Is your bank keeping copies of IDs for deposit relationships? Lending aside.

S.2155 in 2018 refers to online account openings saying that copies must be destroyed after verifying identity. Are you guys destroying them for online account openings and keeping them for retail branch openings?

In my experience it has been a best practice to generally not keep them as loan officers could hypothetically see them in the core system if they went looking for it.

Our policy is silent on whether to keep the ID or not. So I want to get something in writing as this is a contentious topic.

We do keep copies on the deposit side for accounts opened in person at retail branches since they are useful for BSA/AML/Fraud purposes. The Lending areas do not retain any IDs in loan files, etc.

Same here. All BU's, excluding lending, keep copies of ID used in the transaction.

I think what praBSA (and I) are wondering about is deposit accounts opened using an online system. S.2155 in 2018 says copies of DLs used in opening accounts online need to be destroyed....is anyone following this? At this time, we are not. When a DL is provided for online account opening we are moving it to our Core system and it is used to verify identity if that customer comes to a branch. We are not destroying a copy of the DL. We may delete it from the email or however we initially received it but the photo is moved to our Core system. Does this mean we are in violation?

This has never been brought up in an exam or audit but.....we all know there may be a day when that is a hot topic.

For online account opening, we don't require a copy of the ID to be submitted. If/When the client comes into the branch the employee servicing them will ask to see their ID at that time.

interested in the online account opening process if not requiring a copy of the ID - we are putting our toes in this water so others' processes or the rational behind are good to consider.
currently we do keep copy of ID in our core on the retail side; nothing on the loan side. however with that being said a customer profile is built and therefore all CIP is housed there regardless of product / service.

ID verification for online accounts (Consumers) is done through non-documentary ID verification for which we have engaged a vendor for. There are plenty of vendors out there who specialize in this and for US Citizens, can produce very accurate results.

Curious to hear others chime in on this. We request the picture of the ID in the online account opening process; however, they have a way to bypass it and just enter the information. Almost all of the cases of online account opening fraud we've had were for accounts opened where the picture of the ID was not submitted.

We require a copy of the ID during the online account opening process (we are still in the setting up stage and have not went live with online account opening yet) but once all is complete and the copy has been transferred to our core system, we delete the image from the online account opening portal.

We scan all ID's into our Core system at account opening in the branch.

S. 2155 does not say anything about allowing a copy to be transferred a core system.

(3) Deletion of image.--A financial institution that makes a copy or receives an image of a driver's license or personal identification card of an individual in accordance with paragraphs (1) and (2) shall, after using the image for the purposes described in paragraph (2), permanently delete--
(A) any image of the driver's license or personal identification card, as applicable; and
(B) any copy of any such image.

Randy - I understand that. After discussing with the gal that does our yearly reviews (by an outside vendor) we decided that it came down to a bank decision and the risk to the bank. We decided it was a low risk since we will be deleting the image from the portal used to open the online account after transferring to our core system.

We also both agreed that the CFPB needs to provide additional guidance on this issue.

Good luck with that, while it is law, there is no agency assigned to issue interpretations.

We just started limited release of account openings online, everything is reviewed by branches after they apply. Customers can use an ID to auto populate information during the account opening process online. We have the vendor automatically delete all images at the 30 day mark. This ensures we have complete and accurate information reviewed by multiple teams as we pilot account openings online.

There may also be state law that has an impact on photocopying ID

When a law says if you get a copy of an ID this way, it must be deleted when the permitted use requirement no longer exists, I see little room for a bank to make a risk decision. The bank is making a decision to follow or not follow a law.

Creating your interpretation sounds like the risk decision.


12 USC 1829c
(b)(1) In general
When an individual initiates a request through an online service to open an account with a financial institution or obtain a financial product or service from a financial institution, the financial institution may record personal information from a scan of the driver's license or personal identification card of the individual, or make a copy or receive an image of the driver's license or personal identification card of the individual, and store or retain such information in any electronic format for the purposes described in paragraph (2).

(2) Uses of information
Except as required to comply with Federal bank secrecy laws, a financial institution may only use the information obtained under paragraph (1)-

(A) to verify the authenticity of the driver's license or personal identification card;

(B) to verify the identity of the individual; and

(C) to comply with a legal requirement to record, retain, or transmit the personal information in connection with opening an account or obtaining a financial product or service.

Just curious do any of you accept the electronic form of DL such as the app LA Wallet?