iIn the aftermath of the September 11 attacks, Congress became very concerned with how terrorists were getting their money. It quickly found that the loose requirements for creating accounts with banks and other financial institutions made it very easy to use legitimate financial systems for illegitimate ends without the bank ever even knowing who really owned the account.
In an attempt to rectify this, Congress included numerous provisions in the Patriot Act that gave the Financial Crimes Enforcement Network (FinCEN), a bureau of the Department of the Treasury, the power to implement regulations that required financial institutions in the U.S. to take certain steps to learn who their customers actually were.
Covered financial institutions have to take these steps, collectively known as a Customer Identification Program, or CIP, or face the costs of non-compliance. The CIP must also be incorporated into the bank's Bank Secrecy Act (BSA), subject to approval by the board of directors of the financial institutions.
Every CIP Compliance Strategy Has to Be Unique
Perhaps the most important thing to remember about a financial institution’s CIP obligations is that it has to be tailored to the institution’s needs and business model. Under one of the regulations promulgated by FinCEN to implement the law, 31 C.F.R. § 1020.220, every institution’s CIP procedures have to be “appropriate for the bank’s size and type of business.” It must include “risk-based procedures” that are designed to give the institution a “reasonable belief that it knows the true identity of each customer.” Those procedures “must be based on the bank’s assessment of the relevant risks.”
As corporate compliance lawyer Dr. Nick Oberheiden frequently points out, “These regulations strongly imply that cookie-cutter policies will not work. You have to conduct a risk assessment to determine what precautions are necessary and sufficient to enable your particular institution to get to know each customer’s true identity.”
Every CIP Has to Have These Six Elements
While every CIP must be unique and hand-crafted to suit the needs of your bank or financial institution, 31 C.F.R. § 1020.220 goes on to list six minimum elements that all of them need to effectively verify a customer’s identity:
-
The CIP policy has to be in writing
-
It has to require at least four pieces of identifying information from a customer
-
There has to be a procedure to verify the customer’s identity
-
The CIP has to create a recordkeeping policy
-
It has to make sure that the customer does not appear on a government-maintained list of terrorists or terrorist organizations
-
The customer has to be notified about the verification process
Each of these requirements deserves explication.
CIPs Have to be Written
Executives at financial institutions will generally fall into compliance with this obligation naturally, as an unwritten policy would be unwieldy, given how complicated CIPs can be. However, it is worth mentioning, especially as non-legal compliance personnel is likely to read the pertinent regulations and overlook the requirement that CIPs be in writing, which is hidden in the preamble to the listing of minimal CIP requirements.
Four Pieces of Customer Information are Required
31 C.F.R. § 1020.220(a)(2) says that, at a minimum, financial institutions must get four pieces of information from customers who want to open an account or conduct financial transactions with the institution. They are the customers:
-
Name
-
Date of birth, if the customer is an individual and not a business entity
-
Address
-
Identification number
The identification number gets complicated when the account applicant is not a U.S. citizen. In those cases, it can be any of the following:
-
Taxpayer identification number
-
Passport number, along with the country that issued it
-
Alien identification card number
-
Number and country of issuance of any government-issued document, so long as it:
-
Shows the applicant’s nationality or residence, and
-
Has a photograph or a similar safeguard
When the account applicant is a U.S. citizen, the identification number has to be a taxpayer identification number.
CIPs Must Have Procedures to Verify the Customer’s Identity
Regulations require that all CIPs state how the financial institution intends to verify the information that accounts applicants have proffered. The identity verification procedures can include the use of documentary evidence, non-documentary evidence, or a mixture of the two. CIPs must also cover the policies of the financial institution when the identity of an applicant cannot be verified using documentary and non-documentary evidence. Further, the CIP has to state the bank’s policy for when the institution cannot adequately identify the customer, including when the outcome will be to:
-
Refuse to open the account requested
-
State terms under which the customer can use the account while the bank takes additional steps to identify the customer
-
Close the account
-
File a Suspicious Activity Report (SAR) with law enforcement
Recordkeeping Policies
At a minimum, a financial institution’s CIP has to keep the following records:
-
All of the customer’s identifying information that was gathered
-
A description of any documentary evidence that the financial institution used to verify the customer’s true identity
-
The methods and results of any non-documentary evidence that was used to verify the customer’s identity
-
How any substantive discrepancy in the verification process was resolved
Banks have to keep these records for five years after the account is closed or, if it is a credit card account, becomes dormant. This is important: The five-year retention window begins when the account is closed, not when it is opened.
Check Government Watch Lists
The main reason for much of this information gathering is to ensure that the financial institution is not enabling money laundering activities that are associated with terrorism. Every CIP has to include the procedures that the institution takes to determine whether any account applicant is on a U.S. Treasury-designated list of known or suspected terrorists or terrorist organizations.
Customer Notification Requirements
Finally, the CIP has to include procedures for how bank customers or account applicants are notified that the bank is requesting information to verify their identity. Regulations require the notice to generally describe the identification requirements. The notice has to be made reasonably available to customers.
