Skip to main content
U.S. flag
An official website of the United States government
Dot gov
The .gov means it’s official. 
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.
Https
The site is secure. 
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

FIL-133-98 Attachment

[Federal Register: December 7, 1998 (Volume 63, Number 234)]

[Proposed Rules]

[Page 67529-67536]

From the Federal Register Online via GPO Access [wais.access.gpo.gov]

[DOCID:fr07de98-22]


 

-----------------------------------------------------------------------


 

FEDERAL DEPOSIT INSURANCE CORPORATION


 

12 CFR Part 326


 

RIN 3064-AC19


 

 

Minimum Security Devices and Procedures and Bank Secrecy Act

Compliance


 

AGENCY: Federal Deposit Insurance Corporation.


 

ACTION: Notice of proposed rulemaking.


 

-----------------------------------------------------------------------


 

SUMMARY: The FDIC is proposing to issue a regulation requiring insured

nonmember banks to develop and maintain ``Know Your Customer''

programs. As proposed, the regulation would require each nonmember bank

to develop a program designed to determine the identity of its

customers; determine its customers' sources of funds; determine the

normal and expected transactions of its customers; monitor account

activity for transactions that are inconsistent with those normal


 

[[Page 67530]]


 

and expected transactions; and report any transactions of its customers

that are determined to be suspicious, in accordance with the FDIC's

existing suspicious activity reporting regulation. By requiring insured

nonmember banks to determine the identity of their customers, as well

as to obtain knowledge regarding the legitimate activities of their

customers, the proposed regulation will reduce the likelihood that

insured nonmember banks will become unwitting participants in illicit

activities conducted or attempted by their customers. It also will

level the playing field between institutions that already have adopted

formal Know Your Customer programs and those that have not.


 

DATES: Comments must be received by March 8, 1999.


 

ADDRESSES: Comments should be directed to: Robert E. Feldman, Executive

Secretary, Attention: Comments/OES, Federal Deposit Insurance

Corporation, 550 17th Street, N.W., Washington, DC 20429. Comments may

be hand-delivered to the guard station at the rear of the 550 17th

Street Building (located on F Street), on business days between 7 a.m.

and 5 p.m. In addition, comments may be sent by fax to (202) 898-3838,

or by electronic mail to comments@FDIC.gov. Comments may be inspected

and photocopied in the FDIC Public Information Center, Room 100, 801

17th Street, NW, Washington, D.C., between 9 a.m. and 4:30 p.m., on

business days.


 

FOR FURTHER INFORMATION CONTACT: Carol A. Mesheske, Special Activities

Section, Division of Supervision, (202) 898-6750, or Karen L. Main,

Counsel, Legal Division (202) 898-8838.


 

SUPPLEMENTARY INFORMATION:


 

Background


 

The integrity of the financial sector depends on the ability of

banks and other financial institutions to attract and retain legitimate

funds from legitimate customers. Financial institutions are able to

attract and retain the business of legitimate customers because of the

quality and reliability of the services being rendered and, as

important, the sound and highly respected reputation of the banking

industry. Illicit activities, such as money laundering, fraud, and

other transactions designed to assist criminals in their illegal

ventures, pose a serious threat to the integrity of financial

institutions. When transactions at financial institutions involving

illicit funds are revealed, these transactions invariably damage the

reputation of the financial institutions involved and, potentially, the

entire financial sector. While it is impossible to identify every

transaction at an institution that is potentially illegal or is being

conducted to assist criminals in the movement of illegally derived

funds, it is fundamental for safe and sound operations that financial

institutions take reasonable measures to identify their customers,

understand the legitimate transactions typically conducted by those

customers, and, consequently, identify those transactions conducted by

their customers that are unusual or suspicious in nature. By

identifying and, when appropriate, reporting such transactions in

accordance with existing suspicious activity reporting requirements,

financial institutions are protecting their integrity and are assisting

the efforts of the financial institution regulatory agencies and law

enforcement authorities to combat illicit activities at such

institutions.

One of the most effective means by which an insured nonmember bank

can both protect itself from engaging in transactions designed to

facilitate illicit activities and ensure compliance with applicable

suspicious activity reporting requirements is for the nonmember bank to

have adequate Know Your Customer policies and procedures. By knowing

its customers, an insured nonmember bank is better able to fulfill its

compliance responsibilities, including its Bank Secrecy Act and

suspicious activity reporting requirements, 12 CFR 326.8 and 12 CFR

part 353, respectively.

Recognizing that a Know Your Customer program for one nonmember

bank will not necessarily be appropriate for another, the proposed

regulation identifies only the basic components that the FDIC believes

should be contained in any Know Your Customer program. In supplemental

guidance to be provided at the time this regulation becomes final, the

FDIC, in coordination with the other federal financial institution

supervisory agencies, will provide further information about specific

steps that institutions may consider taking as they implement their

Know Your Customer programs. The FDIC believes that this approach

strikes an appropriate balance that responds to requests for additional

guidance in this area while preserving the flexibility for each insured

nonmember bank to take steps appropriate for its customers.


 

Privacy Issues


 

The proposed regulation requires insured nonmember banks to gather

information about customers that, if misused, could result in an

invasion of a customer's privacy. Given the potential for abuse in this

area, it is the FDIC's expectation that, in complying with the Know

Your Customer regulation, a nonmember bank will obtain only that

information that is necessary to comply with the regulation and will

limit the use of this information to complying with the regulation.

Insured nonmember banks need to safeguard and handle responsibly the

information gathered in connection with complying with these

obligations, and should integrate comprehensive privacy practices into

their Know Your Customer programs.


 

Authority To Issue the Regulation


 

The proposed regulation is authorized pursuant to the FDIC's

statutory authority under section 8(s)(1) of the Federal Deposit

Insurance Act (12 U.S.C. 1818(s)(1)), as amended by section 2596(a)(2)

of the Crime Control Act of 1990 (Pub. L. 101-647), which requires the

FDIC to issue regulations requiring banks under its supervision to

establish and maintain internal procedures reasonably designed to

ensure and monitor compliance with the Bank Secrecy Act. Effective Know

Your Customer programs serve to facilitate compliance with the Bank

Secrecy Act.


 

Proposal


 

The FDIC proposes to revise 12 CFR part 326 by adding a new subpart

requiring insured nonmember banks to develop and implement Know Your

Customer programs. Under the proposed regulation, the FDIC would expect

each nonmember bank to design a program that is appropriate given its

size and complexity, the nature and extent of its activities, its

customer base and the levels of risk associated with its various

customers and their transactions. The FDIC believes that this approach

is preferable to a detailed regulation that imposes the same list of

specific requirements on every bank regardless of its circumstances.

The FDIC recognizes that a Know Your Customer requirement will impose

additional burdens on some insured nonmember banks. Mindful of that

fact, the FDIC is striving to impose only those requirements that are

necessary to ensure that insured nonmember banks have in place adequate

Know Your Customer programs.

Each of the other federal bank supervisory agencies is proposing to

adopt substantially identical regulations covering state member and

national banks, federally-chartered branches and agencies of foreign

banks, savings associations, and credit unions. There also have been

discussions with the


 

[[Page 67531]]


 

federal regulators of non-bank financial institutions, such as broker-

dealers, concerning the need to propose similar rules governing the

activities of these non-bank institutions.


 

Analysis of Subpart C


 

Section 326.9 Know Your Customer Compliance


 

Paragraph (a)--Purpose

The purposes of adopting a Know Your Customer program are to

protect the reputation of the insured nonmember bank; to facilitate the

insured nonmember bank's compliance with all applicable statutes and

regulations (including the Bank Secrecy Act and the FDIC's suspicious

activity reporting regulations) and with safe and sound banking

practices; and to protect the insured nonmember bank from becoming a

vehicle for, or a victim of, illegal activities perpetrated by its

customers.

This subpart applies to all insured state nonmember banks as well

as any insured, state-licensed branches of foreign banks.

Paragraph (b)--Definitions

The proposed regulation defines the term ``customer'' as any person

or entity who has an account involving the receipt or disbursal of

funds with an insured nonmember bank covered by this regulation and any

person or entity on behalf of whom an account is maintained. Thus, for

instance, if an account is opened on behalf of a third party, the

nonmember bank will need to treat as a customer both the person or

entity opening the account and the person or entity for whom the

account is opened. A customer would include an accountholder, a

beneficial owner of an account, or a borrower. A ``customer'' could

include the beneficiary of a trust, an investment fund, a pension fund

or a company whose assets are managed by an asset manager; a

controlling shareholder of a closely held corporation; or the grantor

of a trust established in an off-shore jurisdiction. The term

``customer'' does not include recipients of services for which the

receipt or disbursal of customer funds is incidental, for instance,

safe deposit box rentals.

The proposed regulation does not differentiate between current

customers and new customers. The effectiveness of an insured nonmember

bank's Know Your Customer program would be greatly reduced if all

customer accounts in existence prior to the effective date of the

regulation were excluded from its scope. However, the FDIC does not

believe that it is practicable for a nonmember bank to conduct a large-

scale information request from all its existing customers. Rather, a

nonmember bank may comply with the proposed regulation with respect to

its current customers by determining their normal and expected

transactions, using available account data, and monitoring their

transactions for suspicious activities. However, depending on the

nature of the risk associated with some customers and their

transactions (for instance, transactions involving private banking

customers), it may be necessary to fulfill all of the requirements of

this regulation as if they were new customers.

Paragraph (c)--Establishment of Know Your Customer Program

This paragraph requires that each insured nonmember bank establish

a Know Your Customer program by April 1, 2000. Additionally, this

paragraph requires that the Know Your Customer program be reduced to

writing and approved by the board of directors of the nonmember bank,

or a committee thereof, and the approval recorded in the official

minutes of the board.

Paragraph (d)--Contents of Know Your Customer Program

This paragraph sets forth the specific requirements for the

contents of the Know Your Customer program. The FDIC recognizes that

insured nonmember banks vary considerably in the way in which they

conduct their business on a day-to-day basis. Therefore, the FDIC

believes that to impose a regulation that simply requires each insured

nonmember bank to follow a pre-designed, standardized checklist would

not be appropriate. The proposed regulation thus allows each nonmember

bank to develop and delineate a system that will comprise the Know Your

Customer program, consistent with the banking practices of the

particular bank that, when followed by the nonmember bank, will

effectively meet the requirements and goals of the regulation.

Section 326.9(d) reflects the FDIC's recognition that each insured

nonmember bank's Know Your Customer program may vary depending on the

nature of the specific activity, the type of customers involved, the

size of the transactions, and other factors that reflect the nonmember

bank's assessment of the risk presented. In complying with this

section, it may be beneficial for insured nonmember banks to classify

customers into varying risk-based categories that the insured nonmember

banks can use in determining the amount and type of information,

documentation and monitoring that is appropriate. While the proposed

regulation will provide nonmember banks with substantial flexibility in

devising an appropriate Know Your Customer program, the FDIC believes

that all Know Your Customer programs should contain certain critical

features, which are discussed below.

Documentation and due diligence. Paragraph (d)(1) of Sec. 326.9

requires that the Know Your Customer program delineate acceptable

documentation requirements and due diligence procedures the insured

nonmember bank will follow in meeting the requirements of the proposed

regulation. The delineation of this information in the Know Your

Customer program will ensure that the same standards are applied

throughout the nonmember bank and will inform auditors and examiners of

the nonmember bank's established standards for review of customer

information.

Minimum steps to take to comply with the Know Your Customer rule.

Paragraph (d)(2) of Sec. 326.9 sets forth the steps an insured

nonmember bank needs to take in order to know its customers. The

proposed regulation requires that, rather than following a

``checklist'' approach, an insured nonmember bank may develop a

``system'' designed to meet the basic requirements of the regulation.

The system approach allows each insured nonmember bank to design its

own program, in accordance with its own business practices, that will

best suit the nonmember bank. While this places some burden on the

nonmember bank to develop the specifics of the Know Your Customer

program, such an approach recognizes that each insured nonmember bank

conducts business in accordance with its own policies, procedures,

goals and objectives. The Know Your Customer program, in order to be

the most effective, must be developed and implemented with the

nonmember bank's regular and ordinary business practices in mind. The

FDIC believes that all Know Your Customer programs should contain

certain critical features, which are set forth below.

Identify the customer. Paragraph (d)(2)(i) requires that the Know

Your Customer program provide a system for determining the true

identity of prospective customers. If an insured nonmember bank has

reasonable cause to believe that it lacks sufficient information to

know the identity of an existing customer, paragraph (d)(4)(ii)(A) also

requires that the program provide a system for


 

[[Page 67532]]


 

determining the identity of that customer.

It is imperative that an insured nonmember bank establish, to its

own satisfaction, that it is dealing with a legitimate customer,

whether the customer is a natural person, corporation, or other

business entity. The nature and extent of the identification process

should be commensurate with the types of transactions anticipated by

the customer and the risks associated with such transactions. If a

prospective customer refuses to provide any of the requested

information, sound practices would require that the nonmember bank not

open the account. Similarly, if additional or follow-up information is

not forthcoming from an established customer, sound practices would

require that consideration be given to terminating the account

relationship.

The best identification documents for verifying the identity of

prospective customers are the ones that are the most difficult to

obtain illicitly and the most difficult to counterfeit. No single form

of identification can be guaranteed to be genuine, however. Therefore,

the identification process should be cumulative, obtaining enough

information and documentation to assure the insured nonmember bank that

it has adequately identified the prospective customer. For individual

accounts, this might include, for instance, a document containing a

photograph and signature of the individual. For corporate or business

customers, the customer identification process could include the review

of appropriate documentation that allows for a means to verify that the

corporation or other business entity does exist and does engage in the

business, as stated. All documentation reviewed, as well as

verifications of the information contained therein, should be recorded

and maintained by the nonmember bank.

Any practice of an insured nonmember bank that allows for the

establishment of a customer relationship without face-to-face contact

with bank personnel, such as banking by mail or Internet banking, poses

difficulties in the identification of the prospective customer by use

of the traditionally accepted practice of obtaining identification

documentation, to include photographic identification. Even though

photographic identification in such circumstances will be impractical,

other accepted means of identifying a customer are still viable. In

such circumstances, special care should be given to verification of

address and telephone number. Moreover, insured nonmember banks should

consider using commercially available data to compare items such as

name with date of birth and social security number.

If an insured nonmember bank offers private banking services, it is

important that the nonmember bank understand a customer's personal and

business background, source of funds, and intended use of the private

banking services. Typically, private banking customers are clients of

financial advisors or make use of account vehicles such as personal

investment companies, trusts, and personal mutual investment funds. The

establishment of such accounts serves the stated purposes of protecting

the legitimate confidentiality and financial privacy of the customers

who use such accounts. However, the need to identify properly the

beneficial owners of such accounts, through an effective Know Your

Customer program, is necessary to the continued safe and sound

operation of the insured nonmember bank. Any needed confidentiality

required by customers of an insured nonmember bank's private banking

department can be addressed by the development of special protections

to limit access to information that would generally reveal the

beneficial owners of those accounts.

Introductions or referrals of prospective customers by established

customers of the insured nonmember bank, while extremely valuable in

providing background information about the prospective customer, cannot

take the place of identification requirements that should be set forth

in the nonmember bank's Know Your Customer program. Details regarding

the introduction or referral should be documented so that the

information obtained can be effectively used to assist in the

verification of the prospective customer.

The extent of the information regarding the customer that may be

necessary to fulfill the nonmember bank's Know Your Customer

obligations should depend on a risk-based assessment of the customer

and the transactions that are expected to occur, and should be

addressed within the insured nonmember bank's Know Your Customer

program.

Determine the source of funds. Paragraph (d)(2)(ii) requires that

the Know Your Customer program provide a system for determining the

source of a customer's funds. The amount of information needed to do

this can depend on the type of customer in question. As an example, if

a retail banking customer maintains demand deposit accounts funded

primarily from payroll deposits, it should be a relatively simple task

to identify and document the source of funds as payroll deposits. On

the other hand, a more detailed analysis, with a more extensive

documentation process, would be required for high net worth customers

with multiple deposits from a variety of sources. For these reasons,

among others, it may be beneficial for insured nonmember banks to

classify customers into varying categories, based on factors such as

the types of accounts maintained, the types of transactions conducted,

and the potential risk of illicit activities associated with such

accounts and transactions. An insured nonmember bank could then develop

procedures to obtain necessary information and documentation based on

the risk assessment for the various categories or classes established

by the nonmember bank.

Determine normal and expected transactions. Paragraph (d)(2)(iii)

requires that the Know Your Customer program provide a system for

determining a customer's normal and expected transactions involving the

insured nonmember bank. A nonmember bank's understanding of a

customer's normal and expected transactions should be based on

information obtained both when an account is opened and during a

reasonable period of time thereafter. It also should be based on normal

transactions for similarly situated customers. Without this

information, an insured nonmember bank is unable to identify suspicious

transactions.

Monitor the account transactions. Paragraph (d)(2)(iv) requires

that the Know Your Customer program provide a system for monitoring, on

an ongoing basis, the transactions conducted by customers to identify

transactions that are inconsistent with the normal and expected

transactions for particular customers or for customers in the same or

similar categories or classes. The proposed regulation does not require

that every transaction of every customer be reviewed. Rather, it

requires that an insured nonmember bank develop a monitoring system

that is commensurate with the risks presented by the accounts

maintained at that bank.

In designing a monitoring system, an insured nonmember bank may

choose to classify accounts into various categories based on factors

such as the type and size of account, the types, number, and size of

transactions conducted in the account, and the risk of illicit activity

associated with the account. For certain classes or categories of

accounts, it would be sufficient for an effective monitoring system to

establish parameters for which the transactions


 

[[Page 67533]]


 

within these accounts will normally occur. Rather than monitoring each

transaction, an effective monitoring system could entail monitoring

only for those transactions that exceed the established parameters for

that particular class or category of accounts. For other categories or

classes of accounts, such as private banking accounts, it may be

necessary to monitor each significant transaction.

Determine if transaction should be reported. Once a transaction is

identified as inconsistent with normal and expected transactions,

paragraph (d)(2)(v) requires that an insured nonmember bank determine

if the transaction warrants the filing of a Suspicious Activity Report.

This is consistent with an insured nonmember bank's existing

obligations under 12 CFR 353.3(a). In identifying reportable

transactions, an insured nonmember bank should not conclude that every

transaction that falls outside what is expected for a given customer

should be reported. Rather, a nonmember bank should focus on patterns

of inconsistent transactions and isolated transactions that present

risk factors that warrant further review.

Paragraph (e)--Compliance With Know Your Customer Program

This paragraph sets forth the requirements an insured nonmember

bank must follow to ensure that it is in compliance with its Know Your

Customer program. The requirements include that an insured nonmember

bank provide for and document a system of internal controls to ensure

ongoing compliance, as well as provide for and document independent

testing for compliance with the Know Your Customer program.

Additionally, the nonmember bank must designate an individual

responsible for coordinating and monitoring day-to-day compliance and

provide for and document training to all appropriate personnel of the

content and requirements of the Know Your Customer program.

Paragraph (f)--Availability of Documentation

This paragraph requires, for all accounts opened or maintained in

the United States, that all information and documentation necessary to

comply with the regulations be made available for examination and

inspection, at a location specified by an FDIC representative, within

48 hours of a request for such information and documentation. In

instances where the information and documentation is at a location

other than where the customer's account is maintained or the financial

services are rendered, the insured nonmember bank must adopt, as part

of its Know Your Customer program, specific procedures designed to

ensure that the information and documentation is reviewed on an ongoing

basis by appropriate personnel. The nonmember bank should maintain

written evidence that the appropriate review is being performed on a

regular basis.

While issues arise on occasion concerning documentation on accounts

domiciled in the United States by foreign accountholders, the FDIC

believes that the information typically already exists within the

insured nonmember bank in the United States because the information is

used by the relationship manager, who resides in the United States, as

well as other components of the nonmember bank to provide banking

services to the customer.


 

Comments Sought


 

The FDIC invites comment on any aspect of the rule, and

specifically seeks comment on the following issues:

1. Whether the proposed definition of ``customer'' is sufficient to

include all persons who benefit from an account opened at an insured

nonmember bank such as persons who establish off-shore shell companies

or entities or otherwise conduct their business through intermediaries.

2. Whether the proposed definition of ``customer'' is too broad and

will unnecessarily include persons that pose a minimal Know Your

Customer risk.

3. Whether an insured nonmember bank's Know Your Customer program

should apply to a nonmember bank's counterparty relationships with

respect to transactions in wholesale financial markets (e.g., sales or

purchases involving foreign exchange or securities) and correspondent

banking relationships. If so, would a different standard than that

applicable to retail relationships be more appropriate for wholesale

and correspondent banking relationships? If such a distinction is

appropriate, is the proposed definition of ``customer'' sufficient?

4. Whether the benefits of implementing Know Your Customer

requirements outweigh the costs involved.

5. Whether the proposed regulation will create a competitive

disadvantage with respect to other financial entities offering similar

services that may not be subject to similar regulations (citing, where

possible, specific examples) and, if so, what could be done to mitigate

the disadvantage consistent with the FDIC's supervisory

responsibilities.

6. Whether the actual or perceived invasion of personal privacy

interests is outweighed by the additional compliance benefits

anticipated by this proposal.

7. Whether there should be a minimum account size threshold below

which the Know Your Customer requirements should be waived.


 

Regulatory Flexibility Act


 

Under the Regulatory Flexibility Act, the FDIC must either provide

an Initial Regulatory Flexibility Analysis (IRFA) with this proposed

rule, or certify that the proposed rule would not have a significant

economic impact on a substantial number of small entities. The proposed

rule is designed to be flexible so that each insured nonmember bank can

design a Know Your Customer program appropriate for its circumstances.

While advantageous to insured nonmember banks, this flexibility makes

it difficult to predict the magnitude of the economic impact of the

proposed rule on insured nonmember banks. The FDIC cannot, at this

time, determine whether the proposed rule would have a significant

economic impact on a substantial number of small entities. The FDIC,

therefore, includes this IRFA.


 

A. Reasons For and Objectives of the Proposed Rule.


 

The proposed Know Your Customer rule is designed to deter and

detect financial crimes, such as money laundering, tax evasion, and

fraud. Financial crimes conducted at or through financial institutions,

even where financial institutions are not parties to the transactions,

can damage the reputations of the institutions involved, and possibly

of the entire banking industry. Under current law, financial

institutions are required to report suspicious activities to law

enforcement authorities, but are not required to specifically search

for suspicious activities. As a result, suspicious activities may go

unreported, and illegal activity may go undetected. Know Your Customer

programs would better enable financial institutions to alert law

enforcement authorities to potential criminal conduct and help deter

criminal conduct in the banking industry.

The FDIC has two primary objectives for this proposed rulemaking:

(1) increasing insured nonmember banks' detection and reporting of

suspicious customer activities; and, (2) deterring financial crimes at

insured nonmember banks.

The proposed rule would apply to large and small insured nonmember


 

[[Page 67534]]


 

banks. Small nonmember banks are generally defined, for Regulatory

Flexibility Act purposes, as those with assets of $100 million or less.

This proposed rule would apply to approximately 3,950 small insured

nonmember banks.


 

B. Requirements of the Proposed Rule.


 

The proposed rule would require insured nonmember banks to identify

their customers, determine their customers' normal and expected

transactions, determine their customers' sources of funds, monitor

transactions to find those that are not normal and expected, and, for

transactions that are not normal and expected, identify which are

suspicious. Insured nonmember banks are required to report any

suspicious transactions under current law, and this proposed rule would

have no additional reporting requirements.

The impact of the proposed regulation on a nonmember bank's

resources, and the skills necessary to comply with it, will vary from

one nonmember bank to another because the proposed regulation is

designed to take into account each bank's size and resources. Because

each nonmember bank would be able to design an individualized Know Your

Customer program, it is difficult to specify the type of professional

skills necessary for preparing any required records or reports. Large

insured nonmember banks may be more likely to use computerized Know

Your Customer programs, and in that event would be more likely to need

professional computer skills. Small nonmember banks that choose to

automate their Know Your Customer programs would need professional

computer skills.

Know Your Customer monitoring would be similar to monitoring that

insured nonmember banks already do. For example, insured nonmember

banks monitor customer transactions to ensure that cash transactions

exceeding $10,000 are reported under the Bank Secrecy Act, to ensure

that customers do not overdraw their accounts, and to ensure that loan

payments are accurate and timely. Thus, Know Your Customer monitoring

would rely, at least in part, on computer and other skills that insured

nonmember bank personnel already have and regularly use.


 

C. Significant Alternatives


 

1. No Know Your Customer Requirements

The FDIC considered recommending Know Your Customer procedures

rather than proposing regulatory requirements. The FDIC decided to

propose this rulemaking, however, because of the risks that insured

nonmember banks face from customers who attempt illegal activities.

Illegal activities would harm a nonmember bank's reputation and that of

the entire banking industry. Requiring Know Your Customer programs

significantly reduces the likelihood that some insured nonmember banks

would not establish or adhere to such programs. In addition, because

other federal banking agencies are proposing Know Your Customer rules,

the FDIC believes that criminals would quickly move their illegal funds

transfers into insured nonmember banks without Know Your Customer

programs, thus increasing those banks' exposure to illegal activity.

Moreover, recommending rather than requiring Know Your Customer

programs would allow customers to simply refuse to answer appropriate

questions about their identities or transactions. If Know Your Customer

programs are required, insured nonmember banks can more easily collect

the necessary information because customers cannot turn readily to

another financial institution free of such requirements.

For these reasons, merely recommending Know Your Customer programs

would interfere with the FDIC's goals of increasing insured nonmember

banks' detection and reporting of suspicious customer activities, and

deterring financial crimes at insured nonmember banks.

2. Exemption for Small Nonmember Banks

The FDIC considered exempting small nonmember banks from Know Your

Customer requirements. However, this alternative has the disadvantage

of possibly creating a haven for criminal activity. It is likely that

criminals would concentrate their activity at those nonmember banks not

subject to any Know Your Customer requirements. An exemption for small

insured nonmember banks would conflict with the FDIC's goals of

increasing insured nonmember banks' detection and reporting of

suspicious customer activities and deterring financial crimes at

insured nonmember banks.

3. Flexible Know Your Customer Requirements

The FDIC is proposing to require that all insured nonmember banks

establish and follow Know Your Customer programs, but the proposal will

allow each nonmember bank to develop a program appropriate for its

circumstances, including but not limited to its size and resources.

This approach is preferable to the first two alternatives because it

does not allow criminals to choose an insured nonmember bank without

Know Your Customer requirements to conduct illegal activities. A

flexible alternative also avoids requirements beyond the means of small

nonmember banks. Small nonmember banks could use simpler, less costly,

and less burdensome programs than larger insured nonmember banks.


 

D. Other Matters


 

The FDIC has the statutory authority to promulgate this proposed

regulation. There are no federal rules that duplicate, overlap, or

conflict with this proposed rule.

The FDIC encourages comment on all aspects of this IRFA, including

comments on any significant economic impact the proposed rule would

have on small entities.


 

Paperwork Reduction Act


 

In accordance with the Paperwork Reduction Act (44 U.S.C. 3501 et

seq.) the FDIC may not conduct or sponsor, and a person is not required

to respond to, a collection of information unless it displays a

currently valid Office of Management and Budget (OMB) control number. A

collection of information contained in this rule and described below

has been submitted to OMB for review. Comments on the collection of

information should be sent to the desk officer for the FDIC: Alexander

T. Hunt, Office of Information and Regulatory Affairs, Office of

Management and Budget, New Executive Office Building, Room 3208,

Washington, DC 20503. Copies of comments should also be sent to: Steven

F. Hanft, FDIC Clearance Officer, Office of the Executive Secretary,

Federal Deposit Insurance Corporation, 550 17th Street, NW, Washington,

DC 20429, (202) 898-3907. Comments may be hand-delivered to the guard

station at the rear of the 17th Street building (located on F Street)

on business days between 7:00 a.m. and 5:00 p.m. [Fax number (202) 898-

3838; Internet address: COMMENTS@FDIC.GOV]. For further information on

the Paperwork Reduction Act aspect of this rule, contact Steven F.

Hanft at the above address. OMB will make a decision concerning the

change in the information collection between 30 and 60 days after the

publication of this document in the Federal Register. Therefore, a

comment to OMB is best assured of having its full effect if OMB

receives it within 30 days of this publication. Unless the FDIC

publishes a notice to the contrary, the public may assume that the

change in the collection


 

[[Page 67535]]


 

was approved within 60 days of this publication.

Comment is solicited on: (i) Whether the proposed collection of

information is necessary for the proper performance of the functions of

the agency, including whether the information will have practical

utility;

(ii) The accuracy of the agency's estimate of the burden of the

proposed collection of information, including the validity of the

methodology and assumptions used;

(iii) The quality, utility, and clarity of the information to be

collected; and

(iv) Ways to minimize the burden of the collection of information

on those who are to respond, including through the use of appropriate

automated, electronic, mechanical, or other technological collection

techniques or other forms of information technology, e.g., permitting

electronic submission of responses.

Title of the collection: The proposed rule will modify an

information collection previously approved by OMB titled ``Procedures

for Monitoring Bank Secrecy Act Compliance'' under OMB control number

3064-0087.

Summary of the change to the collection: The proposed rule will

modify the collection by adding a requirement that each bank develop a

written ``Know Your Customer'' program.

Need and Use of the information: Banks will use the Know Your

Customer program to assure that they do not become unwitting

participants in illicit activities conducted or attempted by their

customers. The FDIC will use the information kept to ensure and monitor

compliance with the Bank Secrecy Act.

Respondents: State nonmember banks (approximately 6,000).

Estimated annual burden: The majority of the paperwork burden

associated with the proposed rule is the one-time cost of developing a

plan and implementing written policies and procedures which will occur

in the first year of the rule's application to a covered bank. In the

normal course of business, most institutions likely already have

sufficient information about their customers in their files and would

only need to organize and review such information. The FDIC estimates

that there will be 6,000 recordkeepers in the first year. In subsequent

years, the recordkeepers will consist of newly-chartered institutions

subject to the rule. The proposed rule is not expected to significantly

increase the ongoing annual burden for the recordkeepers because most

of the ongoing burden is incurred in the normal course of their

business activities and or accounted for under other existing

information collections including their fraud prevention procedures,

their monitoring of transactions for reporting on the Department of the

Treasury's Currency Transaction Reports and as part of their procedures

to detect violations or suspicious activity reported on the Suspicious

Activity Report. Because the records would be maintained at the subject

organizations and are not provided to the Board, no issue of

confidentiality under the Freedom of Information Act arises.

Frequency of response: Occasional.

Number of responses: 6,000.

Number of hours to prepare a response: 10--30 hours, with an

average of 20 hours.

Total annual burden: 120,000.


 

List of Subjects in 12 CFR Part 326


 

Banks, banking, Bank robbery, Bank Secrecy Act, Crime, Currency,

Reporting and recordkeeping requirements, Security measures.


 

Authority and Issuance


 

For the reasons set forth in the preamble, part 326 of title 12 of

the Code of Federal Regulations is proposed to be amended as follows:


 

PART 326--MINIMUM SECURITY DEVICES AND PROCEDURES AND BANK SECRECY

ACT COMPLIANCE


 

1. The authority citation for part 326 continues to read as

follows:


 

Authority: 12 U.S.C. 1813, 1815, 1817, 1818, 1819[Tenth], 1881-

1883; 31 U.S.C. 5311-5324.


 

2. A new subpart C is added to read as follows:


 

Subpart C--Know Your Customer Compliance



 

Sec. 326.9 Know Your Customer rule.


 

(a) Purpose. This subpart requires that all insured nonmember banks

as defined in 12 CFR 326.1(a) establish and regularly maintain

procedures designed to determine the identity of their customers, as

well as their customers' normal and expected transactions and sources

of funds involving the nonmember bank. These procedures (referred to as

the ``Know Your Customer'' program) are intended to: protect the

reputation of the nonmember bank; facilitate the nonmember bank's

compliance with all applicable statutes and regulations (including the

Bank Secrecy Act and the suspicious activity reporting requirements of

12 CFR 353.3) and with safe and sound banking practices; and protect

the insured nonmember bank from becoming a vehicle for or a victim of

illegal activities perpetrated by its customers.

(b) Definition of customer. For the purposes of this section,

customer means:

(1) Any person or entity who has an account with an insured

nonmember bank covered by this subpart involving the receipt or

disbursal of funds; and

(2) Any person or entity on behalf of whom an account is

maintained.

(c) Establishment of Know Your Customer program. Each insured

nonmember bank shall develop and provide for the continued

administration of a Know Your Customer program by April 1, 2000. The

Know Your Customer program shall be reduced to writing and approved by

the board of directors (or a committee thereof) with the approval

recorded in the official minutes of the board.

(d) Contents of Know Your Customer program. The Know Your Customer

program may vary in complexity and scope according to categories or

classes of customers established by the nonmember bank and the

potential risk of illicit activities associated with those customers'

accounts and transactions.

(1) Appropriate documentation requirements and due diligence

procedures established by the insured nonmember bank to comply with

this section.

(2) A system for:

(i) Determining the identity of the insured nonmember bank's new

customers and, if the nonmember bank has reasonable cause to believe

that it lacks adequate information to know the identity of existing

customers, determining the identity of those existing customers;

(ii) Determining the customer's sources of funds for transactions

involving the insured nonmember bank;

(iii) Determining the particular customer's normal and expected

transactions involving the insured nonmember bank;

(iv) Monitoring customer transactions and identifying transactions

that are inconsistent with normal and expected transactions for that

particular customer or for customers in the same or similar categories

or classes, as established by the insured nonmember bank; and

(v) Determining if a transaction should be reported in accordance

with the FDIC's suspicious activity reporting regulations and, if so,

reporting accordingly.

(e) Compliance with Know Your Customer program. The insured

nonmember bank shall comply with its Know Your Customer program. To

ensure compliance, the nonmember bank shall:


 

[[Page 67536]]


 

(1) Provide for and document a system of internal controls;

(2) Provide for and document independent testing for compliance to

be conducted by bank personnel or by an outside party on a regular

basis;

(3) Designate an individual or individuals as responsible for

coordinating and monitoring day-to-day compliance; and

(4) Provide for and document training to all appropriate personnel,

on at least an annual basis, of the content and required procedures of

the Know Your Customer program.

(f) Availability of documentation. For all accounts opened or

maintained in the United States, each insured nonmember bank must

ensure that all information and documentation sufficient to comply with

the requirements of this section are available for examination and

inspection, at a location specified by an FDIC representative, within

48 hours of an FDIC representative's request for such information and

documentation. In instances where the information and documentation is

maintained at a location other than where the customer's account is

maintained or the financial services are rendered, the insured

nonmember bank must include, as part of its Know Your Customer program,

specific procedures designed to ensure that the information and

documentation is reviewed on an ongoing basis by appropriate bank

personnel in order to comply with this subpart.


 

By order of the Board of Directors.


 

Dated at Washington, D.C. this 27th day of October, 1998.


 

Federal Deposit Insurance Corporation.

Robert E. Feldman,

Executive Secretary.

[FR Doc. 98-32334 Filed 12-4-98; 8:45 am]

BILLING CODE 6714-01-P

Last Updated: March 24, 2024