|
Overview
With
the passage of the USA PATRIOT Act and various implementing
regulations, a confidential document, known as the Control
List, is making the headlines. Although it has been
around for over a year, many in the financial services
industry are unfamiliar with the Control List and confused
as to how to respond.
This article will attempt to eliminate that confusion
by answering some common questions regarding compliance
with the Control List.
Common
Questions and Answers
What
exactly is the Control List?
The
Control List is a confidential document produced by
the Federal Bureau of Investigation (FBI). The List
was compiled by various federal law enforcement agencies
conducting investigations into terrorist activities.
It consists of names and identifying data for individuals
and entities that these agencies believe may be related
to their investigation.
How do I obtain a copy of the Control List?
The
Control List is distributed to financial institutions
through their respective federal banking regulator.
The Control List is deemed highly confidential and is
not, therefore, a "public list" that may be
accessed via the Internet or other sources.
In
response to the September 11, 2001, attacks, the FBI
initiated a proactive campaign to ensure that all institutions
receive a copy of the Control List. In October of 2001,
the FBI provided the Control List to all financial institution
regulators. The regulators, in turn, forwarded the List
to financial institutions under their supervision once
the financial institution "registered" with
its respective regulator. Financial institutions were
given until October 12, 2001, to provide their regulator
with the name of a senior level person as the contact
for the Control List, that person's title, telephone
number, and e-mail address. Upon receipt of this registration
information, the regulators e-mailed a copy of the Control
List to the institution. Subsequent updates to the List
have also been submitted to the financial institution
contact person through e-mail.
If
your institution has not yet registered and has not
received a copy of the Control List, it is important
that you contact your regulator and ask for instructions
on how to proceed.
What
does the Control List require?
Once
the Control List is received, institutions are asked
to check their records and determine whether any of
the individuals or entities on the List have or have
had any transactions or relationships with your institution.
Institutions should review their records for the time
period beginning January 1, 1996, through the present.
If you are able to easily search records on file earlier
than 1996, you are asked to do so. In your search, be
sure to check all account files, wire and book transfer
records, automated clearing house transaction records,
credit records, and loan/mortgage documentation. In
looking for matches, institutions are asked to err on
the side of reporting. However, if the match only reflects
a portion of the name, such as the last name, and the
other parts of the name, such as the first and middle
names, are sufficiently different from the name on the
Control List, you do not need to report this as a match.
If a match is found, you are asked to promptly send
an e-mail message to suspicious.accounts@ny.frb.org.
You are not to give out any additional information at
this time, such as names, account numbers, balances,
etc. Also, do not submit negative responses; in other
words, the fact that you did not find any matches. The
goal here is for the government to respond quickly to
potential problems. Uninformative e-mails simply clog
the system. If the government chooses to pursue the
information provided by your institution, it will obtain
a subpoena for the relevant customer records. To facilitate
service of a subpoena, your are asked to include in
your e-mail message the name, address, telephone number,
fax number and e-mail address of the person at your
institution who is authorized to accept service of the
subpoena. You should also indicate whether you will
agree to accept service by fax.
Finally,
the search for names on the Control List is currently
a one-time search and not an ongoing search as to existing
account holders. However, in light of customer identification
program requirements under the USA PATRIOT Act (see
discussion below), institutions may in the future be
required to compare the names of new account holders
against the Control List prior to account opening. Also,
keep in mind that your regulator may periodically e-mail
you supplements to the original Control List. Supplements
to the List will only include new information or corrections
to previous Lists. Upon receipt of a List supplement,
you only need to search existing account holder records
for matches on the supplement. You are not required
to conduct another full search of the original Control
List or previous supplements.
In
addition to the Control List requirements, a suspicious
activity report (SAR) may be triggered. If you are aware
of any suspicious activity related to any of the names
on the Control List, you should file an SAR by contacting
the FinCEN financial institution hotline at 1-866-556-3974
as well as submitting a written report. Keep in mind
that the fact that there was a match on the Control
List is not in and of itself suspicious. A SAR is only
required if activity above and beyond a Control List
match is considered suspicious.
The
initial Control List released by the FBI in October
2001 contained between 300 and 400 names. Since manually
matching names from the List against account records
is a timely and costly process, you may want to consider
relying on a software provider to perform your search.
Must
employee access to the Control List be restricted?
Yes.
According to the Control List instructions, the List
and any updates are to be handled with the utmost of
confidentiality. In October of 2001, the regulators
requested the name of a contact person to receive the
Control List. This person is to be a senior level employee
who appreciates the sensitive nature of government investigations
and who will exercise appropriate discretion. Given
all of this, it seems that the Control List should not
be distributed institution wide. Institutions should
have procedures and security control measures in place
to limit employee access to the List. Unfortunately,
there have been cases involving unscrupulous bank employees
who use their position to conduct illegal activity.
To ensure that your institution stays in compliance
and is not used as a vehicle for fraud, it makes sense
to limit access to all information including the Control
List.
Is
the Control List the same as the OFAC list?
The
short answer is No. The Control List and the OFAC list
are not the same and cannot be used interchangeably.
The Control List is issued by the FBI, while the OFAC
Specially Designated National (SDN) list is issued by
the Treasury Department---two different government agencies
with two different mandates. The Control List is only
available from your regulator while the OFAC SDN list
is a public document that may be accessed via the OFAC
web site. A match on the Control List requires notification
to the government while a match on the OFAC list requires
either blocking or rejecting the transaction depending
on the individual or entity involved. Furthermore, you
cannot tell someone they are on the Control List; however,
it is permissible to tell a person they are on the OFAC
list. Also, you should not automatically close an account
if there is a match on the Control List. Any directives
regarding further action on the account will be specified
in a subpoena. A match on the OFAC list requires you
to take action on the account and either block or reject
the transaction. Finally, unless subpoenaed by the government,
you have no record keeping obligations with respect
to matches on the Control List, whereas a match on the
OFAC list triggers extensive record keeping requirements.
Although
the government has indicated they are working on consolidating
the various lists financial institutions must review,
that consolidation has not happened yet. Until such
time, it is important to deal with each List individually
and respond appropriately.
How
does the USA PATRIOT Act impact the Control List?
There
are a couple of sections under the USA
PATRIOT Act where the FBI Control List may come
into play. First is Section
326 and the requirement that institutions determine
whether the customer appears on any list of known or
suspected terrorists provided by any federal government
agency prior to opening an account. The Control List
is one list that may fall within this category. Although
there are rumors of a delay, the Section 326 requirements
are slated to become effective on October 26, 2002.
Another
section of the USA PATRIOT Act that implicates the Control
List is Section
314(a), which addresses sharing information with
the government. Final regulations implementing section
314 (a) were issued on September 26, 2002, and may,
at some point, involve the Control List. The Section
314 provisions permit other federal law enforcement
agencies to request that FinCEN solicit information
from a financial institution. Upon receipt of an information
request from FinCEN, the financial institution must
search its records to see if it has maintained any accounts
for anyone named in the request. If a match is found,
the institution must report back to FinCEN and provide
information pertaining to the identity of the accountholder.
At this time, the Control List is not being distributed
through FinCEN; however, with the Section 314(a) process
in place, we may see modifications in how the List is
disseminated down the road.
Conclusion
A
search of the FBI Control List will be a part of everyday
life when it comes to establishing and maintaining account
relationships. To ease the burden in reviewing multiple
lists, the government is looking into ways to streamline
the process. However, until further action by the government,
individual list requirements and directives need to
be complied with. Now is the time to verify that your
institution has detailed procedures and adequate tools
in place for handling the Control List.
For
additional questions regarding compliance with the Control
List, please contact your primary regulator (FDIC,
NCUA,
FRB,
OCC,
OTS).
Back
to Top
|
