4 Ways Identity Authentication Helps Financial Institutions Comply with the Bank Secrecy Act

As of this writing in June 2021, fraud and cyber crimes are running rampant and unabated throughout our global economy.

• Rogue state or organized cybercriminals continue to plunder millions from companies that fall victim to ransomware, yielding to its threat to lock up or destroy an organization’s database and systems. Homeland Security Secretary Alejandro Mayorkas estimated that $350 million in ransom payments were paid out last year.
• Per the FTC, pandemic stimulus fraud has cost Americans $382 million since January 2020
• In March of this year, the Justice Department told Congress that it charged $446 million in losses related to PPP fraud

But long before COVID-19 brought our society to a screeching halt and paved the way to these fraud events and headlines, financial institutions (FI) had long run afoul of laws designed to stop criminals from exploiting our financial system and prevent fraudulent transactions such as money laundering.

The United States Bank Secrecy Act (BSA) was created in 1970 to prevent financial institutions from being used by criminals to hide or launder their ill-gotten gains. Also known as the “Currency and Foreign Transactions Reporting Act”, the BSA aims to detect and prevent money laundering by requiring financial institutions to provide clear procedures and records documentation to federal regulators.

Transaction documentation can be required when FI clients deal with cash transactions in excess of $10,000, and the FI’s must report suspicious activity that may indicate money laundering, tax evasion, or other criminal activities.

For a more comprehensive overview of BSA’s scope and reporting requirements, please review the FraudFighter BSA education page on our website.

BSA Violation Types and Fines

The U.S. Department of Treasury defines violations of regulation 31 CFR 103 (Financial Recordkeeping and Reporting of Currency and Foreign Transactions) as:

• Failure to adequately identify and report large cash transactions in a timely manner
• Failure to report Suspicious Activities, such as deposit layering or structuring cash transactions
• Failure to reasonably identify and verify customer identity
• Failure to maintain adequate documentation of financial transactions, such as the purchase or sale of monetary instruments and originating or receiving wire transfers.

This article will focus on the role that Identity Authentication plays in successful BSA compliance.

The US government can and has imposed major statutory penalties for BSA violations, with fines that have reached into the millions and even billions of dollars:

• Y2012: HSBC paid $1.2 billion as settlement for money laundering activities
• Y2018: US Bancorp was fined $613 million for BSA violations
• And in January of this year, Capital One was assessed a $390 million penalty for its BSA violations:
  • Failure to implement an Anti-Money Laundering (AML) program
  • Failure to file Suspicious Activity Reports (SARs)
  • Failure to file Currency Transaction Reports (CTRs)

Specifically, between 2008-2014, Capital One failed to report millions of dollars in suspicious transactions, including proceeds connected to organized crime, tax evasion, fraud, and other financial crimes laundered through the bank into the U.S. financial system.

Beyond the financial consequences of non-compliance, FI’s that run afoul of the BSA also risk reputational damage -- losing the confidence of their customers and employees. Complying with the BSA certainly represents an operational and administrative challenge, but there exists robust tools such as forensic level identity authentication and data analytics platforms designed to make the process less onerous.

Specific BSA requirements that can benefit from Identity Authentication solutions

1) Submission of Currency Transaction Report (CTR)

Financial institutions must submit currency transaction reports (CTR) given transactions exceeding $10,000 in one business day, regardless of whether it is in one transaction or several cash transactions. The report is electronically filed with the Financial Crimes Enforcement Network (FinCEN) and is identified as FinCEN Form 112 (formerly Form 104).

Financial institutions are required to provide the following information on the CTR for the customer conducting the transaction:

• Name
• Physical street address (a post office box number is not acceptable)
• Social security number (SSN) or taxpayer identification number (TIN) (for non-U.S. residents)
• Date of birth

The documentation type used to verify the identity of the individual conducting the transaction should be specified (Government issued identity documents such as driver’s license, passport, Real ID, military ID).

2) Implementation of a Customer Identification Program (CIP)

Section 326 of the USA PATRIOT Act, which is implemented by 31 CFR 103.121, requires financial institutions to develop and deploy a Customer Identification Program (CIP) appropriate for its size and type of business.

The definition and scope of “financial institutions” encompasses banks, agencies and branches of foreign banks in the U.S., thrifts, credit unions, private banks, trust companies, investment companies, brokers and dealers in securities, futures commission merchants, insurance companies, travel agents, pawnbrokers, dealers in precious metals, check cashers, casinos, and many others identified in regulation 31 USC 5312.

The CIP details procedures for:

• Verifying a customer’s true identity and defining the methodologies used in the verification process
• Collecting specific identifying information from each customer when opening an account
• Responding to circumstances and defining the actions taken when a customer’s true identity cannot be appropriately verified with “reasonable belief”
• Maintaining appropriate records during the collection and verification of a customer’s identity
• Verifying a customer’s name against specified terrorist lists
• Providing customers with adequate notice that the bank is requesting identification to verify their identity

For customers who already have an established account with a financial institution, these CIP procedures would not be required provided the FI had a “reasonable belief” that it knows the true identity of their customer. As such,

if the existing customer were to open an additional account, or renew or roll over an existing account, CIP procedures would not be required.

A bank can prove a prior relationship with its customer by:

• Demonstrating that it had similar procedures in place to verify identity prior to the effective date of the CIP rule
• Providing a history of account statements sent to the customer
• Maintaining account information sent to the IRS regarding the customer’s accounts accompanied by IRS replies that contain no negative comments
• Providing evidence of loans made and repaid, or other services performed for the customer over a period of time

An important caveat to note is that these “known-customer” actions may not be sufficient for potentially high risk account holders.

An example of a high risk customer would be an import/export business where the only identity information the bank had on file was a duplicate passport with no additional business information available. In this instance, the bank should follow all of the 31 CFR 103.121 CIP procedures since it does not have sufficient information to form a “reasonable belief” of the true identity of their account holder.

3) Establish a “Risk-focused” approach to verifying customer identity

Financial institutions should have a risk-focused approach when forming a CIP to verify their customers’ identities.

While a FI does not need to confirm the accuracy of every single identity element when opening a customer account, it must have enough information to form a “reasonable belief” that it knows the true identity of their customer.

At a minimum, the risk-focused procedures must be based on, but not limited to, the following factors:

• Risks presented by the various types of accounts offered by the bank
• Various methods of opening accounts provided by the bank
• Various sources and types of identifying information available
• The bank’s size, location, and customer base

Further, a bank’s CIP procedures must state when the bank will use documentary verification methods,

non-documentary verification methods, or a combination of both methods:

Documentary Verification:

• Unexpired government-issued identification such as a driver’s license or passport that proves customer nationality or residence

Non-Documentary Verification:

A bank can choose to accept and use non-documentary identity verification methods that are approved and incorporated into its CIP, including:

• Contacting the customer
• Checking references with other financial institution
• Obtaining financial statements
• Independently verifying the customer’s identity via
  • Consumer reporting agencies (Experian, Equifax, TransUnion)
  • Public databases (Lexis Nexis, Dunn and Bradstreet)
  • Other sources (utility bills, phone books, voter registration bills)

Examples of when banks might look to employ non-documentary identity verification procedures:

• The inability of its customer to present an unexpired government-issued identification document that bears a photograph or similar safeguard
• A bank’s unfamiliarity with the identity documents presented
• Accounts opened without obtaining documents
• Accounts opened remotely without the customer physically present at the bank

4) Establish Recordkeeping procedures

The bank’s CIP must include recordkeeping procedures for:

• Identity document’s type, unique identification number, the place and date of issuance, and date of expiration
• Methods and measures of non-documentary verification procedures
• Information on discrepancies discovered when verifying a customer’s identity information

As regards photocopies of identity documents, banks are not required to make and retain copies, but if they do, they must ensure that these photocopies are secured against theft. Additionally, the ID copies should not be stored alongside a customer’s credit files in order to avoid any potential problems with consumer compliance regulations.

Identity document required retention period

In the event of account closure, all of the customer’s identity information that was collected upon account opening must be retained for five years after the account is closed. For credit card accounts, ID information must be kept for five years after the account is closed or becomes dormant.

Documentary and non-documentary verification procedures (and any descriptions of substantive discrepancy resolution) must be retained for five years after the record is made.

If a customer simultaneously opened several accounts at a bank, the required customer identifying information obtained at account opening must be retained for five years after the last account is closed. In the case of credit card accounts, ID information must be kept five years after the last account is closed or becomes dormant.

For over 20 years, Financial Institutions have trusted and relied upon UVeritech for currency and identity authentication solutions to ensure regulation compliance, avoid risk and losses, and thrive throughout numerous cycles of uncertainty. Contact us today to establish an identity proofing solution configured specifically for your needs, to best serve your customers.