Keeping Copies of IDs?

Is your bank keeping copies of IDs for deposit relationships? Lending aside.

S.2155 in 2018 refers to online account openings saying that copies must be destroyed after verifying identity. Are you guys destroying them for online account openings and keeping them for retail branch openings?

In my experience it has been a best practice to generally not keep them as loan officers could hypothetically see them in the core system if they went looking for it.

Our policy is silent on whether to keep the ID or not. So I want to get something in writing as this is a contentious topic.

We do keep copies on the deposit side for accounts opened in person at retail branches since they are useful for BSA/AML/Fraud purposes. The Lending areas do not retain any IDs in loan files, etc.

Same here. All BU's, excluding lending, keep copies of ID used in the transaction.

I think what praBSA (and I) are wondering about is deposit accounts opened using an online system. S.2155 in 2018 says copies of DLs used in opening accounts online need to be destroyed....is anyone following this? At this time, we are not. When a DL is provided for online account opening we are moving it to our Core system and it is used to verify identity if that customer comes to a branch. We are not destroying a copy of the DL. We may delete it from the email or however we initially received it but the photo is moved to our Core system. Does this mean we are in violation?

This has never been brought up in an exam or audit but.....we all know there may be a day when that is a hot topic.

For online account opening, we don't require a copy of the ID to be submitted. If/When the client comes into the branch the employee servicing them will ask to see their ID at that time.

interested in the online account opening process if not requiring a copy of the ID - we are putting our toes in this water so others' processes or the rational behind are good to consider.
currently we do keep copy of ID in our core on the retail side; nothing on the loan side. however with that being said a customer profile is built and therefore all CIP is housed there regardless of product / service.

ID verification for online accounts (Consumers) is done through non-documentary ID verification for which we have engaged a vendor for. There are plenty of vendors out there who specialize in this and for US Citizens, can produce very accurate results.

Curious to hear others chime in on this. We request the picture of the ID in the online account opening process; however, they have a way to bypass it and just enter the information. Almost all of the cases of online account opening fraud we've had were for accounts opened where the picture of the ID was not submitted.

We require a copy of the ID during the online account opening process (we are still in the setting up stage and have not went live with online account opening yet) but once all is complete and the copy has been transferred to our core system, we delete the image from the online account opening portal.

We scan all ID's into our Core system at account opening in the branch.

S. 2155 does not say anything about allowing a copy to be transferred a core system.

(3) Deletion of image.--A financial institution that makes a copy or receives an image of a driver's license or personal identification card of an individual in accordance with paragraphs (1) and (2) shall, after using the image for the purposes described in paragraph (2), permanently delete--
(A) any image of the driver's license or personal identification card, as applicable; and
(B) any copy of any such image.

Randy - I understand that. After discussing with the gal that does our yearly reviews (by an outside vendor) we decided that it came down to a bank decision and the risk to the bank. We decided it was a low risk since we will be deleting the image from the portal used to open the online account after transferring to our core system.

We also both agreed that the CFPB needs to provide additional guidance on this issue.

Good luck with that, while it is law, there is no agency assigned to issue interpretations.

We just started limited release of account openings online, everything is reviewed by branches after they apply. Customers can use an ID to auto populate information during the account opening process online. We have the vendor automatically delete all images at the 30 day mark. This ensures we have complete and accurate information reviewed by multiple teams as we pilot account openings online.

There may also be state law that has an impact on photocopying ID

When a law says if you get a copy of an ID this way, it must be deleted when the permitted use requirement no longer exists, I see little room for a bank to make a risk decision. The bank is making a decision to follow or not follow a law.

Creating your interpretation sounds like the risk decision.


12 USC 1829c
(b)(1) In general
When an individual initiates a request through an online service to open an account with a financial institution or obtain a financial product or service from a financial institution, the financial institution may record personal information from a scan of the driver's license or personal identification card of the individual, or make a copy or receive an image of the driver's license or personal identification card of the individual, and store or retain such information in any electronic format for the purposes described in paragraph (2).

(2) Uses of information
Except as required to comply with Federal bank secrecy laws, a financial institution may only use the information obtained under paragraph (1)-

(A) to verify the authenticity of the driver's license or personal identification card;

(B) to verify the identity of the individual; and

(C) to comply with a legal requirement to record, retain, or transmit the personal information in connection with opening an account or obtaining a financial product or service.

Just curious do any of you accept the electronic form of DL such as the app LA Wallet?

it seems the actual intent of S2155 was to provide access to online banking and not hinder that process. Based on this discussion below, you could retain a copy of the photo ID for "valid business purposes".....

https://www.nafcu.org/compliance-blog/plain-english-reading-s2155s-id-retention-provision

The plain reading of the deletion section of the bill seems to indicate that unless federal BSA laws require the credit union to keep a copy or image of a member's ID, the credit union would have to permanently destroy this copy/image after using it for one of the three purposes. And as it is the case, current BSA laws do not require the retention of a copy/image of the member's ID.

Section 1020.220 of the BSA only requires credit unions to "record a description of any documents that were relied on, noting the type of document, any identification number contained in the document, the place of issuance and, if any, the date of issuance and expiration date” rather than the scanning or copying of a member's ID. For those reasons, if the account, service or product requested online requires the member's ID for verification purposes, it seems that the credit union may now be required to permanently delete this record after using it for those purposes.

The good news here is that NAFCU's legislative affairs team raised this issue during consideration of the bill and we were informed Congress was reading the legislative language to mean credit unions can keep the member's ID for as long as they need it for a valid purpose, such as for the credit union's CIP. Our legal intern also sorted through the legislative history of the bills to find the Congressional intent behind the destruction section and found that this was added to end the practice of selling consumer's personal information by financial institutions. The legislative history also did not indicate intent to upend use of this information for viable and legitimate business purposes.

Additionally, keeping in mind the main Congressional intent of the MOBILE Act was to make online account opening easier, it may be arguable that Congress did not want to affect the use of a member's identification for other legitimate business purposes aside from online account opening/verification such as fraud prevention. For example, this part of the Congressional Record stresses that S.2155 was not intended to interfere with current operations of financial institutions, but to allow greater access to small banks and credit unions for consumers in underserved or unserved regions.

To bad that while Congressional intent might be a good argument made in a court of law, however have you ever tried that with a regulator and won?