[Federal Register Volume 67, Number 141 (Tuesday, July 23, 2002)]
[Proposed Rules]
[Pages 48299-48306]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 02-18193]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

31 CFR Part 103

RIN 1506-AA31


Financial Crimes Enforcement Network; Customer Identification 
Programs for Certain Banks (Credit Unions, Private Banks and Trust 
Companies) That Do Not Have a Federal Functional Regulator

AGENCIES: The Financial Crimes Enforcement Network, Treasury.

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: FinCEN is issuing a proposed regulation to implement section 
326 of the Uniting and Strengthening America by Providing Appropriate 
Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act of 
2001(the Act) for credit unions and trust companies that do not have a 
federal functional regulator. The proposed rule provides the same rules 
for these financial institutions as are provided in a companion notice 
of proposed rulemaking being issued jointly by FinCEN and the Federal 
bank regulators published elsewhere in this separate part of this issue 
of the Federal Register.

DATES: Written comments on the proposed rule may be submitted on or 
before September 6, 2002.

ADDRESSES: Because paper mail in the Washington area may be subject to

[[Page 48300]]

delay, commenters are encouraged to e-mail comments. Comments should be 
sent by one method only. Comments may be mailed to FinCEN, Section 326 
Certain Credit Union and Trust Company Rule Comments, P.O. Box 39, 
Vienna, VA 22183 or sent by e-mail to [email protected] with 
the caption ``Attention: Section 326 Certain Credit Union and Trust 
Company Rule Comments'' in the body of the text. Comments may be 
inspected at FinCEN between 10 a.m. and 4 p.m. in the FinCEN Reading 
Room in Washington, D.C. Persons wishing to inspect the comments 
submitted must request an appointment by telephoning (202) 354-6400 
(not a toll-free number).

FOR FURTHER INFORMATION CONTACT: Office of the Chief Counsel (FinCEN), 
(703) 905-3590.

SUPPLEMENTARY INFORMATION:

I. Background

A. Section 326 of the USA PATRIOT Act

    On October 26, 2001, President Bush signed into law the USA PATRIOT 
Act, Public Law 107-56. Title III of the Act, captioned ``International 
Money Laundering Abatement and Anti-terrorist Financing Act of 2001,'' 
adds several new provisions to the Bank Secrecy Act (BSA), 31 U.S.C. 
5311 et seq. These provisions are intended to facilitate the 
prevention, detection, and prosecution of international money 
laundering and the financing of terrorism.
    Section 326 of the Act adds a new subsection (l) to 31 U.S.C. 5318 
that requires the Secretary to prescribe regulations setting forth 
minimum standards for financial institutions that relate to the 
identification and verification of any person who applies to open an 
account. Final regulations implementing section 326 must be effective 
by October 25, 2002.
    Section 326 applies to all ``financial institutions.'' This term is 
defined very broadly in the BSA to encompass a variety of entities 
including banks, agencies and branches of foreign banks in the United 
States, thrifts, credit unions, brokers and dealers in securities or 
commodities, insurance companies, travel agents, pawnbrokers, dealers 
in precious metals, check-cashers, casinos, and telegraph companies, 
among many others. See 31 U.S.C. 5312(a)(2).
    For any financial institution engaged in financial activities 
described in section 4(k) of the Bank Holding Company Act of 1956 
(section 4(k) institutions), the Secretary is required to prescribe the 
regulations issued under section 326 jointly with each of the Federal 
bank regulators (the Agencies), the SEC, and the CFTC (the Federal 
functional regulators). FinCEN and the Federal bank regulators are 
today jointly issuing a proposed rule that applies to banks within the 
meaning of 31 CFR 103.11(c) that are subject to a Federal banking 
regulator. Under its own authority, FinCEN is issuing this proposed 
rule to extend rules identical \1\ to those in the joint proposal to 
all banks lacking a Federal functional regulator, namely private banks 
and State chartered credit unions that are not federally insured, and 
trust companies. The text of the joint rule is published elsewhere in 
this separate part of this issue of the Federal Register.
---------------------------------------------------------------------------

    \1\ The references in the joint rule to a bank's anti-money 
laundering program requirement (proposed Sec. 103.121 (b)(1)) and to 
the procedures for exemptions granted by the Federal functional 
regulator (with Treasury concurrence) (proposed Sec. 103.121(c)) 
will be modified appropriately at the final rule stage.
---------------------------------------------------------------------------

    Section 326 of the Act provides that the regulations must contain 
certain requirements. At a minimum, the regulations must require 
financial institutions to implement reasonable procedures for (1) 
verifying the identity of any person seeking to open an account, to the 
extent reasonable and practicable; (2) maintaining records of the 
information used to verify the person's identity, including name, 
address, and other identifying information; and (3) determining whether 
the person appears on any lists of known or suspected terrorists or 
terrorist organizations provided to the financial institution by any 
government agency.
    In prescribing these regulations, the Secretary is directed to take 
into consideration the various types of accounts maintained by various 
types of financial institutions, the various methods of opening 
accounts, and the various types of identifying information available.
    The Secretary has determined that the records required to be kept 
by section 326 of the Act have a high degree of usefulness in criminal, 
tax, or regulatory investigations or proceedings, or in the conduct of 
intelligence or counterintelligence activities, to protect against 
international terrorism.

B. Codification of the Proposed Rule

    The substantive requirements of the proposed rule will be codified 
with other Bank Secrecy Act regulations as part of Treasury's 
regulations in 31 CFR part 103. FinCEN anticipates that, at that time, 
it will publish a final rule that implements section 326 in a single 
section that will apply to all banks.

II. Detailed Analysis

A. Regulations Implementing Section 326

    Definitions. Account. The proposed rule's definition of ``account'' 
is based on the statutory definition of ``account'' that is used in 
section 311 of the Act. ``Account'' means each formal banking or 
business relationship established to provide ongoing services, 
dealings, or other financial transactions. For example, a deposit 
account, transaction or asset account, and a credit account or other 
extension of credit would each constitute an account.
    Section 311 of the Act does not require that this definition be 
used for regulations implementing section 326 of the Act. However, to 
the extent possible, Treasury proposes to apply consistent definitions 
for each of the regulations implementing the Act to reduce confusion. 
``Deposit accounts'' and ``transaction accounts,'' which as previously 
noted, are considered ``accounts'' for purposes of this rulemaking, are 
themselves defined terms. In addition, the term ``account'' is limited 
to banking and business relationships established to provide 
``ongoing'' services, dealings, or other financial transactions to make 
clear that this term is not intended to cover infrequent transactions 
such as the occasional purchase of a money order or a wire transfer.
    Bank. For purposes of this proposed rule, the ``bank'' includes 
only those banks within the meaning of 31 CFR 103.11(c) that lack a 
Federal functional regulator. These are private banks and certain State 
chartered credit unions that are not federally insured, and trust 
companies.
    Customer. The proposed rule defines ``customer'' to mean any person 
seeking to open a new account. Accordingly, the term ``customer'' 
includes a person applying to open an account, but would not cover a 
person seeking information about an account, such as rates charged or 
interest paid on an account, if the person does not actually open an 
account. ``Customer'' includes both individuals and other persons such 
as corporations, partnerships, and trusts. In addition, any person 
seeking to open an account at a bank, on or after the effective date of 
the final rule, will be a ``customer,'' regardless of whether that 
person already has an account at the bank.
    The proposed rule also defines a ``customer'' to include any 
signatory on an account. Thus, for example, an individual with signing 
authority over a corporate account is a ``customer'' within the meaning 
of the proposed

[[Page 48301]]

rule. A signatory can become a ``customer'' when the account is opened 
or when the signatory is added to an existing account.
    The requirements of section 326 of the Act apply to any person 
``seeking to open a new account.'' Accordingly, transfers of accounts 
from one bank to another, that are not initiated by the customer, for 
example, as a result of a merger, acquisition, or purchase of assets or 
assumption of liabilities, fall outside of the scope of section 326, 
and are not covered by the proposed regulation.
    Person. The proposed rule defines ``person'' by reference to 
Sec. 103.11(z). This definition includes individuals, corporations, 
partnerships, trusts, estates, joint stock companies, associations, 
syndicates, joint ventures, other unincorporated organizations or 
groups, certain Indian Tribes, and all entities cognizable as legal 
personalities.
    U.S. Person. Under the proposed rule, for an individual, ``U.S. 
person'' means a U.S. citizen. For persons other than an individual, 
``U.S. person'' means an entity established or organized under the laws 
of a State or the United States. A non-U.S. person is defined as a 
person who does not satisfy these criteria.
    Taxpayer identification number. The proposed rule continues the 
provision in current Sec. 103.34(a)(4), which provides that the 
provisions of section 6109 of the Internal Revenue Code and the 
regulations of the Internal Revenue Service thereunder determine what 
constitutes a taxpayer identification number.
    Customer Identification Program: Minimum Requirements.
    General Rule. Section 326 of the Act requires Treasury to issue a 
regulation that establishes minimum standards regarding the identity of 
any customer who applies to open an account. Section 326 then 
prescribes three procedures that Treasury must require institutions to 
implement as part of this process: (1) Identification and verification 
of persons seeking to open an account; (2) recordkeeping; and (3) 
comparison with government lists.
    Rather than imposing the same list of specific requirements on 
every bank, regardless of its circumstances, the proposed regulation 
requires all banks to implement a Customer Identification Program (CIP) 
that is appropriate given the bank's size, location, and type of 
business. The proposed regulation requires a bank's CIP to contain the 
statutorily prescribed procedures, describes these procedures, and 
details certain minimum elements that each of the procedures must 
contain.
    In addition, the proposed rule requires that the CIP be written and 
that it be approved by the bank's board of directors or a committee of 
the board. This latter requirement highlights the responsibility of a 
bank's board of directors to approve and exercise general oversight 
over the bank's CIP.
    Under the proposed joint regulation for federally regulated banks, 
the CIP must be incorporated into the bank's anti-money laundering 
(BSA) program. FinCEN has not yet issued an anti-money laundering 
program regulation for the banks subject to this proposed rule, but 
anticipates doing so in the near future, at which time they would be 
required to incorporate the CIP into that program. A bank's BSA program 
must include (1) internal policies, procedures, and controls to ensure 
ongoing compliance; (2) designation of a compliance officer; (3) an 
ongoing employee training program; and (4) an independent audit 
function to test programs. Each of these requirements also applies to a 
bank's CIP.
    Identity Verification Procedures. Under section 326 of the Act, the 
regulations issued by Treasury must require banks to implement and 
comply with reasonable procedures for verifying the identity of any 
person seeking to open an account, to the extent reasonable and 
practicable. The proposed regulation implements this requirement by 
providing that each bank must have risk-based procedures for verifying 
the identity of a customer that take into consideration the types of 
accounts that banks maintain, the different methods of opening 
accounts, and the types of identifying information available. These 
procedures must enable the bank to form a reasonable belief that it 
knows the true identity of the customer.
    Under the proposed regulation, a bank must first have procedures 
that specify the identifying information that the bank must obtain from 
any customer. The proposed regulation also sets forth certain, minimal 
identifying information that a bank must obtain prior to opening an 
account or adding a signatory to an account. Second, the bank must have 
procedures describing how the bank will verify the identifying 
information provided. The bank must have procedures that describe when 
it will use documents for this purpose and when it will use other 
methods, either in addition or as an alternative to using documents for 
the purpose of verifying the identity of a customer.
    While a bank's CIP must contain the identity verification 
procedures set forth above, these procedures are to be risk-based. For 
example, a bank need not verify the identifying information of an 
existing customer seeking to open a new account, or who becomes a 
signatory on an account, if the bank (1) previously verified the 
customer's identity in accordance with procedures consistent with this 
regulation, and (2) continues to have a reasonable belief that it knows 
the true identity of the customer. The proposal requires a bank to 
exercise reasonable efforts to ascertain the identity of each customer.
    Although the main purpose of the Act is to prevent and detect money 
laundering and the financing of terrorism, Treasury anticipates that 
the proposed regulation will ultimately benefit consumers. In addition 
to deterring money laundering and terrorist financing, requiring every 
bank to establish comprehensive procedures for verifying the identity 
of customers should reduce the growing incidence of fraud and identity 
theft involving new accounts.\2\
---------------------------------------------------------------------------

    \2\ Last year, over 86,000 complaints were logged into the 
Identity Theft Complaint database established by the Federal Trade 
Commission (FTC). Forms of identity theft commonly reported included 
(1) credit card fraud, where one or more new credit cards were 
opened in the victim's name; (2) bank fraud, where a new bank 
account was opened in the victim's name; and (3) fraudulent loans, 
where a loan had been obtained in the victim's name. See Statement 
of J. Howard Beales, Director, Bureau of Consumer Protection, FTC, 
to the Senate Committee on the Judiciary, Subcommittee on 
Technology, March 20, 2002.
---------------------------------------------------------------------------

    Information Required. The proposed regulation provides that a 
bank's CIP must contain procedures that specify the identifying 
information the bank must obtain from a customer. At a minimum, a bank 
must obtain from each customer the following information prior to 
opening an account or adding a signatory to an account: name; address; 
for individuals, date of birth; and an identification number, described 
in greater detail below. To satisfy the requirement that a bank obtain 
the address of a customer, Treasury expects a bank to obtain both the 
address of an individual's residence and, if different, the 
individual's mailing address. For customers who are not individuals, 
the bank should obtain an address showing the customer's principal 
place of business and, if different, the customer's mailing address.
    For U.S. persons a bank must obtain a U.S. taxpayer identification 
number (e.g., social security number, individual taxpayer 
identification number, or employer identification number). For non-U.S. 
persons a bank must obtain one or more of the following: a taxpayer 
identification number; passport number and country of issuance; alien 
identification card number; or number

[[Page 48302]]

and country of issuance of any other government-issued document 
evidencing nationality or residence and bearing a photograph or similar 
safeguard. The basic information that banks would be required to obtain 
under this proposed regulation reflects the type of information that 
financial institutions currently obtain in the account-opening process 
and is similar to the identifying information currently required for 
each deposit or share account opened (see 31 CFR 103.34(a)(1)). The 
proposed regulation uses the term ``similar safeguard'' to permit the 
use of any biometric identifiers that may be used in addition to, or 
instead of, photographs.
    Treasury recognizes that a new business may need access to banking 
services, particularly a bank account or an extension of credit, before 
it has received an employer identification number from the Internal 
Revenue Service. For this reason, the proposed regulation contains a 
limited exception to the requirement that a taxpayer identification 
number must be provided prior to establishing or adding a signatory to 
an account. Accordingly, a CIP may permit a bank to open or add a 
signatory to an account for a person other than an individual (such as 
a corporation, partnership, or trust) that has applied for, but has not 
received, an employer identification number. However, in such a case, 
the CIP must require that the bank obtain a copy of the application 
before it opens or adds a signatory to the account and obtain the 
employee identification number within a reasonable period of time after 
an account is established or a signatory is added to an account. 
Currently, the IRS indicates that the issuance of an employer 
identification number can take up to five weeks. This length of time, 
coupled with when the person applied for the employer identification 
number, should be considered by the bank in determining the reasonable 
period of time within which the person should provide its employer 
identification number to the bank.
    Verification. The proposed regulation provides that the CIP must 
contain risk-based procedures for verifying the information that the 
bank obtains in accordance with the proposed rule, within a reasonable 
period of time after the account is opened. Treasury considered 
proposing that a customer's identity be verified before an account is 
opened or within a specific time period after the account is opened. 
However, Treasury recognizes that such a position would be unduly 
burdensome for both banks and customers and therefore contrary to the 
plain language of the statute, which states that the procedures must be 
both reasonable and practicable. The amount of time it will take an 
institution to verify identity may depend upon the type of account 
opened, whether the customer is physically present when the account is 
opened, and the type of identifying information available. In addition, 
although an account may be opened, it is common practice among banks to 
place limits on the account, such as by restricting the number of 
transactions or the dollar value of transactions, until a customer's 
identity is verified. Therefore, the proposed regulation provides a 
bank with the flexibility to use a risk-based approach to determine how 
soon identity must be verified.\3\
---------------------------------------------------------------------------

    \3\ It is possible that a bank would, however, violate other 
laws by permitting a customer to transact business prior to 
verifying the customer's identity. See, e.g., 31 CFR 500, 
prohibiting transactions involving designated foreign countries or 
their nationals.
---------------------------------------------------------------------------

    Verification Through Documents. The CIP must contain procedures 
describing when the bank will verify identity through documents and 
setting forth the documents that the bank will use for this purpose. 
For individuals, these documents may include: unexpired government-
issued identification evidencing nationality or residence and bearing a 
photograph or similar safeguard. For corporations, partnerships, 
trusts, and other persons that are not individuals, these may be 
documents showing the existence of the entity, such as registered 
articles of incorporation, a government-issued business license, 
partnership agreement, or trust instrument.
    Non-Documentary Verification. The proposed regulation provides that 
a bank's CIP also must contain procedures describing non-documentary 
methods the bank will use to verify identity and when these methods 
will be used in addition to, or instead of, relying on documents. For 
example, the procedures must address situations where an individual is 
unable to present an unexpired government-issued identification 
document that bears a photograph or similar safeguard; the bank is not 
familiar with the documents presented; the account is opened without 
obtaining documents; the account is not opened in a face-to-face 
transaction; and the type of account increases the risk that the bank 
will not be able to verify the true identity of the customer through 
documents.
    Treasury believes that banks typically require documents to be 
presented when an account is opened face-to-face. Although customers 
usually satisfy these requirements by presenting government-issued 
identification documents bearing a photograph, such as a driver's 
license or passport, Treasury recognizes that some customers 
legitimately may be unable to present those customary forms of 
identification when opening an account. For example, an elderly person 
may not have a valid driver's license or passport. Under these 
circumstances, Treasury expects that banks will provide products and 
services to those customers and verify their identities through other 
methods. Similarly, a bank may be unable to obtain original documents 
to verify a customer's identity when an account is opened by telephone, 
by mail, and over the Internet. Thus, when an account is opened for a 
customer who is not physically present, a bank will be permitted to use 
other methods of verification, to the extent set forth in the CIP.
    While other verification methods must be used when a bank cannot 
examine original documents, Treasury also recognizes that original 
identification documents, including those issued by a government 
entity, may be obtained illegally and may be fraudulent. In light of 
the recent increase in identity fraud, banks are encouraged to use 
other verification methods, even when a customer has provided original 
documents.
    Obtaining sufficient information to verify a customer's identity 
can reduce the risk that a bank will be used as a conduit for money 
laundering and terrorist financing. The risk that the bank will not 
know the customer's true identity will be heightened for certain types 
of accounts, such as accounts opened in the name of a corporation, 
partnership, or trust that is created or conducts substantial business 
in jurisdictions that have been designated by the United States as a 
primary money laundering concern or have been designated as non-
cooperative by an international body. As a bank's identity verification 
procedures should be risk-based, they should identify types of accounts 
that pose a heightened risk, and prescribe additional measures to 
verify the identity of any person seeking to open an account and the 
signatory for such accounts.
    The proposed regulation gives examples of other non-documentary 
verification methods that a bank may use in the situations described 
above. These methods could include contacting a customer after the 
account is opened; obtaining a financial statement; comparing the 
identifying information provided by the customer against fraud and bad 
check databases to determine

[[Page 48303]]

whether any of the information is associated with known incidents of 
fraudulent behavior (negative verification); comparing the identifying 
information with information available from a trusted third party 
source, such as a credit report from a consumer reporting agency 
(positive verification); and checking references with other financial 
institutions. The bank also may wish to analyze whether there is 
logical consistency between the identifying information provided, such 
as the customer's name, street address, ZIP code, telephone number, 
date of birth, and social security number (logical verification).\4\
---------------------------------------------------------------------------

    \4\ Treasury understands that most banks currently make use of 
technology that permits instantaneous negative, positive, and 
logical verification of identity.
---------------------------------------------------------------------------

    Lack of Verification. The proposed regulation also states that a 
bank's CIP must include procedures for responding to circumstances in 
which the bank cannot form a reasonable belief that it knows the true 
identity of a customer.
    Generally, a bank should only maintain an account for a customer 
when it can form a reasonable belief that it knows the customer's true 
identity.\5\ Thus, a bank should have procedures that specify the 
actions that it will take when it cannot form a reasonable belief that 
it knows the true identity of a customer, including when an account 
should not be opened. In addition, a bank's CIP should have procedures 
that address the terms under which a customer may conduct transactions 
while a customer's identity is being verified. The procedures also 
should specify at what point, after attempts to verify a customer's 
identity have failed, a customer's account that has been opened should 
be closed. Finally, if a bank cannot form a reasonable belief that it 
knows the identity of a customer, the procedures should also include 
determining whether a Suspicious Activity Report should be filed in 
accordance with applicable law and regulation.
---------------------------------------------------------------------------

    \5\ There are some exceptions to this basic rule. For example, a 
bank may maintain an account, at the direction of a law enforcement 
or intelligence agency, although the bank does not know the true 
identity of a customer.
---------------------------------------------------------------------------

    Recordkeeping. Section 326 of the Act requires reasonable 
procedures for maintaining records of the information used to verify a 
person's name, address, and other identifying information. The proposed 
regulation sets forth recordkeeping procedures that must be included in 
a bank's CIP. Under the proposal, a bank is required to maintain a 
record of the identifying information provided by the customer. Where a 
bank relies upon a document to verify identity, the bank must maintain 
a copy of the document that the bank relied on that clearly evidences 
the type of document and any identifying information it may contain.\6\ 
The bank also must record the methods and result of any additional 
measures undertaken to verify the identity of the customer. Last, the 
bank must record the resolution of any discrepancy in the identifying 
information obtained. The bank must retain all of these records for 
five years after the date the account is closed.
---------------------------------------------------------------------------

    \6\ The bank need not keep a separate record of the identifying 
information provided by the customer if this information clearly 
appears on the copy of the document maintained by the bank.
---------------------------------------------------------------------------

    Treasury emphasizes that the collection and retention of 
information about a customer, such as an individual's race or sex, as 
an ancillary part of collecting identifying information do not relieve 
a bank from its obligations to comply with anti-discrimination laws or 
regulations, such as the prohibition in the Equal Credit Opportunity 
Act against discrimination in any aspect of a credit transaction on the 
basis of race, color, religion, national origin, sex or marital status, 
age, or other prohibited classifications.
    Nothing in this proposed regulation modifies, limits or supersedes 
section 101 of the Electronic Signatures in Global and National 
Commerce Act, Pub. L. 106-229, 114 Stat. 464 (15 U.S.C. 7001) (E-Sign 
Act). Thus, a bank may use electronic records to satisfy the 
requirements of this regulation, as long as the records are accurate 
and remain accessible in accordance with 31 CFR 103.38(d).
    Comparison with Government Lists. Section 326 of the Act also 
requires reasonable procedures for determining whether the customer 
appears on any list of known or suspected terrorists or terrorist 
organizations provided to the bank by any government agency. The 
proposed rule implements this requirement and clarifies that the 
requirement applies only with respect to lists circulated by the 
Federal government.
    In addition, the proposed rule requires that the procedures must 
ensure that the bank follows all Federal directives issued in 
connection with such lists. This provision makes clear that a bank must 
have procedures for responding to circumstances when the bank 
determines that a customer is named on a list.
    Customer Notice. Section 326 of the Act contemplates that financial 
institutions will provide their customers with ``adequate notice'' of 
the customer identification procedures. Therefore, a bank's CIP must 
include procedures for providing bank customers with adequate notice 
that the bank is requesting information to verify their identity. A 
bank may satisfy the notice requirement by generally notifying its 
customers about the procedures the bank must comply with to verify 
their identities. For example, the bank may post a sign in its lobby or 
provide customers with any other form of written or oral notice. If an 
account is opened electronically, such as through an Internet website, 
the bank may also provide notice electronically.
    Exemptions. Section 326 states that the Secretary (and, in the case 
of section 4(k) institutions, the appropriate Federal functional 
regulator) may by regulation or order, exempt any financial institution 
or type of account from the requirements of this regulation in 
accordance with such standards and procedures as the Secretary may 
prescribe.
    Under the proposed rule, Treasury, may by order or regulation 
exempt any bank lacking a federal functional regulator or type of 
account at such a bank from the requirements of this section. In 
issuing such exemptions, Treasury shall consider whether the exemption 
is consistent with the purposes of the Bank Secrecy Act, consistent 
with safe and sound banking, and in the public interest. Treasury also 
may consider other necessary and appropriate factors.
    Other Information Requirements Unaffected. Nothing in the proposal 
shall be construed to relieve a bank of its obligations to obtain, 
verify, or maintain information in connection with an account or 
transaction that is required by another provision in part 103. For 
example, if an account is opened with a deposit of more than $10,000 in 
cash, the bank opening the account must comply with the customer 
identification requirements in the proposal, as well as with the 
provisions of section 103.22, which require that certain information 
concerning the transaction be reported by filing a Cash Transaction 
Report (CTR).

B. Conforming Amendments to 31 CFR 103.34

    Current section 103.34(a) sets forth customer identification 
requirements when certain types of deposit accounts are opened. 
Generally, sections 103.34(a)(1) and (2) require a bank, within 30 days 
after certain deposit accounts are opened, to secure and maintain a 
record of the taxpayer identification number of the customer

[[Page 48304]]

involved. If the bank is unable to obtain the taxpayer identification 
number within 30 days (or a longer time if the person has applied for a 
taxpayer identification number), it need take no further action under 
section 103.34 concerning the account if it maintains a list of the 
names, addresses, and account numbers of the persons for which it was 
unable to secure taxpayer identification numbers, and provides that 
information to the Secretary upon request. In the case of a non-
resident alien, the bank is required to record the person's passport 
number or a description of some other government document used to 
determine identification. Treasury believes that the requirements of 
section 103.34(a)(1) and (2) are inconsistent with the intent and 
purpose of section 326 of the Act and incompatible with the proposal.
    Section 103.34(a)(3) currently provides that a bank need not obtain 
a taxpayer identification number with respect to specified categories 
of persons \7\ opening certain deposit accounts. This proposed rule 
does not contain any exemptions from the CIP requirements.
---------------------------------------------------------------------------

    \7\ The exemption applies to (i) agencies and instrumentalities 
of Federal, State, local, or foreign governments; (ii) judges, 
public officials, or clerks of courts of record as custodians of 
funds in controversy or under the control of the court; (iii) aliens 
who are ambassadors; ministers; career diplomatic or consular 
officers; naval, military, or other attaches of foreign embassies 
and legations; and members of their immediate families; (iv) aliens 
who are accredited representatives of certain international 
organizations, and their immediate families; (v) aliens temporarily 
residing in the United States for a period not to exceed 180 days; 
(vi) aliens not engaged in a trade or business in the United States 
who are attending a recognized college or university, or any 
training program supervised or conducted by an agency of the Federal 
Government; (vii) unincorporated subordinate units of a tax exempt 
central organization that are covered by a group exemption letter; 
(viii) a person under 18 years of age, with respect to an account 
opened as part of a school thrift savings program, provided the 
annual interest is less than $10; (ix) a person opening a Christmas 
club, vacation club, or similar installment savings program, 
provided the annual interest is less than $10; and (x) non-resident 
aliens who are not engaged in a trade or business in the United 
States.
---------------------------------------------------------------------------

    Treasury is requesting comments on whether any of these exemptions 
should apply in the context of the proposed CIP requirements in light 
of the intent and purpose of section 326 of the Act.
    Section 103.34(a)(4) provides that section 6109 of the Internal 
Revenue Code and the rules and regulations of the Internal Revenue 
Service (IRS) promulgated thereunder shall determine what constitutes a 
taxpayer identification number. This provision is continued in the 
proposal. Section 103.34(a)(4) also provides that IRS rules shall 
determine whose number shall be obtained in the case of multiple 
account holders. Treasury believes that this provision is inconsistent 
with section 326 of the Act, which requires that banks verify the 
identity of ``any'' person seeking to open an account. For these 
reasons, Treasury is proposing to repeal section 103.34(a).
    Section 103.34(b) sets forth certain recordkeeping requirements for 
banks. Among other things, section 103.34(b)(1) requires a bank to keep 
``any notations, if such are normally made, of specific identifying 
information verifying the identity of [a person with signature 
authority over an account] (such as a driver's license number or credit 
card number).'' Treasury believes that the quoted language in section 
103.34(b)(1) is inconsistent with the requirements of the proposal. For 
this reason, Treasury is proposing to delete the quoted language.

III. Request for Comments

    Treasury invites comment on all aspects of this rulemaking, and 
specifically seek comment on the following issues:
    1. Whether the proposed definition of ``account'' is appropriate 
and whether other examples of accounts should be added to the 
regulatory text.
    2. How the proposed regulation should apply to various types of 
accounts that are designed to allow a customer to transact business 
immediately.
    3. Ways that banks can comply with the requirement that a bank 
obtain both the address of an individual's residence, and, if 
different, the individual's mailing address in situations involving 
individuals who lack a permanent address.
    4. Whether non-U.S. persons that are not individuals will be able 
to provide a bank with the identifying information required in the 
proposal, or whether other categories of identifying information should 
be added to this proposal to permit non-U.S. persons that are not 
individuals to open accounts. Commenters on this issue should suggest 
other means of identification that banks currently use or should use.
    5. Whether the proposed regulation will subject banks to 
conflicting State laws. Treasury requests that commenters cite and 
describe any potentially conflicting State laws.
    6. The extent to which the verification procedures required by the 
proposed regulation make use of information that banks currently obtain 
in the account opening process. Treasury notes that the legislative 
history of section 326 indicates that Congress intended ``the 
verification procedures prescribed by Treasury [to] make use of 
information currently obtained by most financial institutions in the 
account opening process.'' See H.R. Rep. No. 107-250, pt. 1, at 63 
(2001).
    7. Whether any of the exemptions from the customer identification 
requirements contained in current section 103.34(a)(3) should be 
continued in the proposal. In this regard, Treasury requests that 
commenters address the standards set forth in the proposal (as well as 
any other appropriate factors).

IV. Regulatory Flexibility Act

    When an agency issues a rulemaking proposal, the Regulatory 
Flexibility Act (RFA) requires the agency to ``prepare and make 
available for public comment an initial regulatory flexibility 
analysis' unless the agency certifies that the rule will not have a 
``significant economic impact on a substantial number of small 
entities.'' 5 U.S.C. 603, 605(b).\8\
---------------------------------------------------------------------------

    \8\ The RFA defines the term ``small entity'' in 5 U.S.C. 601 by 
reference to the definitions published by the Small Business 
Administration (SBA). The SBA has defined a ``small entity'' for 
banking purposes as a bank or savings institution with less than 
$150 million in assets. See 13 CFR 121.201. The NCUA defines ``small 
credit union'' as those under $1 million in assets. Interpretive 
Ruling and Policy Statement No. 87-2, Developing and Reviewing 
Government Regulations (52 FR 35231, September 18, 1987).
---------------------------------------------------------------------------

    Treasury certifies that the proposed rule will not have a 
significant economic impact on a substantial number of small entities. 
The requirements of the proposed rule closely parallel the requirements 
for customer identification programs mandated by section 326 of the 
Act.
    Moreover, Treasury believes that banks already have implemented 
prudential business practices and anti-money laundering programs that 
involve the key controls that would be required in a customer 
identification program in accordance with the proposed regulation. 
First, all banks already undertake extensive measures to verify the 
identity of their customers as a matter of good business practice.
    Second, banks already should have compliance programs in place to 
check lists provided by the Federal government of known and suspected 
terrorists and terrorist organizations. Currently, banks are prohibited 
from engaging in transactions involving certain foreign countries or 
their nationals under rules issued by Treasury's Office of Foreign 
Assets Control (OFAC). See 31 CFR part 500. Banks should already have 
compliance programs in place to ensure that they do

[[Page 48305]]

not violate OFAC rules. Treasury understands that many banks, including 
small banks, have instituted programs to check other lists provided to 
them by the Federal government following the events of September 11, 
2001. Treasury believes that all banks have access to a variety of 
resources, such as computer software packages, that enable them to 
check lists provided by the Federal government.
    Third, Treasury believes the provision in the proposed rule that 
requires a bank to provide adequate notice to its customers that it is 
requesting information to verify their identity will impose minimal 
costs on banks. Banks may elect to satisfy that requirement through a 
variety of low-cost measures, such as by posting a sign in the bank's 
lobby or providing any other form of written or oral notice.
    The recordkeeping requirements similarly may impose some costs on 
banks, if, for example, some of the information that must be maintained 
as a consequence of implementing customer identification programs is 
not already retained. Treasury believes that the compliance burden, if 
any, is minimized for banks, including small banks, because the 
proposed regulation vests a bank with the discretion to design and 
implement appropriate recordkeeping procedures, including allowing 
banks to maintain electronic records in lieu of (or in combination 
with) paper records.
    Finally, Treasury believes that the flexibility incorporated into 
the proposed rule will permit each bank to tailor its CIP to fit its 
own size and needs. In this regard, Treasury believes that expenditures 
associated with establishing and implementing a CIP will be 
commensurate with the size of a bank. If a bank is small, the burden to 
comply with the proposed rule should be de minimis.

V. Paperwork Reduction Act

    The proposed rule contains recordkeeping and disclosure 
requirements that are subject to the Paperwork Reduction Act of 1995 
(44 U.S.C. 3501 et seq.). In summary, the proposed rule requires banks 
to implement reasonable procedures to (1) maintain records of the 
information used to verify the person's identity and (2) provide notice 
of these procedures to customers. These recordkeeping and disclosure 
requirements are required under section 326 of the Act.
    The proposed rule applies only to a financial institution that is a 
``bank'' as defined in 31 CFR 103.11(c) lacking a Federal functional 
regulator. The proposed rule requires each bank to establish a written 
CIP that must include recordkeeping procedures and procedures for 
providing customers with notice that the bank is requesting information 
to verify their identity.
    The proposed rule requires a bank to maintain a record of (1) the 
identifying information provided by the customer, the type of 
identification document(s) reviewed, if any, the identification number 
of the document(s), and a copy of the identification document(s); (2) 
the means and results of any additional measures undertaken to verify 
the identity of the customer; and (3) the resolution of any discrepancy 
in the identifying information obtained. These records must be 
maintained at the bank for five years after the date the account is 
closed. Treasury believes that little burden is associated with the 
recordkeeping requirements of the proposal, because such recordkeeping 
is a usual and customary business practice. In addition, banks already 
must keep similar records to comply with existing regulations in 31 CFR 
Part 103 (see, e.g., 31 CFR 103.34, requiring certain records for each 
deposit or share account opened).
    The proposed rule also requires banks to give customers ``adequate 
notice'' of the identity verification procedures. A bank may satisfy 
the notice requirement by posting a sign in the lobby or providing 
customers with any other form of written or oral notice. If the account 
is opened electronically, the bank may provide the notice 
electronically. Treasury believes that nominal burden is associated 
with the disclosure requirement of the proposal. This section requires 
a bank to notify its customers about the procedures the bank has 
implemented to verify their identities. However, a bank may choose 
among a variety of methods of providing adequate notice and may select 
the least burdensome method, given the circumstances under which 
customers seek to open new accounts.
    A person is not required to respond to a collection of information 
unless it displays a currently valid Office of Management and Budget 
(OMB) control number. The collection of information requirements 
contained in the proposed rule have been submitted to the OMB by 
Treasury in accordance with the Paperwork Reduction Act of 1995 (44 
U.S.C. 3507).
    The institutions subject to these requirements include private 
banks, credit unions, and trust companies that do not have a Federal 
functional regulator.
    Estimated number of financial institutions: 2,460.
    Estimated average annual burden for the recordkeeping requirements 
of the proposed rule per each financial institution respondent: 10 
hours.
    Estimated average annual burden for the disclosure requirements of 
the proposed rule per each financial institution respondent: 1 hour.
    Estimated total annual recordkeeping and disclosure burden: 27,060 
hours.
    Treasury requests public comment on all aspects of the 
recordkeeping and disclosure requirements contained in this proposed 
rule, including how burdensome it would be for banks to comply with 
these requirements. Also, Treasury requests comment on whether the 
banks are currently maintaining the records requested by the proposal. 
Treasury also invites comment on:
    (1) Whether the collections of information contained in the notice 
of proposed rulemaking are necessary for the proper performance of 
FinCEN's functions, including whether the information has practical 
utility;
    (2) The accuracy of the estimated burden of the proposed 
information collections;
    (3) Ways to enhance the quality, utility, and clarity of the 
information to be collected;
    (4) Ways to minimize the burden of the information collections on 
respondents, including the use of automated collection techniques or 
other forms of information technology; and
    (5) Estimates of capital or start-up costs and costs of operation, 
maintenance, and purchases of services to provide information.
    Comments concerning the recordkeeping and disclosure requirements 
in the proposed rule should be sent (preferably by fax (202-395-6974)) 
to Desk Officer for the Department of the Treasury, Office of 
Information and Regulatory Affairs, Office of Management and Budget, 
Paperwork Reduction Project (1506), Washington, DC 20503 (or by the 
Internet to [email protected]), with a copy to FinCEN by mail or the 
Internet at the addresses previously specified.

VI. Executive Order 12866

    Treasury has determined that this proposal is not a ``significant 
regulatory action'' under Executive Order 12866. The rule follows 
closely the requirements of section 326 of the Act.
    Treasury believes banks already have procedures in place that 
fulfill most of the requirements of the proposed regulation. First, the 
procedures are a matter of good business practice. Second, banks should 
already have compliance programs in place to ensure

[[Page 48306]]

they comply with OFAC rules prohibiting transactions with certain 
foreign countries or their nationals.

    Dated: July 15, 2002.
James F. Sloan,
Director, Financial Crimes Enforcement Network.
[FR Doc. 02-18193 Filed 7-22-02; 8:45 am]
BILLING CODE 4810-02-P