- The USA PATRIOT Act Privacy Rules
- November 6, 2008 | Author: John B. Whalen
- Law Firm: Whalen, John B., Jr. - Wayne Office
Less than two months after September 11th, President Bush signed the USA PATRIOT Act.
- The USA PATRIOT (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism ("U.S.A. P.A.T.R.I.O.T.") Act, announced a wide range of new tools to strengthen the U.S. economic system from, in addition to many other things, money laundering, terrorist financing, identity theft, and fraud.
- Among the tools of the USA PATRIOT Act was Section 326, which virtually overhauled the account-opening process at financial institutions. Section 326 required that the Treasury Department establish minimum standards with which financial institutions must strictly comply in order to open new accounts. This note will outline a brief history and a few aspects of Section 326 with which we are all now faced.
- On July 23, 2002, the Treasury Department issued the Proposed Rules for Section 326, which received overwhelming criticism from all interests. The criticism ranged from one side advocating for a rule containing an entirely risk-based approach without any minimum identification and verification requirements, to the opposing side desiring a rule with more specific requirements [because a completely] risk-based approach would leave too much room for interpretation. The overwhelming sentiment from all sides, however, was that the Treasury Department had underestimated the compliance burden that would be imposed on financial institutions.
- On April 30, 2003, the Treasury Department adopted the Joint Final Rule for Section 326, which attempted to both increase the verification effectiveness for new accounts and decrease the needless drain on financial institutions. Changes from the Proposed Rules to the Joint Final Rule included a narrowed definition of customer (i.e., by excluding signatories on accounts) and redefined record-keeping requirements (i.e., by requiring only notations from, not copies of, identity-verifying documents such as driver's licenses). Most notably, the Joint Final Rule implemented the Customer Identity Program (C.I.P.) rules.
- On October 1, 2003, the C.I.P. rules became mandatory, which dictated that [a]ll financial institutions, regardless of size, have a CIP that contains customer identification and verification procedures.
- The purpose of a C.I.P. is to ensure that financial institutions know the true identity of those opening accounts. Each institution's C.I.P should be risk-based, and should be an integrated part of its Bank Secrecy Act and Anti-Money Laundering programs.
- In establishing a C.I.P., Section 326 dictates minimum, not maximum, standards. Therefore, the measures taken by each financial institution will vary based on many factors. With respect to the account, aspects will include the account type, the method by which it is opened (i.e., in person or electronically), and the identity verification information provided by the customer. With respect to the institution, considerations will include its size, location, and customer base.
- In activating a C.I.P., Section 326 dictates that it will occur anytime a new customer opens a new account. However, it may also occur in varying degrees with existing customers and existing accounts. The essence of the meaning of an account lies in ongoing relationships, not infrequent interactions. It is defined as a formal relationship to provide or engage in services, dealings or other financial transactions. The gist of the meaning of customer speaks to both individuals and entities, including estates and trusts. It is defined as a person opening a new account and an individual who opens a new account for one who lacks legal capacity (i.e., a minor) or an entity that is not a legal person (i.e., a civic group). Taken together, all of these factors and definitions should allow an institution to conclude that it has a reasonable belief as to a customer's true identity.
- The hallmark of a C.I.P. should be flexibility. Accordingly, the Joint Final Rule begins with the minimum steps for a C.I.P., and then allows each financial institution to develop its own C.I.P., which must be written and approved by the institution's Board of Directors, by building upon those steps. The four minimum steps to a CIP are verifying identities, keeping records, comparing lists, and notifying customers.
- The 1st Step - Verifying Identities. The first element of a C.I.P is verifying identities. This step is a two-pronged procedure - the customer provides identifying items and the financial institution validates those identifying items. To satisfy the first prong, the customer (whether an individual or an entity) must provide three essential pieces of identifying items - name, address, and identification number (with a fourth requirement, date of birth, also required of individuals). To satisfy the second prong, a financial institution's C.I.P should specify by what methods (whether documentary proof and/or non-documentary confirmation) it will use to validate the customer's identifying information. Worthy of mention is the aspect that, although the Joint Final Rule specifically includes driver's licenses and passports, it does not preclude other forms of identification. Presently, however, some institutions only accept these two forms of identification. Also of note is that the exact requirement of an identification number appears to be somewhat unsettled at this point. Granted, with respect to estates and trusts, an Employer Identification Number is obligatory, but presently some institutions also require the individual fiduciary's Social Security Number (as well as address and date of birth). As a word of caution, the initial information provided to a financial institution for an estate or trust should be closely monitored to ensure that it is coded properly with the Employer Identification Number of the entity, and not the Social Security Number of the individual fiduciary. Again, as the Joint Final Rule specifies only minimum requirements, it appears that these practices, which may be initially perceived as overreaching, are, in fact, not out of bounds. The theme to keep in mind is that the financial institution is allowed to form a reasonable belief that it knows the true identity of the customer.
- The 2nd Step - Keeping Records. The second element of a C.I.P is keeping records. In other words, what measures must the financial institution take to document that the first step - verifying identities - was in fact performed. The C.I.P rules contain a bifurcated record-keeping system. The identifying information (i.e., name, address, and identification number, and, with individuals, date of birth) must be kept for five years after the account is closed, and all other information must be kept for five years after the record is made.
- The 3rd Step - Comparing Lists. The third element of a C.I.P is comparing lists. The C.I.P must include procedures for determining whether a customer appears on any list of known or suspected terrorist organizations issued by the federal government. Although this requirement seems quite onerous upon first blush, financial institutions are not required to actively seek out any and all government lists. Although no "Section 326 Government List" currently exists, it has been stated that the Department of the Treasury will create and provide a "Section 326 List" for the industry to use for this specific purpose.
- The 4th Step - Notifying Customers. The fourth element of a C.I.P is notifying customers. Every institution must provide customers with adequate notice that they are requesting information to verify their identities. This notice can be either given to the customers on an individual basis, such as a handout, or on a collective basis, such as a placard displayed in the bank. The statute also has sample language in the regulation that may be used.
- The USA PATRIOT Act is a massive tome, with the commentary on it alone capable of filing a small warehouse. I hope this note offers a little foothold to it.