Footnote 49 in the Exam manual both refers to the Q & A and mirrors its content:
A bank may keep photocopies of identifying documents that it uses to verify a customer’s identity; however, the CIP regulation does not require it. A bank’s verification procedures should be risk-based and, in certain situations, keeping copies of identifying documents may be warranted. In addition, a bank may have procedures to keep copies of the documents for other purposes, for example, to facilitate investigating potential fraud. However, if a bank does choose to retain photocopies of identifying documents, it should ensure that these photocopies are physically secured to adequately protect against possible identity theft. (These documents should be retained in accordance with the general recordkeeping requirements in 31 CFR 103.38.) Nonetheless, a bank should be mindful that it must not improperly use any documents containing a picture of an individual, such as a driver’s license, in connection with any aspect of a credit transaction.
Any criticism offered in an audit should properly reflect these concerns; i.e. the simple fact that ID is being copied is not an adequate basis for criticism.
_________________________
In this world you must be oh so smart or oh so pleasant. Well, for years I was smart. I recommend pleasant.