FAQs: Final CIP Rule
The staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Financial Crimes Enforcement Network, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and the United States Department of the Treasury (“Agencies”) are issuing these frequently asked questions (“FAQs”) regarding the application of 31 C.F.R. § 103.121. This joint regulation implements section 326 of the USA PATRIOT Act and requires banks, savings associations, credit unions and certain non-federally regulated banks (“bank”) to have a Customer Identification Program (“CIP”).
While the purpose of the FAQs document is to provide interpretive guidance with respect to the CIP rule, the Agencies recognize that this document does not answer every question that may arise in connection with the rule. The Agencies encourage banks to use the basic principles set forth in the CIP rule, as articulated in these answers, to address variations on these questions that may arise, and expect banks to design their own programs in accordance with the nature of their business.
The Agencies wish to emphasize that a bank’s CIP must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. It is critical that each bank develop procedures to account for all relevant risks including those presented by the types of accounts maintained by the bank, the various methods of opening accounts provided, the type of identifying information available, and the bank’s size, location, and type of business or customer base. Thus, specific minimum requirements in the rule, such as the four basic types of information to be obtained from each customer, should be supplemented by risk-based verification procedures, where appropriate, to ensure that the bank has a reasonable belief that it knows each customer’s identity.
The Agencies note that the CIP, while important, is only one part of a bank’s BSA/AML compliance program. Adequate implementation of a CIP, standing alone, will not be sufficient to meet a bank’s other obligations under the BSA, regulations promulgated by its primary Federal regulator, such as Suspicious Activity Reporting requirements, or regulations promulgated by the Office of Foreign Assets Control.
Finally, these FAQs have been designed to help banks comply with the requirements of the CIP rule. They do not address the applicability of any other Federal or state laws.
31 C.F.R. § 103.121(a)(1) -- Definition of “account”
1. The CIP rule applies to a “customer,” which is generally “a person that opens a new account.” (Emphasis added.) At what point does the CIP rule apply when the account is a loan? When is the account opened?
“Customer” does not include a person who does not receive banking services, such as a person whose loan application is denied. See 68 FR 25090, 25093 (May 9, 2003). Therefore, when the account is a loan, the account is opened when the bank enters into an enforceable agreement to provide a loan to the customer.
2. Are loan participations purchased from third parties and loans purchased from a car dealer or mortgage broker within the exclusion from the definition of “account” for loans acquired through an acquisition, merger, purchase of assets, or assumption of liabilities?
Yes, this exclusion is intended to cover loan participations purchased from third parties and loans purchased from a car dealer or mortgage broker. If, however, the bank is extending credit to the borrower using a car dealer or mortgage broker as its agent, then it must ensure that the dealer or broker is performing the bank’s CIP.
31 C.F.R. § 103.121(a)(2) -- Definition of “bank”
1. Is the CIP rule applicable to a bank’s foreign subsidiaries?
No. The CIP rule does not apply to any part of the bank located outside of the United States. Nevertheless, as a matter of safety and soundness, banks are encouraged to implement an effective CIP throughout their operations, including in their foreign offices, except to the extent that the requirements of the rule would conflict with local law.
31 C.F.R. § 103.121(a)(3) -- Definition of “customer”
1. Who is the “customer” when an account is opened by an individual who has power-of- attorney for a competent person who is the named owner of the account?
The CIP rule provides that a “customer” generally is “a person that opens a new account.” 31 C.F.R. § 103.121(a)(3)(i)(A). When an account is opened by an individual who has power-of-attorney for a competent person, the individual with a power-of-attorney is merely an agent acting on behalf of the person that opens the account. Therefore, the “customer” will be the named owner of the account rather than the individual with a power-of-attorney over the account. By contrast, an individual with power-of-attorney will be the “customer” if the account is opened for a person who lacks legal capacity. 31 C.F.R. § 103.121(a)(3)(i)(B)(1).
2. Is a person who becomes co-owner of an existing deposit account a “customer” to whom the CIP rule applies?
Yes, a person who becomes the co-owner of an existing deposit account is a “customer” subject to the CIP rule because that person is establishing a new account relationship with the bank.
3. Is a new borrower who is substituted for an existing borrower through an assumption of a loan a “customer” to whom the CIP rule applies?
Yes, a new borrower who is substituted for an existing borrower through an assumption of a loan is a “customer” because the new borrower is establishing a new account relationship with the bank.
4. The CIP rule requires a bank to verify the identity of each “customer.” Under the CIP rule, a “customer” generally is defined as “a person that opens a new account.” If a pension plan administrator chooses to remove a former employee from the plan pursuant to section 657(c) of the Economic Growth and Tax Relief Reconciliation Act of 2001 (EGTRRA), it is required by law to transfer these funds to a financial institution. In addition, an administrator of a terminated plan may remove former employees that it is unable to locate, by transferring their benefits to a financial institution. Would a plan administrator or the former employee be a bank “customer” where funds are transferred to a bank and an account established in the name of the former employee, in either of these situations?
In either situation, the administrator has no ownership interest in or other right to the funds, and therefore, is not the bank’s “customer.” Nor would we view the administrator as acting as the customer’s agent when the administrator transfers the funds of former employees in these situations. A customer relationship arises and the requirements of the rule are implicated when the former employee “opens” an account. While the former employee has a legally enforceable right to the funds that are transferred to the bank, the employee has not exercised that right until he or she contacts the bank to assert an ownership interest. Thus, in light of the requirements imposed on the plan administrator under EGTRRA, as well as the requirements in connection with plan terminations, the former employee will not be deemed to have “opened a new account” for purposes of the CIP rule until he or she contacts the bank to assert an ownership interest over the funds, at which time a bank will be required to implement its CIP with respect to the former employee.
This interpretation applies only to (1) transfers of funds as required under section 657(c) of EGTRRA, and (2) transfers to banks by administrators of terminated plans in the name of participants that they have been unable to locate, or who have been notified of termination but have not responded, and should not be construed to apply to any other transfer of funds that may constitute opening an account.
5. A bank is an agent for a (bank) credit card issuer. The cards are co-branded, the two banks share in the revenue from the cards issued. However, the issuer approves the credit card applications and handles collections. Is a person who obtains a credit card a customer of the agent bank or the card issuer?
A person who receives a credit card is receiving an extension of credit from, and therefore is establishing an account with, the issuing bank. The agent bank is compensated by the issuing bank and not by the customer. For these reasons, the issuing bank is responsible for ensuring that its CIP applies to the customer. However, the agent bank may perform parts of the CIP on behalf of the issuing bank. As with any other responsibility performed by an agent, the issuing bank ultimately is responsible for the agent’s compliance with the requirements of the CIP rule. See 68 FR 25090, 25104 (May 9, 2003). Alternatively, the issuing bank may rely upon the agent bank to perform elements of its CIP, provided that the issuing bank is able to satisfy the requirements of the reliance provision, 31 C.F.R. § 103.121(b)(6), including the requirement that the person be a customer of both the issuing and agent bank.
31 C.F.R. § 103.121(a)(3)(ii)(C) – Person with an existing account
1. A loan and a time deposit are each an “account” for purposes of the CIP rule. How do the requirements of the CIP rule apply to a loan that is renewed, or a certificate of deposit that is rolled over?
The CIP rule applies to a “customer,” generally, “a person that opens a new account.” 31 C.F.R. § 103.121(a)(3)(i). (Emphasis added.) “Account” means a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including a deposit account, a transaction or asset account, a credit account, or other extension of credit. 31 C.F.R. § 103.121(a)(1)(i). For purposes of the CIP rule, each time a loan is renewed or a certificate of deposit is rolled over, the bank establishes another formal banking relationship and a new account is established. However, the rule provides that the term “customer” does not include a person that has an existing account with the bank, provided that the bank has a reasonable belief that it knows the true identity of the person. 31 C.F.R. § 103.121(a)(3)(ii)(C). In each of these cases, the customer has an existing account. Therefore, as long as the bank has a reasonable belief that it knows the person’s true identity, the bank need not perform its CIP when a loan is renewed or certificate of deposit is rolled over. However, if a new customer is added to the loan or deposit account, the bank would need to satisfy the CIP rule with respect to that new account relationship.
2. Does the exclusion from the definition of “customer” in 31 C.F.R. § 103.121(a)(3)(ii)(C) for a person with an existing account extend to a person who has had an account with the bank in the last twelve months but who no longer has an account?
No, this provision only excludes from the definition of “customer” a person that at the time a new account is opened currently “has an existing account with the bank,” and only if the bank has a reasonable belief that it knows the true identity of the person. Therefore, for example, when a person has a deposit account and subsequently obtains a loan, the person has an existing account with the bank. Conversely, a person would not be deemed to have an existing account at the bank if the person had a loan, paid it off, and twelve months later obtains a new loan.
3. How can a bank demonstrate that it has “a reasonable belief that it knows the true identity of a person with an existing account” with respect to persons that had accounts with the bank as of October 1, 2003?
Among the ways a bank can demonstrate that it has “a reasonable belief” is by showing that prior to the issuance of the final CIP rule, it had comparable procedures in place to verify the identity of persons that had accounts with the bank as of October 1, 2003, though the bank may not have gathered the very same information about such persons as required by the final CIP rule. Alternative means include showing that the bank has had an active and longstanding relationship with a particular person, evidenced by such things as a history of account statements sent to the person, information sent to the IRS about the person’s accounts without issue, loans made and repaid, or other services performed for the person over a period of time. This alternative, however, may not suffice for persons that the bank has deemed to be high risk.
4. Can a bank exclude from the definition of “customer” a person that has an existing account with its affiliate?
No, a person that has an existing account with a bank affiliate does not qualify as “a person who has an existing account with the bank” within the meaning of 31 C.F.R. § 103.121(a)(3)(ii)(C). However, the bank may be able to rely on its affiliate to perform elements of its CIP, as provided in 31 C.F.R. § 103.121(b)(6).
31 C.F.R. § 103.121(b)(2)(i) -- Information required
1. What address should be obtained for customers who live in rural areas who do not have a residential or business address or the residential or business address of next of kin or another contact individual? For example, is a rural route number acceptable?
Yes, the number on the roadside mailbox on a rural route is acceptable as an address. A rural route number, unlike a post office box number, is a description of the approximate area where the customer can be located. In the absence of such a number, and in the absence of a residential or business address for next of kin or another contact individual, a description of the customer’s physical location will suffice.
2. Can a bank open an account for a U.S. person that does not have a taxpayer identification number?
No, the bank cannot unless the customer has applied for a taxpayer identification number, the bank confirms that the application was filed before the customer opened the account, and the bank obtains the taxpayer identification number within a reasonable period of time after the account is opened. Note, however, that a bank does not need to obtain a taxpayer identification number when opening a new account for a customer that has an existing account, as long as the bank has a reasonable belief that it knows the true identity of the customer. A bank may also open an account for a person who lacks legal capacity with the identifying information, including taxpayer identification number, of an individual who opens an account for that person.
31 C.F.R. § 103.121(b)(2)(ii) -- Customer verification
1. Must a bank verify the accuracy of all of the identifying information it collects in connection with 31 C.F.R. § 103.121(b)(2)(i)?
The final rule provides that a bank’s CIP must contain procedures for verifying the identity of the customer, “using the information obtained in accordance with paragraph (b)(2)(i),” namely the identifying information obtained by the bank. 31 C.F.R. § 103.121(b)(2)(ii). A bank need not establish the accuracy of every element of identifying information obtained but must do so for enough information to form a reasonable belief it knows the true identity of the customer. See 68 FR 25090, 25099 (May 9, 2003).
2. Can a bank use an employee identification card as the sole means to verify a customer’s identity?
A bank using documentary methods to verify a customer’s identity must have procedures that set forth the documents that the bank will use. The CIP rule gives examples of types of documents that have long been considered primary sources of identification and reflects the Agencies’ expectation that banks will obtain government-issued identification from most customers. However, other forms of identification may be used if they enable the bank to form a reasonable belief that it knows the true identity of the customer. Nonetheless, given the availability of counterfeit and fraudulently obtained documents, a bank is encouraged to obtain more than a single document to ensure that it has a reasonable belief that it knows the customer’s true identity.
3. Can a bank use an electronic credential, such as a digital certificate, as a non-documentary means to verify the identity of a customer that opens an account over the Internet or through some other purely electronic channel?
A bank may obtain an electronic credential, such as a digital certificate, as one of the methods it uses to verify a customer’s identity. However, the CIP rule requires the bank to have a reasonable belief that it knows the true identity of the customer. Therefore, for example, the bank is responsible for ensuring that the third party uses the same level of authentication as the bank itself would use. See also FFIEC guidance titled “Authentication in an Electronic Banking Environment” (July 30, 2001).
4. How should a bank verify the identity of a partnership that opens a new account when there are no documents or non-documentary methods that will establish the identity of the partnership?
A bank opening an account for such a partnership must undertake additional verification by obtaining information about the identity of any individual with authority or control over the partnership account, in order to verify the partnership’s identity, as described in 31 C.F.R. § 103.121(b)(2)(ii)(C).
5. How should a bank verify the identity of a sole proprietorship that opens a new account, (such as an account titled in the name of an individual “doing business as” a sole proprietorship) when there are no documents or non-documentary methods that will establish the identity of the sole proprietorship?
In some states, sole proprietorships are required to file “fictitious” or “assumed name certificates.” Banks may choose to use these certificates as a means to verify the identity of a sole proprietorship, if appropriate. However, when there are no documents or non-documentary methods that will establish the identity of the sole proprietorship, the bank must undertake additional verification by obtaining information about the sole proprietor or any other individual with authority or control over the sole proprietorship account -- such as the name, address, date of birth, and taxpayer identification number of the sole proprietor, or any other individual with authority or control over the account -- in order to verify the sole proprietorship’s identity, as described in 31 C.F.R. § 103.121(b)(2)(ii)(C).
31 C.F.R. § 103.121(b)(3)(i) – Required records
1. Would it be acceptable to retain a description of the non-documentary customer verification method used (such as a consumer credit report or an inquiry to a fraud detection system) in a general policy or procedure instead of recording the fact that a particular method was used on each individual customer's record?
Yes, provided that the record cross-references the specific provision(s) of the risk-based procedures contained in the bank’s CIP used to verify the customer’s identity.
2. Can a bank keep copies of documents provided to verify a customer’s identity, in addition to the description required under 31 C.F.R. § 103.121(b)(3)(i)(B), even if it is not required to do so?
Yes, a bank may keep copies of identifying documents that it uses to verify a customer’s identity. A bank’s verification procedures should be risk-based and, in certain situations, keeping copies of identifying documents may be warranted. In addition, a bank may have procedures to keep copies of documents for other purposes, for example, to facilitate investigating potential fraud. (These documents should be retained in accordance with the general recordkeeping requirements in 31 C.F.R. § 103.38.) Nonetheless, a bank should be mindful that it must not improperly use any document containing a picture of an individual, such as a driver’s license, in connection with any aspect of a credit transaction.
31 C.F.R. § 103.121(b)(3)(ii) – Retention of records
1. Does the original information obtained during account opening have to be retained or can the bank satisfy the recordkeeping requirement by just keeping updated information about the customer, i.e., the customer’s current address?
The CIP rule requires that a bank retain the identifying information obtained about the customer at the time of account opening for five years after the date the account is closed or, in the case of credit card accounts, five years after the account is closed or becomes dormant. 31 C.F.R. § 103.121(b)(3)(ii). Updated information serves valuable, but different, purposes.
2. If the bank requires a customer to provide more identifying information than the minimum during the account opening process, does it have to keep this information for more than five years?
The bank must keep for five years after the account is closed, or in the case of credit card accounts, five years after the account is closed or becomes dormant, all identifying information it gathers about the customer to satisfy the requirements of § 103.121(b)(2)(i) of the CIP rule. 31 C.F.R. § 103.121(b)(3)(ii). This would include any identifying information, the bank will use, at the time the account is opened, to establish a reasonable belief it knows the true identity of the customer. So, for example, if the bank obtains other identifying information at account opening in addition to the minimal information required, such as the customer's phone number, then the bank must keep that information.
3. How does the record retention period apply to a customer who simultaneously opens multiple accounts in the bank?
If several accounts are opened for a customer simultaneously, all identifying information about a customer obtained under 31 C.F.R. § 103.121(b)(2)(i) must be retained for five years after the last account is closed or, in the case of credit card accounts, five years after the last account is closed or becomes dormant. All remaining records must be kept for five years after the records are made.
31 C.F.R. § 103.121(b)(4) -- Section 326 List
1. Has a list of known or suspected terrorists or terrorist organizations been designated for purposes of the CIP rule?
No such list has been designated to date. Banks will be contacted by their functional regulators when a list is issued. As of the time of publication, lists published by OFAC have not been designated as lists for purposes of the CIP rule. Of course, banks are separately obligated to check these lists in accordance with OFAC’s regulations.
31 C.F.R. § 103.121(b)(5) -- Customer notice
1. Does a bank have to provide notice to all owners of a joint account?
Yes, notice must be provided to all owners of a joint account. In addition, notice must be provided “in a manner reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account.” 31 C.F.R. § 103.121(b)(5)(ii). The Agencies agree that a bank may satisfy this requirement by directly providing the notice to any one accountholder of a joint account for delivery to the other owners of the account. Similarly, the bank may open a joint account using information about each of the accountholders obtained from one accountholder, acting on behalf of the other joint accountholders.
2. How should a bank provide notice to its customer when it engages in indirect lending through a third party such as a mortgage broker or car dealer?
When a mortgage broker or car dealer is acting as the bank's agent in connection with a loan, the bank may delegate to its agent the obligation to perform the requirements of the bank’s CIP rule. In contrast to the reliance provision in the CIP rule, the bank is ultimately responsible for its agent’s compliance with the rule. Depending upon the manner in which the account is opened, the agent can provide notice to the bank’s customer, for example, by posting a sign, printing the notice on the loan application given to the customer, orally providing the notice, or by providing the notice in any manner that is reasonably designed to ensure that the customer is given notice before opening an account.
31 C.F.R. § 103.121(b)(6) -- Reliance
1. Where a bank is entitled to “rely” on another financial institution to perform its CIP, whose CIP must the relied-upon financial institution implement?
The reliance provision does not impose on the other financial institution the obligation to duplicate the procedures in the bank’s CIP. The reliance provision permits a bank to rely on another financial institution to perform any of the procedures of the bank’s CIP, meaning, any of the elements that the CIP rule requires to be in a bank’s CIP: (1) identity verification procedures, which include collecting the required information from customers and using some or all of that information to verify the customers’ identities; (2) keeping records related to the CIP; (3) determining whether a customer appears on a designated list of known or suspected terrorists or terrorist organizations; and (4) providing customers with adequate notice that information is being requested to verify their identities.
Note that a bank can only use the reliance provision when the other financial institution is regulated by a Federal functional regulator and is subject to a general BSA compliance program rule, they share the customer, the bank can show its reliance upon the other financial institution’s performance of an element of the bank’s CIP was reasonable under the circumstances, and the requisite contract is signed and certifications provided.
2. When a longstanding customer of another financial institution (including an affiliate) opens a new account at the bank, can a bank rely on the other financial institution’s verification of the identity of the customer performed before a CIP procedure was required?
A bank that is subject to the CIP rule may rely on another financial institution’s verification of the identity of the customer if the requirements of the reliance provision are satisfied. The bank would have to be able to demonstrate that such reliance upon the other financial institution’s verification of the identity of the customer is reasonable under the circumstances. For example, the bank could do so by reviewing the relied-upon institution’s procedures to ensure that they were adequate although the institution was not yet subject to a CIP rule when it verified the customer’s identity.
In addition, even when a bank is relying on the verification of identity performed by another institution, the bank would continue to be responsible for complying with all remaining requirements of the CIP rule, namely, the requirement that it keep records, provide customer notice, and as soon as a section 326 list has been designated, check the list when a new account is opened.