WikiLeaks Document Release http://wikileaks.org/wiki/CRS-RS21547 February 2, 2009 Congressional Research Service Report RS21547 Financial Institution Customer Identification Programs Mandated by the USA PATRIOT Act M. Maureen Murphy, American Law Division September 27, 2004 Abstract. The USA PATRIOT Act, P.L. 107-56, section 326, 31 U.S.C. Section 5318(1), requires the Secretary of the Treasury to prescribe minimum standards for financial institutions to use in verifying the identify of customers opening new accounts. The 9/11 Commission Report included some information about the use of bank accounts by terrorists and raised questions about further sharing of information among government agencies, and the use of biometric identifiers for foreign travelers, that may eventually have an impact on the CIP program. Related CRS reports include CRS Report RL32094, Consular Identification Cards: Domestic and Foreign Policy Implications, the Mexican Case, and Related Legislation; CRS Report RS21627, Implication of the Vienna Convention on Consular Relations Upon the Regulation of Consular Identification Cards; CRS Report RL31377, The USA PATRIOT ACT: A Legal Analysis; CRS Report RL31208, The International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001, Title III of P.L. 107-56 (USA PATRIOT Act); and CRS Report RS21032, Money Laundering: Current Law and Proposals. Order Code RS21547 Updated September 27, 2004 CRS Report for Congress Received through the CRS Web Financial Institution Customer Identification Programs Mandated by the USA PATRIOT Act M. Maureen Murphy Legislative Attorney American Law Division Summary http://wikileaks.org/wiki/CRS-RS21547 Under the USA PATRIOT Act, P.L. 107-56, section 326, 31 U.S.C. § 5318(l), the Secretary of the Treasury has prescribed minimum standards for banks, savings associations, credit unions, and securities firms to establish Customer Identification Programs (CIPs). To open a new account, U.S. individuals must provide a social security number and non-U.S. persons, a government issued identification with a photograph. The required information must be verified either by documents, such as driver's licenses, or by non-documentary means, such as inquiring with a credit reporting agency. The institutions are to cross-check names of new account holders against lists of terrorists and suspected terrorists that the federal government will provide. The regulations permit financial institutions to rely on photograph-bearing- foreign-government-issued documents, such as the matricula consular, issued by the Mexican government, to identify new account-holders. Acceptance of the matricula consular, issued by the Mexican government, would be authorized under H.R. 773 and precluded by H.R. 3674. The 9/11 Commission Report included some information about the use of bank accounts by terrorists and raised questions about further sharing of information among government agencies, and the use of biometric identifiers for foreign travelers, that may eventually have an impact on the CIP program. This report will be updated as legislative developments warrant. Related CRS reports include CRS Report RL32094, Consular Identification Cards: Domestic and Foreign Policy Implications, the Mexican Case, and Related Legislation; CRS Report RS21627, Implication of the Vienna Convention on Consular Relations Upon the Regulation of Consular Identification Cards; CRS Report RL31377, The USA PATRIOT ACT: A Legal Analysis; CRS Report RL31208, The International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001, Title III of P.L. 107-56 (USA PATRIOT Act); and CRS Report RS21032, Money Laundering: Current Law and Proposals. Customer Identification Programs (CIPs). On May 9, 2003, 68 Fed. Reg. 25090, Treasury's Financial Crimes Enforcement Network, (FinCEN), together with Congressional Research Service ~ The Library of Congress CRS-2 federal banking1 and securities2 industry regulators, issued customer identification rules under section 326 of the USA PATRIOT Act, 31 U.S.C. § 5318(l). Section 326 of the USA PATRIOT Act requires that these regulations prescribe minimum procedures for financial institutions to use and their customers, after reasonable notice, to comply with, to verify the identity of new account holders "to the extent reasonable and practicable." It also requires financial institutions to maintain records thereof; and, to consult "lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency to determine whether a person seeking to open an account appears on any such list." 31 U.S.C. §§ 5318(l)(2). The law further provides that the federal regulators may exempt any financial institution or type of account from the requirements under section 326 in accordance with standards and procedures prescribed by the Secretary. The rules issued on May 9, 2003, apply to certain financial institutions covered by the anti-money laundering laws.3 They apply to banks, credit unions, savings associations, broker-dealers, mutual funds, futures commission merchants and introducing brokers, and certain non-federally regulated banking organizations. They require them http://wikileaks.org/wiki/CRS-RS21547 to institute, as part of their anti-money laundering or Bank Secrecy Act (BSA)4 programs, customer identification programs (CIPs) to verify the identity of customers opening accounts and cross check the information with government lists of terrorists and terrorist organizations. FinCEN has proposed or issued rules requiring the establishment of anti-money laundering programs by: persons involved in real estate closings and settlements, 68 Fed. Reg. 17569 (April10, 2003); dealers in precious metals, stones, or jewels, 68 Fed. Reg. 8481 (February 21, 2003); travel agencies, 68 Fed. Reg. 8571 (February 24, 2003); businesses engaged in vehicle sales, 68 Fed. Reg. 8568 (February 24, 2003); insurance companies, 67 Fed. Reg. 60625 (September 26, 2002); unregistered investment companies, 67 Fed. Reg. 60617 (September 26, 2002); and money services businesses, 67 Fed. Reg. 21114 (April 29, 2002); and operators of credit card systems, 67 Fed. Reg. 21121 (April 29, 2002). At this time, none of these require CIPs. Should CIPs be required of them, regulations will be issued by FinCEN. All of FinCEN's regulations and issuances may be consulted at its website, [http://www.fincen.gov /reg_bsaregulations.html]. 1 Office of the Comptroller of the Currency (12 C.F.R. Part 21); Federal Reserve System (12 C.F.R. Parts 208 and 21); Federal Deposit Insurance Corporation (12 C.F.R. Part 326); Office of Thrift Supervision (12 C.F.R. Part 563); and National Credit Union Administration (12 C.F.R. Part 748). 2 On May 9, 2003, jointly with FinCEN, the Securities and Exchange Commission issued rules requiring customer identification programs for broker-dealers, 68 Fed. Reg.25113, for mutual funds, 58 Fed.Reg. 25113. Also on May 9, 2003, jointly with FinCEN, the Commodity Futures Trading Commission issued rules for futures commission merchants and introducing brokers, 68 Fed. Reg. 25149. 3 "Financial institution" is defined to include casinos, card clubs, and telegraph companies. 31 C.F.R. § 103.11(n). 4 12 U.S.C. §§ 1829b and 1951 - 1959, and 31 U.S.C. §§ 5311 - 5322. CRS-3 Verification of Identity of Customers Opening Accounts. The section 326 rules require each covered financial institution, by October 1, 2003, to implement a Customer Identification Program (CIP) to verify the identity of individuals and other legal persons, such as corporations, partnerships, trusts, associations, and foreign governments, that establish a formal banking relationship or open a new account. After October 1, 2003, anyone opening a new deposit account, establishing a new line of credit or loan, contracting for a safety deposit box or for asset, cash, or trust management services will be required to provide certain means of identification. The institution will also have to outline a means of verifying the information. It must also specify procedures for refusing to open an account, limiting account operations while verification of identity is undertaken, closing an account when identity cannot be reasonably verified, and filing reports of suspicious activity.5 The verification procedures do not apply to non-customers who cash checks or purchase money orders, checks, or wire transfers. Nor do they apply to existing customers who open new accounts or loans, provided the institution has a reasonable belief that it knows the customer's true identity. To verify the identity of new customers, an institution must obtain certain information: Minimum Requirements for CIP for Verifying Identity http://wikileaks.org/wiki/CRS-RS21547 Individuals­U.S. Persons Name, date of birth, residential or business street address, and taxpayer identification number. Individuals­Non-U.S. Persons Name, date of birth, residential or business street address, and one or more of the following: taxpayer identification number, passport number and country of issuance; alien identification card number, or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or other safeguard. Persons other than Individuals Principal place of business, local office, or (Corporations, Trusts, Partnership, other physical location, and taxpayer Associations, etc.) identification number (if U.S. person). For non-U.S. person having no tax payer identification number, bank must request alternative government-issued documentation certifying the existence of the business enterprise. There are specifications allowing for some circumstances in which one or more of these requirements is not possible. For instance, military personnel may use military post office boxes in lieu of a street address; persons who have applied for taxpayer identification numbers may present evidence of the application. Trusted third party sources, such as consumer reporting agencies, may be used to obtain information 5 31 C.F.R. § 103.21. The authority to require suspicious activity reports derives from 31 U.S.C. § 5314(h), authorizing the Secretary of the Treasury to require financial institutions to report suspicious transactions, originally enacted as section 1518 of the Housing and Community Development Act of 1992, P.L. 102-550, 106 Stat. 3672, 4059. CRS-4 necessary for opening credit card accounts, thus, permitting continuance of the current practice of doing this by telephone or at the point of sale. The comments accompanying the promulgation of the regulations specifically noted that although date of birth and taxpayer identification number (i.e., social security number­for U.S. individuals) are required before any account is opened, for credit card accounts, it is not necessary for the customer to provide them directly. In that situation, they may be obtained from trusted third parties, such as consumer reporting agencies.6 In all circumstances, however, the institution's program must set forth procedures for verifying the identification, either through examination of such documents as passports or driver's licenses or certified articles of incorporation, or by non-documentary means.7 Non-documentary means could include contacting a customer, comparing information with information obtained from a consumer reporting agency, or checking references. CIPs must also include procedures to deal with situations in which the customer cannot produce the required documentary evidence and must specify when the bank should not open an account or terms under which a customer may have an account pending verification of identity. In opening an account for an entity such as a corporation, association, or partnership, a financial institution is not required to obtain identifying information for every person http://wikileaks.org/wiki/CRS-RS21547 having signature authority or control over such an account, but it must have procedures for assessing the risks involved and obtaining the needed information in view of the associated risks. Under the program, the institutions are not required to keep copies of the documents accepted for verifying identity. They must retain a record of the information obtained and a description of the documents and methods used to identify the customer and retain them for five years beyond the closing of the account. Cross-Checking Names of New Account Holders with Terrorist Lists. The regulation also specifies that the customer identification program must include procedures for determining whether the customer appears on lists of known or suspected terrorists or terrorist organizations issued by any federal agency within a reasonable time. In issuing the rules, the agencies noted that although no such lists have yet been circulated, banks and other regulated financial institutions have long been obliged to comply with sanctions against designated foreign countries, foreign nationals, and foreign terrorists under various laws and regulations administered by Treasury's of Office Foreign Assets Control, 31 C.F.R., Part 500,8 that prohibit certain financial transactions and include lists that must be cross-checked. Banks must have procedures in place to identify and block transactions with OFAC's periodically updated list of Specially Designated Nationalists and Blocked Persons9 under regulations specifying Special Information Sharing Procedures to Deter Money Laundering and Terrorism, 31 C.F.R. Part 100, issued on September 25, 2002,10 and, under section 314(a) of the USA PATRIOT Act, 31 U.S.C. § 5311. Note, moreover, banking institutions are required to search for names on 6 An account may also be opened for a customer, individual or entity, that produces evidence of having applied for a tax payer identification or an employer identification number. 7 The required information must be verified either by documents, such as driver's licenses, or by non-documentary means, such as inquiring with a credit reporting agency 8 See OFAC's summary: [http://www.treas.gov/offices/eotffc/ofac/sanctions/index.html]. 9 [http://www.treas.gov/offices/eotffc/ofac/sdn/index.html]. 10 67 Fed. Reg. 60519. CRS-5 lists of possible terrorists and money launderers issued by FinCEN. If there is a match with a name in the bank's files, FinCEN is to be informed of the fact and provided with the name of a contact person at the bank. Cost of Compliance. In analyzing the cost of instituting CIPs under section 326, the federal agencies determined that the effect of this regulatory regime would not add a significant burden to the covered institutions, including the small banks. In reaching this conclusion, the agencies considered the fact that other requirements of the anti-money laundering laws and regulations have, along with prudent risk avoidance practices, already motivated the institutions to install programs to identify customers. The financial services industry may have another view of the accumulated cost of complying with the CIP requirement and other requirements of the array of federal regulations promulgated under the anti-money laundering laws and the USA PATRIOT Act. On June 9, 2003, for example, the American Bankers Association issued the results of its survey of banking companies with respect to cost and attitude toward complying with various federal regulations. The survey is titled, The Nationwide Bank Compliance Officer Survey. Top costs in the compliance area are assigned to complying with Bank Secrecy Act, anti- money laundering and OFAC regulations. http://wikileaks.org/wiki/CRS-RS21547 Treasury's Request for Comments on Retaining Photocopies of Documents Verifying Identity of Foreign Nationals. On September 17, 2003,11 the Treasury Department announced that institutions must have customer identification programs in place as originally scheduled in the final regulations; no changes were required by the results of its July 1, 2003, request for comments on: (1) whether the institutions should retain photocopies of the documents used to verify identity and (2) whether there are circumstances under which the regulations should preclude reliance on certain forms of foreign government-issued identification documents. Essentially, this request for comments revived issues that were presumed settled when the final rules were issued on May 9, 2003. As originally proposed, the regulations would have required institutions to keep copies of documents used to verify identity. This requirement was eliminated because of the number of comments calling it "overly burdensome." 68 Fed. Reg. 25090, 25101. The July 1, 2003, notice sought information on whether photocopying documents is necessary in all cases or some and whether there should be regulations regarding risk factors indicating the necessity of retaining photocopies. It also specifically sought input from law enforcement, as well as the financial services industry. This may indicate a heightened awareness of the potential importance of copies of identifying photographs of new customers to law enforcement investigators. 68 Fed. Reg. 39039. The issue of what documentation is to be required of non-U.S. persons was also considered earlier. In its report to Congress on customer identification requirements for foreign nationals, [http://www.treas.gov/press/releases/reports/sec326breport.final.pdf], as required under section 326(b) of the USA PATRIOT Act, 115 Stat. 272, 315, Treasury recommended, that, because of the lack of a single, reliable system for verifying the identity of foreign nationals opening accounts, financial institutions be given flexibility in choosing reasonable means of verifying identity. This would mean that they be required to make reasonable efforts to verify identity but be permitted to rely on existing information and documents, including the matricula consular. The matricula consular 11 68 Fed. Reg. 55335 (September 25, 2003). CRS-6 is a card, carrying an identifying photograph, issued to Mexican nationals by Mexican consulate offices in the United States and used to open bank and credit union accounts with U.S. financial institutions. Essentially, the approach taken in the final regulations, issued on May 9, 2003, follows the recommendations of the earlier report to Congress. On May 23, 2003, the House Judiciary's Subcommittee on Immigration, Border Security, and Claims held hearings on "the Issuance, Acceptance, and Reliability of Consular Identifying Cards," [http://www.house.gov/judiciary/immigration.htm]. House Judiciary Committee Chairman Sensenbrenner, directed letters to the Departments of the Treasury, Homeland Security, and Justice, objecting to the elimination of the requirement for maintaining copies of verification documents and to the authorization of matricula consular to verify identity.12 The letter informed the agencies that Committee staff were conducting an investigation of the use of documents such as the matricula consular and asked that implementation of the regulations be delayed for six months. The 9/11 Commission Report. Although 9/11 Commission Report made no direct reference to the CIP program, some of its findings and recommendations may eventually require reassessing the CIP regulations. The Commission noted that hijackers http://wikileaks.org/wiki/CRS-RS21547 used U.S. banks extensively. They opened accounts in their own names and gave bank employees, some of whom filled in the Social Security number slot with a visa number or date of birth, no cause to file suspicious activity reports.13 Legislation. H.J.Res. 58, disapproves of the customer identification rules issued under section 326(a) of the USA PATRIOT Act; H.R. 773 amends section 326(a) to authorize financial institutions to accept the matricula consular, issued by the Mexican government, as a valid form of identification; and H.R. 3674 prohibits financial institutions from using any form of identification issued by a foreign government other than a passport to verify the identity of a person opening an account. By roll call vote no. 452, on September 14, 2004, the House approved an Oxley, Frank, Kolbe amendment to H.R. 5025, the FY2005 Transportation/Treasury appropriations bill, to remove a provision that would have prohibited the Department of the Treasury from using funds to enforce the regulatory provisions that permit the use of the matricula consular as identification. H.R. 10, H.R. 4104, H.R. 5024, H.R. 5040, S. 2774, and S. 2811, which are among the bills introduced since the 9/11 Commission Report, address certain matters recommended by the Commission14 that may have an impact on the CIP program. Each of these bills covers at least one of the following: biometric screening of international travelers; federal standards for identification documents, such as birth certificates and driver's licenses; and, Presidentially determined guidelines for information sharing among government agencies and by the agencies with the private sector. 12 Richard Crowden, "Banking Groups Object to Treasury Inquiry into Possible Changes in Customer ID Rules," 127 Daily Report for Executives A-23 (July 2, 2003). 13 Final Report of the National Commission on Terrorist Attacks on the United States (Official Government Edition 237, 528, n. 116 (2004)). [http://www.gpoaccess.gov/911/] 14 Id., at 387-394.