Originally published in CU Insight
By Brandy Bruyere, NCCO, Vice President of Regulatory Compliance, NAFCU
Since the passage of S.2155 (the Economic Growth, Regulatory Relief and Consumer Protection Act) in May 2018, many credit unions have wondered about a particular provision – section 213, titled "making online banking initiation legal and easy."
As background, S.2155’s ID retention provision was first introduced as part of the MOBILE Act (which was never passed) and later tacked on to S.2155. Some credit unions were having a hard time offering online account opening services because the copying or scanning of a member’s personal identification was prohibited by a state law. Section 213 attempts to overcome these hurdles and preempts any directly conflicting state law provision, thus allowing credit unions the ability to serve their e-savvy members.
However, the wording of this law seems to indicate that, when opening accounts online, it is a requirement to delete a copy or image of a member's identification card after using that copy for one of the following:
- Verifying the person's identity;
- Verifying that the identification card is authentic; or
- Complying with a legal requirement to record, retain or transmit personal information in connection with opening an account (e.g. the Bank Secrecy Act's customer identification program requirements).
Unfortunately, section 213 has caused quite the stir because a plain reading of the deletion section seems to indicate that unless a law requires the credit union to keep a copy or image of a member’s ID, the credit union would have to permanently destroy this copy/image after using it for one of those three purposes.
BSA Requirements for Record Retention
So, to what extent might the requirement to delete copies of IDs actually disrupt credit unions' processes, and what would be the penalty for being deemed non-compliant because an ID was kept on record?
As a starting point, section 213 is a freestanding provision, meaning it does not amend a pre-existing statute or framework. It is not clearly incorporated into an existing part of the US Code that addresses issues like civil liability, regulatory authority and enforcement. This may be because, from our discussions with staffers on Capitol Hill who worked on this particular section, the aim was to make online account opening easier. In other words, it does not seem to be a statute with stand-alone penalties.
Section 213 also does not specifically require any regulator to exam or enforce the bill. We would hope that regulators may provide clarification, such as FinCEN perhaps addressing how section 213 interplays with a customer identification program (CIP). However, the BSA rules do not mandate keeping copies, just recording a description of the documents relied upon when using documentary methods.
Many credit unions indicated that they retain copies of IDs to assist in verifying members' identities on an ongoing basis, such as when they come to branches to make withdrawals. Some also indicate retaining copies of IDs as part of their BSA CIP program, asking whether this would allow retaining the record.
However, the BSA does not explicitly require retaining the records. Section 1020.220 of the BSA only requires credit unions to “record a description of any documents that were relied on, noting the type of document, any identification number contained in the document, the place of issuance and, if any, the date of issuance and expiration date" rather than the scanning or copying of a member’s ID.
For those reasons, if the account, service or product requested online requires the member’s ID for verification purposes, it seems that the plain reading of section 213 would require permanently deleting this record after using it for those purposes. This seems to create operational challenges, but is this what Congress intended?
S.2155 Not Intended as a Roadblock
The good news is that NAFCU’s legislative affairs team raised this issue during consideration of the bill and we were informed Congress was reading the legislative language to mean credit unions can keep the member’s ID for as long as they need it for a valid purpose, such as for the credit union’s CIP, verification of identity or fraud prevention. Our team also sorted through section 213's legislative history to find the Congressional intent behind the destruction section and found that this was added to end the practice of selling consumers' personal information by financial institutions.
Additionally, keeping in mind the main Congressional intent was to make online account opening easier, it may be arguable that Congress did not want to affect the use of a member’s identification for other legitimate business purposes. For example, this part of the Congressional Record stresses that S.2155 was not intended to interfere with current operations of financial institutions, but to allow greater access to small banks and credit unions for consumers in underserved or unserved regions.
Section 213 Limited Only to Online Activity
On a separate note, section 213 only addresses online activity rather than accounts, services or products obtained by members in person at a credit union’s branch. However, it is important to note that some IDs can never be scanned or copied because of other laws such as the federal prohibition of photocopying US government/military identification cards. Additionally, it is generally a good practice to keep any copies of IDs separate from loan files because of fair lending concerns.
Finally, other limitations on the use of a member’s ID may come from your state law so the credit union may need to consult with local counsel regarding whether or not there are additional limitations to the scanning/copying of a member’s ID when opening an account physically at the branch.
NAFCU recently released and updated version of its S. 2155 Analysis of Regulatory Relief for Credit Unions. As this document notes, “conforming regulations may be necessary,” so we may have to wait for more guidance from either FinCEN as they set the regulatory requirements for CIP or from NCUA as they implement and examine FinCEN’s BSA requirements for credit unions. However, we are hoping the regulators note the legislative intent behind the bill when drafting any conforming regulations that could make this issue non-existent. NAFCU's compliance team welcomes inquiries from our members on this and other topics.
To read more by the NAFCU Compliance Team, see our blog.