Live, you've got a major issue there that is just begging for an enforcement action. You're right, the violation has happened, and you can't turn back time. If it were at my institution, I would immediately freeze the activity on the affected accounts and refuse any further transactions until the customer provided the legally required information. Of course, each customer deserves a phone call and email and mailed letter to make sure they understand this requirement. You could look at your online opening process and make sure it is clear in the instructions that a P.O. Box is not sufficient (so that this action on your part doesn't come as a shock to these persons). Allowing them to continue using the accounts, without obtaining full CIP on them, could be disastrous. And what did you do to prevent this from continuing to happen? Our accounts opened online will require a manual employee review/approval, in every instance, to make sure the customer doesn't circumvent the requirements in this manner. Writing "Physical address required - no P.O. Boxes" on the relevant field is not enough if the system will allow a P.O. Box to be entered.
_________________________
"It is natural to give a clear view of the world after accepting the idea that it must be clear." - Albert Camus