Skip to content

Requirement to Look at FBI List

Question: 
We have software that can be used to run our customer base against not only the OFAC list, but also a more expansive list. The name list that the software contains in addition to the OFAC list, is an FBI list. My question is this, is the bank required, by any law/regulation/statute, to review any matches other than OFAC list matches? The matches we have appear to be simply common name matches, but obviously I don't want to be out of compliance.
Answer: 

Answer by Andy Zavoina:

There is no requirement for this. OFAC and any 326 lists for CIP will have stated requirements as do 314(a) checks on existing/past relationships. The last list immediately coming to mind is that of those past due on child support. FBI and others may be advantageous for knowing your customer, but they are not required by law. (Ensure you are not violating an internal policy if you stop.)

Answer: 

Answer by Ken Golliher:

Andy is correct, but this hits an emotional nerve with me, so feel free to discount my response somewhere between 5 and 95 percent. If the vendor is including lists other than OFAC; e.g., the FBI's Most Wanted, I would tell them in terms they would understand to take them out.

As for why, here's a repeat of what I posted here in August of last year, when the control list was still alive and before any of us realized 314(a) would be interpreted as allowing "e-mail searches" of customer lists:

...your vendor is overzealous to the point it may put you in the soup. The civil libertarians' "slippery slope" argument against requiring banks to search their records for people on the "control list" is that it is an unreasonable search lacking probable cause. They would argue that such a mechanism might be justified by national security, but its danger is that it could easily be expanded to look for people who are not the equivalent of "terrorists" and that the risk of its expansion might outweigh its value as a law enforcement tool. Your vendor has just proven that the argument is not ridiculous.

If you get a "hit" on the control list and report it, the Patriot Act regulations are designed to protect you -- it is a disclosure you are required by federal law to make and, thus, an exception to the RFPA.

However, if you get a hit on someone with the same name as an alleged ax murderer in Kansas and you report it, your best justification is that it was a voluntary SAR. It's a thin argument that I would not want to be stuck with just because a vendor's employee decided to enhance the data. I would tell them to take it out.


As of today, there is a Richard Goldberg on the FBI's most wanted list. He's a pedophile. (No one wants to know what I think should be done to pedophiles.) In our local phone book there are two Richard Goldbergs. Which one do you think it is, the one on Third Street or the one on Arapaho Road? Maybe it's the Richard Goldberg who opened an account with you this morning. Maybe it is not.

I've dealt with banks who have gotten "hits" of this kind and they are simply in no man's land as for what is an appropriate response.

I can't control the government's decisions except by voting, but heaven help me if I can't control a vendor.

First published on BankersOnline.com 10/6/03

First published on 10/06/2003

Filed under: 
Filed under security as: 

Banker Store View All

From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

Banker Store

hot right now

image description

Looking for effective, convenient training on a particular subject?

BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

Search Topics