98-32333. ``Know Your Customer'' Requirements  

  • [Federal Register Volume 63, Number 234 (Monday, December 7, 1998)]
    [Proposed Rules]
    [Pages 67524-67529]
    From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
    [FR Doc No: 98-32333]
    
    
    =======================================================================
    -----------------------------------------------------------------------
    
    DEPARTMENT OF THE TREASURY
    
    Office of the Comptroller of the Currency
    
    12 CFR Part 21
    
    [Docket No. 98-15]
    RIN 1557-AB66
    
    
    ``Know Your Customer'' Requirements
    
    AGENCY: Office of the Comptroller of the Currency, Treasury (OCC).
    
    ACTION: Notice of proposed rulemaking.
    
    -----------------------------------------------------------------------
    
    SUMMARY: The OCC is proposing to issue a regulation requiring national 
    banks to develop and maintain ``Know Your Customer'' programs. As 
    proposed, the regulation would require each bank to develop a program 
    designed to determine the identity of its customers; determine its 
    customers' sources of funds; determine the normal and expected 
    transactions of its customers; monitor account activity for 
    transactions that are inconsistent with those normal and expected 
    transactions; and report any transactions of its customers that are 
    determined to be suspicious, in accordance with the OCC's existing 
    suspicious activity reporting regulation. By requiring banks to 
    determine the identity of their customers, as well as to obtain 
    knowledge regarding the legitimate activities of their customers, the 
    proposed regulation will reduce the likelihood that banks will become 
    unwitting participants in illicit activities conducted or attempted by 
    their customers.
    
    
    
    
    DATES: Comments must be received by March 8, 1999.
    
    ADDRESSES: Comments should be directed to: Communications Division, 
    Office of the Comptroller of the Currency, 250 E Street, SW, 
    Washington, DC 20219, Attention: Docket No. 98-15. Comments will be 
    available for public inspection and photocopying at the same location. 
    In addition, comments may be sent by fax to (202) 874-5274, or by 
    electronic mail to regs.comments@occ.treas.gov.
    
    FOR FURTHER INFORMATION CONTACT: Robert Pasley, Assistant Director, 
    Enforcement and Compliance Division (202) 874-4879; Thomas Fleming, 
    Compliance Specialist (202) 874-4879, or Susan Quill, Compliance Expert 
    (202) 874-4879, Community and Consumer Policy; or Mark Tenhundfeld, 
    Assistant Director, Legislative and Regulatory Activities Division 
    (202) 874-4879.
    
    SUPPLEMENTARY INFORMATION:
    
    Background
    
        The integrity of the financial sector depends on the ability of 
    banks and other financial institutions to attract and retain legitimate 
    funds from legitimate customers. Banks are able to attract and retain 
    the business of legitimate customers because of the quality and 
    reliability of the services being rendered and, as important, the sound 
    and highly respected reputation of banks. Illicit activities, such as 
    money laundering, fraud, and other transactions designed to assist 
    criminals in their illegal ventures, pose a serious threat to the 
    integrity of banks. When transactions at banks involving illicit funds 
    are revealed, these transactions invariably damage the reputation of 
    the banks involved. While it is impossible to identify every 
    transaction at a bank that is potentially illegal or is being conducted 
    to assist criminals in the movement of illegally derived funds, it is 
    fundamental for safe and sound operations that banks take reasonable 
    measures to identify their customers, understand the normal and 
    expected transactions typically conducted by those customers, and, 
    consequently, identify those transactions conducted by their customers 
    that are suspicious in nature. By identifying and, when appropriate, 
    reporting such transactions in accordance with existing suspicious 
    activity reporting requirements, banks are protecting their integrity 
    and are assisting the efforts of the bank regulatory agencies and law 
    enforcement authorities to combat illicit activities at financial 
    institutions.
        One of the most effective means by which a bank can both protect 
    itself from engaging in transactions designed to facilitate illicit 
    activities and ensure compliance with applicable suspicious activity 
    reporting requirements is for the bank to have adequate Know Your 
    Customer policies and procedures. By knowing its customers, a bank is 
    both better able to serve the legitimate needs of its customers and to 
    fulfill its compliance responsibilities, including its Bank Secrecy Act 
    and suspicious activity reporting requirements.
        Recognizing that a Know Your Customer program for one bank will not 
    necessarily be appropriate for another, the proposed regulation focuses 
    on the basic components that the OCC believes should be contained in 
    any Know Your Customer program. In supplemental guidance to be provided 
    at the time this regulation becomes final, the OCC will provide further 
    information about specific steps that banks may consider taking to 
    ensure that their Know Your Customer programs comport with the 
    regulations. The OCC believes that this approach strikes an appropriate 
    balance that responds to requests for additional guidance in this area 
    while preserving the flexibility for each bank to take steps 
    appropriate for the size and complexity of its business.
    
    Privacy Issues
    
        The proposed regulation requires banks to gather information about 
    customers that, if misused, could result in an invasion of a customer's 
    privacy. Accordingly, it is the OCC's expectation that, in complying 
    with the Know Your Customer regulation, a bank will obtain only that 
    information that is necessary to comply with the regulation and will 
    limit the use of this information to complying with the regulation. 
    Financial institutions need to safeguard and handle responsibly the 
    information gathered in connection with complying with these 
    obligations, and should integrate comprehensive privacy practices into 
    their Know Your Customer programs.
    
    Authority to Issue Regulation
    
        The proposed regulation is authorized pursuant to the OCC's 
    statutory authority under section 8(s)(1) of the Federal Deposit 
    Insurance Act (12 U.S.C. 1818(s)(1)), as amended by section 2596(a)(2) 
    of the Crime Control Act of 1990 (Pub. L. 101-647), which mandates that 
    the OCC issue regulations requiring banks under its supervision to 
    establish and maintain internal procedures reasonably designed to 
    ensure and monitor compliance with the Bank Secrecy Act. Effective Know 
    Your Customer programs serve to facilitate compliance with the Bank 
    Secrecy Act.
    
    Proposal
    
        The OCC proposes to revise 12 CFR Part 21 by requiring national 
    banks to develop and implement Know Your Customer programs. Under the 
    proposed regulation, the OCC would expect each bank to design a program 
    that is appropriate given the bank's size and complexity, the nature 
    and extent of its activities, its customer base and the levels of risk 
    associated with its various customers and their transactions. The OCC 
    believes that this approach is preferable to a detailed regulation that 
    imposes the same list of specific requirements on every bank regardless 
    of its circumstances.
        Each of the other Federal bank supervisory agencies is proposing to 
    adopt Know Your Customer regulations covering state member and 
    nonmember banks, state-chartered branches and agencies of foreign 
    banks, and savings associations.\1\ The OCC also has been 
    discussing with the Federal regulators of non-bank financial 
    institutions, such as broker-dealers, the need to propose similar rules 
    governing the activities of these non-bank institutions.
    ---------------------------------------------------------------------------
    
        \1\  As of the date this proposed rule was signed, the National 
    Credit Union Administration was still reviewing the issue of whether 
    to adopt a regulation that would create similar Know Your Customer 
    obligations for credit unions.
    ---------------------------------------------------------------------------
    
    Section-by-Section Analysis
    
        The OCC proposes to add a new Sec. 21.22. The various components of 
    the Know Your Customer rule are summarized below.
    
    Purpose and scope (Sec. 21.22(a))
    
        The purposes of adopting a Know Your Customer program are to 
    protect the reputation of the bank; to facilitate the bank's compliance 
    with all applicable statutes and regulations (including the Bank 
    Secrecy Act and the OCC's suspicious activity reporting regulations) 
    and with safe and sound banking practices; and to protect the bank from 
    becoming a vehicle for, or a victim of, illegal activities perpetrated 
    by its customers. The rules apply, as a general matter, to all national 
    banks. However, the rules do not apply to credit card banks, bankers' 
    banks, or other banks that operate solely to service the activities of 
    their affiliates. The OCC recognizes that certain banks operate solely 
    to service the activities of their affiliates or other banks and, in so 
    doing, do not interact in any manner with any public customers. The OCC 
    does not intend the proposed regulation
    to impose any requirements on those banks.
        The rules also apply to all Federal branches or agencies of foreign 
    banks licensed or chartered by the OCC. The OCC expects U.S. banks to 
    implement Know Your Customer systems in their overseas branches that 
    are equivalent to those that they have in the United States in order to 
    minimize the risk to the bank posed by illegal activities in the 
    overseas branches.
    
    Definition of Customer (Sec. 21.22(b))
    
        The proposed regulation defines the term ``customer'' as any person 
    or entity who has an account involving the receipt or disbursal of 
    funds with an institution covered by this regulation and any person or 
    entity on behalf of whom an account is maintained. If, for instance, a 
    bank knows that an account is opened on behalf of a third party, the 
    bank will need to treat as a customer both the person or entity opening 
    the account and the person or entity for whom the account is opened. 
    The regulation applies to deposit accounts, loan accounts, and any 
    other type of account involving the receipt or disbursal of funds. It 
    does not include, for instance, transactions such as renting safe 
    deposit boxes.
        Except for the provisions regarding identifying customers (see the 
    discussion of paragraph (d)(2)(i) of the proposed rule, below) the 
    proposed regulation does not differentiate between current customers 
    and new customers. The effectiveness of a bank's Know Your Customer 
    program would be greatly reduced if all customer accounts in existence 
    prior to the effective date of the regulation were excluded from its 
    scope. However, the OCC does not believe that it is practicable for a 
    bank to conduct a large-scale information request from all its existing 
    customers. Rather, a bank may comply with the proposed regulation with 
    respect to its current customers by determining their normal and 
    expected transactions using available account data and monitoring their 
    transactions for suspicious activities. However, depending on the 
    nature of the risk associated with some customers and their 
    transactions (for instance, transactions involving private banking 
    customers), it may be necessary to fulfill all of the requirements of 
    this regulation as if they were new customers.
    
    Establishment of Know Your Customer Program (Sec. 21.22(c))
    
        This section requires that each bank establish a Know Your Customer 
    program by April 1, 2000. Additionally, this section requires that the 
    Know Your Customer program be reduced to writing and approved by the 
    board of directors of the bank, or a committee thereof, and the 
    approval recorded in the official minutes of the board.
    
    Contents of Know Your Customer Program (Sec. 21.22(d))
    
        This section sets forth the specific requirements for the contents 
    of the Know Your Customer program. As previously noted, the OCC 
    believes that to impose a regulation that requires each bank to follow 
    a pre-designed, standardized checklist would not be appropriate. The 
    proposed regulation thus allows each bank to develop and delineate a 
    system that will comprise the Know Your Customer program, consistent 
    with the banking practices of the particular bank that, when followed 
    by the bank, will effectively meet the requirements and goals of the 
    regulation.
        Section 21.22(d) reflects the OCC's recognition that each bank's 
    Know Your Customer program may vary depending on the nature of the 
    specific activity, the type of customers involved, the size of the 
    transactions, and other factors that reflect the bank's assessment of 
    the risk presented. In complying with this section, it may be 
    beneficial for banks to classify customers into varying risk-based 
    categories that the banks can use in determining the amount and type of 
    information, documentation and monitoring that is appropriate. While 
    the proposed regulation will provide banks with substantial flexibility 
    in devising an appropriate Know Your Customer program, the OCC believes 
    that all Know Your Customer programs should contain certain critical 
    features, which are discussed below.
    
    Documentation and Due Diligence
    
        Paragraph (d)(1) of Sec. 21.22 requires that the Know Your Customer 
    program delineate acceptable documentation requirements and due 
    diligence procedures the bank will follow in meeting the requirements 
    of the proposed regulation. The delineation of this information in the 
    Know Your Customer program will ensure that the same standards are 
    applied throughout the bank and will inform auditors and examiners of 
    the bank's established standards for review of customer information.
    
    Minimum Steps to Take to Comply With the Know Your Customer Rule
    
        Paragraph (d)(2) of Sec. 21.22 sets forth the steps a bank needs to 
    take in order to know its customers. These steps are discussed below.
        Identify the customer. Paragraph (d)(2)(i) requires that the Know 
    Your Customer program provide a system for determining the identity of 
    new customers. If a bank has reasonable cause to believe that it lacks 
    sufficient information to know the identity of an existing customer, 
    paragraph (d)(2)(i) also requires that the program provide a system for 
    determining the identity of that customer.
        It is imperative that a bank establish, to its own satisfaction, 
    that it is dealing with a legitimate customer, whether the customer is 
    a natural person, corporation, or other business entity. The nature and 
    extent of the identification process should be commensurate with the 
    types of transactions anticipated by the customer and the risks 
    associated with such transactions. If a bank is unable to establish the 
    identity or legitimacy of the customer, sound practices require that 
    the bank not open the account (or terminate the account if the bank 
    lacks adequate information to know the identity of an existing customer 
    and is unable to obtain the information).
        The best identification documents for verifying the identity of 
    prospective customers are the ones that are the most difficult to 
    obtain illicitly and the most difficult to counterfeit. No single form 
    of identification can be guaranteed to be genuine, however. Therefore, 
    the identification process should be cumulative, obtaining enough 
    information and documentation to assure the bank that it has adequately 
    identified the prospective customer. For individual accounts, this 
    might include, for instance, a photograph and signature of the 
    individual. For corporate or business customers, the customer 
    identification process could include the review of appropriate 
    documentation that allows for a means to verify that the corporation or 
    other business entity does exist and does engage in the business, as 
    stated. All documentation reviewed, as well as verifications of the 
    information contained therein, should be recorded and maintained by the 
    bank.
        Any practice of a bank that allows for the establishment of a 
    customer relationship without face-to-face contact with bank personnel, 
    such as banking by mail or Internet banking, poses difficulties in the 
    identification of the prospective customer by use of the traditionally 
    accepted practice of obtaining photographic identification. Even though 
    photographic identification in such circumstances will be impractical, 
    other accepted means of identifying a customer are still viable. In 
    such circumstances, special care should
    be given to verification of address and telephone number.
        If a bank offers private banking services, it is important that the 
    bank understand a customer's personal and business background, source 
    of funds, and intended use of the private banking services. Typically, 
    private banking customers are clients of financial advisors or make use 
    of account vehicles such as personal investment companies, trusts, and 
    personal mutual investment funds. The establishment of such accounts 
    protects the legitimate confidentiality and financial privacy of the 
    customers who use such accounts. However, banks need to identify 
    properly the beneficial owners of such accounts in order to have an 
    effective Know Your Customer program. Any needed confidentiality 
    required by customers of a bank's private banking department can be 
    addressed by the development of special protections to limit access to 
    information that would generally reveal the beneficial owners of those 
    accounts.
        Introductions or referrals of prospective customers by established 
    customers of the bank, while extremely valuable in providing background 
    information about the prospective customer, cannot take the place of 
    identification requirements that should be set forth in the bank's Know 
    Your Customer program. Details regarding the introduction or referral 
    should be documented so that the information obtained can be 
    effectively used to assist in the verification of the prospective 
    customer.
        Determine the source of funds. Paragraph (d)(2)(ii) requires that 
    the Know Your Customer program provide a system for determining the 
    source of a customer's funds. The amount of information needed to do 
    this can depend on the type of customer in question. As an example, if 
    a retail banking customer maintains demand deposit accounts funded 
    primarily from payroll deposits, it should be a relatively simple task 
    to identify and document the source of funds as payroll deposits. On 
    the other hand, a more detailed analysis, with a more extensive 
    documentation process, would be required for high net worth customers 
    with multiple deposits from a variety of sources. For these reasons, 
    among others, it may be beneficial for banks to classify customers into 
    varying categories, based on factors such as the types of accounts 
    maintained, the types of transactions conducted, and the potential risk 
    of illicit activities associated with such accounts and transactions. 
    Banks could then develop procedures to obtain necessary information and 
    documentation based on the risk assessment for the various categories 
    or classes established by a bank.
        Determine normal and expected transactions. Paragraph (d)(2)(iii) 
    requires that the Know Your Customer program provide a system for 
    determining a customer's normal and expected transactions involving the 
    bank. Without this information, a bank is unable to identify suspicious 
    transactions. A bank's understanding of a customer's normal and 
    expected transactions should be based on information obtained both when 
    an account is opened and during a reasonable period of time thereafter. 
    It also should be based on normal transactions for similarly situated 
    customers.
        Monitor the account transactions. Paragraph (d)(2)(iv) requires 
    that the Know Your Customer program provide a system for monitoring, on 
    an ongoing basis, the transactions conducted by customers and 
    identifying transactions that are inconsistent with the normal and 
    expected transactions for particular customers or for customers in the 
    same or similar categories or classes. The proposed regulation does not 
    require that every transaction of every customer be reviewed. Rather, 
    it requires that a bank develop a monitoring system that is appropriate 
    for the risks presented by the accounts maintained at that bank.
        In designing a monitoring system, a bank may choose to classify 
    accounts into various categories based on factors such as the type and 
    size of account, the types, number, and size of transactions conducted 
    in the account, and the risk of illicit activity associated with the 
    account. For certain classes or categories of accounts, it would be 
    sufficient for an effective monitoring system to establish parameters 
    for which the transactions within these accounts will normally occur. 
    Rather than monitoring each transaction, an effective monitoring system 
    could entail monitoring only for those transactions that exceed the 
    established parameters for that particular class or category of 
    accounts. For other categories or classes of accounts, such as private 
    banking accounts, it may be necessary to monitor each significant 
    transaction.
        Determine if transaction should be reported. Once a transaction is 
    identified as inconsistent with normal and expected transactions, 
    paragraph (d)(2)(v) requires that a bank determine if the transaction 
    warrants the filing of a Suspicious Activity Report. This is consistent 
    with a bank's existing obligations under 12 CFR 21.11(c). In 
    identifying reportable transactions, a bank should not conclude that 
    every transaction that falls outside what is expected for a given 
    customer should be reported. Rather, a bank should focus on patterns of 
    inconsistent transactions and isolated transactions that present risk 
    factors that warrant further review.
    
    Compliance with Know Your Customer Program (Sec. 21.22(e))
    
        This section sets forth the requirements a bank must follow to 
    ensure that it is in compliance with its Know Your Customer program. 
    The requirements include that a bank provide for and document a system 
    of internal controls to ensure ongoing compliance, as well as provide 
    for and document independent testing for compliance with the Know Your 
    Customer program. Additionally, the bank must designate an individual 
    responsible for coordinating and monitoring day-to-day compliance and 
    provide for and document training to all appropriate personnel of the 
    content and requirements of the Know Your Customer program.
    
    Availability of Documentation (Sec. 21.22(f))
    
        This section requires, for all accounts opened or maintained in the 
    United States, that all information and documentation necessary to 
    comply with the regulation be made available for examination and 
    inspection, at a location specified by an OCC representative, within 48 
    hours of a request for such information and documentation. In instances 
    where the information and documentation is at a location other than 
    where the customer's account is maintained or the financial services 
    are rendered, the bank must adopt, as part of its Know Your Customer 
    program, specific procedures designed to ensure that the information 
    and documentation is reviewed by personnel at the location where the 
    customer's account is located or the financial services are rendered, 
    and the bank should provide written evidence that the appropriate 
    review of the information and documentation is being performed by the 
    personnel at that location on a regular basis.
        While issues arise on occasion concerning whether foreign laws 
    permit a bank to disclose certain customer information, the OCC's 
    experience is that the information typically already exists within the 
    bank in the United States because the information is used by the 
    relationship manager, who resides in the United States, as well as 
    other components of the bank, to provide banking services to the 
    customer. Moreover, in instances where
    banks have raised foreign law disclosure issues, the banks, at the 
    OCC's suggestion, have obtained from their customers waivers to any 
    perceived prohibition to disclosure of the information and 
    documentation. Thus, the OCC does not anticipate that foreign laws will 
    preclude the production of information relating to accounts opened and 
    maintained in the United States.
    
    Comments Sought
    
        The OCC invites comment on any aspect of the proposed regulation, 
    and specifically seeks comment on the following issues:
        1. Whether the proposed definition of ``customer'' is sufficient to 
    include all persons who benefit from an account opened at a bank, such 
    as persons who establish off-shore shell companies or entities or 
    otherwise conduct their business through intermediaries.
        2. Whether the proposed definition of ``customer'' is too broad and 
    will unnecessarily include persons that pose a minimal Know Your 
    Customer risk.
        3. Whether a bank's Know Your Customer program should apply to a 
    bank's counterparty relationships with respect to transactions in 
    wholesale financial markets (e.g., sales or purchases involving foreign 
    exchange or securities) and correspondent banking relationships.
        4. Whether a different standard than that applicable to retail 
    relationships would be more appropriate for wholesale and correspondent 
    banking relationships, and, if such a distinction is appropriate, how 
    the definition of ``customer'' can be distinguished between 
    transactional counterparty customers, correspondents, and retail 
    customers.
        5. Whether the proposed regulation will create a competitive 
    disadvantage with respect to other financial entities offering similar 
    services that may not be subject to the similar regulations (citing, 
    where possible, specific examples) and, if so, what could be done to 
    mitigate the disadvantage consistent with the OCC's supervisory 
    responsibilities.
        6. Whether the actual or perceived invasion of personal privacy 
    interests is outweighed by the additional compliance benefits 
    anticipated by this proposal.
        7. Whether there should be a minimum account size threshold below 
    which the Know Your Customer requirements should be waived.
        8. Whether credit card banks should be exempt from the regulation.
    
    Regulatory Flexibility Act
    
        Pursuant to section 605(b) of the Regulatory Flexibility Act (5 
    U.S.C. 601 et seq.), the OCC certifies that this proposal will not have 
    a significant economic impact on a substantial number of small 
    entities. Accordingly, a regulatory flexibility analysis is not 
    required. Most banks, from small to large, already have policies and 
    procedures aimed at collecting, retaining, and reviewing the types of 
    information required by this proposal. Therefore, there should not be a 
    significant economic impact from this proposal.
    
    Paperwork Reduction Act
    
        The OCC invites comment on:
        (1) Whether the proposed collections of information contained in 
    this notice of proposed rulemaking are necessary for the proper 
    performance of the OCC's functions, including whether the information 
    has practical utility;
        (2) The accuracy of the OCC's estimate of the burden of the 
    proposed information collection;
        (3) Ways to enhance the quality, utility, and clarity of the 
    information to be collected;
        (4) Ways to minimize the burden of the information collection on 
    respondents, including the use of automated collection techniques or 
    other forms of information technology; and
        (5) Estimates of capital or start-up costs and costs of operation, 
    minutes, and purchase of services to provide information.
        Recordkeepers are not required to respond to this collection of 
    information unless it displays a currently valid OMB control number.
        The collection of information requirements contained in this notice 
    of proposed rulemaking have been submitted to the Office of Management 
    and Budget for review in accordance with the Paperwork Reduction Act of 
    1995 (44 U.S.C. 3507(d)). Comments on the collections of information 
    should be sent to the Office of Management and Budget, Paperwork 
    Reduction Project (1557-KYCP), Washington, D.C. 20503, with copies to 
    Office of the Comptroller of the Currency, Communications Division, 250 
    E Street, SW, Attention: 1557-KYCP, Washington, D.C. 20219.
        The proposed rule is not expected to significantly increase the 
    ongoing annual paperwork burden for the recordkeepers because most of 
    the ongoing burden is incurred and accounted for under other existing 
    information collections. As discussed in the preamble to the proposed 
    rule, banks already must report suspicious transactions, pursuant to 12 
    CFR 21.11. Therefore, they already must gather information about 
    customers and monitor customer transactions as part of their usual and 
    customary activities in order to comply with the suspicious activity 
    reporting requirements. Moreover, the OCC has drafted the proposed 
    regulation in a way that is designed to give banks as much flexibility 
    as possible to design a system that is appropriate for each individual 
    bank and generally has not proposed to require compliance with specific 
    paperwork burdens.
        The majority of the paperwork burden associated with the proposed 
    rule is the one-time burden of developing a plan. In the normal course 
    of business, most institutions likely already have sufficient 
    information about their customers in their files and would only need to 
    organize and review such information. Because each institution would 
    design its own program in accordance with its own business practices, 
    the OCC estimates that the burden of the proposed rule would vary 
    considerably and may range, during the initial year, from 10 to 30 
    hours, with an average of 20 hours per recordkeeper.
        The collection of information requirements in this proposed rule 
    are found in 12 CFR 21.22(c) and 21.22(e)(3). This information is 
    required to evidence compliance with the requirements that the Know 
    Your Customer program has been developed and approved by a bank's board 
    of directors (or committee thereof) and to identify the person(s) 
    responsible for coordinating and monitoring compliance with the 
    program. The likely respondents are national banks, District banks, and 
    Federal branches and agencies of foreign banks licensed or chartered by 
    the OCC.
        Estimated average annual burden hours per recordkeeper: 20 hours 
    for the first year, with an average over the first three years of 8 
    hours per year.
        Estimated number of recordkeepers: 2,600.
        Estimated total annual recordkeeping burden: 52,000 hours for the 
    first year, with an average over the first three years of 20,800 hours 
    per year.
        Start-up costs: None.
    
    Executive Order 12866
    
        The Office of Management and Budget has concurred with the OCC's 
    determination that this proposal is not a significant regulatory action 
    under Executive Order 12866.
    
    Unfunded Mandates Reform Act of 1995
    
        The OCC has determined that this proposal will not result in 
    expenditures by state, local, and tribal governments, or by the private 
    sector, of $100 million
    
    [[Page 67529]]
    
    or more in any one year. Accordingly, a budgetary impact statement is 
    not required under section 202 of the Unfunded Mandates Reform Act of 
    1995. Most banks already have policies and procedures aimed at 
    collecting, retaining and reviewing the types of information required 
    by this proposal and, thus, this proposal should not result in 
    substantial additional expenditures.
    
    List of Subjects in 12 CFR Part 21
    
        Currency, National banks, Reporting and recordkeeping requirements, 
    Security measures.
    
    Authority and Issuance
    
        For the reasons set forth in the preamble, part 21 of chapter I of 
    title 12 of the Code of Federal Regulations is proposed to be amended 
    as follows:
    
    PART 21--MINIMUM SECURITY DEVICES AND PROCEDURES, REPORTS OF 
    SUSPICIOUS ACTIVITIES, AND BANK SECRECY ACT COMPLIANCE PROGRAM
    
        1. The authority citation for part 21 continues to read as follows:
    
        Authority: 12 U.S.C. 93a, 1818, 1881-1884, and 3401-3422; 31 
    U.S.C. 5318.
    
        2. A new Sec. 21.22 is added to read as follows:
    
    
    Sec. 21.22  Know Your Customer rules.
    
        (a) Purpose and scope--(1) Purpose. The Know Your Customer rules 
    require that national banks and Federal branches or agencies of foreign 
    banks establish and regularly maintain procedures designed to determine 
    the identity of their customers, as well as their customers' normal and 
    expected transactions and sources of funds involving the bank. These 
    procedures (referred to as the ``Know Your Customer'' program) are 
    intended to: protect the reputation of the bank; facilitate the bank's 
    compliance with all applicable statutes and regulations (including the 
    Bank Secrecy Act and the suspicious activity reporting requirements of 
    12 CFR 21.11) and with safe and sound banking practices; and protect 
    the bank from becoming a vehicle for or a victim of illegal activities 
    perpetrated by its customers.
        (2) Scope. In general, the Know Your Customer rules apply to all 
    national banks as well as all Federal branches or agencies of foreign 
    banks licensed or chartered by the OCC. However, the rules do not apply 
    to credit card banks, bankers' banks, or other banks that operate 
    solely to service the activities of their affiliates.
        (b) Definition of customer. For the purposes of this section, 
    customer means:
        (1) Any person or entity who has an account involving the receipt 
    or disbursal of funds with an institution covered by this section; and
        (2) Any person or entity on behalf of whom an account is 
    maintained.
        (c) Establishment of Know Your Customer program. Each bank shall 
    develop and provide for the continued administration of a Know Your 
    Customer program by April 1, 2000. The Know Your Customer program shall 
    be reduced to writing and approved by the board of directors (or a 
    committee thereof) with the approval recorded in the official minutes 
    of the board.
        (d) Contents of Know Your Customer program. The Know Your Customer 
    program may vary in complexity and scope according to categories or 
    classes of customers established by the bank and the potential risk of 
    illicit activities associated with those customers' accounts and 
    transactions. Components of the program should include the following:
        (1) Appropriate documentation requirements and due diligence 
    procedures established by the bank to comply with this section; and
        (2) A system for:
        (i) Determining the identity of the bank's new customers and, if 
    the bank has reasonable cause to believe that it lacks adequate 
    information to know the identity of existing customers, determining the 
    identity of those existing customers;
        (ii) Determining the customer's sources of funds for transactions 
    involving the bank;
        (iii) Determining the particular customer's normal and expected 
    transactions involving the bank;
        (iv) Monitoring customer transactions and identifying transactions 
    that are inconsistent with normal and expected transactions for that 
    particular customer or for customers in the same or similar categories 
    or classes, as established by the bank; and
        (v) Determining if a transaction should be reported in accordance 
    with the OCC's suspicious activity reporting regulations and, if so, 
    reporting accordingly.
        (e) Compliance with Know Your Customer program. The bank shall 
    comply with its Know Your Customer program. To ensure compliance, the 
    bank shall:
        (1) Provide for and document a system of internal controls;
        (2) Provide for and document independent testing for compliance to 
    be conducted by bank personnel or by an outside party on a regular 
    basis;
        (3) Designate an individual or individuals responsible for 
    coordinating and monitoring day-to-day compliance; and
        (4) Provide for and document training to all appropriate personnel, 
    on at least an annual basis, of the content and required procedures of 
    the Know Your Customer program.
        (f) Availability of documentation. For all accounts opened or 
    maintained in the United States, each bank must ensure that all 
    information and documentation sufficient to comply with the 
    requirements of this section are available for examination and 
    inspection, at a location specified by an OCC representative, within 48 
    hours of an OCC representative's request for such information and 
    documentation. In instances where the information and documentation is 
    maintained at a location other than where the customer's account is 
    maintained or the financial services are rendered, the bank must 
    include, as part of its Know Your Customer program, specific procedures 
    designed to ensure that the information and documentation is reviewed 
    on an ongoing basis by appropriate bank personnel in order to comply 
    with this section.
    
        Dated: October 17, 1998.
    Julie L. Williams,
    Acting Comptroller of the Currency.
    [FR Doc. 98-32333 Filed 12-4-98; 8:45 am]
    BILLING CODE 4810-33-P
    
    
    

Document Information

Published: 12/07/1998
Department: Comptroller of the Currency
Entry Type: Proposed Rule
Action: Notice of proposed rulemaking.
Document Number: 98-32333
Dates: Comments must be received by March 8, 1999.
Pages: 67524-67529 (6 pages)
Docket Numbers: Docket No. 98-15
RINs: 1557-AB66: Bank Secrecy Act Compliance: "Know Your Customer" Requirements
RIN Links: https://www.federalregister.gov/regulations/1557-AB66/bank-secrecy-act-compliance-know-your-customer-requirements
PDF File: 98-32333.pdf
CFR: (1) 12 CFR 21.22