Nebraska Bankers Association

USA PATRIOT ACT: SECTION 326 – CUSTOMER IDENTIFICATION AND THE CUSTOMER IDENTIFICATION PROGRAM REGULATIONS

I.         INTRODUCTION

The U.S. Department of Treasury and other federal financial regulatory agencies have issued rules to implement § 326 of the USA PATRIOT Act (the “Act”). Section 326 requires the Secretary of the Treasury to issue regulations setting forth standards for financial institutions to follow in the identification and verification of customers that seek to open accounts by: (a) verifying the identity of any person seeking to open an account to the extent reasonable and practicable; (b) maintaining records of the information used to verify a person’s identity, including name, address and other identifying information; and (c) consulting lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency to determine whether a person seeking to open an account appears on any such list.

The regulations are part of the Bank Secrecy Act (BSA) record retention requirements and cover minimum requirements for a financial institution in establishing its “customer identification program” (“CIP”). Compliance with the regulations was mandatory on October 1, 2003.

II.        ESSENTIAL DEFINITIONS

The regulations employ four definitions that are essential to understand in order to comply effectively with § 326.

“Account”. An “account” means a formal banking relationship established to provide or engage in services, dealings or other financial transactions, e.g.:

  • Deposit account;

  • Transaction or asset account;

  • Credit account or other extension of credit;

  • Safe deposit box or other safekeeping services; and

  • Cash management, custodian and trust services.

In terms of verifying customer identity in connection with the opening of an account, there are notable exceptions, within the definition of “account”:

  • A product or service where a formal banking relationship is not established with a person (e.g., check-cashing; wire transfer; and sale of checks, money orders or travelers checks).

  • Accounts that a financial institution acquires through an acquisition, merger, purchase of assets or assumption of liabilities from a third party (this “transfer” exception includes the purchase of participation loans and indirect lending where a retailer previously made a loan and the bank purchases it from the retailer – in these examples, a loan is transferred to the bank and the borrower did not seek to open a new account with the financial institution).

  • Accounts opened for the purpose of participating in an employee benefit plan established pursuant to the Employee Retirement Income Security Act of 1974 (ERISA).

A financial institution is not required to verify the identity of individuals or other entities if there is no “account” relationship.

“Customer”. The definition of a “customer” means any person who opens a “new” account (and includes each person named on a joint account). A “customer” is also an individual who opens a new account for an individual lacking legal capacity (e.g., a minor) or an entity that is not a legal person (e.g., a civic club).

There are several notable exceptions to the definition of customer. The regulatory definition does not cover a person who only “seeks” to open an account or attempts to open an account but is denied and does not actually receive any banking services.

The term “customer” does not include a person holding an existing account with a financial institution who then opens a new account with the same institution provided the bank has a “reasonable belief” that it knows the customer’s true identity. With the current absence of official regulatory guidance, a financial institution will have to devise its own “risk-based” CIP rationale and procedure as to what constitutes its “reasonable belief” that it “knows the true identity” of a person for the purpose of excluding a person with an existing account. While this regulatory exception allows an institution to create an exception for existing customers, in order to maintain such a “risk-based” exception, an institution should show evidence of something more than an unsupported claim that the customer is “well known” to an individual employee.

Finally, accounts of other financial institutions that are regulated by a federal functional regulator or banks regulated by a state bank regulator, governmental agencies and instrumentalities and publicly-held corporations are not considered “customers” for purposes of the regulation.

“U.S. person”. A U.S. person means a United States citizen or a person other than an individual (e.g., corporation, partnership or trust) that is established or organized under the laws of a State or the United States.

“Non-U.S. person”. A non-U.S. person means a person that is not a U.S. person.

III.       CUSTOMER NOTIFICATION

The regulations provide that financial institutions must give “adequate” notice to customers, prior to opening a new account, of the bank’s identity verification procedures. Notice is deemed adequate if the financial institution generally describes the identification requirements and provides the notice in a manner “reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account.” Therefore, “adequate notice” is somewhat dependent upon the way in which an account is opened and may be accomplished in a variety of ways (e.g., posting notice in the lobby, in a handout, on account applications or on a website; training employees to describe the requirements at account opening; placing a notice on account applications; or in some other written or oral manner).

When the bank is an indirect lender that processes applications taken by a third party (e.g., a car dealer), the bank must still provide adequate notice, which could be accomplished if such notification were to appear on the application form itself.

The regulations also provide sample language that would be considered adequate:

IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT

To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account.

What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.

There is no regulatory requirement that the notice be of a particular size or typeface, be given in a form to be retained by the customer or be separate or apart from other documents.

IV.       ESTABLISHING A CUSTOMER IDENTIFICATION PROGRAM (CIP)

The regulations provide that each financial institution must write and implement a risk-based “customer identification program” (CIP), which must be made a part of the institution’s Anti-Money Laundering (AML) compliance program. The CIP may be tailored to the institution’s size, location and type of business or products offered. The institution’s board of directors is responsible for approving a CIP described in detail sufficient for it to determine that the CIP contains minimum requirements and that the identity verification procedures are designed to allow the institution to form a reasonable belief that it knows the true identity of the customer.

A.        Identification and Verification

The CIP regulations require that a financial institution’s CIP be “risk-based”, and the institution is held to a “reasonable belief standard” that it has identified the customer. Since the regulations address the documentation of a customer’s identity, the purpose of the account is irrelevant; the regulations apply to business and consumer deposit and loan accounts alike. Identification verification procedures are to be based on the institution’s assessment of the relevant risks, including those presented by various types of accounts maintained, the various methods of opening accounts, the various types of identifying information available and the institution’s size, location and customer base.

Customer identity verification procedures must describe the information that the institution needs to obtain from the customer at the time of opening the account and whether the institution will use documents, non-documentary means, both or additional methods to verify the customer’s identity. The institution is not required to verify each piece of identifying information.

The following identifying information must be obtained prior to opening an account for any “new” customer:

  • name;

  • for individuals, the date of birth;

  • for individuals, residential or business street address (no post office box, except for an individual who does not have a residential or business street address, an Army Post Office (APO), a Fleet Post Office (FPO) box number or the residential or business street address of next of kin or of another contact individual); and

  • for a person other than an individual (e.g., corporation, partnership or trust), a principal place of business, local office or other physical location.

For a U.S. person, the financial institution must obtain a tax identification number [which may be a social security number, taxpayer identification number (TIN) or employee identification number]. There is an exception for persons applying for a TIN in that a CIP may include procedures confirming that an application was filed prior to account opening and procedures to obtain a TIN within a reasonable time after the account is opened.

For a non-U.S. person, the financial institution must obtain one or more of the following:

  • a taxpayer identification number;

  • passport number and country of issuance;

  • alien identification card; or

  • other government-issued identification cards evidencing nationality with a photograph or similar safeguard.

1.         Customer Identity Verification Methods

For customers who are individuals, the regulations appear not to cover signatories on accounts (i.e., authorized signers). Since a guarantor on a loan is not seeking to open an account with the bank, such person may arguably not meet the definition of a “customer”, but if the person is essential to the making of the loan, then the bank’s underwriting policies and CIP “risk-based” policy may require more than the minimum standards of the CIP regulations.

The regulations allow customer identity verification by either documentary or non-documentary methods (e.g., the use of consumer credit reports or “on-line” verification tools such as public databases) or a combination of both methods. There is no regulatory requirement that documentary identification be used exclusively (e.g., requiring only a government-issued photo identification card). The regulations note that the CIP should include those instances when additional verification may be necessary where the institution cannot form a reasonable belief that it knows the true identity of a customer. In regard to credit card operations, the regulations contain several provisions that address situations unique to such products.

The CIP must include the verification policy in the program description. For an individual, these documents may include unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard (e.g., driver’s license, state identification card, passport or matricula consular card), and for a person other than an individual (e.g., corporation, partnership or trust), documents showing the existence of the entity (e.g., certified articles of incorporation, government-issued business license, partnership agreement or trust instrument) may be satisfactory.

Should electronic banking services or products be offered, then the CIP should describe how customer identity verification will be accomplished (e.g., a statement that when a person is seeking to open an account electronically, the institution will verify the customer’s identity by using a consumer credit report, software program, on-line system or public database).

When relying on non-documentary methods, the regulations provide that the CIP must contain procedures that describe the methods to be used (e.g., contacting a customer; independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database or other source; checking references with other financial institutions; and obtaining a financial statement). Non-documentary procedures must address situations where: an individual is unable to present an unexpired government-issue identification document that bears a photograph or similar safeguard; the bank is not familiar with the documents presented; the account is opened without obtaining documents; the customer opens the account without appearing in person at the institution; and the bank is otherwise presented with circumstances that increase the risk that it will be unable to verify the true identity of a customer through documents.

NOTE: CIP regulations provide that customer identity verification is to take place “…within a reasonable time after an account is opened…” Coupling the concept of “reasonable time after an account is opened” with the regulatory “risk-based” standard, it may be acceptable to conduct follow-up verification procedures after a deposit account is opened, but it would appear to be less acceptable to allow follow-up verification procedures after an institution opens a credit account and disburses loan proceeds.

2.        Signatories and Verification

Prior to finalization, a draft of the regulations had proposed coverage of § 326 to all new signers on accounts not held by individuals. This was a concern for institutions, for there are occasions where multiple signatories to an account may number in the hundreds. Identity verification of all signatories would have been extremely costly, impractical and not useful to law enforcement. Commentators argued for the need of a “risk-based” response on the signatories issue and the final rule accommodated that position by stating that the CIP must address situations where, based on the risk assessment of a new account opened by a customer that is not an individual, the institution will obtain information about individuals with authority or control over such account, including signatories, in order to verify the customer’s identity. Such rule applies when the institution cannot verify the customer’s true identity using the verification methods described in Paragraph A above. The CIP must clearly state the policy on signatories.

3.        Lack of Verification

Current regulations provide that a CIP address procedures for responding to situations where “the institution cannot form a reasonable belief as to the customer’s true identity.” In addition, the CIP must cover:

  • when a financial institution will not open an account;

  • terms under which a customer may use an account pending identity verification;

  • when a financial institution will close an account after attempts to verify a customer’s identity have failed; and

  • when to file a Suspicious Activity Report (SAR).

Regulatory guidance is forthcoming to address the issue of how an institution should proceed following mismatches of identifying information (e.g., a person submits identifying information, such as an address, that does not match, but the remaining information is accurate).

Obtaining required information is a condition of opening an account and failure to do so is a violation of law. Using the Bank Secrecy Act’s penalty provisions, negligent failure to obtain required information may be subject to a $500 penalty per instance. The penalty for a knowing or intentional failure may be enhanced to $1,000 per instance with possible criminal penalties. An institution is only allowed to create a temporary exception in its written policy for a customer who has applied for, but not received a taxpayer identification number (e.g., a newly created corporation or partnership).

B.        Record Retention

A common question being fielded at this time is whether the bank should make and retain photocopies of documentation (e.g., a government-issued identity card or a driver’s license) that is used to verify a customer’s identity. During the regulatory process, many commentators were concerned about any requirement to retain copies of documentation. These concerns included issues involving possible Regulation B (Equal Credit Opportunity Act) violations, certain state laws that prohibit such copying, identity theft issues, copying costs and the maintenance of local or centralized copies.

The current regulations, as of this writing, do not require that any documented identification that is relied upon, including government-issued identification cards or drivers’ licenses, be copied or retained. Note that the regulations address minimum standards for a CIP. So, for example, a bank could decide to make and retain copies of Nebraska-issued identification cards or drivers’ licenses or other documentation so long as it is done in a manner that does not violate Regulation B and so long as Nebraska law does not prohibit the making and retention of state-issued documentation.

The regulations do require that a CIP must retain the following records:

  1. specific identifying information (name, address, date of birth and taxpayer identification number);

  2. a description of any document relied on for verification (noting the type of document, any identification number contained in the document, the place of issuance and, if any, the date of issuance and expiration date);

  3. if used, a description of the methods and result of non-documentary means of verification; and

  4. if there is any discrepancy in the identifying data, a description of the resolution of any substantive discrepancy discovered.

The specific identifying information records must be retained for five years after the account has been closed, or in the case of credit card accounts, five years after the account is closed or becomes dormant (See, 1. above). The remaining records (See, 2, 3 and 4 above) must be retained for five years after the date the information was obtained.

The records may be originals, copies or other reproductions and must be accessible within a reasonable period of time.

C.        Consulting Government Lists

The regulations provide that procedures must be developed within the CIP for a financial institution to determine if a customer appears on any federal government lists of suspected terrorists or terrorist organizations within a reasonable period of time after account opening – or earlier – if required by federal law, regulation or directive. Although, as of this date, no § 326 lists have been promulgated by the government, a financial institution’s CIP policy and procedures must address this issue so that it will be ready to implement this requirement when the lists are designated and promulgated by the government.

V.        RELIANCE ON THIRD PARTIES

The CIP may include procedures that specify when a financial institution will rely on another financial institution, including affiliates, to perform customer identification verification with respect to any customer of the bank that is opening or has opened an account or who has established a similar formal banking or business relationship with the other financial institution to provide or engage in services, dealings or other financial transactions. The reliance must be reasonable under the circumstances and the other institution must be subject to AML program requirements. The performing institution must, by contract, certify annually to the other institution that it has implemented its AML program and that it (or its agent) will perform the specified requirements of the bank’s CIP. A financial institution may also contract with third parties or agents (e.g., car dealers) to perform the CIP functions but the institution will be ultimately responsible for non-compliance.

VI.       GUIDANCE REGARDING APPLICATION OF § 326 RULES IN THE FORM OF FREQUENTLY ASKED QUESTIONS

The staff of the U.S. Treasury Department, through the Financial Crimes Enforcement Network (FinCEN), and federal banking agencies (the Board of Governors of the Federal Reserve System, the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration and the Office of Thrift Supervision) have developed additional guidance regarding the application of the § 326 rules in the form of frequently asked questions (FAQs), which are set forth below for your review. The most recent FAQs edition was dated April 28, 2005.

31 C.F.R. § 103.121(a)(1) – Definition of “account”

1. The CIP rule applies to a “customer,” which is generally “a person that opens a new account.” (Emphasis added.) At what point does the CIP rule apply when the account is a loan? When is the account opened?

“Customer” does not include a person who does not receive banking services, such as a person whose loan application is denied. See 68 FR 25090, 25093 (May 9, 2003). Therefore, when the account is a loan, the account is opened when the bank enters into an enforceable agreement to provide a loan to the customer. (January 2004)

2. Are loan participations purchased from third parties and loans purchased from a car dealer or mortgage broker within the exclusion from the definition of “account” for loans acquired through an acquisition, merger, purchase of assets, or assumption of liabilities?

Yes, this exclusion is intended to cover loan participations purchased from third parties and loans purchased from a car dealer or mortgage broker. If, however, the bank is extending credit to the borrower using a car dealer or mortgage broker as its agent, then it must ensure that the dealer or broker is performing the bank’s CIP. (January 2004)

3. Are data processing, data warehousing, and data transmission on behalf of a person an “account?”

“Account” is defined to mean “a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including a deposit account, a transaction or asset account, a credit account, or other extension of credit. Account also includes a relationship established to provide a safety deposit box or other safekeeping services, or cash management, custodian and trust services.” The examples provided in 31 C.F.R. § 103.121(a)(1) of formal banking relationships included within the meaning of “account” focus on bank products and services that relate to the deposit, lending or custody of funds or other assets on behalf of a customer. Data processing, warehousing, and transmission services generally do not involve a service, dealing, or financial transaction that, taken alone, constitutes a “formal banking relationship” within the meaning of 31 C.F.R. § 103.121(a)(1). If, however, any of these services are part of the establishment of a formal banking relationship, then the CIP rule in 31 C.F.R. § 103.121 would apply. (April 2005)

31 C.F.R. § 103.121(a)(2) – Definition of “bank”

1. Is the CIP rule applicable to a bank’s foreign subsidiaries?  

No. The CIP rule does not apply to any part of the bank located outside of the United States. Nevertheless, as a matter of safety and soundness, banks are encouraged to implement an effective CIP throughout their operations, including in their foreign offices, except to the extent that the requirements of the rule would conflict with local law. (January 2004)

2. Is the CIP rule applicable to bank holding companies and their non-bank subsidiaries, or to savings and loan holding companies and their non-savings association subsidiaries?

No, the CIP rule in 31 C.F.R. § 103.121 applies only to a “bank.” A bank holding company is not subject to the rule solely because it owns a bank. However, a bank holding company may be subject to another CIP rule. For example, if the company is a broker-dealer in securities, it would be subject to 31 C.F.R. §103.122.

Similarly, a non-bank subsidiary of a bank holding company is not subject to the CIP rule for banks solely as a result of being affiliated with a bank in a holding company structure. However, a non-bank subsidiary may be subject to one of the other CIP rules.

Even if a bank holding company is not itself subject to the CIP rule under 31 C.F.R. § 103.121, it should, as a matter of safety and soundness, take appropriate measures throughout its organization to ensure that each entity is in compliance with any applicable CIP rule, to ensure that new accounts receive appropriate due diligence, and generally to protect the consolidated organization from risks associated with money laundering and financial crime.

The analysis set forth above is equally applicable to savings and loan holding companies and their non-savings association subsidiaries. (April 2005)

3. Should subsidiaries of a bank implement a customer identification program?

Yes. The Federal banking agencies take the position that implementation of customer identification programs by subsidiaries of banks is appropriate as a matter of safety and soundness and protection from reputational risks. Subsidiaries (other than functionally regulated subsidiaries) of banks should comply with the customer identification program rule that applies to the parent bank when opening an account within the meaning of 31 C.F.R. § 103.121. In addition, a number of the Federal banking agencies have separately issued rules that require certain subsidiaries of banks to conduct their activities pursuant to the same terms and conditions that apply to the conduct of such activities by the parent bank. See, e.g., 12 C.F.R. § 5.34 (OCC); 12 C.F.R. § 559.3(h) (OTS).

Some functionally regulated subsidiaries of banks are already subject to a customer identification program rule issued jointly by their functional regulator and FinCEN (i.e., 31 C.F.R. § 103.122 (broker-dealers); 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers)). For purposes of the requirements imposed under section 326 of the USA PATRIOT Act, functionally regulated subsidiaries are: broker-dealers, investment companies, investment advisers registered with the SEC, persons licensed to provide insurance, and any entity with respect to a financial activity that is subject to the jurisdiction of the CFTC (such as futures commission merchants, introducing brokers, commodity trading advisors, commodity pools, and commodity pool operators). See 31 U.S.C. § 5318(l)(4); 15 U.S.C. §§ 6805, 6809. Subsidiaries of banks that are functionally regulated by the SEC or the CFTC are required to comply with the applicable CIP rules issued by the SEC or CFTC, respectively, and FinCEN.

The Federal banking agencies, SEC, CFTC, Department of the Treasury, and FinCEN have worked together to create uniform rules that minimize potential conflicts or differences between the agencies’ rules. In addition, Treasury and FinCEN intend to issue customer identification program rules applicable to other types of financial institutions in the future. (April 2005)

31 C.F.R. § 103.121(a)(3) – Definition of “customer”

1. Who is the “customer” when an account is opened by an individual who has power-of-attorney for a competent person who is the named owner of the account?

The CIP rule provides that a “customer” generally is “a person that opens a new account.” 31 C.F.R. § 103.121(a)(3)(i)(A). When an account is opened by an individual who has power-of-attorney for a competent person, the individual with a power-of-attorney is merely an agent acting on behalf of the person that opens the account. Therefore, the “customer” will be the named owner of the account rather than the individual with a power-of-attorney over the account. By contrast, an individual with power-of-attorney will be the “customer” if the account is opened for a person who lacks legal capacity. 31 C.F.R. § 103.121(a)(3)(i)(B)(1). (January 2004)

2. Is a person who becomes co-owner of an existing deposit account a “customer” to whom the CIP rule applies?

Yes, a person who becomes the co-owner of an existing deposit account is a “customer” subject to the CIP rule because that person is establishing a new account relationship with the bank. (January 2004)

3. Is a new borrower who is substituted for an existing borrower through an assumption of a loan a “customer” to whom the CIP rule applies?

Yes, a new borrower who is substituted for an existing borrower through an assumption of a loan is a “customer” because the new borrower is establishing a new account relationship with the bank. (January 2004)

4. The CIP rule requires a bank to verify the identity of each “customer.” Under the CIP rule, a “customer” generally is defined as “a person that opens a new account.” If a pension plan administrator chooses to remove a former employee from the plan pursuant to section 657(c) of the Economic Growth and Tax Relief Reconciliation Act of 2001 (EGTRRA), it is required by law to transfer these funds to a financial institution. In addition, an administrator of a terminated plan may remove former employees that it is unable to locate, by transferring their benefits to a financial institution. Would a plan administrator or the former employee be a bank “customer” where funds are transferred to a bank and an account established in the name of the former employee, in either of these situations?

In either situation, the administrator has no ownership interest in or other right to the funds, and therefore, is not the bank’s “customer.” Nor would we view the administrator as acting as the customer’s agent when the administrator transfers the funds of former employees in these situations. A customer relationship arises and the requirements of the rule are implicated when the former employee “opens” an account. While the former employee has a legally enforceable right to the funds that are transferred to the bank, the employee has not exercised that right until he or she contacts the bank to assert an ownership interest. Thus, in light of the requirements imposed on the plan administrator under EGTRRA, as well as the requirements in connection with plan terminations, the former employee will not be deemed to have “opened a new account” for purposes of the CIP rule until he or she contacts the bank to assert an ownership interest over the funds, at which time a bank will be required to implement its CIP with respect to the former employee.

This interpretation applies only to (1) transfers of funds as required under section 657(c) of EGTRRA, and (2) transfers to banks by administrators of terminated plans in the name of participants that they have been unable to locate, or who have been notified of termination but have not responded, and should not be construed to apply to any other transfer of funds that may constitute opening an account. (January 2004)

5. A bank is an agent for a (bank) credit card issuer. The cards are co-branded, and the two banks share in the revenue from the cards issued. However, the issuer approves the credit card applications and handles collections. Is a person who obtains a credit card a customer of the agent bank or the card issuer?

A person who receives a credit card is receiving an extension of credit from, and therefore is establishing an account with, the issuing bank. The agent bank is compensated by the issuing bank and not by the customer. For these reasons, the issuing bank is responsible for ensuring that its CIP applies to the customer. However, the agent bank may perform parts of the CIP on behalf of the issuing bank. As with any other responsibility performed by an agent, the issuing bank ultimately is responsible for the agent’s compliance with the requirements of the CIP rule. See 68 FR 25090, 25104 (May 9, 2003). Alternatively, the issuing bank may rely upon the agent bank to perform elements of its CIP, provided that the issuing bank is able to satisfy the requirements of the reliance provision, 31 C.F.R. § 103.121(b)(6), including the requirement that the person be a customer of both the issuing and agent bank. (January 2004)

6. Does the CIP rule prohibit a minor from opening an account?

No, the CIP rule does not bar a minor from opening an account. It merely states that the bank’s “customer” is the individual who opens the account for an individual who lacks legal capacity, such as a minor. In other words, if a parent opens an account for a minor, the bank’s customer is the parent. If, however, a minor opens the account, then the minor is the bank’s customer. For example, where a bank sends its employees to elementary schools so that students may open savings accounts as part of a program to promote financial literacy, a student opening an account is the bank’s customer. In this situation, as for all customers, the bank should get the name, address, date of birth, and taxpayer identification number of the student. Since verification procedures are risk-based, banks can use any reasonable documentary or non-documentary method to verify a student’s identity. In this case, the bank might verify a student’s identity using a student identification card or by having the student’s teacher confirm the student’s identity. (April 2005)

7. The definition of “account” excludes accounts opened for the purpose of participating in an employee benefit plan established under the Employee Retirement Income Security Act of 1974 (ERISA). In the case of a trust, custodial, or other administrative account established by an employer at a bank to maintain and administer assets under a non-ERISA employee retirement, benefit, or deferred compensation plan, who is the bank's "customer?" Is a participant in or beneficiary of such an account the “customer?”

In the case of these accounts (including, for example, accounts established by governmental entities to administer retirement or benefit plans or by employers to administer stock option or restricted stock plans) that are established as trusts, the bank’s “customer” will be the trust established by the employer to maintain the assets. If the account is not a trust, the bank’s “customer” will be the employer that contracts with the bank to establish the account.* Based on the bank’s risk assessment of any new account opened by a customer that is not an individual, the bank may need “to obtain information about” individuals with authority or control over such an account, including signatories, in order to verify the customer’s identity. See 31 C.F.R. § 103.121(b)(2)(ii)(C).

For purposes of the CIP rule, a participant in or beneficiary of such an account will not be deemed to be the bank’s “customer,” as such a person will not have initiated the relationship with the bank. The account will not be considered opened by the employee even if a subaccount is maintained in the employee’s name, or the employee is able to make deposits into the account, so long as such ability to make deposits is limited to rolling over assets from another plan, purchasing securities or exercising options to purchase securities issued by the employer, or repaying a loan, in accordance with the terms of the plan. By contrast, where an individual opens an individual retirement account in a bank, the individual who opens the account is the bank’s “customer.” (April 2005)

* Note, however, that the CIP rule will not apply if the employer is exempt from the definition of “customer” under 31 C.F.R. § 103.121(a)(3)(ii).

8.  Does the definition of “customer” include the relationship with an investor that is established when a bank acts as a registered transfer agent for an issuer, for example, when it effects transactions for the investor in the securities of an issuer as part of the issuer’s dividend reinvestment plan or as part of the plan or program for the purchase or sale of that issuer’s shares in a manner that does not cause the bank to be a broker under the Securities Exchange Act of 1934?

No. A bank that is a registered transfer agent is acting as agent of the issuer of securities. The relationship with the investor does not constitute a “formal banking relationship established to engage in services, dealings, or other financial transactions” with the investor in these situations. Thus, the bank’s relationship with the investor does not constitute a “customer” relationship.

With respect to a bank acting as a transfer agent for its own securities, such bank is dealing with shareholders as shareholders and not as customers. (April 2005)

9. Who is the “customer” for purposes of trust accounts? Does it make a difference whether the bank or a third party is trustee for the trust?

In the case of a trust account, the “customer” is the trust whether or not the bank is the trustee for the trust. “A bank will not be required to look through trust, escrow, or similar accounts to verify the identities of beneficiaries and instead will only be required to verify the identity of the named accountholder.” See 68 FR 25090, 25094 (May 9, 2003). However, the CIP rule also provides that, based on the bank’s risk assessment of a new account opened by a customer that is not an individual, the bank may need “to obtain information about” individuals with authority or control over such an account, including signatories, in order to verify the customer’s identity. See 31 C.F.R. § 103.121(b)(2)(ii)(C). For example, in certain circumstances involving revocable trusts, the bank may need to gather information about the settlor, grantor, trustee, or other persons with the authority to direct the trustee, and who thus have authority or control over the account, in order to establish the true identity of the customer. (April 2005)

10.  Who is the “customer” for purposes of escrow accounts?

An escrow account is an account generally established for the deposit of funds that are to be paid to a specified party on the fulfillment of escrow conditions or returned. If a bank establishes an account in the name of a third party, such as a real estate agent, who is acting as escrow agent, then the bank’s customer will be the escrow agent. If the bank is the escrow agent, then the person who establishes the account is the bank’s “customer.” For example, if the purchaser of real estate directly opens an escrow account and deposits funds to be paid to the seller upon satisfaction of specified conditions, the bank’s customer will be the purchaser. Further, if a company in formation establishes an escrow account for investors to deposit their subscriptions pending receipt of a required minimum amount, the bank’s customer will be the company in formation (or if not yet a legal entity, the person opening the account on its behalf). “A bank will not be required to look through trust, escrow, or similar accounts to verify the identities of beneficiaries and instead will only be required to verify the identity of the named accountholder.” See 68 FR 25090, 25094 (May 9, 2003). However, the CIP rule also provides that, based on the bank’s risk assessment of a new account opened by a customer that is not an individual, the bank may need “to obtain information about” individuals with authority or control over such an account, including signatories, in order to verify the customer’s identity. See 31 C.F.R. § 103.121(b)(2)(ii)(C). (April 2005)

31 C.F.R. § 103.121(a)(3)(ii)(C) – Person with an existing account

1. A loan and a time deposit are each an “account” for purposes of the CIP rule.  How do the requirements of the CIP rule apply to a loan that is renewed, or a certificate of deposit that is rolled over?

The CIP rule applies to a “customer,” generally, “a person that opens a new account.” 31 C.F.R. § 103.121(a)(3)(i). (Emphasis added.) “Account” means a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including a deposit account, a transaction or asset account, a credit account, or other extension of credit. 31 C.F.R. § 103.121(a)(1)(i). For purposes of the CIP rule, each time a loan is renewed or a certificate of deposit is rolled over, the bank establishes another formal banking relationship and a new account is established. However, the rule provides that the term “customer” does not include a person that has an existing account with the bank, provided that the bank has a reasonable belief that it knows the true identity of the person. 31 C.F.R. § 103.121(a)(3)(ii)(C). In each of these cases, the customer has an existing account. Therefore, as long as the bank has a reasonable belief that it knows the person’s true identity, the bank need not perform its CIP when a loan is renewed or certificate of deposit is rolled over. However, if a new customer is added to the loan or deposit account, the bank would need to satisfy the CIP rule with respect to that new account relationship. (January 2004)

2. Does the exclusion from the definition of “customer” in 31 C.F.R. § 103.121(a)(3)(ii)(C) for a person with an existing account extend to a person who has had an account with the bank in the last twelve months but who no longer has an account?

No, this provision only excludes from the definition of “customer” a person that at the time a new account is opened currently “has an existing account with the bank,” and only if the bank has a reasonable belief that it knows the true identity of the person. Therefore, for example, when a person has a deposit account and subsequently obtains a loan, the person has an existing account with the bank.  Conversely, a person would not be deemed to have an existing account at the bank if the person had a loan, paid it off, and twelve months later obtains a new loan. (January 2004)

3. How can a bank demonstrate that it has “a reasonable belief that it knows the true identity of a person with an existing account” with respect to persons that had accounts with the bank as of October 1, 2003?

Among the ways a bank can demonstrate that it has “a reasonable belief” is by showing that prior to the issuance of the final CIP rule, it had comparable procedures in place to verify the identity of persons that had accounts with the bank as of October 1, 2003, though the bank may not have gathered the very same information about such persons as required by the final CIP rule. Alternative means include showing that the bank has had an active and longstanding relationship with a particular person, evidenced by such things as a history of account statements sent to the person, information sent to the IRS about the person’s accounts without issue, loans made and repaid, or other services performed for the person over a period of time. This alternative, however, may not suffice for persons that the bank has deemed to be high risk. (January 2004)

4. Can a bank exclude from the definition of “customer” a person that has an existing account with its affiliate?

No, a person that has an existing account with a bank affiliate does not qualify as “a person who has an existing account with the bank” within the meaning of 31 C.F.R. § 103.121(a)(3)(ii)(C). However, the bank may be able to rely on its affiliate to perform elements of its CIP, as provided in 31 C.F.R. § 103.121(b)(6). (January 2004)

31 C.F.R. § 103.121(b)(2)(i) – Information required

1. What address should be obtained for customers who live in rural areas who do not have a residential or business address or the residential or business address of next of kin or another contact individual? For example, is a rural route number acceptable?

Yes, the number on the roadside mailbox on a rural route is acceptable as an address. A rural route number, unlike a post office box number, is a description of the approximate area where the customer can be located. In the absence of such a number, and in the absence of a residential or business address for next of kin or another contact individual, a description of the customer’s physical location will suffice. (January 2004)

2. Can a bank open an account for a U.S. person that does not have a taxpayer identification number?

No, the bank cannot unless the customer has applied for a taxpayer identification number, the bank confirms that the application was filed before the customer opened the account, and the bank obtains the taxpayer identification number within a reasonable period of time after the account is opened. Note, however, that a bank does not need to obtain a taxpayer identification number when opening a new account for a customer that has an existing account, as long as the bank has a reasonable belief that it knows the true identity of the customer. A bank may also open an account for a person who lacks legal capacity with the identifying information, including taxpayer identification number, of an individual who opens an account for that person. (January 2004)

3. The CIP rule requires a bank to obtain a taxpayer identification number from the customer prior to opening an account from a customer that is a U.S. person. When the bank’s customer is a trust, what taxpayer identification number should the bank obtain?

The taxpayer identification number for a trust is the trust’s employer identification number (EIN). If the trust is not required to have an EIN under the tax laws, then the bank may obtain the grantor’s taxpayer identification number, consistent with section 6109 of the Internal Revenue Code and the regulations thereunder. (April 2005)

31 C.F.R. § 103.121(b)(2)(ii) – Customer verification

1. Must a bank verify the accuracy of all of the identifying information it collects in connection with 31 C.F.R. § 103.121(b)(2)(i)?

The final rule provides that a bank’s CIP must contain procedures for verifying the identity of the customer, “using the information obtained in accordance with paragraph (b)(2)(i),” namely the identifying information obtained by the bank. 31 C.F.R. § 103.121(b)(2)(ii). A bank need not establish the accuracy of every element of identifying information obtained but must do so for enough information to form a reasonable belief it knows the true identity of the customer. See 68 FR 25090, 25099 (May 9, 2003). (January 2004)

2. Can a bank use an employee identification card as the sole means to verify a customer’s identity?

A bank using documentary methods to verify a customer’s identity must have procedures that set forth the documents that the bank will use. The CIP rule gives examples of types of documents that have long been considered primary sources of identification and reflects the Agencies’ expectation that banks will obtain government-issued identification from most customers. However, other forms of identification may be used if they enable the bank to form a reasonable belief that it knows the true identity of the customer. Nonetheless, given the availability of counterfeit and fraudulently obtained documents, a bank is encouraged to obtain more than a single document to ensure that it has a reasonable belief that it knows the customer’s true identity. (January 2004)

3. Can a bank use an electronic credential, such as a digital certificate, as a non-documentary means to verify the identity of a customer that opens an account over the Internet or through some other purely electronic channel?

A bank may obtain an electronic credential, such as a digital certificate, as one of the methods it uses to verify a customer’s identity. However, the CIP rule requires the bank to have a reasonable belief that it knows the true identity of the customer. Therefore, for example, the bank is responsible for ensuring that the third party uses the same level of authentication as the bank itself would use. See also FFIEC guidance titled “Authentication in an Electronic Banking Environment” (July 30, 2001). (January 2004)

4. How should a bank verify the identity of a partnership that opens a new account when there are no documents or non-documentary methods that will establish the identity of the partnership?

A bank opening an account for such a partnership must undertake additional verification by obtaining information about the identity of any individual with authority or control over the partnership account, in order to verify the partnership’s identity, as described in 31 C.F.R. § 103.121(b)(2)(ii)(C). (January 2004)

5. How should a bank verify the identity of a sole proprietorship that opens a new account (such as an account titled in the name of an individual “doing business as” a sole proprietorship) when there are no documents or non-documentary methods that will establish the identity of the sole proprietorship?

In some states, sole proprietorships are required to file “fictitious” or “assumed name certificates.” Banks may choose to use these certificates as a means to verify the identity of a sole proprietorship, if appropriate. However, when there are no documents or non-documentary methods that will establish the identity of the sole proprietorship, the bank must undertake additional verification by obtaining information about the sole proprietor or any other individual with authority or control over the sole proprietorship account -- such as the name, address, date of birth, and taxpayer identification number of the sole proprietor, or any other individual with authority or control over the account -- in order to verify the sole proprietorship’s identity, as described in 31 C.F.R. § 103.121(b)(2)(ii)(C). (January 2004)

31 C.F.R. § 103.121(b)(3)(i) – Required records

1. Would it be acceptable to retain a description of the non-documentary customer verification method used (such as a consumer credit report or an inquiry to a fraud detection system) in a general policy or procedure instead of recording the fact that a particular method was used on each individual customer's record?

Yes, provided that the record cross-references the specific provision(s) of the risk-based procedures contained in the bank’s CIP used to verify the customer’s identity. (January 2004)

2. Can a bank keep copies of documents provided to verify a customer’s identity, in addition to the description required under 31 C.F.R. § 103.121(b)(3)(i)(B), even if it is not required to do so?

Yes, a bank may keep copies of identifying documents that it uses to verify a customer’s identity. A bank’s verification procedures should be risk-based and, in certain situations, keeping copies of identifying documents may be warranted. In addition, a bank may have procedures to keep copies of documents for other purposes, for example, to facilitate investigating potential fraud. (These documents should be retained in accordance with the general recordkeeping requirements in 31 C.F.R. § 103.38.) Nonetheless, a bank should be mindful that it must not improperly use any document containing a picture of an individual, such as a driver’s license, in connection with any aspect of a credit transaction. (January 2004)

31 C.F.R. § 103.121(b)(3)(ii) – Retention of records

1. Does the original information obtained during account opening have to be retained or can the bank satisfy the recordkeeping requirement by just keeping updated information about the customer, i.e., the customer’s current address?

The CIP rule requires that a bank retain the identifying information obtained about the customer at the time of account opening for five years after the date the account is closed or, in the case of credit card accounts, five years after the account is closed or becomes dormant. 31 C.F.R. § 103.121(b)(3)(ii). Updated information serves valuable, but different, purposes. (January 2004)

2. If the bank requires a customer to provide more identifying information than the minimum during the account opening process, does it have to keep this information for more than five years?

The bank must keep for five years after the account is closed, or in the case of credit card accounts, five years after the account is closed or becomes dormant, all identifying information it gathers about the customer to satisfy the requirements of § 103.121(b)(2)(i) of the CIP rule. 31 C.F.R. § 103.121(b)(3)(ii). This would include any identifying information the bank will use, at the time the account is opened, to establish a reasonable belief it knows the true identity of the customer. So, for example, if the bank obtains other identifying information at account opening in addition to the minimal information required, such as the customer's phone number, then the bank must keep that information. (January 2004)

3. How does the record retention period apply to a customer who simultaneously opens multiple accounts in the bank?

If several accounts are opened for a customer simultaneously, all identifying information about a customer obtained under 31 C.F.R. § 103.121(b)(2)(i) must be retained for five years after the last account is closed or, in the case of credit card accounts, five years after the last account is closed or becomes dormant. All remaining records must be kept for five years after the records are made. (January 2004)

4. How does the record retention period apply to a situation where a bank sells a loan but retains the servicing rights to the loan?

When a bank sells a loan, the account is “closed” under the record retention provision (31 C.F.R. § 103.121(b)(3)(ii)), regardless of whether the bank retains the servicing rights to the loan. Thus, a bank should keep the records of identifying information about a customer for five years after the date that the loan is sold, as required by 31 C.F.R. § 103.121(b)(3)(i)(A). Any other record required by 31 C.F.R. § 103.121(b)(3)(i) must be kept for five years after the record is made. (April 2005)

31 C.F.R. § 103.121(b)(4) – Section 326 List

1. Has a list of known or suspected terrorists or terrorist organizations been designated for purposes of the CIP rule?

No such list has been designated to date. Banks will be contacted by their functional regulators when a list is issued. As of the time of publication, lists published by OFAC have not been designated as lists for purposes of the CIP rule. Of course, banks are separately obligated to check these lists in accordance with OFAC’s regulations. (January 2004)

31 C.F.R. § 103.121(b)(5) – Customer notice

1. Does a bank have to provide notice to all owners of a joint account?

Yes, notice must be provided to all owners of a joint account. In addition, notice must be provided “in a manner reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account.” 31 C.F.R. § 103.121(b)(5)(ii). The Agencies agree that a bank may satisfy this requirement by directly providing the notice to any one accountholder of a joint account for delivery to the other owners of the account. Similarly, the bank may open a joint account using information about each of the accountholders obtained from one accountholder, acting on behalf of the other joint accountholders. (January 2004)

2. How should a bank provide notice to its customer when it engages in indirect lending through a third party such as a mortgage broker or car dealer?

When a mortgage broker or car dealer is acting as the bank’s agent in connection with a loan, the bank may delegate to its agent the obligation to perform the requirements of the bank’s CIP rule. In contrast to the reliance provision in the CIP rule, the bank is ultimately responsible for its agent’s compliance with the rule. Depending upon the manner in which the account is opened, the agent can provide notice to the bank’s customer, for example, by posting a sign, printing the notice on the loan application given to the customer, orally providing the notice, or by providing the notice in any manner that is reasonably designed to ensure that the customer is given notice before opening an account. (January 2004)

31 C.F.R. § 103.121(b)(6) – Reliance

1. Where a bank is entitled to “rely” on another financial institution to perform its CIP, whose CIP must the relied-upon financial institution implement?

The reliance provision does not impose on the other financial institution the obligation to duplicate the procedures in the bank’s CIP. The reliance provision permits a bank to rely on another financial institution to perform any of the procedures of the bank’s CIP, meaning, any of the elements that the CIP rule requires to be in a bank’s CIP: (1) identity verification procedures, which include collecting the required information from customers and using some or all of that information to verify the customers’ identities; (2) keeping records related to the CIP; (3) determining whether a customer appears on a designated list of known or suspected terrorists or terrorist organizations; and (4) providing customers with adequate notice that information is being requested to verify their identities.

Note that a bank can only use the reliance provision when the other financial institution is regulated by a Federal functional regulator and is subject to a general BSA compliance program rule, they share the customer, the bank can show its reliance upon the other financial institution’s performance of an element of the bank’s CIP was reasonable under the circumstances, and the requisite contract is signed and certifications provided. (January 2004)

2. When a longstanding customer of another financial institution (including an affiliate) opens a new account at the bank, can a bank rely on the other financial institution’s verification of the identity of the customer performed before a CIP procedure was required?

A bank that is subject to the CIP rule may rely on another financial institution’s verification of the identity of the customer if the requirements of the reliance provision are satisfied. The bank would have to be able to demonstrate that such reliance upon the other financial institution’s verification of the identity of the customer is reasonable under the circumstances. For example, the bank could do so by reviewing the relied-upon institution’s procedures to ensure that they were adequate although the institution was not yet subject to a CIP rule when it verified the customer’s identity.

In addition, even when a bank is relying on the verification of identity performed by another institution, the bank would continue to be responsible for complying with all remaining requirements of the CIP rule, namely, the requirement that it keep records, provide customer notice, and as soon as a section 326 list has been designated, check the list when a new account is opened. (January 2004)

VII.     CONCLUSION

The CIP regulations affect deposit products, certain nondepository products, lending activities and other formal relationships, meaning that current account opening procedures will be expanded and will require more comprehensive compliance policies and procedures. Therefore, the appropriate financial institution personnel should be actively involved in designing and implementing a customer identification program, and all personnel should be appropriately trained in compliance with the program. Customer identity verification has risen from the level of an institution’s “policy” to a “legal” requirement.

Since the regulations are largely “risk based,” a financial institution will be allowed quite a bit of latitude in making decisions as to how to devise a CIP policy and implement a program, so long as it can demonstrate that it has assessed the risks.
