[Federal Register: December 7, 1998 (Volume 63, Number 234)]
[Proposed Rules]
[Page 67529-67536]
From the Federal Register Online via GPO Access [wais.access.gpo.gov]
[DOCID:fr07de98-22]
-----------------------------------------------------------------------
FEDERAL DEPOSIT INSURANCE CORPORATION
12 CFR Part 326
RIN 3064-AC19
Minimum Security Devices and Procedures and Bank Secrecy Act
Compliance
AGENCY: Federal Deposit Insurance Corporation.
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The FDIC is proposing to issue a regulation requiring insured
nonmember banks to develop and maintain ``Know Your Customer''
programs. As proposed, the regulation would require each nonmember bank
to develop a program designed to determine the identity of its
customers; determine its customers' sources of funds; determine the
normal and expected transactions of its customers; monitor account
activity for transactions that are inconsistent with those normal
[[Page 67530]]
and expected transactions; and report any transactions of its customers
that are determined to be suspicious, in accordance with the FDIC's
existing suspicious activity reporting regulation. By requiring insured
nonmember banks to determine the identity of their customers, as well
as to obtain knowledge regarding the legitimate activities of their
customers, the proposed regulation will reduce the likelihood that
insured nonmember banks will become unwitting participants in illicit
activities conducted or attempted by their customers. It also will
level the playing field between institutions that already have adopted
formal Know Your Customer programs and those that have not.
DATES: Comments must be received by March 8, 1999.
ADDRESSES: Comments should be directed to: Robert E. Feldman, Executive
Secretary, Attention: Comments/OES, Federal Deposit Insurance
Corporation, 550 17th Street, N.W., Washington, DC 20429. Comments may
be hand-delivered to the guard station at the rear of the 550 17th
Street Building (located on F Street), on business days between 7 a.m.
and 5 p.m. In addition, comments may be sent by fax to (202) 898-3838,
or by electronic mail to comments@FDIC.gov. Comments may be inspected
and photocopied in the FDIC Public Information Center, Room 100, 801
17th Street, NW, Washington, D.C., between 9 a.m. and 4:30 p.m., on
business days.
FOR FURTHER INFORMATION CONTACT: Carol A. Mesheske, Special Activities
Section, Division of Supervision, (202) 898-6750, or Karen L. Main,
Counsel, Legal Division (202) 898-8838.
SUPPLEMENTARY INFORMATION:
Background
The integrity of the financial sector depends on the ability of
banks and other financial institutions to attract and retain legitimate
funds from legitimate customers. Financial institutions are able to
attract and retain the business of legitimate customers because of the
quality and reliability of the services being rendered and, as
important, the sound and highly respected reputation of the banking
industry. Illicit activities, such as money laundering, fraud, and
other transactions designed to assist criminals in their illegal
ventures, pose a serious threat to the integrity of financial
institutions. When transactions at financial institutions involving
illicit funds are revealed, these transactions invariably damage the
reputation of the financial institutions involved and, potentially, the
entire financial sector. While it is impossible to identify every
transaction at an institution that is potentially illegal or is being
conducted to assist criminals in the movement of illegally derived
funds, it is fundamental for safe and sound operations that financial
institutions take reasonable measures to identify their customers,
understand the legitimate transactions typically conducted by those
customers, and, consequently, identify those transactions conducted by
their customers that are unusual or suspicious in nature. By
identifying and, when appropriate, reporting such transactions in
accordance with existing suspicious activity reporting requirements,
financial institutions are protecting their integrity and are assisting
the efforts of the financial institution regulatory agencies and law
enforcement authorities to combat illicit activities at such
institutions.
One of the most effective means by which an insured nonmember bank
can both protect itself from engaging in transactions designed to
facilitate illicit activities and ensure compliance with applicable
suspicious activity reporting requirements is for the nonmember bank to
have adequate Know Your Customer policies and procedures. By knowing
its customers, an insured nonmember bank is better able to fulfill its
compliance responsibilities, including its Bank Secrecy Act and
suspicious activity reporting requirements, 12 CFR 326.8 and 12 CFR
part 353, respectively.
Recognizing that a Know Your Customer program for one nonmember
bank will not necessarily be appropriate for another, the proposed
regulation identifies only the basic components that the FDIC believes
should be contained in any Know Your Customer program. In supplemental
guidance to be provided at the time this regulation becomes final, the
FDIC, in coordination with the other federal financial institution
supervisory agencies, will provide further information about specific
steps that institutions may consider taking as they implement their
Know Your Customer programs. The FDIC believes that this approach
strikes an appropriate balance that responds to requests for additional
guidance in this area while preserving the flexibility for each insured
nonmember bank to take steps appropriate for its customers.
Privacy Issues
The proposed regulation requires insured nonmember banks to gather
information about customers that, if misused, could result in an
invasion of a customer's privacy. Given the potential for abuse in this
area, it is the FDIC's expectation that, in complying with the Know
Your Customer regulation, a nonmember bank will obtain only that
information that is necessary to comply with the regulation and will
limit the use of this information to complying with the regulation.
Insured nonmember banks need to safeguard and handle responsibly the
information gathered in connection with complying with these
obligations, and should integrate comprehensive privacy practices into
their Know Your Customer programs.
Authority To Issue the Regulation
The proposed regulation is authorized pursuant to the FDIC's
statutory authority under section 8(s)(1) of the Federal Deposit
Insurance Act (12 U.S.C. 1818(s)(1)), as amended by section 2596(a)(2)
of the Crime Control Act of 1990 (Pub. L. 101-647), which requires the
FDIC to issue regulations requiring banks under its supervision to
establish and maintain internal procedures reasonably designed to
ensure and monitor compliance with the Bank Secrecy Act. Effective Know
Your Customer programs serve to facilitate compliance with the Bank
Secrecy Act.
Proposal
The FDIC proposes to revise 12 CFR part 326 by adding a new subpart
requiring insured nonmember banks to develop and implement Know Your
Customer programs. Under the proposed regulation, the FDIC would expect
each nonmember bank to design a program that is appropriate given its
size and complexity, the nature and extent of its activities, its
customer base and the levels of risk associated with its various
customers and their transactions. The FDIC believes that this approach
is preferable to a detailed regulation that imposes the same list of
specific requirements on every bank regardless of its circumstances.
The FDIC recognizes that a Know Your Customer requirement will impose
additional burdens on some insured nonmember banks. Mindful of that
fact, the FDIC is striving to impose only those requirements that are
necessary to ensure that insured nonmember banks have in place adequate
Know Your Customer programs.
Each of the other federal bank supervisory agencies is proposing to
adopt substantially identical regulations covering state member and
national banks, federally-chartered branches and agencies of foreign
banks, savings associations, and credit unions. There also have been
discussions with the
[[Page 67531]]
federal regulators of non-bank financial institutions, such as broker-
dealers, concerning the need to propose similar rules governing the
activities of these non-bank institutions.
Analysis of Subpart C
Section 326.9 Know Your Customer Compliance
Paragraph (a)--Purpose
The purposes of adopting a Know Your Customer program are to
protect the reputation of the insured nonmember bank; to facilitate the
insured nonmember bank's compliance with all applicable statutes and
regulations (including the Bank Secrecy Act and the FDIC's suspicious
activity reporting regulations) and with safe and sound banking
practices; and to protect the insured nonmember bank from becoming a
vehicle for, or a victim of, illegal activities perpetrated by its
customers.
This subpart applies to all insured state nonmember banks as well
as any insured, state-licensed branches of foreign banks.
Paragraph (b)--Definitions
The proposed regulation defines the term ``customer'' as any person
or entity who has an account involving the receipt or disbursal of
funds with an insured nonmember bank covered by this regulation and any
person or entity on behalf of whom an account is maintained. Thus, for
instance, if an account is opened on behalf of a third party, the
nonmember bank will need to treat as a customer both the person or
entity opening the account and the person or entity for whom the
account is opened. A customer would include an accountholder, a
beneficial owner of an account, or a borrower. A ``customer'' could
include the beneficiary of a trust, an investment fund, a pension fund
or a company whose assets are managed by an asset manager; a
controlling shareholder of a closely held corporation; or the grantor
of a trust established in an off-shore jurisdiction. The term
``customer'' does not include recipients of services for which the
receipt or disbursal of customer funds is incidental, for instance,
safe deposit box rentals.
The proposed regulation does not differentiate between current
customers and new customers. The effectiveness of an insured nonmember
bank's Know Your Customer program would be greatly reduced if all
customer accounts in existence prior to the effective date of the
regulation were excluded from its scope. However, the FDIC does not
believe that it is practicable for a nonmember bank to conduct a large-
scale information request from all its existing customers. Rather, a
nonmember bank may comply with the proposed regulation with respect to
its current customers by determining their normal and expected
transactions, using available account data, and monitoring their
transactions for suspicious activities. However, depending on the
nature of the risk associated with some customers and their
transactions (for instance, transactions involving private banking
customers), it may be necessary to fulfill all of the requirements of
this regulation as if they were new customers.
Paragraph (c)--Establishment of Know Your Customer Program
This paragraph requires that each insured nonmember bank establish
a Know Your Customer program by April 1, 2000. Additionally, this
paragraph requires that the Know Your Customer program be reduced to
writing and approved by the board of directors of the nonmember bank,
or a committee thereof, and the approval recorded in the official
minutes of the board.
Paragraph (d)--Contents of Know Your Customer Program
This paragraph sets forth the specific requirements for the
contents of the Know Your Customer program. The FDIC recognizes that
insured nonmember banks vary considerably in the way in which they
conduct their business on a day-to-day basis. Therefore, the FDIC
believes that to impose a regulation that simply requires each insured
nonmember bank to follow a pre-designed, standardized checklist would
not be appropriate. The proposed regulation thus allows each nonmember
bank to develop and delineate a system that will comprise the Know Your
Customer program, consistent with the banking practices of the
particular bank that, when followed by the nonmember bank, will
effectively meet the requirements and goals of the regulation.
Section 326.9(d) reflects the FDIC's recognition that each insured
nonmember bank's Know Your Customer program may vary depending on the
nature of the specific activity, the type of customers involved, the
size of the transactions, and other factors that reflect the nonmember
bank's assessment of the risk presented. In complying with this
section, it may be beneficial for insured nonmember banks to classify
customers into varying risk-based categories that the insured nonmember
banks can use in determining the amount and type of information,
documentation and monitoring that is appropriate. While the proposed
regulation will provide nonmember banks with substantial flexibility in
devising an appropriate Know Your Customer program, the FDIC believes
that all Know Your Customer programs should contain certain critical
features, which are discussed below.
Documentation and due diligence. Paragraph (d)(1) of Sec. 326.9
requires that the Know Your Customer program delineate acceptable
documentation requirements and due diligence procedures the insured
nonmember bank will follow in meeting the requirements of the proposed
regulation. The delineation of this information in the Know Your
Customer program will ensure that the same standards are applied
throughout the nonmember bank and will inform auditors and examiners of
the nonmember bank's established standards for review of customer
information.
Minimum steps to take to comply with the Know Your Customer rule.
Paragraph (d)(2) of Sec. 326.9 sets forth the steps an insured
nonmember bank needs to take in order to know its customers. The
proposed regulation requires that, rather than following a
``checklist'' approach, an insured nonmember bank may develop a
``system'' designed to meet the basic requirements of the regulation.
The system approach allows each insured nonmember bank to design its
own program, in accordance with its own business practices, that will
best suit the nonmember bank. While this places some burden on the
nonmember bank to develop the specifics of the Know Your Customer
program, such an approach recognizes that each insured nonmember bank
conducts business in accordance with its own policies, procedures,
goals and objectives. The Know Your Customer program, in order to be
the most effective, must be developed and implemented with the
nonmember bank's regular and ordinary business practices in mind. The
FDIC believes that all Know Your Customer programs should contain
certain critical features, which are set forth below.
Identify the customer. Paragraph (d)(2)(i) requires that the Know
Your Customer program provide a system for determining the true
identity of prospective customers. If an insured nonmember bank has
reasonable cause to believe that it lacks sufficient information to
know the identity of an existing customer, paragraph (d)(4)(ii)(A) also
requires that the program provide a system for
[[Page 67532]]
determining the identity of that customer.
It is imperative that an insured nonmember bank establish, to its
own satisfaction, that it is dealing with a legitimate customer,
whether the customer is a natural person, corporation, or other
business entity. The nature and extent of the identification process
should be commensurate with the types of transactions anticipated by
the customer and the risks associated with such transactions. If a
prospective customer refuses to provide any of the requested
information, sound practices would require that the nonmember bank not
open the account. Similarly, if additional or follow-up information is
not forthcoming from an established customer, sound practices would
require that consideration be given to terminating the account
relationship.
The best identification documents for verifying the identity of
prospective customers are the ones that are the most difficult to
obtain illicitly and the most difficult to counterfeit. No single form
of identification can be guaranteed to be genuine, however. Therefore,
the identification process should be cumulative, obtaining enough
information and documentation to assure the insured nonmember bank that
it has adequately identified the prospective customer. For individual
accounts, this might include, for instance, a document containing a
photograph and signature of the individual. For corporate or business
customers, the customer identification process could include the review
of appropriate documentation that allows for a means to verify that the
corporation or other business entity does exist and does engage in the
business, as stated. All documentation reviewed, as well as
verifications of the information contained therein, should be recorded
and maintained by the nonmember bank.
Any practice of an insured nonmember bank that allows for the
establishment of a customer relationship without face-to-face contact
with bank personnel, such as banking by mail or Internet banking, poses
difficulties in the identification of the prospective customer by use
of the traditionally accepted practice of obtaining identification
documentation, to include photographic identification. Even though
photographic identification in such circumstances will be impractical,
other accepted means of identifying a customer are still viable. In
such circumstances, special care should be given to verification of
address and telephone number. Moreover, insured nonmember banks should
consider using commercially available data to compare items such as
name with date of birth and social security number.
If an insured nonmember bank offers private banking services, it is
important that the nonmember bank understand a customer's personal and
business background, source of funds, and intended use of the private
banking services. Typically, private banking customers are clients of
financial advisors or make use of account vehicles such as personal
investment companies, trusts, and personal mutual investment funds. The
establishment of such accounts serves the stated purposes of protecting
the legitimate confidentiality and financial privacy of the customers
who use such accounts. However, the need to identify properly the
beneficial owners of such accounts, through an effective Know Your
Customer program, is necessary to the continued safe and sound
operation of the insured nonmember bank. Any needed confidentiality
required by customers of an insured nonmember bank's private banking
department can be addressed by the development of special protections
to limit access to information that would generally reveal the
beneficial owners of those accounts.
Introductions or referrals of prospective customers by established
customers of the insured nonmember bank, while extremely valuable in
providing background information about the prospective customer, cannot
take the place of identification requirements that should be set forth
in the nonmember bank's Know Your Customer program. Details regarding
the introduction or referral should be documented so that the
information obtained can be effectively used to assist in the
verification of the prospective customer.
The extent of the information regarding the customer that may be
necessary to fulfill the nonmember bank's Know Your Customer
obligations should depend on a risk-based assessment of the customer
and the transactions that are expected to occur, and should be
addressed within the insured nonmember bank's Know Your Customer
program.
Determine the source of funds. Paragraph (d)(2)(ii) requires that
the Know Your Customer program provide a system for determining the
source of a customer's funds. The amount of information needed to do
this can depend on the type of customer in question. As an example, if
a retail banking customer maintains demand deposit accounts funded
primarily from payroll deposits, it should be a relatively simple task
to identify and document the source of funds as payroll deposits. On
the other hand, a more detailed analysis, with a more extensive
documentation process, would be required for high net worth customers
with multiple deposits from a variety of sources. For these reasons,
among others, it may be beneficial for insured nonmember banks to
classify customers into varying categories, based on factors such as
the types of accounts maintained, the types of transactions conducted,
and the potential risk of illicit activities associated with such
accounts and transactions. An insured nonmember bank could then develop
procedures to obtain necessary information and documentation based on
the risk assessment for the various categories or classes established
by the nonmember bank.
Determine normal and expected transactions. Paragraph (d)(2)(iii)
requires that the Know Your Customer program provide a system for
determining a customer's normal and expected transactions involving the
insured nonmember bank. A nonmember bank's understanding of a
customer's normal and expected transactions should be based on
information obtained both when an account is opened and during a
reasonable period of time thereafter. It also should be based on normal
transactions for similarly situated customers. Without this
information, an insured nonmember bank is unable to identify suspicious
transactions.
Monitor the account transactions. Paragraph (d)(2)(iv) requires
that the Know Your Customer program provide a system for monitoring, on
an ongoing basis, the transactions conducted by customers to identify
transactions that are inconsistent with the normal and expected
transactions for particular customers or for customers in the same or
similar categories or classes. The proposed regulation does not require
that every transaction of every customer be reviewed. Rather, it
requires that an insured nonmember bank develop a monitoring system
that is commensurate with the risks presented by the accounts
maintained at that bank.
In designing a monitoring system, an insured nonmember bank may
choose to classify accounts into various categories based on factors
such as the type and size of account, the types, number, and size of
transactions conducted in the account, and the risk of illicit activity
associated with the account. For certain classes or categories of
accounts, it would be sufficient for an effective monitoring system to
establish parameters for which the transactions
[[Page 67533]]
within these accounts will normally occur. Rather than monitoring each
transaction, an effective monitoring system could entail monitoring
only for those transactions that exceed the established parameters for
that particular class or category of accounts. For other categories or
classes of accounts, such as private banking accounts, it may be
necessary to monitor each significant transaction.
Determine if transaction should be reported. Once a transaction is
identified as inconsistent with normal and expected transactions,
paragraph (d)(2)(v) requires that an insured nonmember bank determine
if the transaction warrants the filing of a Suspicious Activity Report.
This is consistent with an insured nonmember bank's existing
obligations under 12 CFR 353.3(a). In identifying reportable
transactions, an insured nonmember bank should not conclude that every
transaction that falls outside what is expected for a given customer
should be reported. Rather, a nonmember bank should focus on patterns
of inconsistent transactions and isolated transactions that present
risk factors that warrant further review.
Paragraph (e)--Compliance With Know Your Customer Program
This paragraph sets forth the requirements an insured nonmember
bank must follow to ensure that it is in compliance with its Know Your
Customer program. The requirements include that an insured nonmember
bank provide for and document a system of internal controls to ensure
ongoing compliance, as well as provide for and document independent
testing for compliance with the Know Your Customer program.
Additionally, the nonmember bank must designate an individual
responsible for coordinating and monitoring day-to-day compliance and
provide for and document training to all appropriate personnel of the
content and requirements of the Know Your Customer program.
Paragraph (f)--Availability of Documentation
This paragraph requires, for all accounts opened or maintained in
the United States, that all information and documentation necessary to
comply with the regulations be made available for examination and
inspection, at a location specified by an FDIC representative, within
48 hours of a request for such information and documentation. In
instances where the information and documentation is at a location
other than where the customer's account is maintained or the financial
services are rendered, the insured nonmember bank must adopt, as part
of its Know Your Customer program, specific procedures designed to
ensure that the information and documentation is reviewed on an ongoing
basis by appropriate personnel. The nonmember bank should maintain
written evidence that the appropriate review is being performed on a
regular basis.
While issues arise on occasion concerning documentation on accounts
domiciled in the United States by foreign accountholders, the FDIC
believes that the information typically already exists within the
insured nonmember bank in the United States because the information is
used by the relationship manager, who resides in the United States, as
well as other components of the nonmember bank to provide banking
services to the customer.
Comments Sought
The FDIC invites comment on any aspect of the rule, and
specifically seeks comment on the following issues:
1. Whether the proposed definition of ``customer'' is sufficient to
include all persons who benefit from an account opened at an insured
nonmember bank such as persons who establish off-shore shell companies
or entities or otherwise conduct their business through intermediaries.
2. Whether the proposed definition of ``customer'' is too broad and
will unnecessarily include persons that pose a minimal Know Your
Customer risk.
3. Whether an insured nonmember bank's Know Your Customer program
should apply to a nonmember bank's counterparty relationships with
respect to transactions in wholesale financial markets (e.g., sales or
purchases involving foreign exchange or securities) and correspondent
banking relationships. If so, would a different standard than that
applicable to retail relationships be more appropriate for wholesale
and correspondent banking relationships? If such a distinction is
appropriate, is the proposed definition of ``customer'' sufficient?
4. Whether the benefits of implementing Know Your Customer
requirements outweigh the costs involved.
5. Whether the proposed regulation will create a competitive
disadvantage with respect to other financial entities offering similar
services that may not be subject to similar regulations (citing, where
possible, specific examples) and, if so, what could be done to mitigate
the disadvantage consistent with the FDIC's supervisory
responsibilities.
6. Whether the actual or perceived invasion of personal privacy
interests is outweighed by the additional compliance benefits
anticipated by this proposal.
7. Whether there should be a minimum account size threshold below
which the Know Your Customer requirements should be waived.
Regulatory Flexibility Act
Under the Regulatory Flexibility Act, the FDIC must either provide
an Initial Regulatory Flexibility Analysis (IRFA) with this proposed
rule, or certify that the proposed rule would not have a significant
economic impact on a substantial number of small entities. The proposed
rule is designed to be flexible so that each insured nonmember bank can
design a Know Your Customer program appropriate for its circumstances.
While advantageous to insured nonmember banks, this flexibility makes
it difficult to predict the magnitude of the economic impact of the
proposed rule on insured nonmember banks. The FDIC cannot, at this
time, determine whether the proposed rule would have a significant
economic impact on a substantial number of small entities. The FDIC,
therefore, includes this IRFA.
A. Reasons For and Objectives of the Proposed Rule.
The proposed Know Your Customer rule is designed to deter and
detect financial crimes, such as money laundering, tax evasion, and
fraud. Financial crimes conducted at or through financial institutions,
even where financial institutions are not parties to the transactions,
can damage the reputations of the institutions involved, and possibly
of the entire banking industry. Under current law, financial
institutions are required to report suspicious activities to law
enforcement authorities, but are not required to specifically search
for suspicious activities. As a result, suspicious activities may go
unreported, and illegal activity may go undetected. Know Your Customer
programs would better enable financial institutions to alert law
enforcement authorities to potential criminal conduct and help deter
criminal conduct in the banking industry.
The FDIC has two primary objectives for this proposed rulemaking:
(1) increasing insured nonmember banks' detection and reporting of
suspicious customer activities; and, (2) deterring financial crimes at
insured nonmember banks.
The proposed rule would apply to large and small insured nonmember
[[Page 67534]]
banks. Small nonmember banks are generally defined, for Regulatory
Flexibility Act purposes, as those with assets of $100 million or less.
This proposed rule would apply to approximately 3,950 small insured
nonmember banks.
B. Requirements of the Proposed Rule.
The proposed rule would require insured nonmember banks to identify
their customers, determine their customers' normal and expected
transactions, determine their customers' sources of funds, monitor
transactions to find those that are not normal and expected, and, for
transactions that are not normal and expected, identify which are
suspicious. Insured nonmember banks are required to report any
suspicious transactions under current law, and this proposed rule would
have no additional reporting requirements.
The impact of the proposed regulation on a nonmember bank's
resources, and the skills necessary to comply with it, will vary from
one nonmember bank to another because the proposed regulation is
designed to take into account each bank's size and resources. Because
each nonmember bank would be able to design an individualized Know Your
Customer program, it is difficult to specify the type of professional
skills necessary for preparing any required records or reports. Large
insured nonmember banks may be more likely to use computerized Know
Your Customer programs, and in that event would be more likely to need
professional computer skills. Small nonmember banks that choose to
automate their Know Your Customer programs would need professional
computer skills.
Know Your Customer monitoring would be similar to monitoring that
insured nonmember banks already do. For example, insured nonmember
banks monitor customer transactions to ensure that cash transactions
exceeding $10,000 are reported under the Bank Secrecy Act, to ensure
that customers do not overdraw their accounts, and to ensure that loan
payments are accurate and timely. Thus, Know Your Customer monitoring
would rely, at least in part, on computer and other skills that insured
nonmember bank personnel already have and regularly use.
C. Significant Alternatives
1. No Know Your Customer Requirements
The FDIC considered recommending Know Your Customer procedures
rather than proposing regulatory requirements. The FDIC decided to
propose this rulemaking, however, because of the risks that insured
nonmember banks face from customers who attempt illegal activities.
Illegal activities would harm a nonmember bank's reputation and that of
the entire banking industry. Requiring Know Your Customer programs
significantly reduces the likelihood that some insured nonmember banks
would not establish or adhere to such programs. In addition, because
other federal banking agencies are proposing Know Your Customer rules,
the FDIC believes that criminals would quickly move their illegal funds
transfers into insured nonmember banks without Know Your Customer
programs, thus increasing those banks' exposure to illegal activity.
Moreover, recommending rather than requiring Know Your Customer
programs would allow customers to simply refuse to answer appropriate
questions about their identities or transactions. If Know Your Customer
programs are required, insured nonmember banks can more easily collect
the necessary information because customers cannot turn readily to
another financial institution free of such requirements.
For these reasons, merely recommending Know Your Customer programs
would interfere with the FDIC's goals of increasing insured nonmember
banks' detection and reporting of suspicious customer activities, and
deterring financial crimes at insured nonmember banks.
2. Exemption for Small Nonmember Banks
The FDIC considered exempting small nonmember banks from Know Your
Customer requirements. However, this alternative has the disadvantage
of possibly creating a haven for criminal activity. It is likely that
criminals would concentrate their activity at those nonmember banks not
subject to any Know Your Customer requirements. An exemption for small
insured nonmember banks would conflict with the FDIC's goals of
increasing insured nonmember banks' detection and reporting of
suspicious customer activities and deterring financial crimes at
insured nonmember banks.
3. Flexible Know Your Customer Requirements
The FDIC is proposing to require that all insured nonmember banks
establish and follow Know Your Customer programs, but the proposal will
allow each nonmember bank to develop a program appropriate for its
circumstances, including but not limited to its size and resources.
This approach is preferable to the first two alternatives because it
does not allow criminals to choose an insured nonmember bank without
Know Your Customer requirements to conduct illegal activities. A
flexible alternative also avoids requirements beyond the means of small
nonmember banks. Small nonmember banks could use simpler, less costly,
and less burdensome programs than larger insured nonmember banks.
D. Other Matters
The FDIC has the statutory authority to promulgate this proposed
regulation. There are no federal rules that duplicate, overlap, or
conflict with this proposed rule.
The FDIC encourages comment on all aspects of this IRFA, including
comments on any significant economic impact the proposed rule would
have on small entities.
Paperwork Reduction Act
In accordance with the Paperwork Reduction Act (44 U.S.C. 3501 et
seq.) the FDIC may not conduct or sponsor, and a person is not required
to respond to, a collection of information unless it displays a
currently valid Office of Management and Budget (OMB) control number. A
collection of information contained in this rule and described below
has been submitted to OMB for review. Comments on the collection of
information should be sent to the desk officer for the FDIC: Alexander
T. Hunt, Office of Information and Regulatory Affairs, Office of
Management and Budget, New Executive Office Building, Room 3208,
Washington, DC 20503. Copies of comments should also be sent to: Steven
F. Hanft, FDIC Clearance Officer, Office of the Executive Secretary,
Federal Deposit Insurance Corporation, 550 17th Street, NW, Washington,
DC 20429, (202) 898-3907. Comments may be hand-delivered to the guard
station at the rear of the 17th Street building (located on F Street)
on business days between 7:00 a.m. and 5:00 p.m. [Fax number (202) 898-
3838; Internet address: COMMENTS@FDIC.GOV]. For further information on
the Paperwork Reduction Act aspect of this rule, contact Steven F.
Hanft at the above address. OMB will make a decision concerning the
change in the information collection between 30 and 60 days after the
publication of this document in the Federal Register. Therefore, a
comment to OMB is best assured of having its full effect if OMB
receives it within 30 days of this publication. Unless the FDIC
publishes a notice to the contrary, the public may assume that the
change in the collection
[[Page 67535]]
was approved within 60 days of this publication.
Comment is solicited on: (i) Whether the proposed collection of
information is necessary for the proper performance of the functions of
the agency, including whether the information will have practical
utility;
(ii) The accuracy of the agency's estimate of the burden of the
proposed collection of information, including the validity of the
methodology and assumptions used;
(iii) The quality, utility, and clarity of the information to be
collected; and
(iv) Ways to minimize the burden of the collection of information
on those who are to respond, including through the use of appropriate
automated, electronic, mechanical, or other technological collection
techniques or other forms of information technology, e.g., permitting
electronic submission of responses.
Title of the collection: The proposed rule will modify an
information collection previously approved by OMB titled ``Procedures
for Monitoring Bank Secrecy Act Compliance'' under OMB control number
3064-0087.
Summary of the change to the collection: The proposed rule will
modify the collection by adding a requirement that each bank develop a
written ``Know Your Customer'' program.
Need and Use of the information: Banks will use the Know Your
Customer program to assure that they do not become unwitting
participants in illicit activities conducted or attempted by their
customers. The FDIC will use the information kept to ensure and monitor
compliance with the Bank Secrecy Act.
Respondents: State nonmember banks (approximately 6,000).
Estimated annual burden: The majority of the paperwork burden
associated with the proposed rule is the one-time cost of developing a
plan and implementing written policies and procedures which will occur
in the first year of the rule's application to a covered bank. In the
normal course of business, most institutions likely already have
sufficient information about their customers in their files and would
only need to organize and review such information. The FDIC estimates
that there will be 6,000 recordkeepers in the first year. In subsequent
years, the recordkeepers will consist of newly-chartered institutions
subject to the rule. The proposed rule is not expected to significantly
increase the ongoing annual burden for the recordkeepers because most
of the ongoing burden is incurred in the normal course of their
business activities and or accounted for under other existing
information collections including their fraud prevention procedures,
their monitoring of transactions for reporting on the Department of the
Treasury's Currency Transaction Reports and as part of their procedures
to detect violations or suspicious activity reported on the Suspicious
Activity Report. Because the records would be maintained at the subject
organizations and are not provided to the Board, no issue of
confidentiality under the Freedom of Information Act arises.
Frequency of response: Occasional.
Number of responses: 6,000.
Number of hours to prepare a response: 10--30 hours, with an
average of 20 hours.
Total annual burden: 120,000.
List of Subjects in 12 CFR Part 326
Banks, banking, Bank robbery, Bank Secrecy Act, Crime, Currency,
Reporting and recordkeeping requirements, Security measures.
Authority and Issuance
For the reasons set forth in the preamble, part 326 of title 12 of
the Code of Federal Regulations is proposed to be amended as follows:
PART 326--MINIMUM SECURITY DEVICES AND PROCEDURES AND BANK SECRECY
ACT COMPLIANCE
1. The authority citation for part 326 continues to read as
follows:
Authority: 12 U.S.C. 1813, 1815, 1817, 1818, 1819[Tenth], 1881-
1883; 31 U.S.C. 5311-5324.
2. A new subpart C is added to read as follows:
Subpart C--Know Your Customer Compliance
Sec. 326.9 Know Your Customer rule.
(a) Purpose. This subpart requires that all insured nonmember banks
as defined in 12 CFR 326.1(a) establish and regularly maintain
procedures designed to determine the identity of their customers, as
well as their customers' normal and expected transactions and sources
of funds involving the nonmember bank. These procedures (referred to as
the ``Know Your Customer'' program) are intended to: protect the
reputation of the nonmember bank; facilitate the nonmember bank's
compliance with all applicable statutes and regulations (including the
Bank Secrecy Act and the suspicious activity reporting requirements of
12 CFR 353.3) and with safe and sound banking practices; and protect
the insured nonmember bank from becoming a vehicle for or a victim of
illegal activities perpetrated by its customers.
(b) Definition of customer. For the purposes of this section,
customer means:
(1) Any person or entity who has an account with an insured
nonmember bank covered by this subpart involving the receipt or
disbursal of funds; and
(2) Any person or entity on behalf of whom an account is
maintained.
(c) Establishment of Know Your Customer program. Each insured
nonmember bank shall develop and provide for the continued
administration of a Know Your Customer program by April 1, 2000. The
Know Your Customer program shall be reduced to writing and approved by
the board of directors (or a committee thereof) with the approval
recorded in the official minutes of the board.
(d) Contents of Know Your Customer program. The Know Your Customer
program may vary in complexity and scope according to categories or
classes of customers established by the nonmember bank and the
potential risk of illicit activities associated with those customers'
accounts and transactions.
(1) Appropriate documentation requirements and due diligence
procedures established by the insured nonmember bank to comply with
this section.
(2) A system for:
(i) Determining the identity of the insured nonmember bank's new
customers and, if the nonmember bank has reasonable cause to believe
that it lacks adequate information to know the identity of existing
customers, determining the identity of those existing customers;
(ii) Determining the customer's sources of funds for transactions
involving the insured nonmember bank;
(iii) Determining the particular customer's normal and expected
transactions involving the insured nonmember bank;
(iv) Monitoring customer transactions and identifying transactions
that are inconsistent with normal and expected transactions for that
particular customer or for customers in the same or similar categories
or classes, as established by the insured nonmember bank; and
(v) Determining if a transaction should be reported in accordance
with the FDIC's suspicious activity reporting regulations and, if so,
reporting accordingly.
(e) Compliance with Know Your Customer program. The insured
nonmember bank shall comply with its Know Your Customer program. To
ensure compliance, the nonmember bank shall:
[[Page 67536]]
(1) Provide for and document a system of internal controls;
(2) Provide for and document independent testing for compliance to
be conducted by bank personnel or by an outside party on a regular
basis;
(3) Designate an individual or individuals as responsible for
coordinating and monitoring day-to-day compliance; and
(4) Provide for and document training to all appropriate personnel,
on at least an annual basis, of the content and required procedures of
the Know Your Customer program.
(f) Availability of documentation. For all accounts opened or
maintained in the United States, each insured nonmember bank must
ensure that all information and documentation sufficient to comply with
the requirements of this section are available for examination and
inspection, at a location specified by an FDIC representative, within
48 hours of an FDIC representative's request for such information and
documentation. In instances where the information and documentation is
maintained at a location other than where the customer's account is
maintained or the financial services are rendered, the insured
nonmember bank must include, as part of its Know Your Customer program,
specific procedures designed to ensure that the information and
documentation is reviewed on an ongoing basis by appropriate bank
personnel in order to comply with this subpart.
By order of the Board of Directors.
Dated at Washington, D.C. this 27th day of October, 1998.
Federal Deposit Insurance Corporation.
Robert E. Feldman,
Executive Secretary.
[FR Doc. 98-32334 Filed 12-4-98; 8:45 am]
BILLING CODE 6714-01-P