By James Cook, General Counsel at SentiLink and Parag Patel, Senior Associate at Orrick
This is the final part in a series of posts that seek to demystify and explain in simple terms the KYC requirements for financial institutions in the United States. In discussions with clients, we have found an inconsistent understanding of this crucial and evolving area of law and compliance. In this series, we will define what KYC means for financial institutions in the United States, discuss how the requirements came about, and provide a clear roadmap for compliance in the face of a changing threat landscape.
As we’ve learned, financial KYC is far from static. The rules have evolved through history, and comprise a patchwork of laws and regulations that can be ambiguous at best. In this post, we try to provide practical guidance on how to minimize the possibility that you run afoul of financial regulators or law enforcement authorities.
A financial institution must have written policies, procedures, and processes outlining their BSA/AML compliance program. But it must also have practices that implement them. Internal controls refer to the implementation of a financial institution’s policies, procedures, and processes (including a customer identification program (CIP)) for complying with BSA/AML regulatory requirements and managing illicit financial activity risks, such as money laundering or identity theft. For example, internal controls should include systems to monitor for, identify, and report suspicious activity in customer accounts. They should also include mechanisms for informing the board of directors and senior management of BSA compliance issues and designating specific BSA compliance responsibilities to each relevant employee. A financial institution’s internal controls should be proportionate to the financial institution’s organizational structure, size, complexity, and—most importantly—money laundering risk.
In order to meet the requirements of the regulations, a financial institution must have a written CIP that is appropriate for its size and type of business, ranging from shorter, simpler policies and procedures for a small, lower-risk organization to potentially many volumes for a top 10 bank. It must include risk-based identity verification procedures to verify a customer’s identity and that enable the financial institution to form a reasonable belief that it knows the identity of each customer.
When determining what is reasonable, the procedures must consider the following risks, among other things: (i) types of accounts maintained by the financial institution; (ii) methods of opening accounts; (iii) types of identifying information available; and (iv) size, location, and customer base of the financial institution.
The reasonable belief also dictates the identifying information the financial institution must obtain from a customer in connection with opening an account (which must be listed in its CIP procedures). The minimum information that must be collected is: name, date of birth for an individual, address, and government identification number (for U.S. persons, tax identification or Social Security number). However, depending on the risk level (e.g., among other things, the organization’s exposure to fraud threats such as identity theft or synthetic identity fraud), considerably more information may be required. For example, an applicant who comes from a location where money laundering regularly occurs should be put to an additional level of diligence. See more information about “risk-based” procedures below.
A financial institution must verify such information received from a customer within a reasonable amount of time after the account is opened, which for many digitally oriented organizations is hours or at most days. The financial institution must verify enough of the information provided to form a reasonable belief that it knows the identity of the customer. It’s important to note that there is no need to verify all information provided - just enough to satisfy the reasonable belief test.
The CIP must describe when the financial institution will use a documentary method (e.g., government-issued identification) or a non-documentary method (e.g., public databases, credit reports, etc.) to verify a customer’s identity. Regulators expect a financial institution to have procedures in place to address situations where, even with documentary methods, the financial institution cannot form a reasonable belief of identity. If the financial institution uses non-documentary methods, then the written procedures should address the circumstances in which it will be unable to verify the true identity of the customer through documents. A best practice CIP will contain both.
The CIP must contain procedures for addressing situations in which the financial institution cannot form a reasonable belief that it knows the identity of the customer and describe (i) the conditions under which a customer may use an account while the financial institution attempts to verify the customer’s identity; (ii) when the financial institution should close an account after identity verification attempts have failed; (iii) when the financial institution should file a suspicious activity report (“SAR”); and (iv) when the financial institution should refuse to open an account.
Finally, the CIP must contain procedures for creating and maintaining records of all information obtained and used to verify a customer’s identity. Such records must be maintained for at least five years following account closure.
The CIP identity verification procedures discussed above must be risk-based, which means that such procedures must take all relevant risks into account, including those arising from the products and services the financial institution offers, the various methods of onboarding customers, the kinds of identifying information available to the financial institution, and the financial institution’s location, size, and customer base. Ideally the identified risks will be based on a documented risk assessment. Accordingly, the risk-based verification procedures should supplement the minimum information requirements (e.g., collecting name, date of birth, address, and government identification number) to the extent appropriate.
For example, if a bank offers certain payment services to business customers (e.g., wire transfers, ACH transfers, etc.), the CIP identity verification procedures may address the risks presented by requiring the customer to provide information about its major customers and suppliers that it receives/sends payments from/to, in addition to the minimum information the bank must collect to verify the customer’s identity (i.e., name, date of birth, address, and government identification number).
As another example, if a bank permits customers to open accounts remotely (e.g., through the bank’s website), the CIP identity verification procedures may address the risks presented by requiring a customer to provide certain identifying information, such as documents evidencing its source of funds (e.g., tax returns), in addition to the minimum information the bank must collect to verify the customer’s identity (i.e., name, date of birth, address, and government identification number).
It’s not controversial to state that too many organizations apply a “check the box” approach to meeting the CIP Rules. Essentially this means that the organization will look for the most efficient way to meet the letter of the CIP Rules, without considering the underlying goals of the rules. This approach carries risk.
This approach is favored by organizations that have minimal financial exposure to the effect of crime. For example, an organization that conducts commercial payments on a good-funds basis has negligible economic exposure (from business-as-usual activities) from the services being used for criminal purposes – a money launderer’s money is as economically productive as an honest citizen’s. The same is true for other products, such as deposits, stock trading, cryptocurrency trading and online gambling. In short, the incentives to conduct procedures intended to prevent criminals from opening accounts are less strong when there is no pure economic exposure attached to the financial product. However, this approach fails to price in the risk of violating law and the reputational and direct losses arising from regulatory action, litigation, or even criminal exposure. This ‘growth at all costs’ mentality can be extremely costly in the long term and represents a high-risk strategy.
The CIP Rules provide for a degree of flexibility in responding to evolving threats without requiring regulatory change. The use of terms like “reasonable” and “risk-based” places the onus on financial institutions to regularly review the threat landscape and revise their procedures accordingly. On some occasions, risk can diminish, but in the majority of cases, financial institutions are pitted against fraudsters in an arms race.
One recent example is the use of DDA accounts for unemployment insurance fraud. Intuition may suggest that identity theft checks would not be required when opening a direct deposit account. After all, why would a fraudster put their own money in someone else’s name? However, in practice, it is apparent that opening a direct deposit account in someone’s name can be a very effective way of claiming and exfiltrating unemployment benefits in that person’s name. The scam goes like this: obtain someone’s name, address, date of birth and SSN, apply for a bank account in their name, apply for unemployment benefits in the same name, link the unemployment benefits to the bank account, and withdraw or transfer the unemployment insurance money to an untraceable vehicle. As the investigation into the theft of billions of dollars of unemployment insurance continues, many financial organizations may wish they’d instituted identity theft checks before the account was opened.
As noted in Part 1 and above, a BSA/AML compliance program (including the CIP) is overseen by financial regulators, including the financial institution’s primary federal regulator. The role of these regulators includes examinations of the regulated entity to ensure compliance with the applicable regulations. Individual examiners build familiarity with the organizations they examine and also provide an advisory role to the regulated institution, insofar as the examination process provides an insight into what the regulator is looking for. To some extent, this means that the examiners, for all intents and purposes, interpret the BSA/AML compliance requirements of the regulators.
This can lull an organization into a false sense of security, assuming that past compliance is evidence of future compliance. However, examiners can and will change their examination techniques and expectations, based on, for example, changes in industry practices and emerging risks. As a consequence, financial institutions are encouraged to regularly review and adapt their BSA/AML compliance program to respond to nascent threats and periodically updated regulatory guidance, such that they can always be said to have a reasonable belief as to the identity of each customer in their portfolio.
Compliance with the CIP Rules begins with collecting four items of information - name, date of birth, identification number and address - but the extent to which these data need to be verified depends on a range of factors, including risk, cost, and ease of implementation. As a general rule, financial institutions should be looking to implement processes and tools that eliminate the biggest risk buckets based on their organization’s particular risk profile, whether that’s identity theft, synthetic identity or some other form of fraud. Adopting a ‘head in the sand’ mentality is dangerous, as the existence of a particular type of fraud in a portfolio may be prima facie proof that the CIP Rules were not sufficiently implemented, and refuting this presumption will be difficult for known threat vectors such as synthetic identities or identity theft in DDA accounts. Our recommendations to financial institutions are (i) do more than the bare minimum, (ii) regularly conduct risk assessments and review your procedures for new fraud typologies, and (iii) work closely with your examiners.
James Cook is General Counsel of SentiLink, where he has been leading the legal function since 2019. James has served as General Counsel for hyper-growth B2B SaaS start-ups since 2008, including 5 years supporting identity verification and fraud technology providers.
Parag Patel is a Senior Associate at Orrick focused on payments, financial technology and banking issues. He assists banks, non-bank lenders, payments and technology companies and their vendors with regulatory, compliance, supervision, enforcement, anti-fraud and anti-money laundering, and transactional matters.
Orrick is a global law firm focused on serving the technology & innovation, energy & infrastructure and finance sectors. Founded more than 150 years ago in San Francisco, Orrick today has offices in 25+ markets worldwide. Financial Times selected Orrick as the Most Digital Law Firm in North America of 2020. In addition, over the past five years, FT has named Orrick the Most Innovative Law Firm in North America three times and runner-up twice, including in 2020. For the sixth year in a row, Fortune named Orrick to its 2021 list of the 100 Best Companies to Work For.