banks to implement reasonable procedures to (1) maintain records of the information used to verify a customer's identity, and (2) provide notice of these procedures to customers. These recordkeeping and disclosure requirements are required under section 326 of the Act. However, the final rule greatly reduces the paperwork burden attributable to these requirements, as described below. The final rule also contains a new recordkeeping provision permitting a bank to rely on another financial institution to perform some or all its CIP, under certain circumstances. Among other things, the other financial institution must provide the bank with a contract requiring it to certify annually to the bank that it has implemented its anti-money laundering program, and that it will perform (or its agent will perform) the specified requirements of the bank's CIP. Response to Comments Received We received approximately 500 comments on the proposed rule. Most of the commenters specifically mentioned the recordkeeping burden associated with the proposed rule. Some commenters also asked Treasury and the Agencies to clarify the meaning of ``adequate notice'' and requested that a sample notice be provided in the final rule. Only a few commenters provided burden estimates of additional burden hours that would result from the proposed rule. However, these burden estimates did not necessarily focus on the recordkeeping and disclosure requirements in the proposal and ranged from 200 extra hours per year to 9,000 additional hours. Treasury and the Agencies believe that the final rule substantially addresses the concerns of the commenters. Specific concerns about paperwork burden have been addressed as follows: First, the recordkeeping and disclosure burden are minimized in the final rule because Treasury and the Agencies reduced the entire scope of the final rule, by: [sbull] Narrowing and clarifying the scope of ``account.'' The final rule specifically excludes accounts that (1) a bank acquires through an acquisition, merger, purchase of assets, or assumption of liabilities from a third party, and (2) accounts opened for the purpose of participating in an employee benefit plan established pursuant to the Employee Retirement Income Security Act of 1974. It also specifically excludes wire transfers, check cashing, and the sale of travelers checks, and any other product or service that does not lead to a ``formal banking relationship'' from the scope of the rule; [sbull] Narrowing the definition of ``bank'' covered by the rule to exclude a bank's foreign branches; and [sbull] Limiting and clarifying who is a ``customer'' for purposes of the final rule. The final rule now defines ``customer'' as ``a person that opens a new account'' making clear that a person who does not receive banking services, such as a person whose deposit or loan application is denied, is not a customer. The definition of customer also excludes signatories from the definition of ``customer.'' Moreover, the final rule excludes from the definition of ``customer'' the following readily-identifiable entities: A financial institution regulated by a Federal functional regulator; a bank regulated by a state bank regulator; and governmental agencies and instrumentalities and companies that are publicly traded (i.e., entities described in Sec. 103.22(d)(2)(ii)-(iv)). The final rule also excludes existing customers of the bank, provided that the bank has a reasonable belief that it knows the true identity of the person.\42\ --------------------------------------------------------------------------- \42\ The proposed rule stated that the identity of an existing customer would not need to be verified if the bank (1) had previously verified the customer's identity in accordance with procedures consistent with the proposed rule, and (2) continues to have a reasonable belief that it knows the true identity of the customer. --------------------------------------------------------------------------- Second, recordkeeping burden was further reduced by: [sbull] Eliminating the requirement that a bank keep copies of any document that it relied upon in order to verify the identity of the customer and substituting a requirement that a bank's records need only include ``a description'' of any document that it relied upon in order to verify the identity of the customer. The final rule also clarifies that the records need only include ``a description'' of the methods and results of any measure undertaken to verify the identity of the customer, and of the resolution of any substantive discrepancy discovered when verifying the identifying information obtained, rather than any documents generated in connection with these measures; and [sbull] Reducing the length of time that records must be kept. The final rule requires that identifying information be kept for five years after the date the account is closed (or for credit card accounts, five years after the account is closed or becomes dormant). All other records may be kept for five years after the account is opened. Third, disclosure burden was reduced by providing sample language that, if appropriate and properly provided, will be deemed adequate notice to a bank's customer. Disclosure burden also was reduced by clarifying the term ``adequate notice.'' Treasury and the Agencies believe that little additional burden is imposed as a result of the recordkeeping requirements outlined in section 103.121(b)(3), because the type of recordkeeping required by the final rule is a usual and customary business practice. In addition, banks already must keep similar records to comply with existing regulations in 31 CFR part 103 (see, e.g., 31 CFR 103.34, requiring certain records for each deposit or share account opened). Treasury and the Agencies believe that nominal burden is associated with the disclosure requirement outlined in Sec. 103.121(b)(5). This section contains a sample notice that if appropriate and [[Page 25108]] provided in accordance with the final rule, will be deemed adequate notice. In addition, it continues to permit banks to choose among a variety of low-cost methods of providing adequate notice and to select the least burdensome method, given the circumstances under which customers seek to open new accounts. Treasury and the Agencies also believe that nominal burden is associated with the new recordkeeping requirement in Sec. 103.121(b)(6). This section permits a bank to rely on another financial institution to perform some or all its CIP under certain conditions, including the condition that the financial institution enter into a contract with the bank providing that it will certify annually to the bank that it (1) has implemented its anti-money laundering program and (2) will perform (or its agent will perform) the specified requirements of the bank's CIP. Not all banks will choose to rely on a third party. For those that do, the minimal burden of retaining the certification described above should allow them to reduce net burden under the rule by such reliance. Burden Estimates Treasury and the Agencies have reconsidered the burden estimates published in the proposed rule, given the comments stating that the burdens associated with the paperwork collections were underestimated. Having done so, and considering the reduction in burden taken in this final rule, Treasury and the Agencies have adjusted their estimates of the paperwork burden of this rule. The burden estimates that follow are estimates of the incremental burden imposed upon banks by this final rule, recognizing that some of the requirements in this rule are a usual and customary practice in the banking industry, or duplicate other regulatory requirements. The potential respondents are national banks and Federal branches and agencies (OCC financial institutions); state member banks and branches and agencies of foreign banks (Board financial institutions); insured state nonmember banks (FDIC financial institutions); savings associations (OTS financial institutions); Federally insured credit unions (NCUA financial institutions); and certain non-Federally regulated credit unions, private banks, and trust companies (FinCEN institutions). Estimated number of respondents: OCC: 2207. Board: 1240. FDIC: 5,500. OTS: 962. NCUA: 9,688. FinCEN: 2,460. Estimated average annual recordkeeping burden per respondent: 10 hours. Estimated average annual disclosure burden per respondent: 1 hour. Estimated total annual recordkeeping and disclosure burden: 242,627 hours. Treasury and the Agencies invite comment on the accuracy of the burden estimates and invite suggestions on how to further reduce these burdens. Comments should be sent (preferably by fax (202-395-6974)) to Desk Officer for the Department of the Treasury, Office of Information and Regulatory Affairs, Office of Management and Budget, Paperwork Reduction Project (1506-0026), Washington, DC 20503 (or by the Internet to jlackeyj@omb.eop.gov), with a copy to FinCEN by mail or the Internet at the addresses previously specified. Executive Order 12866 Treasury, the OCC, and OTS have determined that the final rule is not a ``significant regulatory action'' under Executive Order 12866 for the following reasons. The rule follows closely the requirements of section 326 of the Act. Moreover, Treasury, the OCC, and OTS believe that national banks and savings associations already have procedures in place that fulfill most of the requirements of the final rule because the procedures are a matter of good business practice. In addition, national banks and savings associations already are required to have BSA compliance programs that address many of the requirements detailed in this final rule. At the proposed rule stage, Treasury, the OCC, and OTS invited national banks, the thrift industry, and the public to provide any cost estimates and related data that they think would be useful in evaluating the overall costs of the rule. Most of the cost estimates provided by commenters related to the requirements in the proposed rule that banks verify the identity of signatories on accounts, keep copies of documents used to verify a customer's identity, and retain identity verification records for five years after an account is closed. As described in the preamble, the final rule eliminates signatories from the definition of ``customer,'' and no longer requires a bank to keep copies of documents used to verify a customer's identity. The final rule also reduces the universe of records that must be kept for five years after an account is closed. Treasury, the OCC and the OTS have taken other steps that significantly reduce the scope of the rule and the burden of the rule. These burden-reducing measures are described in the Paperwork Reduction Act discussion and Regulatory Flexibility Act discussion, above.\43\ --------------------------------------------------------------------------- \43\ For these same reasons, and consistent with section 201 of the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), Treasury, the OTS and the OCC have also determined that this final rule will not result in expenditures by State, local, and tribal governments in the aggregate, or by the private sector of $100 million or more in any one year, and therefore the rule is not subject to the requirements of section 202 of that Act. --------------------------------------------------------------------------- List of Subjects 12 CFR Part 21 Crime, Currency, National banks, Reporting and recordkeeping requirements, Security measures. 12 CFR Part 208 Accounting, Agriculture, Banks, banking, Confidential business information, Crime, Currency, Investments, Mortgages, Reporting and recordkeeping requirements, Securities. 12 CFR Part 211 Exports, Foreign banking, Holding companies, Investments, Reporting and recordkeeping requirements. 12 CFR Part 326 Banks, banking, Currency, Insured nonmember banks, Reporting and recordkeeping requirements, Security measures. 12 CFR Part 563 Accounting, Advertising, Crime, Currency, Investments, Reporting and Recordkeeping requirements, Savings associations, Securities, Surety bonds. 12 CFR Part 748 Credit unions, Crime, and Security measures. 31 CFR Part 103 Administrative practice and procedure, Authority delegations (Government agencies), Banks, banking, Brokers, Currency, Foreign banking, Foreign currencies, Gambling, Investigations, Law enforcement, Penalties, Reporting and recordkeeping requirements, Securities. Department of the Treasury 31 CFR Chapter I Authority and Issuance 0 For the reasons set forth in the preamble, part 103 of title 31 of the Code of Federal Regulations is amended as follows: [[Page 25109]] PART 103--FINANCIAL RECORDKEEPING AND REPORTING OF CURRENCY AND FOREIGN TRANSACTIONS 0 1. The authority citation for part 103 is revised to read as follows: Authority: 12 U.S.C. 1829b and 1951-1959; 31 U.S.C. 5311-5314 and 5316-5332; title III, secs. 312, 313, 314, 319, 326, 352, Pub L. 107-56, 115 Stat. 307. Sec. 103.11 [Amended] 0 2. Section 103.11(j) is amended by removing ``paragraph (q)'' and adding ``paragraph (hh)'' in its place. Sec. 103.34 [Amended] 0 3. Section 103.34 is amended as follows: 0 a. By amending the first sentence of paragraph (a)(1) to add the words ``and before October 1, 2003'' after the words ``May 31, 1978'' and after the words ``June 30, 1972''; 0 b. By amending paragraph (b)(11) to add the words ``as determined under section 6109 of the Internal Revenue Code of 1986'' after the words ``taxpayer identification number;'' and 0 c. By amending paragraph (b)(12) to add the words ``as determined under section 6109 of the Internal Revenue Code of 1986'' after the words ``taxpayer identification number.'' 0 2. Subpart I of part 103 is amended by adding new Sec. 103.121 to read as follows: Sec. 103.121 Customer Identification Programs for banks, savings associations, credit unions, and certain non-Federally regulated banks. (a) Definitions. For purposes of this section: (1)(i) Account means a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including a deposit account, a transaction or asset account, a credit account, or other extension of credit. Account also includes a relationship established to provide a safety deposit box or other safekeeping services, or cash management, custodian, and trust services. (ii) Account does not include: (A) A product or service where a formal banking relationship is not established with a person, such as check-cashing, wire transfer, or sale of a check or money order; (B) An account that the bank acquires through an acquisition, merger, purchase of assets, or assumption of liabilities; or (C) An account opened for the purpose of participating in an employee benefit plan established under the Employee Retirement Income Security Act of 1974. (2) Bank means: (i) A bank, as that term is defined in Sec. 103.11(c), that is subject to regulation by a Federal functional regulator; and (ii) A credit union, private bank, and trust company, as set forth in Sec. 103.11(c), that does not have a Federal functional regulator. (3)(i) Customer means: (A) A person that opens a new account; and (B) An individual who opens a new account for: (1) An individual who lacks legal capacity, such as a minor; or (2) An entity that is not a legal person, such as a civic club. (ii) Customer does not include: (A) A financial institution regulated by a Federal functional regulator or a bank regulated by a state bank regulator; (B) A person described in Sec. 103.22(d)(2)(ii) through (iv); or (C) A person that has an existing account with the bank, provided that the bank has a reasonable belief that it knows the true identity of the person. (4) Federal functional regulator is defined at Sec. 103.120(a)(2). (5) Financial institution is defined at 31 U.S.C. 5312(a)(2) and (c)(1). (6) Taxpayer identification number is defined by section 6109 of the Internal Revenue Code of 1986 (26 U.S.C. 6109) and the Internal Revenue Service regulations implementing that section (e.g., social security number or employer identification number). (7) U.S. person means: (i) A United States citizen; or (ii) A person other than an individual (such as a corporation, partnership, or trust), that is established or organized under the laws of a State or the United States. (8) Non-U.S. person means a person that is not a U.S. person. (b) Customer Identification Program: minimum requirements. (1) In general. A bank must implement a written Customer Identification Program (CIP) appropriate for its size and type of business that, at a minimum, includes each of the requirements of paragraphs (b)(1) through (5) of this section. If a bank is required to have an anti-money laundering compliance program under the regulations implementing 31 U.S.C. 5318(h), 12 U.S.C. 1818(s), or 12 U.S.C. 1786(q)(1), then the CIP must be a part of the anti-money laundering compliance program. Until such time as credit unions, private banks, and trust companies without a Federal functional regulator are subject to such a program, their CIPs must be approved by their boards of directors. (2) Identity verification procedures. The CIP must include risk- based procedures for verifying the identity of each customer to the extent reasonable and practicable. The procedures must enable the bank to form a reasonable belief that it knows the true identity of each customer. These procedures must be based on the bank's assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the various types of identifying information available, and the bank's size, location, and customer base. At a minimum, these procedures must contain the elements described in this paragraph (b)(2). (i) Customer information required. (A) In general. The CIP must contain procedures for opening an account that specify the identifying information that will be obtained from each customer. Except as permitted by paragraphs (b)(2)(i)(B) and (C) of this section, the bank must obtain, at a minimum, the following information from the customer prior to opening an account: (1) Name; (2) Date of birth, for an individual; (3) Address, which shall be: (i) For an individual, a residential or business street address; (ii) For an individual who does not have a residential or business street address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another contact individual; or (iii) For a person other than an individual (such as a corporation, partnership, or trust), a principal place of business, local office, or other physical location; and (4) Identification number, which shall be: (i) For a U.S. person, a taxpayer identification number; or (ii) For a non-U.S. person, one or more of the following: a taxpayer identification number; passport number and country of issuance; alien identification card number; or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard. Note to paragraph (b)(2)(i)(A)(4)(ii): When opening an account for a foreign business or enterprise that does not have an identification number, the bank must request alternative government-issued documentation certifying the existence of the business or enterprise. (B) Exception for persons applying for a taxpayer identification number. [[Page 25110]] Instead of obtaining a taxpayer identification number from a customer prior to opening the account, the CIP may include procedures for opening an account for a customer that has applied for, but has not received, a taxpayer identification number. In this case, the CIP must include procedures to confirm that the application was filed before the customer opens the account and to obtain the taxpayer identification number within a reasonable period of time after the account is opened. (C) Credit card accounts. In connection with a customer who opens a credit card account, a bank may obtain the identifying information about a customer required under paragraph (b)(2)(i)(A) by acquiring it from a third-party source prior to extending credit to the customer. (ii) Customer verification. The CIP must contain procedures for verifying the identity of the customer, using information obtained in accordance with paragraph (b)(2)(i) of this section, within a reasonable time after the account is opened. The procedures must describe when the bank will use documents, non-documentary methods, or a combination of both methods as described in this paragraph (b)(2)(ii). (A) Verification through documents. For a bank relying on documents, the CIP must contain procedures that set forth the documents that the bank will use. These documents may include: (1) For an individual, unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard, such as a driver's license or passport; and (2) For a person other than an individual (such as a corporation, partnership, or trust), documents showing the existence of the entity, such as certified articles of incorporation, a government-issued business license, a partnership agreement, or trust instrument. (B) Verification through non-documentary methods. For a bank relying on non-documentary methods, the CIP must contain procedures that describe the non-documentary methods the bank will use. (1) These methods may include contacting a customer; independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement. (2) The bank's non-documentary procedures must address situations where an individual is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard; the bank is not familiar with the documents presented; the account is opened without obtaining documents; the customer opens the account without appearing in person at the bank; and where the bank is otherwise presented with circumstances that increase the risk that the bank will be unable to verify the true identity of a customer through documents. (C) Additional verification for certain customers. The CIP must address situations where, based on the bank's risk assessment of a new account opened by a customer that is not an individual, the bank will obtain information about individuals with authority or control over such account, including signatories, in order to verify the customer's identity. This verification method applies only when the bank cannot verify the customer's true identity using the verification methods described in paragraphs (b)(2)(ii)(A) and (B) of this section. (iii) Lack of verification. The CIP must include procedures for responding to circumstances in which the bank cannot form a reasonable belief that it knows the true identity of a customer. These procedures should describe: (A) When the bank should not open an account; (B) The terms under which a customer may use an account while the bank attempts to verify the customer's identity; (C) When the bank should close an account, after attempts to verify a customer's identity have failed; and (D) When the bank should file a Suspicious Activity Report in accordance with applicable law and regulation. (3) Recordkeeping. The CIP must include procedures for making and maintaining a record of all information obtained under the procedures implementing paragraph (b) of this section. (i) Required records. At a minimum, the record must include: (A) All identifying information about a customer obtained under paragraph (b)(2)(i) of this section; (B) A description of any document that was relied on under paragraph (b)(2)(ii)(A) of this section noting the type of document, any identification number contained in the document, the place of issuance and, if any, the date of issuance and expiration date; (C) A description of the methods and the results of any measures undertaken to verify the identity of the customer under paragraph (b)(2)(ii)(B) or (C) of this section; and (D) A description of the resolution of any substantive discrepancy discovered when verifying the identifying information obtained. (ii) Retention of records. The bank must retain the information in paragraph (b)(3)(i)(A) of this section for five years after the date the account is closed or, in the case of credit card accounts, five years after the account is closed or becomes dormant. The bank must retain the information in paragraphs (b)(3)(i)(B), (C), and (D) of this section for five years after the record is made. (4) Comparison with government lists. The CIP must include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency and designated as such by Treasury in consultation with the Federal functional regulators. The procedures must require the bank to make such a determination within a reasonable period of time after the account is opened, or earlier, if required by another Federal law or regulation or Federal directive issued in connection with the applicable list. The procedures must also require the bank to follow all Federal directives issued in connection with such lists. (5)(i) Customer notice. The CIP must include procedures for providing bank customers with adequate notice that the bank is requesting information to verify their identities. (ii) Adequate notice. Notice is adequate if the bank generally describes the identification requirements of this section and provides the notice in a manner reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account. For example, depending upon the manner in which the account is opened, a bank may post a notice in the lobby or on its website, include the notice on its account applications, or use any other form of written or oral notice. (iii) Sample notice. If appropriate, a bank may use the following sample language to provide notice to its customers: IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: When you open an account, we will ask for your name, [[Page 25111]] address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver's license or other identifying documents. (6) Reliance on another financial institution. The CIP may include procedures specifying when a bank will rely on the performance by another financial institution (including an affiliate) of any procedures of the bank's CIP, with respect to any customer of the bank that is opening, or has opened, an account or has established a similar formal banking or business relationship with the other financial institution to provide or engage in services, dealings, or other financial transactions, provided that: (i) Such reliance is reasonable under the circumstances; (ii) The other financial institution is subject to a rule implementing 31 U.S.C. 5318(h) and is regulated by a Federal functional regulator; and (iii) The other financial institution enters into a contract requiring it to certify annually to the bank that it has implemented its anti-money laundering program, and that it will perform (or its agent will perform) the specified requirements of the bank's CIP. (c) Exemptions. The appropriate Federal functional regulator, with the concurrence of the Secretary, may, by order or regulation, exempt any bank or type of account from the requirements of this section. The Federal functional regulator and the Secretary shall consider whether the exemption is consistent with the purposes of the Bank Secrecy Act and with safe and sound banking, and may consider other appropriate factors. The Secretary will make these determinations for any bank or type of account that is not subject to the authority of a Federal functional regulator. (d) Other requirements unaffected. Nothing in this section relieves a bank of its obligation to comply with any other provision in this part, including provisions concerning information that must be obtained, verified, or maintained in connection with any account or transaction. Dated: April 28, 2003. James F. Sloan, Director, Financial Crimes Enforcement Network. Dated: April 17, 2003. In concurrence: John D. Hawke, Jr., Comptroller of the Currency. In concurrence: By order of the Board of Governors of the Federal Reserve System, April 21, 2003. Jennifer J. Johnson, Secretary of the Board. In concurrence: By order of the Board of Directors of the Federal Deposit Insurance Corporation this 16th day of April, 2003. Valerie J. Best, Assistant Executive Secretary. In concurrence: Dated: April 9, 2003. James E. Gilleran, Director, Office of Thrift Supervision. In concurrence: Dated: April 7, 2003. Becky Baker, Secretary of the Board, National Credit Union Administration. Office of the Comptroller of the Currency 12 CFR Chapter I Authority and Issuance 0 For the reasons set out in the preamble, the OCC amends chapter I of title 12 of the Code of Federal Regulations as set forth below: PART 21--MINIMUM SECURITY DEVICES AND PROCEDURES, REPORTS OF SUSPICIOUS ACTIVITIES, AND BANK SECRECY ACT COMPLIANCE PROGRAM Subpart C--Procedures for Monitoring Bank Secrecy Act Compliance 0 1. The authority citation for part 21, subpart C, continues to read as follows: Authority: 12 U.S.C. 93a, 1818, 1881-1884 and 3401-3422; 31 U.S.C. 5318. 0 2. In Sec. 21.21: 0 A. Revise the section heading; and 0 B. Revise Sec. 21.21(b) to read as follows: Sec. 21.21 Procedures for monitoring Bank Secrecy Act (BSA) compliance. * * * * * (b) Establishment of a BSA compliance program. (1) Program requirement. Each bank shall develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the recordkeeping and reporting requirements set forth in subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR part 103. The compliance program must be written, approved by the bank's board of directors, and reflected in the minutes of the bank. (2) Customer identification program. Each bank is subject to the requirements of 31 U.S.C. 5318(l) and the implementing regulation jointly promulgated by the OCC and the Department of the Treasury at 31 CFR 103.121, which require a customer identification program to be implemented as part of the BSA compliance program required under this section. * * * * * Dated: April 17, 2003. John D. Hawke, Jr., Comptroller of the Currency. Federal Reserve System 12 CFR Chapter II Authority and Issuance 0 For the reasons set out in the preamble, the Board of Governors of the Federal Reserve System amends 12 CFR Chapter II as follows: PART 208--MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL RESERVE SYSTEM (REGULATION H) 0 1. The authority citation for part 208 continues to read as follows: Authority: 12 U.S.C. 24, 24a, 36, 92a, 93a, 248(a), 248(c), 321- 338a, 371d, 461, 481-486, 601, 611, 1814, 1816, 1818, 1820(d)(9), 1823(j), 1828(o), 1831, 1831o, 1831p-1, 1831r-1, 1831w, 1831x, 1835a, 1843(l), 1882, 2901-2907, 3105, 3310, 3331-3351, and 3906- 3909; 15 U.S.C. 78b, 78l(b), 78l(g), 78l(i), 78o-4(c)(5), 78q, 78q- 1, and 78w; 31 U.S.C. 5318; 42 U.S.C. 4012a, 4104a, 4104b, 4106, and 4128. 0 2. Revise Sec. 208.63(b) to read as follows: Sec. 208.63 Procedures for monitoring Bank Secrecy Act compliance. * * * * * (b) Establishment of BSA compliance program. (1) Program requirement. Each bank shall develop and provide for the continued administration of a program reasonably designed to ensure and monitor compliance with the recordkeeping and reporting requirements set forth in subchapter II of chapter 53 of title 31, United States Code, the Bank Secrecy Act, and the implementing regulations promulgated thereunder by the Department of the Treasury at 31 CFR part 103. The compliance program shall be reduced to writing, approved by the board of directors, and noted in the minutes. (2) Customer identification program. Each bank is subject to the requirements of 31 U.S.C. 5318(l) and the implementing regulation jointly promulgated by the Board and the Department of the Treasury at 31 CFR 103.121, which require a customer identification program to be [[Page 25112]] implemented as part of the BSA compliance program required under this section. * * * * * PART 211--INTERNATIONAL BANKING OPERATIONS (REGULATION K) 0 1. The authority citation for part 211 is revised to read as follows: Authority: 12 U.S.C. 221 et seq., 1818, 1835a, 1841 et seq., 3101 et seq., and 3901 et seq.; 15 U.S.C. 6801 and 6805; 31 U.S.C. 5318. 0 2. In Sec. 211.5, add new paragraph (m) to read as follows: Sec. 211.5 Edge and agreement corporations. * * * * * (m) Procedures for monitoring Bank Secrecy Act compliance. (1) [Reserved] (2) Customer identification program. Each Edge or agreement corporation is subject to the requirements of 31 U.S.C. 5318(l) and the implementing regulation jointly promulgated by the Board and the Department of the Treasury at 31 CFR 103.121, which require a customer identification program. 0 3. In Sec. 211.24, add new paragraph (j) to read as follows: Sec. 211.24 Approval of offices of foreign banks; procedures for applications; standards for approval; representative office activities and standards for approval; preservation of existing authority. * * * * * (j) Procedures for monitoring Bank Secrecy Act compliance. (1) [Reserved] (2) Customer identification program. Except for a federal branch or a federal agency or a state branch that is insured by the FDIC, a branch, agency, or representative office of a foreign bank operating in the United States is subject to the requirements of 31 U.S.C. 5318(l) and the implementing regulation jointly promulgated by the Board and the Department of the Treasury at 31 CFR 103.121, which require a customer identification program. By order of the Board of Governors of the Federal Reserve System, April 21, 2003. Jennifer J. Johnson, Secretary of the Board. Federal Deposit Insurance Corporation 12 CFR Chapter III Authority and Issuance 0 For the reasons set out in the preamble, the FDIC amends title 12, chapter III of the Code of Federal Regulations, as set forth below: PART 326--Minimum Security Devices and Procedures and Bank Secrecy Act Compliance 0 1. The authority citation for part 326 is revised to read as follows: Authority: 12 U.S.C. 1813, 1815, 1817, 1818, 1819 (Tenth), 1881- 1883; 31 U.S.C. 5311-5314 and 5316-5332.2. 0 2. Revise Sec. 326.8(b) to read as follows: Sec. 326.8 Bank Secrecy Act compliance. * * * * * (b) Compliance procedures. (1) Program requirement. Each bank shall develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with recordkeeping and reporting requirements set forth in subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR part 103. The compliance program shall be written, approved by the bank's board of directors, and noted in the minutes. (2) Customer identification program. Each bank is subject to the requirements of 31 U.S.C. 5318(l) and the implementing regulation jointly promulgated by the FDIC and the Department of the Treasury at 31 CFR 103.121, which require a customer identification program to be implemented as part of the Bank Secrecy Act compliance program required under this section. * * * * * By order of the Board of Directors of the Federal Deposit Insurance Corporation this 16th day of April, 2003. Valerie J. Best, Assistant Executive Secretary. Office of Thrift Supervision 12 CFR Chapter V Authority and Issuance 0 For the reasons set out in the preamble, OTS amends title 12, chapter V of the Code of Federal Regulations, as set forth below: PART 563--SAVINGS ASSOCIATIONS--OPERATIONS 0 1. The authority citation for part 563 is revised to read as follows: Authority: 12 U.S.C. 375b, 1462, 1462a, 1463, 1464, 1467a, 1468, 1817, 1820, 1828, 1831o, 3806; 31 U.S.C. 5318; 42 U.S.C. 4106. 0 2. In Sec. 563.177: 0 A. Revise the section heading; and 0 B. Revise paragraph (b) to read as follows: Sec. 563.177 Procedures for monitoring Bank Secrecy Act (BSA) compliance. * * * * * (b) Establishment of a BSA compliance program. (1) Program requirement. Each savings association shall develop and provide for the continued administration of a program reasonably designed to assure and monitor compliance with the recordkeeping and reporting requirements set forth in subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR part 103. The compliance program must be written, approved by the savings association's board of directors, and reflected in the minutes of the savings association. (2) Customer identification program. Each savings association is subject to the requirements of 31 U.S.C. 5318(l) and the implementing regulation jointly promulgated by the OTS and the Department of the Treasury at 31 CFR 103.121, which require a customer identification program to be implemented as part of the BSA compliance program required under this section. * * * * * Dated: April 9, 2003. James E. Gilleran, Director, Office of Thrift Supervision. National Credit Union Administration 12 CFR Chapter VII Authority and Issuance 0 For the reasons set out in the preamble, NCUA amends title 12, chapter VII of the Code of Federal Regulations, as set forth below: PART 748--SECURITY PROGRAM, REPORT OF CRIME AND CATASTROPHIC ACT AND BANK SECRECY ACT COMPLIANCE 0 1. The authority citation for part 748 is revised to read as follows: Authority: 12 U.S.C. 1766(a), 1786(q); 15 U.S.C. 6801 and 6805(b); 31 U.S.C. 5311 and 5318. 0 2. In Sec. 748.2: 0 A. Revise the section heading; and 0 B. Revise paragraph (b) to read as follows: Sec. 748.2 Procedures for monitoring Bank Secrecy Act (BSA) compliance. * * * * * (b) Establishment of a BSA compliance program. (1) Program requirement. Each federally-insured credit union shall develop and provide for the continued administration of a [[Page 25113]] program reasonably designed to assure and monitor compliance with the recordkeeping and recording requirements set forth in subchapter II of chapter 53 of title 31, United States Code and the implementing regulations issued by the Department of the Treasury at 31 CFR part 103. The compliance program must be written, approved by the credit union's board of directors, and reflected in the minutes of the credit union. (2) Customer identification program. Each federally-insured credit union is subject to the requirements of 31 U.S.C. 5318(l) and the implementing regulation jointly promulgated by the NCUA and the Department of the Treasury at 31 CFR 103.121, which require a customer identification program to be implemented as part of the BSA compliance program required under this section. * * * * * Dated: April 7, 2003. Becky Baker, Secretary of the Board, National Credit Union Administration. [FR Doc. 03-11019 Filed 5-8-03; 8:45 am] BILLING CODE 4810-02-P ----------------------------------------------------------------------- ----------------------------------------------------------------------- ----------------------------------------------------------------------- ----------------------------------------------------------------------- ----------------------------------------------------------------------- ----------------------------------------------------------------------- -----------------------------------------------------------------------