98-32334. Minimum Security Devices and Procedures and Bank Secrecy Act Compliance  

  • [Federal Register Volume 63, Number 234 (Monday, December 7, 1998)]
    [Proposed Rules]
    [Pages 67529-67536]
    From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
    [FR Doc No: 98-32334]
    
    
    -----------------------------------------------------------------------
    
    FEDERAL DEPOSIT INSURANCE CORPORATION
    
    12 CFR Part 326
    
    RIN 3064-AC19
    
    
    Minimum Security Devices and Procedures and Bank Secrecy Act 
    Compliance
    
    AGENCY: Federal Deposit Insurance Corporation.
    
    ACTION: Notice of proposed rulemaking.
    
    -----------------------------------------------------------------------
    
    SUMMARY: The FDIC is proposing to issue a regulation requiring insured 
    nonmember banks to develop and maintain ``Know Your Customer'' 
    programs. As proposed, the regulation would require each nonmember bank 
    to develop a program designed to determine the identity of its 
    customers; determine its customers' sources of funds; determine the 
    normal and expected transactions of its customers; monitor account 
    activity for transactions that are inconsistent with those normal
    
    [[Page 67530]]
    
    and expected transactions; and report any transactions of its customers 
    that are determined to be suspicious, in accordance with the FDIC's 
    existing suspicious activity reporting regulation. By requiring insured 
    nonmember banks to determine the identity of their customers, as well 
    as to obtain knowledge regarding the legitimate activities of their 
    customers, the proposed regulation will reduce the likelihood that 
    insured nonmember banks will become unwitting participants in illicit 
    activities conducted or attempted by their customers. It also will 
    level the playing field between institutions that already have adopted 
    formal Know Your Customer programs and those that have not.
    
    DATES: Comments must be received by March 8, 1999.
    
    ADDRESSES: Comments should be directed to: Robert E. Feldman, Executive 
    Secretary, Attention: Comments/OES, Federal Deposit Insurance 
    Corporation, 550 17th Street, N.W., Washington, DC 20429. Comments may 
    be hand-delivered to the guard station at the rear of the 550 17th 
    Street Building (located on F Street), on business days between 7 a.m. 
    and 5 p.m. In addition, comments may be sent by fax to (202) 898-3838, 
    or by electronic mail to [email protected]. Comments may be inspected 
    and photocopied in the FDIC Public Information Center, Room 100, 801 
    17th Street, NW, Washington, D.C., between 9 a.m. and 4:30 p.m., on 
    business days.
    
    FOR FURTHER INFORMATION CONTACT: Carol A. Mesheske, Special Activities 
    Section, Division of Supervision, (202) 898-6750, or Karen L. Main, 
    Counsel, Legal Division (202) 898-8838.
    
    SUPPLEMENTARY INFORMATION:
    
    Background
    
        The integrity of the financial sector depends on the ability of 
    banks and other financial institutions to attract and retain legitimate 
    funds from legitimate customers. Financial institutions are able to 
    attract and retain the business of legitimate customers because of the 
    quality and reliability of the services being rendered and, as 
    important, the sound and highly respected reputation of the banking 
    industry. Illicit activities, such as money laundering, fraud, and 
    other transactions designed to assist criminals in their illegal 
    ventures, pose a serious threat to the integrity of financial 
    institutions. When transactions at financial institutions involving 
    illicit funds are revealed, these transactions invariably damage the 
    reputation of the financial institutions involved and, potentially, the 
    entire financial sector. While it is impossible to identify every 
    transaction at an institution that is potentially illegal or is being 
    conducted to assist criminals in the movement of illegally derived 
    funds, it is fundamental for safe and sound operations that financial 
    institutions take reasonable measures to identify their customers, 
    understand the legitimate transactions typically conducted by those 
    customers, and, consequently, identify those transactions conducted by 
    their customers that are unusual or suspicious in nature. By 
    identifying and, when appropriate, reporting such transactions in 
    accordance with existing suspicious activity reporting requirements, 
    financial institutions are protecting their integrity and are assisting 
    the efforts of the financial institution regulatory agencies and law 
    enforcement authorities to combat illicit activities at such 
    institutions.
        One of the most effective means by which an insured nonmember bank 
    can both protect itself from engaging in transactions designed to 
    facilitate illicit activities and ensure compliance with applicable 
    suspicious activity reporting requirements is for the nonmember bank to 
    have adequate Know Your Customer policies and procedures. By knowing 
    its customers, an insured nonmember bank is better able to fulfill its 
    compliance responsibilities, including its Bank Secrecy Act and 
    suspicious activity reporting requirements, 12 CFR 326.8 and 12 CFR 
    part 353, respectively.
        Recognizing that a Know Your Customer program for one nonmember 
    bank will not necessarily be appropriate for another, the proposed 
    regulation identifies only the basic components that the FDIC believes 
    should be contained in any Know Your Customer program. In supplemental 
    guidance to be provided at the time this regulation becomes final, the 
    FDIC, in coordination with the other federal financial institution 
    supervisory agencies, will provide further information about specific 
    steps that institutions may consider taking as they implement their 
    Know Your Customer programs. The FDIC believes that this approach 
    strikes an appropriate balance that responds to requests for additional 
    guidance in this area while preserving the flexibility for each insured 
    nonmember bank to take steps appropriate for its customers.
    
    Privacy Issues
    
        The proposed regulation requires insured nonmember banks to gather 
    information about customers that, if misused, could result in an 
    invasion of a customer's privacy. Given the potential for abuse in this 
    area, it is the FDIC's expectation that, in complying with the Know 
    Your Customer regulation, a nonmember bank will obtain only that 
    information that is necessary to comply with the regulation and will 
    limit the use of this information to complying with the regulation. 
    Insured nonmember banks need to safeguard and handle responsibly the 
    information gathered in connection with complying with these 
    obligations, and should integrate comprehensive privacy practices into 
    their Know Your Customer programs.
    
    Authority To Issue the Regulation
    
        The proposed regulation is authorized pursuant to the FDIC's 
    statutory authority under section 8(s)(1) of the Federal Deposit 
    Insurance Act (12 U.S.C. 1818(s)(1)), as amended by section 2596(a)(2) 
    of the Crime Control Act of 1990 (Pub. L. 101-647), which requires the 
    FDIC to issue regulations requiring banks under its supervision to 
    establish and maintain internal procedures reasonably designed to 
    ensure and monitor compliance with the Bank Secrecy Act. Effective Know 
    Your Customer programs serve to facilitate compliance with the Bank 
    Secrecy Act.
    
    Proposal
    
        The FDIC proposes to revise 12 CFR part 326 by adding a new subpart 
    requiring insured nonmember banks to develop and implement Know Your 
    Customer programs. Under the proposed regulation, the FDIC would expect 
    each nonmember bank to design a program that is appropriate given its 
    size and complexity, the nature and extent of its activities, its 
    customer base and the levels of risk associated with its various 
    customers and their transactions. The FDIC believes that this approach 
    is preferable to a detailed regulation that imposes the same list of 
    specific requirements on every bank regardless of its circumstances. 
    The FDIC recognizes that a Know Your Customer requirement will impose 
    additional burdens on some insured nonmember banks. Mindful of that 
    fact, the FDIC is striving to impose only those requirements that are 
    necessary to ensure that insured nonmember banks have in place adequate 
    Know Your Customer programs.
        Each of the other federal bank supervisory agencies is proposing to 
    adopt substantially identical regulations covering state member and 
    national banks, federally-chartered branches and agencies of foreign 
    banks, savings associations, and credit unions. There also have been 
    discussions with the
    
    [[Page 67531]]
    
    federal regulators of non-bank financial institutions, such as broker-
    dealers, concerning the need to propose similar rules governing the 
    activities of these non-bank institutions.
    
    Analysis of Subpart C
    
    Section 326.9 Know Your Customer Compliance
    
    Paragraph (a)--Purpose
        The purposes of adopting a Know Your Customer program are to 
    protect the reputation of the insured nonmember bank; to facilitate the 
    insured nonmember bank's compliance with all applicable statutes and 
    regulations (including the Bank Secrecy Act and the FDIC's suspicious 
    activity reporting regulations) and with safe and sound banking 
    practices; and to protect the insured nonmember bank from becoming a 
    vehicle for, or a victim of, illegal activities perpetrated by its 
    customers.
        This subpart applies to all insured state nonmember banks as well 
    as any insured, state-licensed branches of foreign banks.
    Paragraph (b)--Definitions
        The proposed regulation defines the term ``customer'' as any person 
    or entity who has an account involving the receipt or disbursal of 
    funds with an insured nonmember bank covered by this regulation and any 
    person or entity on behalf of whom an account is maintained. Thus, for 
    instance, if an account is opened on behalf of a third party, the 
    nonmember bank will need to treat as a customer both the person or 
    entity opening the account and the person or entity for whom the 
    account is opened. A customer would include an accountholder, a 
    beneficial owner of an account, or a borrower. A ``customer'' could 
    include the beneficiary of a trust, an investment fund, a pension fund 
    or a company whose assets are managed by an asset manager; a 
    controlling shareholder of a closely held corporation; or the grantor 
    of a trust established in an off-shore jurisdiction. The term 
    ``customer'' does not include recipients of services for which the 
    receipt or disbursal of customer funds is incidental, for instance, 
    safe deposit box rentals.
        The proposed regulation does not differentiate between current 
    customers and new customers. The effectiveness of an insured nonmember 
    bank's Know Your Customer program would be greatly reduced if all 
    customer accounts in existence prior to the effective date of the 
    regulation were excluded from its scope. However, the FDIC does not 
    believe that it is practicable for a nonmember bank to conduct a large-
    scale information request from all its existing customers. Rather, a 
    nonmember bank may comply with the proposed regulation with respect to 
    its current customers by determining their normal and expected 
    transactions, using available account data, and monitoring their 
    transactions for suspicious activities. However, depending on the 
    nature of the risk associated with some customers and their 
    transactions (for instance, transactions involving private banking 
    customers), it may be necessary to fulfill all of the requirements of 
    this regulation as if they were new customers.
    Paragraph (c)--Establishment of Know Your Customer Program
        This paragraph requires that each insured nonmember bank establish 
    a Know Your Customer program by April 1, 2000. Additionally, this 
    paragraph requires that the Know Your Customer program be reduced to 
    writing and approved by the board of directors of the nonmember bank, 
    or a committee thereof, and the approval recorded in the official 
    minutes of the board.
    Paragraph (d)--Contents of Know Your Customer Program
        This paragraph sets forth the specific requirements for the 
    contents of the Know Your Customer program. The FDIC recognizes that 
    insured nonmember banks vary considerably in the way in which they 
    conduct their business on a day-to-day basis. Therefore, the FDIC 
    believes that to impose a regulation that simply requires each insured 
    nonmember bank to follow a pre-designed, standardized checklist would 
    not be appropriate. The proposed regulation thus allows each nonmember 
    bank to develop and delineate a system that will comprise the Know Your 
    Customer program, consistent with the banking practices of the 
    particular bank that, when followed by the nonmember bank, will 
    effectively meet the requirements and goals of the regulation.
        Section 326.9(d) reflects the FDIC's recognition that each insured 
    nonmember bank's Know Your Customer program may vary depending on the 
    nature of the specific activity, the type of customers involved, the 
    size of the transactions, and other factors that reflect the nonmember 
    bank's assessment of the risk presented. In complying with this 
    section, it may be beneficial for insured nonmember banks to classify 
    customers into varying risk-based categories that the insured nonmember 
    banks can use in determining the amount and type of information, 
    documentation and monitoring that is appropriate. While the proposed 
    regulation will provide nonmember banks with substantial flexibility in 
    devising an appropriate Know Your Customer program, the FDIC believes 
    that all Know Your Customer programs should contain certain critical 
    features, which are discussed below.
        Documentation and due diligence. Paragraph (d)(1) of Sec. 326.9 
    requires that the Know Your Customer program delineate acceptable 
    documentation requirements and due diligence procedures the insured 
    nonmember bank will follow in meeting the requirements of the proposed 
    regulation. The delineation of this information in the Know Your 
    Customer program will ensure that the same standards are applied 
    throughout the nonmember bank and will inform auditors and examiners of 
    the nonmember bank's established standards for review of customer 
    information.
        Minimum steps to take to comply with the Know Your Customer rule. 
    Paragraph (d)(2) of Sec. 326.9 sets forth the steps an insured 
    nonmember bank needs to take in order to know its customers. The 
    proposed regulation requires that, rather than following a 
    ``checklist'' approach, an insured nonmember bank may develop a 
    ``system'' designed to meet the basic requirements of the regulation. 
    The system approach allows each insured nonmember bank to design its 
    own program, in accordance with its own business practices, that will 
    best suit the nonmember bank. While this places some burden on the 
    nonmember bank to develop the specifics of the Know Your Customer 
    program, such an approach recognizes that each insured nonmember bank 
    conducts business in accordance with its own policies, procedures, 
    goals and objectives. The Know Your Customer program, in order to be 
    the most effective, must be developed and implemented with the 
    nonmember bank's regular and ordinary business practices in mind. The 
    FDIC believes that all Know Your Customer programs should contain 
    certain critical features, which are set forth below.
        Identify the customer. Paragraph (d)(2)(i) requires that the Know 
    Your Customer program provide a system for determining the true 
    identity of prospective customers. If an insured nonmember bank has 
    reasonable cause to believe that it lacks sufficient information to 
    know the identity of an existing customer, paragraph (d)(4)(ii)(A) also 
    requires that the program provide a system for
    
    [[Page 67532]]
    
    determining the identity of that customer.
        It is imperative that an insured nonmember bank establish, to its 
    own satisfaction, that it is dealing with a legitimate customer, 
    whether the customer is a natural person, corporation, or other 
    business entity. The nature and extent of the identification process 
    should be commensurate with the types of transactions anticipated by 
    the customer and the risks associated with such transactions. If a 
    prospective customer refuses to provide any of the requested 
    information, sound practices would require that the nonmember bank not 
    open the account. Similarly, if additional or follow-up information is 
    not forthcoming from an established customer, sound practices would 
    require that consideration be given to terminating the account 
    relationship.
        The best identification documents for verifying the identity of 
    prospective customers are the ones that are the most difficult to 
    obtain illicitly and the most difficult to counterfeit. No single form 
    of identification can be guaranteed to be genuine, however. Therefore, 
    the identification process should be cumulative, obtaining enough 
    information and documentation to assure the insured nonmember bank that 
    it has adequately identified the prospective customer. For individual 
    accounts, this might include, for instance, a document containing a 
    photograph and signature of the individual. For corporate or business 
    customers, the customer identification process could include the review 
    of appropriate documentation that allows for a means to verify that the 
    corporation or other business entity does exist and does engage in the 
    business, as stated. All documentation reviewed, as well as 
    verifications of the information contained therein, should be recorded 
    and maintained by the nonmember bank.
        Any practice of an insured nonmember bank that allows for the 
    establishment of a customer relationship without face-to-face contact 
    with bank personnel, such as banking by mail or Internet banking, poses 
    difficulties in the identification of the prospective customer by use 
    of the traditionally accepted practice of obtaining identification 
    documentation, to include photographic identification. Even though 
    photographic identification in such circumstances will be impractical, 
    other accepted means of identifying a customer are still viable. In 
    such circumstances, special care should be given to verification of 
    address and telephone number. Moreover, insured nonmember banks should 
    consider using commercially available data to compare items such as 
    name with date of birth and social security number.
        If an insured nonmember bank offers private banking services, it is 
    important that the nonmember bank understand a customer's personal and 
    business background, source of funds, and intended use of the private 
    banking services. Typically, private banking customers are clients of 
    financial advisors or make use of account vehicles such as personal 
    investment companies, trusts, and personal mutual investment funds. The 
    establishment of such accounts serves the stated purposes of protecting 
    the legitimate confidentiality and financial privacy of the customers 
    who use such accounts. However, the need to identify properly the 
    beneficial owners of such accounts, through an effective Know Your 
    Customer program, is necessary to the continued safe and sound 
    operation of the insured nonmember bank. Any needed confidentiality 
    required by customers of an insured nonmember bank's private banking 
    department can be addressed by the development of special protections 
    to limit access to information that would generally reveal the 
    beneficial owners of those accounts.
        Introductions or referrals of prospective customers by established 
    customers of the insured nonmember bank, while extremely valuable in 
    providing background information about the prospective customer, cannot 
    take the place of identification requirements that should be set forth 
    in the nonmember bank's Know Your Customer program. Details regarding 
    the introduction or referral should be documented so that the 
    information obtained can be effectively used to assist in the 
    verification of the prospective customer.
        The extent of the information regarding the customer that may be 
    necessary to fulfill the nonmember bank's Know Your Customer 
    obligations should depend on a risk-based assessment of the customer 
    and the transactions that are expected to occur, and should be 
    addressed within the insured nonmember bank's Know Your Customer 
    program.
        Determine the source of funds. Paragraph (d)(2)(ii) requires that 
    the Know Your Customer program provide a system for determining the 
    source of a customer's funds. The amount of information needed to do 
    this can depend on the type of customer in question. As an example, if 
    a retail banking customer maintains demand deposit accounts funded 
    primarily from payroll deposits, it should be a relatively simple task 
    to identify and document the source of funds as payroll deposits. On 
    the other hand, a more detailed analysis, with a more extensive 
    documentation process, would be required for high net worth customers 
    with multiple deposits from a variety of sources. For these reasons, 
    among others, it may be beneficial for insured nonmember banks to 
    classify customers into varying categories, based on factors such as 
    the types of accounts maintained, the types of transactions conducted, 
    and the potential risk of illicit activities associated with such 
    accounts and transactions. An insured nonmember bank could then develop 
    procedures to obtain necessary information and documentation based on 
    the risk assessment for the various categories or classes established 
    by the nonmember bank.
        Determine normal and expected transactions. Paragraph (d)(2)(iii) 
    requires that the Know Your Customer program provide a system for 
    determining a customer's normal and expected transactions involving the 
    insured nonmember bank. A nonmember bank's understanding of a 
    customer's normal and expected transactions should be based on 
    information obtained both when an account is opened and during a 
    reasonable period of time thereafter. It also should be based on normal 
    transactions for similarly situated customers. Without this 
    information, an insured nonmember bank is unable to identify suspicious 
    transactions.
        Monitor the account transactions. Paragraph (d)(2)(iv) requires 
    that the Know Your Customer program provide a system for monitoring, on 
    an ongoing basis, the transactions conducted by customers to identify 
    transactions that are inconsistent with the normal and expected 
    transactions for particular customers or for customers in the same or 
    similar categories or classes. The proposed regulation does not require 
    that every transaction of every customer be reviewed. Rather, it 
    requires that an insured nonmember bank develop a monitoring system 
    that is commensurate with the risks presented by the accounts 
    maintained at that bank.
        In designing a monitoring system, an insured nonmember bank may 
    choose to classify accounts into various categories based on factors 
    such as the type and size of account, the types, number, and size of 
    transactions conducted in the account, and the risk of illicit activity 
    associated with the account. For certain classes or categories of 
    accounts, it would be sufficient for an effective monitoring system to 
    establish parameters for which the transactions
    
    [[Page 67533]]
    
    within these accounts will normally occur. Rather than monitoring each 
    transaction, an effective monitoring system could entail monitoring 
    only for those transactions that exceed the established parameters for 
    that particular class or category of accounts. For other categories or 
    classes of accounts, such as private banking accounts, it may be 
    necessary to monitor each significant transaction.
        Determine if transaction should be reported. Once a transaction is 
    identified as inconsistent with normal and expected transactions, 
    paragraph (d)(2)(v) requires that an insured nonmember bank determine 
    if the transaction warrants the filing of a Suspicious Activity Report. 
    This is consistent with an insured nonmember bank's existing 
    obligations under 12 CFR 353.3(a). In identifying reportable 
    transactions, an insured nonmember bank should not conclude that every 
    transaction that falls outside what is expected for a given customer 
    should be reported. Rather, a nonmember bank should focus on patterns 
    of inconsistent transactions and isolated transactions that present 
    risk factors that warrant further review.
    Paragraph (e)--Compliance With Know Your Customer Program
        This paragraph sets forth the requirements an insured nonmember 
    bank must follow to ensure that it is in compliance with its Know Your 
    Customer program. The requirements include that an insured nonmember 
    bank provide for and document a system of internal controls to ensure 
    ongoing compliance, as well as provide for and document independent 
    testing for compliance with the Know Your Customer program. 
    Additionally, the nonmember bank must designate an individual 
    responsible for coordinating and monitoring day-to-day compliance and 
    provide for and document training to all appropriate personnel of the 
    content and requirements of the Know Your Customer program.
    Paragraph (f)--Availability of Documentation
        This paragraph requires, for all accounts opened or maintained in 
    the United States, that all information and documentation necessary to 
    comply with the regulations be made available for examination and 
    inspection, at a location specified by an FDIC representative, within 
    48 hours of a request for such information and documentation. In 
    instances where the information and documentation is at a location 
    other than where the customer's account is maintained or the financial 
    services are rendered, the insured nonmember bank must adopt, as part 
    of its Know Your Customer program, specific procedures designed to 
    ensure that the information and documentation is reviewed on an ongoing 
    basis by appropriate personnel. The nonmember bank should maintain 
    written evidence that the appropriate review is being performed on a 
    regular basis.
        While issues arise on occasion concerning documentation on accounts 
    domiciled in the United States by foreign accountholders, the FDIC 
    believes that the information typically already exists within the 
    insured nonmember bank in the United States because the information is 
    used by the relationship manager, who resides in the United States, as 
    well as other components of the nonmember bank to provide banking 
    services to the customer.
    
    Comments Sought
    
        The FDIC invites comment on any aspect of the rule, and 
    specifically seeks comment on the following issues:
        1. Whether the proposed definition of ``customer'' is sufficient to 
    include all persons who benefit from an account opened at an insured 
    nonmember bank such as persons who establish off-shore shell companies 
    or entities or otherwise conduct their business through intermediaries.
        2. Whether the proposed definition of ``customer'' is too broad and 
    will unnecessarily include persons that pose a minimal Know Your 
    Customer risk.
        3. Whether an insured nonmember bank's Know Your Customer program 
    should apply to a nonmember bank's counterparty relationships with 
    respect to transactions in wholesale financial markets (e.g., sales or 
    purchases involving foreign exchange or securities) and correspondent 
    banking relationships. If so, would a different standard than that 
    applicable to retail relationships be more appropriate for wholesale 
    and correspondent banking relationships? If such a distinction is 
    appropriate, is the proposed definition of ``customer'' sufficient?
        4. Whether the benefits of implementing Know Your Customer 
    requirements outweigh the costs involved.
        5. Whether the proposed regulation will create a competitive 
    disadvantage with respect to other financial entities offering similar 
    services that may not be subject to similar regulations (citing, where 
    possible, specific examples) and, if so, what could be done to mitigate 
    the disadvantage consistent with the FDIC's supervisory 
    responsibilities.
        6. Whether the actual or perceived invasion of personal privacy 
    interests is outweighed by the additional compliance benefits 
    anticipated by this proposal.
        7. Whether there should be a minimum account size threshold below 
    which the Know Your Customer requirements should be waived.
    
    Regulatory Flexibility Act
    
        Under the Regulatory Flexibility Act, the FDIC must either provide 
    an Initial Regulatory Flexibility Analysis (IRFA) with this proposed 
    rule, or certify that the proposed rule would not have a significant 
    economic impact on a substantial number of small entities. The proposed 
    rule is designed to be flexible so that each insured nonmember bank can 
    design a Know Your Customer program appropriate for its circumstances. 
    While advantageous to insured nonmember banks, this flexibility makes 
    it difficult to predict the magnitude of the economic impact of the 
    proposed rule on insured nonmember banks. The FDIC cannot, at this 
    time, determine whether the proposed rule would have a significant 
    economic impact on a substantial number of small entities. The FDIC, 
    therefore, includes this IRFA.
    
    A. Reasons For and Objectives of the Proposed Rule.
    
        The proposed Know Your Customer rule is designed to deter and 
    detect financial crimes, such as money laundering, tax evasion, and 
    fraud. Financial crimes conducted at or through financial institutions, 
    even where financial institutions are not parties to the transactions, 
    can damage the reputations of the institutions involved, and possibly 
    of the entire banking industry. Under current law, financial 
    institutions are required to report suspicious activities to law 
    enforcement authorities, but are not required to specifically search 
    for suspicious activities. As a result, suspicious activities may go 
    unreported, and illegal activity may go undetected. Know Your Customer 
    programs would better enable financial institutions to alert law 
    enforcement authorities to potential criminal conduct and help deter 
    criminal conduct in the banking industry.
        The FDIC has two primary objectives for this proposed rulemaking: 
    (1) increasing insured nonmember banks' detection and reporting of 
    suspicious customer activities; and, (2) deterring financial crimes at 
    insured nonmember banks.
        The proposed rule would apply to large and small insured nonmember
    
    [[Page 67534]]
    
    banks. Small nonmember banks are generally defined, for Regulatory 
    Flexibility Act purposes, as those with assets of $100 million or less. 
    This proposed rule would apply to approximately 3,950 small insured 
    nonmember banks.
    
    B. Requirements of the Proposed Rule.
    
        The proposed rule would require insured nonmember banks to identify 
    their customers, determine their customers' normal and expected 
    transactions, determine their customers' sources of funds, monitor 
    transactions to find those that are not normal and expected, and, for 
    transactions that are not normal and expected, identify which are 
    suspicious. Insured nonmember banks are required to report any 
    suspicious transactions under current law, and this proposed rule would 
    have no additional reporting requirements.
        The impact of the proposed regulation on a nonmember bank's 
    resources, and the skills necessary to comply with it, will vary from 
    one nonmember bank to another because the proposed regulation is 
    designed to take into account each bank's size and resources. Because 
    each nonmember bank would be able to design an individualized Know Your 
    Customer program, it is difficult to specify the type of professional 
    skills necessary for preparing any required records or reports. Large 
    insured nonmember banks may be more likely to use computerized Know 
    Your Customer programs, and in that event would be more likely to need 
    professional computer skills. Small nonmember banks that choose to 
    automate their Know Your Customer programs would need professional 
    computer skills.
        Know Your Customer monitoring would be similar to monitoring that 
    insured nonmember banks already do. For example, insured nonmember 
    banks monitor customer transactions to ensure that cash transactions 
    exceeding $10,000 are reported under the Bank Secrecy Act, to ensure 
    that customers do not overdraw their accounts, and to ensure that loan 
    payments are accurate and timely. Thus, Know Your Customer monitoring 
    would rely, at least in part, on computer and other skills that insured 
    nonmember bank personnel already have and regularly use.
    
    C. Significant Alternatives
    
    1. No Know Your Customer Requirements
        The FDIC considered recommending Know Your Customer procedures 
    rather than proposing regulatory requirements. The FDIC decided to 
    propose this rulemaking, however, because of the risks that insured 
    nonmember banks face from customers who attempt illegal activities. 
    Illegal activities would harm a nonmember bank's reputation and that of 
    the entire banking industry. Requiring Know Your Customer programs 
    significantly reduces the likelihood that some insured nonmember banks 
    would not establish or adhere to such programs. In addition, because 
    other federal banking agencies are proposing Know Your Customer rules, 
    the FDIC believes that criminals would quickly move their illegal funds 
    transfers into insured nonmember banks without Know Your Customer 
    programs, thus increasing those banks' exposure to illegal activity.
        Moreover, recommending rather than requiring Know Your Customer 
    programs would allow customers to simply refuse to answer appropriate 
    questions about their identities or transactions. If Know Your Customer 
    programs are required, insured nonmember banks can more easily collect 
    the necessary information because customers cannot turn readily to 
    another financial institution free of such requirements.
        For these reasons, merely recommending Know Your Customer programs 
    would interfere with the FDIC's goals of increasing insured nonmember 
    banks' detection and reporting of suspicious customer activities, and 
    deterring financial crimes at insured nonmember banks.
    2. Exemption for Small Nonmember Banks
        The FDIC considered exempting small nonmember banks from Know Your 
    Customer requirements. However, this alternative has the disadvantage 
    of possibly creating a haven for criminal activity. It is likely that 
    criminals would concentrate their activity at those nonmember banks not 
    subject to any Know Your Customer requirements. An exemption for small 
    insured nonmember banks would conflict with the FDIC's goals of 
    increasing insured nonmember banks' detection and reporting of 
    suspicious customer activities and deterring financial crimes at 
    insured nonmember banks.
    3. Flexible Know Your Customer Requirements
        The FDIC is proposing to require that all insured nonmember banks 
    establish and follow Know Your Customer programs, but the proposal will 
    allow each nonmember bank to develop a program appropriate for its 
    circumstances, including but not limited to its size and resources. 
    This approach is preferable to the first two alternatives because it 
    does not allow criminals to choose an insured nonmember bank without 
    Know Your Customer requirements to conduct illegal activities. A 
    flexible alternative also avoids requirements beyond the means of small 
    nonmember banks. Small nonmember banks could use simpler, less costly, 
    and less burdensome programs than larger insured nonmember banks.
    
    D. Other Matters
    
        The FDIC has the statutory authority to promulgate this proposed 
    regulation. There are no federal rules that duplicate, overlap, or 
    conflict with this proposed rule.
        The FDIC encourages comment on all aspects of this IRFA, including 
    comments on any significant economic impact the proposed rule would 
    have on small entities.
    
    Paperwork Reduction Act
    
        In accordance with the Paperwork Reduction Act (44 U.S.C. 3501 et 
    seq.) the FDIC may not conduct or sponsor, and a person is not required 
    to respond to, a collection of information unless it displays a 
    currently valid Office of Management and Budget (OMB) control number. A 
    collection of information contained in this rule and described below 
    has been submitted to OMB for review. Comments on the collection of 
    information should be sent to the desk officer for the FDIC: Alexander 
    T. Hunt, Office of Information and Regulatory Affairs, Office of 
    Management and Budget, New Executive Office Building, Room 3208, 
    Washington, DC 20503. Copies of comments should also be sent to: Steven 
    F. Hanft, FDIC Clearance Officer, Office of the Executive Secretary, 
    Federal Deposit Insurance Corporation, 550 17th Street, NW, Washington, 
    DC 20429, (202) 898-3907. Comments may be hand-delivered to the guard 
    station at the rear of the 17th Street building (located on F Street) 
    on business days between 7:00 a.m. and 5:00 p.m. [Fax number (202) 898-
    3838; Internet address: [email protected]]. For further information on 
    the Paperwork Reduction Act aspect of this rule, contact Steven F. 
    Hanft at the above address. OMB will make a decision concerning the 
    change in the information collection between 30 and 60 days after the 
    publication of this document in the Federal Register. Therefore, a 
    comment to OMB is best assured of having its full effect if OMB 
    receives it within 30 days of this publication. Unless the FDIC 
    publishes a notice to the contrary, the public may assume that the 
    change in the collection
    
    [[Page 67535]]
    
    was approved within 60 days of this publication.
        Comment is solicited on: (i) Whether the proposed collection of 
    information is necessary for the proper performance of the functions of 
    the agency, including whether the information will have practical 
    utility;
        (ii) The accuracy of the agency's estimate of the burden of the 
    proposed collection of information, including the validity of the 
    methodology and assumptions used;
        (iii) The quality, utility, and clarity of the information to be 
    collected; and
        (iv) Ways to minimize the burden of the collection of information 
    on those who are to respond, including through the use of appropriate 
    automated, electronic, mechanical, or other technological collection 
    techniques or other forms of information technology, e.g., permitting 
    electronic submission of responses.
        Title of the collection: The proposed rule will modify an 
    information collection previously approved by OMB titled ``Procedures 
    for Monitoring Bank Secrecy Act Compliance'' under OMB control number 
    3064-0087.
        Summary of the change to the collection: The proposed rule will 
    modify the collection by adding a requirement that each bank develop a 
    written ``Know Your Customer'' program.
        Need and Use of the information: Banks will use the Know Your 
    Customer program to assure that they do not become unwitting 
    participants in illicit activities conducted or attempted by their 
    customers. The FDIC will use the information kept to ensure and monitor 
    compliance with the Bank Secrecy Act.
        Respondents: State nonmember banks (approximately 6,000).
        Estimated annual burden: The majority of the paperwork burden 
    associated with the proposed rule is the one-time cost of developing a 
    plan and implementing written policies and procedures which will occur 
    in the first year of the rule's application to a covered bank. In the 
    normal course of business, most institutions likely already have 
    sufficient information about their customers in their files and would 
    only need to organize and review such information. The FDIC estimates 
    that there will be 6,000 recordkeepers in the first year. In subsequent 
    years, the recordkeepers will consist of newly-chartered institutions 
    subject to the rule. The proposed rule is not expected to significantly 
    increase the ongoing annual burden for the recordkeepers because most 
    of the ongoing burden is incurred in the normal course of their 
    business activities and/or accounted for under other existing 
    information collections including their fraud prevention procedures, 
    their monitoring of transactions for reporting on the Department of the 
    Treasury's Currency Transaction Reports and as part of their procedures 
    to detect violations or suspicious activity reported on the Suspicious 
    Activity Report. Because the records would be maintained at the subject 
    organizations and are not provided to the Board, no issue of 
    confidentiality under the Freedom of Information Act arises.
        Frequency of response: Occasional.
        Number of responses: 6,000.
        Number of hours to prepare a response: 10--30 hours, with an 
    average of 20 hours.
        Total annual burden: 120,000.
    
    List of Subjects in 12 CFR Part 326
    
        Banks, banking, Bank robbery, Bank Secrecy Act, Crime, Currency, 
    Reporting and recordkeeping requirements, Security measures.
    
    Authority and Issuance
    
        For the reasons set forth in the preamble, part 326 of title 12 of 
    the Code of Federal Regulations is proposed to be amended as follows:
    
    PART 326--MINIMUM SECURITY DEVICES AND PROCEDURES AND BANK SECRECY 
    ACT COMPLIANCE
    
        1. The authority citation for part 326 continues to read as 
    follows:
    
        Authority: 12 U.S.C. 1813, 1815, 1817, 1818, 1819[Tenth], 1881-
    1883; 31 U.S.C. 5311-5324.
    
        2. A new subpart C is added to read as follows:
    
    Subpart C--Know Your Customer Compliance
    
    
    Sec. 326.9  Know Your Customer rule.
    
        (a) Purpose. This subpart requires that all insured nonmember banks 
    as defined in 12 CFR 326.1(a) establish and regularly maintain 
    procedures designed to determine the identity of their customers, as 
    well as their customers' normal and expected transactions and sources 
    of funds involving the nonmember bank. These procedures (referred to as 
    the ``Know Your Customer'' program) are intended to: protect the 
    reputation of the nonmember bank; facilitate the nonmember bank's 
    compliance with all applicable statutes and regulations (including the 
    Bank Secrecy Act and the suspicious activity reporting requirements of 
    12 CFR 353.3) and with safe and sound banking practices; and protect 
    the insured nonmember bank from becoming a vehicle for or a victim of 
    illegal activities perpetrated by its customers.
        (b) Definition of customer. For the purposes of this section, 
    customer means:
        (1) Any person or entity who has an account with an insured 
    nonmember bank covered by this subpart involving the receipt or 
    disbursal of funds; and
        (2) Any person or entity on behalf of whom an account is 
    maintained.
        (c) Establishment of Know Your Customer program. Each insured 
    nonmember bank shall develop and provide for the continued 
    administration of a Know Your Customer program by April 1, 2000. The 
    Know Your Customer program shall be reduced to writing and approved by 
    the board of directors (or a committee thereof) with the approval 
    recorded in the official minutes of the board.
        (d) Contents of Know Your Customer program. The Know Your Customer 
    program may vary in complexity and scope according to categories or 
    classes of customers established by the nonmember bank and the 
    potential risk of illicit activities associated with those customers' 
    accounts and transactions.
        (1) Appropriate documentation requirements and due diligence 
    procedures established by the insured nonmember bank to comply with 
    this section.
        (2) A system for:
        (i) Determining the identity of the insured nonmember bank's new 
    customers and, if the nonmember bank has reasonable cause to believe 
    that it lacks adequate information to know the identity of existing 
    customers, determining the identity of those existing customers;
        (ii) Determining the customer's sources of funds for transactions 
    involving the insured nonmember bank;
        (iii) Determining the particular customer's normal and expected 
    transactions involving the insured nonmember bank;
        (iv) Monitoring customer transactions and identifying transactions 
    that are inconsistent with normal and expected transactions for that 
    particular customer or for customers in the same or similar categories 
    or classes, as established by the insured nonmember bank; and
        (v) Determining if a transaction should be reported in accordance 
    with the FDIC's suspicious activity reporting regulations and, if so, 
    reporting accordingly.
        (e) Compliance with Know Your Customer program. The insured 
    nonmember bank shall comply with its Know Your Customer program. To 
    ensure compliance, the nonmember bank shall:
    
    [[Page 67536]]
    
        (1) Provide for and document a system of internal controls;
        (2) Provide for and document independent testing for compliance to 
    be conducted by bank personnel or by an outside party on a regular 
    basis;
        (3) Designate an individual or individuals as responsible for 
    coordinating and monitoring day-to-day compliance; and
        (4) Provide for and document training to all appropriate personnel, 
    on at least an annual basis, of the content and required procedures of 
    the Know Your Customer program.
        (f) Availability of documentation. For all accounts opened or 
    maintained in the United States, each insured nonmember bank must 
    ensure that all information and documentation sufficient to comply with 
    the requirements of this section are available for examination and 
    inspection, at a location specified by an FDIC representative, within 
    48 hours of an FDIC representative's request for such information and 
    documentation. In instances where the information and documentation is 
    maintained at a location other than where the customer's account is 
    maintained or the financial services are rendered, the insured 
    nonmember bank must include, as part of its Know Your Customer program, 
    specific procedures designed to ensure that the information and 
    documentation is reviewed on an ongoing basis by appropriate bank 
    personnel in order to comply with this subpart.
    
        By order of the Board of Directors.
    
        Dated at Washington, D.C. this 27th day of October, 1998.
    
    Federal Deposit Insurance Corporation.
    Robert E. Feldman,
    Executive Secretary.
    [FR Doc. 98-32334 Filed 12-4-98; 8:45 am]
    BILLING CODE 6714-01-P
    
    
    

Document Information

Published: 12/07/1998
Department: Federal Deposit Insurance Corporation
Entry Type: Proposed Rule
Action: Notice of proposed rulemaking.
Document Number: 98-32334
Dates: Comments must be received by March 8, 1999.
Pages: 67529-67536 (8 pages)
RINs: 3064-AC19: "Know Your Customer" Requirements
RIN Links: https://www.federalregister.gov/regulations/3064-AC19/-know-your-customer-requirements
PDF File: 98-32334.pdf
CFR: (1) 12 CFR 326.9