CUNA Comment Letter
Section 326 of the USA PATRIOT Act
September 6, 2002
Ms. Becky Baker
Secretary of the Board
National Credit Union Administration
1775 Duke Street
Alexandria, Virginia 22314-3428.
In Re: Section 326, Credit Unions
Dear Ms. Baker:
The Credit Union National Association appreciates this opportunity to comment on the agency's proposal, issued jointly with the U.S. Department of the Treasury, to establish minimum standards under the USA PATRIOT Act for financial institutions that govern the identification and verification of any person who applies to open an account. Final regulations must be effective by October 25, 2002. CUNA represents more than 90% of our nation's 10,300 state and federal credit unions.
Our comments were developed under the auspices of the CUNA Examination and Supervision Subcommittee chaired by Mr. John Franklin, President and CEO of the South Carolina Credit Union League. They also are based in part on conversations we have had with officials at NCUA as well as with the Treasury's Financial Crimes Enforcement Network, FinCEN. The points raised in this letter apply to federally insured, as well as to privately insured, credit unions. A copy of this letter is being filed directly with FinCEN on behalf of privately insured credit unions.
Summary of CUNA's Comments
- CUNA wholeheartedly supports the objective of the proposed rule, which is to protect the United States and the nation's financial system from being preyed upon by terrorists seeking to finance their despicable activities through traditional financial institutions. Treasury and NCUA also envision a final rule that will help shield consumers against various types of fraud, such as identity theft, regarding the opening of new accounts.
- While we support the proposal's general approach, there are several areas in which we have concerns or feel clarification is warranted. These issues are addressed in further detail below.
- On a different but related matter, by separate correspondence, CUNA is requesting a meeting with the chief, compliance programs division, of the Office of Foreign Assets Control (OFAC) to help facilitate compliance with OFAC requirements for all credit unions.
The USA PATRIOT Act specifies that new regulations must, at a minimum, require financial institutions to implement reasonable procedures for: (1) verifying the identity of any person seeking to open an account, to the extent reasonable and practicable; (2) maintaining records of the information used to verify the person's identity; and (3) determining whether the person appears on any list of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency.
While credit unions realized at the time of its passage that the USA PATRIOT Act would result in additional regulatory burdens for them, nonetheless CUNA is generally supportive of this initiative to help fight the war on terrorism. Further, as stated in the summary, CUNA commends the regulators for their efforts to refrain from imposing broad, new requirements on credit unions and other financial institutions at account opening.
In particular, there are several aspects of the rule that credit unions find favorable:
- The proposal recognizes that credit unions and other financial institutions already have a number of procedures in place covering the opening of new accounts.
- The proposed rules generally contemplate that financial institutions will use the same forms of identity verification that are being examined, such as driver's licenses, passports, credit reports, and other similar means of identification.
- While every program must meet the minimum elements contained in the proposal, the proposed rule gives financial institutions the flexibility to tailor their procedures as appropriate, taking into consideration an individual institution's size, location, and type of business.
- The proposal also uses a risk-based approach to verification under which an institution may determine for itself how soon an individual's identity must be verified after account opening.
Issues of Concern
Our general support aside, we have several operational concerns that we urge the regulators to address in the final regulation.
We realize that the statute requires the final rule to take effect before the end of the 1-year period beginning on the date of enactment of the International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001, or October 25, 2002. However, even if the regulators approve a final rule by the end of this month, only about one month is left for credit unions to review their procedures and practices in light of the new rule.
In addition, financial institutions have only had this proposal since July 2002. Thus, there will only be three months for credit unions and other institutions to review the proposal, determine how it will affect their operations and figure out what needs to be done to achieve compliance, including changing account opening forms, when necessary.
Simply put, institutions have not been given sufficient time to allow them to achieve good faith compliance.
While the regulators have considered the processes institutions already utilize in opening an account, the proposal nonetheless contemplates some changes that financial institutions will have to incorporate, such as extensive photocopying of the records relied upon for verification. In addition, institutions will want to review current procedures to make sure they are in compliance.
Credit unions, like other institutions, want to do their part to assist the government in helping to prevent the financing of terrorism, but we do not believe that an unrealistic compliance deadline serves that cause. We urge financial regulators, working with Congress, to address this issue in the final rule.
We request that the regulators provide an additional twelve months for compliance. We believe this approach will facilitate implementation and relieve the frustration institutions will certainly encounter as they attempt to meet an unreasonable compliance deadline.
Safe Harbor Concept
Undoubtedly the regulators will want to resist massive changes in the proposal, given the tight compliance deadline they are facing. However, there is an important amendment we urge the regulators to add, which we think would improve the regulation, enhance compliance for financial institutions and would not affect the other provisions in the proposal.
Our recommendation is that the regulators include language in the final rule that establishes a "safe harbor" for institutions meeting the minimum requirements for the Customer Identification Program and other basic requirements of the rule. We feel this approach could be extremely useful, given the level of liability institutions face should they fail to be in compliance with any aspect of the rule. This is particularly the case for smaller credit unions. About one-half of all credit unions have assets of less than $10 million and nearly one-third are operated strictly by unpaid personnel. The vast majority of all credit union board members are not compensated beyond reimbursement for their expenses. Yet, such credit unions are subject to the same liability for noncompliance that applies to other institutions that utilize well-paid employees.
To address this concern, we recommend the regulators implement a safe harbor approach that could apply to all financial institutions. Under such an approach, institutions would identify basic procedures they have developed and implemented to ensure compliance with the proposal. While such procedures could vary, depending on the characteristics of each institution and other variables, such as the members/customers for whom an account is opened, each institution's procedures must be appropriate for its situation(s). During the routine examination process, examiners would review an institution's basic procedures and determine if it qualifies for the safe harbor designation. We believe such an approach could help minimize concerns that inadvertent oversight could subject an institution to significant liability.
Definition of "Account"
The regulators asked for comments on the proposed definition of "account," which means each formal banking or business relationship established to provide ongoing services, dealings, or other financial transactions. For example, a deposit account, a transaction or asset account, and a credit account or other extension of credit would each constitute an account. The language describing an account in the proposal clarifies that it would not incorporate "infrequent transactions" such as the purchase of a money order. We request that the regulators include this language in the definition of account.
Definition of "Customer"
The proposed rule defines "customer" to mean any person seeking to open a new account. As consumers are generally members of credit unions, rather than customers, we strongly recommend that the term "Member/Customer" be used in the credit union regulations when referring to an individual opening an account.
The term "customer" would include existing members who seek to open an account after the rule takes effect. However, under the discussion in the proposal regarding "Identity Verification Procedures" the proposal states that if an institution has already verified the identity of a customer/member using procedures that are consistent with the rule, it does not have to re-verify that individual's identity as long as it has reasonable belief to know the individual's identity. To avoid confusion, we recommend that the regulators include that information in the definition of "member/customer."
The proposal explains that the term "customer" includes a person applying to open an account, but would not cover a person seeking information about an account, such as rates charged or interest paid on an account, if the person does not actually open an account. We believe that clarification should also be in the definition.
The proposal is not clear regarding how institutions should treat beneficiaries, co-signors, and loan guarantors. It is our recommendation that these individuals should not be defined generally as a "customer/member." If the regulators are concerned that the spirit of Section 326 will be compromised if the identity of such individuals is not verified, then we strongly recommend that such verification only be required if and when the individual has access to the funds in an account.
A related issue is what is required in terms of verification for account signatories for member/customer transactions. For example, a small business has a member/customer relationship with a credit union. Several of the business's senior employees would likely be permitted to transact business at the credit union on behalf of the small business. The identification of these employees would have already been verified by the small business. We recommend that the credit union in such an instance be allowed to obtain a certification from the small business that the identification of a signatory has been verified and retain that certification in its files to satisfy the verification and recordkeeping requirements under the new regulation. This treatment should also be permitted for corporate credit unions that open accounts for natural person credit unions.
Definition of "Bank"
The proposal uses the term "bank" to describe financial institutions within its scope. While in some statutory contexts credit unions are referred to as banks, they are distinct institutions, which strongly prefer that their uniqueness be recognized. We recommend that the final rule for credit unions use the term "credit union" and not use the generic term "bank" to refer to these institutions.
Information Required for Identity Verification
The proposal requires each institution to develop a Customer/Member Identification Program that will establish reasonable procedures to verify the identity of an individual seeking to open an account. The institution must obtain from each member/customer at account opening minimum information, such as name, address, and a U.S. taxpayer identification number (social security number, individual taxpayer identification number, or employer identification number) for U.S. persons.
The proposal would require an individual or business to supply both the mailing address and the residence, or place of business, if different. However, institutions do not always routinely require both the mailing address and the residence. The proposal does not explain why the regulators feel the additional information is necessary, and we are not convinced that it is. The proposal does state that the basic information required reflects the type of information that financial institutions currently obtain. In light of this, we recommend that the final rule only require the institution obtain a mailing address or a residential address, but not both.
A few credit unions have raised the issue of the definition of "residence." They have requested that the proposal clarify that "residence" in the case of enlisted military personnel, for example, could be their address outside of their military service.
Verification Through Documents
Under the proposal, an institution may verify identity through the use of documents or through the use of nondocumentary information. The final rule should clarify that an institution does not have to utilize only one method, but depending on the situation, may use either one it chooses, even for individuals who open an account in person.
Some have read the proposal to indicate that an institution must first try to verify identity with the use of documents before using a nondocumentary approach, and we request the regulators clarify that this is not your intent.
The proposal provides that for non-U.S. persons, a credit union using documents to verify identity may rely on a document issued by another government that evidences nationality or residence and bears a photograph or similar safeguard. We appreciate the inclusion of this language, which will encompass the use of documents, such as Matricula issued by offices in this country of the Mexican government as identification for its citizens in the United States.
We also appreciate the approach the regulators have taken in allowing institutions to verify identification for non-U.S. persons with a variety of documents. Thus, the proposal does not necessitate that any institution must obtain a taxpayer identification number from a non-U.S. person, as long as the institution has obtained one or more of the following: a passport number and country of issuance; alien identification card number; or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard. We think this approach will provide useful flexibility to institutions, while helping to minimize potential anxiety a non-U.S. person may have in opening an account if they do not have a TIN.
The proposal states that the regulators realize that original identification documents may be obtained illegally and may be fraudulent. The proposal encourages institutions to use other verification methods, even when a member/customer has provided original documents. We strongly urge that this language be dropped from the final rule. Credit unions and other institutions should not be required to determine whether a document is fraudulent or obtained under fraudulent circumstances. Institutions using documents to verify identification must be allowed to rely on those documents without having to be concerned whether they are illegally obtained. Such an assessment, in most instances, would be impossible for the institution to determine. Vague language indicating an institution might have a responsibility to consider how identifying documents are procured imposes a legal liability on financial institutions that is not required by Section 326. We urge the regulators to remove this language from the final rule.
While we support the regulators' approach that will permit verification based on nondocumentary information, we have concerns about some of the language in the description of this method as provided in the proposal. In general, we feel that the regulators need to include more detailed examples of what is expected of institutions using this method.
In addition, the proposal indicates that institutions may wish to analyze whether there is logical consistency between the identifying information provided. In Footnote #4 the proposal states, "Treasury understands that most banks currently make use of technology that permits instantaneous negative, positive and logical verification of identity."
While the language of Section 326 requires "reasonable procedures" for verifying identification in connection with an account opening, we believe the requirement to check for a "logical connection" among the various forms of information provided to substantiate identity goes beyond the scope of the "reasonable procedures" requirements in Section 326. Further, we disagree with Footnote #4 in that a number of credit unions do not have access to such technology, and it could be very costly for them to obtain. Thus, we urge the regulators to remove the language regarding "logical consistency" along with Footnote #4.
Lack of Verification
Under the proposal, the CIP must include procedures for responding to circumstances in which the financial institution cannot form a reasonable belief that it knows the true identity of a member/customer, including when an account should not be opened or closed after it has been opened. Some credit unions are very concerned about these provisions. To help them and other financial institutions avoid potential problems with disgruntled individuals who are denied an account, it would be helpful if the proposal provided more guidance as to when it would be considered reasonable for an institution not to have opened an account in the first place.
Under the proposal, a financial institution is required to maintain a record of all identifying information provided by the customer/member. The CIP must include reasonable procedures for maintaining such records. As the proposal states, where an institution relies on a document to verify identity, the institution must maintain a copy of the document that it relied on that clearly evidences the type of document and any identifying information it may contain. All institutions must retain all of these records for 5 years after the date the account is closed.
CUNA is strongly opposed to the recordkeeping requirements that the proposal would impose. While the procedures for verifying identity are fairly consistent with general practices among credit unions (with a few notable exceptions as addressed above), the recordkeeping requirements are far more extensive, and thus far more burdensome, than the current procedures most credit unions employ.
More specifically, the requirement to photocopy and retain for five years each document relied upon for verification is regulatory overkill, and there are no assurances it will help the government in its efforts to track potential terrorists.
To help institutions comply, we urge the regulators to allow them to list the documents or other information on which they relied, or otherwise make a notation in the appropriate file, regarding what they reviewed to verify a member's/customer's identity. This would replace the requirement that all documents be photocopied. In light of the fact that a number of states already collect, maintain, and share information about their residents through the process of licensing drivers, providing other licenses, or police tracking, we do not feel it is necessary for financial institutions to develop individual record keeping systems that replicate what is already being provided by the states.
In any event, we question the five-year record retention period, given the mobility of today's society. Because we feel many records could be outdated in five years, we think the maximum period that records (or as we are recommending, notations) be kept in the file should be two years.
Conflicts with State Laws
The regulators ask for comments on whether the proposal would subject institutions to conflicting state laws. We believe that in some instances, this could be the case. For example, Section 46.2-346 of Virginia law provides that no one may reproduce any driver's license without obtaining prior written permission from the Department of Motor Vehicles. Other states may have similar provisions that should be taken into consideration in finalizing the regulation.
Comparison With Government Lists
Section 326 requires institutions to consult lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency. The proposal states that this requirement applies only with respect to lists circulated by the Federal government.
This language has resulted in considerable confusion as to which lists credit unions are required to check and whether compilations such as the Federal Bureau of Investigation's "Most Wanted" list are included. We encourage the regulators to address this concern.
One approach would be for FinCEN to become the central repository for maintaining a consolidated list that includes all the names generated by all relevant agencies that credit unions and other financial institutions are required to check.
At a minimum, we request the regulators to develop an Appendix to the regulation that provides the titles of the various lists institutions must check. The Appendix could include the name of the corresponding agency that develops each list, and should be updated as frequently as necessary to ensure compliance for financial institutions. The list should be accessible through the website of each federal financial institution regulatory agency, as well as through the website of FinCEN and OFAC.
On a different but related matter, the issue of compliance with OFAC requirements is a continuing one that has been exacerbated by the new proposal under Section 326, which when implemented, is intended to dovetail with those current requirements. We are anxious to work with OFAC to relieve regulatory barriers that could impede compliance with current OFAC requirements. In that connection, by separate correspondence, CUNA is requesting a meeting with the Chief, Compliance Programs Division of OFAC, Mr. Dennis Wood, to begin an important dialogue on how we can work with OFAC to address issues related to regulatory burden. We want to coordinate this effort with the National Credit Union Administration and FinCEN and will be following up with both those agencies on this matter.
The CIP must include procedures for providing financial institution members/customers with adequate notice that the institution is requesting information to verify their identity. An institution may satisfy the notice requirement by generally notifying its members/customers about the procedures the institution must comply with to verify their identities. For example, a credit union may post a sign in its lobby or provide members with any other form of written or oral notice. If an account is opened electronically, such as through an Internet website, the institution may also provide notice electronically.
We support this approach, while requesting further clarification for accounts opened through the Internet. We request that the regulators allow institutions opening accounts through the Internet to fulfill the notice requirement by posting suitable language on their home page. This approach would be the most analogous to the provisions in the proposal that allow institutions to post a notice in their lobby for accounts opened in person.
Under the proposal, NCUA with the concurrence of the Secretary of the Treasury may, by order or regulation, exempt any credit union or type of account from its requirements. The proposal is also seeking comments on whether any of the exemptions in Section 103.34(a) of the BSA (12 C.F.R. §103.34(a)) could apply. That section of the BSA provides that a financial institution does not need to obtain a taxpayer identification number with respect to certain categories of persons opening accounts. CUNA believes this issue deserves considerable review by the agencies. Some of the individuals who might be exempted under this provision would include aliens who are in the country on a temporary basis; aliens who are enrolled in a training program supervised by the U.S. Government; aliens who are officials of a foreign government or such officials' immediate family members; and nonresident aliens.
While we recognize that it might be problematic for financial institutions to verify the identity of such individuals, there is a concern that an exemption applied broadly, as indicated in the proposal, might create the kind of vulnerabilities for the financial system that the proposal and the USA PATRIOT Act seek to address.
Rather than a blanket exemption, we urge the regulators to give careful consideration to the inclusion of such individuals within the scope of the final rule. We request that the regulators consider what steps the federal government could take to facilitate compliance for financial institutions, which would be handling account openings for such individuals.
For example, the government could compile and make available a central list that includes the categories of individuals who are in this country for a short period of time. We understand that temporary visitors to the U.S. complete Form I-94, Record of Arrival-Departure, from the Immigration and Naturalization Service (INS) at the port of entry. One possible approach would be for the INS to develop a composite list of the individuals completing such forms and provide it to FinCEN for distribution to institutions.
We appreciate the opportunity to share our views on the member/customer identification procedures under the USA PATRIOT Act. As we indicate above, CUNA supports full compliance with the statute. We offer our recommendations discussed above to facilitate compliance and produce a more feasible set of requirements that is fully consistent with Section 326. Please do not hesitate to contact me if you have any questions or need further information about our comments.
Mary Mitchell Dunn
Associate General Counsel and Senior Vice President