Financial institutions (FIs) and other obliged entities must have “reasonable” procedures to gather and maintain information on customers’ identities, along with running watchlist checks on them. In the US, these Customer Identification Program (CIP) requirements, provisioned in the Patriot Act, have been designed to limit money laundering, funding for terrorism, corruption and other illegal activities.
What do regulators consider reasonable? How can these requirements be operationalized in an efficient, cohesive and compliant manner? How can an obliged entity create a CIP that can meet requirements and mitigate risk? Can the regulated entity fulfill its compliance and fraud prevention imperatives, while delivering a seamless onboarding experience to its customers at the same time?
These are vital questions.
Standards of identity verification
The minimum requirements to open an individual financial account are clearly delimited:
- Date of birth
- Identification number
While gathering this information at account opening is sufficient, the institution must verify the identity of the account holder “within a reasonable time.” Procedures for identity verification include documents, non-documentary methods (these may include comparing the information provided by the customer with consumer reporting agencies, public databases, among other due diligence measures), or a combination of both.
These procedures are at the core of CIP; as with other Anti-Money Laundering (AML) compliance requirements, these policies shouldn’t be followed willy-nilly. They need to be clarified and codified to provide continued guidance to staff, executives, and for the benefit of regulators.
The exact policies depend on the risk-based approach of the institution and may consider factors such as:
- The types of accounts offered by the bank
- The bank’s methods of opening accounts
- The types of identifying information available
- The bank’s size, location, and customer base, including the types of products and services used by customers in different geographic locations
The identity verification procedures must be robust enough to verify the identity of each customer to the extent “reasonable and practicable”.
Methods of identity verification
Traditionally, FIs would examine unexpired government-issued identification documents such as a driver’s license and/or passport. These documents, in general, should display a picture and the nationality of the individual. However, the FI procedures may stipulate other documents that reach the reasonable standard for identity verification. Best practices, however, call for furnishing more than one document to offset the risks presented by counterfeit and fraudulently obtained documents.
In today’s online era, when consumers deeply value convenience and instantaneity, a trip to the bank to set up an account is a big ask. Indeed, why place demands on the customer’s time, and require her to physically present herself, particularly when there are easier ways to sign up for an account online?
The case for electronic identity verification (eIDV)
These non-documentary methods are perfectly legal, provide the highest levels of risk mitigation and deliver a seamless onboarding experience. One method involves “independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source.” This is doable as an online process and is referred to as electronic identity verification (eIDV).
There are other non-documentary methods, such as contacting a customer, checking references with other financial institutions or obtaining a financial statement. However, these processes don’t offer the speed, convenience and reliability of eIDV.
FIs can also combine documentary and non-documentary methods. One increasingly popular method is using on-demand ID document verification combined with eIDV, to crosscheck ID documents electronically with the identity information, to further reduce the risk of fraud.
Dealing with edge cases
The CIP must also contain procedures to handle various edge cases – scenarios which may occasionally occur. What happens if a person does not have an identity document? What happens if a document type is unknown to the FI? What happens if the customer is never able to visit the FI, in person?
Regulations require that the FI’s CIP also incorporate procedures to handle situations where the risk level is higher than usual: For example, what happens when the FI can’t establish the true identity of an individual? When should it not open an account? When can it open the account, but require more information? When should it close an account or file a suspicious activity report (SAR)?
It’s not enough to collect identity information – the information must be maintained as long as the customer remains with the FI and five years after. This includes the actual identity information as well as a description of any document that was relied on to verify identity, noting the type of document, the identification number, the place of issuance, and, if any, the date of issuance and expiration date.
The FI must also check identities against domestic and international Anti-Money Laundering (AML), Counter Terrorist Finance (CTF), and sanctions watchlists.
The CIP also applies to corporations, partnerships, or trusts. In these cases, the procedures relate to the verification of the business entity: The existence of the business entity can be established by calling upon certified articles of incorporation, a government-issued business license, a partnership agreement, or trust instrument.
Business verification is also doable through non-documentary methods. Similar to how eIDV operates, real-time identification and verification of company records through official registers enables quick and seamless business onboarding.
It’s important to note that under the Final CDD Rule, collecting, maintaining and reporting of beneficial ownership information is now a requirement for financial institutions; FIs “must identify and verify the identity of the beneficial owners of all legal entity customers (other than those that are excluded) at the time a new account is opened (other than accounts that are exempted).”
A Customer Identification Program is a necessary element of AML and Know Your Customer (KYC) regulations. Beyond that, it’s part of an effective risk-mitigation strategy. Ensuring your CIP is strong, up-to-date and complete is fundamental to running a successful financial institution.
Find out how Koho uses Trulioo to provide its customers with a seamless onboarding experience while meeting its compliance obligations at the same time.