Compliance Blog

As part of compliance with the Bank Secrecy Act (BSA), credit unions are required to have a written Customer Identification Program (CIP), which should be designed so that the credit union can verify the identity of each “customer.” The Customer Identification Program (CIP) rules are found in section 748.2(b)(2) of the NCUA regulations and section 1020.220  of the FinCEN regulations. Let’s start off with a quick refresher. In general, what information does a credit union have to collect and verify under CIP? Well, under section 1020.220(a)(2)(i)(A) it states:

“In general. The CIP must contain procedures for opening an account that specify the identifying information that will be obtained from each customer. Except as permitted by paragraphs (a)(2)(i)(B) and (C) of this section, the bank must obtain, at a minimum, the following information from the customer prior to opening an account:

(1) Name;

(2) Date of birth, for an individual;

(3) Address, which shall be:

(i) For an individual, a residential or business street address;

(ii) For an individual who does not have a residential or business street address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another contact individual; or

(iii) For a person other than an individual (such as a corporation, partnership, or trust), a principal place of business, local office, or other physical location;

(4) Identification number, which shall be:

(i) For a U.S. person, a taxpayer identification number; or

(ii) For a non-U.S. person, one or more of the following: A taxpayer identification number; passport number and country of issuance; alien identification card number; or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.” (Emphasis added).

So, a credit union is required to obtain, at a minimum, information such as a name, date of birth, an address, and an identification number prior to a customer opening an account. Okay, so the credit union needs to gather certain information before a customer can open a new account. Does the credit union have to notify them of this? And if so, how does the credit union provide such notice?

Section 1020.220(a)(5)(i) states that:

“(5)

(i) Customer notice. The CIP must include procedures for providing bank customers with adequate notice that the bank is requesting information to verify their identities.” (Emphasis added).

Under the above, adequate notice that the credit union is requesting information to verify identity must be provided to all credit union “customers”.

Who exactly is considered a “customer” for purposes of CIP? The FFIEC’s BSA/AML Examination Manual sheds light on this and states that a “customer” means:

• “A person that opens a new account; and
• An individual who opens a new account for:
• An individual who lacks legal capacity, such as a minor; or
• An entity that is not a legal person, such as a civic club.”

As such, a customer is defined as “a person that opens a new account”. However, a customer is also defined as “an individual who opens a new account for an individual who lacks legal capacity” or an “individual who opens a new account for an entity that is not a legal person”.

Now that we know who is considered a customer and as such is required to receive notice as to why certain identifying information is being requested from them, how are credit unions supposed to provide such notice?

Section 1020.220(a)(5)(ii) discusses adequate notice and provides that:

“(ii) Adequate notice. Notice is adequate if the bank generally describes the identification requirements of this section and provides the notice in a manner reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account. For example, depending upon the manner in which the account is opened, a bank may post a notice in the lobby or on its Web site, include the notice on its account applications, or use any other form of written or oral notice.” (Emphasis added).

Based on the above, credit unions can provide adequate notice if they generally describe “the identification requirements” and by providing “the notice in a manner reasonably designed to ensure that the customer is able to view the notice, or is otherwise given notice, before opening an account.” The rule goes on to provide examples that hinge on the “manner in which the account is opened”, such as “post[ing] a notice in the lobby” or posting it on a credit union’s website. Credit unions can also “include the notice on its account applications, or use any other form of written or oral notice.” So, it appears that there is quite a bit of flexibility regarding how adequate notice can be provided, so long as it is given before a customer opens an account.

Additionally, section 1020.220(a)(5)(iii) provides a sample notice that may be helpful to review.

--------------------------------------------------------------------------------------

⏰ Hurry – Registration closes 9/30! Regulatory Compliance School On-Demand 

Master CU compliance from A to Z on your schedule, from anywhere. Plus, earn your NCCO credential when you pass the optional exams. Learn More & Enroll 

 

 🚀 Online Compliance Training Subscriptions: Industry experts cover the hottest topics in a fast, convenient way. Master the most challenging areas of CU compliance—all accessible by your entire credit union staff 24/7/365. Subscribe now.