Our

Affiliates

 

News

Financial Institutions must now comply with USA PATRIOT ACT "KNOW YOUR CUSTOMER" requirements

On April 30, 2003, the joint final rule on Customer Identification Programs for Banks, Savings Associations, Credit Unions and Certain Non-Federally Regulated Banks was issued by the Department of the Treasury and the federal financial regulators. Although the rule became effective on June 9, 2003, mandatory compliance was not required until October 1, 2003.

Under the USA PATRIOT Act, the Secretary of the Treasury was charged with prescribing regulations "setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account at a financial institution." The regulations were to require financial institutions to implement reasonable procedures for verifying the identity of any person seeking to open an account, to the extent reasonable and practicable; to maintain information used to verify the person's identity, including name, address, and other identifying information; and to determine whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency.

Many mortgage lenders may think they are exempt from the application of this rule, because they do not fall within the definition of "financial institution." The Department of the Treasury and the Financial Crimes Enforcement Network added to the confusion when they proposed separate rules in April for financial institutions involved in real estate settlements. The bottom line, however, is that while the rules discussed below apply to banks, thrifts, credit unions and entities regulated by the Federal Reserve Board, other lenders acquire responsibility for complying with the rule through their associations with those governed by the rule. For example, a subsidiary of a bank or thrift is required to comply with the rule. Also, if you sell loans to investors to whom the rule applies, those investors will generally require compliance with the rule as a condition precedent to any purchase.

Every financial institution is now required to have established a written Customer Identification Program, appropriate for its size and type of business, which includes the following:

  • Identity Verification Procedures. The Program must include procedures to collect identifying information from a customer, including, at a minimum, the customer's name, date of birth (for an individual, as opposed to age), address and identification number, and verify the customer's identity within a reasonable time after an account is opened. Documents used to verify identity may include a driver's license or passport for an individual, or certified articles of incorporation, a government-issued business license, a partnership agreement or a trust agreement for a non-individual. In addition, verification may occur through non-documentary methods, such as contacting a customer, comparing the information received with information obtained from a consumer reporting agency, obtaining information from public databases, checking a reference with other financial institutions, and obtaining a financial statement. The Program must describe when a financial institution will use documents, non-documentary evidence or both to verify the identity of a customer, what documents or non-documentary evidence will be required and how it will respond to circumstances in which it cannot form a reasonable belief as to the true identity of the customer.
  • Recordkeeping. The Program must include procedures for making and maintaining a record of all information obtained from a customer, including at a minimum:
    • The identifying information;
    • A description of the document used to verify the information, including the type of document, identification number, place of issuance, date of issuance and expiration date;
    • A description of the non-documentary methods used to verify the information and the results; and
    • A description of the resolution of any substantive discrepancy discovered when verifying the identifying information.
  • The identifying information must be retained for five years after the date the account is closed, and other information must be retained for five years after the record of the information is made. Electronic records are permissible, as long as they are accurate and accessible.
  • Comparison with Government Lists. The Program must include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations issued by any federal agency within a reasonable period of time after the account is opened or earlier.
  • Notice. The Program must include procedures for providing financial institution customers with adequate notice that the financial institution is requesting information in order to verify their identities. Depending upon the manner in which the account is opened, this could include posting a notice in the lobby or on its web site, including the notice on its account applications or using any other form of written or oral notice. The rule provides a sample form of notice. The notice must be provided before the account relationship is established.
  • Exemptions. Financial institutions need not collect identifying information on its existing customers, but must be able to determine who its existing customers are, and confirm the relationship. In addition, acquired accounts are exempt. A correspondent relationship may well fall within this exemption. Nevertheless, some investors are conservatively requiring that the information be collected.
Back