Background
On April 30 2003 the US Department of Treasury and other federal banking agencies jointly issued a final rule to implement Section 326 of the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act 2001 (USA Patriot Act). The final rule requires financial institutions - including banks, savings associations, credit unions, private banks and trust companies - to implement certain minimum procedures as part of their know-your-customer programmes. While the effective date of the final rule is officially June 9 2003, a transition period has been included to facilitate compliance. The deadline for banks' implementation of the requirements of the final rule is October 1 2003.
To ensure compliance with the final rule, banks should review their current customer identification policies and procedures and amend them where necessary to meet the new standards prescribed by the final rule.
Section 326 of the act provides that the Department of Treasury must issue regulations to require financial institutions to adopt customer identification programmes (CIPs) that will, at a minimum, provide for:
- verification of the identity of any person seeking to open an account;
- maintenance of records of the information used to verify a person's identity; and
- determination as to whether the person appears on any lists of known or suspected terrorist organizations.
In July 2002 the Department of Treasury and other agencies published a proposed rule implementing the above requirements of Section 326. After review and discussion of the comments, the Department of Treasury adopted the final rule as discussed below.
Definitions
During the prolonged comment period, it became apparent that there was considerable industry confusion over the meaning of key terms, especially 'account' and 'customer'.
Account
The proposed rule defined 'account' as each formal banking or business relationship established to provide ongoing services, dealings or other financial transactions, and included deposit accounts, transaction or asset accounts, and credit accounts or other extensions of credit. The proposed rule was not intended to cover infrequent transactions such as the occasional purchase of a money order or a wire transfer.
Under the final rule, the Department of Treasury and the agencies have deleted references to the term 'business relationship' to clarify that the regulation applies generally to a bank's provision of financial services. The definition now contains examples of products and services that constitute an 'account'. These include safety deposit box and other safekeeping services, and cash management, custodian and trust services.
The definition of 'account' also specifies a list of products and services that will not be deemed an account for purposes of the CIP requirements of the final rule. These include:
- a product or service where no formal banking relationship is established, such as cheque-cashing, a wire transfer, or sale of a cheque or money order;
- an account that a bank acquires through an acquisition, merger, purchase of assets or assumption of liabilities; or
- an account opened for the purpose of participating in an employee benefit plan established under the Employee Retirement Security Act 1974.
Bank
The proposed rule applied to (i) any financial institution defined as a 'bank' in 31 Code of Federal Regulations 103.11(c) and subject to regulation by one of the agencies, including banks, savings associations, credit unions, Edge Act and agreement corporations, and branches and agencies of foreign banks; and (ii) certain other financial institutions defined as a 'bank' under Code of Federal Regulations 103.11(c) that do not have a federal functional regulator. The proposed definition also included a foreign branch of an insured US bank.
The final rule adopted the definition as set forth in the proposed rule, except that a 'bank' now does not include any of the foreign (non-US) branches of a bank. Nevertheless, the Department of Treasury and the agencies encourage each bank to implement a CIP, as required by the final rule, throughout its organization, including in its foreign branches, except to the extent that the requirements of the final rule would conflict with local law.
Customer
The proposed rule defined a 'customer' to mean any person seeking to open a new account, regardless of whether that person already had an account, and included a signatory on an account.
The final rule defines a 'customer' as (i) a person that opens a new account, and (ii) an individual who opens a new account for an individual who lacks legal capacity, such as a minor, or for an entity that is not a legal person, such as a civic club. Each person named on a joint account is a customer, unless otherwise provided. The final rule also excludes from the definition of 'customer' entities such as:
- financial institutions regulated by a federal functional regulator;
- banks regulated by a state bank regulator;
- governmental agencies and instrumentalities; and
- companies that are publicly traded as described in Section 103.22(d)(2)(ii)-(iv).
After reviewing the comments received, the Department of Treasury deleted the controversial proposed requirement to verify the identity of all signatories to an account. Also, in the case of accounts for legal entities other than individuals, the 'customer' will now be the entity. For purposes of this rule, a bank will not be required to look through trust, escrow or similar accounts to verify the identities of beneficiaries, and instead will only be required to verify the identity of the named account holder. However, the final rule does require a bank's CIP to address situations when the bank will take additional steps to verify the identity of a customer account holder that is not an individual by seeking information about individuals with authority or control over such account (including signatories) in order to verify the customer's identity.
The final rule also excludes from the definition of 'customer' a person that has an existing account with the bank, provided that the bank has a reasonable belief that it knows the true identity of the person.
Other definitions
The final rule defines a 'federal functional regulator' as meaning each of the agencies, the Securities Exchange Commission and the Commodity Futures Trading Commission. The final rule also includes a new definition for the term 'financial institution' that cross-references the Bank Secrecy Act, 31 United States Code 5312(a)(2) and (c)(1), and includes entities such as futures commission merchants and introducing brokers. The final rule also defines a 'US person' as an individual who is a US citizen, or an entity established or organized under the laws of a state or the United States. A 'non-US person' is defined as a person who does not satisfy either of these criteria.
Customer Identification Programme Requirements
The proposed rule required each bank to implement a CIP appropriate to its size, location and type of business. A bank's CIP had to contain the statutorily prescribed procedures, describe these procedures and detail certain minimum elements that each of the procedures was to contain. In addition, the proposed rule required that the CIP be written, and that it be approved by the bank's board of directors or a committee of the board. The proposed rule also stated that the CIP must be incorporated into the bank's Bank Secrecy Act compliance programme and should not be a separate programme. A bank's Bank Secrecy Act compliance programme must be written, approved by the board and noted in the board's minutes. It must include:
- internal policies, procedures and controls to ensure ongoing compliance;
- designation of a compliance officer;
- an ongoing employee training programme; and
- an independent audit function to test these programmes.
The final rule removes the requirement that a bank's board of directors or a committee must separately approve the bank's CIP. Since the CIP is part of the more inclusive anti-money laundering programme which is approved by the board, the Department of Treasury determined this requirement to be redundant. The final rule requires the board of directors to determine that (i) the bank's CIP meets minimum requirements of this final rule, and (ii) the bank's identity verification procedures are designed to enable the bank to form a reasonable belief that it knows the true identity of the customer. Responsibility for the development, implementation and day-to-day administration of the CIP may be delegated to the bank management.
Contents
The final rule provides that a bank's CIP must include risk-based procedures for verifying the identity of each customer in a manner that will enable a bank to form a reasonable belief that it knows the true identity of the customer. A bank's affirmative obligation to verify the identity of its customer applies to 'any person' rather than only to a person whose identity is suspect.
The final rule requires the identity verification procedures to be based upon relevant risks, including those presented by:
- the types of accounts maintained by a bank;
- the various methods of opening accounts provided by a bank; and
- the types of identifying information available.
In addition to these risk factors, the procedures should take into account the bank's size, location, and type of business or customer base.
The final rule provides that a bank's CIP must specify the identifying information to be obtained from each customer prior to opening an account. Before opening an account, a bank must obtain:
- a name;
- an address (a residential or business street address for individuals, and principal place of business or local office or other physical location address for a person other than an individual);
- date of birth for individuals; and
- an identification number.
The final rule clarifies that a bank is not required to obtain more than a single address for a customer. Based upon an assessment of risks described above, a bank may require a customer to provide additional information to establish the customer's identity.
The 'identification number' to be obtained for US persons would normally be a driver's licence, social security number or passport number. For a non-US person, a bank must obtain one or more of the following:
- a taxpayer identification number (social security number, individual taxpayer identification number or employer identification number);
- passport number and country of issuance;
- an alien identification card number; or
- number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.
For a customer, including an individual, who has applied for but has not yet received a taxpayer identification number, a bank may (instead of obtaining such number prior to opening an account) provide for procedures in its CIP to confirm that such an application was made and obtain the tax identification number within a reasonable period of time.
Customer verification
A bank's CIP must contain procedures for verifying the identity of a customer seeking to open an account. A bank need not establish the accuracy of every element of the identifying information obtained, but must do so for enough information to form a reasonable belief that it knows the true identity of the customer. A bank must verify the identifying information using documentary or non-documentary methods, or a combination of both, within a reasonable time after the account is opened. A CIP must provide details as to when a bank will use a particular method to verify customer identity.
Verification through documents
A bank generally may rely on government-issued identification for verification of a customer's identity. However, if a document shows obvious indications of fraud, the bank must consider that factor in determining whether it can form a reasonable belief that it knows the true identity of a customer. The rule gives examples of types of documents that are considered reliable. However, a bank is encouraged to obtain more than one type of documentary verification to ensure that it has a reasonable belief that it knows the true identity of a customer.
Non-documentary verification
For a bank relying on non-documentary verification methods, the CIP must contain procedures that describe the non-documentary methods the bank will use. The final rule indicates that these methods may include:
- contacting a customer;
- independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency or public database;
- checking references with other financial institutions; and
- obtaining a financial statement.
High-risk customers
Though the final rule does not define a 'high-risk customer', it indicates that the term includes accounts where a bank cannot adequately verify the identity of the customer and other accounts opened in the name of a corporation, partnership or trust that is created or conducts substantial business in a jurisdiction that has been designated by the United States as being of primary money-laundering concern. A bank's CIP must prescribe additional measures to verify the identity of such customers, which may include obtaining information about individuals with authority or control over such accounts, including signatories, to verify the customer's identity.
Lack of verification
The final rule requires that a bank's CIP include procedures for responding to circumstances in which the bank cannot form a reasonable belief that it knows the true identity of the customer. The procedures should describe the following:
- when a bank should decline to open an account for a potential customer;
- the terms under which a customer may use an account while the bank attempts to verify the customer's identity;
- when the bank should close an account after attempts to verify a customer's identity have failed; and
- when the bank should file a suspicious activity report in accordance with applicable law and regulation.
The final rule does not specifically require a bank to close the account of a customer whose identity the bank cannot verify, but instead leaves this determination to the discretion of the bank.
Recordkeeping and retention
Recordkeeping
The Department of Treasury and the agencies have reconsidered and modified the recordkeeping requirements of the proposed rule. The final rule provides that a bank's CIP must include procedures for making and maintaining a record of all information obtained from a customer. The final rule states that a bank's records are to include "a description", but not necessarily a copy, of any document upon which the bank has relied in order to verify the identity of the customer. A bank must note:
- the type of document;
- any identification number contained in the document;
- the place of issuance; and
- if any, the date of issuance and expiration date of such document.
Record retention
The final rule now prescribes a record retention schedule consistent with the general five-year retention requirement of the Bank Secrecy Act. First, the bank must retain the information regarding the name, date of birth, address and identification number of a customer for five years after the date the account is closed or, in the case of credit card accounts, five years after the account is closed or becomes dormant. Second, the bank need only retain the records relating to the description of the documents (but not the documents themselves) relied upon to verify the identity of a customer for five years after the record is made.
Comparison with government lists
The final rule states that a bank's CIP must include procedures for determining, within a reasonable period of time, whether the customer appears on any list of known or suspected terrorist organizations issued by any federal government agency and designated as such by the Department of Treasury in consultation with the federal functional regulators. The procedures must also require the bank to follow all federal directives issued in connection with such lists. Banks will not have any affirmative duty under this rule to seek out all lists of known or suspected terrorist organizations compiled by the federal government. Instead, banks will receive notification by way of separate guidance regarding the lists that must be consulted for purposes of this provision.
Customer notice
A bank must give notice to its customers that it is requesting information to verify their identity. The final rule states that such a notice is adequate if it describes the identification requirements of the final rule and is provided so that a customer can view it before opening an account. The final rule also states that a bank may post a notice in the lobby or on its website, include the notice on its account applications, or use any other form of oral or written notice, depending upon the manner in which an account is opened. In addition, the final rule includes sample language that will be deemed adequate notice.
Reliance on third parties
The final rule provides that a bank's CIP may include procedures specifying when a bank will rely on the verification performed by another financial institution, including an affiliate of the bank. Reliance is permitted if a customer of the bank is opening or has opened an account, or has established a similar banking or business relationship with the other financial institution to provide or engage in services, dealings or other financial transactions. Such reliance must be reasonable under the circumstances, and the other financial institution must be subject to a rule implementing the anti-money laundering programme requirements and be regulated by a federal functional regulator. The other financial institution must also enter into a contract requiring it to certify annually to the bank that it has implemented its anti-money laundering programme and that it will perform (or its agent will perform) the specified requirements of the bank's CIP.
The bank will not be held responsible for the failure of the other financial institution adequately to fulfil the bank's CIP responsibilities, provided the bank can establish that its reliance was reasonable and that it has obtained the requisite contracts and certifications.
A bank may contract with a third-party service provider to keep its records even when the bank does not act under the reliance provision. However, the performance of these services for federally regulated banks will be subject to regulation and examination by the agencies under other applicable laws and regulations.
Exceptions
The appropriate federal functional regulator, with the consent of the Department of Treasury, may by order or regulation exempt any bank or type of account from the CIP requirements. For banks without a federal functional regulator, the Department of Treasury alone will make a determination regarding exemptions.
Recommendations
Even though banks may have know-your-customer programmes in operation already, they should review them carefully to determine whether they comply with the final rule issued by the Department of Treasury and other agencies. It may thus be advisable for banks to begin the process of assessing their current policies and amending them well in advance of the final deadline.
For further information on this topic please contact Connie Friesen at Sidley Austin Brown & Wood LLP by telephone (+1 212 839 5507) or by fax (+1 212 839 5599).