Skip to content

CIP Final Rules: 10 Quick Changes

by BOL Guru Mary Beth Guard

With the regulatory document on the final CIP rules running more than 100 pages, it will take a while to digest and summarize all the fine points of the new regulation. Fortunately, compliance is not mandatory until October 1, 2003. In the meantime, here's a quick heads-up on the first ten differences we've spotted between the proposed CIP regulations and the final rules.

  1. Financial institutions must notify customers of identity verification procedures. The proposed rule said notification could be orally, in writing, or via a lobby notice. The final rule gives more guidance. It provides that the notice must be "adequate", then goes on to say that notice is adequate if the bank generally describes the identification requirements and provides the notice in a manner "reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account." What constitutes "adequate notice" will depend, in part, upon the manner in which the account is opened. Examples of possibilities include posting a notice in the lobby or on the institution's website, including the notice on its account applications, or using any other form of written or oral notice.

  2. When it comes to how you make customers aware of your customer identity verification procedures, the final rule even includes sample language. The rule states that, if appropriate, a bank may use the following sample language to provide notice to its customers:

    IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT
    To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver?s license or other identifying documents.
  3. In some instances, you will be able to rely on the customer ID verification performed by another financial institution. On pages 86-87 of the PDF rule, it specifies three conditions that must be met. One condition is that the other financial institution must enter into a contract requiring it to certify annually to the bank that it has implemented its anti- money laundering program, and that it will perform (or its agent will perform) the specified requirements of the bank?s CIP.

  4. There is currently no "government list" for purposes of Section 326. When a list is so designated, it will be clear that it is a Section 326 government list. Your CIP must
    • include procedures for determining whether the customer appears on any such list;
    • include a requirement for you to make such a determination within a reasonable period of time after the account is opened, or earlier, if required by another Federal law or regulation or Federal directive issued in connection with the applicable list.

    In addition, your CIP needs to specify that you will also follow all Federal directives issued in connection with such lists.

  5. In terms of record retention, there are two different retention requirements.
    • The final rule says the institution must retain information described in paragraph (b)(3)(i)(A) [See page 80 and 81 -- they're talking about the minimum information, such as name, date of birth, address, etc., obtained from a customer] used to verify identity for five years after the date the account is closed or, in the case of credit card accounts, five years after the account is closed or becomes dormant.
    • The information required in paragraphs (b)(3)(i)(B), (C), and (D) on pages 81 and 82 must be retained for five years after the record is made. [That includes your description of what you relied upon to verify the identity information.]


  6. There is no requirement for you to retain copies of driver's licenses and other IDs used to identify individual customers. What IS required is that you keep a record of the minimum data elements you are required to obtain (name, address, TIN, etc.) AND
    • if you verify the information through documentary means, keep a description of any document that was relied on, noting the type of document, any identification number contained in the document, the place of issuance and, if any, the date of issuance and expiration date;
    • if you verify the information through nondocumentary means, record a description of the methods and the results of the measures undertaken to verify the identity;
    • if there is a discrepancy in the identifying data, keep a description of the resolution of any substantive discrepancy discovered when verifying the identifying information obtained.


    Keep in mind, however, that this regulation spells out the minimum standards for customer identification programs. If your state law does not prohibit it, and if you do it in a way that does not violate Regulation B/ECOA, you may decide, as a matter of policy, that you DO want to retain such copies.

  7. If an individual who seeks to open an account doesn't have a residential or street address, it is permissible to obtain an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another contact individual.

  8. The rule focuses on verifying the identity of "customers". Under the final rule, the term "customer" includes two different things:
    • a person that opens a new account. [If you turn down the application, the person will not become a "customer".]; and
    • an individual who opens a new account for l) an individual who lacks legal capacity, such as a minor; or 2) an entity that is not a legal person, such as a civic club.

    So, for example, on a UTMA account, the custodian would be the "customer". On an estate account, the personal representative of the estate would be the customer. On an organization account, the customer would be the person authorized to open the acocunt.

  9. The definition of customer also excludes signatories from the definition of ?customer.? Publicly held companies and governmental agencies and instrumentalities will not be considered "customers" for purposes of the ID verification requirements. The definition also excludes signatories on accounts (i.e., authorized signers), as well as a financial institution regulated by a Federal functional regulator, a bank regulated by a state bank regulator, and governmental agencies and instrumentalities.

  10. When the rule talks about verifying customer identity in connection with the opening of an "account", there are notable exceptions to the definition of "account". The definition EXCLUDES:
    • accounts that a bank acquires through an acquisition, merger, purchase of assets, or assumption of liabilities from a third party;
    • accounts opened for the purpose of participating in an employee benefit plan established pursuant to the Employee Retirement Income Security Act of 1974;
    • wire transfers;
    • check cashing;
    • the sale of travelers checks; and
    • any other product or service that does not lead to a ?formal banking relationship?.



Copyright, Bankers Online. First published on BankersOnline.com 4/30/03.

First published on 04/30/2003

Filed under: 
Filed under compliance as: 
Filed under security as: 

Banker Store View All

From training, policies, forms, and publications, to office products and occasional gifts, it’s available here:

Banker Store

hot right now

image description

Looking for effective, convenient training on a particular subject?

BOL Learning Connect offers more than 200 courses ON-DEMAND or on CD ROM from AML to Reg Z and every topic in between.

Search Topics