Regulated companies such as banks must abide by customer identification requirements and implement a written Customer Identification Program (CIP) appropriate for their size and type of business. A CIP must be approved by their boards of directors and could be part of an existing anti-money laundering compliance program. Below are a few areas that must be addressed by the CIP:
Identity verification procedures - The CIP must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. The procedures must enable the organization to form a reasonable belief that it knows the true identity of each customer. These procedures must be based on the organization’s assessment of the relevant risks, including those presented by the various types of accounts maintained, the various methods used for opening accounts, the various types of identifying information available, and the company’s size, location, and customer base.
The verification process may include a combination of documentary and/or non-documentary evidence to verify customer information such as name, date of birth, address, nationality, photo, and identification number.
Non-documentary verification methods may include contacting a customer; independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other institutions; and obtaining a financial statement.
Lack of verification - The CIP must include procedures for responding to circumstances in which an organization can not form a reasonable belief that it knows the true identity of a customer. These procedures should describe when an account can not be opened, limited use of an account by the customer while the identity is being verified, and reporting of a Suspicious Activity Report.
Recordkeeping - The CIP must include procedures for making and maintaining a record of all information obtained including identifying information, description of document types and methods of verification, and any discrepancy resolution. All records must be retained for a period of five (5) years after the account closure date, or if the account becomes dormant in the case of credit card accounts.
Comparison with government lists - The CIP must include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations issued by any government agency. The procedures must require the bank to make such a determination within a reasonable period of time after the account is opened, or earlier.
Customer notice - The CIP must include procedures for providing customers with adequate notice that the requested information is for verifying their identities and describe the customer identification requirements. Notices may be posted to the company’s website, account applications, or expressed in any other written or oral form of notice.
Reliance on another institution - The CIP may include procedures specifying when the company will rely on the performance by another institution (including an affiliate) of any procedures of the bank’s CIP, with respect to any customer of the bank that is opening or has opened an account, or has established a similar formal business relationship with the other institution to engage in services, dealings, or other transactions, provided that a) such reliance is reasonable under the circumstances, b) the other institution is subject to similar regulation, and c) certifies annually that it has implemented a program to perform (or its agent will perform) the specified customer identification requirements of the CIP.