Covering Required Training Subjects
by Mary Beth Guard, BOL Guru
There are five areas where a law or regulation mandates training for bank employees:
Expedited Funds Availability (Reg CC);
Bank Protection Act (physical bank security);
Anti-money laundering (BSA);
Customer Identification Program requirements (CIP rules);
Information Security (Interagency Guidelines for Safeguarding Customer Information).
So, what do you cover on each of these topics? Start with the five most important concepts for each and build from there. Customize the points to reflect your own institution's procedures and terminology. Make sure each affected employee understands the basic principles. We'll cover the five most important concepts for Reg CC next time. In this issue, we'll address the other four areas of required training.
Bank Protection Act
a. Vary your route to and from work in order to foil would-be hostage-takers.
b. Observe the "all clear" signal. If you don't see it, it's not safe to enter the bank. Follow the procedure for checking to see whether it was merely forgotten or is an indication that there is a real danger.
c. Be observant. Many times a robber will case a target institution in advance, trying to become familiar with the number of employees staffing the location, the physical layout, placement of surveillance videos, and presence of a security guard. If you see someone you think might be casing the joint, communicate that fact to your security officer.
d. In the event of a robbery, remain calm, follow instructions, try to keep the note, if possible, focus on characteristics of the robber that cannot easily be altered, and observe the getaway if you can.
e. If a robbery occurs and you are a witness, do not discuss any details with fellow employees, customers, or other third parties, as it may taint your recollection. Instead, you may want to make a few notes while the incident is fresh in your mind, while you wait for the FBI and/or police to arrive and conduct their questioning.
Anti-money laundering
a. There are over 20 types of suspicious activity that can trigger the need to file a Suspicious Activity Report if the dollar amount thresholds are met. Read over the SAR form. Familiarize yourself with these types of activity. Ask your BSA Officer if you aren't sure what some of the categories entail.
b. You should maintain an awareness of what is normal, typical, expected for a customer. If you see cash activity, wire transfers, and other transactions that cannot be explained by what you know of a customer's financial background or business, talk to your BSA Officer about it.
c. Beware of possible structuring. A little cash here, a little cash there. Does it look like the customer is attempting to evade the currency transaction reporting requirements?
d. SARs are secret. Avoid doing or saying anything that might directly or indirectly lead to the subject of a SAR becoming aware that a Suspicious Activity Report has been, or will be, filed.
e. Remember four things about Currency Transaction Reports. Their filing is triggered when there is a 1) deposit, withdrawal, exchange of currency, or payment; 2) in cash; 3) over $10,000; and 4) there is not an applicable exemption for the customer.
Customer Identification Program requirements
a. Prior to opening the account, your institution must gather 4 pieces of information from all individual customers on the new account - not just the primary owner or borrower or renter. Three pieces of information must be obtained prior to opening an account for an entity. Name, address, and identifying number on every customer, plus date of birth on individuals. There is no wiggle room, except in the case of an applied-for TIN, and even there you have to get documentation that it has been applied for and you must follow up.
b. The identity of each new customer must then be verified. The rule says verification must occur within a reasonable time after the account is opened (or sooner, if your CIP requires sooner). What does your bank's CIP say about the timing?
c. You can utilize whatever flexibility your CIP gives you to verify the identity of the customer (it probably gives you multiple alternative methods), but you cannot waive CIP requirements.
d. There are two special situations you may encounter, and you need to know what your bank's CIP requires you to do for each of them:
1. What does your CIP say about the circumstances under which you must obtain the 4 or 3 pieces of information and verify the identity of an existing customer who comes in to open a new account? [Please note: Former customers who open a new account are subject to the same requirements as a stranger. There is only wiggle room when it comes to existing customers.]
2. What are you supposed to do when a new customer cannot provide an unexpired, government-issued picture ID, if that's how your CIP says you are supposed to verify the identity of individual customers?
e. Know who the customer is for CIP purposes, and understand that in some instances it will be different from who is considered to be the customer for purposes of IRS reporting and account styling. Two examples of differences: Where an account is being opened on behalf of an organization which is not a legal entity, the customer for CIP purposes is the individual opening the account for the organization. (For account styling and IRS reporting purposes, however, the name you use will be the name of the organization and you will use the organization's TIN.) Another example is that when an account is being opened by an individual on behalf of an individual who lacks legal capacity, the customer, for CIP purposes, is the individual opening the account. (For account styling purposes and IRS reporting, however, the individual who lacks legal capacity, who is the owner of the funds, will be listed as the owner, and that person's SSN would be used as the TIN.)
Information Security
You have an obligation to safeguard customer information. That means you must observe your bank's administrative, technical and physical safeguards for customer data.
a. Procedures are there for a reason. Do not deviate from them.
b. There are four risks to customer information that you need to constantly guard against:
1. alteration;
2. destruction;
3. unauthorized disclosure; and
4. misuse
c. Trust, but verify. Social engineers and pretext callers will use all kinds of ruses and plausible-sounding stories to try to get you to give them information or access. They will lie and pose as a customer, another banker, a law enforcement official, a regulator. They will spin dire tales of woe and hardship. Don't make assumptions, and take nothing for granted. No one is who they say they are or from where they say they're from until they prove it under your procedures.
d. Know your procedures inside and out. That includes knowing your bank's logical access controls (including password rules and call verification procedures), physical access controls, and incident response protocol. Follow your internal rules for dual control and separation of duties.
The original version appeared in the September 2003 edition of the Oklahoma Bankers Association Compliance Informer.