Federal Enactments Impact Privacy and Customer Identification Requirements for New Jersey Banks
Not since the enactment of Gramm-Leach-Bliley, has there been a federal law with more broad-reaching privacy concerns than the USA PATRIOT Act. It has caused a flurry of regulatory activity that may have a significant impact on the operation of New Jersey's financial institutions. Given the delay of federal regulations, banks should be wary of the outcome of the federal regulatory process. Indeed, as is often the case with legislation on the federal level, "the devil is in the details," thus warranting a more thorough analysis of the applicable regulations. However, in many instances cited in this article, the federal regulations are still in the "proposed" phase. So stay tuned!
Privacy Implications USA PATRIOT Act
In October 2001, in response to the September 11, 2001 terrorist attacks, Congress passed the "Uniting and Strengthening America and Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act," commonly known as the USA PATRIOT Act. The provisions impacting financial institutions are largely found in Title III of the Act - the International Money Laundering Abatement and Anti-Terrorist Financing Act - that added provisions to the Bank Secrecy Act and enhanced the powers of the Treasurer to root out money laundering and the financing of terrorism. With these laudable goals in mind (and despite the existence of already broad reporting requirements for financial institutions), the PATRIOT Act gave the Treasurer the power to, among many things, require additional review of large currency transactions; the filing of suspicious activity reports (SARs) by non-financial institutions; and revised provisions concerning the liability for disclosure of SARs. From a privacy perspective, the PATRIOT Act, in Section 326, mandates that the Treasurer "prescribe regulations setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account at a financial institution." These are the minimum new customer identification and verification standards and record-keeping requirements. According to the House Report, use of the term "customers" in this section was intended so that Treasury would take a similar approach to the Gramm-Leach-Bliley Act's financial privacy rules. On May 9, 2003, the Financial Crimes Enforcement Network (FinCEN), OCC, Federal Reserve Board, FDIC, OTS and the National Credit Union Administration (NCUA) jointly adopted a final rule to implement Section 326 of the PATRIOT Act based on regulations originally proposed July 23, 2002. The rule takes effect on June 9, 2003, but financial institutions have until Oct. 1 to comply. The PATRIOT Act requires financial institutions to implement procedures to (1) verify the identity of any person seeking to open an account to the extent reasonable and practicable, (2) maintain records of the information used to verify the identity of the person, and (3) consult lists of known or suspected terrorists. The implementing regulations further require that, in verifying the identity of the person opening the account, banks must seek the person's name, address, date of birth, tax identification number and other identifying information. In order to determine if the person appears on any applicable lists of known or suspected terrorists or terrorist organizations, the banks must consult the lists of known or suspected terrorists supplied to financial institutions by the Office of Foreign Asset Control (OFAC), law enforcement and other regulatory authorities. The verification procedures prescribed by the Department of Treasury make use of information currently typically gathered by most financial institutions in the account opening process. Financial institutions should immediately review the types of accounts maintained, the methods of opening accounts and the types of identifying information available to ensure compliance with the new regulations. Depository institutions are currently required to make reasonable efforts to determine the true identity of all customers requesting an institution's services.
What Do You Mean by That?
Certain definitions are worthy of mention. The term "customer" is defined as any person who opens a new account, including anyone named on a joint account or for someone without legal capacity or who is not a legal person. This would not include a person with an existing account who opens a new account if the bank has a reasonable belief of the person's identity. The definition does not cover other financial institutions, government agencies or publicly traded companies for their domestic operations. As defined, "financial institution" includes state and federally chartered banks, credit unions and trust companies and U.S. offices of foreign banks, but not foreign branches of U.S. banks. The regulation defines "account" as a formal banking or business relationship established to provide or engage in services, dealings or other financial transactions- These include deposit transactions, credit accounts, cash management, custodian and trust services. Commenters on the proposed regulations questioned whether the definition of account applied to isolated transactions (i.e., sales of traveler's checks, stored value cards, leasing of safe deposit boxes), but Treasury clarified those instances found not to be an account: check cashing, wire transfer, sale of money orders or accounts acquired in a merger, acquisition or purchase of assets, or accounts opened to participate in an employee benefit plan.
The Customer Identification Program
The PATRIOT Act regulations outline the minimum requirements for a Customer Identification Program (CIP) that must be established by financial institutions. The CIP must be in writing, tailored to the size and business type of the institution, and approved by the institution's board of directors or a committee of the board of directors. The program should be incorporated into the institution's anti-money laundering (AML) program. The CIP must use "risk based" procedures to verify customers' identities, i.e. the institution must reasonably believe it has identified the customer, to the extent reasonable and practicable. The federal regulatory agencies plan to issue guidance on how to treat non-matching information provided by a customer, but the CIP must contain information as to when the institution will not open an account, the terms under which an individual can use the account while being verified, when it will close an account and when it will file a SAR. The CIP must also specify the verification policy in the product description and policy on signatories. The record-keeping provisions require that records of the identifying information, description of documents relied upon, methods of non-documentary verification and resolution of discrepancies must be kept for five (5) years after the account is closed (for the identifying information) and from the date the information is obtained for all other descriptions. Even though the rule does not require financial institutions to keep copies of verification documents, Treasury officials have suggested that financial institutions determine for themselves whether to retain copies of verification documents as part of their "risk-based" determinations. Financial institutions will also have to provide adequate notice (oral, written, lobby notice) to their customers about section 326, which may include a lobby poster, training employees, website, or information on the account application. The rule includes a sample notice that provides:
"Important Information About Procedures For Opening a New Account To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify and record information that identifies each person who opens an account. What this means for you: when you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver's license or other identifying documents."
Treasury regulations concerning SARs, AML program and due diligence policies were finalized, at least on an interim basis, on July 1 and July 23, 2002, respectively. The Department of Treasury and FinCEN recently proposed three rules to expand the AML regulations to commodity trading advisors, and securities investment advisers and filing of SARs by futures commission merchants. Several other sets of regulations were proposed, some of which Treasury already adopted, to implement the various goals of the PATRIOT Act. The PATRIOT Act also contains several other noteworthy provisions. Financial institutions are required to maintain AML programs that must include at least a compliance officer, an employee training program, the development of internal policies, procedures and controls, and an independent audit feature. The PATRIOT Act allowed law enforcement to subpoena an Internet or communication service provider's customer records to obtain credit card and bank account numbers. Financial institutions and law enforcement are encouraged to share information concerning suspected money laundering and terrorist activities. The PATRIOT Act also codified in statute the Financial Crimes Enforcement Network (FinCEN) as a bureau within the federal Department of Treasury. FinCEN is required to develop a highly secure network to allow financial institutions to file SARs and other reports electronically and to provide alerts to financial institutions concerning the implementation of money laundering protective measures. FinCEN also published an advance notice of proposed rulemaking regarding the AML program requirements for persons involved in real estate closings and settlements. Further, U.S. financial institutions are required to respond to bank regulatory authorities' requests for AML records (within 120 hours) and to Justice or Treasury Department subpoenas or summons for records concerning foreign deposits (within 7 days).
Money Laundering Provisions
Another major section of the PATRIOT Act gives the Treasurer the power to issue regulations and orders, in consultation with other regulatory agencies, to require certain financial institutions to take special measures and exercise due diligence to combat money laundering. Such institutions include those outside the United States and in particular jurisdictions, with certain types of accounts and transactions that may have money laundering issues. According to a Congressional Research Services Report, these "special" measures may require U.S. financial institutions to: maintain records and submit additional reports relating to participants in foreign financial transactions with which they are involved; secure beneficial ownership information with respect to accounts maintained for foreign customers; adhere to "know-your-customer" requirements concerning foreign customers who used "payable-through accounts" held by the U.S. entity for foreign financial institutions; keep identification records on foreign financial institutions' customers whose transactions are routed through the foreign financial institution's correspondent accounts with the U.S. financial institution; and honor limitations on correspondent or payable-through accounts maintained for foreign financial institutions. The PATRIOT Act gives the Treasurer the power to issue regulations to prevent a financial institution from allowing its customers to conceal their financial activities by taking advantage of the institution's "concentration account" practices. While the term "concentration accounts" is not defined, the House Report indicates that this was designed "to ensure that these accounts are not used to prevent association of the identity of an individual customer with the movement of funds of which the customer is the direct or beneficial owner." The regulations should "prohibit financial institutions from allowing clients to direct transactions into, out of, or through the concentration accounts of the institution; prohibit financial institutions and their employees from informing customers of the existence of, or means of identifying, the concentration accounts of the institution; and to establish written procedures governing the documentation of all transactions involving a concentration account."