Kirkpatrick & Lockhart LLP
Bank & Thrift Regulatory UPDATE
JUNE 2003
Final Customer Identification Program Regulations
for Depository Institutions and Trust Companies
On May 9, 2003, the Department of the Treasury
(“Treasury”), the Office of the Comptroller of the
Currency, the Board of Governors of the Federal
Reserve System, the Federal Deposit Insurance
Corporation, the Office of Thrift Supervision (“OTS”),
and the National Credit Union Administration (together,
the “Agencies”) published final regulations
(“Regulations”) in the Federal Register regarding
customer identification programs (“CIPs”) for banks,
trust companies, savings associations, credit unions, and
certain non-federally regulated banks and the
subsidiaries of those entities.1 The effective date of the
Regulations is June 9, 2003; compliance by covered
institutions is required no later than October 1, 2003.
This Alert summarizes the Regulations.
(iv) credit unions. Financial institutions also include
non-federally insured (i) credit unions, and (ii) private
banks and trust companies that do not have a federal
functional regulator. A financial institution does not
include the foreign branches of an insured U.S. bank.
(In this Alert, any entity subject to the CIP requirements
shall be referred to as a “bank.”) A bank’s CIP must
apply throughout the bank’s U.S. operations, including
its subsidiaries, except that subsidiaries that are in
compliance with a separately applicable industry
specified rule will be deemed to be in compliance with
the bank CIP rule.
SUMMARY
An account for purposes of the Regulations is defined as
a business relationship for the provision of financial
products and services including deposit accounts,
transaction accounts, asset accounts, credit accounts,
and other extensions of credit, including mortgage
loans. Accounts also include safety-deposit boxes, cash
management, and custodian and trust services. The
definition of account excludes products and services
without a banking relationship, such as check cashing,
wire transfers, and sales of bank checks and money
orders. (The Regulations do not modify other
regulations that already require identification in certain
circumstances, such as for wire transfers or bank check
sales of $3,000 or more.)
Under the Regulations, financial institutions must, at a
minimum, implement written policies and procedures
to: (i) verify the identity of any person seeking to open a
new account, to the extent practicable; (ii) maintain
records of the information used to verify a person’s
identity; and (iii) determine if the person appears on any
list of known or suspected terrorists. Overall, the
Regulations offer a risk-based approach so that banks of
varying size and complexity will be able to develop
CIPs that are tailored to their own business and the risks
that they face.
INSTITUTIONS SUBJECT TO REGULATIONS
The Regulations define the term “financial institution”
broadly to mean, among other things, federally
regulated (i) commercial banks and trust companies,
(ii) private banks, (iii) savings associations, and
COVERED CUSTOMER ACCOUNTS
Account
A bank has to obtain identification information only
when it opens a new account for a customer; accounts
acquired through acquisition, merger, or a purchase of
assets and assumption of liabilities are excluded from
The Regulations were published in the Federal Register on May 9, 2003, beginning at page 25090. On July 23, 2002, Treasury
and the Agencies had published a joint notice of proposed rulemaking concerning CIPs (67 Fed. Reg. 48290).
1
Kirkpatrick & Lockhart LLP
Bank & Thrift Regulatory UPDATE
JUNE 2003
the definition of account. Further, a bank does not have
to verify the identity of existing customers who are
opening additional accounts if the bank has a reasonable
belief that it knows the true identity of the existing
customer. In addition, the definition of account
excludes accounts opened for the purpose of
participating in an employee benefit plan under ERISA,
since such accounts are less susceptible to use for
money laundering.2
CUSTOMER INFORMATION TO BE OBTAINED
The following information (which is substantially as
originally proposed, with certain increased flexibility, as
discussed below) must be obtained prior to opening an
account:
n
Name;
n
Date of birth, for an individual;
n
Address (as simplified under the Regulations):
– for an individual, a residential or business
street address;
Customer
The Regulations define a “customer” simply as “a
person that opens a new account.” Each person on a
joint account is, thus, a customer whose identification
must be verified. A customer does not include each
signatory on an account, but only persons in whose
name the account is opened. The definition of a
“customer” also excludes: (i) publicly traded companies
(traded on the New York or American Stock Exchange
or the NASDAQ National Market System);3
(ii) financial institutions regulated by a federal
functional regulator; (iii) banks regulated by state
banking authorities; and (iv) governmental agencies and
instrumentalities.
Fiduciary and Other Activities
For trust or escrow accounts, the customer is the trust,
or escrow account holder. The bank is not required to
look through the trust or escrow to verify the identity of
the beneficiaries. For brokered deposits, the customer
is the broker who opens the omnibus account, not the
broker’s customers represented by the individual
subaccounts. In the case of accounts for those who lack
legal capacity to open an account and for entities that
are not legal persons, such as civic clubs, the bank must
verify the identity only of the individual who opens the
account.
– for an individual who does not have a
residential or business street address, an Army
Post Office or Fleet Post Office box number, or
the residential or business street address of
next of kin or of another contact individual; or
– for a person other than an individual, a
principal place of business, local office or
other physical location; and
n
Identification number (as simplified under the
Regulations):4
– for a U.S. person, a taxpayer identification
number; or
– for a non-U.S. person, one or more of the
following types of information that permits a
bank to establish a reasonable belief that it
knows the identity of its customer: taxpayer
identification number; passport number and
country of issuance; alien identification card
number; or number and country of issuance of
any other government-issued document
evidencing nationality or residence and bearing
a photograph or similar safeguard.
This exclusion applies at the individual participant level. The ERISA Plan or Trust would be a “customer.” For IRA accounts,
the “customer” would be the individual who established the account.
3
The exclusion applies only to the publicly traded company, not to any foreign office, subsidiary or affiliate opening a new
account.
4
Exceptions may be made for persons, including natural persons, who have applied for, but have not yet received a taxpayer
identification number, as long as the bank’s CIP contains procedures to confirm the application was filed before the account is
opened and to obtain the taxpayer identification number within a reasonable period of time thereafter.
2
2
BANK & THRIFT REGULATORY UPDATE
Bank & Thrift Regulatory UPDATE
JUNE 2003
There is an exception in the Regulations for credit card
accounts. For those accounts only, accounts which are
often opened at a high-pressure point of sale, the bank
may obtain certain basic information about the customer
directly from the customer and obtain the rest of the
information from a third party, such as a credit reporting
agency, prior to the extension of credit.
VERIFICATION OF A CUSTOMER’S IDENTITY
The CIP must describe when a bank will use
documents, non-documentary methods, or some of each
to verify a customer’s identity. The Agencies
recommend that each bank use a variety of methods to
verify the identity of customers, especially in situations
where the bank does not review original documents.
Documentary Verification
The CIP must contain procedures that set forth the
documents the bank will rely on when verifying a
customer through documents, based on its own riskbased analysis of the types of documents it believes will
enable it to verify the customer’s identity. For
individuals, such documents may include unexpired
government-issued identification evidencing nationality
or residence and bearing a photograph or similar
safeguard (e.g., driver’s license or passport). For
persons other than individuals, documents showing the
existence of the entity (e.g., certified articles of
incorporation, government-issued business license,
partnership agreement or trust instrument). Banks are
not required to verify whether or not a document has
been validly issued and generally may rely on
government-issued identification as verification unless
the document shows obvious indications of fraud.
Non-Documentary Verification
If relying on non-documentary methods in addition to
or instead of documentary verification, the CIP must
contain procedures that describe the methods that will
be used. Non-documentary methods may include
contacting the customer or independently verifying the
customer’s identity through a comparison of
information provided by the customer with information
from a third-party source (e.g., verifying information
through credit bureaus, public databases and other
sources, checking references with other financial
institutions, and obtaining a financial statement).
Non-documentary procedures must address certain
specific circumstances, including those in which an
individual is unable to present an unexpired
government-issued identification document that bears a
photograph or similar safeguard, the bank is not familiar
with the documents presented, the account is opened
without obtaining documents, the customer opens the
account without appearing in person, or other
circumstances increase the risk that the bank will be
unable to verify the true identity of a customer through
documents. In any event, the Regulations encourage
banks to use non-documentary methods to confirm
identity even when the customer has provided
documentary information.
Additional Verification
Although the requirement to identify signatories has
been removed from the Regulations in most situations,
the Regulations include a requirement that the CIP
address situations in which there may be a heightened
risk that the bank will not know the customer’s true
identity, such as accounts opened in the name of a
corporation, partnership or trust that is created or
conducts substantial business in a jurisdiction
designated by the U.S. as a primary money laundering
concern or by an international body as non-cooperative.
In those cases, where the bank cannot otherwise
adequately verify the customer’s identity, the bank must
obtain information about individuals with authority or
control over the account, including persons authorized
to effect transactions in the account.
Lack of Verification
The CIP must include procedures for responding to
circumstances in which the bank cannot form a
reasonable belief that it knows the true identity of a
customer. In particular, the procedures should describe:
n
When not to open an account;
n
Terms under which a customer may use an
account while its identity is being verified;
n
When to file a Suspicious Activity Report; and
n
When to close an account after attempts to verify
a customer’s identity have failed.
Kirkpatrick & Lockhart LLP
3
Bank & Thrift Regulatory UPDATE
JUNE 2003
RECORDKEEPING
The recordkeeping requirements under the Regulations
are less burdensome than as originally proposed. The
CIP must include procedures for making and
maintaining a record of all information obtained under
the CIP procedures. The identifying customer
information collected (e.g., age, address) is the only
information that must be retained for five years after the
account is closed. All other required information need
only include a description, rather than a copy, and need
only be retained for five years after the record is made.
GOVERNANCE
Since the board of directors must adopt the bank’s Bank
Secrecy Act (“BSA”) compliance program and the CIP
is a material amendment to that program, board
approval of the BSA compliance program, as amended
with the bank’s CIP, is required.
ADDITIONAL PROVISIONS
Comparison with Government Lists
The Regulations do not address obligations outside of
the BSA, such as compliance with Treasury’s Office of
Foreign Assets Control, or OFAC, rules prohibiting
transactions with certain foreign countries or their
nationals. The Regulations do require that the CIP
include procedures for determining whether the name of
the customer appears on any list (none of which
currently exists) of known or suspected terrorists or
terrorist organizations issued by any federal government
agency, designated as such by Treasury, and about
which notice has been provided. Absent any
requirement to the contrary, the CIP procedures must
require that the determination be made within a
reasonable period of time after the account is opened or
earlier if required by law. The procedures must also
require the bank to follow all federal directives in
connection with such lists.
Customer Notice
The CIP must include procedures for providing
customers with adequate notice that certain information
is being requested from the customer by the bank for the
purpose of verifying the customer’s identity. Notice is
deemed adequate if it generally describes the
identification requirements of the Regulations and is
reasonably designed to ensure that a customer views the
notice before opening an account, such as a notice
posted in the lobby, on a website or on the account
application. The Regulations include sample language.
Relying on Other Financial Institutions
A bank may include procedures in its CIP that enable it
to rely on the performance of other financial
institutions, including affiliates, for certain procedures
required under the CIP. For a bank to rely on another
financial institution’s procedures, the reliance must be
reasonable, the other financial institution must be
subject to Anti-Money Laundering (“AML”) program
requirements, and the other financial institution must be
regulated by a federal functional regulator.
The bank must enter into a written agreement whereby
the financial institution on which the bank is relying
agrees to certify annually to the bank that it has
implemented its AML program and that it will follow
the requirements of the bank’s CIP. As long as reliance
was reasonable and the bank received the certification
required under the agreement, a bank will not be
responsible if the other financial institution does not
adequately perform the bank’s responsibilities.
REBECCA H. LAIRD
202.778.9038
rlaird@kl.com
SAM A. OZECK
202.778.9085
sozeck@kl.com
4
BANK & THRIFT REGULATORY UPDATE
Bank & Thrift Regulatory UPDATE
JUNE 2003
Kirkpatrick & Lockhart LLP has over 700 lawyers in 10 offices around the United States. Our Bank and Thrift
Regulatory practice is an important segment of the firm’s general financial services practice. That practice
extends to all major segments of the financial services industry, including investment managers, investment
advisers, investment banking, broker-dealers, mortgage bankers and custodians, as well as banks and thrifts.
Our Bank and Thrift Regulatory practice group provides legal advice primarily to depository institutions and
their holding companies, but also to various other clients with concerns relating to bank and/or thrift regulatory
matters. This advice covers all aspects of regulatory applications and analysis, mergers and acquisitions,
corporate reorganizations and developments with respect to specific financial products, particularly in the
lending, securities and insurance areas.
For more information about our Bank and Thrift Regulatory practice group’s capabilities, please contact one of
the attorneys listed below. Also, we invite you to visit our website at http://www.kl.com for more information
on our Bank and Thrift Regulatory practice group.
BOSTON
Stephen E. Moore
Stanley V. Ragalevsky
Sean P. Mahoney
617.951.9191
617.951.9203
617.951.3202
smoore@kl.com
sragalevsky@kl.com
smahoney@kl.com
HARRISBURG
Raymond P. Pepe
717.231.5988
rpepe@kl.com
LOS ANGELES
William P. Wade
310.552.5071
NEW YORK
Robert M. McLaughlin
Thomas C. Russler
John D. Vaughan
Jerome Walker
212.536.3924
212.536.4068
212.536.4006
212.536.4850
PITTSBURGH
Kristen L. Stewart
J. Robert Van Kirk
412.355.8975
412.355.6480
kstewart@kl.com
rvankirk@kl.com
SAN FRANCISCO
Jonathan D. Joseph
415.249.1012
jjoseph@kl.com
202.778.9032
202.778.9038
202.778.9371
202.778.9079
202.778.9350
202.778.9207
hjudy@kl.com
rlaird@kl.com
dmiller@kl.com
dsmith@kl.com
itannenbaum@kl.com
jvitale@kl.com
WASHINGTON
Henry L. Judy
wwade@kl.com
Rebecca H. Laird
Dean E. Miller
Donald W. Smith
rmclaughlin@kl.com
Ira L. Tannenbaum
trussler@kl.com
Joseph P. Vitale
jvaughan@kl.com
jwalker@kl.com
®
Kirkpatrick & Lockhart LLP
Challenge us.®
www.kl.com
.............................................................................................................................................................
This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein
should not be used or relied upon in regard to any particular facts or circumstances without first consulting
a lawyer.
LLP
Kirkpatrick & Lockhart
©
2003 KIRKPATRICK & LOCKHART LLP. ALL RIGHTS RESERVED.
5