A Dozen Steps to CIP Compliance
by Mary Beth Guard, BOL Guru
We've identified 12 steps for coming into compliance with the CIP requirements. To establish your timeline, work backwards from the mandatory compliance date of October 1, 2003.
Step 1: Determine what is required.
Start by understanding the requirements. There's no substitute for reading the actual rule, and much can be learned from studying the preamble as well.
Step 2: Perform a risk assessment and make your choices.
The CIP rules are designed to be flexible, but the procedures in your CIP should be risk-based. Analyze your risk factors, then decide how you wish to proceed. Determine which types of accounts pose a greater risk. Compare types of identifying information you might rely upon. Examine all the methods used to open accounts at your institution. Make decisions, for example, about such issues as under what circumstances, when you are unable to verify identity, will you either decline to open an account or, if an account has already been opened, close an account? What will you consider a "reasonable time" for verifying identity after an account has been opened? Consult the "Decisions, Decisions" portion of this article to see a list of decisions you will need to make.
Step 3: Experiment to determine what will work.
The last thing you want is to be saddled with a Customer Identification Program that prescribes procedures that are not feasible for your institution. Solicit the input of persons who deal with each product line, as well as those who are responsible for training, recordkeeping, technology, and customer service. Consider doing a trial run of the procedures after you have designed them - and before you solicit board approval - in order to work out any kinks. Make any necessary adjustments before you ask for the board to sign off on the CIP.
Step 4: Write your CIP.
Use the "Must List" below to help guide you on what the CIP must contain. Keep in mind that the rule sets forth minimum standards. You may wish to go beyond the basics. In any event, keep the language loose enough to provide you with adequate flexibility, but make it clear enough to give your staff guidelines they can understand and follow. The last thing you want is for an examiner to cite you for a violation of your own policy!
Step 5: Obtain board approval for the CIP.
Before you seek your board's approval, educate board members about the nature and substance of the requirements. An executive summary is included here. You may wish to provide it well in advance of the date when the actual vote is to be taken on the proposed CIP. When it's time for a vote, the minutes of the board meeting should reflect the discussion and decision.
Step 6: Determine how you will document compliance.
Your employees will need to record three types of information: 1) minimum identifying information about each customer (name, address, etc.); 2) a description of any document relied upon to verify identity, as well as a description of any non-documentary means used to verify identity; and 3) if any substantive discrepancy is discovered when verifying the identifying information obtained from the customer, a description of the resolution of the discrepancy. Begin to decide now how and where this information will be recorded. Have you conferred with your software providers to learn about modifications to existing systems that will facilitate recording this data? Will you be using a third-party source for verifying the data? If so, does it maintain a record of the verification process, and how is that record retrievable? Will you need to instead rely on paper documentation for areas like safe deposit? What about mobile loan officers? How will you expect them to document the methods they used to verify identity? Are you going to develop documentation forms in-house, or use something developed by a third party? Will you have a standard method for documenting the resolution of discrepancies? For example, Bob Barnett fills out an online loan application and, due to his dyslexia, transposes two of the digits in his SSN. After he leaves the bank, an employee attempts to pull a credit report and discovers the SSN is bogus. A follow-up call to Bob clears up the confusion. Where will this be noted? Do you want your employee to initial the record of the discrepancy resolution and date it? Allow time for necessary customization.
Step 7: Train staff on the new procedures.
The more significant the changes, the more time you'll need to devote to the training process. You may wish to use our training scenarios below to help you illustrate the different types of situations employees might encounter. You can then detail how each such scenario should be handled, based upon your own CIP. Throughout your trial run period, encourage employees to report any problems with the procedures so they may be addressed.
Step 8: Deal with agent issues.
If you utilize car dealers, mortgage brokers, or other third parties to act as your agent, the rule says you can have them obtain customer identity information for you, since that task must generally be done prior to opening an account. If you do rely on agents, you'll need to train them so they understand the requirements. You'll also need to decide what your course of action will be if you receive incomplete information from them, and you will need to figure out whether you will have the agent verify the information and make a record of the methods they used to verify it, or whether you will verify the identity information after it is received from the agent.
Consider constructing a cheat sheet that explains precisely what you want the agent to do. Put the burden on the agent, contractually, to carry out the task. Build in consequences for failure to do so.
Step 9: Give your customers notice of identity verification.
Customers must be provided adequate notice about the verification of identity requirements. Give notice in a manner reasonably designed to ensure a customer is able to view the notice, or is otherwise given notice, before opening an account.
Step 10: Implement your CIP.
Start obtaining, verifying, and recording information that identifies each person who opens an account. Closely monitor compliance with the requirements, especially in the initial stages of implementation.
Step 11: Retain records.
There is a bifurcated record retention requirement. You must retain records describing what you relied upon to verify identity for five years after the record is made. The actual identity information itself (name, address, identifying number and, on individuals, date of birth), however, must be retained for five years after the account is closed. How and where will you store the records in a manner that will allow you to demonstrate compliance to examiners?
Step 12: Check Section 326 Lists.
At the present time, no list has been designated a "list of known or suspected terrorists or terrorist organizations under Section 326." The regulators indicate that financial institutions will be notified directly when there is such a list and a determination will need to be made about whether a customer appears on the list either 1) within a reasonable time after an account is opened; or 2) earlier, if a federal law, regulation, or directive issued in connection with the applicable list requires the determination to be made earlier.
The original version appeared in the April 2003 edition of the Oklahoma Bankers Association Compliance Informer.
First published on BankersOnline.com 9/8/03