As of this writing in June 2021, fraud and cyber crimes are running rampant and unabated throughout our global economy.
But long before COVID-19 brought our society to a screeching halt and paved the way to these fraud events and headlines, financial institutions (FI) had long run afoul of laws designed to stop criminals from exploiting our financial system and prevent fraudulent transactions such as money laundering.
The United States Bank Secrecy Act (BSA) was created in 1970 to prevent financial institutions from being used by criminals to hide or launder their ill-gotten gains. Also known as the “Currency and Foreign Transactions Reporting Act”, the BSA aims to detect and prevent money laundering by requiring financial institutions to provide clear procedures and records documentation to federal regulators.
Transaction documentation can be required when FI clients deal with cash transactions in excess of $10,000, and the FI’s must report suspicious activity that may indicate money laundering, tax evasion, or other criminal activities.
For a more comprehensive overview of BSA’s scope and reporting requirements, please review the FraudFighter BSA education page on our website.
The U.S. Department of Treasury defines violations of regulation 31 CFR 103 (Financial Recordkeeping and Reporting of Currency and Foreign Transactions) as:
This article will focus on the role that Identity Authentication plays in successful BSA compliance.
The US government can and has imposed major statutory penalties for BSA violations, with fines that have reached into the millions and even billions of dollars:
Specifically, between 2008-2014, Capital One failed to report millions of dollars in suspicious transactions, including proceeds connected to organized crime, tax evasion, fraud, and other financial crimes laundered through the bank into the U.S. financial system.
Beyond the financial consequences of non-compliance, FI’s that run afoul of the BSA also risk reputational damage -- losing the confidence of their customers and employees. Complying with the BSA certainly represents an operational and administrative challenge, but there exists robust tools such as forensic level identity authentication and data analytics platforms designed to make the process less onerous.
Financial institutions must submit currency transaction reports (CTR) given transactions exceeding $10,000 in one business day, regardless of whether it is in one transaction or several cash transactions. The report is electronically filed with the Financial Crimes Enforcement Network (FinCEN) and is identified as FinCEN Form 112 (formerly Form 104).
Financial institutions are required to provide the following information on the CTR for the customer conducting the transaction:
The documentation type used to verify the identity of the individual conducting the transaction should be specified (Government issued identity documents such as driver’s license, passport, Real ID, military ID).
Section 326 of the USA PATRIOT Act, which is implemented by 31 CFR 103.121, requires financial institutions to develop and deploy a Customer Identification Program (CIP) appropriate for its size and type of business.
The definition and scope of “financial institutions” encompasses banks, agencies and branches of foreign banks in the U.S., thrifts, credit unions, private banks, trust companies, investment companies, brokers and dealers in securities, futures commission merchants, insurance companies, travel agents, pawnbrokers, dealers in precious metals, check cashers, casinos, and many others identified in regulation 31 USC 5312.
The CIP details procedures for:
For customers who already have an established account with a financial institution, these CIP procedures would not be required provided the FI had a “reasonable belief” that it knows the true identity of their customer. As such,
if the existing customer were to open an additional account, or renew or roll over an existing account, CIP procedures would not be required.
A bank can prove a prior relationship with its customer by:
An important caveat to note is that these “known-customer” actions may not be sufficient for potentially high risk account holders.
An example of a high risk customer would be an import/export business where the only identity information the bank had on file was a duplicate passport with no additional business information available. In this instance, the bank should follow all of the 31 CFR 103.121 CIP procedures since it does not have sufficient information to form a “reasonable belief” of the true identity of their account holder.
Financial institutions should have a risk-focused approach when forming a CIP to verify their customers’ identities.
While a FI does not need to confirm the accuracy of every single identity element when opening a customer account, it must have enough information to form a “reasonable belief” that it knows the true identity of their customer.
At a minimum, the risk-focused procedures must be based on, but not limited to, the following factors:
Further, a bank’s CIP procedures must state when the bank will use documentary verification methods,
non-documentary verification methods, or a combination of both methods:
A bank can choose to accept and use non-documentary identity verification methods that are approved and incorporated into its CIP, including:
Examples of when banks might look to employ non-documentary identity verification procedures:
The bank’s CIP must include recordkeeping procedures for:
As regards photocopies of identity documents, banks are not required to make and retain copies, but if they do, they must ensure that these photocopies are secured against theft. Additionally, the ID copies should not be stored alongside a customer’s credit files in order to avoid any potential problems with consumer compliance regulations.
In the event of account closure, all of the customer’s identity information that was collected upon account opening must be retained for five years after the account is closed. For credit card accounts, ID information must be kept for five years after the account is closed or becomes dormant.
Documentary and non-documentary verification procedures (and any descriptions of substantive discrepancy resolution) must be retained for five years after the record is made.
If a customer simultaneously opened several accounts at a bank, the required customer identifying information obtained at account opening must be retained for five years after the last account is closed. In the case of credit card accounts, ID information must be kept five years after the last account is closed or becomes dormant.
For over 20 years, Financial Institutions have trusted and relied upon UVeritech for currency and identity authentication solutions to ensure regulation compliance, avoid risk and losses, and thrive throughout numerous cycles of uncertainty. Contact us today to establish an identity proofing solution configured specifically for your needs, to best serve your customers.
If you have followed the news at all lately, you have likely heard that financial institutions of...