Plain English Reading of S.2155's ID Retention Provision
By Stephanie Lyon, Senior Regulatory Compliance Counsel, NAFCU
Since the passage of S.2155, the compliance team has received many questions regarding the use and retention of identification documents for accounts opened or financial services offered online. As background, this provision was first introduced as part of the MOBILE Act (which was never passed) and later tacked on to S.2155. Prior to the passage of this bill, many credit unions were having a hard time offering online account opening services as the copying or scanning of a member's personal identification was prohibited. As a federal law, the bill now preempts any state law that directly contradicts this provision thus allowing credit unions the ability to serve their e-savvy members.
Unfortunately, the bill has caused quite the stir because of language indicating credit unions are required to delete the copy or image of the member's personal identification after using it for one of the following purposes: (1) verify the identity of the individual; (2) verify the authenticity of the driver's license or personal ID; and (3) comply with a legal requirement to record, retain or transmit the personal information in connection with opening an account or offering a financial product/service such as the BSA's Customer Identification Program (CIP) requirements.
The plain reading of the deletion section of the bill seems to indicate that unless federal BSA laws require the credit union to keep a copy or image of a member's ID, the credit union would have to permanently destroy this copy/image after using it for one of the three purposes. And, as it stands, current BSA laws do not require the retention of a copy/image of the member's ID.
Section 1020.220 of the BSA only requires credit unions to "record a description of any documents that were relied on, noting the type of document, any identification number contained in the document, the place of issuance and, if any, the date of issuance and expiration date" rather than the scanning or copying of a member's ID. For those reasons, if the account, service or product requested online requires the member's ID for verification purposes, it seems that the credit union may now be required to permanently delete this record after using it for those purposes.
The good news here is that NAFCU's legislative affairs team raised this issue during consideration of the bill and we were informed Congress was reading the legislative language to mean credit unions can keep the member's ID for as long as they need it for a valid purpose, such as for the credit union's CIP. Our legal intern also sorted through the legislative history of the bills to find the Congressional intent behind the destruction section and found that this was added to end the practice of financial institutions selling consumers' personal information. The legislative history also did not indicate intent to upend use of this information for viable and legitimate business purposes.
Additionally, keeping in mind the main Congressional intent of the MOBILE Act was to make online account opening easier, it may be arguable that Congress did not want to affect the use of a member's identification for other legitimate business purposes aside from online account opening/verification such as fraud prevention. For example, this part of the Congressional Record stresses that S.2155 was not intended to interfere with current operations of financial institutions, but to allow greater access to small banks and credit unions for consumers in underserved or unserved regions.
NAFCU recently released its S. 2155 Analysis of Regulatory Relief for Credit Unions. As this document notes, "Conforming Regulations May Be Necessary," so we may have to wait for more guidance from either FinCEN as they set the regulatory requirements for CIP or from NCUA as they implement and examine FinCEN's BSA requirements for credit unions. However, we are hoping the regulators note the legislative intent behind the bill when drafting any conforming regulations that could make this issue non-existent.
On a separate note, the section discussed in this blog seems to be limited to online activity rather than accounts, services or products obtained by members in person at the credit union's branch. However, it is important to note that some IDs can never be scanned or copied because of other laws such as the federal prohibition of photocopying US government/military identification cards. Additionally, it is generally a good practice to keep any copies of IDs separate from loan files because of fair lending concerns. You can find our previous blog on this topic here. Finally, other limitations on the use of a member's ID may come from your state law so the credit union may need to consult with local counsel regarding whether or not there are additional limitations to the scanning/copying of a member's ID when opening an account physically at the branch.