Overview

The federal regulatory agencies have released interagency guidance to assist the banking industry in complying with the Customer Identification Program requirements under Section 326 of the USA PATRIOT Act. This guidance, in the form of frequently asked questions (FAQ), is not intended to answer every compliance question, but does shed some light on examiner expectations. The following article will address a few of the regulatory interpretations provided in the FAQ.

Risk-Based Procedures

In their FAQ, the regulators again emphasize that four letter word “risk." Every organization, regardless of size or charter, is expected to implement Bank Secrecy Act (BSA) policies and procedures that address its risk for money laundering activity. To measure risk, institutions must evaluate the types of accounts offered and maintained, methods for opening accounts, their size and location, and their customer base. Based on this assessment, institutions can then develop policies and procedures to manage the risk identified.

For CIP purposes, areas of heightened risk need to be met with more stringent identification/verification practices. Compliance under Section 326 doesn’t follow a one size fits all approach. The law sets out minimum requirements, including the four basic pieces of identifying information to request from a customer:  name, address, taxpayer identification number (TIN) and date of birth if working with an individual. The key word here is minimum. Areas of potential risk for knowing the true identity of the customer will necessitate asking for more information and taking the verification process a step further.

Banking Subsidiaries

There has been some confusion over whether the CIP regulation applies to subsidiaries. According to the FAQ, the CIP does not apply to your foreign subsidiaries located outside of the U.S. In addition, the CIP rules do not apply to nonbank subsidiaries. The CIP requirements do, however, apply to bank subsidiaries. Entities that function as operating subsidiaries are subject to the same regulatory requirements as their parent bank. So, for example, a mortgage company that is an operating subsidiary of a bank would need to comply with all of the requirements under the Bank Secrecy Act, including the CIP rules. See 12 CFR 5.34 (OCC rule) and 12 CFR 559.3(h) (OTS rule).

Definition of “Customer”

The FAQ spends a fair amount of time discussing which party the CIP should be applied to when dealing with third party types of accounts. For accounts opened by someone with power of attorney, the application of your CIP depends on whether the true owner of the account has legal capacity. If an account is opened on behalf of a competent person, then the person with power of attorney is simply an agent and the CIP should be applied to the party on whose behalf the account is being opened. If the person with power of attorney is opening an account on behalf of a person who lacks legal capacity, then the person with power of attorney is considered the customer for CIP purposes.

With respect to accounts opened by a minor, it is important to recognize that the CIP regulations do not prohibit a minor from holding an account. Your state law and bank policy will dictate whether minors are permitted to open a deposit account. For CIP purposes, if the minor opens the account, then the minor is the customer. If an account is opened on behalf of a minor, such as under a Uniform Gifts to Minors Act statute, then the customer is the individual opening the account on behalf of the child.

Existing Customers

The CIP regulations generally apply to customers opening new accounts. The term “customer” does not include those persons who have an existing account with you if you have a reasonable belief that you know the true identity of that existing customer.The existing customer exception has raised questions regarding how to handle loan renewals or certificate of deposit (CD) rollovers. Each time a loan is renewed or CD is rolled over, a new account is opened. However, that new account is with an existing customer. So, as long as you have a reasonable belief that you know the true identity of that existing customer, you will not be required to apply your CIP when a loan is renewed or a CD is rolled over.

The issue regarding existing customers is perhaps more troublesome when working with customers with existing relationships established prior to the implementation of the CIP regulations. When opening new accounts in this situation, you will need to determine whether your account opening/know your customer procedures were comparable to those outlined in the CIP regs. The FAQ provides a somewhat more relaxed standard for demonstrating that you know the true identity of an existing customer. According to the FAQ, this can be accomplished by showing the existence of an active and longstanding relationship as evidence by a history of account statements sent to the customer, loans made and repaid, and other services performed over a period of time. Keep in mind, this alternative may not be sufficient when doing business with those considered high risk. With higher risk customers and accounts, it is probably best to apply your CIP.

Customers Without a TIN

Although the CIP regs do not specifically state it, accounts cannot be opened for U.S. customers that do not have a TIN. The only exception is if the customer has applied for a TIN, you have confirmed an application has been filed before the account is opened, and the customer actually obtains a TIN within a reasonable amount of time after the account is opened. Practically speaking, very few institutions want to take on the babysitting responsibilities of the awaiting TIN process. The bottom line—be sure your organization has a policy for how it will handle those customers without a TIN.

Verification Standards

The FAQ addresses a number of issues regarding the verification of identification process. Under the law, you are required to verify the identity of those seeking to open an account using the identification information obtained at account opening. This requirement does not mean you need to verify the accuracy of each piece of information collected. The goal is to take the information and apply it using documentary or nondocumentary methods to the point you have a reasonable belief that you know the true identity of the customer.

Institutions are also questioning whether they can rely on just an employee identification card to verify identity. The FAQ reiterates that institutions must have procedures in place that outline what documents will be relied upon for verifying identity. However, it is the regulators’ expectation that institutions will use government-issued forms of identification for verification purposes. Other forms of ID can be used if they lead to a reasonable belief of knowing the true identity of the customer. In any event, the regulators encourage the use of multiple documents since many identification documents can be fraudulently created.

Finally, questions have arisen regarding business identities that cannot be verified using documentary or nondocumentary methods. If the identity of the business cannot be adequately verified, you will need to dig deeper and apply identification/verification procedures to the individual(s) with authority or control over the business account. This practice should also be followed when dealing with entities that pose a high risk for potential money laundering activity, such as money services businesses.

Government List

Back to Top