Skip to content
 

CIP Compliance Delayed

By Ken Golliher (Opinions expressed are those of the author.)

Already the grist for a Bankers' Thread, an October 11 press release from The Department of Treasury indicates that compliance with "Customer Identification Program" (CIP) requirements will not be mandatory on October 26. The press release does not say when final regulations will be published, nor does it say when compliance with their terms will be mandatory. It does say: "The final rules will provide financial institutions with a reasonable amount of time in which to come into compliance."

Regulations interpreting section 326 of the USA PATRIOT Act were to be effective one year after the date of the Act's passage on October 25, 2001. The consortium of agencies writing the proposed regulations did not publish them until July 23, 2002. The comment period ended 45 days later, September 6. The press release indicates the reason for delay is the need to assess "substantial issues" raised in industry comment letters. (It does not mention that the time available for reviewing industry comments was abbreviated by the fact it took 9 months to issue proposed regulations.)

The announcement is a relief for bankers who were pulling out all the stops to meet the statutory deadline. For those who have made no move to comply, it is a temporary reprieve, not a commutation of their sentence.

The Context
The final regulations will augment the Bank Secrecy Act's (BSA's) record retention requirements. In essence, the proposal contemplates requiring financial institutions to develop a written CIP for adoption by the board of directors. The CIP would include reasonable procedures for:

  • verifying customer identity,
  • maintaining records of the information used to verify identity and
  • determining whether the person appears on any list of known or suspected terrorists or terrorist organizations.

CIP's genealogy is traceable. Previously espoused regulatory concepts, "know your customer" (KYC) and "enhanced due diligence" are its ancestors. The former began as a concept espoused in examination procedures, but then served as the basis for an aborted 1998 attempt by the regulatory agencies to raise it to the level of a regulation. The proposed KYC regulation was withdrawn in a relative firestorm of public protest.

"Enhanced due diligence" is a phrase currently found in regulatory examination procedures, not in legal requirements. It largely focuses on requiring customer identification and monitoring customer activity. As BSA is >
However, when final CIP regulations take effect, failure to adhere to their requirements could be cited as a violation of law, a major issue in any regulatory examination.

The Early Adopter Contingent
Many financial institutions spent countless hours attempting to divine the meaning of the proposed regulation, simply because the October 26, 2002 effective date was obvious from the plain language of the statute. Their intent was to comply with the statutory deadline even if guidance was inadequate or incomplete. Hopefully, their efforts will pay a dividend in more refined, more easily implemented compliance programs. However, the issue of Board adoption of the CIP is critical to this group.

If the Board of Directors has already adopted the CIP, then it is the financial institution's policy, regardless of when the final regulation is published or compliance is mandatory. So, the financial institution must follow it. If it proves unworkable or turns out to be in conflict with the final regulation, then it must be amended by Board action. BSA policy violations are serious, even if the policy was adopted in anticipation of legal requirements.

If the Board has not already adopted the CIP, then its adoption should be delayed until the last possible date allowed under the final regulations. The financial institution should put the program in place, but not seek Board approval unless their CIP would affect previously approved Board policies. The goal is to use the implementation period to the fullest possible advantage. Accordingly, these institutions should have the opportunity to test and "debug" their compliance effort - what they ultimately present to the Board should be fully tested.

The "Let's Wait and See" Camp
Some financial institutions have made no effort to build the required program, convinced the CIP regulation would suffer the same fate as the KYC proposal. However, the CIP regulation is mandated by federal statute. It cannot be unilaterally withdrawn by the agencies; it would take an act of Congress to kill the idea. That is not likely.

While waiting to see a final regulation before investing huge amounts of time and resources is generally a good idea, the early adopters' investment has put them miles ahead of those who decided to "wait and see." Whatever Treasury's "reasonable amount of time" for coming into compliance is, the early adopters can use it to test their CIP. Those who have done nothing will both design and test their programs in the same time frame.

Hopefully, those who waited to see if it was all for real are now convinced. Their foundation should be laid by a review of the proposal and the beginnings of a "self assessment."

The proposal is the template for the final regulation. The final regulation will undoubtedly be longer and more detailed. However, the requirement that a proposed regulation be offered for public comment precludes the final version from including concepts not contained in the proposal. Since there is no obvious date by which final regulations must be published, it would be appropriate to spend some time getting acquainted with the proposal now.

The next step is to perform a "self-assessment" regarding the financial institution's account types and methods for opening accounts. The more methods a customer can use to open an account; e.g. in - person, by mail, over the telephone, via the Internet, etc. the more complex the financial institution's CIP is destined to be. Current policies and procedures should be inventoried long before any attempt is made to develop practices necessary to comply with the final regulations.

Compliance with the proposed regulation would have required some financial institutions to make very few adjustments to their existing policies and procedures. Their primary efforts would have focused on: reducing their program to writing, having it approved by the Board of Directors and training (primarily convincing everyone that it applies to all areas, including lending, and that Board approved requirements cannot be "waived" by anyone).

What Do We Need to Buy?
Perhaps nothing. Clearly, in order to be credible, the financial institution's ability to review government lists, both Control and OFAC, needs to be automated to the extent possible. However, there has been an avalanche of new products and services often described as "essential" to CIP compliance.

Review such claims carefully. Note that the proposed regulation did not require use of a third party verification service. Actually, some of the supplementary language accompanying the proposal made it plain that many financial institutions are already doing enough to verify customer identity and that all they need to do is reduce it to writing. The purchase of additional services might well be cost justified as fraud control measures, but they are not likely to be justifiable as "necessary to CIP compliance."

What does the proposal mean when it said?
It doesn't make any difference anymore. Financial institutions that were attempting to comply with the proposal did well in seeking out the opinions of others. Now that the final regulation is on the horizon, the inner meanings of the proposal and its various shortcomings are academic. Wait for the final regulation.

If you filed a comment letter, you made a contribution toward getting those questions answered and correcting various flaws. Good for you!

Malicious rumor debunked Finally, there is no truth to the rumor that the implementation and administration of the CIP regulation has been turned over to HUD. It only feels that way.

Copyright, 2002, Bankers Online. First published on BankersOnline.com 10/15/02.

First published on 10/15/2002

Filed under: 
Compliance
Filed under compliance as: 
CIP
Board of Directors
BSA
HUD
Filed under technology as: 
Internet
OFAC
Money Laundering
USA PATRIOT Act

Report a problem with this page

Search Topics