Skip to content
 

Decisions, Decisions - Mary Beth Guard

Decisions, Decisions
by Mary Beth Guard, BOL Guru

Because the final CIP rules provide considerable flexibility, numerous decisions are left to each financial institution. You get to decide, for example, when you will use documentary means to verify identity and when you will resort to non-documentary means. And that's just the tip of the iceberg. Outlined below are numerous other areas where decision making will be necessary.

Notice:
How will you provide notice to customers? You must have procedures for providing customers with adequate notice that the bank is requesting information to verify their identities. The notice may be given orally, in writing, on a Web site, or by posting a notice in the lobby.

There are two tests for determining whether notice is adequate in a particular situation. The first test relates to the content of the notice. The rule says the notice is adequate, content-wise, if it "generally describes the identification requirements of the rule". A sample notice is included in the rule, consisting of a title and two paragraphs. You need to decide whether you want to mirror that language, or draft wording of your own. (My thought? Use the sample notice! It will be difficult for an examiner to criticize it, since it comes straight from the regulators!)

In terms of how the notice is provided, what is adequate will depend upon the manner in which the account is opened. The test is whether the notice is provided in a manner "reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account". Will you take the "passive" route, placing the notice in a spot reasonably designed to ensure the customer is able to view it, or will you take the "active" route, and actually give the notice to each customer? Either way, there are additional decisions to be made.

Here are a few possible options for providing the notice:

  • Post the notice in various places in your bank. The rule mentions posting a notice in the lobby, but I would urge you to concentrate on areas where a customer will be opening a "new account" (and remember, that would include loans, credit cards, safe deposit boxes, cash management services, etc.) You may want to think about printing out an attractive version of it and posting it on the front of the desks of your loan officers, CSRs, safe deposit attendants, investment specialists, private bankers, or anywhere else a person would go to open a new account.

  • Incorporate the notice into other disclosures you will be giving to customers. (The downside of this approach is that most other disclosures are consumer protection in nature and do not have to be given to non-consumers, whereas this notice must be given to anyone who meets the definition of a "customer" opening a "new account". Plus, in areas like safe deposit, the only "disclosure" you may currently be providing is the contract itself.")

  • Train your employees to provide notice orally to new customers with whom they have face-to-face dealings. Carefully script the language so that it will be consistent from one employee to the next. Utilize some sort of checklist to remind employees to give the oral disclosure. (If you choose this method, be aware that this will be the most difficult to prove compliance with. You will show that you properly trained all necessary employees to give the disclosure and that you occasionally monitor new account openings to make sure the disclosure is being given. Then, if you also require the employee to make a notation on the account record to indicate the disclosure was given, you will point to that as well.)

  • Construct a paper notice that can be mailed or faxed to customers who do not appear in person at the bank. It should be provided before the person opens an account.

  • Amend your application forms or contracts to include the notice language.

  • Post the notice on your Web site, particularly if you allow a person to apply for a new account of any sort over the Internet. Don't bury the notice on your site. Design it so that anyone applying for an account will first encounter the notice. You may even want to put it behind a non-bypassable link. [Here's how a non-bypassable link would work. Customer A is on your Web site and wants to apply for a mortgage loan. He clicks on the "Apply Now" button. Instead of it linking directly to the online application, it instead links to a page where the CIP Notice appears. Following the CIP Notice is a link the customer can then use to go to the actual application form.]

Watch out for joint accounts (and, again, we're including all types of "accounts" here - extensions of credit, safe deposit rentals, etc.) Under some regulations, it is permissible to give certain disclosures to any one of the joint account applicants. That does NOT appear to be the case with the CIP notice. Since each customer's identity will be subject to the identity verification requirements, each customer must be given the notice or must be able to view it.

Addresses:
If a customer has both a mailing address and a street address, will you obtain only the street address to satisfy the CIP rule, or also obtain the mailing address in order to communicate with the customer via the customer's preferred channel? What alternative addresses will you deem acceptable? If you agree to accept the address of next of kin or another contact person, what will your standard be forfirst determining the customer cannot readily provide a physical address? Will you plan to substantiate the notion that the contact person or next of kin will be able to help locate the customer, when necessary?

On businesses, will you collect multiple addresses? For example, you may wish to record, for a corporation, the address of the registered service agent, as well as both the street address and mailing address for the corporation's principal office. If an entity has locations in multiple states, you may wish to have the address of the location within your state, as well as the address for the main office, which may be in a different state.

Types of IDs:
What types of IDs will you be willing to accept for an individual who is a U.S. person? Keep in mind that the regulators encourage redundancy. (Basically, to some extent, more is better, different is better.) In a previous issue of The Informer, I included a laundry list of potential primary and secondary ID sources. Ask your frontline staff for additional suggestions.

What types of IDs will you be willing to accept for an individual who is a NOT a U.S. person? For example, will you accept the Matricula Consular for individuals from Mexico? How about a border crossing card? Alien I.D.? Foreign driver's license?

Reasonable time:
What guidance will you give your employees about what constitutes a "reasonable time" after account opening to verify identity, as well as to check any Section 326 list? Will you have different time frames for different situations? For example, if the customer is from out of state, or is not a U.S. person, will more time be needed for identity verification? How will you track the identity verifications to make sure they've been completed in a timely manner?

Recordkeeping
In addition to collecting and retaining (until five years after an account is closed, or, in the case of a credit card account, five years after it is either closed or becomes dormant), the customer's name, address, identifying number and, for individuals, date of birth, you must also keep a record describing how you verified the identity information.

Your decisions in this regard will involve who will make the record, whether it will be electronic or on paper, when it will be made, and where it will be stored.

If you verify the information through documentary means, you must keep a description of any document that was relied on, noting the type of document, any identification number contained in the document, the place of issuance and, if any, the date of issuance and expiration date.

If you verify the information through nondocumentary means, you must record a description of the methods and the results of the measures undertaken to verify the identity.

When identity can't be verified:
Think through the consequences of a situation where you open an account and subsequently find that you cannot verify the identity information the customer furnished to you. Decide, in advance, whether there are types of accounts or types of customers on which you will want to verify identity information before the account is opened, rather than within a reasonable time after account opening. As the old saying goes, "You can't put the toothpaste back into the tube." In most cases, it's going to be prudent to verify before you squeeze!

Identify instances where you will be willing to open the account, but may wish to put limitations on transactions until verification has occurred. Investigate the regulatory ramifications of imposing limitations, and make sure nothing you do violates any of your contract terms.

Last, but not least, try to figure out under what circumstances you would want to close an account if you determine, subsequent to its opening, that you are unable to form a reasonable belief as to the customer's true identity.

Go through each of your product lines and customer types and think through some hypothetical situations. Here are some examples:

  • Herb rents a safe deposit box. You determine afterwards that the identity information he gave you is bogus and the address is a mail drop. What now? Your contract may not give you the right to cancel or to freeze the box. On safe deposit box rentals, it may be better to both obtain identity information and verify it before you assign a box and give out keys. If you can't verify identity, don't rent the box.

  • Brenda brings in a power of attorney that supposedly appoints her attorney-in-fact for Arthur. She has a large check made payable to Arthur, and she wants to open a new account in his name. Arthur has never been a customer of your bank, so you don't have a specimen signature for him. The POA does not deal with real estate, so it hasn't been filed in the county records. Brenda has no prior relationship with your bank. She lives in an RV and travels the country. She's chosen your bank because of its location. She has no permanent address, but is willing to give you her sister's address to use on the account. Her signature on the deposit account agreement is considerably different from her out-of-state driver's license, but she attributes that to the fact she had a bad hangover the day she got her license renewed. Do you open the account and attempt to verify identity afterwards? Do you decline to open the account? Do you delay opening the account until you can form a reasonable believe as to the true identity of the customer? Who will have the authority to make the decision, and what will they be guided by?

  • Robert applies for a joint account with Mark. Mark never comes to the bank. Instead, Robert takes the paperwork with him, and brings it back with Mark's information and "signature" on it. The identity information for Mark matches what is in the credit report you pull, but a letter you send welcoming him as a customer gets returned as undeliverable, saying "Forwarding order expired" and the telephone number listed for him is disconnected. Now what?

  • Calvin got a quick car loan from you. You take a closer look at his credit report and see that it has a fraud alert on it. You call the number for Calvin shown in the fraud alert and find that the real Calvin knows nothing about the loan. Wouldn't it be better to require identity verification before loan proceeds are disbursed to avoid this kind of fraud?

    The original version appeared in the April 2003 edition of the Oklahoma Bankers Association Compliance Informer.

    First published on BankersOnline.com 9/8/03

First published on 09/08/2003

Filed under: 
Compliance
Filed under compliance as: 
CIP
Compliance/Compliance Management
Delinquent Accounts/loans
ID
Internet
USA PATRIOT Act

Report a problem with this page

Search Topics