The federal regulatory agencies have released interagency guidance to assist the banking industry in complying with the Customer Identification Program requirements under Section 326 of the USA Patriot Act. This guidance is not intended to answer every compliance question, but it does shed some light on examiner expectations.
Regulators again emphasize that four-letter word: risk. Every organization, regardless of size or charter, is expected to implement Bank Secrecy Act policies and procedures that address its risk of money-laundering activity. To measure risk, institutions must evaluate the types of accounts offered and maintained, methods for opening accounts, their size and location, and their customer base. Based on this assessment, institutions can then develop policies and procedures to manage the risk identified.
Areas of heightened risk need to be met with more stringent identification and verification practices. Compliance under Section 326 doesn't follow a one-size-fits-all approach. The law sets out minimum requirements, including the four basic pieces of identifying information to request from an individual customer: name, address, taxpayer-identification number and date of birth. The key word here is "minimum." Areas of potential risk for knowing the customer's true identity will necessitate taking the verification process a step further.
There has been some confusion over whether the CIP regulation applies to subsidiaries. The CIP does not apply to foreign subsidiaries outside the U.S nor to nonbank subsidiaries. They do, however, apply to bank subsidiaries. Entities that function as operating subsidiaries are subject to the same requirements as their parent bank.
The guidance spends a fair amount of space discussing which party the CIP should be applied to when dealing with third-party accounts. For accounts opened by someone with power of attorney, the application of the CIP depends on whether the true owner of the account has legal capacity. If an account is opened on behalf of a competent person, then the person with power of attorney is simply an agent and the CIP should be applied to the party on whose behalf the account is being opened. If the person with POA is opening an account on behalf of a person who lacks legal capacity, then the person with POA is the customer for CIP purposes.
With respect to accounts opened by a minor, it is important to recognize that the CIP regulations do not prohibit a minor from holding an account. Your state law and bank policy will dictate whether minors are permitted to open a deposit account. For CIP purposes, if the minor opens the account, then he is the customer. If an account is opened on behalf of a minor, such as under a Uniform Gifts to Minors Act statute, then the customer is the individual opening the account on behalf of the child.
The CIP regulations generally apply to customers opening new accounts. The term "customer" does not include those persons who have an existing account with you if you have a reasonable belief that you know his true identity. The "existing customer" exception has raised questions regarding how to handle loan renewals or certificates of deposit. Each time a loan is renewed or CD rolled over, a new account is opened-but there is no new customer. Therefore, a CIP is not required. When working with customers with relationships established before the CIP regulations were implemented, a bank needs to determine whether account-opening and know-your-customer procedures were comparable to the CIP regulations. Except for high-risk customers, the guidance provides a somewhat more relaxed standard for demonstrating an existing customer's true identity: by showing a longstanding relationship through account statements.
Accounts cannot be opened for U.S. customers that don't have a TIN, unless they can prove an application has been filed, and the number is obtained within a reasonable amount of time. The bottom line: Be sure your organization has a policy.
A number of issues are raised about the verification-of-identification process. Although a customer provides information when he opens an account, banks are not require to verify its accuracy. The guidance reiterates that institutions must have procedures that outline which documents will be used, but regulators expect banks to use government-issued forms of identification and encourage the use of multiple documents. What if an identity cannot be verified? Banks need to dig deeper and look at individuals with authority or control over the business account. This practice should also be followed when dealing with entities that pose a high risk for potential money-laundering activity, such as money-services businesses.
