FinCEN and Federal Functional Regulators Issue Final USA PATRIOT Act Customer Identity Verification Regulations for Banks and Mutual Funds

The Financial Crimes Enforcement Network ("FinCEN") of the Department of the Treasury and the 7 federal functional regulators (FRB, FDIC, OCC, OTS, CFTC, NCUA and SEC) issued final regulations (the "Regulations") under Section 326 of the USA PATRIOT Act concerning the requirement that entities deemed "financial institutions" under the Bank Secrecy Act ("FIs"), which include, among others, banks and registered open-end investment companies, establish procedures to verify the identity of new accountholders.

The Regulations implement the statutory requirement that FIs adopt and establish reasonable procedures to: (1) verify the identity of any person opening an account; (2) maintain records of the information used to verify the person¡¦s identity; and (3) determine whether the person appears on any list of known or suspected terrorists or terrorist organizations. Separate versions of the Regulations were issued for (a) banks, (b) mutual funds, (c) broker-dealers and (d) futures commission merchants and introducing brokers.

This Article covers the Regulations for banks and mutual funds. Next week¡¦s issue of the Alert will discuss the regulations applicable to broker-dealers and to futures commission merchants and introducing brokers.

Regulations for Banks. The version of the Regulations applicable to banks (the "Bank Regulations") applies to banks, savings associations, credit unions, certain non-federally regulated private banks and trust companies and U.S. offices of foreign banks, as well as the subsidiaries of these types of financial institutions (collectively "Banks"). The Bank Regulations were adopted jointly by FinCEN, the FRB, FDIC, OCC, OTS and NCUA (the "Banking Agencies").

(i) Definition of "Account". The definition of "account" covers formal banking relationships established to provide or engage in services, dealings or other similar transactions, (e.g., deposit transactions, extensions of credit and trust accounts). The Banking Agencies have clarified that general "business" dealings such as those in connection with a Bank¡¦s operations of its premises are not "accounts." Moreover, the Bank Regulations provide a list of products and services that are not deemed an "account," e.g., check cashing, purchase or sale of a money order, accounts opened to participate in an employee benefit plan. In addition, the definition of "account" excludes accounts that a Bank acquires through an acquisition, merger, purchase of assets, or assumption of liabilities from any third party. A Bank is not required to verify the identity of individuals or other entities if there is no "account" involved.

(ii) Definition of "Customer". The definition of "customer" includes a "person" who opens a "new" account and each person named on a joint account. For a trust account the customer is the trust. A Bank is not required to look through trust, escrow or similar accounts to establish the identity of beneficiaries, but it must verify the identity of the named accountholder. "Customer" includes the individual who opens an account for an organization, e.g., a club and the person who opens an account for a minor or someone else who lacks the legal capacity to open an account. The Bank Regulations delete the originally proposed requirement that a Bank verify the identity of each signatory on an account. Moreover, because they represent a relatively low money-laundering risk or are otherwise covered, FIs , government agencies and companies with publicly-traded securities are excluded from the definition of "customer." Moreover, the Bank Regulations exclude from the definition of "customer" a person who has an existing account with the Bank and as to whom the Bank has a reasonable belief that it knows the person¡¦s true identity. Furthermore, if a person simply seeks to open an account or if the person¡¦s request to open an account is denied, the person is not a "customer."

(iii) The Customer Identification Program. Each Bank¡¦s customer identification program ("CIP") must be a part of its anti-money laundering program ("AML Program") adopted pursuant to Section 352 of the USA PATRIOT Act. The AML Program must be approved by the Bank¡¦s Board (or a committee thereof) and the CIP may be approved as a part of or as a material amendment to the AML Program. The three key elements of the CIP are: (1) identification and verification of those who open an account; (2) recordkeeping; and (3) consulting the federal government lists of known or suspected terrorists or terrorist organizations.

1. Identification and Verification. A Bank's CIP must include risk-based procedures for verifying the identity of each customer to the extent "reasonable and practicable." The procedures must allow the Bank to form a reasonable belief that it knows the customer's true identity. The information a Bank must obtain before opening an "account" for a "customer" is: (1) name; (2) residence or business address (a Bank may use a P.O. Box address only for members of the military); (3) date of birth, for individuals; and (4) tax identification number, social security number or employee identification number for a U.S. person or taxpayer, and for a non-U.S. person, identification number, passport number, alien identification card or another government-issued identification card that shows nationality with a photograph or similar safeguard. A Bank's CIP must contain procedures for verifying the identity of the customer using the identity information obtained by the Bank. A Bank's CIP must also include procedures that the Bank will use to address situations where it cannot form a reasonable belief that it knows the customer¡¦s true identity. The CIP should accordingly address, among other things: (a) when the Bank will not open an account; (b) when the Bank will close an account; (c) when it will file a suspicious activity report; and (d) terms under which a customer may use an account while the Bank is v erifying the customer¡¦s identity. A Bank may use documentary as well as non-documentary methods to verify a customer¡¦s identity and the CIP should address situations when additional or enhanced verification procedures may be required.
2. Recordkeeping. A Bank's CIP must include procedures for making and maintaining a record (which may be an electronic record) of all information used in verifying a customer¡¦s identity. The record, however, may be a description rather than a copy of the documentation on which the Bank relied. The CIP should indicate that the Bank maintains records of such items as: (1) a list of identifying information presented by the customer; (2) a description of the document relied on for verification; (3) a description of the methods and results of non-documentary means of verification; and (4) a description of the resolution of any discrepancies. The Bank Regulations require, generally, that a Bank retain CIP records used to identify a customer for 5 years after an account has been closed and must maintain additional documents used to verify the customer¡¦s identity for 5 years after the record was made.

3. Consulting Government Lists. The CIP must also include procedures that the Bank will use to determine whether the customer¡¦s name appears on any federal government lists of known or suspected terrorists or terrorist organizations and for complying with directives related to those lists. The Bank Regulations state that Banks will receive separate, additional guidance from the Banking Agencies regarding the lists that must be consulted.

(iv) Notices to Customers. The Bank Regulations require a Bank to provide a notice to its customers regarding its CIP. The Bank Regulations provide several models of appropriate forms of notice. In disseminating the notice, a Bank, for example, may use a lobby poster, place the notice on account application forms and/or train Bank employees to describe the CIP requirements in connection with opening an account.

(v) Reliance on Third Parties. The CIP may include procedures that describe when the Bank will rely on another FI (which may be an affiliate) to perform identity verification. Reliance on the third party must be reasonable and the other FI must be subject to anti-money laundering ("AML") requirements under Section 352 of the USA PATRIOT Act. The other FI must enter into a contract with the Bank pursuant to which the FI agrees annually to certify that it has implemented and will perform the Bank¡¦s CIP functions. The Bank will not be h eld responsible for the other FI¡¦s failure to adequately fulfill the Bank¡¦s CIP responsibilities, provided that the Bank¡¦s reliance was reasonable, and it, in fact, obtains the required contract and certification from the other FI.

(vi) Effective Date. The Bank Regulations become effective 30 days after their publication in the Federal Register. Each Bank, however, must comply with (and have its board or a committee thereof approve the CIP pursuant to) the Bank Regulations by October 1, 2003.

Regulations for Mutual Funds. The version of the Regulations applicable to mutual funds (the "Mutual Fund Regulations") applies to open-end investment companies registered or required to register under Section 8 of the Investment Company Act of 1940 ("Funds"). The Mutual Fund Regulations were adopted jointly by FinCEN and the SEC.

(i) Definition of "Account". The definition of "account" covers relationships between a Fund and a person established to effect financial transactions in the Fund¡¦s securities. The definition of "account" excludes accounts that a Fund acquires through an acquisition, merger, purchase of assets, or assumption of liabilities from any third party. In addition, accounts opened for the purpose of participating in an employee benefit plan established pursuant to the Employee Retirement Income Security Act of 1974 are not accounts subject to the Mutual Fund Regulations.

(ii) Definition of "Customer". The definition of "customer" includes each person who opens a new account with a Fund as shareholder of record. Trust accounts, persons with existing accounts, FIs, government agencies and companies with publicly-traded securities receive generally the same treatment as under the Bank Regulations described above. For omnibus accounts established by a financial intermediary such as a broker-dealer, Funds are not generally required to look through to the underlying beneficial owners. Similarly, a Fund would not be required to look through a retirement plan to the underlying participants.

(iii) The Customer Identification Program. Each Fund¡¦s CIP must be a part of its AML Program adopted pursuant to Section 352 of the USA PATRIOT Act and is therefore subject to board approval. The three key elements of a Fund¡¦s CIP are: (1) verification of customer identity; (2) recordkeeping; and (3) consulting federal government lists of known or suspected terrorists or terrorist organizations.

1. Identification and Verification. A Fund's CIP must include risk-based procedures for verifying the identity of each customer to the extent "reasonable and practicable." The requirements applicable to Funds parallel those applicable to Banks (as described above) with respect to (1) obtaining identifying information before opening an account for a customer, (2) verifying the identity of the customer using the identity information obtained and (3) the need for CIPs to address situations where a Fund cannot form a reasonable belief that it knows the customer¡¦s true identity.

2. Recordkeeping. Funds are subject to recordkeeping requirements substantially similar to those applicable to Banks (as described above).

3. Consulting Government Lists. A Fund¡¦s CIP must also include procedures for determining whether a customer¡¦s name appears on federal government lists of known or suspected terrorists or terrorist organizations specified from time to time by the Department of the Treasury and for complying with directives associated with the lists.

(iv) Notices to Customers. The Mutual Fund Regulations require a Fund to provide adequate notice, (e.g., on a website or account application), to potential investors that the Fund is requesting information to verify their identities.

(v) Reliance on Third Parties. A Fund may rely on another FI (including an affiliate) to perform all or any part of the Fund¡¦s duties under its CIP subject to the same requirements applicable to Banks as noted above. A Fund that meets these requirements will not be held responsible for the other FI¡¦s failure to adequately fulfill the Fund¡¦s CIP responsibilities. This aspect of the Mutual Fund Regulations does not affect a Fund¡¦s ability to contractually delegate CIP operation to a third party. However, delegation does not relieve a Fund from responsibility for compliance with the Mutual Fund Regulations, and a Fund must therefore actively monitor the performance of any third party delegatee.

(vi) Effective Date. Each Fund must comply with the Mutual Fund Regulations (including securing the necessary board approvals) by October 1, 2003.

ƒnFinCEN Proposes Anti-Money Laundering Rules for Investment Advisers

FinCEN proposed AML rules that would apply to (a) U.S.-based, federally registered advisers that report assets under management to the SEC on Form ADV and (b) U.S.-based advisers with more than $30 million under management who rely on the exemption from federal registration generally applicable to advisers with fewer than 15 clients. The proposed rules require each affected adviser to establish written AML policies and procedures, which must be approved by the adviser¡¦s board of directors or the person or persons exercising similar governance powers for the adviser. An adviser¡¦s AML Program would need to (a) provide for periodic independent review, (b) designate a person or persons responsible for implementing and monitoring the AML Program and (c) provide ongoing training for appropriate adviser personnel. An unregistered adviser subject to the new rules would be required to file an initial notice with FinCEN identifying itself and its AML officer and providing its total number of clients and total assets under management. Unregistered advisers would be required to update the information identifying themselves and their AML officers within 30 days of any change and update all notice information on an annual basis. Under the proposed rules, an adviser¡¦s AML Program would seek to identify unusual transactions or transaction activity for each client whose assets the adviser manages. The release proposing the new rules describes different requirements that would apply depending on the type of transaction, transaction activity and client. FinCEN¡¦s proposal includes provisions that would permit an adviser to exclude from its AML Program any pooled investment vehicle that is independently subject to AML regulation. An adviser could also delegate the implementation and operation of appropriate elements of its AML Program by contract. FinCEN indicated that it is considering whether investment advisers should be subject to additional BSA requirements, including filing suspicious activity reports and complying with accountholder identification and verification procedures. Comments on FinCEN¡¦s proposal are due on or before July 7, 2003.