Proposed Customer Identification Rule: KYC Re-named
FinCEN and the financial regulatory agencies have finally proposed a rule under the USA PATRIOT Act to implement customer identification procedures. This isn't a surprise. We have been waiting to see what these rules would look like.
From the top, there are several important considerations. First, there are only a few specific mandatory steps. Instead of containing procedural detail, the rule is risk-based. This places the responsibility on each institution to take a hard look at its business, its market, and its customers to assess risk.
Second, this proposal is probably pretty close to the final rule. We have no reason to expect major changes. Lobbying for privacy and against institutional nosiness has completely lost the battle to self-protection in the wake of September 11, 2001. However, there is room for procedural issues. Well-crafted comments with information about systems and information collection could have an effect on the final rule.
Finally, this rule affects all transactions with customers and consumers including loans. The final rule may have a significant impact on ECOA and Regulation B by mandating collection of information to identify the customer. If collection of that information is otherwise prohibited by Regulation B, we can expect Reg B to back off. The critical issue will be what and how much information about the customer to document.
Scope and Coverage
In our current environment, we should expect scope and coverage to be as broad as possible. Account is defined as any formal banking or business relationship. There is no requirement for account numbers, institutional decisions, or documentation to exist as an account. You should apply this definition broadly and not attempt to exclude anything by clever reasoning. The definition also specifically mentions that credit accounts and extensions of credit are included in the definition.
Customer is also broadly defined. It includes anyone seeking an account and any signatory on the account. Someone added later as a signatory becomes a customer subject to the requirements. Merely shopping for information would not elevate the person to customer status. However, you should be alert for suspicious shoppers.
The definition of customer triggers equal attention to existing customers as they enter new account relationships. Just in case you missed them before - or they have been lying low hoping you will develop a comfort level with them - a new account relationship is subject to full scrutiny under the rule.
Customer Information Program
KYC is now CIP: Customer Information Program. This is probably a more politically correct term than the old KYC name. But the proposal has some elements in it that were not included in the old KYC concept.
First, every institution must have a Customer Information Program. The program won't officially exist until adopted by the Board of Directors or a committee of the board. In short, this must be a top-down official program.
Second, the CIP must be part of the institution's anti-money laundering program. This is not a stand-alone or separate program. The regulators are looking for an efficiently designed, cohesive program. By requiring board approval, the regulators expect the board to play an active oversight role.
In addition to the anti-money laundering program, the CIP should take into account OFAC procedures and the Control List. The verification of customer identities should include checking against these lists.
The program itself should be tailored to the business and market of the institution. For example, an institution located in a small community far from international borders may not need procedures for and information on international passports and forms of identification. But institutions located in cities such as San Francisco, New York, and Miami should compile more detailed information on how to identify international customers.
The key element of the CIP is customer identification and verification procedures. The rule directs institutions to base their procedures on the risk assessment. This assessment should look both at the community and at the business products and services offered. The goal of the procedures is to give the institution "a reasonable belief that it knows the true identity of the customer."
The procedures should take into account how accounts are opened. There should be specific steps for accounts opened in person and accounts opened through the mail or over the Internet. Procedures should also differentiate between customers with local addresses and customers that are not local.
The procedures should be specific about what information and how much information should be obtained from each customer.
Certain information is needed to meet a minimum standard. Institutions may conclude that collecting more information is necessary in the context of their risk assessment.
Minimum information on individuals includes the customer's name, date of birth, residence and mailing address, and a U.S. taxpayer identification number. For non-U.S. citizens, the identification may include a passport number with the country of issuance, or an alien identification card number. Alternatively, the institution may use a government-issued document showing the individual's nationality or residence. This must contain a picture of the individual or "similar safeguard."
Information on corporations should include the name, principal place of business, and employer identification number. Accounts could be opened without the EIN if the institution takes steps to obtain a copy of the application and subsequently obtains the number within a "reasonable period of time."
It isn't enough to collect the information about customers. The critical step is making sure that the information is true. This verification must take place within a "reasonable time" after the account is established. The steps are slightly different for documentary and non-documentary verification methods.
One important time-saver is that the institution need not re-verify information that was previously verified. If the institution is satisfied that the customer's identity is known, using methods that meet this rule's standards, the institution need not re-verify the customer's identity. However, the earlier verification must meet the information standards of this rule.
In order to verify information using documents, the documents must meet certain minimal requirements. Government-issued identifications for individuals must contain a photograph "or similar safeguard" and must also show evidence of nationality or residence. Passports will become increasingly useful.
Corporations and trusts will need to produce documentation that validates the existence of the entity. This will be in the form of an executed legal document such as a trust or partnership agreement, or a document issued by a state official such as a business license.
Customer Identification Procedures should also contain instructions on steps to take for verifying non-documented customer information and steps in addition to reviewing documents. This may include checking with independent sources, such as a credit bureau or a public database, to verify information.
Third-party verifications may include checking references with other financial institutions. This may be a motivator to file as an information sharer.
Five years is a familiar number. In this case, however, the five-year retention requirement begins only after the account is closed.
Here's what must be in the files: a copy of any document that was relied on to verify the customer's identity. The copy must show the type of document and the identification number. Here is the conflict with the existing Regulation B. But stand by. The Federal Reserve expects to publish revisions to Reg B within the next several months. It is now highly likely that the final Reg B changes will accommodate this CIP documentation requirement.
Recordkeeping should also contain information about what steps were taken to verify a customer's identity.
- Study the proposal and think through what this will mean for your institution.
- Pull together a team to discuss the proposal and sketch out an implementation plan.
- Draft a comment letter. Focus on the most important issues for your institution. Give reasons and make suggestions.
- Compare your existing Know Your Customer procedures with the minimum requirements of this proposal. Determine what additional steps you will have to take to verify the identity of existing customers.
- Talk with branch managers and other front-line staff to find out what they think would be useful and realistic in your CIP.
- Review suspicious activity reports for the last several years. Compare them to what you knew and didn't know about the customer when you opened the account. Then consider what you could have known and include that in your CIP.
Copyright © 2002 Compliance Action. Originally appeared in Compliance Action, Vol. 7, No. 10, 8/02
First published on 08/01/2002