Part 1 - An Overview
of CIP
Ramie Blakeman, former Legal & Compliance
Director
Introduction
If you have had a chance to read through the
final rule for Section 326 of the USA Patriot
Act you will undoubtedly note that it is not
as burdensome as it had been in the proposal
stage. Financial institutions are now left with
a requirement to develop a risk-based approach
to a Customer Identification Program (CIP).
To assist you with understanding this, I have
broken out the discussion of Section 326 into
a series of short articles, the first focusing
on an overview of a CIP. The second part will
detail the core components within a CIP: customer
identification, verification (both documentary
and non-documentary), record keeping, customer
notice, and data list screening (this is not
OFAC screening) and what to look for in solutions
or tools to assist you.
Who is affected?
In its conception Section 326 was very broad
in regard to industries included and proposed
guidelines/requirements. In final form, with
an October 1, 2007 deadline, those immediately
affected are:
- Banks
- Credit Unions
- Futures Commission Merchants
- Futures Introducing Merchants
- Mutual Funds
- Thrifts
- Trusts
- Securities Dealers
Regulators are finalizing their specific guidance,
so please check with them on their requirements
and the sectionfs application to your
industry.
The focus: a risk-based
CIP
The goal of what was finalized allows for taking
many current Know Your Customer (KYC) and Due
Diligence procedures already in place at most
institutions and cross-applying them to Section
326. Start your review of Section 326 compliance
by doing an inventory of what youfre currently
doing for anti-fraud measures, and the tools
used in that capacity. You may find that you
can easily repackage these for your CIP practices.
Being able to cross-apply these measures leads
to the crux of Section 326: develop your CIP
based on risk. They are looking for scrutiny
to be applied in varying levels depending upon
the amount of risk involved in not knowing your
customerfs identity at the opening of
an account. In other words, how comfortable
are you that you know who this customer is and
are they who they say they are?
Key Terms
Unearthing meaning from this risk-based language
lies partly within the definitions of the following
key terms in the final rule:
Account
A formal relationship to provide or engage in
services, dealings or other financial transactions:
Includes:
- Cash management
- Credit accounts and other extensions
- Custodian services
- Transaction or asset account,
- Trust services
Excludes:
A product or service without a gformalh
relationship, i.e. check cashing, wire transfer,
sale of a money order
Acquired accounts via acquisition, merger, asset
purchases, liability assumption
Customer
A person opening a new account and an individual
who opens a new account for one who lacks legal
capacity (i.e. a minor) or an entity that is
not a legal person (i.e. a civic group)
Excludes:
A person with an existing account, provided
you reasonable know their identity
Other domestic operated financial institutions,
government agencies or publicly traded companies
Bank
Banks subject to federal regulations and their
subsidiaries; state-regulated credit unions,
private banks, trust companies; and US offices
of foreign banks (not foreign branches of US
banks)
Assessment
After relying on these definitions as a foundation
to assess who and what must be covered in a
risk-based CIP you should next look to a fundamental
question: How risky are your products and services?
In answering this, you should evaluate:
the size of your institution
locations of business
customer base
types of accounts
methods of account opening
types of identifying information available to
you from the customer
You may find that using an interactive question
and answer process with your products will assist
you in crafting your CIP. One question based
on the bullet list above would be: Can customers
apply to open an account solely through the
web? If yes, it is then feasible that you could
have no idea who you are communicating with
on the other end. So, how will you go about
gathering their identity and then verifying
it?
After this assessment, you are ready to move
on to the second part in this series: learning
what identifying information can be used, how
to verify that identity, how to notify your
customers of this new process and how long to
retain your various records. This will develop
the main body of your CIP, which you can then
integrate into a larger anti-money laundering
program. Remember, spelling it all out for your
regulator in your policies and procedures is
always better than being general.
Don't forget that as your CIP will be a function
of and addendum to your BSA policies, it will
need approval from your Board of Directors.
