Lending and Customer Identification Programs: An Introduction
By BOL Guru Ken Golliher
In the future, when a "customer" opens a new credit account or any other new extension of credit, Customer Identification Program (CIP) regulations will require lenders to:
provide a disclosure,
obtain information,
verify identity,
check a new government list and
retain records of the process.
Actually, the regulation affects all formal banking relationships, not just those related to lending. However, it creates lending compliance issues which are unlike those found in consumer protection laws. For example, all of the CIP regulations' requirements are equally applicable to business and consumer loans. Actually, the purpose of the loan is irrelevant to this regulation - it is about documenting the borrower's identity.
The CIP regulations implement section 326 of the USA PATRIOT Act and were effective on June 9, 2003. However, compliance is not mandatory until October 1, 2003.
The new requirements are part of the Bank Secrecy Act (BSA). BSA compliance is reviewed in safety and soundness examinations and affects the bank's CAMELS rating. The bank's CIP program must be in writing and, as a substantial amendment to its BSA policy, must be approved by the Board of Directors.
Disclosure or Notice Requirement
The disclosure or notice must be where it can be seen or read by the customer "before opening an account." The regulation includes the following sample language:
IMPORTANT INFORMATION ABOUT PROCEDURES
FOR OPENING A NEW ACCOUNT
To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver's license or other identifying documents.
Acceptable methods for providing the notice include oral statements, signs, handouts and including the language on applications.
In situations where an application is made from a web site, the notice can appear on the web site. When the bank engages in indirect lending; e.g. approves applications taken by a third party such as a car dealer, the bank remains responsible for providing the notice. In this circumstance, putting the disclosure on the application forms supplied to car dealers seems prudent. A similar approach may become common for credit card applications where there would be no other practical opportunity to assure the customer receives the disclosure "before" opening the account.
There are no specific requirements indicating the disclosure must be in a form the consumer can keep, that the typeface be of a certain size or that it must be separated from other disclosures.
Obtaining Information
Prior to opening the account, the bank is required to obtain specific information from customers including their:
name,
physical address (not a P.O. box), and
identifying number (for a U.S. person, that is a Social Security number or employer identification number).
For individuals, the lender must also obtain the:
date of birth.
There is a provision in the regulation that allows credit card issuers to obtain the customer's information from a third party rather than from the customer. In any case, obtaining the information is a condition of opening the account; failing to obtain the information is a violation of law. Under BSA's longstanding penalty provisions, a negligent failure to obtain the information can generate a $500 penalty per instance. A knowing or intentional failure inflates the amount to $1,000 per instance and creates the possibility of criminal penalties. In short, obtaining the information is not negotiable. (The bank is only allowed to create a temporary exception in its written policy for a customer who has applied for, but not received a taxpayer identification number, for example a new corporation or a new partnership.)
Verifying Identity
Customer identification programs must provide procedures where the lender can take the information the customer has provided and verify its accuracy against "documentary" or "nondocumentary" sources.
For an individual, documentary verification might consist of government issued, unexpired identification which includes a photograph. Nondocumentary verification could consist of a consumer report. For an entity, verification of identity can be accomplished by requiring copies of certified copies of articles of incorporation, business licenses, DBA certificates, checking the Secretary of State's web site, etc. (Resolutions on borrowing authority do not establish existence of the entity.) In any case, the verification tool is used as a control against which information supplied by the customer is compared.
The verification procedures are to be "risk weighted" based on specific factors spelled out in the regulation:
account type,
method of opening,
types of identification available, and
the bank's
size,
location, and
customer base.
In short: not all banks are expected to use the same verification procedures; different areas within the same bank may use different methods of verification and, no matter what methods of verification a bank chooses, it will be expected to show how its choices were driven by its risk assessment prior to the adoption of its CIP.
The regulations are neutral in terms of preferring one method of verification over another. However, the supplementary information accompanying the regulations clearly indicates that banks using documentary methods should consider requiring more than one form of identification. They also suggest that a combination of documentary and nondocumentary verification is preferred.
For example, for an in - person application, a bank's written CIP might require two pieces of identification for each customer, one of which must be the type of "primary" identification described above. The CIP might require that the package be completed with a credit report on the lending side and a report from a negative data base on the deposit side. Conceivably, a bank could design a program where identity is verified using one method for loan customers and a different method for deposit customers. (There may be a logic fault in a CIP that says a "risk based" analysis indicated that customer identities should be verified differently solely based on the type of account being opened.)
For an application that is not in - person, the CIP might direct the lender to use the consumer report as the control document for comparison to information contained in the application. The CIP might further enhance the process by the requiring the lender to speak directly to the borrower and ask questions about information contained in the consumer report that is not contained in the application. As this example indicates, there is no requirement that the bank use documentary verification; i.e. require photo identification in every circumstance.
These regulations are aimed at denying the use of the U.S. financial system to those involved in terrorist financing and money laundering. However, supplementary information accompanying the originally proposed regulation indicated a hope that the regulations would help reduce the incidence of the fastest growing crime in the U.S., identity theft. [audblog audio post by Mary Beth Guard on Identity clues found in credit reports: Don't miss them!"]
Loan guarantors are not seeking to open an account with the bank; i.e. they do not meet the definition of a "customer." Thus, for example, the bank is not required by law to obtain information and verify identity on the individual who provides a personal guarantee for a corporate credit. However, if it is this person who makes the loan bankable, the bank's underwriting policies may require more than the law does.
The regulations indicate that the verification of identity is to take place "…within a reasonable time after an account is opened…" It is difficult to imagine that a "risk based" analysis would allow a bank to verify identity after disbursing loan proceeds.
Checking a New Government List
Not the OFAC list, not the now defunct "control" list, but a completely new list of "known or suspected terrorists or terrorist organizations" must be checked within a reasonable time after the account is opened. To date, regulators have provided very little insight into how such a list might be established or when it will appear. Nevertheless, banks must provide for the list's review in their written CIP. Again, it is difficult to imagine that a "risk based" analysis would allow a bank to check a list of prohibited customers after disbursing loan proceeds.
Record Retention
Finally, the CIP must provide for record retention. The bank must retain the customer information; i.e. name, address, etc. for five years after the account is closed or, in the case of a credit card, becomes dormant.
The bank must retain verification related records for five years after the information is obtained. This component is limited to "descriptions" of:
any document relied on to establish identity;
the methods and results of any measures undertaken to verify the customer's identity; and
the resolution of any substantive discrepancy discovered.
The bank cannot rely on a procedural statement that it always obtains two pieces of identification and pulls a consumer report on each customer. If its CIP requires it, the bank's records must indicate that it obtained two pieces of identification and pulled a consumer report on this customer, but there is no requirement that it retain copies of its verification methods.
A proposed regulation would have required the bank to retain copies of any documents used to verify identity. The final regulation is satisfied with a "description" of those documents that includes "…the type of document, any identification number contained in the document, the place of issuance and if any, the date of issuance and expiration date."
The requirement to photocopy identification was deleted, partially to avoid overruling the laws in some states that prohibit photocopying drivers' licenses and perhaps in deference to Regulation B's phantom prohibition on copying photo identification.
Nevertheless, recent reports from the National Regulatory Compliance Conference indicate regulatory agencies may no longer support criticisms offered by individual examiners on this point. [See the 6/12 Compliance Briefing] However, the primary reason for deletion of the requirement to photocopy identification is probably the fact that so many of those filing comments on the proposed regulation complained about it vociferously.
Banks are currently exploring alternatives for organizing this information so it can be stored efficiently. Document imaging will undoubtedly become an even more attractive option to many banks. However, it is equally important to note which options are not desirable. Relying on the loan application as the method for retaining the information is one of those. Loan applications are generally subject to a relatively brief retention period. Relying on them for a secondary use that requires they be kept for five years after a loan is paid off is a significant compliance management error.
Under BSA's general record retention requirements records may be the originals, copies, or other reproductions. The records must also be accessible within a reasonable period of time.
Transfer Exception
If the bank obtains a loan through an acquisition, merger or purchase of assets it does not meet the definition of a new "account" and it is not necessary to perform CIP. Examples would include the purchase of participation loans and indirect lending where the term describes a situation where a car dealer has already made the loan and the bank purchases it from the dealer. In these cases, the loan is transferred to the bank - the borrower did not seek to open a new account with the bank. Again, underwriting policies may require more than the law does.
Current Borrowers
The regulation exempts a person that has "an existing account" from the definition of a customer if "…the bank has a reasonable belief that it knows the true identity of the person." In effect, it would not be necessary to obtain the customer's identification, verify identity, etc. in connection with a new loan. So, in the case of a customer with an existing account, the bank may create an exception in its CIP. However, that exclusion will be risk based and conditioned on more than an unsupported claim that the customer is "well known" to an individual lender. [See: "CIP - Excluding a 'Person with an Existing Account'"]
Conclusion
These new BSA regulations affect lending activities just like they affect the bank's other formal relationships. Lending personnel should be actively involved in helping design and implement the bank's CIP program and fully aware that verifying borrower identity has been elevated from a "policy" to "legal" requirement.
Copyright, 2003, Bankers Online. First published on BankersOnline.com 06/13/03.
BankersOnline is a free service made possible by the generous support of our advertisers and sponsors. Advertisers and sponsors are not responsible for site content. Please help us keep BankersOnline FREE to all banking professionals. Support our advertisers and sponsors by clicking through to learn more about their products and services.
Print Friendly!
Email This Article!
Discuss NOW!
