I want to include in our revised BSA/AML policy a statement that the policy is not intended to protect third parties. This was a recommendation from a CIP seminar. I believe reference was made to recent case law. Can anyone give the nutshell version of the case(s)? How was a bank liable to a third party because of something in its BSA/AML program, policy, or processes? I'm sure my Board will ask.

I also heard this recommendation at a seminar, but no reference was made to a specific case.

You may want to include a statement in the policy itself that "this policy of xyz bank does not create rights or obligations to current or future customers. This policy is an internal document adopted to comply with federal mandates."

What was pointed out at the seminar I attended is that the Customer Identification Program was created to fight money laundering and terrorism as per the USA PATRIOT Act.

The CIP regulation does not give a rat's rear about Identity Theft. This is an AML/anti-terrorist effort, and not an ID Theft prevention effort.

The problem is that the general public will perceive CIP to be about fighting Identity Theft. If someone's identity is stolen and used to open deposit and/or loan accounts at a bank, the victim may try to sue the bank, and use the bank's CIP policy against it.

The most well publicized case is the one where insurance commissioners from several states sued two banks for failing to detect fraudulent activity involving insurance companies which had been looted by their owners. The complaint alleged that the banks, through their written "know your customer" programs should have detected the activity. The complaint was filed in state court and the defendants attempted to move the case to federal court, but there has been no trial. (It was reported on BOL.) A similar complaint involving land fraud, ultimately submitted to private arbitration, has been filed against a bank with operations in Texas.

Both cases pre-date CIP. They are based on the tenuous theory that a bank's attempts to detect illegal activity create a duty to a third party; i.e. if the bank fails to detect and report the illegal activity it becomes liable to those who are injured. But for the involvement of several states in the first law suit, it would be easy to label the claim as frivolous. A boilerplate reference to the real purpose of policies related to detecting suspicious activity may not prevent such a law suit. However, in the event a claim is made, having it is better than not having it.