[Federal Register Volume 63, Number 234 (Monday, December 7, 1998)]
[Proposed Rules]
[Pages 67524-67529]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 98-32333]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF THE TREASURY
Office of the Comptroller of the Currency
12 CFR Part 21
[Docket No. 98-15]
RIN 1557-AB66
``Know Your Customer'' Requirements
AGENCY: Office of the Comptroller of the Currency, Treasury (OCC).
ACTION: Notice of proposed rulemaking.
-----------------------------------------------------------------------
SUMMARY: The OCC is proposing to issue a regulation requiring national
banks to develop and maintain ``Know Your Customer'' programs. As
proposed, the regulation would require each bank to develop a program
designed to determine the identity of its customers; determine its
customers' sources of funds; determine the normal and expected
transactions of its customers; monitor account activity for
transactions that are inconsistent with those normal and expected
transactions; and report any transactions of its customers that are
determined to be suspicious, in accordance with the OCC's existing
suspicious activity reporting regulation. By requiring banks to
determine the identity of their customers, as well as to obtain
knowledge regarding the legitimate activities of their customers, the
proposed regulation will reduce the likelihood that banks will become
unwitting participants in illicit activities conducted or attempted by
their customers.
[[Page 67525]]
DATES: Comments must be received by March 8, 1999.
ADDRESSES: Comments should be directed to: Communications Division,
Office of the Comptroller of the Currency, 250 E Street, SW,
Washington, DC 20219, Attention: Docket No. 98-15. Comments will be
available for public inspection and photocopying at the same location.
In addition, comments may be sent by fax to (202) 874-5274, or by
electronic mail to [email protected].
FOR FURTHER INFORMATION CONTACT: Robert Pasley, Assistant Director,
Enforcement and Compliance Division (202) 874-4879; Thomas Fleming,
Compliance Specialist (202) 874-4879, or Susan Quill, Compliance Expert
(202) 874-4879, Community and Consumer Policy; or Mark Tenhundfeld,
Assistant Director, Legislative and Regulatory Activities Division
(202) 874-4879.
SUPPLEMENTARY INFORMATION:
Background
The integrity of the financial sector depends on the ability of
banks and other financial institutions to attract and retain legitimate
funds from legitimate customers. Banks are able to attract and retain
the business of legitimate customers because of the quality and
reliability of the services being rendered and, as important, the sound
and highly respected reputation of banks. Illicit activities, such as
money laundering, fraud, and other transactions designed to assist
criminals in their illegal ventures, pose a serious threat to the
integrity of banks. When transactions at banks involving illicit funds
are revealed, these transactions invariably damage the reputation of
the banks involved. While it is impossible to identify every
transaction at a bank that is potentially illegal or is being conducted
to assist criminals in the movement of illegally derived funds, it is
fundamental for safe and sound operations that banks take reasonable
measures to identify their customers, understand the normal and
expected transactions typically conducted by those customers, and,
consequently, identify those transactions conducted by their customers
that are suspicious in nature. By identifying and, when appropriate,
reporting such transactions in accordance with existing suspicious
activity reporting requirements, banks are protecting their integrity
and are assisting the efforts of the bank regulatory agencies and law
enforcement authorities to combat illicit activities at financial
institutions.
One of the most effective means by which a bank can both protect
itself from engaging in transactions designed to facilitate illicit
activities and ensure compliance with applicable suspicious activity
reporting requirements is for the bank to have adequate Know Your
Customer policies and procedures. By knowing its customers, a bank is
both better able to serve the legitimate needs of its customers and to
fulfill its compliance responsibilities, including its Bank Secrecy Act
and suspicious activity reporting requirements.
Recognizing that a Know Your Customer program for one bank will not
necessarily be appropriate for another, the proposed regulation focuses
on the basic components that the OCC believes should be contained in
any Know Your Customer program. In supplemental guidance to be provided
at the time this regulation becomes final, the OCC will provide further
information about specific steps that banks may consider taking to
ensure that their Know Your Customer programs comport with the
regulations. The OCC believes that this approach strikes an appropriate
balance that responds to requests for additional guidance in this area
while preserving the flexibility for each bank to take steps
appropriate for the size and complexity of its business.
Privacy Issues
The proposed regulation requires banks to gather information about
customers that, if misused, could result in an invasion of a customer's
privacy. Accordingly, it is the OCC's expectation that, in complying
the Know Your Customer regulation, a bank will obtain only that
information that is necessary to comply with the regulation and will
limit the use of this information to complying with the regulation.
Financial institutions need to safeguard and handle responsibly the
information gathered in connection with complying with these
obligations, and should integrate comprehensive privacy practices into
their Know Your Customer programs.
Authority to Issue Regulation
The proposed regulation is authorized pursuant to the OCC's
statutory authority under section 8(s)(1) of the Federal Deposit
Insurance Act (12 U.S.C. 1818(s)(1)), as amended by section 2596(a)(2)
of the Crime Control Act of 1990 (Pub. L. 101-647), which mandates that
the OCC issue regulations requiring banks under its supervision to
establish and maintain internal procedures reasonably designed to
ensure and monitor compliance with the Bank Secrecy Act. Effective Know
Your Customer programs serve to facilitate compliance with the Bank
Secrecy Act.
Proposal
The OCC proposes to revise 12 CFR Part 21 by requiring national
banks to develop and implement Know Your Customer programs. Under the
proposed regulation, the OCC would expect each bank to design a program
that is appropriate given the bank's size and complexity, the nature
and extent of its activities, its customer base and the levels of risk
associated with its various customers and their transactions. The OCC
believes that this approach is preferable to a detailed regulation that
imposes the same list of specific requirements on every bank regardless
of its circumstances.
Each of the other Federal bank supervisory agencies is proposing to
adopt Know Your Customer regulations covering state member and
nonmember banks, state-chartered branches and agencies of foreign
banks, and savings associations.1 The OCC also has been
discussing with the Federal regulators of non-bank financial
institutions, such as broker-dealers, the need to propose similar rules
governing the activities of these non-bank institutions.
---------------------------------------------------------------------------
\1\ As of the date this proposed rule was signed, the National
Credit Union Administration was still reviewing the issue of whether
to adopt a regulation that would create similar Know Your Customer
obligations for credit unions.
---------------------------------------------------------------------------
Section-by-Section Analysis
The OCC proposes to add a new Sec. 21.22. The various components of
the Know Your Customer rule are summarized below.
Purpose and scope (Sec. 21.22(a))
The purposes of adopting a Know Your Customer program are to
protect the reputation of the bank; to facilitate the bank's compliance
with all applicable statutes and regulations (including the Bank
Secrecy Act and the OCC's suspicious activity reporting regulations)
and with safe and sound banking practices; and to protect the bank from
becoming a vehicle for, or a victim of, illegal activities perpetrated
by its customers. The rules apply, as a general matter, to all national
banks. However, the rules do not apply to credit card banks, bankers'
banks, or other banks that operate solely to service the activities of
their affiliates. The OCC recognizes that certain banks operate solely
to service the activities of their affiliates or other banks and, in so
doing, do not interact in any manner with any public customers. The OCC
does not intend the proposed regulation
[[Page 67526]]
to impose any requirements on those banks.
The rules also apply to all Federal branches or agencies of foreign
banks licensed or chartered by the OCC. The OCC expects U.S. banks to
implement Know Your Customer systems in their overseas branches that
are equivalent to those that they have in the United States in order to
minimize the risk to the bank posed by illegal activities in the
overseas branches.
Definition of Customer (Sec. 21.22(b))
The proposed regulation defines the term ``customer'' as any person
or entity who has an account involving the receipt or disbursal of
funds with an institution covered by this regulation and any person or
entity on behalf of whom an account is maintained. If, for instance, a
bank knows that an account is opened on behalf of a third party, the
bank will need to treat as a customer both the person or entity opening
the account and the person or entity for whom the account is opened.
The regulation applies to deposit accounts, loan accounts, and any
other type of account involving the receipt or disbursal of funds. It
does not include, for instance, transactions such as renting safe
deposit boxes.
Except for the provisions regarding identifying customers (see the
discussion of paragraph (d)(2)(i) of the proposed rule, below) the
proposed regulation does not differentiate between current customers
and new customers. The effectiveness of a bank's Know Your Customer
program would be greatly reduced if all customer accounts in existence
prior to the effective date of the regulation were excluded from its
scope. However, the OCC does not believe that it is practicable for a
bank to conduct a large-scale information request from all its existing
customers. Rather, a bank may comply with the proposed regulation with
respect to its current customers by determining their normal and
expected transactions using available account data and monitoring their
transactions for suspicious activities. However, depending on the
nature of the risk associated with some customers and their
transactions (for instance, transactions involving private banking
customers), it may be necessary to fulfill all of the requirements of
this regulation as if they were new customers.
Establishment of Know Your Customer Program (Sec. 21.22(c))
This section requires that each bank establish a Know Your Customer
program by April 1, 2000. Additionally, this section requires that the
Know Your Customer program be reduced to writing and approved by the
board of directors of the bank, or a committee thereof, and the
approval recorded in the official minutes of the board.
Contents of Know Your Customer Program (Sec. 21.22(d))
This section sets forth the specific requirements for the contents
of the Know Your Customer program. As previously noted, the OCC
believes that to impose a regulation that requires each bank to follow
a pre-designed, standardized checklist would not be appropriate. The
proposed regulation thus allows each bank to develop and delineate a
system that will comprise the Know Your Customer program, consistent
with the banking practices of the particular bank that, when followed
by the bank, will effectively meet the requirements and goals of the
regulation.
Section 21.22(d) reflects the OCC's recognition that each bank's
Know Your Customer program may vary depending on the nature of the
specific activity, the type of customers involved, the size of the
transactions, and other factors that reflect the bank's assessment of
the risk presented. In complying with this section, it may be
beneficial for banks to classify customers into varying risk-based
categories that the banks can use in determining the amount and type of
information, documentation and monitoring that is appropriate. While
the proposed regulation will provide banks with substantial flexibility
in devising an appropriate Know Your Customer program, the OCC believes
that all Know Your Customer programs should contain certain critical
features, which are discussed below.
Documentation and Due Diligence
Paragraph (d)(1) of Sec. 21.22 requires that the Know Your Customer
program delineate acceptable documentation requirements and due
diligence procedures the bank will follow in meeting the requirements
of the proposed regulation. The delineation of this information in the
Know Your Customer program will ensure that the same standards are
applied throughout the bank and will inform auditors and examiners of
the bank's established standards for review of customer information.
Minimum Steps to Take to Comply With the Know Your Customer Rule
Paragraph (d)(2) of Sec. 21.22 sets forth the steps a bank needs to
take in order to know its customers. These steps are discussed below.
Identify the customer. Paragraph (d)(2)(i) requires that the Know
Your Customer program provide a system for determining the identity of
new customers. If a bank has reasonable cause to believe that it lacks
sufficient information to know the identity of an existing customer,
paragraph (d)(2)(i) also requires that the program provide a system for
determining the identity of that customer.
It is imperative that a bank establish, to its own satisfaction,
that it is dealing with a legitimate customer, whether the customer is
a natural person, corporation, or other business entity. The nature and
extent of the identification process should be commensurate with the
types of transactions anticipated by the customer and the risks
associated with such transactions. If a bank is unable to establish the
identity or legitimacy of the customer, sound practices require that
the bank not open the account (or terminate the account if the bank
lacks adequate information to know the identity of an existing customer
and is unable to obtain the information).
The best identification documents for verifying the identity of
prospective customers are the ones that are the most difficult to
obtain illicitly and the most difficult to counterfeit. No single form
of identification can be guaranteed to be genuine, however. Therefore,
the identification process should be cumulative, obtaining enough
information and documentation to assure the bank that it has adequately
identified the prospective customer. For individual accounts, this
might include, for instance, a photograph and signature of the
individual. For corporate or business customers, the customer
identification process could include the review of appropriate
documentation that allows for a means to verify that the corporation or
other business entity does exist and does engage in the business, as
stated. All documentation reviewed, as well as verifications of the
information contained therein, should be recorded and maintained by the
bank.
Any practice of a bank that allows for the establishment of a
customer relationship without face-to-face contact with bank personnel,
such as banking by mail or Internet banking, poses difficulties in the
identification of the prospective customer by use of the traditionally
accepted practice of obtaining photographic identification. Even though
photographic identification in such circumstances will be impractical,
other accepted means of identifying a customer are still viable. In
such circumstances, special care should
[[Page 67527]]
be given to verification of address and telephone number.
If a bank offers private banking services, it is important that the
bank understand a customer's personal and business background, source
of funds, and intended use of the private banking services. Typically,
private banking customers are clients of financial advisors or make use
of account vehicles such as personal investment companies, trusts, and
personal mutual investment funds. The establishment of such accounts
protects the legitimate confidentiality and financial privacy of the
customers who use such accounts. However, banks need to identify
properly the beneficial owners of such accounts in order to have an
effective Know Your Customer program. Any needed confidentiality
required by customers of a bank's private banking department can be
addressed by the development of special protections to limit access to
information that would generally reveal the beneficial owners of those
accounts.
Introductions or referrals of prospective customers by established
customers of the bank, while extremely valuable in providing background
information about the prospective customer, cannot take the place of
identification requirements that should be set forth in the bank's Know
Your Customer program. Details regarding the introduction or referral
should be documented so that the information obtained can be
effectively used to assist in the verification of the prospective
customer.
Determine the source of funds. Paragraph (d)(2)(ii) requires that
the Know Your Customer program provide a system for determining the
source of a customer's funds. The amount of information needed to do
this can depend on the type of customer in question. As an example, if
a retail banking customer maintains demand deposit accounts funded
primarily from payroll deposits, it should be a relatively simple task
to identify and document the source of funds as payroll deposits. On
the other hand, a more detailed analysis, with a more extensive
documentation process, would be required for high net worth customers
with multiple deposits from a variety of sources. For these reasons,
among others, it may be beneficial for banks to classify customers into
varying categories, based on factors such as the types of accounts
maintained, the types of transactions conducted, and the potential risk
of illicit activities associated with such accounts and transactions.
Banks could then develop procedures to obtain necessary information and
documentation based on the risk assessment for the various categories
or classes established by a bank.
Determine normal and expected transactions. Paragraph (d)(2)(iii)
requires that the Know Your Customer program provide a system for
determining a customer's normal and expected transactions involving the
bank. Without this information, a bank is unable to identify suspicious
transactions. A bank's understanding of a customer's normal and
expected transactions should be based on information obtained both when
an account is opened and during a reasonable period of time thereafter.
It also should be based on normal transactions for similarly situated
customers.
Monitor the account transactions. Paragraph (d)(2)(iv) requires
that the Know Your Customer program provide a system for monitoring, on
an ongoing basis, the transactions conducted by customers and
identifying transactions that are inconsistent with the normal and
expected transactions for particular customers or for customers in the
same or similar categories or classes. The proposed regulation does not
require that every transaction of every customer be reviewed. Rather,
it requires that a bank develop a monitoring system that is appropriate
for the risks presented by the accounts maintained at that bank.
In designing a monitoring system, a bank may choose to classify
accounts into various categories based on factors such as the type and
size of account, the types, number, and size of transactions conducted
in the account, and the risk of illicit activity associated with the
account. For certain classes or categories of accounts, it would be
sufficient for an effective monitoring system to establish parameters
for which the transactions within these accounts will normally occur.
Rather than monitoring each transaction, an effective monitoring system
could entail monitoring only for those transactions that exceed the
established parameters for that particular class or category of
accounts. For other categories or classes of accounts, such as private
banking accounts, it may be necessary to monitor each significant
transaction.
Determine if transaction should be reported. Once a transaction is
identified as inconsistent with normal and expected transactions,
paragraph (d)(2)(v) requires that a bank determine if the transaction
warrants the filing of a Suspicious Activity Report. This is consistent
with a bank's existing obligations under 12 CFR 21.11(c). In
identifying reportable transactions, a bank should not conclude that
every transaction that falls outside what is expected for a given
customer should be reported. Rather, a bank should focus on patterns of
inconsistent transactions and isolated transactions that present risk
factors that warrant further review.
Compliance with Know Your Customer Program (Sec. 21.22(e))
This section sets forth the requirements a bank must follow to
ensure that it is in compliance with its Know Your Customer program.
The requirements include that a bank provide for and document a system
of internal controls to ensure ongoing compliance, as well as provide
for and document independent testing for compliance with the Know Your
Customer program. Additionally, the bank must designate an individual
responsible for coordinating and monitoring day-to-day compliance and
provide for and document training to all appropriate personnel of the
content and requirements of the Know Your Customer program.
Availability of Documentation (Sec. 21.22(f))
This section requires, for all accounts opened or maintained in the
United States, that all information and documentation necessary to
comply with the regulation be made available for examination and
inspection, at a location specified by a OCC representative, within 48
hours of a request for such information and documentation. In instances
where the information and documentation is at a location other than
where the customer's account is maintained or the financial services
are rendered, the bank must adopt, as part of its Know Your Customer
program, specific procedures designed to ensure that the information
and documentation is reviewed by personnel at the location where the
customer's account is located or the financial services are rendered,
and the bank should provide written evidence that the appropriate
review of the information and documentation is being performed by the
personnel at that location on a regular basis.
While issues arise on occasion concerning whether foreign laws
permit a bank to disclose certain customer information, the OCC's
experience is that the information typically already exists within the
bank in the United States because the information is used by the
relationship manager, who resides in the United States, as well as
other components of the bank, to provide banking services to the
customer. Moreover, in instances where
[[Page 67528]]
banks have raised foreign law disclosure issues, the banks, at the
OCC's suggestion, have obtained from their customers waivers to any
perceived prohibition to disclosure of the information and
documentation. Thus, the OCC does not anticipate that foreign laws will
preclude the production of information relating to accounts opened and
maintained in the United States.
Comments Sought
The OCC invites comment on any aspect of the proposed regulation,
and specifically seeks comment on the following issues:
1. Whether the proposed definition of ``customer'' is sufficient to
include all persons who benefit from an account opened at a bank, such
as persons who establish off-shore shell companies or entities or
otherwise conduct their business through intermediaries.
2. Whether the proposed definition of ``customer'' is too broad and
will unnecessarily include persons that pose a minimal Know Your
Customer risk.
3. Whether a bank's Know Your Customer program should apply to a
bank's counterparty relationships with respect to transactions in
wholesale financial markets (e.g., sales or purchases involving foreign
exchange or securities) and correspondent banking relationships.
4. Whether a different standard than that applicable to retail
relationships would be more appropriate for wholesale and correspondent
banking relationships, and, if such a distinction is appropriate, how
the definition of ``customer'' can be distinguished between
transactional counterparty customers, correspondents, and retail
customers.
5. Whether the proposed regulation will create a competitive
disadvantage with respect to other financial entities offering similar
services that may not be subject to the similar regulations (citing,
where possible, specific examples) and, if so, what could be done to
mitigate the disadvantage consistent with the OCC's supervisory
responsibilities.
6. Whether the actual or perceived invasion of personal privacy
interests is outweighed by the additional compliance benefits
anticipated by this proposal.
7. Whether there should be a minimum account size threshold below
which the Know Your Customer requirements should be waived.
8. Whether credit card banks should be exempt from the regulation.
Regulatory Flexibility Act
Pursuant to section 605(b) of the Regulatory Flexibility Act (5
U.S.C. 601 et seq.), the OCC certifies that this proposal will not have
a significant economic impact on a substantial number of small
entities. Accordingly, a regulatory flexibility analysis is not
required. Most banks, from small to large, already have policies and
procedures aimed at collecting, retaining, and reviewing the types of
information required by this proposal. Therefore, there should not be a
significant economic impact from this proposal.
Paperwork Reduction Act
The OCC invites comment on:
(1) Whether the proposed collections of information contained in
this notice of proposed rulemaking are necessary for the proper
performance of the OCC's functions, including whether the information
has practical utility;
(2) The accuracy of the OCC's estimate of the burden of the
proposed information collection;
(3) Ways to enhance the quality, utility, and clarity of the
information to be collected;
(4) Ways to minimize the burden of the information collection on
respondents, including the use of automated collection techniques or
other forms of information technology; and
(5) Estimates of capital or start-up costs and costs of operation,
minutes, and purchase of services to provide information.
Recordkeepers are not required to respond to this collection of
information unless it displays a currently valid OMB control number.
The collection of information requirements contained in this notice
of proposed rulemaking have been submitted to the Office of Management
and Budget for review in accordance with the Paperwork Reduction Act of
1995 (44 U.S.C. 3507(d)). Comments on the collections of information
should be sent to the Office of Management and Budget, Paperwork
Reduction Project (1557-KYCP), Washington, D.C. 20503, with copies to
Office of the Comptroller of the Currency, Communications Division, 250
E Street, SW, Attention: 1557-KYCP, Washington, D.C. 20219.
The proposed rule is not expected to significantly increase the
ongoing annual paperwork burden for the recordkeepers because most of
the ongoing burden is incurred and accounted for under other existing
information collections. As discussed in the preamble to the proposed
rule, banks already must report suspicious transactions, pursuant to 12
CFR 21.11. Therefore, they already must gather information about
customers and monitor customer transactions as part of their usual and
customary activities in order to comply with the suspicious activity
reporting requirements. Moreover, the OCC has drafted the proposed
regulation in a way that is designed to give banks as much flexibility
as possible to design a system that is appropriate for each individual
bank and generally has not proposed to require compliance with specific
paperwork burdens.
The majority of the paperwork burden associated with the proposed
rule is the one-time burden of developing a plan. In the normal course
of business, most institutions likely already have sufficient
information about their customers in their files and would only need to
organize and review such information. Because each institution would
design its own program in accordance with its own business practices,
the OCC estimates that the burden of the proposed rule would vary
considerably and may range, during the initial year, from 10 to 30
hours, with an average of 20 hours per recordkeeper.
The collection of information requirements in this proposed rule
are found in 12 CFR 21.22(c) and 21.22(e)(3). This information is
required to evidence compliance with the requirements that the Know
Your Customer program has been developed and approved by a bank's board
of directors (or committee thereof) and to identify the person(s)
responsible for coordinating and monitoring compliance with the
program. The likely respondents are national banks, District banks, and
Federal branches and agencies of foreign banks licensed or chartered by
the OCC.
Estimated average annual burden hours per recordkeeper: 20 hours
for the first year, with an average over the first three years of 8
hours per year.
Estimated number of recordkeeper: 2,600.
Estimated total annual recordkeeping burden: 52,000 for the first
year, with an average over the first three years of 20,800 hours per
year.
Start-up costs: None.
Executive Order 12866
The Office of Management and Budget has concurred with the OCC's
determination that this proposal is not a significant regulatory action
under Executive Order 12866.
Unfunded Mandates Reform Act of 1995
The OCC has determined that this proposal will not result in
expenditures by state, local, and tribal governments, or by the private
sector, of $100 million
[[Page 67529]]
or more in any one year. Accordingly, a budgetary impact statement is
not required under section 202 of the Unfunded Mandates Reform Act of
1995. Most banks already have policies and procedures aimed at
collecting, retaining and reviewing the types of information required
by this proposal and, thus, this proposal should not result in
substantial additional expenditures.
List of Subjects in 12 CFR Part 21
Currency, National banks, Reporting and recordkeeping requirements,
Security measures.
Authority and Issuance
For the reasons set forth in the preamble, part 21 of chapter I of
title 12 of the Code of Federal Regulations is proposed to be amended
as follows:
PART 21--MINIMUM SECURITY DEVICES AND PROCEDURES, REPORTS OF
SUSPICIOUS ACTIVITIES, AND BANK SECRECY ACT COMPLIANCE PROGRAM
1. The authority citation for part 21 continues to read as follows:
Authority: 12 U.S.C. 93a, 1818, 1881-1884, and 3401-3422; 31
U.S.C. 5318.
2. A new Sec. 21.22 is added to read as follows:
Sec. 21.22 Know Your Customer rules.
(a) Purpose and scope--(1) Purpose. The Know Your Customer rules
require that national banks and Federal branches or agencies of foreign
banks establish and regularly maintain procedures designed to determine
the identity of their customers, as well as their customers' normal and
expected transactions and sources of funds involving the bank. These
procedures (referred to as the ``Know Your Customer'' program) are
intended to: protect the reputation of the bank; facilitate the bank's
compliance with all applicable statutes and regulations (including the
Bank Secrecy Act and the suspicious activity reporting requirements of
12 CFR 21.11) and with safe and sound banking practices; and protect
the bank from becoming a vehicle for or a victim of illegal activities
perpetrated by its customers.
(2) Scope. In general, the Know Your Customer rules apply to all
national banks as well as all Federal branches or agencies of foreign
banks licensed or chartered by the OCC. However, the rules do not apply
to credit card banks, bankers's banks, or other banks that operate
solely to service the activities of their affiliates.
(b) Definition of customer. For the purposes of this section,
customer means:
(1) Any person or entity who has an account involving the receipt
or disbursal of funds with an institution covered by this section; and
(2) Any person or entity on behalf of whom an account is
maintained.
(c) Establishment of Know Your Customer program. Each bank shall
develop and provide for the continued administration of a Know Your
Customer program by April 1, 2000. The Know Your Customer program shall
be reduced to writing and approved by the board of directors (or a
committee thereof) with the approval recorded in the official minutes
of the board.
(d) Contents of Know Your Customer program. The Know Your Customer
program may vary in complexity and scope according to categories or
classes of customers established by the bank and the potential risk of
illicit activities associated with those customers' accounts and
transactions. Components of the program should include the following:
(1) Appropriate documentation requirements and due diligence
procedures established by the bank to comply with this section; and
(2) A system for:
(i) Determining the identity of the bank's new customers and, if
the bank has reasonable cause to believe that it lacks adequate
information to know the identity of existing customers, determining the
identity of those existing customers;
(ii) Determining the customer's sources of funds for transactions
involving the bank;
(iii) Determining the particular customer's normal and expected
transactions involving the bank;
(iv) Monitoring customer transactions and identifying transactions
that are inconsistent with normal and expected transactions for that
particular customer or for customers in the same or similar categories
or classes, as established by the bank; and
(v) Determining if a transaction should be reported in accordance
with the OCC's suspicious activity reporting regulations and, if so,
reporting accordingly.
(e) Compliance with Know Your Customer program. The bank shall
comply with its Know Your Customer program. To ensure compliance, the
bank shall:
(1) Provide for and document a system of internal controls;
(2) Provide for and document independent testing for compliance to
be conducted by bank personnel or by an outside party on a regular
basis;
(3) Designate an individual or individuals responsible for
coordinating and monitoring day-to-day compliance; and
(4) Provide for and document training to all appropriate personnel,
on at least an annual basis, of the content and required procedures of
the Know Your Customer program.
(f) Availability of documentation. For all accounts opened or
maintained in the United States, each bank must ensure that all
information and documentation sufficient to comply with the
requirements of this section are available for examination and
inspection, at a location specified by an OCC representative, within 48
hours of an OCC representative's request for such information and
documentation. In instances where the information and documentation is
maintained at a location other than where the customer's account is
maintained or the financial services are rendered, the bank must
include, as part of its Know Your Customer program, specific procedures
designed to ensure that the information and documentation is reviewed
on an ongoing basis by appropriate bank personnel in order to comply
with this section.
Dated: October 17, 1998.
Julie L. Williams,
Acting Comptroller of the Currency.
[FR Doc. 98-32333 Filed 12-4-98; 8:45 am]
BILLING CODE 4810-33-P