Were is it posted?

Also, we are set up to have lending personnel check ID each time a loan customer secures an additional loan - is that element included in the final reg?

BOL CIP final rules

You will not have to re-verify customers opening subsequent accounts. Being risk based you can also assume the long term customer who banks with you now and whose parents banked with you, etc. are who they are. So we don't have to go back on all existing customers either.

Let me piggy back off of Andy (that should put all sorts of pictures in your mind ). You are not required to verify the ID. The ID verifies what they have already told you (name, address, DOB, etc.). This is probably one of the biggest misunderstandings of the CIP rules.

Maybe it's just me, and it's late on a Friday afternoon and I've hit the wall on reading 326. But was I the only one to get a good laugh on page 74 where it states that "Treasury, the OCC, and OTS have determined that the final rule is not a 'significant regulatory action' "?

That's a good one. I wish they would stop already. My ribs hurt from laughing so hard. Stop it, you're killing me!

My favorite comment that me laugh was that several comments were received from companies engaged in the sale of technology that could be used to identify and verify customers. Some of these commenters urged that the rules REQUIRE (emphasis mine) banks to authenticate any documents obtained to verify the identity of customers through the use of automated document authentication technology.

Yeah, I bet! Is that a little self serving or what?

What am I missing? How does obtaining a financial statement from an entity prove identity? It's listed as an example of non-documentary verification. Maybe they mean an audited financial statement?

If you also had a CBR or D&B and it ties back to the financials, that is supporting data. I think many things will tie together in the risk based programs.

If you want an attorney's perspective on Section 326, here's a link to an 8-page white paper sponsored by ATTUS Technologies.

Mark,
I am not short-stopping Andy's response, only pointing out that you've asked a difficult question. When they stress your policy is to be "risk based" it becomes impossible to assure that anything will be acceptable. While your bank's size, location, clientele, past experience etc. are theoretical factors in the determination, my perspective is that the two major variables will be the agency that examines you for compliance and the individual who conducts that examination on their behalf. Andy and I could have a knock-down-drag out argument over whether "long term personal knowledge" is enough. For example, should you specifically indicate the length of the term? Does a long term customer who has only rented a safe deposit box offer you the same level of comfort as to her identity as a major borrower? If you have known me personally for 10 years, but I only opened an account at your bank last month, does your personal knowledge even play a role or is it more about whether "the bank" knows me?

Andy, you take either side of the argument and I'll take the other, but I don't think we will find out who "won" until after Mark's next exam.

The supplementary information accompanying the final regulation points out that some banks, notably smaller banks, lobbied for an objective check list of requirements where compliance would be assured. Others argued for an entirely risk-based approach. As the final regulation eliminates requirements to copy ID's, identify signatories and consistently identify established customers, it's easy to identify the winners in the debate.

In the final analysis, it will not be whether your program is adequate, but whether your ability to defend your program is adequate.

Many dedicated compliance folks have waited for months to develop their programs. It's likely that many are pulling out all the stops do it "now." However, the agencies have indicated they will issue additional guidance and I would want to see it before I had my board approve anything. In addition, your bank has roughly six months to design, implement and test a program. That time is a tool, using it would be the smartest thing you can do.

I have to wonder: Do the people who hand out euphemisms in lieu of information plan to tell their mothers that they are taking a "risk based" approach in deciding whether to take her to lunch on Mothers' Day?

I agree that standards are going to evolve just as they have with other regs. For example, I want information on principals of business borrowers even though the business is my "customer". Businesses do not exist and act without human beings. Do I want a customer whose corporate officers are criminals? But for businesses we have had as customers for 20 years, we will have a different approach. We will also keep the "high risk business" list in mind as we develop our policy. I approach these situations with the question of what could go wrong, what is my exposure, should I have known?Also, banks need to decide in situations where "judgement" comes into play, whose judgement are you going to trust? That also can vary by bank. Also, this has to work with your AML program. You either need confirmation on some people for all purposes or you don't.

Quote:

---

"Treasury, the OCC, and OTS have determined that the final rule is not a 'significant regulatory action'"

---

So why did it take them 18 months to come to some regulation that everyone can agree upon? I'm ROFL.

Or as Marybeth would say: ROFLMAO!

I guess the $64,000 question is: How can a bank establish a "reasonable belief" (that it knows the true identity of its existing customers) that is objective, cost-effective and defensible to examiners... while at the same time, not offend any long-term customers?

Perhaps one possible answer is that a bank’s CIP policy should, at the very minimum, require a baseline, social security number validation test for ALL new and existing customers. After all, the September 11th hijackers opened 35 bank accounts using bogus social security numbers that were not even questioned by bank officials.

The reason why I propose a baseline screening for ALL customers is that a risk-based approach for selecting which customer to screen is subject to a biased selection in the real world. The SSN validation test could be performed in the back office without confronting customers directly, without leaving a footprint on a credit report, and without incurring any online transaction charges. More importantly, a report of the test results could demonstrate one more step toward objective approach for defending a bank's assertion that it knows the true identity of their existing customers.

Doing a SSAN validation on EACH customer could be a very expensive proposition. I don't know what this would cost, but if it is .20 per SSAN, at 100,000 accounts that is $20,000. I see this as a low-risk for my banks at this point. Short of a more compelling reason, I would resist that.

I have to agree with Andy that doing a SSN validation 'scrub' of the entire database would be overkill. The approach that has worked best at my bank is to validate:
1- All new customers.
2- All existing customers that open a new transaction (not the Reg D definition) account. (Unless they had been previously validated.)

When the nineteen September 11th hijackers opened 35 bank accounts using bogus social security numbers, I wonder if that bank thought they knew the true identity of their existing customers? If the cost to validate the SSN's is reasonable, I wouldn't consider it overkill.

Mark,
When they made this risk based they left room for your individual assessment of risk. There will be considerable variations in the decisions made by individual institutions.

If you feel the SSN validation is cost effective, one thing you might do to reduce the length of your comparative list is to eliminate the accounts where name/TIN comparisons have been verified by implication; i.e. the account is subject to information reporting and no IRS "B Notices" have been received. Examples would be long term accounts subject to 1099 and 1098 reporting. Alternatively, you might just assume that illegal actors would be unlikely to open an interest bearing account using a name/TIN combination they know to be invalid and focus only on relationships where there is no information reporting; e.g. safe deposit and DDA .

Mark,
To put your postings in perspective, are you a vendor or a banker?