We currently will not accept a bank statement from another FI as proof of address. I would like to propose that we change this.

The reasoning was that "customers don't always update their address with their FI"-- but I don't think that should be a reason not to accept a statement as proof of address if it does match. If the address didn't match, we wouldn't use it regardless.

Is there some unknown risk I am missing?

Why not just look at their Driver's License? Or is this online account opening?

We have a lot of potential customers that move and don't update their Diver's License for some reason. So we have to clear a lot of address discrepancies.

A utility bill is always an option.

The main reason to have accurate street addresses for bank accounts has always been to assure USPS delivery of statements and other necessary communications. Undetected errors in street addresses could remain in bank records indefinitely if the customer has consented to e-delivery of statements.

Using any piece of mail as "proof of address" is excessively weak. All it tells you is that the person provided that entity that address, and was able to obtain the mail there. Doesn't mean they live there. Means they have (or actually, had, at some point) access to the mailbox at that location. With US mailboxes sitting on streets unguarded and unlocked, a piece of mail tells you almost nothing.

A piece of mail is also exceeding easy to fake, with photoshop. A window envelope, with a letter inserted inside of it, is not a reliable proof of address.

In this day and age, given the purpose of the CIP regulation, banks need to be requiring address verification in the form of a) seeing it on a government-issued photo ID, or b) confirming it on a credit report, or c) both. You need to confirm where your customer sleeps, not where they one time may or may not have gotten a piece of mail delivered.

That is is a risk adverse position which is permissible; however, not required by the USA PATRIOT Act. The law and regulation simply says that the financial institution must adopt procedures to form a reasonable belief that it has verified the identity of its customer. Each institution is free to adopt its own risk-based approach based on its CIP Risk Assessment and FACT Act ID Theft Risk Assessment in determining what it will require to resolve a "substantive discrepancy" to one of the four required pieces of information (name, address, TIN, birthdate.)

Anon points out some of the potential risks of accepting mail, but each institution should determine what risks it is willing to accept in its customer identification process. Part of the risk assessment would be to evaluate prior instances of ID Theft that you have experienced. If these are minimal/non-existent relying on a utility bill, then there may not be a not to adopt more stringent requirements.

I agree with what BrianC said, for the most part, but want to emphasize that of course, any contemplated changes to this sort of procedure should be coming from the Board of Directors or the person appointed as CIP Officer (generally, your BSA Officer). This would not be something for management or marketing or whoever to just decide to change, then notify BSA afterwards. This is in the CIP/BSA domain and any changes of this nature should be requested well in advance, as it may require some changes to the Board's Risk Assessment, changes to how new accounts or monitored or how addresses are verified or re-verified after opening, and so on. This is not something to change lightly, if at all. Besides the compliance considerations, you'd also be inviting more fraud into the bank, by stating that you could verify an address using a piece of paper literally any idiot could make at home.

If your CIP/BSA Officer feels this poses unacceptable risk given your location, geographic areas you serve, customer base, etc., then I'd counsel respecting that opinion. It's their job to let you know if you're weakening your CIP procedures to an unacceptably risky extent.

So you're willing to weaken an already weak process? Much like mentioned above, anyone can get mail sent anywhere.

When FB was having a tizzy about "real names", I, as a person that uses a "stage name" had to provide a piece of mail with my stage name on it. I subscribed to a magazine, and had it sent to my home. The person that it was addressed to, in theory, doesn't exist, yet the post office still delivered it.

We ask for a W from their employer with their address on it. Unemployed? A copy of their unemployment statement. This seems more legit than a piece of mail that anyone could send to anyone, anywhere.