[Federal Register Volume 63, Number 234 (Monday, December 7, 1998)]
[Proposed Rules]
[Pages 67529-67536]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-32334]


-----------------------------------------------------------------------

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 326

RIN 3064-AC19


Minimum Security Devices and Procedures and Bank Secrecy Act 
Compliance

AGENCY: Federal Deposit Insurance Corporation.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: The FDIC is proposing to issue a regulation requiring insured 
nonmember banks to develop and maintain ``Know Your Customer'' 
programs. As proposed, the regulation would require each nonmember bank 
to develop a program designed to determine the identity of its 
customers; determine its customers' sources of funds; determine the 
normal and expected transactions of its customers; monitor account 
activity for transactions that are inconsistent with those normal 
and expected transactions; and report any transactions of its customers 
that are determined to be suspicious, in accordance with the FDIC's 
existing suspicious activity reporting regulation. By requiring insured 
nonmember banks to determine the identity of their customers, as well 
as to obtain knowledge regarding the legitimate activities of their 
customers, the proposed regulation will reduce the likelihood that 
insured nonmember banks will become unwitting participants in illicit 
activities conducted or attempted by their customers. It also will 
level the playing field between institutions that already have adopted 
formal Know Your Customer programs and those that have not.

DATES: Comments must be received by March 8, 1999.

ADDRESSES: Comments should be directed to: Robert E. Feldman, Executive 
Secretary, Attention: Comments/OES, Federal Deposit Insurance 
Corporation, 550 17th Street, N.W., Washington, DC 20429. Comments may 
be hand-delivered to the guard station at the rear of the 550 17th 
Street Building (located on F Street), on business days between 7 a.m. 
and 5 p.m. In addition, comments may be sent by fax to (202) 898-3838, 
or by electronic mail to [email protected]. Comments may be inspected 
and photocopied in the FDIC Public Information Center, Room 100, 801 
17th Street, NW, Washington, D.C., between 9 a.m. and 4:30 p.m., on 
business days.

FOR FURTHER INFORMATION CONTACT: Carol A. Mesheske, Special Activities 
Section, Division of Supervision, (202) 898-6750, or Karen L. Main, 
Counsel, Legal Division (202) 898-8838.

SUPPLEMENTARY INFORMATION:

Background

    The integrity of the financial sector depends on the ability of 
banks and other financial institutions to attract and retain legitimate 
funds from legitimate customers. Financial institutions are able to 
attract and retain the business of legitimate customers because of the 
quality and reliability of the services being rendered and, as 
important, the sound and highly respected reputation of the banking 
industry. Illicit activities, such as money laundering, fraud, and 
other transactions designed to assist criminals in their illegal 
ventures, pose a serious threat to the integrity of financial 
institutions. When transactions at financial institutions involving 
illicit funds are revealed, these transactions invariably damage the 
reputation of the financial institutions involved and, potentially, the 
entire financial sector. While it is impossible to identify every 
transaction at an institution that is potentially illegal or is being 
conducted to assist criminals in the movement of illegally derived 
funds, it is fundamental for safe and sound operations that financial 
institutions take reasonable measures to identify their customers, 
understand the legitimate transactions typically conducted by those 
customers, and, consequently, identify those transactions conducted by 
their customers that are unusual or suspicious in nature. By 
identifying and, when appropriate, reporting such transactions in 
accordance with existing suspicious activity reporting requirements, 
financial institutions are protecting their integrity and are assisting 
the efforts of the financial institution regulatory agencies and law 
enforcement authorities to combat illicit activities at such 
institutions.
    One of the most effective means by which an insured nonmember bank 
can both protect itself from engaging in transactions designed to 
facilitate illicit activities and ensure compliance with applicable 
suspicious activity reporting requirements is for the nonmember bank to 
have adequate Know Your Customer policies and procedures. By knowing 
its customers, an insured nonmember bank is better able to fulfill its 
compliance responsibilities, including its Bank Secrecy Act and 
suspicious activity reporting requirements, 12 CFR 326.8 and 12 CFR 
part 353, respectively.
    Recognizing that a Know Your Customer program for one nonmember 
bank will not necessarily be appropriate for another, the proposed 
regulation identifies only the basic components that the FDIC believes 
should be contained in any Know Your Customer program. In supplemental 
guidance to be provided at the time this regulation becomes final, the 
FDIC, in coordination with the other federal financial institution 
supervisory agencies, will provide further information about specific 
steps that institutions may consider taking as they implement their 
Know Your Customer programs. The FDIC believes that this approach 
strikes an appropriate balance that responds to requests for additional 
guidance in this area while preserving the flexibility for each insured 
nonmember bank to take steps appropriate for its customers.

Privacy Issues

    The proposed regulation requires insured nonmember banks to gather 
information about customers that, if misused, could result in an 
invasion of a customer's privacy. Given the potential for abuse in this 
area, it is the FDIC's expectation that, in complying with the Know 
Your Customer regulation, a nonmember bank will obtain only that 
information that is necessary to comply with the regulation and will 
limit the use of this information to complying with the regulation. 
Insured nonmember banks need to safeguard and handle responsibly the 
information gathered in connection with complying with these 
obligations, and should integrate comprehensive privacy practices into 
their Know Your Customer programs.

Authority To Issue the Regulation

    The proposed regulation is authorized pursuant to the FDIC's 
statutory authority under section 8(s)(1) of the Federal Deposit 
Insurance Act (12 U.S.C. 1818(s)(1)), as amended by section 2596(a)(2) 
of the Crime Control Act of 1990 (Pub. L. 101-647), which requires the 
FDIC to issue regulations requiring banks under its supervision to 
establish and maintain internal procedures reasonably designed to 
ensure and monitor compliance with the Bank Secrecy Act. Effective Know 
Your Customer programs serve to facilitate compliance with the Bank 
Secrecy Act.

Proposal

    The FDIC proposes to revise 12 CFR part 326 by adding a new subpart 
requiring insured nonmember banks to develop and implement Know Your 
Customer programs. Under the proposed regulation, the FDIC would expect 
each nonmember bank to design a program that is appropriate given its 
size and complexity, the nature and extent of its activities, its 
customer base and the levels of risk associated with its various 
customers and their transactions. The FDIC believes that this approach 
is preferable to a detailed regulation that imposes the same list of 
specific requirements on every bank regardless of its circumstances. 
The FDIC recognizes that a Know Your Customer requirement will impose 
additional burdens on some insured nonmember banks. Mindful of that 
fact, the FDIC is striving to impose only those requirements that are 
necessary to ensure that insured nonmember banks have in place adequate 
Know Your Customer programs.
    Each of the other federal bank supervisory agencies is proposing to 
adopt substantially identical regulations covering state member and 
national banks, federally-chartered branches and agencies of foreign 
banks, savings associations, and credit unions. There also have been 
discussions with the federal regulators of non-bank financial 
institutions, such as broker-dealers, concerning the need to propose 
similar rules governing the 
activities of these non-bank institutions.

Analysis of Subpart C

Section 326.9 Know Your Customer Compliance

Paragraph (a)--Purpose
    The purposes of adopting a Know Your Customer program are to 
protect the reputation of the insured nonmember bank; to facilitate the 
insured nonmember bank's compliance with all applicable statutes and 
regulations (including the Bank Secrecy Act and the FDIC's suspicious 
activity reporting regulations) and with safe and sound banking 
practices; and to protect the insured nonmember bank from becoming a 
vehicle for, or a victim of, illegal activities perpetrated by its 
customers.
    This subpart applies to all insured state nonmember banks as well 
as any insured, state-licensed branches of foreign banks.
Paragraph (b)--Definitions
    The proposed regulation defines the term ``customer'' as any person 
or entity who has an account involving the receipt or disbursal of 
funds with an insured nonmember bank covered by this regulation and any 
person or entity on behalf of whom an account is maintained. Thus, for 
instance, if an account is opened on behalf of a third party, the 
nonmember bank will need to treat as a customer both the person or 
entity opening the account and the person or entity for whom the 
account is opened. A customer would include an accountholder, a 
beneficial owner of an account, or a borrower. A ``customer'' could 
include the beneficiary of a trust, an investment fund, a pension fund 
or a company whose assets are managed by an asset manager; a 
controlling shareholder of a closely held corporation; or the grantor 
of a trust established in an off-shore jurisdiction. The term 
``customer'' does not include recipients of services for which the 
receipt or disbursal of customer funds is incidental, for instance, 
safe deposit box rentals.
    The proposed regulation does not differentiate between current 
customers and new customers. The effectiveness of an insured nonmember 
bank's Know Your Customer program would be greatly reduced if all 
customer accounts in existence prior to the effective date of the 
regulation were excluded from its scope. However, the FDIC does not 
believe that it is practicable for a nonmember bank to conduct a 
large-scale information request from all its existing customers. Rather, a 
nonmember bank may comply with the proposed regulation with respect to 
its current customers by determining their normal and expected 
transactions, using available account data, and monitoring their 
transactions for suspicious activities. However, depending on the 
nature of the risk associated with some customers and their 
transactions (for instance, transactions involving private banking 
customers), it may be necessary to fulfill all of the requirements of 
this regulation as if they were new customers.
Paragraph (c)--Establishment of Know Your Customer Program
    This paragraph requires that each insured nonmember bank establish 
a Know Your Customer program by April 1, 2000. Additionally, this 
paragraph requires that the Know Your Customer program be reduced to 
writing and approved by the board of directors of the nonmember bank, 
or a committee thereof, and the approval recorded in the official 
minutes of the board.
Paragraph (d)--Contents of Know Your Customer Program
    This paragraph sets forth the specific requirements for the 
contents of the Know Your Customer program. The FDIC recognizes that 
insured nonmember banks vary considerably in the way in which they 
conduct their business on a day-to-day basis. Therefore, the FDIC 
believes that to impose a regulation that simply requires each insured 
nonmember bank to follow a pre-designed, standardized checklist would 
not be appropriate. The proposed regulation thus allows each nonmember 
bank to develop and delineate a system that will comprise the Know Your 
Customer program, consistent with the banking practices of the 
particular bank that, when followed by the nonmember bank, will 
effectively meet the requirements and goals of the regulation.
    Section 326.9(d) reflects the FDIC's recognition that each insured 
nonmember bank's Know Your Customer program may vary depending on the 
nature of the specific activity, the type of customers involved, the 
size of the transactions, and other factors that reflect the nonmember 
bank's assessment of the risk presented. In complying with this 
section, it may be beneficial for insured nonmember banks to classify 
customers into varying risk-based categories that the insured nonmember 
banks can use in determining the amount and type of information, 
documentation and monitoring that is appropriate. While the proposed 
regulation will provide nonmember banks with substantial flexibility in 
devising an appropriate Know Your Customer program, the FDIC believes 
that all Know Your Customer programs should contain certain critical 
features, which are discussed below.
    Documentation and due diligence. Paragraph (d)(1) of Sec. 326.9 
requires that the Know Your Customer program delineate acceptable 
documentation requirements and due diligence procedures the insured 
nonmember bank will follow in meeting the requirements of the proposed 
regulation. The delineation of this information in the Know Your 
Customer program will ensure that the same standards are applied 
throughout the nonmember bank and will inform auditors and examiners of 
the nonmember bank's established standards for review of customer 
information.
    Minimum steps to take to comply with the Know Your Customer rule. 
Paragraph (d)(2) of Sec. 326.9 sets forth the steps an insured 
nonmember bank needs to take in order to know its customers. The 
proposed regulation requires that, rather than following a 
``checklist'' approach, an insured nonmember bank may develop a 
``system'' designed to meet the basic requirements of the regulation. 
The system approach allows each insured nonmember bank to design its 
own program, in accordance with its own business practices, that will 
best suit the nonmember bank. While this places some burden on the 
nonmember bank to develop the specifics of the Know Your Customer 
program, such an approach recognizes that each insured nonmember bank 
conducts business in accordance with its own policies, procedures, 
goals and objectives. The Know Your Customer program, in order to be 
the most effective, must be developed and implemented with the 
nonmember bank's regular and ordinary business practices in mind. The 
FDIC believes that all Know Your Customer programs should contain 
certain critical features, which are set forth below.
    Identify the customer. Paragraph (d)(2)(i) requires that the Know 
Your Customer program provide a system for determining the true 
identity of prospective customers. If an insured nonmember bank has 
reasonable cause to believe that it lacks sufficient information to 
know the identity of an existing customer, paragraph (d)(4)(ii)(A) also 
requires that the program provide a system for determining the 
identity of that customer.
    It is imperative that an insured nonmember bank establish, to its 
own satisfaction, that it is dealing with a legitimate customer, 
whether the customer is a natural person, corporation, or other 
business entity. The nature and extent of the identification process 
should be commensurate with the types of transactions anticipated by 
the customer and the risks associated with such transactions. If a 
prospective customer refuses to provide any of the requested 
information, sound practices would require that the nonmember bank not 
open the account. Similarly, if additional or follow-up information is 
not forthcoming from an established customer, sound practices would 
require that consideration be given to terminating the account 
relationship.
    The best identification documents for verifying the identity of 
prospective customers are the ones that are the most difficult to 
obtain illicitly and the most difficult to counterfeit. No single form 
of identification can be guaranteed to be genuine, however. Therefore, 
the identification process should be cumulative, obtaining enough 
information and documentation to assure the insured nonmember bank that 
it has adequately identified the prospective customer. For individual 
accounts, this might include, for instance, a document containing a 
photograph and signature of the individual. For corporate or business 
customers, the customer identification process could include the review 
of appropriate documentation that allows for a means to verify that the 
corporation or other business entity does exist and does engage in the 
business, as stated. All documentation reviewed, as well as 
verifications of the information contained therein, should be recorded 
and maintained by the nonmember bank.
    Any practice of an insured nonmember bank that allows for the 
establishment of a customer relationship without face-to-face contact 
with bank personnel, such as banking by mail or Internet banking, poses 
difficulties in the identification of the prospective customer by use 
of the traditionally accepted practice of obtaining identification 
documentation, to include photographic identification. Even though 
photographic identification in such circumstances will be impractical, 
other accepted means of identifying a customer are still viable. In 
such circumstances, special care should be given to verification of 
address and telephone number. Moreover, insured nonmember banks should 
consider using commercially available data to compare items such as 
name with date of birth and social security number.
    If an insured nonmember bank offers private banking services, it is 
important that the nonmember bank understand a customer's personal and 
business background, source of funds, and intended use of the private 
banking services. Typically, private banking customers are clients of 
financial advisors or make use of account vehicles such as personal 
investment companies, trusts, and personal mutual investment funds. The 
establishment of such accounts serves the stated purposes of protecting 
the legitimate confidentiality and financial privacy of the customers 
who use such accounts. However, the need to identify properly the 
beneficial owners of such accounts, through an effective Know Your 
Customer program, is necessary to the continued safe and sound 
operation of the insured nonmember bank. Any needed confidentiality 
required by customers of an insured nonmember bank's private banking 
department can be addressed by the development of special protections 
to limit access to information that would generally reveal the 
beneficial owners of those accounts.
    Introductions or referrals of prospective customers by established 
customers of the insured nonmember bank, while extremely valuable in 
providing background information about the prospective customer, cannot 
take the place of identification requirements that should be set forth 
in the nonmember bank's Know Your Customer program. Details regarding 
the introduction or referral should be documented so that the 
information obtained can be effectively used to assist in the 
verification of the prospective customer.
    The extent of the information regarding the customer that may be 
necessary to fulfill the nonmember bank's Know Your Customer 
obligations should depend on a risk-based assessment of the customer 
and the transactions that are expected to occur, and should be 
addressed within the insured nonmember bank's Know Your Customer 
program.
    Determine the source of funds. Paragraph (d)(2)(ii) requires that 
the Know Your Customer program provide a system for determining the 
source of a customer's funds. The amount of information needed to do 
this can depend on the type of customer in question. As an example, if 
a retail banking customer maintains demand deposit accounts funded 
primarily from payroll deposits, it should be a relatively simple task 
to identify and document the source of funds as payroll deposits. On 
the other hand, a more detailed analysis, with a more extensive 
documentation process, would be required for high net worth customers 
with multiple deposits from a variety of sources. For these reasons, 
among others, it may be beneficial for insured nonmember banks to 
classify customers into varying categories, based on factors such as 
the types of accounts maintained, the types of transactions conducted, 
and the potential risk of illicit activities associated with such 
accounts and transactions. An insured nonmember bank could then develop 
procedures to obtain necessary information and documentation based on 
the risk assessment for the various categories or classes established 
by the nonmember bank.
    Determine normal and expected transactions. Paragraph (d)(2)(iii) 
requires that the Know Your Customer program provide a system for 
determining a customer's normal and expected transactions involving the 
insured nonmember bank. A nonmember bank's understanding of a 
customer's normal and expected transactions should be based on 
information obtained both when an account is opened and during a 
reasonable period of time thereafter. It also should be based on normal 
transactions for similarly situated customers. Without this 
information, an insured nonmember bank is unable to identify suspicious 
transactions.
    Monitor the account transactions. Paragraph (d)(2)(iv) requires 
that the Know Your Customer program provide a system for monitoring, on 
an ongoing basis, the transactions conducted by customers to identify 
transactions that are inconsistent with the normal and expected 
transactions for particular customers or for customers in the same or 
similar categories or classes. The proposed regulation does not require 
that every transaction of every customer be reviewed. Rather, it 
requires that an insured nonmember bank develop a monitoring system 
that is commensurate with the risks presented by the accounts 
maintained at that bank.
    In designing a monitoring system, an insured nonmember bank may 
choose to classify accounts into various categories based on factors 
such as the type and size of account, the types, number, and size of 
transactions conducted in the account, and the risk of illicit activity 
associated with the account. For certain classes or categories of 
accounts, it would be sufficient for an effective monitoring system to 
establish parameters for which the transactions within these 
accounts will normally occur. Rather than monitoring each 
transaction, an effective monitoring system could entail monitoring 
only for those transactions that exceed the established parameters for 
that particular class or category of accounts. For other categories or 
classes of accounts, such as private banking accounts, it may be 
necessary to monitor each significant transaction.
    Determine if transaction should be reported. Once a transaction is 
identified as inconsistent with normal and expected transactions, 
paragraph (d)(2)(v) requires that an insured nonmember bank determine 
if the transaction warrants the filing of a Suspicious Activity Report. 
This is consistent with an insured nonmember bank's existing 
obligations under 12 CFR 353.3(a). In identifying reportable 
transactions, an insured nonmember bank should not conclude that every 
transaction that falls outside what is expected for a given customer 
should be reported. Rather, a nonmember bank should focus on patterns 
of inconsistent transactions and isolated transactions that present 
risk factors that warrant further review.
Paragraph (e)--Compliance With Know Your Customer Program
    This paragraph sets forth the requirements an insured nonmember 
bank must follow to ensure that it is in compliance with its Know Your 
Customer program. The requirements include that an insured nonmember 
bank provide for and document a system of internal controls to ensure 
ongoing compliance, as well as provide for and document independent 
testing for compliance with the Know Your Customer program. 
Additionally, the nonmember bank must designate an individual 
responsible for coordinating and monitoring day-to-day compliance and 
provide for and document training to all appropriate personnel of the 
content and requirements of the Know Your Customer program.
Paragraph (f)--Availability of Documentation
    This paragraph requires, for all accounts opened or maintained in 
the United States, that all information and documentation necessary to 
comply with the regulations be made available for examination and 
inspection, at a location specified by an FDIC representative, within 
48 hours of a request for such information and documentation. In 
instances where the information and documentation is at a location 
other than where the customer's account is maintained or the financial 
services are rendered, the insured nonmember bank must adopt, as part 
of its Know Your Customer program, specific procedures designed to 
ensure that the information and documentation is reviewed on an ongoing 
basis by appropriate personnel. The nonmember bank should maintain 
written evidence that the appropriate review is being performed on a 
regular basis.
    While issues arise on occasion concerning documentation on accounts 
domiciled in the United States by foreign accountholders, the FDIC 
believes that the information typically already exists within the 
insured nonmember bank in the United States because the information is 
used by the relationship manager, who resides in the United States, as 
well as other components of the nonmember bank to provide banking 
services to the customer.

Comments Sought

    The FDIC invites comment on any aspect of the rule, and 
specifically seeks comment on the following issues:
    1. Whether the proposed definition of ``customer'' is sufficient to 
include all persons who benefit from an account opened at an insured 
nonmember bank such as persons who establish off-shore shell companies 
or entities or otherwise conduct their business through intermediaries.
    2. Whether the proposed definition of ``customer'' is too broad and 
will unnecessarily include persons that pose a minimal Know Your 
Customer risk.
    3. Whether an insured nonmember bank's Know Your Customer program 
should apply to a nonmember bank's counterparty relationships with 
respect to transactions in wholesale financial markets (e.g., sales or 
purchases involving foreign exchange or securities) and correspondent 
banking relationships. If so, would a different standard than that 
applicable to retail relationships be more appropriate for wholesale 
and correspondent banking relationships? If such a distinction is 
appropriate, is the proposed definition of ``customer'' sufficient?
    4. Whether the benefits of implementing Know Your Customer 
requirements outweigh the costs involved.
    5. Whether the proposed regulation will create a competitive 
disadvantage with respect to other financial entities offering similar 
services that may not be subject to similar regulations (citing, where 
possible, specific examples) and, if so, what could be done to mitigate 
the disadvantage consistent with the FDIC's supervisory 
responsibilities.
    6. Whether the actual or perceived invasion of personal privacy 
interests is outweighed by the additional compliance benefits 
anticipated by this proposal.
    7. Whether there should be a minimum account size threshold below 
which the Know Your Customer requirements should be waived.

Regulatory Flexibility Act

    Under the Regulatory Flexibility Act, the FDIC must either provide 
an Initial Regulatory Flexibility Analysis (IRFA) with this proposed 
rule, or certify that the proposed rule would not have a significant 
economic impact on a substantial number of small entities. The proposed 
rule is designed to be flexible so that each insured nonmember bank can 
design a Know Your Customer program appropriate for its circumstances. 
While advantageous to insured nonmember banks, this flexibility makes 
it difficult to predict the magnitude of the economic impact of the 
proposed rule on insured nonmember banks. The FDIC cannot, at this 
time, determine whether the proposed rule would have a significant 
economic impact on a substantial number of small entities. The FDIC, 
therefore, includes this IRFA.

A. Reasons For and Objectives of the Proposed Rule.

    The proposed Know Your Customer rule is designed to deter and 
detect financial crimes, such as money laundering, tax evasion, and 
fraud. Financial crimes conducted at or through financial institutions, 
even where financial institutions are not parties to the transactions, 
can damage the reputations of the institutions involved, and possibly 
of the entire banking industry. Under current law, financial 
institutions are required to report suspicious activities to law 
enforcement authorities, but are not required to specifically search 
for suspicious activities. As a result, suspicious activities may go 
unreported, and illegal activity may go undetected. Know Your Customer 
programs would better enable financial institutions to alert law 
enforcement authorities to potential criminal conduct and help deter 
criminal conduct in the banking industry.
    The FDIC has two primary objectives for this proposed rulemaking: 
(1) increasing insured nonmember banks' detection and reporting of 
suspicious customer activities; and, (2) deterring financial crimes at 
insured nonmember banks.
    The proposed rule would apply to large and small insured nonmember 
banks. Small nonmember banks are generally defined, for Regulatory 
Flexibility Act purposes, as those with assets of $100 million or less. 
This proposed rule would apply to approximately 3,950 small insured 
nonmember banks.

B. Requirements of the Proposed Rule.

    The proposed rule would require insured nonmember banks to identify 
their customers, determine their customers' normal and expected 
transactions, determine their customers' sources of funds, monitor 
transactions to find those that are not normal and expected, and, for 
transactions that are not normal and expected, identify which are 
suspicious. Insured nonmember banks are required to report any 
suspicious transactions under current law, and this proposed rule would 
have no additional reporting requirements.
    The impact of the proposed regulation on a nonmember bank's 
resources, and the skills necessary to comply with it, will vary from 
one nonmember bank to another because the proposed regulation is 
designed to take into account each bank's size and resources. Because 
each nonmember bank would be able to design an individualized Know Your 
Customer program, it is difficult to specify the type of professional 
skills necessary for preparing any required records or reports. Large 
insured nonmember banks may be more likely to use computerized Know 
Your Customer programs, and in that event would be more likely to need 
professional computer skills. Small nonmember banks that choose to 
automate their Know Your Customer programs would need professional 
computer skills.
    Know Your Customer monitoring would be similar to monitoring that 
insured nonmember banks already do. For example, insured nonmember 
banks monitor customer transactions to ensure that cash transactions 
exceeding $10,000 are reported under the Bank Secrecy Act, to ensure 
that customers do not overdraw their accounts, and to ensure that loan 
payments are accurate and timely. Thus, Know Your Customer monitoring 
would rely, at least in part, on computer and other skills that insured 
nonmember bank personnel already have and regularly use.

C. Significant Alternatives

1. No Know Your Customer Requirements
    The FDIC considered recommending Know Your Customer procedures 
rather than proposing regulatory requirements. The FDIC decided to 
propose this rulemaking, however, because of the risks that insured 
nonmember banks face from customers who attempt illegal activities. 
Illegal activities would harm a nonmember bank's reputation and that of 
the entire banking industry. Requiring Know Your Customer programs 
significantly reduces the likelihood that some insured nonmember banks 
would not establish or adhere to such programs. In addition, because 
other federal banking agencies are proposing Know Your Customer rules, 
the FDIC believes that criminals would quickly move their illegal funds 
transfers into insured nonmember banks without Know Your Customer 
programs, thus increasing those banks' exposure to illegal activity.
    Moreover, recommending rather than requiring Know Your Customer 
programs would allow customers to simply refuse to answer appropriate 
questions about their identities or transactions. If Know Your Customer 
programs are required, insured nonmember banks can more easily collect 
the necessary information because customers cannot turn readily to 
another financial institution free of such requirements.
    For these reasons, merely recommending Know Your Customer programs 
would interfere with the FDIC's goals of increasing insured nonmember 
banks' detection and reporting of suspicious customer activities, and 
deterring financial crimes at insured nonmember banks.
2. Exemption for Small Nonmember Banks
    The FDIC considered exempting small nonmember banks from Know Your 
Customer requirements. However, this alternative has the disadvantage 
of possibly creating a haven for criminal activity. It is likely that 
criminals would concentrate their activity at those nonmember banks not 
subject to any Know Your Customer requirements. An exemption for small 
insured nonmember banks would conflict with the FDIC's goals of 
increasing insured nonmember banks' detection and reporting of 
suspicious customer activities and deterring financial crimes at 
insured nonmember banks.
3. Flexible Know Your Customer Requirements
    The FDIC is proposing to require that all insured nonmember banks 
establish and follow Know Your Customer programs, but the proposal will 
allow each nonmember bank to develop a program appropriate for its 
circumstances, including but not limited to its size and resources. 
This approach is preferable to the first two alternatives because it 
does not allow criminals to choose an insured nonmember bank without 
Know Your Customer requirements to conduct illegal activities. A 
flexible alternative also avoids requirements beyond the means of small 
nonmember banks. Small nonmember banks could use simpler, less costly, 
and less burdensome programs than larger insured nonmember banks.

D. Other Matters

    The FDIC has the statutory authority to promulgate this proposed 
regulation. There are no federal rules that duplicate, overlap, or 
conflict with this proposed rule.
    The FDIC encourages comment on all aspects of this IRFA, including 
comments on any significant economic impact the proposed rule would 
have on small entities.

Paperwork Reduction Act

    In accordance with the Paperwork Reduction Act (44 U.S.C. 3501 et 
seq.) the FDIC may not conduct or sponsor, and a person is not required 
to respond to, a collection of information unless it displays a 
currently valid Office of Management and Budget (OMB) control number. A 
collection of information contained in this rule and described below 
has been submitted to OMB for review. Comments on the collection of 
information should be sent to the desk officer for the FDIC: Alexander 
T. Hunt, Office of Information and Regulatory Affairs, Office of 
Management and Budget, New Executive Office Building, Room 3208, 
Washington, DC 20503. Copies of comments should also be sent to: Steven 
F. Hanft, FDIC Clearance Officer, Office of the Executive Secretary, 
Federal Deposit Insurance Corporation, 550 17th Street, NW, Washington, 
DC 20429, (202) 898-3907. Comments may be hand-delivered to the guard 
station at the rear of the 17th Street building (located on F Street) 
on business days between 7:00 a.m. and 5:00 p.m. [Fax number (202) 898-
3838; Internet address: [email protected]]. For further information on 
the Paperwork Reduction Act aspect of this rule, contact Steven F. 
Hanft at the above address. OMB will make a decision concerning the 
change in the information collection between 30 and 60 days after the 
publication of this document in the Federal Register. Therefore, a 
comment to OMB is best assured of having its full effect if OMB 
receives it within 30 days of this publication. Unless the FDIC 
publishes a notice to the contrary, the public may assume that the 
change in the collection

[[Page 67535]]

was approved within 60 days of this publication.
    Comment is solicited on: (i) Whether the proposed collection of 
information is necessary for the proper performance of the functions of 
the agency, including whether the information will have practical 
utility;
    (ii) The accuracy of the agency's estimate of the burden of the 
proposed collection of information, including the validity of the 
methodology and assumptions used;
    (iii) The quality, utility, and clarity of the information to be 
collected; and
    (iv) Ways to minimize the burden of the collection of information 
on those who are to respond, including through the use of appropriate 
automated, electronic, mechanical, or other technological collection 
techniques or other forms of information technology, e.g., permitting 
electronic submission of responses.
    Title of the collection: The proposed rule will modify an 
information collection previously approved by OMB titled ``Procedures 
for Monitoring Bank Secrecy Act Compliance'' under OMB control number 
3064-0087.
    Summary of the change to the collection: The proposed rule will 
modify the collection by adding a requirement that each bank develop a 
written ``Know Your Customer'' program.
    Need and Use of the information: Banks will use the Know Your 
Customer program to assure that they do not become unwitting 
participants in illicit activities conducted or attempted by their 
customers. The FDIC will use the information kept to ensure and monitor 
compliance with the Bank Secrecy Act.
    Respondents: State nonmember banks (approximately 6,000).
    Estimated annual burden: The majority of the paperwork burden 
associated with the proposed rule is the one-time cost of developing a 
plan and implementing written policies and procedures which will occur 
in the first year of the rule's application to a covered bank. In the 
normal course of business, most institutions likely already have 
sufficient information about their customers in their files and would 
only need to organize and review such information. The FDIC estimates 
that there will be 6,000 recordkeepers in the first year. In subsequent 
years, the recordkeepers will consist of newly-chartered institutions 
subject to the rule. The proposed rule is not expected to significantly 
increase the ongoing annual burden for the recordkeepers because most 
of the ongoing burden is incurred in the normal course of their 
business activities and/or accounted for under other existing 
information collections including their fraud prevention procedures, 
their monitoring of transactions for reporting on the Department of the 
Treasury's Currency Transaction Reports and as part of their procedures 
to detect violations or suspicious activity reported on the Suspicious 
Activity Report. Because the records would be maintained at the subject 
organizations and are not provided to the Board, no issue of 
confidentiality under the Freedom of Information Act arises.
    Frequency of response: Occasional.
    Number of responses: 6,000.
    Number of hours to prepare a response: 10--30 hours, with an 
average of 20 hours.
    Total annual burden: 120,000.

List of Subjects in 12 CFR Part 326

    Banks, banking, Bank robbery, Bank Secrecy Act, Crime, Currency, 
Reporting and recordkeeping requirements, Security measures.

Authority and Issuance

    For the reasons set forth in the preamble, part 326 of title 12 of 
the Code of Federal Regulations is proposed to be amended as follows:

PART 326--MINIMUM SECURITY DEVICES AND PROCEDURES AND BANK SECRECY 
ACT COMPLIANCE

    1. The authority citation for part 326 continues to read as 
follows:

    Authority: 12 U.S.C. 1813, 1815, 1817, 1818, 1819[Tenth], 1881-
1883; 31 U.S.C. 5311-5324.

    2. A new subpart C is added to read as follows:

Subpart C--Know Your Customer Compliance


Sec. 326.9  Know Your Customer rule.

    (a) Purpose. This subpart requires that all insured nonmember banks 
as defined in 12 CFR 326.1(a) establish and regularly maintain 
procedures designed to determine the identity of their customers, as 
well as their customers' normal and expected transactions and sources 
of funds involving the nonmember bank. These procedures (referred to as 
the ``Know Your Customer'' program) are intended to: protect the 
reputation of the nonmember bank; facilitate the nonmember bank's 
compliance with all applicable statutes and regulations (including the 
Bank Secrecy Act and the suspicious activity reporting requirements of 
12 CFR 353.3) and with safe and sound banking practices; and protect 
the insured nonmember bank from becoming a vehicle for or a victim of 
illegal activities perpetrated by its customers.
    (b) Definition of customer. For the purposes of this section, 
customer means:
    (1) Any person or entity who has an account with an insured 
nonmember bank covered by this subpart involving the receipt or 
disbursal of funds; and
    (2) Any person or entity on behalf of whom an account is 
maintained.
    (c) Establishment of Know Your Customer program. Each insured 
nonmember bank shall develop and provide for the continued 
administration of a Know Your Customer program by April 1, 2000. The 
Know Your Customer program shall be reduced to writing and approved by 
the board of directors (or a committee thereof) with the approval 
recorded in the official minutes of the board.
    (d) Contents of Know Your Customer program. The Know Your Customer 
program may vary in complexity and scope according to categories or 
classes of customers established by the nonmember bank and the 
potential risk of illicit activities associated with those customers' 
accounts and transactions.
    (1) Appropriate documentation requirements and due diligence 
procedures established by the insured nonmember bank to comply with 
this section.
    (2) A system for:
    (i) Determining the identity of the insured nonmember bank's new 
customers and, if the nonmember bank has reasonable cause to believe 
that it lacks adequate information to know the identity of existing 
customers, determining the identity of those existing customers;
    (ii) Determining the customer's sources of funds for transactions 
involving the insured nonmember bank;
    (iii) Determining the particular customer's normal and expected 
transactions involving the insured nonmember bank;
    (iv) Monitoring customer transactions and identifying transactions 
that are inconsistent with normal and expected transactions for that 
particular customer or for customers in the same or similar categories 
or classes, as established by the insured nonmember bank; and
    (v) Determining if a transaction should be reported in accordance 
with the FDIC's suspicious activity reporting regulations and, if so, 
reporting accordingly.
    (e) Compliance with Know Your Customer program. The insured 
nonmember bank shall comply with its Know Your Customer program. To 
ensure compliance, the nonmember bank shall:

[[Page 67536]]

    (1) Provide for and document a system of internal controls;
    (2) Provide for and document independent testing for compliance to 
be conducted by bank personnel or by an outside party on a regular 
basis;
    (3) Designate an individual or individuals as responsible for 
coordinating and monitoring day-to-day compliance; and
    (4) Provide for and document training to all appropriate personnel, 
on at least an annual basis, of the content and required procedures of 
the Know Your Customer program.
    (f) Availability of documentation. For all accounts opened or 
maintained in the United States, each insured nonmember bank must 
ensure that all information and documentation sufficient to comply with 
the requirements of this section are available for examination and 
inspection, at a location specified by an FDIC representative, within 
48 hours of an FDIC representative's request for such information and 
documentation. In instances where the information and documentation is 
maintained at a location other than where the customer's account is 
maintained or the financial services are rendered, the insured 
nonmember bank must include, as part of its Know Your Customer program, 
specific procedures designed to ensure that the information and 
documentation is reviewed on an ongoing basis by appropriate bank 
personnel in order to comply with this subpart.

    By order of the Board of Directors.

    Dated at Washington, D.C. this 27th day of October, 1998.

Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
[FR Doc. 98-32334 Filed 12-4-98; 8:45 am]
BILLING CODE 6714-01-P