Customer Identification Program Requirements
We Help Financial Institutions in the U.S. and Abroad Meet Their Federal Customer Identification Program (CIP) Requirements
The USA PATRIOT Act (the “Act”) established several new requirements for banks and other financial institutions located both domestically and abroad serving the U.S. financial markets. To “facilitate the prevention, detection, and prosecution of international money laundering and the financing of terrorism,” the Act requires financial institutions to adopt customer identification programs (CIPs) that allow them “to form a reasonable belief that [they] know the true identify of each customer.”
While all financial institutions operating in the United States are subject to the Act’s CIP rules, different institutions have different customer identification program requirements. Under the Act, a financial institution’s customer identification program should be “appropriate for its size and type of business,” and it should address the Act’s requirements in a manner that allows for consistent and ongoing compliance.
Understanding the USA PATRIOT Act’s Customer Identification Program Requirements
The USA PATRIOT Act’s customer identification program requirements are lengthy and complex. They are also non-standardized—allowing (and requiring) financial institutions to take a custom-tailored approach that facilitates adequate customer identification in light of their particular operations and risks. While this provides flexibility, it also presents a certain amount of inherent uncertainty. As a result, financial institutions need to work with their outside counsel to make informed decisions about what is necessary, and they must rely on their outside counsel to document their decision-making, their customer identification programs, and their ongoing efforts to meet all pertinent CIP requirements.
The 6 General Requirements for Financial Institution Customer Identification Programs
The Act establishes six general requirements for financial institution customer identification programs. As outlined by the Federal Deposit Insurance Corporation (FDIC) (and set forth in greater detail in the Act’s CIP Final Rule), these general requirements are:
1. A Written Customer Identification Program (CIP)
Financial institutions that are subject to the CIP Final Rule must adopt written customer identification programs that satisfy the Act’s requirements. To adequately demonstrate and maintain compliance, covered financial institutions must work with their outside counsel to develop custom-tailored CIPs that adequately address the requirements of the Act and the CIP Final Rule in light of their size, customer base, and other pertinent factors.
2. Four Pieces of Identifying Information for Customers
To meet the Act’s customer identification requirements, covered financial institutions must collect four pieces of identifying information from their customers: customer name, date of birth, address, and identification number. For U.S. citizens and businesses, “identification number” refers to their tax identification number (i.e., Social Security number or employer identification number). For foreign citizens and businesses, identification numbers can include tax identification numbers, passport numbers, alien identification card numbers, and any other number identified on a “government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.”
What constitutes a “customer”? The CIP Final Rule defines a customer as a business or individual that opens a new account (including an individual who opens an account on behalf of a business), and provides that a customer does not include:
- A bank or other financial institution subject to state or federal regulation in the United States;
- A business or individual that has an existing account with the bank, “provided that the bank has a reasonable believe that it knows the true identity” of the business or individual; or,
- A U.S. federal or state governmental authority and certain other qualifying entities under 31 C.F.R. Section 1020.315(b).
Subject only to these exceptions, financial institutions must follow their CIP programs’ identification procedures for all entities and individuals opening new accounts. When in doubt about whether customer identification is required, financial institution personnel should consult with the institution’s outside counsel, and under no circumstances should they assume without verification that customer identification is not required.
3. Identity Verification Procedures
In addition to collecting identifying information from new customers, financial institutions subject to the Act must also take adequate steps to verify new customers’ identifying information. The verification procedures that are necessary will vary case by case. As outlined by the FDIC, measures that may be appropriate and sufficient for verifying customers’ identities include:
- Contacting the customer;
- Comparing the information provided by the customer to information available from consumer reporting agencies, public databases, and other sources;
- Checking references with other financial institutions; and,
- Obtaining and reviewing a financial statement from the customer.
As the Financial Crimes Enforcement Network (FinCEN) explains, “[a] bank need not establish the accuracy of every element of identifying information obtained but must do so for enough information to form a reasonable belief it knows the true identity of the customer.” FinCEN also acknowledges that financial institutions may use “an electronic credential, such as a digital certificate,” as one method of verifying a customer’s identity.
Covered financial institutions must adopt procedures “for making and maintaining a record of all information obtained” in accordance with the Act and the CIP Final Rule. The CIP Final Rule provides that, “[a]t a minimum,” financial institutions must retain the following records:
- “All identifying information about a customer obtained under [the CIP Final Rule];
- “A description of any document that was relied on under [the CIP Final Rule’s verification requirements] noting the type of document, any identification number contained in the document, the place of issuance and, if any, the date of issuance and expiration date;
- “A description of the methods and the results of any measures undertaken to verify the identity of the customer . . . ; and
- “A description of the resolution of any substantive discrepancy discovered when verifying the identifying information obtained.”
5. Government List Comparison
Under the Act’s customer identification program requirements, covered financial institutions’ programs must include “procedures for determining whether [a] customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency and designated as such by Treasury in consultation with the Federal functional regulators.” Financial institutions must make these comparisons, “within a reasonable period of time after [an] account is opened, or earlier, if required” by federal law, regulation, or directive. They must also have procedures in place to ensure compliance with any directives issued in connection with these lists.
6. Customer Notices
The final general requirement for a compliant CIP is providing adequate customer notice when required. The CIP Final Rule states that covered financial institutions’ programs “must include procedures for providing bank customers with adequate notice that the bank is requesting information to verify their identities.” While the CIP Final Rule provides a sample notice, it also makes clear that institutions may only use this sample notice “if appropriate” in light of the circumstances presented.
In addition to these six general requirements, financial institutions must meet various specific requirements when developing their customer identification programs as well. To ensure compliance, financial institutions must comprehensively assess their obligations under the Act and the CIP Final Rule, and they must carefully address all pertinent anti-money laundering (AML) compliance requirements as well.
FAQs: Compliance with the USA PATRIOT Act’s Customer Identification Program (CIP) Requirements
Which financial institutions are subject to the USA PATRIOT Act’s customer identification program (CIP) requirements?
The USA PATRIOT Act’s customer identification program requirements apply to most financial institutions doing business in the United States. Covered financial institutions include:
- Federally chartered and state-chartered commercial banks, trust companies, savings and loan associations, and credit unions;
- Savings banks, industrial banks, and other thrift institutions;
- National banking associations and corporations;
- Other state-chartered institutions that are subject to the oversight of state banking regulators (except money services businesses); and,
- Foreign banks conducting business in the United States.
How long must financial institutions keep customers’ information to comply with their customer identification program (CIP) obligations?
Under 31 C.F.R. Section 1020.220(a)(3)(ii), financial institutions must keep customers’ identifying information “for five years after the date the [customer’s] account is closed or, in the case of credit card accounts, five years after the account is closed or becomes dormant.” Financial institutions must keep all other required records “for five years after the record is made.”
Is maintaining a customer identification program sufficient for know-your-customer (KYC) and anti-money laundering (AML) compliance?
No, while meeting the federal customer identification program requirements is essential for covered financial institutions, it is just one aspect of KYC and AML compliance. In addition to adopting a CIP, covered financial institutions must adopt various other policies and procedures designed to ensure complete compliance with the USA PATRIOT Act, Bank Secrecy Act, and all other pertinent federal laws and regulations.
How can I assess whether my bank is meeting the federal customer identification program requirements?
To assess customer identification program compliance, banks should work with outside lawyers experienced in USA PATRIOT Act, KYC, AML, and similar federal compliance matters. At Oberheiden P.C., our compliance team includes former U.S. Department of Justice (DOJ) lawyers who are highly experienced in these areas.
Discuss Your Financial Institution’s Customer Identification Program in Confidence
If you need to know more about the federal customer identification program requirements for financial institutions, we invite you to get in touch. To schedule a confidential initial consultation at Oberheiden P.C., please call 888-680-1745 or send us a message online today.