Bank Secrecy Act
Customer Identification Program
Objective. Assess the bank’s compliance with the statutory and regulatory requirements for the Customer Identification Program (CIP).
1. Verify that the bank’s policies, procedures, and processes include a comprehensive program for identifying customers who open an account after October 1, 2003. The written program must be included within the bank’s BSA/AML compliance program and must include, at a minimum, policies, procedures, and processes for the following:
- Identification of information required to be obtained (including name, address, taxpayer identification number (TIN), and date of birth, for individuals), and risk-based identity verification procedures (including procedures that address situations in which verification cannot be performed).
- Procedures for complying with recordkeeping requirements.
- Procedures for checking new accounts against prescribed government lists, if applicable.
- Procedures for providing adequate customer notice.
- Procedures covering the bank’s reliance on another financial institution or a third party, if applicable.
- Procedures for determining whether and when a SAR should be filed.
2. Determine whether the bank’s CIP considers the types of accounts offered; methods of account opening; and the bank’s size, location, and customer base.
3. Determine whether the bank’s policy for opening new accounts for existing customers appears reasonable.
4. Review board minutes and verify that the board of directors approved the CIP, either separately or as part of the BSA/AML compliance program (31 CFR 1020.220(a)(1)).
5. Evaluate the bank’s audit and training programs to ensure that the CIP is adequately incorporated (31 CFR 1020.220(a)(1)).
6. Evaluate the bank’s policies, procedures, and processes for verifying that all new accounts are checked against prescribed government lists for suspected terrorists or terrorist organizations on a timely basis, if such lists are issued (31 CFR 1020.220(a)(4)).
7. On the basis of a risk assessment, prior examination reports, and a review of the bank’s audit findings, select a sample of new accounts opened since the most recent examination to review for compliance with the bank’s CIP. The sample should include a cross-section of accounts (e.g., consumers and businesses, loans and deposits, credit card relationships, and Internet accounts). The sample should also include the following:
- Accounts opened for a customer that provides an application for a TIN or accounts opened with incomplete verification procedures.
- New accounts opened using documentary methods and new accounts opened using nondocumentary methods.
- Accounts identified as higher risk. Higher-risk accounts, for CIP purposes, may include accounts in which identification verification is typically more difficult (e.g., foreign private banking and trust accounts, accounts of senior foreign political figures, offshore accounts, and out-of-area and non-face-to-face accounts).
- Accounts opened by existing higher-risk customers.
- Accounts opened with exceptions.
- Accounts opened by a third party (e.g., indirect loans).
8. From the previous sample of new accounts, determine whether the bank has performed the following procedures:
- Opened the account in accordance with the requirements of the CIP (31 CFR 1020.220(a)(1)).
- Formed a reasonable belief as to the true identity of a customer, including a higher-risk customer. (The bank should already have a reasonable belief as to the identity of an existing customer (31 CFR 1020.220(a)(2)).)
- Obtained from each customer, before opening the account, the identity information required by the CIP (31 CFR 1020.220(a)(2)(i)) (e.g., name, date of birth, address, and identification number).
- Within a reasonable time after account opening, verified enough of the customer’s identity information to form a reasonable belief as to the customer’s true identity (31 CFR 1020.220(a)(2)(ii)).
- Appropriately resolved situations in which customer identity could not be reasonably established (31 CFR 1020.220(a)(2)(iii)).
- Maintained a record of the identity information required by the CIP, the method used to verify identity, and verification results (including results of discrepancies) (31 CFR 1020.220(a)(3)).
- Compared the customer’s name against the list of known or suspected terrorists or terrorist organizations, if applicable (31 CFR 1020.220(a)(4)).
- Filed SARs, as appropriate.
9. Evaluate the level of CIP exceptions to determine whether the bank is effectively implementing its CIP. A bank’s policy may not allow staff to make or approve CIP exceptions. However, a bank may exclude isolated, nonsystemic errors (such as an insignificant number of data entry errors) from CIP requirements without compromising the effectiveness of its CIP (31 CFR 1020.220(a)(1)).
10. On the basis of a risk assessment, prior examination reports, and a review of the bank’s audit, select a sample of relationships with third parties the bank relies on to perform its CIP (or portions of its CIP), if applicable. If the bank is using the "reliance provision":
- Determine whether the third party is a federally regulated institution subject to a final rule implementing the AML program requirements of 31 USC 5318(h).
- Review the contract between the parties, annual certifications, and other information, such as the third party’s CIP (31 CFR 1020.220(a)(6)).
- Determine whether reliance is reasonable. The contract and certification will provide a standard means for a bank to demonstrate that it has satisfied the "reliance provision," unless the examiner has reason to believe that the bank’s reliance is not reasonable (e.g., the third party has been subject to an enforcement action for AML or BSA deficiencies or violations).
11. If the bank is using an agent or service provider to perform elements of its CIP, determine whether the bank has established appropriate internal controls and review procedures to ensure that its CIP is being implemented for third-party agent or service-provider relationships (e.g., car dealerships).
12. Review the adequacy of the bank’s customer notice and the timing of the notice’s delivery (31 CFR 1020.220(a)(5)).
13. Evaluate the bank’s CIP record retention policy and ensure that it corresponds to the regulatory requirements to maintain certain records. The bank must retain the identity information obtained at account opening for five years after the account closes. The bank must also maintain a description of documents relied on, methods used to verify identity, and resolution of discrepancies for five years after the record is made (31 CFR 1020.220(a)(3)(ii)).
14. On the basis of examination procedures completed, including transaction testing, form a conclusion about the ability of policies, procedures, and processes to meet regulatory requirements associated with CIP.