The Bank Secrecy Act or BSA requires a written Customer Identification Program (CIP) for client identification verification. Banks particularly must have a CIP that is appropriate for their size and the types of transactions they engage in. The CIP must be approved by the banks board of directors and its implementation, including customer identification verification is not only a matter of compliance but necessary for protection from risk to the banks reputation.
Requirements for a Customer Identification Program (CIP)
The CIP must at least allow the bank to form a reasonable belief that it is satisfied of the true identity of the customer. The CIP must include procedures for opening an account including specific identifying information that the customer must present. It must also include a risk based procedure that is both reasonable and practical for customer identification verification. By conducting a risk assessment their products and customer base they can determine risks associated with:
- The types of accounts offered by the bank
- The banks method for opening accounts
- The types of identifying information available and
- The banks size, location, customer base, including the types of products and services used in different locations.
An account, according to the BSA, is any account that creates a formal banking relationship. This includes deposit accounts, transactional or asset accounts, credit accounts or any other extension of credit as well as the relationship associated with a safe deposit box, cash management, and custodial or trust services.
For Banks an account does not include check cashing, funds transfers or the sale of a check or money order. Nor is the CIP required for accounts acquired from another banking institution through merger, asset purchases, acquisition or an assumption of liabilities. Also, identification verification is not necessary for an account opened to participate in an employee benefit plan opened under ERISA.
The CIP applies not only to accounts but to customers or a "customer:" A customer is a person or entity including an individual, a corporation, LLC an estate or a trust or any other entity recognized as a legal person who opens an account. A person does not include a person whose loan is denied or does not otherwise receive banking services. It is interesting to note that a customer does not include an existing customer so long as the bank is reasonably certain they know the identity of the customer.
The information required for identification verification, at a minimum must include:
- Date of Birth for individuals (date of incorporation for corp or LLCs)
- identification number (either SS# TIN or Corporate ID #)
Depending on the level of risk involved (based on its risk assessment) banks may require additional information above and beyond the minimum listed.
The bank must verify the identity of its customer within a reasonable time of opening the account. Identification verification must at a minimum verify the identifying information stated above. There are two methods for identification verification namely: Document Verification and Non Documentary Verification.
Each bank must have procedures and policies in place setting forth the minimum acceptable documentation. The primary documentary verification evidence is a government issued ID that is valid at the time of opening the account. The identification must prove the customer's nationality or residence and have a photograph. Typically we are talking about a driver's license, state ID or passport.
Because there are over 1000 different designs and formats of U.S. State IDs and Driver Licenses, and passports from over 150 countries in the world, electronic verification of these documents is essential to prevent fraud and mistakes. It makes better sense and is a best practice to NOT RELY ON EMPLOYEES to make judgment calls as to the validity of a particular piece of identification. Identity scanners are the best course particularly one that has an updated (and up-datable) data base to draw upon for identification verification.
Nevertheless, given the extent of fraud and identity theft banks are well placed to seek more than one document in order to from a reasonable belief that they know the identity of their customer.
For a person that is not individual, banks must obtain documents that show the legal existence of the entity. This includes corporations, LLCs, trusts and partnerships. The necessary documents include articles of incorporation, articles of organization, a partnership agreement or trust instrument.
Non Documentary Verification
Although banks are not required to use non documentary methods to verify a customer's identity if they do they must document the procedure for non-documentary verification in the same manner as they do for documentary verification as part of their CIP. Non-documentary methods include:
- contacting a customer from the phone information provided
- independently verifying identity through a third party such as a credit reporting bureau, public database or other source and
- checking references with other financial institutions.
There are some situations in which non-documentary verification is the only way to be reasonably certain the bank knows the identity of its customer. These include:
- Where a document with a photograph cannot be produced
- The bank is not familiar with the docs presented
- The account is opened without obtaining any docs (i.e. to be verified later)
- Customer opens an account without personally appearing or
- There are other factors that increase the risk to the bank that it will be unable to verify its customer's true identity.
For customers that are not an individual the bank must obtain documentary or non-documentary identification verification on those individuals that will have signing authority (*or other control) over the account.
Record Keeping and Retention
A Bank CIP has to have written record keeping procedures which, at a minimum retain the identifying information for a period of five years. Again, this is an instance in which electronic identification verification is essential for record retention because it easily and digitally stores the information either on site or off site for access later when reporting.
Records required to be kept include:
- a doc that was relied on to verify identity including the date of issuance, place of issuance, issuing authority and expiration date
- the method and results of any non-documentary information
- the results of any discrepancy discovered.
There is also a requirement for comparing the identification verification information with government lists including anti-terror lists. Adequate customer notice must be given to the customer that the information will be used for that purpose. The language provided is probably familiar to most:
IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT — To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.
A Note On Third Parties
Nothing in the Rule relieves banks of their obligations under the BSA. However, they are allowed to contract with third parties for:
- Identification verification and
- record retention
These third party relationships can be very important to banks that conduct a substantial amount of identification verification. Using technology to verify authenticity of documentary evidence and using third parties to store and maintain the documentary evidence is a cost effective way to comply with the BSA CIP requirements.