USA Patriot Act Section 326:
Highlights of Consumer Identification Program Rules for Depository Institutions
Section 326 of the USA Patriot Act requires all financial institutions to have "customer identification programs" to help prevent and detect money laundering and financing of terrorist activities. Regulations implementing these requirements for depository institutions were published in the May 9, 2003, Federal Register. Mandatory compliance with these regulations is required by October 1, 2003.
Basic Requirements for Customer Identification Programs (CIP)
- By October 1, 2003, financial institutions must have a written "customer identification program" approved by the institution's Board of Directors.
- For insured depository institutions, the CIP must be part of the institution's BSA (anti-money laundering) compliance program.
- A CIP must be appropriate for the size and type of business of the financial institution. At a minimum, it must include procedures for:
- Verifying the identity of each customer;
- Making and maintaining a record of information obtained to verify customer identities;
- Determining whether the customer appears on certain federal government issued lists of known or suspected terrorists or terrorist organizations; and
- Providing customers with notice that the financial institution is requesting information to verify their identities.
Verifying Customer Identity
- Procedures for verifying customer identity must enable the institution to form a reasonable belief that it knows the identity of each customer.
- "Customer" is each person establishing a formal relationship under which the institution will provide or engage in services, dealings, or other financial transactions.
- Verification procedures are not required for a person who has a existing relationship with the institution provided the institution has a reasonable belief that it knows the true identity of the person.
- Procedures for verifying customer identity are to be "risk-based." They should include assessment of risks presented by:
- Types of services, dealings, and financial transactions offered by the institution;
- Methods of obtaining services from the institution;
- Types of identifying information available; and
- Institution's size, location, and customer base.
- Procedures for verifying customer identity must specify the identifying information that will be obtained from customers. At a minimum, the institution must obtain a customer's:
- Legal name;
- Date of birth (for individuals);
- Street address (limited exceptions available); and
- U.S. taxpayer identification number or, if none exists, other government issued identification number.
- Procedures must describe when the institution will use documents, non-documentary methods, or both to verify customer identity.
- There must be procedures for responding to circumstances in which the institution cannot form a reasonable belief that it knows the true identity of a customer.
Making and Maintaining a Record
- The CIP must include procedures for making and maintaining a record of all information obtained in the identity verification process. At a minimum, the record must include:
- All identifying information obtained about the customer;
- Description of documents relied on;
- Description of non-documentary methods and additional verification methods undertaken to verify customer identity; and
- Description of the resolution of any substantive discrepancies discovered during verification process.
- The record created must be retained for prescribed periods.
- For the identifying information obtained about the customer, it must be retained by the institution for 5 years after the account is closed.
- For the descriptions of other information in the record, it must be retained for 5 years after the record is created.
Federal Government Issued Lists of Terrorists
- The CIP must include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations.
- As of August 21, 2003, the lists that need to be checked have not yet been identified by Treasury.
- Lists need to be checked within a reasonable period of time after the account is opened.
- The CIP must include procedures for providing customers with adequate notice that the institution is requesting information to verify customer identity.
- Notice is to be given before "opening an account".
For more information, please contact Chris Rahl.