CIP - Excluding a "Person with an Existing Account"
By BOL Guru Ken Golliher Opinions expressed are those of the author.
On and after October 1, 2003, when a "customer" opens a new account of any type (loan, deposit, safe deposit etc.), Customer Identification Program (CIP) regulations require financial institutions to:
provide a disclosure,
check a new government list and
The new requirements are part of the Bank Secrecy Act (BSA) record retention requirements.
However, the definition of "customer" does not include "…a person that has an existing account with the bank, provided that the bank has a reasonable belief that it knows the true identity of the person." In effect, the regulation does not require performance of the five activities when a person with an existing account opens a new account. However, the exclusion is very pointedly conditioned on the bank's "…reasonable belief that it knows the true identity of the person."
It is fair to assume that the exclusion was included in good faith; regulators expect some banks to use it. However, identity verification procedures are to be "risk based." So, it is also fair to assume that a bank cannot simply make an unsupported and self serving assertion that it knows the true identity of all customers with existing accounts. Examiners will expect to be able to review the bank's assessment of any risk the exclusion might represent and to see the exclusion outlined in the bank's written CIP.
Neither the regulation nor the supplementary information accompanying it provide any guidance as to what might give the bank a "reasonable belief" that it "knows the true identity" of a person who has not made a prior trip through the bank's CIP gauntlet. Regulators have promised additional guidance on the regulation in general, but not specifically on this point. In the absence of official pronouncements, banks need to fashion their own rationale for excluding persons with existing accounts from the CIP drill.
Persons with Existing Accounts as of October 1
Some banks have major public relations concerns over asking existing customers for identification in connection with new accounts. At some point, those banks should conduct an honest self-examination regarding whether those perceptions are well founded. Specifically, are the concerns more accurately attributed to customer reluctance to provide identification or employee reluctance to ask for it?
In any case, bankers' complaints about asking existing customers for identification prompted regulators to remove a proposed requirement that existing customers opening new accounts would have to establish their identity. In its place, the draftsmen substituted the exclusion for persons with existing accounts. However, by conditioning it on the bank's reasonable belief that it knows the true identity of the person, they created the conundrum: How can a bank have a reasonable belief that it knows a customer's identity if it has never verified the customer's identity?
There appear to be two working philosophies banks can use to exempt persons with existing accounts on and after October 1. One option is to exclude customers with existing accounts from CIP on a case-by-case basis because they meet objective criteria. Alternatively, they can attempt to exclude their entire customer base as of the effective date, based on a combination of prior practices and logical verification.
The case-by-case approach might rely on a previously existing BSA concept:
31CFR103.11(l) Established customer. A person with an account with the financial institution, including a loan account or deposit or other asset account, or a person with respect to which the financial institution has obtained and maintains on file the person's name and address, as well as taxpayer identification number (e.g., social security or employer identification number) or, if none, alien identification number or passport number and country of issuance, and to which the financial institution provides financial services relying on that information.
On this tack, banks would waive the CIP procedures for established customers, perhaps describing the concept in their written CIP as: "If an account is being opened in the same name(s) as an existing account and the central information file for the existing account contains physical addresses and identifying numbers for each customer, it is not necessary to conduct identity verification procedures. Should any element of the information be missing, e.g. one of the owners of a new multiple party account is a new customer or records do not include a physical address or a taxpayer identification number, all routine identity verification procedures are to be followed for that person.
Use of this definition as the basis for waiving verification for a new account is not a perversion of existing BSA concepts. First, under current regulations, a bank is not required to record identification in connection with a funds transfer for an "established customer." Waiving identification for additional accounts relying on the same concept is merely consistent with this long standing waiver. Second, CIP regulations require the bank to obtain the name, date of birth, address and identifying number for an individual. From this list, the "established customer" definition omits only the date of birth as a requirement for an individual. For an entity, the core information required is identical to that required by CIP.
The drawback of the case-by-case approach is that it requires employees opening accounts to review existing information for adequacy. The process is not foolproof and it is possible that employees occasionally may not realize information is missing when the new account is opened; e.g. the customer's prior relationships have been on loans or safe deposit boxes where the bank did not record a taxpayer identification number and the employee opening a checking account failed to note its absence. Any failure to follow the bank's policy would be cited as a violation of BSA's record retention requirements.
Obviously, it would be much easier to just issue a blanket exemption to all persons holding an existing account as of October 1, 2003. In large part, the ability to make a convincing claim that the decision is risk based depends on the bank's prior identification practices. (For many banks, CIP will only add inflexibility to their identification process, not more steps; they already require more than the pending regulation does.)
So, assume an imaginary bank, "Omega National," currently requires two pieces of identification, at least one of which is "primary" identification to open a deposit account and it records the descriptive information from both. In addition, it pulls a consumer report, either from a negative data base or a credit bureau, on every new individual customer. Business customers are required to provide government issued evidence of existence; e.g. licenses, listings on the Secretary of State's web site, etc. A thank you note is mailed to an individual customer's physical address within 24 hours of account opening and an officer call is made to the premises of any new business customer within 3 days of account opening. Omega has had these procedures in place for 3 years.
On the lending side, Omega's loan officers have been expected to look at photo identification for new customers, but they have not consistently recorded the information. However, the bank has a strict policy that lenders are to pull a consumer report on every application from individual borrowers. It also requires a financial statement on all business borrowers and insists they provide a current statement annually. These practices have been in place for more than five years. (Omega National does not have a trust department and does not rent safe deposit boxes to non customers.)
When Omega performs the self assessment required by CIP regulations it determines that its existing practices only need to be tweaked. The major substantive change is that lenders will be required to see primary identification from new borrowers and record the descriptive information. In effect, the bank has an excellent argument that it does know the "true identity" of any customer who opened an account in the last three years - its new procedures are only slightly more stringent than those it previously had in place.
However, the bank has been in existence for 75 years; there are many customers for whom there is no identification on file. Based on the absence of conventional documentary and nondocumentary verification for a substantial part of its customer base, the bank may need to turn to an argument based on "logical" verification.
The supplementary information accompanying both the proposed and the final regulation referred to logical verification as a subset of nondocumentary verification. The examples used there relate to the consistency of the information; e.g. is the date of issuance for the SSN consistent with the date of birth. Clearly, logical verification can encompass additional connections between existing facts.
For example, the customer who has banked with Omega for 30 years has never been subjected to standard verification methods. Yet, statements mailed to his house for three decades have never been returned. So, it is logical to assume that the name and address are correct. In addition, information returns sent to the IRS showing his Name/TIN combination have yet to generate a "B Notice," a formal notification from the IRS that they do not go together. Apparently, both are correct.
As is often the case, Omega's prior identification techniques on the lending side are a little weaker. In addition, fewer mailings are routinely made in connection with loans and fewer loans are subject to information reporting. But, what generates greater logical verification of identity than the simple fact that the person Omega loaned the money to is paying it back?
Clearly, it is much easier for the bank if it can exempt all persons with existing accounts from CIP. The best basis for claiming a blanket exemption for all existing customers is the prior existence of strong identification and verification practices. The critical component of the decision is that the bank must show it has actively, objectively assessed the risks involved.
New Customers Beginning October 1
In the long run, it will be more important for some banks to design a CIP where, beginning October 1, once a customer's identity has been verified, the bank will not repeat the CIP drill every time a new account is opened.
For example, if a new customer obtains an installment loan on October 1, the bank will follow its CIP procedures. If the person returns 10 days later to open a checking account the bank can 1) repeat the drill in its entirety or 2) create a mechanism where the customer is recognized as a person with an existing account and forgo obtaining the information and verifying identity a second time. The interval used in the example, 10 days, is intended to suggest that it would not be productive to repeat the process.
Yet, for reasons relating generally to ease of administration, some banks will repeat their CIP routine every time a person opens a new account, regardless of whether the person's identity has been previously verified. Their decision may be due to their size; the lack of reliable cross-referenced central information files; relative costs; or just the ease of training contact personnel. In effect, these banks will not use the exclusion. Obviously, if they do not intend to use it for customers opening accounts after October 1, they will not use it for customers whose existing accounts were opened prior to that date.
In the alternative, some banks will create a mechanism which allows them to run CIP only once per customer. They will need to establish a bank-wide "marker" noting that CIP has been performed. For example, a simple indicator on a person's customer information file could say, "Identity Verified." A check in that field would indicate to the customer service representative opening the second account in the above example that the person's identity was verified according to the bank's CIP when the installment loan was made. So, it is not necessary to do it again.
In making the earlier installment loan, the bank would already have the required information: name, address, DOB and identifying number. Its only concern would be to assure that the record retention requirements are met; i.e. now the information must be kept five years after the checking account is closed or after the loan is paid off, whichever is longer. (Record retention requirements are at the individual account level.)
To exercise the option, banks would describe it in their written CIP; e.g. "Customers whose identity has been previously verified in accordance with the bank's Customer Identification Program are not required to have their identity verified when opening a new account. The person opening the account is to rely on an indicator in the 'Identity Verified' field of the person's central information file in making this determination." Please note the obvious necessity for coordinating this language with the language used on accounts opened prior to October 1, 2003. Instead of referring to customers "whose identity has been previously verified" the policy could repeat the reference to "established customer."
Any person who has been properly identified under CIP automatically meets the definition of an established customer.
The presence of a reliable indicator that identity has been previously verified or this person is an established customer plus a clear exclusion in the written CIP addresses the compliance issues. However, the employee opening the checking account in the above example still has a problem. Assuming the employee does not know the customer, how does he or she know the person who wants to open the checking account is the really the same one who took out the installment loan? Requiring identification will probably remain an essential component of the process, regardless of the fact that the bank decided to omit the bulk of its verification procedures for customers with existing accounts.
Not all banks will attempt to take advantage of the exclusion for customers with existing accounts; some will say the administrative effort outweighs the benefits. Others will focus on reducing the administrative effort to its natural minimum, but they will make use of the exclusion. Since the verification process is to be risk based, a bank should be entitled to significant latitude in its decisions, as long as it can demonstrate it assessed the risks.
Copyright, 2003, Bankers Online. First published on BankersOnline.com 06/03/03.
BankersOnline is a free service made possible by the generous support of our advertisers and sponsors. Advertisers and sponsors are not responsible for site content. Please help us keep BankersOnline FREE to all banking professionals. Support our advertisers and sponsors by clicking through to learn more about their products and services.