Financial institutions and other obliged entities must have “reasonable” procedures to gather and maintain information on customers’ identities, along with running watchlist checks on them. In the U.S., these Customer Identification Program (CIP) requirements, outlined in the USA PATRIOT Act, have been designed to limit money laundering, terrorism funding, corruption and other criminal activities.
But these CIP requirements raise important questions: What do regulators consider reasonable? How can these requirements be operationalized in an efficient, cohesive and compliant manner? How can an obliged entity create a CIP that meets the requirements and mitigates risk? Can the regulated entity fulfill its compliance and fraud prevention imperatives, while also delivering a seamless onboarding experience to its customers?
Standards of identity verification
The minimum requirements to open an individual financial account are clearly delimited:
- Date of birth
- Identification number (for a U.S. citizen, a taxpayer identification number)
While gathering this information at account opening is sufficient, the institution must verify the true identity of the account holder “within a reasonable time.” Procedures for identity verification include documents (for example, driver’s licenses and passports), non-documentary methods (for example, data sources like credit bureaus and government databases), or a combination of both.
These procedures are at the core of CIP; as with other Anti-Money Laundering (AML) compliance requirements, these policies shouldn’t be followed arbitrarily. They need to be clarified and codified to provide continued guidance to staff and executives, and for the benefit of regulators.
The exact policies depend on the risk-based approach of the institution and may consider factors like:
- The types of accounts offered by the bank
- The bank’s methods of opening accounts
- The types of identifying information available
- The bank’s size, location, and customer base, including the types of products and services used by customers in different geographic locations
The identity verification procedures must be robust enough to verify the identity of each customer to an extent that is “reasonable and practicable.”
Methods of identity verification
Traditionally, financial institutions would examine unexpired government-issued identification documents such as a driver’s license and/or passport. These documents, in general, should display a picture and the nationality of the individual. However, the policies and procedures of individual institutions may stipulate other documents that reach the reasonable standard for identity verification. Best practices call for providing more than one document to offset the risks presented by counterfeit and fraudulently obtained documents.
In today’s online era, when consumers expect convenience and immediacy, visiting a bank branch to set up an account is a big ask. Why place demands on the customer’s time, and require them to physically attend a bank appointment, when there are much easier ways to have them sign up for an account online?
The case for electronic identity verification (eIDV)
These non-documentary methods are perfectly legal, provide the highest levels of risk mitigation and deliver a seamless onboarding experience. One method involves “independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source.” This is possible via an online process and is referred to as electronic identity verification (eIDV).
There are other non-documentary methods, such as contacting a customer, checking references with other financial institutions or obtaining a financial statement. However, these processes don’t offer the speed, convenience and reliability of eIDV.
Financial institutions can also combine documentary and non-documentary methods. One increasingly popular method is to use on-demand ID document verification combined with eIDV, to crosscheck ID documents electronically with the identity information, to further reduce the risk of fraud.
Dealing with edge cases
The CIP must also contain procedures to handle various edge cases — scenarios which may occasionally occur. What happens if a person doesn’t have an identity document? What happens if a document type is unknown to the institution? What happens if the customer isn’t able to visit a branch/office?
Regulations require that the financial institution’s CIP also incorporate procedures to handle situations where the risk level is higher than usual. For example, what happens when the institution can’t establish the true identity of an individual? When is it appropriate to not open an account? When is it OK to open the account, but require more information? When should it close an account or file a suspicious activity report?
It’s not enough just to collect identity information — the information must be maintained for five years past the customer’s relationship with the institution. This includes the actual identity information, as well as a description of any document that was relied on to verify identity, noting the type of document, the identification number, the date and place it was issued and its expiration date.
The financial institution must also check identities against domestic and international AML, Counter Terrorist Finance (CTF), and sanctions watchlists.
As of March 15, 2021, under a Final Rule issued by the Financial Crimes Enforcement Network (FinCEN), banks that lack a federal functional regulator will also require a CIP. This includes private banks, international banking entities, state-chartered non-depository trust companies and non-federally-insured credit unions, state-chartered banks and savings and loan/building and loan associations.
“FinCEN believes that CIP requirements should also apply to all banks, regardless of whether they are federally regulated.”
While a CIP is mandatory, there is the opportunity to rely on another qualified financial institution or bank as the provider of the program. If the reliance is reasonable under the circumstances, the other entity has an AML program and is regulated, and there’s a contract which meets the CIP standards, then this type of arrangement is legal.
The CIP also applies to corporations, partnerships and trusts. In these cases, the procedures relate to the verification of the business entity: The existence of the business entity can be established by calling upon certified articles of incorporation, a government-issued business license, a partnership agreement, or trust instrument.
Business verification is also possible through non-documentary methods. Similar to how eIDV operates, real-time identification and verification of company records through official registers enables quick and seamless business onboarding.
It’s important to note that under the CDD Final Rule, the collection, maintenance and reporting of beneficial ownership information is now a requirement for financial institutions, which “must identify and verify the identity of the beneficial owners of all legal entity customers (other than those that are excluded) at the time a new account is opened (other than accounts that are exempted).”
Under the Corporate Transparency Act, U.S. companies will have to report their Ultimate Beneficial Owner (UBO) information to FinCEN. In 2022, any new incorporation or significant UBO change will need to be reported and any company formed before the effective date of the Act will have two years to report.
A CIP is a necessary element of AML and Know Your Customer (KYC) regulations. Beyond that, it’s part of an effective risk-mitigation strategy. Ensuring your CIP is strong, up-to-date and complete is fundamental to running a successful financial institution.
This post was originally published February 5, 2019, and has been updated to reflect the latest industry news, trends and insights.