We offer online account openings and noticed that a few customers provided a PO Box instead of a residential address. We have sent letters directing that they update the address but to date many have not responded.

As I believe the reg requires that a residential address be obtained at account opening, I am not sure how to proceed. We could close the account but why as the violation has already happened (opened w/ a PO BOX)?

Is it reasonable to allow the accounts to stay open as long as we can demonstrate that we attempted to cure the defect by contacting the customer?

Thanks for your thoughts.

I guess a couple of things come to mind.

1st, I'd address your software vendor/provider regarding allowing P O Box addresses as an option.

2nd, I don't think the issue is demonstrating an attempt to cure, but more that the bank is able "to form a reasonable belief that it knows the true identity of each customer." [as quoted from 103.121(b)(2)]

Live, you've got a major issue there that is just begging for an enforcement action. You're right, the violation has happened, and you can't turn back time. If it was at my institution, I would immediately freeze the activity on the affected accounts and refuse any further transactions until the customer provided the legally required information. Of course, each customer deserves a phone call and email and mailed letter to make sure they understand this requirement. You could look at your online opening process and make sure it is clear in the instructions that a P.O. Box is not sufficient (so that this action on your part doesn't come as a shock to these persons). Allowing them to continue using the accounts, without obtaining full CIP on them, could be disastrous. And, what did you do to prevent this from continuing to happen? Our accounts opened online will require a manual employee review/approval, in every instance, to make sure the customer doesn't circumvent the requirements in this manner. Writing "Physical address required - no P.O. Boxes" on the relevant field is not enough if the system will allow a P.O. Box to be entered.

P.S. My opinion above is based on the understanding that your institution failed to "obtain" the required info. Nothing requires you to verify all elements; i.e., you could obtain all elements and verify only the name, DOB, and TIN, and call it good enough, as long as you at least "obtained" all elements including the physical address.

The problem is the volume of openings precludes a manual review. Instead, we tried to block PO BOX from being entered. However, crafty customers will enter something like "P BX 15" or "15 P Office". Trying to consider all variations is a tad daunting.

As noted by Maytagman (my you haven't aged!), we have indeed formed a reasonable belief as to the person's identity (id verification), but are falling short on obtaining all required information.

I'm concerned that blocking the customer's ability to perform a transaction might become an issue in that our disclosure does not specifically indicate that this condition will result in restricting account access. Next thing you know a customer wants to sue because we did not allow them to schedule an ACH mortage payment.

That's why I love our disclosure: "We may change any term of this agreement....We may close this account at any time upon reasonable notice to you..."

Live, I don't think examiners are going to care about the volume the way that you and I would. They are more likely to say that your institution failed to plan for the volume and had compliance defiencies as a result of poor management. "I don't have enough time to do that," when it comes from a compliance officer's mouth, sounds to an examiner like, "Institution has failed to provide adequate resources to personnel..."

Is your software vendor able to interface the application with the USPS (zip + 4) website?

If so, that would return a "Full Address in Standard Format" for some abbreviated addresses (e.g. POB) and would render others invalid, unacceptable or unable to be processed.

I'd recommend making sure that your website states that the street address is mandatory (mailing address, if different should also be obtained, of course), and that the bank reserves the right to close the account if the appropriate information isn't provided.

Regulators are not likely to be impressed by the volume issues that make monitoring difficult. The regulation doesn't give you any wiggle room.

We added a sentence to our CIP disclosure that states that if all required information is not provided it could cause the bank to refuse to conduct transactions until the information is received.

I thank you all for taking the time to consider my question. Your thoughts were extremely helpful and, as always, very much appreciated!

The CIP process is indeed an effort to establish a reasonable belief of the customer's identity. Compliance with that concept would allow you to say it is not necessary to verify all four of the required pieces of information.

It does not put your bank in a position to say it does not have to get all four pieces of required information. Your bank is required to obtain a physical address prior to opening the account. Every time you fail to do that is a clear violation of law and the degree of inconvenience involved is not a mitgating factor. The suggested edits to the web site are necessary as is a prompt review of the information received. You cannot "fix" the violations and unilaterally closing accounts has significant risks of its own.