[Federal Register Volume 68, Number 90 (Friday, May 9, 2003)]
[Rules and Regulations]
[Pages 25090-25113]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 03-11019]



[[Page 25089]]

-----------------------------------------------------------------------


Part II

Department of the Treasury



31 CFR Part 103



Office of the Comptroller of the Currency

12 CFR Part 21



Office of Thrift Supervision

12 CFR Part 563



-----------------------------------------------------------------------
Federal Reserve System

 12 CFR Parts 208 and 211



-----------------------------------------------------------------------
Federal Deposit Insurance Corporation

12 CFR Part 326



-----------------------------------------------------------------------
National Credit Union Administration

12 CFR Part 748



-----------------------------------------------------------------------
Commodity Futures Trading Commission

17 CFR Parts 1 and 42



-----------------------------------------------------------------------
Securities and Exchange Commission

17 CFR Part 270 and 31 CFR Part 103



Transactions and Customer Identification Programs; Final Rules and 
Proposed Rule

  Federal Register / Vol. 68, No. 90 / Friday, May 9, 2003 / Rules and 
Regulations  

[[Page 25090]]


-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Office of the Comptroller of the Currency

12 CFR Part 21

[Docket No. 03-08]
RIN 1557-AC06

FEDERAL RESERVE SYSTEM

12 CFR Parts 208 and 211

[Docket No. R-1127]

FEDERAL DEPOSIT INSURANCE CORPORATION

12 CFR Part 326

DEPARTMENT OF THE TREASURY

Office of Thrift Supervision

12 CFR Part 563

[Docket No. 2003-16]

NATIONAL CREDIT UNION ADMINISTRATION

12 CFR Part 748

RIN 3133

DEPARTMENT OF THE TREASURY

31 CFR Part 103

RIN 1506-AA31


Customer Identification Programs for Banks, Savings Associations, 
Credit Unions and Certain Non-Federally Regulated Banks

AGENCIES: The Financial Crimes Enforcement Network, Treasury; Office of 
the Comptroller of the Currency, Treasury; Board of Governors of the 
Federal Reserve System; Federal Deposit Insurance Corporation; Office 
of Thrift Supervision, Treasury; National Credit Union Administration.

ACTION: Joint final rule.

-----------------------------------------------------------------------

SUMMARY: The Department of the Treasury, through the Financial Crimes 
Enforcement Network (FinCEN), together with the Office of the 
Comptroller of the Currency (OCC), the Board of Governors of the 
Federal Reserve System (Board), the Federal Deposit Insurance 
Corporation (FDIC), the Office of Thrift Supervision (OTS), and the 
National Credit Union Administration (NCUA) (collectively, the 
Agencies), have jointly adopted a final rule to implement section 326 
of the Uniting and Strengthening America by Providing Appropriate Tools 
Required To Intercept and Obstruct Terrorism (USA PATRIOT) Act of 2001 
(the Act). Section 326 requires the Secretary of the Treasury 
(Secretary) to jointly prescribe with each of the Agencies, the 
Securities and Exchange Commission (SEC), and the Commodity Futures 
Trading Commission (CFTC), a regulation that, at a minimum, requires 
financial institutions to implement reasonable procedures to verify the 
identity of any person seeking to open an account, to the extent 
reasonable and practicable; maintain records of the information used to 
verify the person's identity; and determine whether the person appears 
on any lists of known or suspected terrorists or terrorist 
organizations provided to the financial institution by any government 
agency. This final regulation applies to banks, savings associations, 
credit unions, private banks, and trust companies.

DATES: Effective Date: This rule is effective June 9, 2003.
    Compliance Date: Each bank must comply with this final rule by 
October 1, 2003.

FOR FURTHER INFORMATION CONTACT:
    OCC: Office of the Chief Counsel at (202) 874-3295.
    Board: Enforcement and Special Investigations Sections at (202) 
452-5235, (202) 728-5829, or (202) 452-2961.
    FDIC: Special Activities Section, Division of Supervision and 
Consumer Protection, and Legal Division at (202) 898-3671.
    OTS: Compliance Policy Division at (202) 906-6012.
    NCUA: Office of General Counsel at (703) 518-6540; or Office of 
Examination and Insurance at (703) 518-6360.
    Treasury: Office of the Chief Counsel (FinCEN) at (703) 905-3590; 
Office of the General Counsel (Treasury) at (202) 622-1927; or the 
Office of the Assistant General Counsel for Banking & Finance 
(Treasury) at (202) 622-0480.

SUPPLEMENTARY INFORMATION:

I. Background

A. Section 326 of the USA PATRIOT Act

    On October 26, 2001, President Bush signed into law the USA PATRIOT 
Act, Pub. L. 107-56. Title III of the Act, captioned ``International 
Money Laundering Abatement and Anti-terrorist Financing Act of 2001,'' 
adds several new provisions to the Bank Secrecy Act (BSA), 31 U.S.C. 
5311 et seq. These provisions are intended to facilitate the 
prevention, detection, and prosecution of international money 
laundering and the financing of terrorism.
    Section 326 of the Act adds a new subsection (l) to 31 U.S.C. 5318 
of the BSA that requires the Secretary to prescribe regulations 
``setting forth the minimum standards for financial institutions and 
their customers regarding the identity of the customer that shall apply 
in connection with the opening of an account at a financial 
institution.''
    Section 326 applies to all ``financial institutions.'' This term is 
defined very broadly in the BSA to encompass a variety of entities, 
including commercial banks, agencies and branches of foreign banks in 
the United States, thrifts, credit unions, private banks, trust 
companies, investment companies, brokers and dealers in securities, 
futures commission merchants, insurance companies, travel agents, 
pawnbrokers, dealers in precious metals, check-cashers, casinos, and 
telegraph companies, among many others. See 31 U.S.C. 5312(a)(2) and 
(c)(1)(A).
    For any financial institution engaged in financial activities 
described in section 4(k) of the Bank Holding Company Act of 1956 
(section 4(k) institutions), the Secretary is required to prescribe the 
regulations issued under section 326 jointly with each of the Agencies, 
the SEC, and the CFTC (the Federal functional regulators).
    Section 326 of the Act provides that the regulations must require, 
at a minimum, financial institutions to implement reasonable procedures 
for (1) verifying the identity of any person seeking to open an 
account, to the extent reasonable and practicable; (2) maintaining 
records of the information used to verify the person's identity, 
including name, address, and other identifying information; and (3) 
determining whether the person appears on any lists of known or 
suspected terrorists or terrorist organizations provided to the 
financial institution by any government agency. In prescribing these 
regulations, the Secretary is directed to take into consideration the 
various types of accounts maintained by various types of financial 
institutions, the various methods of opening accounts, and the various 
types of identifying information available.

B. Overview of Comments Received

    On July 23, 2002, Treasury and the Agencies published a joint 
notice of proposed rulemaking in the Federal Register (67 FR 48290) 
applicable to (a) any financial institution defined as a ``bank'' in 31 
CFR 103.11(c) \1\ and

[[Page 25091]]

subject to regulation by one of the Agencies; and (b) any foreign 
branch of an insured bank. On the same date, Treasury separately 
published an identical, proposed rule for credit unions, private banks, 
and trust companies that do not have a Federal functional regulator (67 
FR 48299).\2\ Treasury and the Agencies proposed general standards that 
would require each bank to design and implement a customer 
identification program (CIP) tailored to the bank's size, location, and 
type of business. The proposed rule also included certain specific 
standards that would be mandated for all banks.\3\
---------------------------------------------------------------------------

    \1\ This definition includes banks, savings associations, credit 
unions, Edge Act and Agreement corporations, and branches and 
agencies of foreign banks.
    \2\ In the preamble for this proposed rule, Treasury explained 
that a single final regulation would be issued for all financial 
institutions defined as ``banks'' under 31 CFR 103.11(c), with 
modifications to accommodate certain differences between Federally 
regulated and non-Federally regulated banks. See 67 FR 48299, 48300.
    \3\ At the same time, Treasury also published (1) together with 
the SEC, proposed rules for broker-dealers (67 FR 48306) and mutual 
funds (67 FR 48318); and (2) together with the CFTC, proposed rules 
for futures commission merchants and introducing brokers (67 FR 
48328).
---------------------------------------------------------------------------

    Treasury and the Agencies collectively received approximately five 
hundred comments in response to these proposed rules (collectively 
referred to as the ``proposal'' or the ``proposed rule'' for 
``banks''), although some commenters sent copies of the same letter to 
Treasury and to each of the Agencies. The majority of comments received 
by Treasury and the Agencies were from banks, savings associations, 
credit unions, and their trade associations. Most of these commenters 
agreed with the largely risk-based approach set forth in the proposal 
that allowed each bank to develop a CIP based on its specific 
operations.
    Some commenters, however, criticized the specific requirements in 
the proposed rule and suggested that Treasury and the Agencies issue a 
final rule containing an entirely risk-based approach without any 
minimum identification and verification requirements. According to some 
of these commenters, such a thoroughly risk-based approach would give 
banks appropriate discretion to focus their efforts and finite 
resources on specific, high-risk accounts most likely to be used by 
money-launderers and terrorists.
    Other commenters, especially those representing credit card banks 
and credit card issuers, asserted that the proposed minimum 
identification and verification requirements should be eliminated 
because they did not take into account the unique nature of credit card 
operations. They warned that these requirements, if implemented, would 
have a chilling effect on credit practices important to U.S. consumers 
and would impose significant compliance costs on their industry with 
little benefit to law enforcement.
    By contrast, some smaller banks criticized the flexibility of the 
proposal and stated that a risk-based approach would leave too much 
room for interpretation by the Agencies. These commenters urged 
Treasury and the Agencies to issue a final rule establishing more 
specific requirements. For example, some commenters suggested that the 
rule prescribe risk assessment levels for each customer type and type 
of account, along with a specific description of acceptable forms of 
identification and methods of verification appropriate for each bank's 
size and location.
    While commenters representing various segments of the industry 
differed on the approach that should be taken in the final rule, the 
vast majority concluded that Treasury and the Agencies had 
underestimated the compliance burden that would be imposed by certain 
elements of the proposal. Commenters were especially concerned about 
the proposed requirements that banks verify the identity of signatories 
on accounts, keep copies of documents used to verify a customer's 
identity, and retain identity verification records for five years after 
an account is closed.
    Some commenters also suggested that banks be given greater 
flexibility when dealing with established customers and urged that 
banks be permitted to rely on identification and verification of 
customers performed by a third party, including an affiliate. Other 
commenters asked for additional guidance regarding the lists of known 
and suspected terrorists and terrorist organizations that must be 
checked, and regarding what will be deemed adequate notice to customers 
for purposes of complying with the final rule. Many commenters 
requested that the final rule contain a delayed implementation date 
that would provide banks with the time needed to design a customer 
identification program, obtain board approval, alter existing policies 
and procedures, forms and software, and train staff.
    Several comments were received from companies engaged in the sale 
of technology or services that could be used to identify and verify 
customers, retain records, and check lists of known and suspected 
terrorists and terrorist organizations. Many of these companies 
recommended that the proposed rule be modified to make clear that use 
of specific products and services would be permissible. Some of these 
commenters urged that the rule require banks to authenticate any 
documents obtained to verify the identity of the customer through the 
use of automated document authentication technology.
    A small number of comments were received from individuals. Some of 
these individuals criticized the proposed requirement that banks obtain 
a social security number from persons opening an account as an 
infringement upon individual liberty and privacy. Some individuals were 
concerned that this requirement would expose them to an added risk of 
identity theft. Other individuals supported the proposal and concluded 
that its verification requirements might diminish instances of identity 
theft and fraud. A few commenters suggested that the government develop 
a separate national identification number or require that social 
security cards bear photographs and or other safeguards.
    A variety of commenters applauded the efforts of Treasury and the 
Federal functional regulators to devise a uniform set of rules that 
apply to banks, broker-dealers, mutual funds, futures commission 
merchants, and introducing brokers.\4\ They noted that, without 
uniformity, customers of financial institutions may seek to open 
accounts with institutions that customers perceive to have less robust 
customer identification requirements. These commenters also suggested 
revisions that would enhance the uniformity of the rules.
---------------------------------------------------------------------------

    \4\ See footnote 3, supra.
---------------------------------------------------------------------------

    Treasury and the Agencies have modified the proposed rule in light 
of the comments received. A discussion of the comments, and the manner 
in which the proposed rule has been modified, follows in the section-
by-section analysis.
    In addition, as suggested by a number of commenters, Treasury and 
the Agencies expect to issue supplementary guidance following issuance 
of the final rule.

C. Joint Issuance by Treasury and the Agencies

    The final rule implementing section 326 is being issued jointly by 
Treasury, through FinCEN, and by the Agencies. It applies to (1) a 
``bank,'' as defined in 31 CFR 103.11(c), that is subject to regulation 
by one of the Agencies, and (2) to any non-Federally insured credit 
union, private bank or trust company that does not have a Federal 
functional regulator (collectively referred to in the final rule as ``a 
bank'').

[[Page 25092]]

    The substantive requirements of this joint final rule are being 
codified as part of Treasury's BSA regulations located in 31 CFR part 
103. In addition, each of the Agencies is concurrently publishing a 
provision in its own regulations \5\ to cross-reference this final rule 
in order to clarify the applicability of the final rule to the banks 
subject to its jurisdiction.
---------------------------------------------------------------------------

    \5\ 12 CFR 21.21 (OCC); 12 CFR 208.63, 211.5, and 211.24 (FRB); 
12 CFR 326.8 (FDIC); 12 CFR 563.177 (OTS); and 12 CFR 748.2 (NCUA).
---------------------------------------------------------------------------

    Regulations governing the applicability of section 326 to certain 
financial institutions that are regulated by the SEC and the CFTC are 
the subject of separate rulemakings. Treasury, the Agencies, the SEC, 
and the CFTC consulted extensively in the development of all joint 
rules implementing section 326 of the Act. All of the participating 
agencies intend the effect of the rules to be uniform throughout the 
financial services industry. Treasury intends to issue separate rules 
under section 326 for certain non-bank financial institutions that are 
not regulated by one of the Federal functional regulators.
    The Secretary has determined that the records required to be kept 
by section 326 of the Act have a high degree of usefulness in criminal, 
tax, or regulatory investigations or proceedings, or in the conduct of 
intelligence or counterintelligence activities, to protect against 
international terrorism.
    In addition, Treasury, under its own authority, is issuing 
conforming amendments to 31 CFR 103.34, which imposes requirements 
concerning the identification of bank customers.

D. Compliance Date

    Nearly all commenters on the proposed rule requested that banks be 
given adequate time to develop and implement the requirements of any 
final rule implementing section 326 of the Act. These commenters stated 
that if the proposed rule were implemented, banks would be required, 
among other things, to revise existing account opening policies and 
procedures, obtain board approval, train staff, update forms, purchase 
new or updated software for customer verification and checking of 
government lists, and purchase new equipment for copying or scanning 
and storing records. Commenters requested a delayed effective or 
compliance date, but, given the variety of banks that would be covered 
by the final rule, there was no consensus regarding the amount of time 
that would be necessary to comply with the final rule. The transition 
periods suggested by commenters ranged from 60 days to two years from 
the date a final rule is published.
    The final rule modifies various aspects of the proposal and 
eliminates some of the requirements that commenters identified as being 
most burdensome. Nonetheless, Treasury and the Agencies recognize that 
some banks will need time to develop a CIP, obtain board approval, and 
implement the CIP, which will include various measures, such as 
training of staff, reprinting forms, and developing new software. 
Accordingly, although this final rule will be effective 30 days after 
publication, banks are provided with a transition period to implement 
the rule. Treasury and the Agencies have determined that each bank must 
fully implement its CIP by October 1, 2003.

II. Section-by-Section Analysis of Final Rule Implementing Section 326

Section 103.121(a) Definitions

    Section 103.121(a)(1) Account. The proposed rule defined 
``account'' as each formal banking or business relationship established 
to provide ongoing services, dealings, or other financial transactions 
and stated that a deposit account, transaction or asset account, and a 
credit account or other extension of credit would each constitute an 
``account.'' \6\ The proposal also explained that the term ``account'' 
was limited to formal banking and business relationships established to 
provide ``ongoing'' services, dealings, or other financial transactions 
to make clear that this term is not intended to cover infrequent 
transactions such as the occasional purchase of a money order or a wire 
transfer.
---------------------------------------------------------------------------

    \6\ The definition of ``account'' in the proposed rule was based 
on the statutory definition of ``account'' that is used in section 
311 of the Act.
---------------------------------------------------------------------------

    Treasury and the Agencies received a large number of comments on 
this proposed definition. Some commenters agreed with the proposed 
definition though others thought the definition of ``account'' was 
either too broad or needed clarification. Some commenters suggested 
that the definition of ``account'' be narrowed to include only those 
relationships that are financial in nature. A number of commenters 
urged that the definition be limited to high-risk relationships that 
experts have identified as actually used by money launderers and 
terrorists. Some of these commenters suggested that particular types of 
accounts, especially those established as part of employee benefit 
plans, be excluded from the definition of ``account.''
    Most commenters requested that the final rule provide additional 
examples of the relationships that would constitute an ``account.'' 
Many commenters requested that the rule clarify the meaning of 
``ongoing services.'' These commenters asked whether a person who 
repeatedly and regularly purchased a money order, requested a wire 
transfer, or cashed a check on a weekly basis, without any other 
relationship with a bank, would be considered to have an ``account.'' 
Many other commenters asked that the exclusion for transfers of 
accounts between banks described in the preamble for the proposal--
which commenters characterized as the ``transfer exception'' --be 
stated expressly in the regulation and expanded to cover all loans 
originated by a third party and purchased by a bank, such as mortgages 
purchased from non-bank lenders and vehicle loans purchased from car 
dealers.
    The final rule contains a number of changes prompted by these 
comments. First, the reference to the term ``business relationship'' 
has been deleted from the definition of ``account.'' This change is 
made to clarify that the regulation applies to the bank's provision of 
financial products and services, as opposed to general ``business'' 
dealings, such as those in connection with the bank's own operations or 
premises. Second, the definition now contains additional, but non-
exclusive, examples of products and services, such as safety deposit 
box and other safekeeping services, cash management, and custodian and 
trust services, that constitute an ``account.''
    The definition of ``account'' also has been changed to include a 
list of products and services that will not be deemed an ``account.'' 
The preamble for the proposed rule had used the term ``ongoing 
services'' to define accounts covered by the final rule, and had 
referred to the exclusion of ``occasional'' transactions and 
``infrequent'' purchases (which arguably would require a bank to 
monitor all transactions for repetitive contacts). By contrast, the 
final rule clarifies that ``account'' excludes products and services 
where a formal banking relationship is not established with a person, 
such as check cashing, wire transfer, or the sale of a check or money 
order.\7\ Treasury and the

[[Page 25093]]

Agencies note that part 103 already requires verification of identity 
in connection with many of these products and services. See, e.g., 31 
CFR 103.29 (purchases of bank checks and drafts, cashier's checks, 
money orders, and traveler's checks for $3000 or more); 31 CFR 103.33 
(funds transfers of $3000 or more).
---------------------------------------------------------------------------

    \7\ This exclusion is consistent with legislative history 
indicating that by referencing the term ``customers,'' Congress 
intended ``that the regulations prescribed by Treasury take an 
approach similar to that of regulations promulgated under title V of 
the Gramm-Leach-Bliley Act of 1999, where the Federal functional 
regulators defined ``customers'' and ``customer relationship'' for 
purposes of the financial privacy rules.'' H.R. Rep. No. 107-250, 
pt. 1, at 62 (2001). The definitions of ``customer'' and ``customer 
relationship'' in the financial privacy rules apply only to a 
consumer who has a ``continuing relationship'' with a bank, for 
example, in the form of a deposit or investment account, or a loan. 
See .3(h) and (i) of 12 CFR part 40 (OCC); 12 CFR part 216 (Board); 
12 CFR part 332 (FDIC); 12 CFR part 573 (OTS); and 12 CFR part 716 
(NCUA).
---------------------------------------------------------------------------

    In addition, the final rule codifies and clarifies the ``transfer 
exception.'' Under the final rule, the definition of ``account'' 
excludes accounts that a bank acquires through an acquisition, merger, 
purchase of assets, or assumption of liabilities from any third 
party.\8\ Treasury and the Agencies note that the Act provides that the 
regulations shall require reasonable procedures for ``verifying the 
identity of any person seeking to open an account.'' Because these 
transfers are not initiated by customers, these accounts do not fall 
within the scope of section 326.\9\
---------------------------------------------------------------------------

    \8\ In many cases, these third parties are themselves 
``financial institutions'' for purposes of the BSA. Treasury 
anticipates that these third parties ultimately will be subject to 
their own customer identification rules implementing section 326 of 
the Act in the event that they are not presently covered by such a 
rule.
    \9\ Nevertheless, there may be situations involving the transfer 
of accounts where it would be appropriate for a bank, as part of the 
customer due diligence procedures required under existing 
regulations requiring banks to have compliance programs implementing 
the BSA (BSA compliance programs), to verify the identity of 
customers associated with accounts that it acquires from another 
financial institution. Treasury and the Agencies expect financial 
institutions to implement reasonable procedures to detect money 
laundering in any account, however acquired.
---------------------------------------------------------------------------

    Treasury and the Agencies generally agree with the view expressed 
by commenters who suggested that a bank's limited resources be focused 
on relationships that pose a higher risk of money laundering and 
terrorism. Accordingly, the Agencies have included an exception to the 
definition of ``account'' for accounts opened for the purpose of 
participating in an employee benefit plan established pursuant to the 
Employee Retirement Income Security Act of 1974. These accounts are 
less susceptible to use for the financing of terrorism and money 
laundering, because, among other reasons, they are funded through 
payroll deductions in connection with employment plans that must comply 
with Federal regulations which impose various requirements regarding 
the funding and withdrawal of funds from such accounts, including low 
contribution limits and strict distribution requirements.
    Section 103.121(a)(2) Bank. The proposal jointly issued by Treasury 
and the Agencies applied to any financial institution defined as a 
``bank'' in 31 CFR 103.11(c) and subject to regulation by one of the 
Agencies, including banks, savings associations, credit unions, Edge 
Act and Agreement corporations, and branches and agencies of foreign 
banks. The proposed definition also included ``any foreign branch of an 
insured bank'' to make clear that the procedures required by the rule 
would have to be implemented throughout the bank, no matter where its 
offices are located. The preamble for the proposal explained that the 
rule would apply to bank subsidiaries to the same extent as existing 
regulations requiring banks to have BSA compliance programs.\10\ As 
described above, a second proposal issued simultaneously by Treasury 
applied to certain other financial institutions defined as a ``bank'' 
in 31 CFR 103.11(c), namely, those credit unions, private banks, and 
trust companies that do not have a Federal functional regulator.
---------------------------------------------------------------------------

    \10\ All insured depository institutions currently must have a 
BSA compliance program. See 12 CFR 21.21 (OCC); 12 CFR 208.63 
(Board); 12 CFR 326.8 (FDIC); 12 CFR 563.177 (OTS); and 12 CFR 748.2 
(NCUA). In addition, all financial institutions are required by 
section 352 of the Act, 31 U.S.C. 5318(h), to develop and implement 
an anti-money laundering program. Treasury issued a regulation 
implementing section 352 providing that a financial institution 
regulated by a Federal functional regulator is deemed to satisfy the 
requirements of section 5318(h)(1) if it implements and maintains an 
anti-money laundering program that complies with the regulation of 
its Federal functional regulator, i.e., the requirement to implement 
a BSA compliance program. See 31 CFR 103.120(b); 67 FR 2113 (April 
29, 2002). However, Treasury temporarily deferred subjecting certain 
non-Federally regulated banks to the anti-money laundering program 
requirements in section 352. See 67 FR 67547 (November 6, 2002) 
(corrected 67 FR 68935 (November 14, 2002)).
---------------------------------------------------------------------------

    Under the final rule, ``bank'' includes all financial institutions 
covered by both of the proposals described above, except that ``bank'' 
does not include any foreign branch of an insured U.S. bank. Several 
commenters explained that the proposal to cover foreign branches might 
conflict with local laws applicable to branches of insured banks 
operating outside of the United States and might place U.S. 
institutions at a competitive disadvantage. Consistent with the 
approach taken with respect to final regulations implementing other 
sections of the Act,\11\ Treasury and the Agencies have determined that 
foreign branches of insured U.S. banks are not covered by the final 
rule. Nevertheless, Treasury and the Agencies encourage each bank to 
implement an effective CIP, as required by this final rule, throughout 
its organization, including in its foreign branches, except to the 
extent that the requirements of the rule would conflict with local law.
---------------------------------------------------------------------------

    \11\ See, e.g., 67 FR 60562, 60565 (Sept. 26, 2002) (FinCEN's 
regulation titled ``Anti-Money Laundering Requirements 
``Correspondent Accounts for Foreign Shell Banks: Recordkeeping and 
Termination of Correspondent Accounts for Foreign Banks' 
implementing sections 313 and 319(b) of the Act).
---------------------------------------------------------------------------

    As noted in the preamble for the proposal, the CIP must be a part 
of a bank's BSA compliance program. Therefore, it will apply throughout 
such a bank's U.S. operations (including subsidiaries) in the same way 
as the BSA compliance program requirement. However, all subsidiaries 
that are in compliance with a separately applicable, industry-specific 
rule implementing section 326 of the Act will be deemed to be in 
compliance with this final rule.
    Section 103.121(a)(3) Customer. The proposal defined ``customer'' 
to mean any person \12\ seeking to open a new account. In addition, the 
proposal defined a ``customer'' to include any signatory on an account. 
The preamble for the proposal explained that the term ``customer'' 
included a person that applied to open an account, but not someone 
seeking information about an account, such as rates charged or interest 
paid on an account, if the person did not apply to open an account. The 
preamble also stated that any person seeking to open an account at a 
bank, on or after the effective date of the final rule, would be a 
``customer,'' regardless of whether that person already had an account 
at the bank.
---------------------------------------------------------------------------

    \12\ The proposed rule defined ``person'' by reference to Sec.  
103.11(z). This definition includes individuals, corporations, 
partnerships, trusts, estates, joint stock companies, associations, 
syndicates, joint ventures, other unincorporated organizations or 
groups, certain Indian Tribes, and all entities cognizable as legal 
personalities. Treasury and the Agencies agree that it is not 
necessary to repeat this definition. Therefore, it is omitted from 
the final rule.
---------------------------------------------------------------------------

    This proposed definition prompted a large number of comments. 
First, nearly all commenters recommended that the Agencies clarify in 
the text of the final rule that ``customer'' does not include a person 
who does not receive banking services, such as a person whose deposit 
or loan application is denied. Some of these commenters suggested that 
the rule for banks define ``customer'' to mean ``a person who opens a 
new account,'' as did the proposed rules for broker-dealers, mutual 
funds, futures commission merchants and introducing brokers.

[[Page 25094]]

    Treasury and the Agencies agree with the view expressed by some 
commenters that the statute should be construed to ensure that banks 
design procedures to determine the identity of only those persons who 
open accounts. Accordingly, the final rule defines a ``customer'' as 
``a person that opens a new account.'' \13\ For example, in the case of 
a trust account, the ``customer'' would be the trust. For purposes of 
this rule, a bank will not be required to look through trust, escrow, 
or similar accounts to verify the identities of beneficiaries and 
instead will only be required to verify the identity of the named 
accountholder.\14\ In the case of brokered deposits, the ``customer'' 
will be the broker that opens the deposit account. A bank will not need 
to look through the deposit broker's account to determine the identity 
of each individual sub-account holder; it need only verify the identity 
of the named accountholder.
---------------------------------------------------------------------------

    \13\ Therefore, each person named on a joint account is a 
``customer'' under this final rule unless otherwise provided.
    \14\ However, based on a bank's risk assessment of a new account 
opened by a customer that is not an individual, a bank may need to 
take additional steps to verify the identity of the customer by 
seeking information about individuals with ownership or control over 
the account in order to identify the customer, as described in Sec.  
103.121(b)(2)(ii)(C), or may need to look through the account in 
connection with the customer due diligence procedures required under 
other provisions of its BSA compliance program.
---------------------------------------------------------------------------

    Many commenters requested that the final rule clarify whether 
``customer'' includes a minor child or an informal group with a common 
interest, such as a club account, where there is no legal entity. The 
final rule addresses these comments by providing that ``customer'' 
means ``an individual who opens a new account for (1) an individual who 
lacks legal capacity, such as a minor; or (2) an entity that is not a 
legal person, such as a civic club.''
    A few banks stated that defining ``customer'' to include a 
signatory was consistent with their current practice of verifying the 
identity of the named accountholder and any signatory on the account. 
However, most commenters strenuously objected to the inclusion of a 
signatory as a customer whose identity must be verified, and asserted 
that this proposed requirement would deviate significantly from their 
current business practices. These commenters stated that requiring 
banks to verify signatories on an account would be enormously 
burdensome to the financial institutions and signatories themselves--
many of whom simply work as employees for firms with corporate 
accounts--and would outweigh any benefit.\15\ One commenter asserted 
that inclusion of signatories as customers went beyond the scope of 
section 326 of the Act. Although some commenters advocated that any 
requirement regarding a signatory should be omitted altogether, these 
commenters generally advocated a risk-based approach that would give 
banks the discretion to determine when a signatory's identity should be 
verified.
---------------------------------------------------------------------------

    \15\ Commenters contended that banks and individuals would 
confront numerous practical problems. Some commenters noted, for 
example, that the identification and verification of signatories 
could be burdensome for banks because business accounts might have 
many signatories and those signatories would change over time. Some 
commenters explained that collecting detailed information about an 
employee who is a signatory would raise privacy concerns for those 
employees who would be required to disclose personal information to 
their employer's financial institutions. Other commenters stated 
that a signatory rarely is present at the time of account opening 
and, consequently, a bank would encounter substantial obstacles when 
attempting to verify the signatory's identity using any of the most 
common methods described in the proposal, including by examining 
documents or by obtaining a credit report. (Under the Fair Credit 
Reporting Act (FCRA), a consumer reporting agency generally may 
furnish a consumer report in connection with transactions involving 
the consumer and no other. See 15 U.S.C. 1681b. Thus, for example, a 
bank would be prohibited from obtaining a credit report to verify 
the identity of an authorized user of a customer's credit card.)
---------------------------------------------------------------------------

    Credit card banks, in particular, were critical of the signatory 
requirement because the proposed provision, as drafted, encompassed all 
authorized users of credit cards. These banks characterized the 
signatory requirement as unnecessary in the case of credit card 
companies, which, they explained, already use sophisticated fraud 
filters to detect fraud and abnormal use. These banks also noted that a 
person need not be a signatory to use another person's credit card, 
especially when purchasing products by telephone or over the Internet. 
Therefore, the signatory requirement would not necessarily ensure that 
banks would be able to verify the identity of those using a credit card 
account.
    After revisiting the issue of whether a signatory should be a 
``customer,'' Treasury and the Agencies have determined that requiring 
a bank to expend its limited resources on verifying the identity of all 
signatories on accounts could interfere with the bank's ability to 
focus on identifying customers and accounts that present a higher risk 
of not being properly identified. Accordingly, the proposed provision 
defining ``customer'' to include a signatory on an account is deleted. 
Instead, the final rule, at Sec.  103.121(b)(2)(ii)(C), requires a 
bank's CIP to address situations when the bank will take additional 
steps to verify the identity of a customer that is not an individual by 
seeking information about individuals with authority or control over 
the account, including signatories, in order to verify the customer's 
identity.
    In addition to defining who is a ``customer,'' the final rule 
contains a list of entities that will not be deemed ``customers.'' Many 
commenters questioned why a bank should be required to verify the 
identity of a government agency or instrumentality opening a new 
account, or of a publicly-traded company that is subject to SEC 
reporting requirements. Consistent with these and other comments urging 
that the final rule focus on requiring verification of the identity of 
customers that present a higher risk of not being properly identified, 
the final rule excludes from the definition of ``customer'' the 
following readily identifiable entities: a financial institution 
regulated by a Federal functional regulator; a bank regulated by a 
state bank regulator; and governmental agencies and instrumentalities, 
and companies that are publicly traded described in Sec.  
103.22(d)(2)(ii)-(iv).\16\ Section 103.22(d)(2)(iv) exempts such 
companies only to the extent of their domestic operations. Accordingly, 
a bank's CIP will apply to any foreign offices, affiliates, or 
subsidiaries of such entities that open new accounts.
---------------------------------------------------------------------------

    \16\ Treasury previously determined that banks should be 
exempted from having to file reports of transactions in currency in 
connection with these entities. See 31 CFR 103.22(d)(1).
---------------------------------------------------------------------------

    A great many commenters also objected to the requirement in Sec.  
103.121(b)(2)(ii) of the proposed rule that a bank verify the identity 
of an existing customer seeking to open a new account unless the bank 
previously verified the customer's identity in accordance with 
procedures consistent with the proposed rule and continues to have a 
reasonable belief that it knows the true identity of the customer. 
These commenters asserted that such a requirement would be burdensome 
for the bank and would upset existing customers. Some commenters 
recommended that the rule apply prospectively to new customers who 
previously had no account with the bank. Many commenters suggested that 
the final rule contain a risk-based approach where verification would 
not be required for an existing customer who opens a new account if the 
bank has a reasonable belief that it knows the identity of the 
customer, regardless of the procedures the bank followed to form this 
belief.

[[Page 25095]]

    Treasury and the Agencies acknowledge that the proposed rule might 
have had unintended consequences for bank-customer relationships and 
that the risk-based approach suggested by commenters would avoid these 
consequences. Accordingly, the final rule excludes from the definition 
of ``customer'' a person that has an existing account with the bank, 
provided that the bank has a reasonable belief that it knows the true 
identity of the person.\17\
---------------------------------------------------------------------------

    \17\ As a foreign branch of an insured U.S. bank is no longer a 
``bank'' for purposes of this rule, a customer of a bank's foreign 
branch will no longer be ``a person who has an existing account with 
the bank.'' Therefore, the bank must verify the identity of a 
customer of its foreign branch in accordance with its CIP if such a 
customer opens a new account in the U.S.
---------------------------------------------------------------------------

    Section 103.121(a)(4) Federal functional regulator. The proposed 
rule defined ``Federal functional regulator'' by reference to Sec.  
103.120(a)(2), meaning each of the Agencies, the SEC, and the CFTC. 
There were no comments on this definition, and Treasury and the 
Agencies have adopted it as proposed.
    Section 103.121(a)(5) Financial institution. The final rule 
includes a new definition for the term ``financial institution'' that 
cross-references the BSA, 31 U.S.C. 5312(a)(2) and (c)(1). This is a 
more expansive definition of ``financial institution'' than that in 31 
CFR 103.11, and includes entities such as futures commission merchants 
and introducing brokers.
    Section 103.121(a)(6) Taxpayer identification number. The proposed 
rule repeated the language from Sec.  103.34(a)(4), which states that 
the provisions of section 6109 of the Internal Revenue Code and the 
regulations of the Internal Revenue Service thereunder determine what 
constitutes ``a taxpayer identification number.'' There were no 
comments on this approach, and Treasury and the Agencies have adopted 
it substantially as proposed, with minor technical modifications.
    Section 103.121(a)(7) and (8) U.S. Person and non-U.S. person. The 
proposed rule provided that ``U.S. person'' is an individual who is a 
U.S. citizen, or an entity established or organized under the laws of a 
State or the United States. A ``non-U.S. person'' was defined as a 
person who did not satisfy either of these criteria.
    As described in greater detail below, a bank is generally required 
to obtain a U.S. taxpayer identification number from a customer who 
opens a new account. However, if the customer is a non-U.S. person and 
does not have such a number, the bank may obtain an identification 
number from some other form of government-issued document evidencing 
nationality or residence and bearing a photograph or similar safeguard.
    Several commenters suggested that it would be less confusing to 
bankers if ``U.S. person'' meant both a U.S. citizen and a resident 
alien, consistent with the definition of this term used in the Internal 
Revenue Code (IRS definition).\18\ A few commenters criticized the 
proposed definition because it would require banks to establish whether 
a customer is or is not a U.S. citizen.
---------------------------------------------------------------------------

    \18\ 26 U.S.C. 7701(a)(30)(A).
---------------------------------------------------------------------------

    Treasury and the Agencies believe that the proposed definition of 
``U.S. person'' is a better standard for purposes of this final rule 
than the IRS definition. Adoption of the IRS definition of ``U.S. 
person'' would require bank staff to distinguish among various tax and 
immigration categories in connection with any type of account that is 
opened. Under the proposed definition, a bank will not necessarily need 
to establish whether a potential customer is a U.S. citizen. The bank 
will have to ask each customer for a U.S. taxpayer identification 
number (social security number, employer identification number, or 
individual taxpayer identification number). If a customer cannot 
provide one, the bank may then accept alternative forms of 
identification. For these reasons, the definition is adopted as 
proposed.

Section 103.121(b) Customer Identification Program: Minimum 
Requirements

    Section 103.121(b)(1) General Rule. The proposed rule required each 
bank to implement a CIP that is appropriate given the bank's size, 
location, and type of business. The proposed rule required a bank's CIP 
to contain the statutorily prescribed procedures, described these 
procedures, and detailed certain minimum elements that each of the 
procedures must contain. In addition, the proposed rule required that 
the CIP be written and that it be approved by the bank's board of 
directors or a committee of the board.
    The proposed rule also stated that the CIP must be incorporated 
into the bank's BSA \19\ compliance program and should not be a 
separate program. A bank's BSA compliance program must be written, 
approved by the board, and noted in the bank's minutes. It must include 
(1) internal policies, procedures, and controls to ensure ongoing 
compliance; (2) designation of a compliance officer; (3) an ongoing 
employee training program; and (4) an independent audit function to 
test programs. The preamble for the proposal explained that the CIP 
should be incorporated into each of these four elements of a bank's BSA 
program.
---------------------------------------------------------------------------

    \19\ See footnote 10, supra.
---------------------------------------------------------------------------

    Most commenters agreed with the proposal's approach of allowing 
banks to develop risk-based programs tailored to their specific 
operation, though some of these commenters recommended that Treasury 
and the Agencies adopt an entirely risk-based approach without any 
minimum requirements while others recommended a more prescriptive 
approach. Many commenters suggested that Treasury and the Agencies 
clarify the extent to which a bank could rely on a third party, 
especially an affiliate, to perform some or all aspects of its CIP.
    Other commenters focused on the requirement that a bank's board of 
directors approve the CIP. These commenters urged Treasury and the 
Agencies to adopt a regulation that states that the role of a bank's 
board of directors need only be to approve broad policy rather than the 
specific methods or actual procedures that will be a part of a bank's 
CIP. One commenter recommended that the governing body of a financial 
institution be permitted to delegate its responsibility to approve the 
CIP.
    The final rule attempts to strike an appropriate balance between 
flexibility and detailed guidance by allowing a bank broad latitude to 
design and implement a CIP that is tailored to its particular business 
practices while providing a framework of minimum standards for 
identifying each customer, as the Act mandates. Following the 
description of the procedures and minimum requirements for each element 
of a bank's CIP (identity verification, recordkeeping, comparison with 
government lists, and customer notice), the final rule contains a new 
section describing the extent to which a bank may rely on a third party 
to perform these elements, described in detail below.
    The final rule removes the requirement that the bank's board of 
directors or a committee of the board must approve the bank's CIP 
because this requirement is redundant. A bank's BSA compliance program 
must already be approved by the board. Treasury and the Agencies regard 
the addition of a CIP to the bank's BSA compliance program to be a 
material change in the BSA compliance program that will require board 
approval. The board of director's responsibility to oversee bank 
compliance with section 326 of the Act

[[Page 25096]]

is a part of a board's conventional supervisory BSA compliance 
responsibilities that cannot be delegated to bank management. 
Therefore, a bank's board of directors must be responsible for 
approving a CIP described in detail sufficient for the board to 
determine that (1) the bank's CIP contains the minimum requirements of 
this final rule; and (2) the bank's identity verification procedures 
are designed to enable the bank to form a reasonable belief that it 
knows the true identity of the customer. Nevertheless, responsibility 
for the development, implementation, and day-to-day administration of 
the CIP may be delegated to bank management.
    The final rule will apply to some non-Federally regulated banks 
that are not yet subject to an anti-money laundering compliance program 
requirement.\20\ Therefore, the final rule only requires that the CIP 
be a part of a bank's anti-money laundering program once a bank becomes 
subject to an anti-money laundering compliance program requirement.\21\
---------------------------------------------------------------------------

    \20\ See footnote 10, supra.
    \21\ The final rule therefore provides that until such time as 
credit unions, private banks, and trust companies without a Federal 
functional regulator are subject to such a program, their CIPs must 
be approved by their boards of directors.
---------------------------------------------------------------------------

    Section 103.121(b)(2) Identity Verification Procedures. The 
proposed rule provided that each bank must have a CIP that includes 
procedures for verifying the identity of each customer, to the extent 
reasonable and practicable, based on the bank's assessment of certain 
risks. The proposed rule stated that these procedures must enable the 
bank to form a reasonable belief that it knows the true identity of the 
customer.
    Some commenters recommended that the identity verification 
requirement be waived for new customers that are well known to a senior 
officer of the bank. Some of these commenters endorsed such a waiver 
provided that a bank employee could provide ``an affidavit of 
identity'' on behalf of the customer.
    One commenter criticized the standard requiring a bank to have 
identity verification procedures ``that enable the bank to form a 
reasonable belief that it knows the true identity of the customer'' as 
too subjective. This commenter suggested that a better standard would 
be lack of affirmative notice of deficiency in the identity process. 
Another commenter suggested that the rule make clear that a bank is 
only required to verify a customer's identity, to the extent reasonable 
and practical, in order to establish that it has a reasonable basis for 
knowing the true identity of its customer.
    The final rule provides that a bank's CIP must include risk-based 
procedures for verifying the identity of each customer \22\ to the 
extent reasonable and practicable. The final rule also states that the 
procedures must enable the bank to form a reasonable belief that it 
knows the true identity of the customer. As section 326 of the Act 
states, a bank's affirmative obligation to verify the identity of its 
customer applies to ``any person'' rather than only to a person whose 
identity is suspect, as suggested by one commenter. Furthermore, 
Treasury and the Agencies have determined that the statutory obligation 
to ``verify the identity of any person'' requires the bank to implement 
and follow procedures that allow the bank to have a reasonable belief 
that it knows the true identity of the customer.
---------------------------------------------------------------------------

    \22\ Other elements of the bank's CIP, such as procedures for 
recordkeeping or checking of government lists, are requirements that 
may not vary depending on risk factors.
---------------------------------------------------------------------------

    Given the flexibility built into the final rule, Treasury and the 
Agencies believe that it is not appropriate to provide special 
treatment for new customers known to bank personnel. In addition, 
permitting reliance on bank personnel to attest to the identity of a 
customer may be subject to manipulation. Accordingly, the final rule 
does not establish different rules for customers who are known to bank 
personnel.
    The final rule requires the identity verification procedures to be 
based upon relevant risks, including those presented by the types of 
accounts maintained by the bank, the various methods of opening 
accounts provided by the bank, and the types of identifying information 
available. In addition to these risk factors, which are specifically 
identified in section 326, the final rule states that the procedures 
should take into account the bank's size, location, and type of 
business or customer base, additional factors mentioned in the Act's 
legislative history.\23\
---------------------------------------------------------------------------

    \23\ H.R. Rep. No. 107-250, pt. 1, at 62 and 63 (2001).
---------------------------------------------------------------------------

    Section 103.121(b)(2)(i) Customer Information Required. The 
proposed rule required that a bank's CIP must contain procedures that 
specify the identifying information the bank must obtain from a 
customer. It stated that, at a minimum, a bank must obtain from each 
customer the following information prior to opening an account: (1) 
Name; (2) address (a residential and mailing address for individuals, 
and principal place of business and mailing address for a person other 
than an individual); (3) date of birth for individuals; and (4) an 
identification number.
    Treasury and the Agencies received a variety of comments 
criticizing the requirement that a bank obtain certain minimum 
identifying information prior to opening an account. Some commenters, 
including a trade association representing large financial 
institutions, recommended that a bank be permitted to open an account 
for a customer who lacks some of the minimum identifying information, 
provided that the bank has formed a reasonable belief that it knows the 
true identity of the customer. Credit card banks explained that the 
minimum information requirement would create problems for retailers 
that offer credit cards at the point of sale. These commenters stated 
that retailers were not likely to have the means to record identifying 
information other than what is currently collected. They suggested that 
when there are systems in place to identify customers and detect 
suspicious transactions, the rule should require only the collection of 
information that the credit card bank or card issuer deems necessary 
and appropriate to identify the customer.
    Other commenters stated that the rule should not require a bank to 
obtain the minimum identifying information prior to account opening in 
every instance. Some of these commenters suggested that a bank be 
permitted to obtain the required information within a reasonable time 
after the account is opened. Some commenters suggested that the rule 
permit banks to obtain identifying information from a party other than 
the customer. This would arise, for example, when a bank offers a 
credit card based on information obtained from a credit reporting 
agency. Other commenters suggested that a bank also be required to 
obtain information about a customer's occupation, profession or 
business, as this information is needed by a bank that intends to file 
a report of transactions in currency or a suspicious activities report 
on the customer.
    Consistent with the proposal, the final rule provides that a bank's 
CIP must contain procedures that specify the identifying information 
that the bank must obtain from each customer prior to opening an 
account. In addition, the rule specifies the four basic categories of 
information that a bank must obtain from the customer prior to opening 
an account. Treasury and the Agencies believe that requiring banks to 
gather these standard forms of information prior to opening an account 
is not overly burdensome because such identifying information is 
routinely

[[Page 25097]]

gathered by most banks in the account opening process and is required 
by other sections of 31 CFR part 103. Of course, based upon an 
assessment of the risks described above, a bank may require a customer 
to provide additional information to establish the customer's identity.
    Treasury and the Agencies acknowledge that imposing this 
requirement on banks that offer credit card accounts is likely to alter 
the manner in which they do business by requiring them to gather 
additional information beyond that which they currently obtain directly 
from a customer who opens an account at the point of sale or by 
telephone. Treasury and the Agencies are mindful of the legislative 
history of section 326, which indicates that Congress expected the 
regulations implementing this section to be appropriately tailored for 
accounts opened in situations where the account holder is not 
physically present at the financial institution and that the 
regulations should not impose requirements that are burdensome, 
prohibitively expensive, or impractical.\24\
---------------------------------------------------------------------------

    \24\ H.R. Rep. No. 107-250, pt. 1, at 63 (2001).
---------------------------------------------------------------------------

    Therefore, Treasury and the Agencies have included an exception in 
the final rule for credit card accounts only, which would allow a bank 
broader latitude to obtain some information from the customer opening a 
credit card account, and the remaining information from a third party 
source, such as a credit reporting agency, prior to extending credit to 
a customer. Treasury and the Agencies recognize that these practices 
have produced an efficient and effective means of extending credit with 
little risk that the lender does not know the identity of the borrower.
    Treasury and the Agencies also received comments on the 
advisability of requiring banks to collect the specific identifying 
information (name, date of birth, address, and identification number), 
as would have been required under the proposed rule. With respect to 
obtaining the customer's name, one commenter recommended that based on 
Texas law and banks' experience, a bank should be required to obtain 
the name under which the customer is doing business and the customer's 
legal name. The final rule continues to require that the bank obtain 
the customer's name, meaning a legal name that can be verified. As 
noted above, this is a minimum requirement, and a bank may also need to 
obtain the name under which a person does business in order to 
establish a reasonable belief it knows the true identity of the 
customer.
    One trade association suggested that banks be permitted to make a 
risk-based determination before requiring a customer to provide date of 
birth because many customers would prefer not to share this 
information. One commenter stated that date of birth is not an 
important identifying characteristic and should be deleted. Another 
commenter stated that credit card issuers do not request this 
information because it can raise fair lending issues. Finally, a few 
commenters noted that standardized mortgage applications require age 
rather than date of birth and would have to be altered.
    The final rule provides that a bank must obtain the date of birth 
for a customer who is an individual. Treasury and the Agencies believe 
that date of birth is an important identifying characteristic and can 
be used to provide a bank or law enforcement with an additional means 
to distinguish between customers with identical names. However, the 
required collection and retention of information about a customer's 
date of birth does not relieve the bank from its obligations to comply 
with anti-discrimination laws or regulations, such as the prohibition 
in the Equal Credit Opportunity Act against discrimination in any 
aspect of a credit transaction on the basis of age or other prohibited 
classification. Banks collecting date of birth from individual 
customers should be able to take reasonable measures to convert this 
information into age for purposes of the forms used in the secondary 
mortgage market given the delayed compliance date for the final rule.
    Many commenters criticized the requirement that a bank obtain both 
the customer's physical and mailing address, if different. Most 
commenters urged Treasury and the Agencies to eliminate the requirement 
that the customer provide a physical address. Some of these commenters 
stated that this requirement could interfere with the ability of 
certain segments of the population to obtain a bank account, such as 
members of the military, persons who reside in mobile homes with no 
fixed address, and truck drivers who do not have a physical address. 
Banks that offer credit card accounts and card issuers stated that the 
address requirement would be extremely burdensome because they would 
have to change the manner in which they do business, and in some cases, 
credit card banks currently do not have the capacity to collect both 
addresses. Some of these commenters stated that new credit card 
customers are reluctant to give more than one address and, therefore, 
it would be difficult to obtain this information from customers. A 
trade association representing credit card banks asserted that 
customers may have a legitimate reason for handling correspondence 
through post office boxes and should not have to provide a physical 
address. This commenter asserted that requiring the customer to provide 
a physical address will discourage the provision of financial services 
to the unbanked and will prevent a victim of identity theft from using 
an alternative to an unsecured home mailbox. Another commenter noted 
that the physical address of a customer's principal place of business 
may not be relevant if the bank is working with a customer's local 
office. This commenter recommended that the rule simply permit the bank 
to obtain the customer's street address. Credit card banks and issuers 
urged Treasury and the Agencies to make the requirement that a bank 
obtain the customer's physical address optional.
    Section 326 of the Act requires Treasury and the Agencies to 
prescribe regulations that require financial institutions to implement 
``reasonable procedures.'' Accordingly, under the final rule, a bank 
will not be required to obtain more than a single address for a 
customer. Nonetheless, Treasury and the Agencies believe that the 
identification, verification, and recordkeeping provisions of the Act, 
taken together, should provide appropriate resources for law 
enforcement agencies to investigate money laundering and terrorist 
financing. The final rule therefore provides that a bank generally must 
obtain a residential or business street address for a customer who is 
an individual because Treasury and the Agencies have determined that 
law enforcement agencies should be able to contact an individual 
customer at a physical location, rather than solely through a mailing 
address. Treasury and the Agencies recognize that this provision may be 
impracticable for members of the military who cannot readily provide a 
physical address, and other individuals who do not have a physical 
address but who reliably can be contacted. Accordingly, the final rule 
provides an exception under these circumstances that allows a bank to 
obtain an Army Post Office or Fleet Post Office box number, or the 
residential or business street address of next of kin or of another 
contact individual. For a customer other than an individual, such as a 
corporation, partnership, or trust, the bank may obtain the address of 
the principal place of business, local office,

[[Page 25098]]

or other physical location of the customer. Of course, a bank is free 
to obtain additional addresses from the customer, such as the 
customer's mailing address, to meet its own or its customer's business 
needs.
    The proposal required that banks obtain an identification number 
from customers. For U.S. persons, a bank would have been required to 
obtain a U.S. taxpayer identification number. For non-U.S. persons, a 
bank would have been required to obtain a number from various 
alternative forms of government-issued identification.
    One commenter stated that this requirement would not be burdensome. 
Commenters representing certain consumer advocacy groups commended 
Treasury and the Agencies for providing banks with the discretion to 
accept alternative forms of identifying information from non-U.S. 
citizens. These commenters stated that this position would assist low-
income immigrants in gaining financial stability. By contrast, some 
commenters stated that the final rule should not permit a bank to open 
an account for a customer using only a foreign identification number 
when the customer provides a U.S. address. Other commenters asked for 
guidance on whether a bank is permitted to accept a number from the 
identification document issued by a foreign government. A few 
commenters urged the government to require a national identification 
document for all individuals.
    Other commenters, primarily credit card banks, stated that the 
requirement that a bank obtain a U.S. taxpayer identification number 
from U.S. persons would create considerable hardship. They stated that 
new credit card customers are reluctant to give out their social 
security numbers, especially over the telephone. They urged that banks 
be given the discretion to collect identifying information, other than 
social security numbers, when appropriate in light of consumer privacy 
and security concerns. In the alternative, they recommended that banks 
be permitted to obtain a U.S. taxpayer identification number for U.S. 
persons from a trusted third party source, such as a credit reporting 
agency.
    Some commenters questioned what number to use for accounts opened 
in the name of a bowling league or class reunion, or to accept 
donations for a special cause. Other commenters questioned what number 
could be obtained from foreign businesses and enterprises that have no 
taxpayer identification number or other government-issued 
documentation.
    The final rule provides that a bank must obtain an ``identification 
number'' from every customer. As discussed above, under the definition 
of ``customer,'' the final rule permits a bank to obtain the 
identification number of the individual who opens an account in the 
name of an individual who lacks legal capacity, such as a minor, or a 
civic group, such as a bowling league.
    After reviewing the comments, Treasury and the Agencies have 
determined that requiring a bank to obtain a customer's identification 
number, such as a social security number, from the customer himself or 
herself, in every case, including over the telephone, would be 
unreasonable and impracticable because it would be contrary to banks' 
current practices and could alienate many potential customers. 
Accordingly, Treasury and the Agencies have adopted an exception for 
credit card accounts that will permit a bank offering such accounts to 
acquire information about the customer, including an identification 
number, from a trusted third party source prior to extending credit to 
the customer, rather than having to obtain this information directly 
from the customer prior to opening an account.
    The final rule also provides that for a non-U.S. person, a bank 
must obtain one or more of the following: A taxpayer identification 
number (social security number, individual taxpayer identification 
number, or employer identification number); passport number and country 
of issuance; alien identification card number; or number and country of 
issuance of any other government-issued document evidencing nationality 
or residence and bearing a photograph or similar safeguard. This 
standard provides a bank with some flexibility to choose among a 
variety of identification numbers that it may accept from a non-U.S. 
person.\25\ However, the identifying information the bank accepts must 
permit the bank to establish a reasonable belief that it knows the true 
identity of the customer.
---------------------------------------------------------------------------

    \25\ The rule provides this flexibility because there is no 
uniform identification number that non-U.S. persons would be able to 
provide to a bank. See Treasury Department, ``A Report to Congress 
in Accordance with Section 326(b) of the USA PATRIOT Act,'' October 
21, 2002.
---------------------------------------------------------------------------

    Treasury and the Agencies emphasize that the final rule neither 
endorses nor prohibits bank acceptance of information from particular 
types of identification documents issued by foreign governments. A bank 
must decide for itself, based upon appropriate risk factors, including 
those discussed above (the types of accounts maintained by the bank, 
the various methods of opening accounts provided by the bank, the other 
types of identifying information available, and the bank's size, 
location, and customer base), whether the information presented by a 
customer is reliable.
    Treasury and the Agencies recognize that a foreign business or 
enterprise may not have a taxpayer identification number or any other 
number from a government-issued document evidencing nationality or 
residence and bearing a photograph or similar safeguard. Therefore, the 
final rule notes that when opening an account for such a customer, the 
bank must request alternative government-issued documentation 
certifying the existence of the business or enterprise.
    The proposal also contained a limited exception to the requirement 
that a bank obtain a taxpayer identification number from a customer 
opening a new account. The exception permitted a bank to open an 
account for a person other than an individual (such as a corporation, 
partnership, or trust) that has applied for, but has not received, an 
employer identification number (EIN), provided that the bank obtains a 
copy of the application before it opens the account and obtains the EIN 
within a reasonable period of time after the account is established. 
The preamble for the proposed rule explained that this exception was 
included for a new business that might need access to banking services, 
particularly a bank account or an extension of credit, before it has 
received an EIN from the Internal Revenue Service.
    Some commenters questioned this limited exception for certain 
businesses. A few commenters suggested expanding the exception to 
include individuals who have applied for, but have not yet received a 
taxpayer identification number. Another commenter stated that the 
exception provided no added benefit and would add to a bank's 
recordkeeping and monitoring burden.
    Treasury and the Agencies have determined that a bank should be 
afforded more flexibility in situations where a person, including an 
individual, has applied for, but has not yet received, a taxpayer 
identification number. Therefore, the final rule states that instead of 
obtaining a taxpayer identification number from a customer prior to 
opening an account, the CIP may include procedures for opening an 
account for a customer (including an individual) that has applied for, 
but has not received, a taxpayer identification

[[Page 25099]]

number.\26\ To lessen the recordkeeping burden for a bank that elects 
to use this exception, the final rule also provides that the bank's CIP 
need only include procedures requiring the bank to confirm that the 
application was filed before the customer opens the account and to 
obtain the taxpayer identification number within a reasonable period of 
time after the account is opened. Thus, a bank will be able to exercise 
its discretion \27\ to determine how to confirm that a customer has 
filed an application for a taxpayer identification number rather than 
having to keep a copy of the application on file.
---------------------------------------------------------------------------

    \26\ This position is analogous to that in regulations issued by 
the Internal Revenue Service (IRS) concerning ``awaiting-TIN 
[taxpayer identification number] certificates.'' The IRS permits a 
taxpayer to furnish an ``awaiting-TIN certificate'' in lieu of a 
taxpayer identification number to exempt the taxpayer from the 
withholding of taxes owed on reportable payments (i.e., interest and 
dividends) on certain accounts. See 26 CFR 31.3406(g)-3.
    \27\ For example, the bank may wish to examine a copy of the 
application filed.
---------------------------------------------------------------------------

    Section 103.121(b)(2)(ii) Customer Verification. The proposed rule 
provided that the CIP must contain risk-based procedures for verifying 
the information that the bank obtains in accordance with Sec.  
103.121(b)(2)(i), within a reasonable period of time after the account 
is opened.\28\ The proposed rule also described when a bank is required 
to verify the identity of existing customers.
---------------------------------------------------------------------------

    \28\ The preamble for the proposed rule noted that, although an 
account may be opened, it is common practice among banks to place 
limits on the account, such as by restricting the number of 
transactions or the dollar value of transactions, until a customer's 
identity is verified. Therefore, the proposed regulation provided 
the bank with the flexibility to use a risk-based approach to 
determine how soon identity must be verified.
---------------------------------------------------------------------------

    Several commenters asked Treasury and the Agencies to underscore 
that these verification procedures may be risk-based by noting that a 
bank may verify less than all of the identifying information provided 
by the customer. Many commenters noted that there is currently no 
reliable, efficient, or effective means of verifying a customer's 
social security number. Some of these commenters asked the government 
to establish a method that would permit banks to establish the 
authenticity and accuracy of a customer's name and taxpayer 
identification number.
    Treasury and the Agencies recognize that there currently is no 
method that would permit a bank to verify, for example, a taxpayer 
identification, passport or alien identification number through an 
official source. Accordingly, the final rule provides that a bank's CIP 
must contain procedures for verifying the identity of the customer, 
``using the information obtained in accordance with paragraph 
(b)(2)(i),'' namely, the identifying information obtained by the bank. 
Thus, a bank need not establish the accuracy of every element of 
identifying information obtained but must do so for enough information 
to form a reasonable belief it knows the true identity of the customer.
    Some commenters stated that they appreciated the flexibility of the 
proposal permitting an institution to determine how soon identity must 
be verified. Other commenters asked Treasury and the Agencies to 
clarify what is a ``reasonable period of time.'' As stated in the 
preamble for the proposal, Treasury and the Agencies believe that the 
amount of time it will take an institution to verify a customer's 
identity may depend upon various factors, such as the type of account 
opened, whether the customer is physically present when the account is 
opened, and the type of identifying information available. For the same 
reasons, the final rule provides banks with the flexibility necessary 
to accommodate a wide range of situations by stating that the bank must 
verify the identifying information within a reasonable time after the 
account is opened.\29\
---------------------------------------------------------------------------

    \29\ It is possible that a bank would, however, violate other 
laws by permitting a customer to transact business prior to 
verifying the customer's identity. See, e.g., 31 CFR part 500 
(regulations of Treasury's Office of Foreign Asset Control (OFAC) 
prohibiting transactions involving designated foreign countries or 
their nationals).
---------------------------------------------------------------------------

    As discussed above in the definition section, many commenters 
criticized the proposed approach regarding verification of existing 
customers that open new accounts. The final rule addresses these 
concerns by modifying the definition of ``customer'' to exclude a 
person who has an existing account with the bank if the bank has a 
reasonable belief that it knows the true identity of the person.
    Many commenters urged that the final rule continue to allow, but 
not mandate, documentary verification. A few commenters requested that 
the final rule provide additional guidance on verification. Some 
commenters asked that the final rule clarify that a bank may choose to 
use only documentary methods and may refuse to open an account using 
other methods.
    The final rule addresses these comments by stating that a bank's 
CIP's verification procedures must describe when the bank will use 
documents, non-documentary methods, or a combination of both methods to 
verify a customer's identity.
    Section 103.121(b)(2)(ii)(A) Verification Through Documents. The 
proposed rule provided that the CIP must contain procedures describing 
when the bank will verify identity through documents and setting forth 
the documents that the bank will use for this purpose. It then gave 
examples of documents that could be used to verify the identity of 
individuals and other persons such as corporations, partnerships, and 
trusts.
    Most commenters noted that banks do not have the means to 
authenticate or validate documents provided by their customers and 
urged Treasury and the Agencies to clarify that document authentication 
is not a CIP requirement. Treasury and the Agencies wish to confirm 
that once a bank has obtained and verified the identity of the customer 
through a document such as a driver's license or passport, the bank 
will not be required to take steps to determine whether the document 
has been validly issued. A bank generally may rely on government-issued 
identification as verification of a customer's identity; however, if a 
document shows obvious indications of fraud, the bank must consider 
that factor in determining whether it can form a reasonable belief that 
it knows the customer's true identity.
    Some commenters also asked that Treasury and the Agencies provide 
more examples and discuss appropriate types of documentary 
identification in the final rule or in separate guidance that banks may 
easily access. Commenters asked whether a utility bill, or library card 
addressed to the same physical address and name of the person seeking 
the account, or a foreign identification card, such as a foreign voter 
registration card or driver's license, would be acceptable. Some 
commenters questioned whether copies of documents would suffice.
    Given the recent increases in identity theft and the availability 
of fraudulent documents, Treasury and the Agencies agree with a 
commenter who suggested that the value of documentary verification is 
enhanced by redundancy. The rule gives examples of types of documents 
that are considered reliable. However, a bank is encouraged to obtain 
more than one type of documentary verification to ensure that it has a 
reasonable belief that it knows the customer's true identity. Moreover, 
banks are encouraged to use a variety of methods to verify the identity 
of a customer, especially when the bank does not have the ability to 
examine original documents.
    The final rule attempts to strike the appropriate balance between 
the

[[Page 25100]]

benefits of requiring additional documentary verification and the 
burdens that may arise from such a requirement by providing that a 
bank's CIP must state the documents that a bank will use. This will 
require each bank to conduct its own risk-based analysis of the types 
of documents it believes will enable it to know the true identity of 
its customers.
    The final rule continues to provide an illustrative list of 
identification documents. For an individual, these may include an 
unexpired government-issued identification evidencing nationality or 
residence and bearing a photograph or similar safeguard, such as a 
driver's license or passport. For a person other than an individual, 
these may include documents showing the existence of the entity, such 
as certified articles of incorporation, a government-issued business 
license, a partnership agreement, or a trust instrument.
    Some commenters questioned whether the examples of identification 
documents given for persons other than individuals would be reliable. 
One commenter questioned whether trust documents alone would be 
sufficient verification of identity. Another commenter suggested 
allowing banks to rely on a certification by the trustee, or an 
appropriate legal opinion, rather than the trust instrument to verify 
the existence of a trust. Someone else suggested that banks should be 
allowed to rely on documentation consisting of evidence that a business 
is either publicly traded or is authorized to do business in a state or 
the United States.
    The examples provided in the final rule were intended only to 
illustrate the documents a bank might use to verify the identity of a 
customer that is a corporation, partnership, or trust. A bank may use 
other documents, provided that they allow the bank to establish that it 
has a reasonable belief that it knows the true identity of its 
customer. Accordingly, the final rule makes no significant changes to 
the examples.
    Section 103.121(b)(2)(ii)(B) Non-Documentary Verification. 
Recognizing that some accounts are opened by telephone, by mail, and 
over the Internet, the proposed rule provided that a bank's CIP also 
must contain procedures describing what non-documentary methods the 
bank will use to verify identity and when the bank will use these 
methods (whether in addition to, or instead of, relying on documents). 
The preamble for the proposed rule also noted that even if the customer 
presents identification documents, it may be appropriate to use non-
documentary methods as well.
    The proposed rule gave examples of non-documentary verification 
methods that a bank may use, including contacting a customer after the 
account is opened; obtaining a financial statement; comparing the 
identifying information provided by the customer against fraud and bad 
check databases to determine whether any of the information is 
associated with known incidents of fraudulent behavior (negative 
verification); comparing the identifying information with information 
available from a trusted third party source, such as a credit report 
from a consumer reporting agency (positive verification); and checking 
references with other financial institutions. The preamble for the 
proposed rule stated that a bank also may wish to analyze whether there 
is logical consistency between the identifying information provided, 
such as the customer's name, street address, ZIP code, telephone 
number, date of birth, and social security number (logical 
verification).
    The proposal required that the procedures address situations where 
an individual, such as an elderly person, legitimately is unable to 
present an unexpired government-issued identification document that 
bears a photograph or similar safeguard; the bank is not familiar with 
the documents presented; the account is opened without obtaining 
documents; the account is not opened in a face-to-face transaction, for 
example over the phone, by mail, or through the Internet; and the type 
of account increases the risk that the bank will not be able to verify 
the true identity of the customer through documents.
    Several commenters asked for additional guidance regarding when 
non-documentary verification methods should be used in addition to 
documentary verification methods and the circumstances in which only 
one or all of the non-documentary verification methods listed are 
necessary. Commenters also asked for guidance on audit methodology, and 
an explanation of the due diligence required for verification of 
accounts opened by telephone, mail, and through the Internet. A few 
commenters suggested that reference to verification, where a bank 
compares information provided by the customer with information from 
trusted third party sources, be expressly mentioned in the final rule.
    As the large number of comments on this section illustrates, a rule 
that attempted to address every scenario and combination of risk-
factors that a bank might confront would be extremely complex and 
invariably would fail to address many situations. Rather than adopt a 
lengthy and potentially unwieldy rule that still would not address 
every situation, Treasury and the Agencies have concluded that it would 
be more effective to adopt general principles that are fleshed out 
through examples. Therefore, the final rule states that for a bank 
relying on non-documentary verification methods, the CIP must contain 
procedures that describe the non-documentary methods the bank will use.
    The final rule generally retains the illustrative list of non-
documentary methods contained in the proposal. Treasury and the 
Agencies have clarified that one method is ``independently verifying 
the customer's identity through the comparison of information provided 
by the customer with information obtained from a consumer reporting 
agency, public database, or other source,'' rather than verifying 
``documentary information'' through such sources.
    The final rule also retains the variety of situations that the 
procedures must address that were identified in the proposal, with the 
following two changes. First, because ``transaction'' is a defined term 
in 31 CFR part 103, instead of using the term ``face-to-face 
transaction,'' the final rule states that the procedures must address 
the situation where a customer opens an account without appearing in 
person at the bank. Second, the final clause of this provision provides 
that the CIP must include procedures to address situations where the 
bank is otherwise presented with circumstances that increase the risk 
that the bank will be unable to verify the true identity of a customer 
through documents. This clause acknowledges that there may be 
circumstances beyond those specifically described in this provision 
when a bank should use non-documentary verification procedures.
    As stated in the preamble for the proposed rule, because 
identification documents may be obtained illegally and may be 
fraudulent, and in light of the recent increase in identity theft, 
Treasury and the Agencies encourage banks to use non-documentary 
methods even when the customer has provided identification documents.
    Section 103.121(b)(2)(ii)(C) Additional Verification for Certain 
Customers. As described above, the proposed rule required the 
identification and verification of each signatory for an account. Most 
commenters objected to this requirement as overly burdensome, and, upon 
consideration of the points raised by the commenters, Treasury and the 
Agencies agree that it is appropriate

[[Page 25101]]

to delete it. For the reasons discussed below, however, the rule does 
require that a bank's CIP address the circumstances in which it will 
obtain information about such individuals in order to verify the 
customer's identity. Treasury and the Agencies believe that while the 
majority of customers may be verified adequately through the 
documentary or non-documentary verification methods described in 
paragraphs (b)(2)(ii)(A) and (B), there may be instances where this is 
not possible. The risk that the bank will not know the customer's true 
identity may be heightened for certain types of accounts, such as an 
account opened in the name of a corporation, partnership, or trust that 
is created or conducts substantial business in a jurisdiction that has 
been designated by the United States as a primary money laundering 
concern or has been designated as non-cooperative by an international 
body.
    Obtaining sufficient information to verify a customer's identity 
can reduce the risk that a bank will be used as a conduit for money 
laundering and terrorist financing. Treasury and the Agencies believe 
that a bank must identify customers that pose a heightened risk of not 
being properly identified, and a bank's CIP must prescribe additional 
measures that may be used to obtain information about the identity of 
the individuals associated with the entity in whose name such an 
account is opened when standard documentary and non-documentary methods 
prove to be insufficient.
    For these reasons, the requirement to verify the identity of 
signatories has been replaced by a new provision in the final rule that 
requires that a bank's CIP address situations where, based on the 
bank's risk assessment of a new account opened by a customer that is 
not an individual, the bank also will obtain information about 
individuals with authority or control over such account, including 
signatories, in order to verify the customer's identity. This 
additional verification method will only apply when the bank cannot 
adequately verify the customer's identity using the documentary and 
non-documentary verification methods described in (b)(2)(ii)(A) and 
(B). Moreover, a bank need not undertake any additional verification if 
it chooses not to open an account when it cannot verify the customer's 
identity using standard documentary and non-documentary verification 
methods.
    Section 103.121(b)(2)(iii) Lack of Verification. The proposed rule 
stated that a bank's CIP must include procedures for responding to 
circumstances in which the bank cannot form a reasonable belief that it 
knows the true identity of a customer. The preamble for the proposed 
rule listed what these procedures should include. In addition, the 
proposal stated that a bank should only maintain an account for a 
customer when it can form a reasonable belief that it knows the 
customer's true identity.\30\
---------------------------------------------------------------------------

    \30\ The preamble also explained that there are some exceptions 
to this basic rule. For example, a bank may maintain an account at 
the direction of a law enforcement or intelligence agency, even 
though the bank does not know the true identity of the customer.
---------------------------------------------------------------------------

    The final rule retains the general requirement that a bank's CIP 
include procedures for responding to circumstances in which the bank 
cannot form a reasonable belief that it knows the true identity of the 
customer. However, the rule text itself now states that the procedures 
should describe the following: when a bank should not open an account 
for a potential customer; the terms under which a customer may use an 
account while the bank attempts to verify the customer's identity; when 
the bank should close an account after attempts to verify a customer's 
identity have failed; and when the bank should file a Suspicious 
Activity Report in accordance with applicable law and regulation.
    One commenter stated that requiring a bank to close an account if 
it cannot verify a customer's identity would conflict with state laws 
and would subject the bank to legal liability. The commenter urged that 
if this provision is retained, the final rule also should shield banks 
from state regulatory and borrower liability in these circumstances. 
Other commenters asked that Treasury and the Agencies clarify that 
further investigation that results in failure to open an account will 
not trigger adverse action requirements under the FCRA, 15 U.S.C. 1681 
et seq. or the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691 et 
seq.
    The final rule does not specifically require a bank to close the 
account of a customer whose identity the bank cannot verify, but 
instead leaves this determination to the discretion of the bank. 
Treasury and the Agencies have determined that there is no statutory 
basis to create a safe harbor that would shield banks from state 
regulatory or borrower liability if a bank should choose to close a 
customer's account. Any such closure should be consistent with the 
bank's existing procedures for closing accounts in accordance with its 
risk management practices. Treasury and the Agencies also note that a 
bank must comply with other applicable laws and regulations, such as 
the adverse action provisions under ECOA and the FCRA, when determining 
not to open an account because it cannot establish a reasonable belief 
that it knows the true identity of the customer.\31\
---------------------------------------------------------------------------

    \31\ See 12 CFR 202.9(b) (Federal Reserve Regulation B that 
prescribes the form of ECOA notice and statement of specific 
reasons); 15 U.S.C. 1681m (FCRA provision that provides for duties 
of users taking adverse actions on the basis of information 
contained in consumer reports from other third parties or 
affiliates).
---------------------------------------------------------------------------

Section 103.121(b)(3) Recordkeeping

    Section 103.121(b)(3)(i) Required Records. The proposed rule set 
forth recordkeeping procedures that must be included in a bank's CIP. 
Under the proposal, a bank would have been required to maintain a 
record of the identifying information provided by the customer. Where a 
bank relies upon a document to verify identity, the proposal would have 
required the bank to maintain a copy of the document that the bank 
relied on that clearly evidences the type of document and any 
identifying information it may contain. The bank also would have been 
required to record the methods and result of any additional measures 
undertaken to verify the identity of the customer. Last, the bank would 
have been required to record the resolution of any discrepancy in the 
identifying information obtained.
    This section of the proposed rule prompted the most comment. Though 
one commenter felt that the recordkeeping requirements in the proposed 
rule were weak, almost all other commenters identified the proposed 
documentation and record retention requirements as overly burdensome. 
Commenters urged Treasury and the Agencies to permit a bank to record 
the information from the documents obtained rather than requiring banks 
to maintain copies of these documents for the life of the account. 
Commenters generally argued that it would be difficult and very 
burdensome to store and retrieve copies of documents used to verify the 
identity of the customer. In addition, some commenters noted that many 
kinds of identification documents, particularly some new driver's 
licenses, have security features that prevent them from being copied 
legibly. Other commenters stated that copies of documents would be 
difficult to safeguard and could facilitate identity theft.
    Commenters stated that requiring banks to keep copies of documents 
would substantially deviate from current banking practice and would 
violate certain states' laws. Banks offering credit card accounts 
through retailers, who require the customer to

[[Page 25102]]

provide identifying documents at the point of sale, strenuously opposed 
this requirement if it were interpreted to cover documents presented to 
the merchant. These commenters stated that copy machines are not 
usually available at the point of sale, and that the rule as proposed 
would require merchants to purchase large numbers of additional copy 
machines. The commenters also anticipated that consumers would be 
greatly inconvenienced by this requirement and might have to endure 
lengthy waits during any busy shopping season. These commenters 
questioned whether the risks of money-laundering and the financing of 
terrorism through retail store credit cards, which generally have 
relatively low credit limits, restrictions on pre-payment, and other 
features to detect fraud, warrant the imposition of these additional 
costs.
    Other commenters stated that requiring banks to keep copies of 
documents that have pictures, such as driver's licenses, could expose 
the bank to allegations of unlawful discrimination, even if the 
retention of this information were not prohibited under ECOA. Some 
banks objected to this requirement on the grounds that it directly 
conflicted with the position that the Agencies have traditionally taken 
on this issue, including the criticism of banks that have retained such 
information in their files when extending credit.
    Other commenters asked that a bank be permitted to record the 
processes and procedures generally used for verification rather than 
being required to keep records of the methods used and the resolution 
for each and every account, especially where the bank uses standardized 
procedures for all customers and could demonstrate that these 
procedures were applied. Some commenters suggested that the final rule 
permit banks to use a risk-based approach for recordkeeping.
    In light of the comments received, Treasury and the Agencies have 
reconsidered and modified the recordkeeping requirements of the 
proposed rule. The final rule provides that a bank's CIP must include 
procedures for making and maintaining a record of all information 
obtained under the procedures implementing the requirement that a bank 
develop and implement a CIP. However, the final rule affords banks 
significantly more flexibility than did the recordkeeping provisions 
contained in the proposal. Under the final rule, a bank's records are 
to include ``a description,'' rather than a copy, of any document upon 
which the bank relied in order to verify the identity of the customer, 
noting the type of document, any identification number contained in the 
document, the place of issuance, and, if any, the date of issuance and 
expiration date. The final rule also clarifies that the record must 
include ``a description'' of the methods and results of any measures 
undertaken to verify the identity of the customer, and of the 
resolution of any ``substantive'' discrepancy discovered when verifying 
the identifying information obtained, rather than any documents 
generated in connection with these measures.
    As Treasury and the Agencies indicated in the preamble for the 
proposal, nothing in the rule modifies, limits, or supersedes section 
101 of the Electronic Signatures in Global and National Commerce Act, 
Pub. L. 106-229, 114 Stat. 464 (15 U.S.C. 7001) (E-Sign Act). Thus, a 
bank may use electronic records to satisfy the requirements of this 
final rule, as long as the records are accurate and remain accessible 
in accordance with 31 CFR 103.38(d).

Section 103.121(b)(3)(ii) Retention of Records

    The proposal required a bank to retain all of the records specified 
in the recordkeeping provision for five years after the date the 
account is closed.
    This requirement prompted strenuous objections. Assuming that 
copies of the documents used to verify the identity of the customer 
would have to be retained, commenters asserted that retaining records 
until five years after the account is closed would be very burdensome. 
Some commenters noted that imaging is not a routine practice for 
community banks and could be costly. Banks offering credit card 
accounts stated that the record retention requirement would require a 
change in forms, processes, and systems, while also increasing storage 
costs. As credit cards do not have a specific term, commenters noted 
that banks would be required to keep these records forever, unless they 
are culled manually. Some commenters suggested that the retention 
period be shortened, with suggestions ranging from one to three years 
after the account is closed, while other commenters suggested that the 
period be shortened to five years from when the account is opened. Many 
commenters stated that two years from when the information is obtained 
would be consistent with other regulatory requirements, such as the 
record retention requirements for an application for an extension of 
credit subject to ECOA (12 CFR 202.12(b)).
    By eliminating the requirement that a bank retain copies of the 
documents used to verify the identity of the customer, Treasury and the 
Agencies believe that the final rule largely addresses the main concern 
of these commenters. However, Treasury and the Agencies also have 
determined that, while the identifying information provided by the 
customer should be retained, there is little value in requiring banks 
to retain the remaining records for five years after an account is 
closed because this information is likely to have become stale. 
Therefore, the final rule now prescribes a bifurcated record retention 
schedule that is consistent with the general five-year retention 
requirement in 31 CFR 103.38. First, the bank must retain the 
information referenced in paragraph (b)(3)(i)(A) (that is, information 
obtained about a customer), for five years after the date the account 
is closed or, in the case of credit card accounts, five years after the 
account is closed or becomes dormant. Second, the bank need only retain 
the records that it must make and maintain under the remaining parts of 
the recordkeeping provision, paragraphs (b)(3)(i)(B), (C), and (D) 
(that is, information that verifies a customer's identity) for five 
years after the record is made.
    Section 103.121(b)(4) Comparison with Government Lists. The 
proposed rule required a bank to have procedures for determining 
whether the customer appears on any list of known or suspected 
terrorists or terrorist organizations provided to the bank by any 
Federal government agency. In addition, the proposal stated that the 
procedures must ensure that the bank follows all Federal directives 
issued in connection with such lists.
    Most commenters were concerned about how a bank would be able to 
determine what lists should be checked for purposes of this provision 
and how these lists would be made available. Some commenters asked that 
the final rule confirm that a bank will not have an affirmative duty to 
seek out all lists compiled by the Federal government and would only be 
required to check lists provided to it by the Federal government. Some 
commenters noted that lists published by OFAC are published but are not 
provided to financial institutions.\32\ Many commenters urged that all 
lists within the meaning of section 326 of the Act,

[[Page 25103]]

be centralized, issued by a single designated government agency, and 
provided to financial institutions in a commonly used electronic 
format. Some of these commenters suggested that instead of providing 
multiple lists, the government set up a single Web site that would 
permit a bank to search for a name alphabetically, similar to the OFAC 
list. Other commenters asked Treasury and the Agencies to clarify what 
action a bank should take when a customer appears on a list.
---------------------------------------------------------------------------

    \32\ Nevertheless, the legislative history for this provision 
indicates that the lists Congress intended financial institutions to 
consult ``are those already supplied to financial institutions by 
the Office of Foreign Asset Control (OFAC), and occasionally by law 
enforcement and regulatory authorities, as in the days immediately 
following the September 11, 2001, attacks on the World Trade Center 
and the Pentagon.'' H.R. Rep. No. 107-250, pt. 1, at 63 (2001).
---------------------------------------------------------------------------

    Commenters also asked for guidance regarding the timing of when the 
comparison must be performed and asked whether the lists could be 
checked after an account is opened. Some commenters stated that there 
is no practical way for a financial institution to check lists prior to 
opening an account.
    The final rule states that a bank's CIP must include procedures for 
determining whether the customer appears on any list of known or 
suspected terrorists or terrorist organizations issued by any Federal 
government agency and designated as such by Treasury in consultation 
with the Federal functional regulators. Because Treasury and the 
Federal functional regulators have not yet designated any such lists, 
the final rule cannot be more specific with respect to the lists banks 
must check in order to comply with this provision. However, banks will 
not have an affirmative duty under this regulation to seek out all 
lists of known or suspected terrorists or terrorist organizations 
compiled by the Federal government. Instead, banks will receive 
notification by way of separate guidance regarding the lists that must 
be consulted for purposes of this provision.
    Treasury and the Agencies have modified this provision to give 
guidance as to when a bank must consult a list of known or suspected 
terrorists or terrorist organizations. The final rule states that the 
CIP's procedures must require the bank to make a determination 
regarding whether a customer appears on a list ``within a reasonable 
period of time'' after the account is opened, or earlier if required by 
another Federal law or regulation or by a Federal directive issued in 
connection with the applicable list.
    The final rule provides that a bank's CIP must contain procedures 
requiring the bank to follow all Federal directives issued in 
connection with such lists. Again, because there are no lists that have 
been designated under this provision as yet, the final rule cannot 
provide more guidance in this area.
    Section 103.121(b)(5) Customer Notice. The proposed rule would have 
required a bank's CIP to include procedures for providing bank 
customers with adequate notice that the bank is requesting information 
to verify their identity. The preamble for the proposal stated that a 
bank could satisfy that notice requirement by generally notifying its 
customers about the procedures the bank must comply with to verify 
their identities. It stated that the bank could post a notice in its 
lobby or on its Internet website, or provide customers with any other 
form of written or oral notice.
    Treasury and the Agencies received a large number of comments on 
this provision. Some commenters did not agree that section 326 of the 
Act requires notice to bank customers. Some of these commenters 
suggested that a bank's request for identifying information should be 
considered adequate notice. Other commenters did not question this 
requirement and stated that they appreciated the flexibility of this 
provision. However, a great many commenters asked for additional 
guidance on the content and timing of the notice and specifically 
requested that the final rule provide model language so that all 
institutions represent the requirements of section 326 in the same 
manner and the adequacy of notice is not left to the interpretation of 
individual examiners.
    Section 326 provides that the regulations issued ``shall, at a 
minimum, require financial institutions to implement, and customers 
(after being given adequate notice) to comply with reasonable 
procedures'' that satisfy the statute. Based upon this statutory 
requirement, the final rule requires a bank's CIP to include procedures 
for providing bank customers with adequate notice that the bank is 
requesting information to verify their identities. However, the final 
rule provides additional guidance regarding what constitutes adequate 
notice and the timing of the notice requirement.
    The final rule states that notice is adequate if the bank generally 
describes the identification requirements of the final rule and 
provides notice in a manner reasonably designed to ensure that a 
customer views the notice, or is otherwise given notice, before opening 
an account. The final rule also states that depending upon the manner 
in which an account is opened, a bank may post a notice in the lobby or 
on its website, include the notice on its account applications, or use 
any other form of oral or written notice. In addition, the final rule 
includes sample language that, if appropriate, will be deemed adequate 
notice to a bank's customers when provided in accordance with the 
requirements of this final rule.
    Section 103.121(b)(6) Reliance on Another Financial Institution. 
Many commenters urged that the final rule permit a bank to rely on a 
third party to perform elements of the bank's CIP. For example, some 
commenters asked that the final rule clarify that a bank may use a 
third party service provider to perform tasks and keep records. Other 
commenters recommended that the rule should permit a third party to 
verify the identity of the bank's customer in indirect lending 
arrangements, for example, where a car dealer acting as agent of the 
bank extends a loan to a customer or where a mortgage broker acts on a 
bank's behalf. Some commenters urged that the final rule be modified to 
more broadly permit financial institutions to share customer 
identification and verification duties with other financial 
institutions so as to avoid each institution having to undertake 
duplicative customer identification efforts. Some of these commenters 
suggested that a bank be permitted to allocate its responsibility to 
verify the customer's identity by contract with another financial 
institution as permitted in the proposed rule for broker-dealers.
    Other commenters requested that the final rule permit the CIP 
obligations to be performed initially by only one financial institution 
if a customer has different accounts with different affiliates. These 
commenters noted that it is common for a customer to maintain several 
different accounts with a financial institution and its affiliates. The 
same customer, for example, may have a credit card account with one 
affiliate, a home mortgage with another affiliate, and a brokerage 
account with a broker-dealer affiliate. The commenters urged that a 
bank be permitted to rely on customer identification and verification 
performed by an affiliate because it would be superfluous and 
unnecessarily burdensome to subject the same customer to substantially 
similar customer identification and verification procedures on multiple 
occasions. Furthermore, those commenters urged Treasury and the 
Agencies to allow a bank to rely on an affiliate in order to reduce the 
substantial costs of maintaining duplicative records regarding identity 
verification under the recordkeeping provisions of the rule.
    Treasury and the Agencies recognize that there may be circumstances 
where a bank should be able to rely on the performance by another 
financial institution of some or all of the elements of the bank's CIP. 
Therefore, the final rule provides that a bank's CIP may

[[Page 25104]]

include procedures specifying when the bank will rely on the 
performance by another financial institution (including an affiliate) 
of any procedures of the bank's CIP and thereby satisfy the bank's 
obligations under the rule. Reliance is permitted if a customer of the 
bank is opening, or has opened, an account or has established a similar 
banking or business relationship with the other financial institution 
to provide or engage in services, dealings, or other financial 
transactions.
    In order for a bank to rely on the other financial institution, 
such reliance must be reasonable under the circumstances, and the other 
financial institution must be subject to a rule implementing the anti-
money laundering compliance program requirements of 31 U.S.C. 5318(h) 
and be regulated by a Federal functional regulator. The other financial 
institution also must enter into a contract requiring it to certify 
annually to the bank that it has implemented its anti-money laundering 
program and that it will perform (or its agent will perform) the 
specified requirements of the bank's CIP. The contract and 
certification will provide a standard means for a bank to demonstrate 
the extent to which it is relying on another institution to perform its 
CIP, and that the institution has in fact agreed to perform those 
functions. If it is not clear from these documents, a bank must be able 
to otherwise demonstrate when it is relying on another institution to 
perform its CIP with respect to a particular customer.
    The bank will not be held responsible for the failure of the other 
financial institution to adequately fulfill the bank's CIP 
responsibilities, provided the bank can establish that its reliance was 
reasonable and that it has obtained the requisite contracts and 
certifications. Treasury and the Agencies emphasize that the bank and 
the other financial institution upon which it relies must satisfy all 
of these conditions set forth in the rule. If they do not, then the 
bank remains solely responsible for applying its own CIP to each 
customer in accordance with this regulation.
    All of the Federal functional regulators are adopting comparable 
provisions in their respective regulations to permit such reliance. 
Furthermore, the Federal functional regulators expect to share 
information and to cooperate with each other to determine whether the 
institutions subject to their jurisdiction are in compliance with the 
conditions of the reliance provision of this final rule.
    The final rule issued here does not affect a bank's authority to 
contract for services to be performed by a third party either on or off 
the bank's premises. Thus, for example, a bank may contract with a 
third party service provider to keep its records even when the bank 
does not act under the reliance provision set forth in the regulation. 
However, Treasury and the Agencies note that the performance of these 
services for Federally regulated banks \33\ will be subject to 
regulation and examination by the Agencies under other applicable laws 
and regulations. See, e.g., 12 U.S.C. 1867.
---------------------------------------------------------------------------

    \33\ Because it lacks the specific statutory authority to 
regulate and examine service providers, NCUA, as a matter of safety 
and soundness, will require credit unions to document that their 
service providers fully comply with this regulation and with the 
credit union's customer identification program.
---------------------------------------------------------------------------

    The final rule also does not alter a bank's authority to use an 
agent to perform services on its behalf. Therefore, a bank is permitted 
to arrange for a car dealer or mortgage broker, acting as its agent in 
connection with a loan, to verify the identity of its customer. 
However, as with any other responsibility performed by an agent, and in 
contrast to the reliance provision in the rule, the bank ultimately is 
responsible for that agent's compliance with the requirements of this 
final rule.
    Section 103.121(c) Exemptions. The proposed rule provided that the 
appropriate Federal functional regulator, with the concurrence of 
Treasury, may by order or regulation exempt any bank or type of account 
from the requirements of this section. The proposal stated that, in 
issuing such exemptions, the Federal functional regulator and Treasury 
shall consider whether the exemption is consistent with the purposes of 
the BSA, consistent with safe and sound banking, and in the public 
interest. The proposal stated that the Federal functional regulator and 
Treasury also may consider other necessary and appropriate factors.
    There were a number of comments suggesting that various types of 
accounts be exempted from the final rule. For example, several 
commenters suggested that accounts of Federal, state, and local 
governmental entities, public companies, and correspondent banks be 
exempted from the final rule. One commenter suggested that student loan 
programs be exempted from the rule because current safeguards are 
sufficient to verify the identity of student loan borrowers. Another 
commenter suggested that small trust companies and limited purpose 
banks that provide trust services be exempted from the rule, because 
such entities are more local in operation, would be burdened by the 
rule, and have fewer employees to ensure compliance. Yet another 
commenter suggested that the NCUA exempt credit unions from the CIP 
requirements.
    Any suggested exemptions that Treasury and the Agencies have 
determined to be appropriate are incorporated into the definitions of 
``account'' and ``customer'' for the reasons described above. The 
exemption provision of the final rule is essentially adopted as 
proposed with respect to banks that have a Federal functional 
regulator. Because the final rule will also apply to certain banks that 
do not have a Federal functional regulator, a new provision has been 
added to make clear that Treasury alone will make all determinations 
regarding exemptions for these institutions.
    Section 103.121(d) Other Information Requirements Unaffected. The 
proposal provided that nothing in Sec.  103.121 shall be construed to 
relieve a bank of its obligations to obtain, verify, or maintain 
information in connection with an account or transaction that is 
required by another provision in part 103. For example, if an account 
is opened with a deposit of more than $10,000 in cash, the bank opening 
the account must comply with the customer identification requirements 
in Sec.  103.121, as well as with the provisions of Sec.  103.22, which 
require that certain information concerning the transaction be reported 
by filing a Currency Transaction Report (CTR). There were no comments 
on this provision. Therefore, Treasury and the Agencies have adopted 
this provision generally as proposed, except that it has been clarified 
to provide that nothing in Sec.  103.121 should be construed to relieve 
a bank of any of its obligations, including its obligations to obtain, 
verify, or maintain information in connection with an account or 
transaction that is required by another provision in part 103.

III. Conforming Amendments to 31 CFR 103.34

    Section 103.34(a) sets forth customer identification requirements 
when certain types of deposit accounts are opened. Together with the 
proposed rule implementing section 326, Treasury, on its own authority, 
proposed deleting 31 CFR 103.34(a) for the following reasons.
    First, the preamble for the proposal explained that Treasury 
regards the requirements of Sec. Sec.  103.34(a)(1) and (2) as 
inconsistent with the intent and purpose of section 326 of the Act and 
incompatible with proposed section 103.121. Generally Sec. Sec.  
103.34(a)(1) and (2) require a bank, within 30 days after

[[Page 25105]]

certain deposit accounts are opened, to secure and maintain a record of 
the taxpayer identification number of the customer involved. If the 
bank is unable to obtain the taxpayer identification number within 30 
days (or a longer time if the person has applied for a taxpayer 
identification number), it need take no further action under Sec.  
103.34 concerning the account if it maintains a list of the names, 
addresses, and account numbers of the persons for which it was unable 
to secure taxpayer identification numbers, and provides that 
information to Treasury upon request. In the case of a non-resident 
alien, the bank is required to record the person's passport number or a 
description of some other government document used to determine 
identification. These requirements conflicted with those in proposed 
Sec.  103.121 which required a bank to obtain the name, address, date 
of birth and an identification number from any person seeking to open a 
new account.
    Second, Sec.  103.34(a)(3) currently provides that a bank need not 
obtain a taxpayer identification number with respect to specified 
categories of persons \34\ opening certain deposit accounts. Proposed 
Sec.  103.121 did not exempt any persons from the CIP requirements. 
Treasury requested comment on whether any of the exemptions in Sec.  
103.34(a)(3) should apply in light of the intent and purpose of section 
326 of the Act and the requirements of proposed Sec.  103.121.
---------------------------------------------------------------------------

    \34\ The exemption applies to (i) agencies and instrumentalities 
of Federal, State, local, or foreign governments; (ii) judges, 
public officials, or clerks of courts of record as custodians of 
funds in controversy or under the control of the court; (iii) aliens 
who are ambassadors; ministers; career diplomatic or consular 
officers; naval, military, or other attaches of foreign embassies 
and legations; and members of their immediate families; (iv) aliens 
who are accredited representatives of certain international 
organizations, and their immediate families; (v) aliens temporarily 
residing in the United States for a period not to exceed 180 days; 
(vi) aliens not engaged in a trade or business in the United States 
who are attending a recognized college or university, or any 
training program supervised or conducted by an agency of the Federal 
Government; (vii) unincorporated subordinate units of a tax exempt 
central organization that are covered by a group exemption letter; 
(viii) a person under 18 years of age, with respect to an account 
opened as part of a school thrift savings program, provided the 
annual interest is less than $10; (ix) a person opening a Christmas 
club, vacation club, or similar installment savings program, 
provided the annual interest is less than $10; and (x) non-resident 
aliens who are not engaged in a trade or business in the United 
States.
---------------------------------------------------------------------------

    Third, Sec.  103.34(a)(4) also provides that IRS rules shall 
determine whose number shall be obtained in the case of multiple 
account holders. In the preamble that accompanied its proposal, 
Treasury stated that this provision is inconsistent with section 326 of 
the Act, which requires that banks verify the identity of ``any'' 
person seeking to open an account.
    In addition, Treasury proposed deleting Sec.  103.34(b)(1) which 
requires a bank to keep ``any notations, if such are normally made, of 
specific identifying information verifying the identity of the signer 
[who has signature authority over an account] (such as a driver's 
license number or credit card number).'' Treasury stated that the 
quoted language in Sec.  103.34(b)(1) is inconsistent with the proposed 
requirements of Sec.  103.121. For this reason, Treasury, under its own 
authority, proposed to delete the quoted language.
    Few comments were received regarding the proposed deletion of these 
provisions. Some commenters agreed that Sec.  103.34(a) should be 
deleted if proposed Sec.  103.121 were adopted. One commenter suggested 
that Sec.  103.34(a) should be revised to achieve the objectives of the 
section 326 of the Act. One commenter representing a military bank 
requested continuance of the exemption for agencies and 
instrumentalities of the Federal government that will permit exemption 
of commissaries, exchanges and various military organizations. Another 
commenter requested maintenance of the exemption for government 
entities, court funds, unincorporated units of tax-exempt 
organizations, and school thrift programs.
    Treasury has determined that given the more comprehensive 
requirements of the final version of Sec.  103.121, there is no longer 
a need for Sec.  103.34 (a). A number of the exemptions formerly in 
Sec.  103.34(a) have now been added to Sec.  103.121. Other exemptions 
conflict with the language and intent of section 326 of the Act and 
thus were not adopted in the final rule. While Sec.  103.34(a) will no 
longer be needed once the final rule is fully effective, withdrawing 
the provision before October 1, 2003, would create a gap period during 
which banks would not be subject to a rule under the BSA requiring a 
customer to be identified when opening an account. Because Treasury and 
the Agencies do not believe such a gap period would be appropriate, the 
final rule--rather than withdrawing Sec.  103.34(a)--amends the section 
to cut off its applicability on October 1, 2003, when Sec.  103.121 
becomes fully effective.\35\
---------------------------------------------------------------------------

    \35\ Appropriate conforming amendments are made to Sec. Sec.  
103.34(b)(11) and (12) to add a cross-reference to the Internal 
Revenue Code regarding the rules for determining what constitutes a 
taxpayer identification number.
---------------------------------------------------------------------------

    By contrast, Treasury no longer believes that it is necessary to 
delete the quoted language in Sec.  103.34(b), which requires a bank to 
keep ``any notations, if such are normally made, of specific 
identifying information verifying the identity of [a person with 
signature authority over an account] (such as a driver's license number 
or credit card number).'' The definition of ``customer'' in the final 
version of Sec.  103.121 no longer includes a signatory on an account. 
Therefore, Sec.  103.121 and Sec.  103.34(b)(1) are not inconsistent 
and the records required to be kept in accordance with Sec.  
103.34(b)(1) will still have a high degree of usefulness in criminal, 
tax, or regulatory investigations or proceedings, or in the conduct of 
intelligence or counterintelligence activities, and to protect against 
international terrorism. Therefore, the proposal to delete the quoted 
language in Sec.  103.34(b)(1) is not adopted as proposed.

IV. Technical Amendment to 31 CFR 103.11(j)

    Section 103.11(j), which defines the term ``deposit account,'' 
contains an obsolete reference to the definition of ``transaction 
account,'' which is defined in Sec.  103.11(hh). Under its own 
authority, Treasury proposed to correct this reference. There were no 
comments on this proposed technical correction. Therefore, it is 
adopted as proposed.

V. Regulatory Analysis

A. Regulatory Flexibility Act

    Under the Regulatory Flexibility Act (RFA), an agency must either 
prepare a Final Regulatory Flexibility Analysis (FRFA) for a final rule 
or certify that the final rule will not have a significant economic 
impact on a substantial number of small entities.\36\ See 5 U.S.C. 604 
and 605(b).
---------------------------------------------------------------------------

    \36\ The RFA defines the term ``small entity'' in 5 U.S.C. 601 
by reference to the definitions published by the Small Business 
Administration (SBA). The SBA has defined a ``small entity'' for 
banking purposes as a bank or savings institution with less than 
$150 million in assets. See 13 CFR 121.201. The NCUA defines ``small 
credit union'' as those under $1 million in assets. Interpretive 
Ruling and Policy Statement No. 87-2, Developing and Reviewing 
Government Regulations (52 FR 35231, September 18, 1987).
---------------------------------------------------------------------------

    Treasury and the Agencies have reviewed the impact of this final 
rule on small banks. Treasury and the Agencies certify that the final 
rule will not have a significant economic impact on a substantial 
number of small entities.
    First, Treasury and the Agencies believe that banks already have 
implemented prudential business practices and anti-money laundering

[[Page 25106]]

programs that include most of the procedures that a CIP must contain 
under this final rule. Banks generally undertake extensive measures to 
verify the identity of their customers as a matter of good business 
practice. In addition, Federally regulated banks already must have 
anti-money laundering programs that include procedures for 
identification, verification, and documentation of customer 
information.\37\
---------------------------------------------------------------------------

    \37\ See footnote 10.
---------------------------------------------------------------------------

    Second, although the final rule contains several requirements that 
will be new to banks we anticipate that the costs of implementing these 
requirements will not be economically significant. For example, the 
recordkeeping requirements in the final rule may impose some costs on 
banks to the extent that the information that must be maintained is not 
already collected and retained.\38\ Treasury and the Agencies believe 
that the compliance burden is minimized for banks, including small 
banks, because the final rule vests a bank with the discretion to 
design and implement appropriate recordkeeping procedures, including 
allowing banks to maintain electronic records in lieu of (or in 
combination with) paper records.
---------------------------------------------------------------------------

    \38\ See, e.g., identification and verification of customers in 
connection with each share or deposit account opened (31 CFR 
103.34).
---------------------------------------------------------------------------

    The section of the final rule that requires banks to check lists of 
known and suspected terrorists and terrorist organizations and to 
follow Federal agency directives in connection with the lists is also a 
new requirement that will impose nominal burden, once Treasury and the 
Agencies publish lists that banks must consult. However, no such lists 
have been issued to date. Moreover, banks already must have procedures 
to satisfy other similar requirements. For instance, banks already have 
to ensure that they do not engage in transactions involving designated 
foreign countries, foreign nationals, and other entities prohibited 
under OFAC rules. See 31 CFR part 500. We also understand that many 
banks, including small banks, use electronic search tools to check 
lists \39\ and already use identity verification software, both as part 
of their customer due diligence obligations under existing BSA 
compliance program requirements and to detect fraud.
---------------------------------------------------------------------------

    \39\ We believe that most banks will use technology rather than 
manual methods to check lists. OFAC lists are generally incorporated 
into bank software and, in response to bank inquiries, Treasury and 
the Agencies have made clear that banks are permitted to share the 
lists they receive pursuant to section 314 of the Act with their 
service providers. We expect that any lists provided under section 
326 of the Act will also be provided under the same conditions.
---------------------------------------------------------------------------

    The notice provisions of the rule also are new. However, they are 
very flexible and, as written, should impose only minimal costs. The 
final rule permits a bank to satisfy the notice requirement by choosing 
from a variety of low-cost measures, such as posting a sign in the 
lobby or on its website, by adding it to an account statement, or using 
any other form of written or oral notice. In addition, the amount of 
time that a bank will need to develop its notices will be minimal as 
the final rule now contains a sample notice.
    Treasury and the Agencies believe that the flexibility incorporated 
into the final rule will permit each bank to tailor its CIP to fit its 
own size and needs. In this regard, Treasury and the Agencies believe 
that expenditures associated with establishing and implementing a CIP 
will be commensurate with the size of a bank. If a bank is small, the 
burden to comply with the proposed rule should be de minimis.
    Most commenters on the proposed rule stated that Treasury and the 
Agencies had underestimated the burden imposed by the proposed rule. 
They highlighted aspects of the proposal that they maintained would 
have imposed excessive burdens and would have required banks to alter 
their current practices. Most comments focused on the proposed 
provisions requiring banks to verify the identity of signatories on 
accounts, to keep copies of documents used to verify a customer's 
identity, and to retain identity verification records for five years 
after an account is closed.
    In drafting the final rule, Treasury and the Agencies have either 
eliminated or minimized the most significant burdens identified by 
commenters. In response to commenters, for example, the final rule 
eliminates signatories from the definition of ``customer,'' no longer 
requires a bank to keep copies of documents used to verify a customer's 
identity, and reduces the universe of records that must be kept for 
five years after an account is closed. Treasury and the Agencies have 
taken other steps that significantly reduce the scope of the rule and 
burdens of the rule. Many of these burden-reducing actions are 
described in the Paperwork Reduction Act discussion below.\40\ As a 
result of these changes, the final rule is far more flexible and less 
burdensome than the proposed rule while still fulfilling the statutory 
mandates enumerated in section 326 of the Act.
---------------------------------------------------------------------------

    \40\ In addition to the burden-reducing measures discussed in 
the Paperwork Reduction Act discussion, other changes include:
    [sbull] A clarification that a bank must verify the customer's 
identity using the identifying information obtained. The proposed 
rule would have required the bank to verify all identifying 
information. The elimination of the requirement that a bank must 
obtain a physical and a mailing address from a customer opening an 
account. Under the final rule, the bank is only required to obtain a 
physical address.
    [sbull] A new provision that permits a bank to rely on another 
financial institution to perform its CIP under certain conditions. 
This provision allows financial institutions that share a customer 
to share customer identification and verification obligations and to 
reduce the cost of maintaining duplicative records required by the 
recordkeeping provisions of the final rule.
    [sbull] A revised provision that extends to customers who are 
individuals the exception that permits a bank to open an account for 
a customer that has applied for, but has not received, a taxpayer 
identification number.
    [sbull] A new exemption for credit card accounts from the 
requirement that a bank obtain identifying information from the 
customer prior to opening an account. In connection with credit card 
accounts, a bank is permitted to obtain identifying information from 
a third party source prior to extending credit.
    [sbull] A clarification stating that the government will provide 
lists of known or suspected terrorists and terrorist organizations 
to banks. Banks will not be required to seek out this information. 
In addition, the rule now states that the bank may determine whether 
a customer appears on the list within a reasonable time after the 
account is opened, unless it is required to do so earlier by another 
Federal law, regulation, or directive.
    [sbull] A transition period that permits banks a period of 
several months to comply with the final rule.
---------------------------------------------------------------------------

    Finally, Treasury and the Agencies did consider whether it would be 
appropriate to exempt small banks from the requirements of the rule. We 
do not believe that an exemption for small banks is appropriate, given 
the flexibility built into the rule to account for, among other things, 
the differing sizes and resources of banks, as well as the importance 
of the statutory goals and mandate of section 326. Money laundering can 
occur in small banks as well as large banks.

B. Paperwork Reduction Act

    Certain provisions of the final rule contain ``collection of 
information'' requirements within the meaning of the Paperwork 
Reduction Act of 1995 (44 U.S.C. 3501 et seq.). An agency may not 
conduct or sponsor, and a respondent is not required to respond to, an 
information collection unless it displays a currently valid Office of 
Management and Budget (OMB) control number. Treasury submitted the 
final rule to the OMB for review in accordance with 44 U.S.C. 3507(d). 
The OMB has approved the collection of information requirements in 
today's rule under control number 1506-0026.

[[Page 25107]]

Collection of Information Under the Proposed Rule
    The proposed rule applied only to a financial institution that is a 
``bank'' as defined in 31 CFR 103.11(c),\41\ and any foreign branch of 
an insured bank. The proposed rule required each bank to establish a 
written CIP that must include recordkeeping procedures (proposed Sec.  
103.121(b)(3)) and procedures for providing customers with notice that 
the bank is requesting information to verify their identity (proposed 
Sec.  103.121(b)(5)).
---------------------------------------------------------------------------

    \41\ This definition includes banks, thrifts, and credit unions.
---------------------------------------------------------------------------

    The proposed rule required a bank to maintain a record of (1) the 
identifying information provided by the customer, the type of 
identification document(s) reviewed, if any, the identification number 
of the document(s), and a copy of the identification document(s); (2) 
the means and results of any additional measures undertaken to verify 
the identity of the customer; and (3) the resolution of any discrepancy 
in the identifying information obtained. It also required these records 
to be maintained at the bank for five years after the date the account 
is closed (proposed Sec.  103.121(b)(3)).
    The proposed rule also required a bank to give its customers 
``adequate notice'' of the identity verification procedures (proposed 
Sec.  103.121(b)(5)). The proposed rule stated that a bank could 
satisfy the notice requirement by posting a sign in the lobby or 
providing customers with any other form of written or oral notice.
Collection of Information Under the Final Rule
    The final rule, like the proposed rule, requires banks to implement 
reasonable procedures to (1) maintain records of the information used 
to verify a customer's identity, and (2) provide notice of these 
procedures to customers. These recordkeeping and disclosure 
requirements are required under section 326 of the Act. However, the 
final rule greatly reduces the paperwork burden attributable to these 
requirements, as described below.
    The final rule also contains a new recordkeeping provision 
permitting a bank to rely on another financial institution to perform 
some or all its CIP, under certain circumstances. Among other things, 
the other financial institution must provide the bank with a contract 
requiring it to certify annually to the bank that it has implemented 
its anti-money laundering program, and that it will perform (or its 
agent will perform) the specified requirements of the bank's CIP.
Response to Comments Received
    We received approximately 500 comments on the proposed rule. Most 
of the commenters specifically mentioned the recordkeeping burden 
associated with the proposed rule. Some commenters also asked Treasury 
and the Agencies to clarify the meaning of ``adequate notice'' and 
requested that a sample notice be provided in the final rule.
    Only a few commenters provided burden estimates of additional 
burden hours that would result from the proposed rule. However, these 
burden estimates did not necessarily focus on the recordkeeping and 
disclosure requirements in the proposal and ranged from 200 extra hours 
per year to 9,000 additional hours. Treasury and the Agencies believe 
that the final rule substantially addresses the concerns of the 
commenters. Specific concerns about paperwork burden have been 
addressed as follows:
    First, the recordkeeping and disclosure burden are minimized in the 
final rule because Treasury and the Agencies reduced the entire scope 
of the final rule, by:
    [sbull] Narrowing and clarifying the scope of ``account.'' The 
final rule specifically excludes accounts that (1) a bank acquires 
through an acquisition, merger, purchase of assets, or assumption of 
liabilities from a third party, and (2) accounts opened for the purpose 
of participating in an employee benefit plan established pursuant to 
the Employee Retirement Income Security Act of 1974. It also 
specifically excludes wire transfers, check cashing, and the sale of 
travelers checks, and any other product or service that does not lead 
to a ``formal banking relationship'' from the scope of the rule;
    [sbull] Narrowing the definition of ``bank'' covered by the rule to 
exclude a bank's foreign branches; and
    [sbull] Limiting and clarifying who is a ``customer'' for purposes 
of the final rule. The final rule now defines ``customer'' as ``a 
person that opens a new account'' making clear that a person who does 
not receive banking services, such as a person whose deposit or loan 
application is denied, is not a customer. The definition of customer 
also excludes signatories from the definition of ``customer.'' 
Moreover, the final rule excludes from the definition of ``customer'' 
the following readily-identifiable entities: A financial institution 
regulated by a Federal functional regulator; a bank regulated by a 
state bank regulator; and governmental agencies and instrumentalities 
and companies that are publicly traded (i.e., entities described in 
Sec.  103.22(d)(2)(ii)-(iv)). The final rule also excludes existing 
customers of the bank, provided that the bank has a reasonable belief 
that it knows the true identity of the person.\42\
---------------------------------------------------------------------------

    \42\ The proposed rule stated that the identity of an existing 
customer would not need to be verified if the bank (1) had 
previously verified the customer's identity in accordance with 
procedures consistent with the proposed rule, and (2) continues to 
have a reasonable belief that it knows the true identity of the 
customer.
---------------------------------------------------------------------------

    Second, recordkeeping burden was further reduced by:
    [sbull] Eliminating the requirement that a bank keep copies of any 
document that it relied upon in order to verify the identity of the 
customer and substituting a requirement that a bank's records need only 
include ``a description'' of any document that it relied upon in order 
to verify the identity of the customer. The final rule also clarifies 
that the records need only include ``a description'' of the methods and 
results of any measure undertaken to verify the identity of the 
customer, and of the resolution of any substantive discrepancy 
discovered when verifying the identifying information obtained, rather 
than any documents generated in connection with these measures; and
    [sbull] Reducing the length of time that records must be kept. The 
final rule requires that identifying information be kept for five years 
after the date the account is closed (or for credit card accounts, five 
years after the account is closed or becomes dormant). All other 
records may be kept for five years after the account is opened.
    Third, disclosure burden was reduced by providing sample language 
that, if appropriate and properly provided, will be deemed adequate 
notice to a bank's customer. Disclosure burden also was reduced by 
clarifying the term ``adequate notice.''
    Treasury and the Agencies believe that little additional burden is 
imposed as a result of the recordkeeping requirements outlined in 
section 103.121(b)(3), because the type of recordkeeping required by 
the final rule is a usual and customary business practice. In addition, 
banks already must keep similar records to comply with existing 
regulations in 31 CFR part 103 (see, e.g., 31 CFR 103.34, requiring 
certain records for each deposit or share account opened).
    Treasury and the Agencies believe that nominal burden is associated 
with the disclosure requirement outlined in Sec.  103.121(b)(5). This 
section contains a sample notice that if appropriate and

[[Page 25108]]

provided in accordance with the final rule, will be deemed adequate 
notice. In addition, it continues to permit banks to choose among a 
variety of low-cost methods of providing adequate notice and to select 
the least burdensome method, given the circumstances under which 
customers seek to open new accounts.
    Treasury and the Agencies also believe that nominal burden is 
associated with the new recordkeeping requirement in Sec.  
103.121(b)(6). This section permits a bank to rely on another financial 
institution to perform some or all its CIP under certain conditions, 
including the condition that the financial institution enter into a 
contract with the bank providing that it will certify annually to the 
bank that it (1) has implemented its anti-money laundering program and 
(2) will perform (or its agent will perform) the specified requirements 
of the bank's CIP. Not all banks will choose to rely on a third party. 
For those that do, the minimal burden of retaining the certification 
described above should allow them to reduce net burden under the rule 
by such reliance.
Burden Estimates
    Treasury and the Agencies have reconsidered the burden estimates 
published in the proposed rule, given the comments stating that the 
burdens associated with the paperwork collections were underestimated. 
Having done so, and considering the reduction in burden taken in this 
final rule, Treasury and the Agencies have adjusted their estimates of 
the paperwork burden of this rule. The burden estimates that follow are 
estimates of the incremental burden imposed upon banks by this final 
rule, recognizing that some of the requirements in this rule are a 
usual and customary practice in the banking industry, or duplicate 
other regulatory requirements.
    The potential respondents are national banks and Federal branches 
and agencies (OCC financial institutions); state member banks and 
branches and agencies of foreign banks (Board financial institutions); 
insured state nonmember banks (FDIC financial institutions); savings 
associations (OTS financial institutions); Federally insured credit 
unions (NCUA financial institutions); and certain non-Federally 
regulated credit unions, private banks, and trust companies (FinCEN 
institutions).
    Estimated number of respondents:
    OCC: 2207.
    Board: 1240.
    FDIC: 5,500.
    OTS: 962.
    NCUA: 9,688.
    FinCEN: 2,460.
    Estimated average annual recordkeeping burden per respondent: 10 
hours.
    Estimated average annual disclosure burden per respondent: 1 hour.
    Estimated total annual recordkeeping and disclosure burden: 242,627 
hours.
    Treasury and the Agencies invite comment on the accuracy of the 
burden estimates and invite suggestions on how to further reduce these 
burdens. Comments should be sent (preferably by fax (202-395-6974)) to 
Desk Officer for the Department of the Treasury, Office of Information 
and Regulatory Affairs, Office of Management and Budget, Paperwork 
Reduction Project (1506-0026), Washington, DC 20503 (or by the Internet 
to [email protected]), with a copy to FinCEN by mail or the Internet 
at the addresses previously specified.
Executive Order 12866
    Treasury, the OCC, and OTS have determined that the final rule is 
not a ``significant regulatory action'' under Executive Order 12866 for 
the following reasons.
    The rule follows closely the requirements of section 326 of the 
Act. Moreover, Treasury, the OCC, and OTS believe that national banks 
and savings associations already have procedures in place that fulfill 
most of the requirements of the final rule because the procedures are a 
matter of good business practice. In addition, national banks and 
savings associations already are required to have BSA compliance 
programs that address many of the requirements detailed in this final 
rule.
    At the proposed rule stage, Treasury, the OCC, and OTS invited 
national banks, the thrift industry, and the public to provide any cost 
estimates and related data that they think would be useful in 
evaluating the overall costs of the rule. Most of the cost estimates 
provided by commenters related to the requirements in the proposed rule 
that banks verify the identity of signatories on accounts, keep copies 
of documents used to verify a customer's identity, and retain identity 
verification records for five years after an account is closed. As 
described in the preamble, the final rule eliminates signatories from 
the definition of ``customer,'' and no longer requires a bank to keep 
copies of documents used to verify a customer's identity. The final 
rule also reduces the universe of records that must be kept for five 
years after an account is closed. Treasury, the OCC and the OTS have 
taken other steps that significantly reduce the scope of the rule and 
the burden of the rule. These burden-reducing measures are described in 
the Paperwork Reduction Act discussion and Regulatory Flexibility Act 
discussion, above.\43\
---------------------------------------------------------------------------

    \43\ For these same reasons, and consistent with section 201 of 
the Unfunded Mandates Reform Act of 1995 (Pub. L. 104-4), Treasury, 
the OTS and the OCC have also determined that this final rule will 
not result in expenditures by State, local, and tribal governments 
in the aggregate, or by the private sector of $100 million or more 
in any one year, and therefore the rule is not subject to the 
requirements of section 202 of that Act.
---------------------------------------------------------------------------

List of Subjects

12 CFR Part 21

    Crime, Currency, National banks, Reporting and recordkeeping 
requirements, Security measures.

12 CFR Part 208

    Accounting, Agriculture, Banks, banking, Confidential business 
information, Crime, Currency, Investments, Mortgages, Reporting and 
recordkeeping requirements, Securities.

12 CFR Part 211

    Exports, Foreign banking, Holding companies, Investments, Reporting 
and recordkeeping requirements.

12 CFR Part 326

    Banks, banking, Currency, Insured nonmember banks, Reporting and 
recordkeeping requirements, Security measures.

12 CFR Part 563

    Accounting, Advertising, Crime, Currency, Investments, Reporting 
and Recordkeeping requirements, Savings associations, Securities, 
Surety bonds.

12 CFR Part 748

    Credit unions, Crime, and Security measures.

31 CFR Part 103

    Administrative practice and procedure, Authority delegations 
(Government agencies), Banks, banking, Brokers, Currency, Foreign 
banking, Foreign currencies, Gambling, Investigations, Law enforcement, 
Penalties, Reporting and recordkeeping requirements, Securities.

Department of the Treasury

31 CFR Chapter I

Authority and Issuance

0
For the reasons set forth in the preamble, part 103 of title 31 of the 
Code of Federal Regulations is amended as follows:

[[Page 25109]]

PART 103--FINANCIAL RECORDKEEPING AND REPORTING OF CURRENCY AND 
FOREIGN TRANSACTIONS

0
1. The authority citation for part 103 is revised to read as follows:

    Authority: 12 U.S.C. 1829b and 1951-1959; 31 U.S.C. 5311-5314 
and 5316-5332; title III, secs. 312, 313, 314, 319, 326, 352, Pub L. 
107-56, 115 Stat. 307.


Sec.  103.11  [Amended]

0
2. Section 103.11(j) is amended by removing ``paragraph (q)'' and 
adding ``paragraph (hh)'' in its place.


Sec.  103.34  [Amended]

0
3. Section 103.34 is amended as follows:

0
a. By amending the first sentence of paragraph (a)(1) to add the words 
``and before October 1, 2003'' after the words ``May 31, 1978'' and 
after the words ``June 30, 1972'';

0
b. By amending paragraph (b)(11) to add the words ``as determined under 
section 6109 of the Internal Revenue Code of 1986'' after the words 
``taxpayer identification number;'' and

0
c. By amending paragraph (b)(12) to add the words ``as determined under 
section 6109 of the Internal Revenue Code of 1986'' after the words 
``taxpayer identification number.''

0
2. Subpart I of part 103 is amended by adding new Sec.  103.121 to read 
as follows:


Sec.  103.121  Customer Identification Programs for banks, savings 
associations, credit unions, and certain non-Federally regulated banks.

    (a) Definitions. For purposes of this section:
    (1)(i) Account means a formal banking relationship established to 
provide or engage in services, dealings, or other financial 
transactions including a deposit account, a transaction or asset 
account, a credit account, or other extension of credit. Account also 
includes a relationship established to provide a safety deposit box or 
other safekeeping services, or cash management, custodian, and trust 
services.
    (ii) Account does not include:
    (A) A product or service where a formal banking relationship is not 
established with a person, such as check-cashing, wire transfer, or 
sale of a check or money order;
    (B) An account that the bank acquires through an acquisition, 
merger, purchase of assets, or assumption of liabilities; or
    (C) An account opened for the purpose of participating in an 
employee benefit plan established under the Employee Retirement Income 
Security Act of 1974.
    (2) Bank means:
    (i) A bank, as that term is defined in Sec.  103.11(c), that is 
subject to regulation by a Federal functional regulator; and
    (ii) A credit union, private bank, and trust company, as set forth 
in Sec.  103.11(c), that does not have a Federal functional regulator.
    (3)(i) Customer means:
    (A) A person that opens a new account; and
    (B) An individual who opens a new account for:
    (1) An individual who lacks legal capacity, such as a minor; or
    (2) An entity that is not a legal person, such as a civic club.
    (ii) Customer does not include:
    (A) A financial institution regulated by a Federal functional 
regulator or a bank regulated by a state bank regulator;
    (B) A person described in Sec.  103.22(d)(2)(ii) through (iv); or
    (C) A person that has an existing account with the bank, provided 
that the bank has a reasonable belief that it knows the true identity 
of the person.
    (4) Federal functional regulator is defined at Sec.  103.120(a)(2).
    (5) Financial institution is defined at 31 U.S.C. 5312(a)(2) and 
(c)(1).
    (6) Taxpayer identification number is defined by section 6109 of 
the Internal Revenue Code of 1986 (26 U.S.C. 6109) and the Internal 
Revenue Service regulations implementing that section (e.g., social 
security number or employer identification number).
    (7) U.S. person means:
    (i) A United States citizen; or
    (ii) A person other than an individual (such as a corporation, 
partnership, or trust), that is established or organized under the laws 
of a State or the United States.
    (8) Non-U.S. person means a person that is not a U.S. person.
    (b) Customer Identification Program: minimum requirements.
    (1) In general. A bank must implement a written Customer 
Identification Program (CIP) appropriate for its size and type of 
business that, at a minimum, includes each of the requirements of 
paragraphs (b)(1) through (5) of this section. If a bank is required to 
have an anti-money laundering compliance program under the regulations 
implementing 31 U.S.C. 5318(h), 12 U.S.C. 1818(s), or 12 U.S.C. 
1786(q)(1), then the CIP must be a part of the anti-money laundering 
compliance program. Until such time as credit unions, private banks, 
and trust companies without a Federal functional regulator are subject 
to such a program, their CIPs must be approved by their boards of 
directors.
    (2) Identity verification procedures. The CIP must include risk-
based procedures for verifying the identity of each customer to the 
extent reasonable and practicable. The procedures must enable the bank 
to form a reasonable belief that it knows the true identity of each 
customer. These procedures must be based on the bank's assessment of 
the relevant risks, including those presented by the various types of 
accounts maintained by the bank, the various methods of opening 
accounts provided by the bank, the various types of identifying 
information available, and the bank's size, location, and customer 
base. At a minimum, these procedures must contain the elements 
described in this paragraph (b)(2).
    (i) Customer information required. (A) In general. The CIP must 
contain procedures for opening an account that specify the identifying 
information that will be obtained from each customer. Except as 
permitted by paragraphs (b)(2)(i)(B) and (C) of this section, the bank 
must obtain, at a minimum, the following information from the customer 
prior to opening an account:
    (1) Name;
    (2) Date of birth, for an individual;
    (3) Address, which shall be:
    (i) For an individual, a residential or business street address;
    (ii) For an individual who does not have a residential or business 
street address, an Army Post Office (APO) or Fleet Post Office (FPO) 
box number, or the residential or business street address of next of 
kin or of another contact individual; or
    (iii) For a person other than an individual (such as a corporation, 
partnership, or trust), a principal place of business, local office, or 
other physical location; and
    (4) Identification number, which shall be:
    (i) For a U.S. person, a taxpayer identification number; or
    (ii) For a non-U.S. person, one or more of the following: a 
taxpayer identification number; passport number and country of 
issuance; alien identification card number; or number and country of 
issuance of any other government-issued document evidencing nationality 
or residence and bearing a photograph or similar safeguard.


    Note to paragraph (b)(2)(i)(A)(4)(ii):
    When opening an account for a foreign business or enterprise 
that does not have an identification number, the bank must request 
alternative government-issued documentation certifying the existence 
of the business or enterprise.


    (B) Exception for persons applying for a taxpayer identification 
number.

[[Page 25110]]

Instead of obtaining a taxpayer identification number from a customer 
prior to opening the account, the CIP may include procedures for 
opening an account for a customer that has applied for, but has not 
received, a taxpayer identification number. In this case, the CIP must 
include procedures to confirm that the application was filed before the 
customer opens the account and to obtain the taxpayer identification 
number within a reasonable period of time after the account is opened.
    (C) Credit card accounts. In connection with a customer who opens a 
credit card account, a bank may obtain the identifying information 
about a customer required under paragraph (b)(2)(i)(A) by acquiring it 
from a third-party source prior to extending credit to the customer.
    (ii) Customer verification. The CIP must contain procedures for 
verifying the identity of the customer, using information obtained in 
accordance with paragraph (b)(2)(i) of this section, within a 
reasonable time after the account is opened. The procedures must 
describe when the bank will use documents, non-documentary methods, or 
a combination of both methods as described in this paragraph 
(b)(2)(ii).
    (A) Verification through documents. For a bank relying on 
documents, the CIP must contain procedures that set forth the documents 
that the bank will use. These documents may include:
    (1) For an individual, unexpired government-issued identification 
evidencing nationality or residence and bearing a photograph or similar 
safeguard, such as a driver's license or passport; and
    (2) For a person other than an individual (such as a corporation, 
partnership, or trust), documents showing the existence of the entity, 
such as certified articles of incorporation, a government-issued 
business license, a partnership agreement, or trust instrument.
    (B) Verification through non-documentary methods. For a bank 
relying on non-documentary methods, the CIP must contain procedures 
that describe the non-documentary methods the bank will use.
    (1) These methods may include contacting a customer; independently 
verifying the customer's identity through the comparison of information 
provided by the customer with information obtained from a consumer 
reporting agency, public database, or other source; checking references 
with other financial institutions; and obtaining a financial statement.
    (2) The bank's non-documentary procedures must address situations 
where an individual is unable to present an unexpired government-issued 
identification document that bears a photograph or similar safeguard; 
the bank is not familiar with the documents presented; the account is 
opened without obtaining documents; the customer opens the account 
without appearing in person at the bank; and where the bank is 
otherwise presented with circumstances that increase the risk that the 
bank will be unable to verify the true identity of a customer through 
documents.
    (C) Additional verification for certain customers. The CIP must 
address situations where, based on the bank's risk assessment of a new 
account opened by a customer that is not an individual, the bank will 
obtain information about individuals with authority or control over 
such account, including signatories, in order to verify the customer's 
identity. This verification method applies only when the bank cannot 
verify the customer's true identity using the verification methods 
described in paragraphs (b)(2)(ii)(A) and (B) of this section.
    (iii) Lack of verification. The CIP must include procedures for 
responding to circumstances in which the bank cannot form a reasonable 
belief that it knows the true identity of a customer. These procedures 
should describe:
    (A) When the bank should not open an account;
    (B) The terms under which a customer may use an account while the 
bank attempts to verify the customer's identity;
    (C) When the bank should close an account, after attempts to verify 
a customer's identity have failed; and
    (D) When the bank should file a Suspicious Activity Report in 
accordance with applicable law and regulation.
    (3) Recordkeeping. The CIP must include procedures for making and 
maintaining a record of all information obtained under the procedures 
implementing paragraph (b) of this section.
    (i) Required records. At a minimum, the record must include:
    (A) All identifying information about a customer obtained under 
paragraph (b)(2)(i) of this section;
    (B) A description of any document that was relied on under 
paragraph (b)(2)(ii)(A) of this section noting the type of document, 
any identification number contained in the document, the place of 
issuance and, if any, the date of issuance and expiration date;
    (C) A description of the methods and the results of any measures 
undertaken to verify the identity of the customer under paragraph 
(b)(2)(ii)(B) or (C) of this section; and
    (D) A description of the resolution of any substantive discrepancy 
discovered when verifying the identifying information obtained.
    (ii) Retention of records. The bank must retain the information in 
paragraph (b)(3)(i)(A) of this section for five years after the date 
the account is closed or, in the case of credit card accounts, five 
years after the account is closed or becomes dormant. The bank must 
retain the information in paragraphs (b)(3)(i)(B), (C), and (D) of this 
section for five years after the record is made.
    (4) Comparison with government lists. The CIP must include 
procedures for determining whether the customer appears on any list of 
known or suspected terrorists or terrorist organizations issued by any 
Federal government agency and designated as such by Treasury in 
consultation with the Federal functional regulators. The procedures 
must require the bank to make such a determination within a reasonable 
period of time after the account is opened, or earlier, if required by 
another Federal law or regulation or Federal directive issued in 
connection with the applicable list. The procedures must also require 
the bank to follow all Federal directives issued in connection with 
such lists.
    (5)(i) Customer notice. The CIP must include procedures for 
providing bank customers with adequate notice that the bank is 
requesting information to verify their identities.
    (ii) Adequate notice. Notice is adequate if the bank generally 
describes the identification requirements of this section and provides 
the notice in a manner reasonably designed to ensure that a customer is 
able to view the notice, or is otherwise given notice, before opening 
an account. For example, depending upon the manner in which the account 
is opened, a bank may post a notice in the lobby or on its website, 
include the notice on its account applications, or use any other form 
of written or oral notice.
    (iii) Sample notice. If appropriate, a bank may use the following 
sample language to provide notice to its customers:

IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT

    To help the government fight the funding of terrorism and money 
laundering activities, Federal law requires all financial 
institutions to obtain, verify, and record information that 
identifies each person who opens an account.
    What this means for you: When you open an account, we will ask 
for your name,

[[Page 25111]]

address, date of birth, and other information that will allow us to 
identify you. We may also ask to see your driver's license or other 
identifying documents.

    (6) Reliance on another financial institution. The CIP may include 
procedures specifying when a bank will rely on the performance by 
another financial institution (including an affiliate) of any 
procedures of the bank's CIP, with respect to any customer of the bank 
that is opening, or has opened, an account or has established a similar 
formal banking or business relationship with the other financial 
institution to provide or engage in services, dealings, or other 
financial transactions, provided that:
    (i) Such reliance is reasonable under the circumstances;
    (ii) The other financial institution is subject to a rule 
implementing 31 U.S.C. 5318(h) and is regulated by a Federal functional 
regulator; and
    (iii) The other financial institution enters into a contract 
requiring it to certify annually to the bank that it has implemented 
its anti-money laundering program, and that it will perform (or its 
agent will perform) the specified requirements of the bank's CIP.
    (c) Exemptions. The appropriate Federal functional regulator, with 
the concurrence of the Secretary, may, by order or regulation, exempt 
any bank or type of account from the requirements of this section. The 
Federal functional regulator and the Secretary shall consider whether 
the exemption is consistent with the purposes of the Bank Secrecy Act 
and with safe and sound banking, and may consider other appropriate 
factors. The Secretary will make these determinations for any bank or 
type of account that is not subject to the authority of a Federal 
functional regulator.
    (d) Other requirements unaffected. Nothing in this section relieves 
a bank of its obligation to comply with any other provision in this 
part, including provisions concerning information that must be 
obtained, verified, or maintained in connection with any account or 
transaction.

    Dated: April 28, 2003.
James F. Sloan,
Director, Financial Crimes Enforcement Network.

    Dated: April 17, 2003.

In concurrence:

John D. Hawke, Jr.,
Comptroller of the Currency.

In concurrence:

    By order of the Board of Governors of the Federal Reserve 
System, April 21, 2003.
Jennifer J. Johnson,
Secretary of the Board.

In concurrence:
    By order of the Board of Directors of the Federal Deposit 
Insurance Corporation this 16th day of April, 2003.
Valerie J. Best,
Assistant Executive Secretary.

In concurrence:
    Dated: April 9, 2003.
James E. Gilleran,
Director, Office of Thrift Supervision.

In concurrence:

    Dated: April 7, 2003.
Becky Baker,
Secretary of the Board, National Credit Union Administration.

Office of the Comptroller of the Currency

12 CFR Chapter I

Authority and Issuance

0
For the reasons set out in the preamble, the OCC amends chapter I of 
title 12 of the Code of Federal Regulations as set forth below:

PART 21--MINIMUM SECURITY DEVICES AND PROCEDURES, REPORTS OF 
SUSPICIOUS ACTIVITIES, AND BANK SECRECY ACT COMPLIANCE PROGRAM

Subpart C--Procedures for Monitoring Bank Secrecy Act Compliance

0
1. The authority citation for part 21, subpart C, continues to read as 
follows:

    Authority: 12 U.S.C. 93a, 1818, 1881-1884 and 3401-3422; 31 
U.S.C. 5318.


0
2. In Sec.  21.21:
0
A. Revise the section heading; and
0
B. Revise Sec.  21.21(b) to read as follows:


Sec.  21.21  Procedures for monitoring Bank Secrecy Act (BSA) 
compliance.

* * * * *
    (b) Establishment of a BSA compliance program. (1) Program 
requirement. Each bank shall develop and provide for the continued 
administration of a program reasonably designed to assure and monitor 
compliance with the recordkeeping and reporting requirements set forth 
in subchapter II of chapter 53 of title 31, United States Code and the 
implementing regulations issued by the Department of the Treasury at 31 
CFR part 103. The compliance program must be written, approved by the 
bank's board of directors, and reflected in the minutes of the bank.
    (2) Customer identification program. Each bank is subject to the 
requirements of 31 U.S.C. 5318(l) and the implementing regulation 
jointly promulgated by the OCC and the Department of the Treasury at 31 
CFR 103.121, which require a customer identification program to be 
implemented as part of the BSA compliance program required under this 
section.
* * * * *

    Dated: April 17, 2003.
John D. Hawke, Jr.,
Comptroller of the Currency.

Federal Reserve System

12 CFR Chapter II

Authority and Issuance

0
For the reasons set out in the preamble, the Board of Governors of the 
Federal Reserve System amends 12 CFR Chapter II as follows:

PART 208--MEMBERSHIP OF STATE BANKING INSTITUTIONS IN THE FEDERAL 
RESERVE SYSTEM (REGULATION H)

0
1. The authority citation for part 208 continues to read as follows:

    Authority: 12 U.S.C. 24, 24a, 36, 92a, 93a, 248(a), 248(c), 321-
338a, 371d, 461, 481-486, 601, 611, 1814, 1816, 1818, 1820(d)(9), 
1823(j), 1828(o), 1831, 1831o, 1831p-1, 1831r-1, 1831w, 1831x, 
1835a, 1843(l), 1882, 2901-2907, 3105, 3310, 3331-3351, and 3906-
3909; 15 U.S.C. 78b, 78l(b), 78l(g), 78l(i), 78o-4(c)(5), 78q, 78q-
1, and 78w; 31 U.S.C. 5318; 42 U.S.C. 4012a, 4104a, 4104b, 4106, and 
4128.


0
2. Revise Sec.  208.63(b) to read as follows:


Sec.  208.63  Procedures for monitoring Bank Secrecy Act compliance.

* * * * *
    (b) Establishment of BSA compliance program. (1) Program 
requirement. Each bank shall develop and provide for the continued 
administration of a program reasonably designed to ensure and monitor 
compliance with the recordkeeping and reporting requirements set forth 
in subchapter II of chapter 53 of title 31, United States Code, the 
Bank Secrecy Act, and the implementing regulations promulgated 
thereunder by the Department of the Treasury at 31 CFR part 103. The 
compliance program shall be reduced to writing, approved by the board 
of directors, and noted in the minutes.
    (2) Customer identification program. Each bank is subject to the 
requirements of 31 U.S.C. 5318(l) and the implementing regulation 
jointly promulgated by the Board and the Department of the Treasury at 
31 CFR 103.121, which require a customer identification program to be

[[Page 25112]]

implemented as part of the BSA compliance program required under this 
section.
* * * * *

PART 211--INTERNATIONAL BANKING OPERATIONS (REGULATION K)

0
1. The authority citation for part 211 is revised to read as follows:

    Authority: 12 U.S.C. 221 et seq., 1818, 1835a, 1841 et seq., 
3101 et seq., and 3901 et seq.; 15 U.S.C. 6801 and 6805; 31 U.S.C. 
5318.


0
2. In Sec.  211.5, add new paragraph (m) to read as follows:


Sec.  211.5  Edge and agreement corporations.

* * * * *
    (m) Procedures for monitoring Bank Secrecy Act compliance.
    (1) [Reserved]
    (2) Customer identification program. Each Edge or agreement 
corporation is subject to the requirements of 31 U.S.C. 5318(l) and the 
implementing regulation jointly promulgated by the Board and the 
Department of the Treasury at 31 CFR 103.121, which require a customer 
identification program.

0
3. In Sec.  211.24, add new paragraph (j) to read as follows:


Sec.  211.24  Approval of offices of foreign banks; procedures for 
applications; standards for approval; representative office activities 
and standards for approval; preservation of existing authority.

* * * * *
    (j) Procedures for monitoring Bank Secrecy Act compliance.
    (1) [Reserved]
    (2) Customer identification program. Except for a federal branch or 
a federal agency or a state branch that is insured by the FDIC, a 
branch, agency, or representative office of a foreign bank operating in 
the United States is subject to the requirements of 31 U.S.C. 5318(l) 
and the implementing regulation jointly promulgated by the Board and 
the Department of the Treasury at 31 CFR 103.121, which require a 
customer identification program.

    By order of the Board of Governors of the Federal Reserve 
System, April 21, 2003.
Jennifer J. Johnson,
Secretary of the Board.

Federal Deposit Insurance Corporation

12 CFR Chapter III

Authority and Issuance

0
For the reasons set out in the preamble, the FDIC amends title 12, 
chapter III of the Code of Federal Regulations, as set forth below:

PART 326--Minimum Security Devices and Procedures and Bank Secrecy 
Act Compliance

0
1. The authority citation for part 326 is revised to read as follows:

    Authority: 12 U.S.C. 1813, 1815, 1817, 1818, 1819 (Tenth), 1881-
1883; 31 U.S.C. 5311-5314 and 5316-5332.2.


0
2. Revise Sec.  326.8(b) to read as follows:


Sec.  326.8  Bank Secrecy Act compliance.

* * * * *
    (b) Compliance procedures. (1) Program requirement. Each bank shall 
develop and provide for the continued administration of a program 
reasonably designed to assure and monitor compliance with recordkeeping 
and reporting requirements set forth in subchapter II of chapter 53 of 
title 31, United States Code and the implementing regulations issued by 
the Department of the Treasury at 31 CFR part 103. The compliance 
program shall be written, approved by the bank's board of directors, 
and noted in the minutes.
    (2) Customer identification program. Each bank is subject to the 
requirements of 31 U.S.C. 5318(l) and the implementing regulation 
jointly promulgated by the FDIC and the Department of the Treasury at 
31 CFR 103.121, which require a customer identification program to be 
implemented as part of the Bank Secrecy Act compliance program required 
under this section.
* * * * *

    By order of the Board of Directors of the Federal Deposit 
Insurance Corporation this 16th day of April, 2003.
Valerie J. Best,
Assistant Executive Secretary.

Office of Thrift Supervision

12 CFR Chapter V

Authority and Issuance

0
For the reasons set out in the preamble, OTS amends title 12, chapter V 
of the Code of Federal Regulations, as set forth below:

PART 563--SAVINGS ASSOCIATIONS--OPERATIONS

0
1. The authority citation for part 563 is revised to read as follows:

    Authority: 12 U.S.C. 375b, 1462, 1462a, 1463, 1464, 1467a, 1468, 
1817, 1820, 1828, 1831o, 3806; 31 U.S.C. 5318; 42 U.S.C. 4106.


0
2. In Sec.  563.177:
0
A. Revise the section heading; and
0
B. Revise paragraph (b) to read as follows:


Sec.  563.177  Procedures for monitoring Bank Secrecy Act (BSA) 
compliance.

* * * * *
    (b) Establishment of a BSA compliance program. (1) Program 
requirement. Each savings association shall develop and provide for the 
continued administration of a program reasonably designed to assure and 
monitor compliance with the recordkeeping and reporting requirements 
set forth in subchapter II of chapter 53 of title 31, United States 
Code and the implementing regulations issued by the Department of the 
Treasury at 31 CFR part 103. The compliance program must be written, 
approved by the savings association's board of directors, and reflected 
in the minutes of the savings association.
    (2) Customer identification program. Each savings association is 
subject to the requirements of 31 U.S.C. 5318(l) and the implementing 
regulation jointly promulgated by the OTS and the Department of the 
Treasury at 31 CFR 103.121, which require a customer identification 
program to be implemented as part of the BSA compliance program 
required under this section.
* * * * *

    Dated: April 9, 2003.
James E. Gilleran,
Director, Office of Thrift Supervision.

National Credit Union Administration

12 CFR Chapter VII

Authority and Issuance

0
For the reasons set out in the preamble, NCUA amends title 12, chapter 
VII of the Code of Federal Regulations, as set forth below:

PART 748--SECURITY PROGRAM, REPORT OF CRIME AND CATASTROPHIC ACT 
AND BANK SECRECY ACT COMPLIANCE

0
1. The authority citation for part 748 is revised to read as follows:

    Authority: 12 U.S.C. 1766(a), 1786(q); 15 U.S.C. 6801 and 
6805(b); 31 U.S.C. 5311 and 5318.


0
2. In Sec.  748.2:
0
A. Revise the section heading; and
0
B. Revise paragraph (b) to read as follows:


Sec.  748.2  Procedures for monitoring Bank Secrecy Act (BSA) 
compliance.

* * * * *
    (b) Establishment of a BSA compliance program. (1) Program 
requirement. Each federally-insured credit union shall develop and 
provide for the continued administration of a

[[Page 25113]]

program reasonably designed to assure and monitor compliance with the 
recordkeeping and recording requirements set forth in subchapter II of 
chapter 53 of title 31, United States Code and the implementing 
regulations issued by the Department of the Treasury at 31 CFR part 
103. The compliance program must be written, approved by the credit 
union's board of directors, and reflected in the minutes of the credit 
union.
    (2) Customer identification program. Each federally-insured credit 
union is subject to the requirements of 31 U.S.C. 5318(l) and the 
implementing regulation jointly promulgated by the NCUA and the 
Department of the Treasury at 31 CFR 103.121, which require a customer 
identification program to be implemented as part of the BSA compliance 
program required under this section.
* * * * *

    Dated: April 7, 2003.
Becky Baker,
Secretary of the Board, National Credit Union Administration.
[FR Doc. 03-11019 Filed 5-8-03; 8:45 am]
BILLING CODE 4810-02-P; 6720-01-P; 6210-01-P; 7537-01-P; 4810-33-P; 
6714-01-P