How To Comply With PATRIOT Act's New Customer ID Rules

Register now

After months of anticipation, the U. S. Treasury Department issued final regulations implementing the Customer Identification Program (CIP) requirements of the USA PATRIOT Act on April 30. Credit unions across the nation must comply with these new regulations by Oct. 1.

Many of the originally proposed regulations created controversy within the financial services industry-generating numerous comments to regulators and Treasury. This dialogue provided Treasury with practical feedback and alternative ideas, many of which were taken to heart. The following is a high-level overview of the major requirements of the final regulation.


The proposed regulations covered situations where a member applied for an account. Troublesome areas in the proposed regs included definitions of the term "signatory" on the account and "member," as well as uncertainty as to whether parties such as guarantors or holders of powers of attorney were covered.

A number of questions surfaced regarding the event a beneficiary of an account (e.g. a trust or an IRA) became an account owner on the death of the originally named account holder. Many letters suggested limiting the definition to those who opened accounts.

The final rules apply to depository institutions and cover formal banking relationships such as deposit accounts, transaction or asset accounts, extensions of credit, safe deposit rentals and cash management, and custodian or trust services. Excluded are non-continuing dealings such as cashing checks, doing wire transfers or selling checks or money orders; accounts acquired through acquisitions, mergers or purchase; and accounts opened for employee benefit plans. "Members" include individuals, business entities and representatives of minors or informal groups, but the requirement to always verify signatories is gone, as is language about those "seeking" to open an account. Instead, the requirement is that in the event that a member that is not an individual cannot be directly verified, the credit union must obtain information about the individuals with control over the account to verify the member's identity.

Identity and Verification

Issues arose concerning the depth of the due diligence expected. Some commenters urged a credit union be allowed to rely on the member to identify and verify other persons with account access. Others supported a credit union being allowed to rely on the identification and verification procedures used by their intermediaries, affiliates, and service providers.

The final rules require members that open accounts to go through a risk-based identification process. Existing members are exempt if the credit union has a reasonable belief it knows their identity. Certain information must be collected such as name, address, and identification number. The member's identity must be verified within a reasonable time after the account is opened. Documents may be used or non-documentary means such as automated identity verification. There is a limited provision for reliance on the actions of other regulated institutions.

Government List Review

Many credit unions noted no specific list was named in the proposed rules. Several credit unions recommended required lists be named in the regulations, or, alternatively, be limited to those assembled by one agency, such as FinCEN.

The final regulations continue to say members must be checked against any government-issued list of known or suspected terrorists. Specific lists will be named in later guidance. The list-checking must be done within a reasonable time after the account is opened or earlier if required by federal law, regulation or directive. The full scope of this requirement will largely be dictated by the later guidance and directives. It is widely believed that a new list will be issued.

Adequate Notice

Industry representatives said Treasury needed to provide more specific details of adequate methods and language as well as assurance using the model language would provide a safe-harbor from liability.

The final rules provide members must be given notice if the credit union is requesting information to verify their identities. It may be given in any manner reasonably designed to ensure the member is able to view or get the notice before opening the account, such as by lobby poster, or on account applications. There is sample language in the regulation that may be used.

Records and Retention

The proposed regulations would have required credit unions to maintain records for five years from the date of the account closing-a departure from the traditional requirements for record keeping under other Bank Secrecy Act provisions. Many credit unions requested the requirement be based on the date of the account opening because other recording requirements are tracked from the same date. They also requested that the period of retention be eased to two years, because it is typically within this period that "sleeper" accounts (ones which begin to exhibit laundering or other troublesome activity after a period of quiet) will become active.

Credit unions also showed concern about the tension between the requirements to keep copies of any document relied upon to verify identity and other regulations. This appeared to fly in the face of regulators' historic stance against maintaining such copies, particularly in a credit file. Regulation B and ECOA prohibit the retention of certain information denoting race or sex and a photo ID would certainly make this information a part of the record. Also, various states have their own restrictions or prohibitions on photocopying driver's licenses that would bring the CIP requirements in direct conflict with state law without providing statutory preemption. Commenters suggested reworking this provision so that simply recording a driver's license number and state of issuance would meet the requirements. Alternatively, it was suggested statutory preemption be provided.

The final rules eliminate the requirement to maintain copies of identifying documents and all of the associated concerns. Instead, all identifying information, descriptions of any documents used (as opposed to keeping actual copies), descriptions of any nondocumentary methods used and the results, and resolutions of any discrepancies must be retained by the credit union. The identifying information must be retained for five years after the account is closed, but the remaining information only must be kept for five years after the record is made.


With final CIP regulations released, credit unions large and small now have their work cut out for them. It goes without saying the implementation of this new law will require extensive time and resources. However, by working with the government, credit unions can play a key role in the war against terrorism and protect themselves against the losses associated with fraudulent account activity.

Ted Dreyer is an attorney with Bankers Systems, Inc. For more comprehensive information regarding the final CIP regulations and tips on implementation, visit

For reprint and licensing requests for this article, click here.