CIP: It's What You Are Already Doing

Customer Identification was a leading topic at the 2003 ABA/ABA Anti-Money Laundering Conference, held in Washington, D.C. No surprise there. What was new was the way the experienced BSA managers approach anti-money laundering programs. Managing CIP is more than looking at identification of customers. CIP is or should be part of your overall program.

What's more, the entire anti-money laundering program must be actively managed. There is often a tendency with compliance to put something into place and move on to the next project. The message at the conference was clear: we cannot afford to do that. The entire BSA program should be managed with memories of September 11, 2001 freshly in mind because that is what the program is designed to prevent. If we do well, there won't be more terrorism acts because we'll be nipping them in the bud.

What's new?
Several speakers stressed that CIP is not really new. It is about what you are already doing. The USA PATRIOT Act and new regulations have simply put a new name and more attention onto the process. In doing this, it does not undo or replace similar or related responsibilities that exist under other laws.

Susan Tuccillo advised the audience that CIP should be part of an overall anti-money laundering program, along with information sharing, SAR filing, and more. In the words of the FinCEN speaker, it is but one part of an overall anti-money laundering program.Speakers made frequent reminders that CIP is only one element of the program and that other responsibilities, such as OFAC and SARs, should be given equal emphasis. A successful BSA program will bring these differing responsibilities into a workable BSA program rather than treat each one as a separate element. However, when splitting hairs or drawing fine lines, be careful to look to the statute and regulation that governs the specific activity.

Answers to some Questions
Several confusing questions have plagued those in charge of implementing CIP. And, in the words of John Byrne, ABA's BSA expert, "rumors abound." The conference was useful for putting some incorrect information to rest and answering troublesome questions.

First, what is that list thing about? The list is not about OFAC or any other list you know about. In fact, there is no list - yet. Any such list will be generated specifically under CIP rules. If and when one is developed, the regulators assured the audience that they would hear about it loud and clear.

Another favorite question is whether to make copies of identification documents. The corollary is whether an institution can do so without violating Regulation B. The answer from FinCEN is: it's up to you. With flexibility comes responsibility, which is a bureaucratic way of saying you have to find the balance between the two rules. FinCEN doesn't mind if you make copies, but you must also look to Regulation B to decide whether making copies is legal and appropriate. So the answer is that you should only make copies for non-credit transactions and for monitoring data transactions unless you want to be in trouble with ECOA.

Where CIP and business accounts are concerned, is the employer the customer or are the employees customers as well? Employees of a business customer are not customers for purposes of CIP. The employer is your customer and that is who or what you identify. If you are effective at cross-marketing, you may also bring in some of the employer's employees as customers, but in that case they become customers in their own right and not because of their status as employees of the business customer. In short, the regulation drafters tried to bring the definition came as close as possible to what a teller or CSR would think of as the account holder.

Third Party Reliance
To what extent may a financial institution rely on the identification of another entity? This, according to Stipano, is one of the stickiest areas of the regulation. The critical requirement is to make sure that someone performs all of the steps of CIP, including checking lists and follow-up.

If the third party, such as an affiliate, follows the same program you do, then accepting their identification fits with your program as long as the affiliate carried out their identification. However, if their process differs, be very careful.

Whatever you decide, the CIP elements must be there for each customer. This includes answers to the four pieces of information and the formation of a reasonable belief that the customer is identified.

Holding Company issues
Then there are the questions that arise within holding companies, such as whose customer is it? The customer of a business within a holding company is the customer of that business, not of the holding company as a whole. You may have designed a CIP to create a central database for your holding company, but the customer and the way in which they are identified stay within the silo which they entered. If customers deal with more than one component of your holding company, the information and identification may be shared but sharing must be in compliance with FCRA and Privacy. If your program supports it, you may rely on the identification performed by an affiliate. This identification must meet your CIP requirements and any sharing must not violate other laws.

Pam Johnson, BSA manager at the Federal Reserve, pointed out that CIP is an institution specific requirement that does not apply to holding companies. This raises some concerns about accepting identification from other elements in the holding company. Johnson suggested that, although not required, it would be a good idea to have consistent identification programs throughout the system, from the holding company on down. Holding companies, she noted, are not required to have a CIP but ideally, a program should be top-down beginning at the highest common denominator. In saying this, she reminded the audience that such an approach is not required and that institutions should develop programs that work best for their structure and business.

Managing the process
The CIP rules were intended to provide institutions with the ability to make risk-based decisions and to design a program that works in their institution and market. In the effort to find certainty, many BSA managers have asked for detailed guidance or been tempted to place rigid time lines into their programs. Johnson warned the audience against this. Specific dates or time frames in procedures, such as a requirement to have a reasonable belief within 30 days or close the account, may force short-sighted actions on the part of the institution. The time targets and required action may not always be appropriate to a specific situation. Instead, it is an invitation to examination and audit citations.

Surviving Examinations.
When examiners look at your CIP, they will be looking at your overall anti-money laundering program. Dan Stipano, OCC's BSA expert, told the audience that examiners will be focused on systems. They will be looking for policies, procedures, and controls. If they have any concerns with this level of review, they will look at specific transactions.

ACTION STEPS

Stand back and take a look at your CIP in light of the concerns and ideas raised in this article.
Review training and talk with some people on the front lines to find out how the program is working.
While talking with the front line, find out how the notification process is going. It's a good idea to check for compliance before we get too far down the road.
Compare your CIP with programs in affiliates and decide whether and how to share identifications.
Find out whether anyone is making copies of identification documents and where they may be putting those copies.