Statement of
Martin J. Gruenberg, Chairman,
Federal Deposit Insurance Corporation
before the
Subcommittee on Oversight and Investigations
Financial Services Committee
U.S. House of Representatives
March 24, 2015
Chairman Duffy, Ranking Member Green and members of the Subcommittee, I
appreciate the opportunity to testify on behalf of the Federal Deposit Insurance
Corporation (FDIC) on the FDIC's supervisory approach regarding insured institutions
providing banking services to customers, including third-party payment processors
(TPPPs). We are aware of concerns regarding the FDIC's efforts in this area and we
welcome the opportunity today to clarify the FDIC's supervisory approach. I also will
discuss the FDIC's interaction with the Department of Justice's (DOJ) Operation Choke
Point.
As the primary federal regulator of state-chartered financial institutions that are not
members of the Federal Reserve System, the FDIC supervises these institutions for
adherence with safety and soundness standards, information technology requirements,
Bank Secrecy Act and other anti-money laundering laws and regulations, and consumer
protection laws.
The USA PATRIOT Act, enacted in 2001, added new due diligence requirements for
banks under the Bank Secrecy Act (BSA). Section 326 of the Act requires banks to
establish and maintain a Customer Identification Program (CIP). At a minimum, financial
institutions must implement reasonable procedures for: (1) verifying the identity of any
person seeking to open an account, to the extent reasonable and practicable; (2)
maintaining records of the information used to verify the person's identity, including
name, address, and other identifying information; and (3) determining whether the
person appears on any lists of known or suspected terrorists or terrorist organizations
provided to the financial institution by any government agency. The purpose of the CIP
is to enable banks to form a reasonable belief that they know the true identity of each
customer. In its most basic form, knowing one's customer serves to protect banks from
the potential liability and risk of providing financial services to a customer engaged in
fraudulent and unlawful activity. In addition, but no less important, it provides another
level of protection to the general public against illegal activity (including terrorist
financing and money laundering), since banks are a gateway to the financial system.
Knowing your customer also involves ongoing monitoring of your customer base for
signs of potential illegal activity, and when necessary, requires filing Suspicious Activity
Reports (SAR) when banks believe a customer has engaged in a potential illegal
activity. Regulatory guidance requires financial institutions to have a Customer Due
Diligence (CDD) program that enables the institution to predict with relative certainty the
Martin J. Gruenberg, Chairman,
Federal Deposit Insurance Corporation
before the
Subcommittee on Oversight and Investigations
Financial Services Committee
U.S. House of Representatives
March 24, 2015
Chairman Duffy, Ranking Member Green and members of the Subcommittee, I
appreciate the opportunity to testify on behalf of the Federal Deposit Insurance
Corporation (FDIC) on the FDIC's supervisory approach regarding insured institutions
providing banking services to customers, including third-party payment processors
(TPPPs). We are aware of concerns regarding the FDIC's efforts in this area and we
welcome the opportunity today to clarify the FDIC's supervisory approach. I also will
discuss the FDIC's interaction with the Department of Justice's (DOJ) Operation Choke
Point.
As the primary federal regulator of state-chartered financial institutions that are not
members of the Federal Reserve System, the FDIC supervises these institutions for
adherence with safety and soundness standards, information technology requirements,
Bank Secrecy Act and other anti-money laundering laws and regulations, and consumer
protection laws.
The USA PATRIOT Act, enacted in 2001, added new due diligence requirements for
banks under the Bank Secrecy Act (BSA). Section 326 of the Act requires banks to
establish and maintain a Customer Identification Program (CIP). At a minimum, financial
institutions must implement reasonable procedures for: (1) verifying the identity of any
person seeking to open an account, to the extent reasonable and practicable; (2)
maintaining records of the information used to verify the person's identity, including
name, address, and other identifying information; and (3) determining whether the
person appears on any lists of known or suspected terrorists or terrorist organizations
provided to the financial institution by any government agency. The purpose of the CIP
is to enable banks to form a reasonable belief that they know the true identity of each
customer. In its most basic form, knowing one's customer serves to protect banks from
the potential liability and risk of providing financial services to a customer engaged in
fraudulent and unlawful activity. In addition, but no less important, it provides another
level of protection to the general public against illegal activity (including terrorist
financing and money laundering), since banks are a gateway to the financial system.
Knowing your customer also involves ongoing monitoring of your customer base for
signs of potential illegal activity, and when necessary, requires filing Suspicious Activity
Reports (SAR) when banks believe a customer has engaged in a potential illegal
activity. Regulatory guidance requires financial institutions to have a Customer Due
Diligence (CDD) program that enables the institution to predict with relative certainty the
types of transactions in which a customer is likely to engage. The CDD program assists
the financial institution in determining when transactions are potentially suspicious, so
that it can carry out suspicious activity reporting obligations. Banks, bank holding
companies, and their subsidiaries are required by federal regulations, issued pursuant
to the Annunzio-Wylie Money Laundering Suppression Act of 1992 to file a SAR with
respect to:
Criminal violations involving insider abuse in any amount.
Criminal violations aggregating $5,000 or more when a suspect can be identified.
Criminal violations aggregating $25,000 or more regardless of a potential
suspect.
Transactions conducted or attempted by, at, or through the bank (or an affiliate)
and aggregating $5,000 or more, if the bank or affiliate knows, suspects, or has
reason to suspect that the transaction
May involve potential money laundering or other illegal activity (e.g., terrorism
financing).
Is designed to evade the BSA or its implementing regulations.
Has no business or apparent lawful purpose or is not the type of transaction that
the particular customer would normally be expected to engage in, and the bank
knows of no reasonable explanation for the transaction after examining the
available facts, including the background and possible purpose of the
transaction.
TPPPs are bank customers that provide payment processing services to merchants and
other business entities, and they often use their commercial bank accounts to conduct
payment processing for their merchant clients. TPPPs are not subject to Bank Secrecy
Act or anti-money laundering (BSA/AML) requirements, and therefore are not required
to have customer identification programs, conduct customer due diligence, engage in
suspicious activity monitoring, or report suspicious activity to federal authorities. As a
result, some processors may be vulnerable to money laundering or other illegal
transactions. It can be challenging for banks to monitor these accounts for suspicious
activity, because TPPPs may have relationships with hundreds or even thousands of
merchant clients for which they initiate transactions.
When a bank fails to identify and understand the nature and source of the transactions
processed through an account, the risks to the bank and the likelihood of suspicious
activity can increase. Accordingly, interagency regulatory guidance, which was first
issued in 2005 and updated in 2010 and 2014, encourages banks offering account
services to TPPPs to develop and maintain adequate policies, procedures, and
processes to address risks related to these relationships.1
the financial institution in determining when transactions are potentially suspicious, so
that it can carry out suspicious activity reporting obligations. Banks, bank holding
companies, and their subsidiaries are required by federal regulations, issued pursuant
to the Annunzio-Wylie Money Laundering Suppression Act of 1992 to file a SAR with
respect to:
Criminal violations involving insider abuse in any amount.
Criminal violations aggregating $5,000 or more when a suspect can be identified.
Criminal violations aggregating $25,000 or more regardless of a potential
suspect.
Transactions conducted or attempted by, at, or through the bank (or an affiliate)
and aggregating $5,000 or more, if the bank or affiliate knows, suspects, or has
reason to suspect that the transaction
May involve potential money laundering or other illegal activity (e.g., terrorism
financing).
Is designed to evade the BSA or its implementing regulations.
Has no business or apparent lawful purpose or is not the type of transaction that
the particular customer would normally be expected to engage in, and the bank
knows of no reasonable explanation for the transaction after examining the
available facts, including the background and possible purpose of the
transaction.
TPPPs are bank customers that provide payment processing services to merchants and
other business entities, and they often use their commercial bank accounts to conduct
payment processing for their merchant clients. TPPPs are not subject to Bank Secrecy
Act or anti-money laundering (BSA/AML) requirements, and therefore are not required
to have customer identification programs, conduct customer due diligence, engage in
suspicious activity monitoring, or report suspicious activity to federal authorities. As a
result, some processors may be vulnerable to money laundering or other illegal
transactions. It can be challenging for banks to monitor these accounts for suspicious
activity, because TPPPs may have relationships with hundreds or even thousands of
merchant clients for which they initiate transactions.
When a bank fails to identify and understand the nature and source of the transactions
processed through an account, the risks to the bank and the likelihood of suspicious
activity can increase. Accordingly, interagency regulatory guidance, which was first
issued in 2005 and updated in 2010 and 2014, encourages banks offering account
services to TPPPs to develop and maintain adequate policies, procedures, and
processes to address risks related to these relationships.1