Q&As on CIP (Updated)
By BOL Guru David Dickinson
Q1: Do the identification and verification requirements apply to guarantors? What about PODs (payable on death) or other beneficiaries?
A: The CIP requirements do not apply to guarantors, persons listed as a POD or other beneficiaries, as they are not customers as defined in the final rule.
Q2: What about non-profit organizations such as churches, Lion?s Club, Rotary, etc.?
A: These accounts are not exempt and the new rule does apply to them. Officials should obtain the TIN for the non-profit organization opening the account. Officials would be required to verify the identity of the organization opening the account. This verification would most likely be accomplished through non-documentary procedures.
Q3: What about informal (non-legal) organizations such as bowling teams, > A: These accounts are not exempt and the new rules do apply. The individual opening the account must supply their personal TIN. Bank officials are required to verify the identity of the entity and/or the individual opening the account to be reasonably assured they know the true identity of the customer. These types of accounts pose a low risk of money laundering and/or financing terrorism.
Q4: What about brokered deposits?
A: The individual brokered deposits are exempt from the Customer Identification Program as the customer is the broker that opened the account. Bank officials should identify and verify the broker who opened the account.
Q5: Who is the customer for CIP purposes?
A: The customer is a ?person? that opens a new account. A ?person? includes individuals or entities such as a trust, corporation, partnership, LLC, etc. A customer is also an individual who opens an account for an individual who lacks legal capacity, such as a minor, or and entity that is not a legal person, such as a civic club.
Q6: Do the identification rules apply to our current customers?
A: Existing customers are exempt from the verification requirements providing the financial institution has a ?reasonable belief? they know the true identity of the customer. Each financial institution will need to develop guidelines of what will constitute this reasonable belief for existing customers. An example is that it may be reasonable to believe we know the true identity of a customer if an account has been maintained with the financial institution for 12 consecutive months with periodic statements being mailed to a physical address.
Q7: Do the identification and verification requirements apply to a POA (Power of Attorney) or other signatories?
A: Signatories are not account owners; therefore, officials are not required to identify or verify signatories. Signatories on an account could be identified and verified if the financial institution determines that the risk involved in the transaction or account type is high enough to warrant this. In regards to Power of Attorney, the regulatory agencies have stated they will issue further guidance on this issue. A Q & A is expected in July 2003.
Q8: Do the identification and verification requirements apply to co-signers?
A: Yes. If the co-signer is signing the note, he/she is considered a customer and would need to be identified and verified.
Q9: What about loan participations and indirect lending?
A: Accounts acquired through an acquisition or purchase of assets are exempt from the requirements of the Customer Identification Program.
If dealer loans are closed in the name of the Financial Institution, the customer?s identity must be verified, as the consumer would be a customer of the Financial Institution. The Financial Institution may have the dealer act as their agent to obtain and verify the customer information; however, the Financial Institution has the ultimate responsibility for the accuracy of the information gathered by the dealer. The Financial Institution would retain the identification and verification information obtained by the dealer according to the record keeping requirements of the Act.
If the loan is closed in the name of the dealer and is purchased by the Financial Institution, the loan would be exempt from the requirements of this rule as the consumer is not a customer of the Financial Institution.
If the Financial Institution makes the credit decision concerning an indirect loan and the loan will not be made if the Financial Institution denies the application CIP would apply and identification and verification must be completed. Under these circumstances, it would not matter if the loan were closed in the name of the Financial Institution or Dealer, CIP applies.
Q10: Would our CIP apply to loans that we purchase on the secondary market?
A: No. This is considered the purchase of an asset and would be exempt from CIP requirements.
Q11: The CIP is supposed to be risk based. What kinds of things would be considered in regards to the level of risk?
A: Remember, the USA PATRIOT ACT is designed to detect, prevent and prosecute persons involved in money laundering and/or financing terrorism. Some things to consider when measuring the level of risk would be the type of account being opened, method of opening the account, geographic location, type of entity opening the account, financial institution, asset size and number of office locations.
Q12: Are we required to include CIP procedures with the policy and obtain Board approval?
A: The final rule reads that several items that are procedural in nature should be included in your Customer Identification Program approved by the Board. The preamble to the Regulation states ?responsibility for the development, implementation, and the day-to-day administration of the CIP may be delegated to bank management? supporting the separation of policy and procedures. Banker?s Compliance Consulting would recommend separating policy and procedure for CIP. The Board would approve the policy and at the same time review (not approve) the written CIP procedures. This would allow management to complete the day-to-day administration of the CIP. The risk of this approach is that examiners could criticize your Financial Institution for not having your procedures approved by the Board.
If you decide to have policy and procedures approved by the Board, any changes to procedure required to complete the day-to-day administration of the CIP would require Board approval. We feel this is a higher risk approach as when procedures are not followed in the day-to-day administration of the program it would be a violation of Bank policy. We feel you need the flexibility to change procedures on a day-to-day basis as needed without going back to the Board for approval.
IDENTITY VERIFICATION PROCEDURES
Q13: Do the identification rules apply to all owners? For instance, some parents may have their children as co-owners of a CD; however, they do not want the children to know that they are co-owners. What do we do?
A: CIP applies to all owners of an account. However, you do not have to perform the same level of verification on all account owners. If co-owners on the account are minors, identification and verification of the parents is adequate. If the children who are co-owners of the account are of legal age, officials must obtain the name, address, TIN and date of birth for each. The final rule would require the bank to verify the identity of owners and co-owners to the extent that they are reasonably assured they know the true identity of the customer based on the potential risk of money laundering or terrorist financing from the account.
Q14: How do we verify the ID of minors?
A: Since minors lack the legal capacity to enter into a contract, the parent or guardian on the account with the minor is the customer. Officials should obtain and verify the identity of the parent or guardian on the account with the minor. If there were no parent or guardian on the account with the minor, then the minor?s identification would need to be verified.
Q15: What are the consequences of not getting all four of the required collection items?
A: This would be a violation of Section 326. It would likely be comparable to a BSA violation. The severity of any penalty for the violation would depend upon whether it is an isolated incident or a repetitive practice.
Q16: What if the customer does not yet have a Taxpayer Identification Number (TIN)?
A: It is okay to open the account, as long as the customer has applied for a TIN. The customer must provide the TIN to the bank within a reasonable time after account opening or the account should be closed. While it does take some time for a TIN to be processed, anything over eight weeks would not be reasonable. The final rule does not require the bank to retain a copy of the application for the TIN; however, it would be a good practice to request and retain a copy of the application.
Q17: Are rural route addresses acceptable as a physical address?
A: Typically rural routes have box numbers, which could be considered a physical address. If the address is 911 compatible, then it would be a sufficient physical address.
Q18: Do I need to verify all information provided by the customer?
A: No. The Customer Identification Program is to be risk based. The extent of the verification of information should be on such factors as type of account opened, method of opening the account, financial institution?s size, location, etc. The final rule requires you to verify enough information to be reasonably assured you know the true identity of the customer.
Q19: How many documents do we need to review to verify the customer?s identification?
A: The extent to which you must verify the identifying information provided by the customer should be risk based. You should review as many documents as needed to form a reasonable belief that you know the true identity of the customer. You should be redundant until you are satisfied.
In some instances, based on a low level of risk, the bank may wish to use non-documentary procedures only.
Q20: Is simply knowing the customer a sufficient verification method?
A: No. The Preamble to the Reg states: ?Given the flexibility built into the final rule, Treasury and the Agencies believe that it is not appropriate to provide special treatment for new customers known to bank personnel. In addition, permitting reliance on bank personnel to attest to the identity of a customer may be subject to manipulation. Accordingly, the final rule does not establish different rules for customers who are known to bank personnel.?
Q21: Is contact via email or cell phone a sufficient verification method?
A: No. Neither of these verify any of the required four collection items.
Q22: Can a phone book be used as a verification method?
A: Yes. It can verify zip code, city, and sometimes even the customer?s address.
Q23: Can visas be used as a means for verifying identification?
A: No. A visa is not a sufficient verification document as the potential to falsify these documents in high.
Q24: Can banks rely on Matricula Consular cards, Native American tribal identification cards and cedular cards as a means for verifying identification?
A: There is currently no prohibition in Section 326 against using any of these for verifying identification. It is up to each bank to determine whether or not they will rely on these forms of identification. It is important to remember that what you rely on to verify a customer?s identity must enable your bank to form a reasonable belief that it knows the true identity of the customer.
Q25: What if the customer doesn?t have a driver?s license, as in the case with many elderly or handicapped individuals?
A: The bank could use non-documentary methods to verify identification, such as contacting the customer, checking a credit report, checking credit references, etc. It is not a requirement that banks always use documentary verification. Non-documentary methods may be used solely if the risk level of the circumstances warrants this.
Q26: We are required to review an unexpired government issued document with a photo. Must we obtain new identification after the expiration date of the current document?
A: No. You need only obtain an unexpired document at the time the verification is completed.
Q27: Do I need to verify IDs (drivers license, articles of incorporation, passports, etc.)?
A: Do not confuse ?verification? with ?legitimacy.? You are not required to ensure that the documents provided are authentic.
Q28: What if I am unfamiliar with the documents provided?
A: If you are unfamiliar with the documents provided, you may wish to ask for additional verification documents or use non-documentary methods until you are satisfied. You can always refuse to open the account.
Q29: How do we verify the identity of account owners who are not present at the time of account opening (account opened over the phone, internet or non-local)?
A: Some financial institutions are choosing to not open accounts that are not opened face-to-face. CIP is clear that opening accounts when the consumer is not present is acceptable. The rule would require financial institutions to have procedures in place for these instances that would allow the officials to be reasonably assured that they know the true identity of the customer. Financial institutions may use non-documentary verification methods such as credit reports, online verification services, financial statements, etc.
Q30: What if the document used to verify the information is inconsistent with information provided by the customer (for instance, a driver?s license showing a different address than provided)?
A: The record retention requirements state that you must document any substantial discrepancies and their resolutions. If discrepancies cannot be resolved, the account should not be opened. Discrepancies in information may warrant an expanded verification process so that the financial institution can be reasonably assured they know the true identity of the customer.
Q31: Do our procedures have to state how various discrepancies will be resolved?
A: No. Your procedures must state that discrepancies will be resolved before opening the account. They do not have to outline every possible scenario where a discrepancy may occur.
Q32: What if I can?t verify the consumer?s address because they have recently moved?
A: You are not required to verify all information obtained. You are required to verify enough information to form a reasonable belief you know the true identity of your customer. Substantial discrepancies encountered in the verification process must be resolved and documented in the customer file. A reasonable explanation for a discrepancy between the addresses provided by the customer and their driver?s license might be that the customer has recently moved to your area for employment purposes.
Q33: Are we required to keep copies of the documents used to verify the customer?s identification?
A: No. The final rule eliminated the requirement that a bank retain copies of the documents used to verify the identity of a customer. At a minimum, banks are required to retain a ?description? of any documents used to verify the identity of the customer. A ?description? means noting the type of document, any identification number on the document, the place of issuance, and, if any, the date of issuance and expiration date. However, keeping copies may be the more viable option for many banks.
Q34: If I take a copy of the consumer?s driver?s license as verification for a credit transaction is it a violation of Equal Credit Opportunity (Regulation B)?
A: It is not, nor has it ever been, a violation of Regulation B to photocopy identification documents. However, it would be a violation of Regulation B if you use the information copied to discriminate against any person relating to credit decisions. If you obtain copies of driver?s licenses to verify information collected from the customer, copies of the license should be not be retained in the credit file. We also suggest that you copy driver?s licenses on a system wide basis. This way, you will not appear to be collecting race/sex information in a discriminatory manner.
Q35: Is it OK if our new accounts people always copy driver?s licenses and our loan officers do not?
A: Yes. There should be no problem in doing this provided your procedures address this and it is a consistent practice.
Q36: Do I need to retain CIP records when I sell a loan to the secondary market?
A: Yes. The financial institution that makes the loan is subject to the CIP record retention requirements.
Q37: What is the 326 list?
A: The CIP must include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations within a reasonable period of time after the account is opened, or earlier, if required by another Federal law or regulation.
No such list has been designated as of yet. Financial institutions will be notified once a list is designated for the purposes of this regulation. In the meantime, there are no interim requirements for checking any lists for Section 326.
Q38: How do we provide notification to customers who are not present at the time of account opening (account opened over the phone, internet or non-local)? A: Some financial institutions are choosing to not open accounts that are not opened face-to-face. CIP is clear that opening accounts when the consumer is not present is acceptable. If the account is opened over the internet, a notice should be posted on the bank?s web site. If the account is opened over the phone or by mail, the notice can be mailed along with other account documents. MISCELLANEOUS Q39: When am I required to file a Suspicious Activity Report?
A: A Suspicious Activity Report may be justified if during the verification process you suspect a phony ID or identity theft. Additionally, if non-documentary information gathered would suggest information is not internally consistent a SAR may be warranted.
Q40: Does my CIP program replace my Know Your Customer/Anti-Money Laundering Policy?
A: No. CIP is an account opening requirement designed to aid in the detection, prevention and prosecution of persons involved in money laundering and/or financing terrorism. The Know Your Customer/Anti-Money Laundering Policy requirement goes beyond the account opening stage.
Q41: What safe harbors does Section 326 provide banks asking for customer identification?
A: The CIP requirements for collecting and verifying customer identification do not violate any laws. Consequently, there are no safe harbors for asking for customer identification.
Q42: If we turn down a loan applicant because we cannot verify identity, are we required to send an adverse action notice?
A: Yes. The loan applicant would be entitled to an adverse action notice if you cannot verify identity. However, if the applicant decides not to apply after you ask for identification, this would be a withdrawal and no adverse action notice would be required.
Q43: Are the bank?s subsidiaries required to have a CIP?
A: Yes. The bank?s CIP must be a part of the bank?s BSA compliance program. Therefore, it will apply to the bank?s U.S. operations (including subsidiaries) in the same way as the BSA compliance program requirement. However, all subsidiaries that are in compliance with a separately applicable, industry specific rule implementing Section 326 of the of the Act will be deemed to be in compliance with the final rule.
Q44: Can you pull a credit report on both applicants when one is not present at time of account opening?
A: Yes. This is more of a Fair Credit Reporting Act question than a CIP question. A bank can obtain a consumer report for any legitimate business need that is initiated by the consumer. Legitimate business needs include credit transactions, review or collection of an account, opening a deposit or savings account or underwriting of insurance. Banker?s Compliance Consulting suggests that you have a signed application, signature card or other documentation to justify your business need for the consumer report.
Copyright, 2003, David Dickinson. First published on BankersOnline.com 07/25/03.
First published on 07/25/2003