Building a CIP
The rules are out and the initial shock wave is over. No more excuses. It is time to get serious about building a Customer Identification Program.
First of all, what is covered? Coverage is determined by the definitions of account and customer. FinCEN has heeded industry comments and common sense in crafting the final definitions. You won't need to do an identity determination on anyone that walks into your lobby - or other parts of the institution.
The individuals or entities that you must identify are defined as a "customer." Customers are always people - human beings. This person or persons can appear in several capacities. First, a customer is a person that opens a new account in your institution. This part of the definition assumes that the customer is the account owner.
Part two of the definition includes individuals that open accounts for someone else such as a minor who lacks legal capacity to open the account. This part of the definition also includes someone opening an account for an entity that is not a "legal person" such as a civic club. This type of organization may not have a legally created existence but does have people as members or representatives.
The trick in this new rule is that the definition of customer for purposes of the CIP does not include someone - a person, for example - who already has an account with you. While this flies in the face of the commonly understood use of the term customer, it is intended to avoid triggering the rule when the rule would be unnecessarily burdensome. This "not a customer because already a customer" exception only applies, however, if you have a reasonable belief that you know this person's true identity. In other words, this exception allows you a fair amount of latitude with existing customers.
The other important coverage definition is "account." This is the definition that culls out those who simply drop by to pick up interesting consumer disclosures or copies of your CRA public file. The account is a "formal banking relationship." The relationship, such as a loan or deposit, exists to provide financial services. The definition also includes repeat relationships such as maintenance of a safe deposit box and custodial services. Think of this definition as one that contemplates repeat services that relate to banking - not those related simply to providing information in the form of account information or HELOC program disclosures.
An account relationship requires repeated transactions. A single transaction, such as a purchase of travelers checks or cashing a check, does not establish an account relationship.
What you need to know and how you need to know it depends on the status of the person on the other end of the account relationship. The regulation defines "U.S. person" as someone who is either a citizen of the United States or an entity legally created by the U.S. or by one of the states. A corporation chartered in Delaware would meet the U.S. person test. A resident alien or a corporation chartered in the Caymans would not be a U.S. person.
The Customer Identification Program rule sets minimum standards. You can do more if that is appropriate or feasible for your institution.
First, the CIP is a part of the anti-money laundering program. Dozens of people have asked whether this needs to be separate from or can be combined with the BSA program. The rule itself answers that question. This is a mandate. And combining CIP and anti-money laundering makes sense. They are about the same thing. So although dictated by the USA PATRIOT Act, the CIP is a part of your BSA program.
Second, the program has to be written. This means that someone must take pen to paper - or fingers to keyboard - and create a document that describes the program.
Then come the key elements of the program. These, described in 31 USC 103.121(b)(3)-(5), include identity verification procedures including what information will be required, recordkeeping, comparison with government lists, and customer notice. The most detailed of these describes the identity verification procedures.
What do you know?
The key question is how to be reasonably certain that the person opening the account is who they claim to be and is acting legally. The rule allows you to set identification standards based on risk. The steps you take should be "reasonable and practicable." What this actually means is up to you. Obviously you should do more to get to know customers than you would at a college mixer. How much more is the question.
Here is where elements of CRA sneak into the picture. The standards you apply and the methods you use to identify customers can be based on your community. This means that you should apply standards and expectations that are appropriate to your market - a.k.a. your assessment area.
For example, how do people usually open accounts? Do they seek branches near their home or near their place of work? This closely relates to the institution's strategy in choosing the location of the branch.
What forms of identification do customers usually carry? While driver's licenses are most common, there may also be work ID cards or passports used as picture IDs. If your customer base has a significant number of resident aliens, your program should account for the types of ID they can produce. If your branch serves a community with a large number of elderly, consider what types of identification the elderly are likely to produce.
No matter what types of identification you accept or ask for, the identification produced should also be appropriate for the customer's circumstances. A retired individual should not be producing a work ID.
The regulation contains a list of required information for each customer: name, date of birth (for individuals), physical address or location, and identification number. This laundry list is fairly standard. But the most important part of your CIP is evaluating the information. Does what the customer presents make sense? Does it cohere? Or does one piece of information conflict with another, such as an out-of-state driver's license?
Your program should also evaluate whether the information offered to verify identification is appropriate for the type of customer. A corporation, for example, should be able to produce its corporate license. A charity should have evidence of its status. Someone who is not a U.S. citizen should have evidence of citizenship in another country.
It is not enough to collect the documents. You must review and evaluate them. When we provide disclosures to customers, we give them the opportunity to review them but they are not obligated to do so. Not so with customer identification. You are obligated to review the identification documents and evaluate whether they are accurate and consistent. You are also required to consider whether these documents enable you to know the true identity of the customer.
Not everyone has papers. Your CIP should anticipate situations where non-documentary identification steps should be taken. This may be instead of documentary ID or in addition to documents. But you should have specific steps that staff should take when documentary identification is lacking or not sufficient.
For example, you could use credit reports (when you have a legitimate business purpose under FCRA). Your procedures could include verification steps on the Internet. If you choose to include this, make sure that all persons with responsibility for verifying customer identities have the necessary Internet skills.
To top it all off, the verification procedures must be documented. Your institution must create and retain a record of how it knows what it knows about its customers. This record keeping also means keeping records of any concerns that the institution may have about the identity of its customers.
Think of documentation as an information vault. This is the record of how you know what you know and when you did or didn't know it. It is also a record of what you don't know.
What you do not do, to document the identification process, is violate Regulation B. You do not make copies of identification documents that contain the applicant's picture. While you may do this for accounts that do not have a credit feature, allowing the practice in one area may lead to violations in another. For example, don't expect a CSR to remember to make a copy of the customer's driver's license when opening a checking account but to tear up the copy when the same customer comes in to request an overdraft line of credit.
Like all good compliance regulations, this one has a record retention requirement. The retention period is five years. The important question is when that five years starts. The retention period runs, not from the time the record was created, but from the time the account was closed. Thus, you could maintain an account for seven years, with all identifying documentation carefully stored away. At the seventh year, when the account is closed, the five-year record retention period begins.
As with all good record retention requirements, there is a hidden trick. This trick is how to draw the connection between the account being closed and the identification records that were created seven years ago.
The five-year period can also be triggered by dormancy of the account. If you rely on dormant status to trigger the retention period, you will need clear criteria for establishing when the account becomes dormant. Of course, you can always keep everything forever.
As with other rules, such as those issued by OFAC, the financial institution is the front-line research organization for the government's law enforcement arms. The procedures must provide for comparison of the customer with any government list(s) designated by Treasury. So far, no lists have been designated, but don't be surprised if the lists we currently check - such as OFAC - become designated.
These procedures and the fact that you verify customer identification are not a secret. In fact, you are required to tell the customer what you are doing. The rule contains a model notice that explains to customers the content and purpose of the identification procedures. Smart institutions will simply follow the model language. They will also explain to customers that the identification procedures are for customer protection. Then reassure customers with privacy disclosures.
Developing the Program
This is not the type of program that can be designed in an ivory tower - or a compliance office. In order to be successful, the program must be based in reality. Your best resources in developing the CIP are the very people that will be asked to identify customers. Another required element of your program is guidance on when the institution should not open the account. To develop this guidance, you will also need the input of those who will be saying no to the customer. No one knows better than the front line which customers are suspicious. When it comes to deciding who should not be a customer - now or any more - rely on the front line. The front line can also give you input on what type of instructions or guidelines they are comfortable with and can follow.
- Review your existing Know Your Customer or CIP program. Compare it to the new CIP rule and identify anything that needs to be changed or added.
- Spend some time with front line staff (tellers, CSRs and branch managers) to find out how your existing procedures work. Collect their suggestions for improvements.
- Ask front line staff about what information or action tipped them off to a possible suspicious activity. Consider how to include these observations in your CIP.
- Don't overlook the lenders. Find out what kind of information lenders regularly verify - or take at face value.
- Involve representatives from all lending departments in establishing a CIP for the lending side.
Copyright © 2003 Compliance Action. Originally appeared in Compliance Action, Vol. 8, No. 5, 6/03
First published on 06/01/2003