Suppose the customer is appearing in person with two forms of primary ID,(i.e a photo ID and Social Security Card) and has been living in our area for more than a year. Nothing seems out of the ordinary with this customer. In your opinion do we also need any non-documentary verification?

My CIP would not require non-documentary verification in the instance you describe, however, it would also not preclude it. The reasoning for this is that the CIP rules require documentary, non-documentary or a combination of both. If, in your risk based procedures you believe that you know the customer's true identity based on the DL and SS card, or say by the DL and using a service such as ChexSystems then you've fulfilled your obligation under the rules. (By the way, accepting a DL and running the SSN through ChexSystems would be a combination of both the documentary and the non-documentary methods of ID verification.)

You do not say whether or not you personally know the customer and, therefore, can validate the customer's identity. Otherwise, the FFIEC agencies' interpretation is that you "validate" the customer's (customers') identity (identities). When Muhammed Atta went through the airport, he had two forms of identification -- with pictures -- with a fraudulent social security number. The whole purpose in the Act's identification mandates is that institutions "validate" the information they are presented with by the prospective customer. The only way to really do this effectively is to either conduct a credit check, which shows the name, SS# and address together; or to perform some type of LexisNexis type of search to reconcile the name, SS# and address. In your example, you've not conducted any type of meaningful validation processs -- at least that will hold up to the FDIC examiner who was most aggressive in making this point to our institution.

What about the provision that we cannot give special treatment to new customers because we believe we know them? It says that "known to bank personnel" is subject to manipulation and therefore isn't good enough.

The reference to Atta is a red herring. Yes, he apparently had bogus ID documents. But the CIP regulations do not require that you go beyond the documents presented if your risk-based CIP calls for a documentary verification. There is no requirement that your CIP include a non-documentary verification if ID documents appear in order and sufficiently support the ID information provided by the applicant. Given the apparently innocuous (at the time and without benefit of hindsight) nature of the accounts opened, non-documentary verification might not have been done. And there is definitely no requirement in the regulation to verify the authenticy of apparently authentic ID documents.

It's personal opinion, but I believe that most of the 9-11 terrorists would have passed current CIP procedures but for hindsight, and references to their bogus identities are convenient Monday-morning quarterbacking that fits nicely into the cheerleading (such as it is) for the §326 rules.

Might a non-documentary check have "flagged" Atta's bogus SSN? I don't know. An OFAC check would not have revealed anything at the time.

As for the "known to bank personnel" conundrum, it's true that we cannot waive any CIP requirement (such as documentary verification) based solely on an employee's knowledge of the customer. The manipulation thing is one reason; another is bank employee turnover. But a bank employee's knowledge of the customer's ID might (properly, I believe) weigh in a decision to go beyond documentary verification if it's optional in the bank's CIP.

These CIP rules are nothing more than window dressing mandated by the federal government to make its citizens feel all cozy that they're doing something to prevent another 9/11. Fact is though that the CIP rules are a crock. If anything, they are barely more stringent than anything we all have had in place prior to 9/11! There are so many loopholes an exceptions that this program will only be effective for those persons (U.S. Citizens) who have established identities and credit reports and properties in the U.S. The Mohammed Atta's will continue to slip through. Heck, all they have to do is take their fake Matricula Consular card and a freakin ITIN to Bank of America, Wells Fargo, Chase, Citibank, etc. and they are in the system! How scary is that??? Even the FBI is warning that they can then go to those states that provide driver's licenses to Matricula Consular card holders and get themselves a dadgum driver's license. What do you think they can do with that??? Well what else, but buy firearms and ammo and camouflage, etc.

Like I said the CIP rules are nothing but a crock. The worst part is that certain banks, municipalities and states are paving the way for terrorist to establish a seeminly legitimate identity here and we the people are just going along like sheep. It is a certainty that there will be another attack. These people hate and despise us and they will hit us by taking advantage of our vulnerabilities and the CIP program is most likely at the top of their list!

(even if you don't agree with me, thanks for acknowledging my freedom of expression)

From my comment letter on the Notice of Inquiry:

Only unbounded naiveté can support a belief that the current requirements of this regulation will be an impediment to those wanting to use the U.S. banking system for illegal purposes.

The proposed regulation was flawed, but had enough teeth to make a difference. The final regulation is no more than a nuisance to the financial institutions who must comply with it.