USA PATRIOT Act - Long-Awaited Final Customer Identification Regulations
That Apply to Banks, Broker Dealers, Trust Companies, Mutual Funds and Other
By Carl Fornaris, Greenberg
Traurig, Miami Office
View or download the PDF version of this Alert
On April 30, 2003, the United States Department of the Treasury, the
Financial Crimes Enforcement Network and seven other federal financial services
regulatory agencies issued final regulations that require banks, savings
associations, broker dealers, trust companies, credit unions, mutual funds,
futures commission merchants and futures introducing brokers to adopt written
customer identification programs (“CIPs”) that will require these institutions
to: (1) verify the identity of any person seeking to open an account; (2)
maintain records of the information used to verify identity; and (3) consult
government known or suspected terrorist lists to determine whether the customer
appears on any such list.
|"Legal and compliance departments
of financial institutions nationwide should carefully review their
CIPs to ensure that those CIPs, at a minimum, contain all of the
requirements published in the final CIP regulations."
Financial institutions have until October 1, 2003 to come into compliance
with these final regulations, which implement the CIP requirements of Section
326 of the landmark USA PATRIOT Act. Especially after October 1, all financial
institutions should expect their federal banking agency examiners or self-regulatory
organization examiners, as the case may be, to specifically request to see
a copy of the institution’s AML program to examine compliance with the CIP
final regulations. Legal and compliance departments of financial institutions
nationwide should update their existing CIPs to ensure that those CIPs,
at a minimum, contain all of the requirements published in the final CIP
Below is a summary outline of the final CIP regulations:
- Covered Customers
- Under the final regulations, identification must be verified for:
- individuals that are new customers of the institution;
- legal entities that are new customers of the institution;
- each person named on a joint account; and
- the deposit broker (not each subaccount) in the case of brokered
- Under the final regulations, financial institutions do not
have to verify identity for:
- an existing customer;
- another financial institution regulated in the United States;
- signatories on a corporate account.
- Covered Accounts
- The institution must verify identity for customers that want to
open a new “account.” An “account” broadly means a “formal relationship”
with a bank or broker dealer to conduct banking business or effect securities
transactions, such as:
- a deposit account;
- a credit or loan account;
- a securities account;
- a cash management account; and
- a safety deposit box service.
- An “account” does not include services or products that lack a “formal
- wire transfers;
- money order or certified check sales; and
- accounts acquired from a merger or acquisition.
- CIP – Minimum Requirements
Each financial institution must implement a written CIP appropriate for
its size and risk profile that is incorporated into the institution’s
overall written anti-money laundering (“AML”) program.
- Identity Information Gathering
Prior to opening a new account with a covered customer, the institution
must obtain, at a minimum:
- date of birth;
- residential or work address for individuals, or
physical location address for legal entities;
- a TIN for U.S. citizens or legal entities organized under state
- for lawful permanent residents or non-immigrants, a TIN, passport
number and country of issuance, alien identification card number,
or number and country of issuance of any other government-issued document
evidencing nationality or residence and bearing a photo; and
- for non-U.S. legal entities with no TIN, a government-issued
certificate of existence or good standing.
- Identity Verification Procedures
- Risk-Based Procedures
Institutions opening a new account must be able to form a “reasonable
belief” – an objective standard – that it knows the identity of each
new customer. CIP identity verification procedures must be risk-based
to take into account the institution’s size, customer base, location
and the like. In other words, there is no “one size fits all” approach
to achieving compliance, but examiners will specifically assess the
efficacy of the institution’s CIP against its risk profile.
- Verify Identity Within “Reasonable Time”
Institutions must verify identification “within a reasonable time
after the account is opened.”
- Documentary and Non-Documentary Verification
The CIP must describe when an institution will use documents, documentary
methods or both.
- Documentary verification must be described in CIP and may include:
- for individuals, an unexpired, photo-bearing, government-issued
identification evidencing nationality or residence (e.g.,
driver license or passport); or
- for legal entities, certified articles of incorporation, certificate
of good standing, business license, partnership agreement, or
- Non-documentary verification must be described in CIP and may
- contacting a customer after opening an account; or
- comparing customer identification information against credit
reports, public databases such as real property records and financial
- Enhanced Due Diligence for Corporate Customers
The CIP must address situations where, based on risk assessment
of a new corporate account (e.g., corporate account from
FATF jurisdiction) whose identity cannot be verified through documentary
or non-documentary methods, the institution will obtain information
about “individuals” with “authority or control” over
an account, including signatories, in order to verify customer’s
identity. According to the final regulation, this verification procedure
applies “only” where the institution cannot verify the customer’s
true identity through documentary or non-documentary methods.
- Failure to Verify Identification.
Where an institution cannot form a reasonable belief that it knows
the true identity of the customer, CIP procedures “should” describe:
- when the institution should not open the account;
- the terms under which a customer can use an account while the
institution continues to verify identity;
- when the institution should close the account after identification
efforts have failed; and
- when the institution should file a SAR.
- Recordkeeping Obligations
- What Must Be Retained?
- all identifying information obtained before opening the account
(e.g., name, address, DOB, TIN);
- a description of any document relied upon noting the
type of document, any identification number contained in the document,
place of issuance, date of issuance and expiration date;
- a description of any non-documentary methods used;
- a description of the resolution of any substantive discrepancies
discovered when verifying the identifying information; and
- descriptions of the foregoing are sufficient; photocopies of
the source document do not need to be retained.
- How Long Must Records Be Retained?
- all identifying information obtained before opening the account
(e.g., name, address, DOB, TIN) must be retained five years
after the date of account closure.
- descriptions of documentary and non-documentary verification
must be retained five years after the date the record is made.
- Electronic record-keeping is permissible. For broker dealers,
electronic records must be preserved in non-rewritable and non-erasable
format. See SEC Release No. 34-47806 (May 7, 2003).
- Government List Comparison Requirement
- What Lists?
After the account is opened and identification is verified, a financial
institution’s CIP must include procedures for determining whether
the customer’s name appears on any list of known or suspected terrorists
or terrorist organizations issued by any federal government agency
(e.g., OFAC, FBI lists).
Institutions will receive separate guidance regarding the lists that
must be consulted.
The comparison must be made “within a reasonable period of time after
the account is opened,” or earlier if required by applicable federal
- Customer Notice Requirement
- Financial institutions must notify their customers, before opening
an account, either in writing or verbally, that the institution is
requesting information to verify their identities.
- Notice may be furnished in writing or verbally.
- Notice may be posted in lobby, on Website, on an account application.
- Sample notice:
“To help the government fight the funding of terrorism and money laundering
activities, Federal law requires all financial institutions to obtain,
verify, and record information that identifies each person who opens
an account. What this means for you: When you open an account, we
will ask for your name, address, date of birth, and other information
that will allow us to identify you. We may also ask to see your driver’s
license or other identifying documents.”
Should you have any questions regarding this Alert, please do not hesitate
to contact Carl Fornaris at 305-579-0626 or any of the individuals listed
on the following page.
© 2003 Greenberg Traurig
For more information, please review our Corporate & Securities Practice
description, or feel free to contact one of our attorneys.
This GT ALERT is issued for general purposes only and is not intended
to be construed or used as legal advice. Greenberg Traurig attorneys provide
practical, result-oriented strategies and solutions tailored to meet our
clients’ individual legal needs. The Firm’s responsive approach to client
service often cuts across legal subject matter, applying the right experience
and resources to provide cost-effective solutions.