At Last: The KYC Proposal
It's here. The Federal Reserve Board has signed off on proposed Know Your Customer ("KYC") rules. Although the proposal is supported by a fairly lengthy memorandum explaining the proposal, the proposed regulatory language itself is surprisingly short and general. In fact, it is a bit difficult to figure out what the delay was all about.
The proposed rule itself is not much more than we already knew: each bank should have KYC procedures. The actual form and content of those procedures is left to each bank. This is precisely what Rick Small has been telling us for the several years that we have been waiting for this rule. Believe it! Although this proposal looks general, read it carefully. There are several concrete elements in this simple-looking rule.
Who you have to know. First, there are only two definitions: "customer" and "bank." Neither definition has any surprises. But look carefully at the definition of customer. It includes loan and trust customers. A customer is a "person or entity who has an account involving the receipt or disbursal of funds with a bank and any other person or entity on behalf of whom such an account is maintained." While only one straightforward-looking statement, this includes trust accounts and loans - all loans, commercial as well as consumer. It also means all types of consumer accounts, not just transaction accounts. Consumer loans, credit cards, home equity lines of credit, and mortgages should all be included in your KYC program. Because of the differences in these types of transactions, you should consider tailoring your KYC program to each product or type of product.
Written program. The proposal would require a formal, written program. The program should be approved by the board of directors. This action should be reflected in the board's minutes. The examiners will review the board's minutes when they come in and will be looking for this.
The program itself. After this long wait, the regulation as proposed gives virtually no guidance as to content of KYC procedures. It leaves this up to the institution. First, the regulation expects KYC programs to vary in complexity and scope from bank to bank. It also contemplates variation within a bank based on the different types of customer relationships.
Whatever elements the KYC program includes, it should be designed to determine the normal and expected transactions of that customer with the bank. In addition, it should establish the source of funds for those transactions.
Minimal information elements that you should compile include a method of determining the customers' true identities and determining their source(s) of funds for the account or transaction.
Any identification procedures you develop in your program should comply with Regulation B's information gathering restrictions. In addition, they should account for compliance with general discrimination laws and the Americans with Disabilities Act. In other words, don't require only one type of identification such as a driver's license. Also, don't establish inappropriately difficult procedures for loan applicants that are permanent resident aliens.
In addition to knowing the customer and the source of funds, your procedures should identify the normal and expected transactions that this customer will bring to the bank. These transactions should be appropriate to the status and business of the customer. This also lays the foundation for identifying a change in pattern that would trigger a suspicious activity report. This is also a critical step for the Tier II Exemptions. Without this element in your KYC program, there will be no exemptions.
Your program should also include a method for monitoring transactions and a set of internal controls. The monitoring must have the capability to determine whether transactions are consistent with the normal and expected transactions for that customer or for that type of transaction. The monitoring and controls should be sufficient to identify transactions that deviate from the expected pattern, to evaluate whether the transaction is suspicious, and to prevent suspicious or deviant transactions from occurring without notice. In designing this part of the program, your fraud controls should be a good resource.
Independent testing. As with other elements of the BSA program, your KYC program should be independently tested at least once a year. The proposed regulation allows this testing to be done internally by staff independent from the process, or by outside auditors.
Responsible staff. Someone has to hold the bag. Your program should designate an individual or individuals who are responsible for managing the KYC program on a day-to-day basis. Needless to say, whoever has this responsibility must also have sufficient authority to take action and ensure that the program works.
Documentation and due diligence requirements. The KYC program should include a requirement that the procedure be supported by written documentation. In short, you must create and maintain a file for each customer that contains the information or record that KYC procedures were followed. Although the proposed regulation does not specify this, the information should be revised or supplemented for additional relationships if those relationships require different or additional information under your KYC procedures. For example, source of funds information would be different for a mortgage loan than for a transaction account.
You must be able to produce any documentation upon your examiners' request within 48 hours. The entire KYC program should be held to a due diligence standard.
Training. No surprises here. Staff must be trained in the content and procedures for KYC. This training should be appropriate for the job responsibilities and the type of customer relationships the staff handles. You may not be able to simply design a one-size-fits-all training program. Trust officers and commercial lenders will have different procedures and information considerations than new accounts staff. Training should be delivered "on a regular basis."
Timing. The rule will be proposed for 60 days. You have until after Thanksgiving to get your comments in. Once the rule is adopted in final, banks would have six months to develop and implement a final KYC program.
Read this proposal in the context of the Tier II Exemption Rule. The exemption rule relies heavily on KYC procedures and the ability of banks to identify suspicious transactions. In other words, it all comes down to KYC and bank procedures.
The comment process. In preparing comments on the KYC proposal, it is important to keep in mind that the primary purpose of the proposal is to protect the good name of the bank and to enhance the bank's relationship with good customers. Your comments should tell the FRB what the bank can and cannot do effectively and what impact certain practices or questions have on customers. Pam Johnson urges the industry to suggest viable approaches, especially if objecting to elements in the proposal.
In issuing a final rule, the FRB expects to provide guidance to the industry that will be more specific than the regulation itself. The suggestions and information in the guidance will be gleaned from comments. This means that the quality and extent of the guidance the FRB gives will depend on the number and quality of comments it receives.
When preparing comments, consider the implementation and management of several aspects of the rule. The proposal is intentionally broad and non-specific - which translates to vague in the compliance dictionary. The comment period is your chance to get clarification. Ask for clarification or suggest ideas for monitoring (including content and frequency), effective or acceptable checks and balances for activities such as managing, monitoring, and auditing the program, how to establish what constitutes normal and expected business with the bank, and procedures for verifying sources of funds. Also ask for clarification on how to treat seasonal businesses, such as ski resorts.
ACTION STEPS
- Discuss KYC with your lending staff. Make sure they are aware of the requirements to know their customers and the sources of their funds.
- Find out what loan officers know about subsequent sources of funds used for payments on loans.
- Review loan procedures - including commercial - to evaluate the extent to which the lender knows the customer and the source of funds. If this is inadequate, set up a task force to revise the procedures and make sure that someone who knows BSA is included on the task force.
- Now go through the same steps with branch staff. Be sure to talk with branch managers, customer service reps, and tellers.
- Review all consumer and commercial relationships with the bank and determine what you need to know about the customers for each type of relationship.
- Look to any fraud protection procedures you have for guidance on monitoring and evaluating account activity.
- Consider and regularly review the impact of other laws, such as ECOA and ADA, on your KYC program.
Copyright © 1998 Compliance Action. Originally appeared in Compliance Action, Vol. 3, No. 13 & 14, 10/98