Each depositor insured to at least $250,000 per insured bank



Home > News & Events > Financial Institution Letters




Financial Institution Letters

FAQs: Final CIP Rule

The staff of the Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Financial Crimes Enforcement Network, National Credit Union Administration, Office of the Comptroller of the Currency, Office of Thrift Supervision, and the United States Department of the Treasury (“Agencies”) are issuing these frequently asked questions (“FAQs”) regarding the application of 31 C.F.R. § 103.121. This joint regulation implements section 3261 of the USA PATRIOT Act and requires banks, savings associations, credit unions and certain non-federally regulated banks (“bank”) to have a Customer Identification Program (“CIP”).

While the purpose of the FAQs document is to provide interpretive guidance with respect to the CIP rule, the Agencies recognize that this document does not answer every question that may arise in connection with the rule. The Agencies encourage banks to use the basic principles set forth in the CIP rule, as articulated in these answers, to address variations on these questions that may arise, and expect banks to design their own programs in accordance with the nature of their business.

The Agencies wish to emphasize that a bank’s CIP must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. It is critical that each bank develop procedures to account for all relevant risks including those presented by the types of accounts maintained by the bank, the various methods of opening accounts provided, the type of identifying information available, and the bank’s size, location, and type of business or customer base. Thus, specific minimum requirements in the rule, such as the four basic types of information to be obtained from each customer, should be supplemented by risk-based verification procedures, where appropriate, to ensure that the bank has a reasonable belief that it knows each customer’s identity.

The Agencies note that the CIP, while important, is only one part of a bank’s BSA/AML compliance program. Adequate implementation of a CIP, standing alone, will not be sufficient to meet a bank’s other obligations under the BSA, regulations promulgated by its primary Federal regulator, such as Suspicious Activity Reporting requirements, or regulations promulgated by the Office of Foreign Assets Control.

Finally, these FAQs have been designed to help banks comply with the requirements of the CIP rule. They do not address the applicability of any other Federal or state laws.

31 C.F.R. § 103.121(a)(1) -- Definition of “account”

  1. The CIP rule applies to a “customer,” which is generally “a person that opens a new account.” (Emphasis added.) At what point does the CIP rule apply when the account is a loan? When is the account opened?

    “Customer” does not include a person who does not receive banking services, such as a person whose loan application is denied. See 68 FR 25090, 25093 (May 9, 2003). Therefore, when the account is a loan, the account is opened when the bank enters into an enforceable agreement to provide a loan to the customer. (January 2004)

  2. Are loan participations purchased from third parties and loans purchased from a car dealer or mortgage broker within the exclusion from the definition of “account” for loans acquired through an acquisition, merger, purchase of assets, or assumption of liabilities?

    Yes, this exclusion is intended to cover loan participations purchased from third parties and loans purchased from a car dealer or mortgage broker. If, however, the bank is extending credit to the borrower using a car dealer or mortgage broker as its agent, then it must ensure that the dealer or broker is performing the bank’s CIP. (January 2004)

  3. Are data processing, data warehousing, and data transmission on behalf of a person an “account?”

    “Account” is defined to mean “a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including a deposit account, a transaction or asset account, a credit account, or other extension of credit. Account also includes a relationship established to provide a safety deposit box or other safekeeping services, or cash management, custodian and trust services.” The examples provided in 31 C.F.R. § 103.121(a)(1) of formal banking relationships included within the meaning of “account” focus on bank products and services that relate to the deposit, lending or custody of funds or other assets on behalf of a customer. Data processing, warehousing, and transmission services generally do not involve a service, dealing, or financial transaction that, taken alone, constitutes a “formal banking relationship” within the meaning of 31 C.F.R. § 103.121(a)(1). If, however, any of these services are part of the establishment of a formal banking relationship, then the CIP rule in 31 C.F.R. § 103.121 would apply. (April 2005)

31 C.F.R. § 103.121(a)(2) -- Definition of “bank”

  1. Is the CIP rule applicable to a bank’s foreign subsidiaries?

    No. The CIP rule does not apply to any part of the bank located outside of the United States. Nevertheless, as a matter of safety and soundness, banks are encouraged to implement an effective CIP throughout their operations, including in their foreign offices, except to the extent that the requirements of the rule would conflict with local law. (January 2004)

  2. Is the CIP rule applicable to bank holding companies and their non-bank subsidiaries, or to savings and loan holding companies and their non-savings association subsidiaries?

    No, the CIP rule in 31 C.F.R. § 103.121 applies only to a “bank.” A bank holding company is not subject to the rule solely because it owns a bank. However, a bank holding company may be subject to another CIP rule. For example, if the company is a broker-dealer in securities, it would be subject to 31 C.F.R. §103.122.

    Similarly, a non-bank subsidiary of a bank holding company is not subject to the CIP rule for banks solely as a result of being affiliated with a bank in a holding company structure. However, a non-bank subsidiary may be subject to one of the other CIP rules.

    Even if a bank holding company is not itself subject to the CIP rule under 31 C.F.R. § 103.121, it should, as a matter of safety and soundness, take appropriate measures throughout its organization to ensure that each entity is in compliance with any applicable CIP rule, to ensure that new accounts receive appropriate due diligence, and generally to protect the consolidated organization from risks associated with money laundering and financial crime.

    The analysis set forth above is equally applicable to savings and loan holding companies and their non-savings association subsidiaries. (April 2005)

  3. Should subsidiaries of a bank implement a customer identification program?

    Yes. The Federal banking agencies take the position that implementation of customer identification programs by subsidiaries of banks is appropriate as a matter of safety and soundness and protection from reputational risks. Subsidiaries (other than functionally regulated subsidiaries) of banks should comply with the customer identification program rule that applies to the parent bank when opening an account within the meaning of 31 C.F.R. § 103.121. In addition, a number of the Federal banking agencies have separately issued rules that require certain subsidiaries of banks to conduct their activities pursuant to the same terms and conditions that apply to the conduct of such activities by the parent bank. See, e.g., 12 C.F.R. § 5.34 (OCC); 12 C.F.R. § 559.3(h) (OTS).

    Some functionally regulated subsidiaries of banks are already subject to a customer identification program rule issued jointly by their functional regulator and FinCEN (i.e., 31 C.F.R. § 103.122 (broker-dealers); 31 C.F.R. § 103.131 (mutual funds); and 31 C.F.R. § 103.123 (futures commission merchants and introducing brokers)). For purposes of the requirements imposed under section 326 of the USA PATRIOT Act, functionally regulated subsidiaries are: broker-dealers, investment companies, investment advisers registered with the SEC, persons licensed to provide insurance, and any entity with respect to a financial activity that is subject to the jurisdiction of the CFTC (such as futures commission merchants, introducing brokers, commodity trading advisors, commodity pools, and commodity pool operators). See 31 U.S.C. § 5318(l)(4); 15 U.S.C. §§ 6805, 6809. Subsidiaries of banks that are functionally regulated by the SEC or the CFTC are required to comply with the applicable CIP rules issued by the SEC or CFTC, respectively, and FinCEN.

    The Federal banking agencies, SEC, CFTC, Department of the Treasury, and FinCEN have worked together to create uniform rules that minimize potential conflicts or differences between the agencies’ rules. In addition, Treasury and FinCEN intend to issue customer identification program rules applicable to other types of financial institutions in the future. (April 2005)

31 C.F.R. § 103.121(a)(3) -- Definition of “customer”

  1. Who is the “customer” when an account is opened by an individual who has power-of- attorney for a competent person who is the named owner of the account?

    The CIP rule provides that a “customer” generally is “a person that opens a new account.” 31 C.F.R. § 103.121(a)(3)(i)(A). When an account is opened by an individual who has power-of-attorney for a competent person, the individual with a power-of-attorney is merely an agent acting on behalf of the person that opens the account. Therefore, the “customer” will be the named owner of the account rather than the individual with a power-of-attorney over the account. By contrast, an individual with power-of-attorney will be the “customer” if the account is opened for a person who lacks legal capacity. 31 C.F.R. § 103.121(a)(3)(i)(B)(1). (January 2004)

  2. Is a person who becomes co-owner of an existing deposit account a “customer” to whom the CIP rule applies?

    Yes, a person who becomes the co-owner of an existing deposit account is a “customer” subject to the CIP rule because that person is establishing a new account relationship with the bank. (January 2004)

  3. Is a new borrower who is substituted for an existing borrower through an assumption of a loan a “customer” to whom the CIP rule applies?

    Yes, a new borrower who is substituted for an existing borrower through an assumption of a loan is a “customer” because the new borrower is establishing a new account relationship with the bank. (January 2004)

  4. The CIP rule requires a bank to verify the identity of each “customer.” Under the CIP rule, a “customer” generally is defined as “a person that opens a new account.” If a pension plan administrator chooses to remove a former employee from the plan pursuant to section 657(c) of the Economic Growth and Tax Relief Reconciliation Act of 2001 (EGTRRA), it is required by law to transfer these funds to a financial institution. In addition, an administrator of a terminated plan may remove former employees that it is unable to locate, by transferring their benefits to a financial institution. Would a plan administrator or the former employee be a bank “customer” where funds are transferred to a bank and an account established in the name of the former employee, in either of these situations?

    In either situation, the administrator has no ownership interest in or other right to the funds, and therefore, is not the bank’s “customer.” Nor would we view the administrator as acting as the customer’s agent when the administrator transfers the funds of former employees in these situations. A customer relationship arises and the requirements of the rule are implicated when the former employee “opens” an account. While the former employee has a legally enforceable right to the funds that are transferred to the bank, the employee has not exercised that right until he or she contacts the bank to assert an ownership interest. Thus, in light of the requirements imposed on the plan administrator under EGTRRA, as well as the requirements in connection with plan terminations, the former employee will not be deemed to have “opened a new account” for purposes of the CIP rule until he or she contacts the bank to assert an ownership interest over the funds, at which time a bank will be required to implement its CIP with respect to the former employee.

    This interpretation applies only to (1) transfers of funds as required under section 657(c) of EGTRRA, and (2) transfers to banks by administrators of terminated plans in the name of participants that they have been unable to locate, or who have been notified of termination but have not responded, and should not be construed to apply to any other transfer of funds that may constitute opening an account. (January 2004)

  5. A bank is an agent for a (bank) credit card issuer. The cards are co-branded, the two banks share in the revenue from the cards issued. However, the issuer approves the credit card applications and handles collections. Is a person who obtains a credit card a customer of the agent bank or the card issuer?

    A person who receives a credit card is receiving an extension of credit from, and therefore is establishing an account with, the issuing bank. The agent bank is compensated by the issuing bank and not by the customer. For these reasons, the issuing bank is responsible for ensuring that its CIP applies to the customer. However, the agent bank may perform parts of the CIP on behalf of the issuing bank. As with any other responsibility performed by an agent, the issuing bank ultimately is responsible for the agent’s compliance with the requirements of the CIP rule. See 68 FR 25090, 25104 (May 9, 2003). Alternatively, the issuing bank may rely upon the agent bank to perform elements of its CIP, provided that the issuing bank is able to satisfy the requirements of the reliance provision, 31 C.F.R. § 103.121(b)(6), including the requirement that the person be a customer of both the issuing and agent bank. (January 2004)

  6. Does the CIP rule prohibit a minor from opening an account?

    No, the CIP rule does not bar a minor from opening an account. It merely states that the bank’s “customer” is the individual who opens the account for an individual who lacks legal capacity, such as a minor. In other words, if a parent opens an account for a minor, the bank’s customer is the parent. If, however, a minor opens the account, then the minor is the bank’s customer. For example, where a bank sends its employees to elementary schools so that students may open savings accounts as part of a program to promote financial literacy, a student opening an account is the bank’s customer. In this situation, as for all customers, the bank should get the name, address, date of birth, and taxpayer identification number of the student. Since verification procedures are risk-based, banks can use any reasonable documentary or non-documentary method to verify a student’s identity. In this case, the bank might verify a student’s identity using a student identification card or by having the student’s teacher confirm the student’s identity. (April 2005)

  7. The definition of “account” excludes accounts opened for the purpose of participating in an employee benefit plan established under the Employee Retirement Income Security Act of 1974 (ERISA). In the case of a trust, custodial, or other administrative account established by an employer at a bank to maintain and administer assets under a non-ERISA employee retirement, benefit, or deferred compensation plan, who is the bank's "customer?" Is a participant in or beneficiary of such an account the “customer?”

    In the case of these accounts (including, for example, accounts established by governmental entities to administer retirement or benefit plans or by employers to administer stock option or restricted stock plans) that are established as trusts, the bank’s “customer” will be the trust established by the employer to maintain the assets. If the account is not a trust, the bank’s “customer” will be the employer that contracts with the bank to establish the account.* Based on the bank's risk assessment of any new account opened by a customer that is not an individual, the bank may need "to obtain information about" individuals with authority or control over such an account, including signatories, in order to verify the customer's identity. See 31 C.F.R. § 103.121(b)(2)(ii)(C).

    For purposes of the CIP rule, a participant in or beneficiary of such an account will not be deemed to be the bank’s “customer,” as such a person will not have initiated the relationship with the bank. The account will not be considered opened by the employee even if a subaccount is maintained in the employee’s name, or the employee is able to make deposits into the account, so long as such ability to make deposits is limited to rolling over assets from another plan, purchasing securities or exercising options to purchase securities issued by the employer, or repaying a loan, in accordance with the terms of the plan. By contrast, where an individual opens an individual retirement account in a bank, the individual who opens the account is the bank's "customer." (April 2005)

    * Note, however, that the CIP rule will not apply if the employer is exempt from the definition of “customer” under 31 C.F.R. § 103.121(a)(3)(ii).

  8. Does the definition of "customer" include the relationship with an investor that is established when a bank acts as a registered transfer agent for an issuer, for example, when it effects transactions for the investor in the securities of an issuer as part of the issuer's dividend reinvestment plan or as part of the plan or program for the purchase or sale of that issuer's shares in a manner that does not cause the bank to be a broker under the Securities Exchange Act of 1934?

    No. A bank that is a registered transfer agent is acting as agent of the issuer of securities. The relationship with the investor does not constitute a “formal banking relationship established to engage in services, dealings, or other financial transactions” with the investor in these situations. Thus, the bank’s relationship with the investor does not constitute a “customer” relationship. With respect to a bank acting as a transfer agent for its own securities, such bank is dealing with shareholders as shareholders and not as customers. (April 2005)

  9. Who is the “customer” for purposes of trust accounts? Does it make a difference whether the bank or a third party is trustee for the trust?

    In the case of a trust account, the “customer” is the trust whether or not the bank is the trustee for the trust. “A bank will not be required to look through trust, escrow, or similar accounts to verify the identities of beneficiaries and instead will only be required to verify the identity of the named accountholder.” See 68 FR 25090, 25094 (May 9, 2003). However, the CIP rule also provides that, based on the bank’s risk assessment of a new account opened by a customer that is not an individual, the bank may need “to obtain information about” individuals with authority or control over such an account, including signatories, in order to verify the customer’s identity. See 31 C.F.R. § 103.121(b)(2)(ii)(C). For example, in certain circumstances involving revocable trusts, the bank may need to gather information about the settlor, grantor, trustee, or other persons with the authority to direct the trustee, and who thus have authority or control over the account, in order to establish the true identity of the customer. (April 2005)

  10. Who is the “customer” for purposes of escrow accounts?

    An escrow account is an account generally established for the deposit of funds that are to be paid to a specified party on the fulfillment of escrow conditions or returned. If a bank establishes an account in the name of a third party, such as a real estate agent, who is acting as escrow agent, then the bank’s customer will be the escrow agent. If the bank is the escrow agent, then the person who establishes the account is the bank’s “customer.” For example, if the purchaser of real estate directly opens an escrow account and deposits funds to be paid to the seller upon satisfaction of specified conditions, the bank’s customer will be the purchaser. Further, if a company in formation establishes an escrow account for investors to deposit their subscriptions pending receipt of a required minimum amount, the bank’s customer will be the company in formation (or if not yet a legal entity, the person opening the account on its behalf). “A bank will not be required to look through trust, escrow, or similar accounts to verify the identities of beneficiaries and instead will only be required to verify the identity of the named accountholder.” See 68 FR 25090, 25094 (May 9, 2003). However, the CIP rule also provides that, based on the bank’s risk assessment of a new account opened by a customer that is not an individual, the bank may need “to obtain information about” individuals with authority or control over such an account, including signatories, in order to verify the customer’s identity. See 31 C.F.R. § 103.121(b)(2)(ii)(C). (April 2005)

31 C.F.R. § 103.121(a)(3)(ii)(C) – Person with an existing account

  1. A loan and a time deposit are each an “account” for purposes of the CIP rule. How do the requirements of the CIP rule apply to a loan that is renewed, or a certificate of deposit that is rolled over?

    The CIP rule applies to a “customer,” generally, “a person that opens a new account.” 31 C.F.R. § 103.121(a)(3)(i). (Emphasis added.) “Account” means a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including a deposit account, a transaction or asset account, a credit account, or other extension of credit. 31 C.F.R. § 103.121(a)(1)(i). For purposes of the CIP rule, each time a loan is renewed or a certificate of deposit is rolled over, the bank establishes another formal banking relationship and a new account is established. However, the rule provides that the term “customer” does not include a person that has an existing account with the bank, provided that the bank has a reasonable belief that it knows the true identity of the person. 31 C.F.R. § 103.121(a)(3)(ii)(C). In each of these cases, the customer has an existing account. Therefore, as long as the bank has a reasonable belief that it knows the person’s true identity, the bank need not perform its CIP when a loan is renewed or certificate of deposit is rolled over. However, if a new customer is added to the loan or deposit account, the bank would need to satisfy the CIP rule with respect to that new account relationship. (January 2004)

  2. Does the exclusion from the definition of “customer” in 31 C.F.R. § 103.121(a)(3)(ii)(C) for a person with an existing account extend to a person who has had an account with the bank in the last twelve months but who no longer has an account?

    No, this provision only excludes from the definition of “customer” a person that at the time a new account is opened currently “has an existing account with the bank,” and only if the bank has a reasonable belief that it knows the true identity of the person. Therefore, for example, when a person has a deposit account and subsequently obtains a loan, the person has an existing account with the bank. Conversely, a person would not be deemed to have an existing account at the bank if the person had a loan, paid it off, and twelve months later obtains a new loan. (January 2004)

  3. How can a bank demonstrate that it has “a reasonable belief that it knows the true identity of a person with an existing account” with respect to persons that had accounts with the bank as of October 1, 2003?

    Among the ways a bank can demonstrate that it has “a reasonable belief” is by showing that prior to the issuance of the final CIP rule, it had comparable procedures in place to verify the identity of persons that had accounts with the bank as of October 1, 2003, though the bank may not have gathered the very same information about such persons as required by the final CIP rule. Alternative means include showing that the bank has had an active and longstanding relationship with a particular person, evidenced by such things as a history of account statements sent to the person, information sent to the IRS about the person’s accounts without issue, loans made and repaid, or other services performed for the person over a period of time. This alternative, however, may not suffice for persons that the bank has deemed to be high risk. (January 2004)

  4. Can a bank exclude from the definition of “customer” a person that has an existing account with its affiliate?

    No, a person that has an existing account with a bank affiliate does not qualify as “a person who has an existing account with the bank” within the meaning of 31 C.F.R. § 103.121(a)(3)(ii)(C). However, the bank may be able to rely on its affiliate to perform elements of its CIP, as provided in 31 C.F.R. § 103.121(b)(6). (January 2004)

31 C.F.R. § 103.121(b)(2)(i) -- Information required
  1. What address should be obtained for customers who live in rural areas who do not have a residential or business address or the residential or business address of next of kin or another contact individual? For example, is a rural route number acceptable?

    Yes, the number on the roadside mailbox on a rural route is acceptable as an address. A rural route number, unlike a post office box number, is a description of the approximate area where the customer can be located. In the absence of such a number, and in the absence of a residential or business address for next of kin or another contact individual, a description of the customer’s physical location will suffice. (January 2004)

  2. Can a bank open an account for a U.S. person that does not have a taxpayer identification number?

    No, the bank cannot unless the customer has applied for a taxpayer identification number, the bank confirms that the application was filed before the customer opened the account, and the bank obtains the taxpayer identification number within a reasonable period of time after the account is opened. Note, however, that a bank does not need to obtain a taxpayer identification number when opening a new account for a customer that has an existing account, as long as the bank has a reasonable belief that it knows the true identity of the customer. A bank may also open an account for a person who lacks legal capacity with the identifying information, including taxpayer identification number, of an individual who opens an account for that person. (January 2004)

  3. The CIP rule requires a bank to obtain a taxpayer identification number from the customer prior to opening an account from a customer that is a U.S. person. When the bank’s customer is a trust, what taxpayer identification number should the bank obtain?

    The taxpayer identification number for a trust is the trust’s employer identification number (EIN). If the trust is not required to have an EIN under the tax laws, then the bank may obtain the grantor’s taxpayer identification number, consistent with section 6109 of the Internal Revenue Code and the regulations thereunder. (April 2005)

31 C.F.R. § 103.121(b)(2)(ii) -- Customer verification

  1. Must a bank verify the accuracy of all of the identifying information it collects in connection with 31 C.F.R. § 103.121(b)(2)(i)?

    The final rule provides that a bank’s CIP must contain procedures for verifying the identity of the customer, “using the information obtained in accordance with paragraph (b)(2)(i),” namely the identifying information obtained by the bank. 31 C.F.R. § 103.121(b)(2)(ii). A bank need not establish the accuracy of every element of identifying information obtained but must do so for enough information to form a reasonable belief it knows the true identity of the customer. See 68 FR 25090, 25099 (May 9, 2003). (January 2004)

  2. Can a bank use an employee identification card as the sole means to verify a customer’s identity?

    A bank using documentary methods to verify a customer’s identity must have procedures that set forth the documents that the bank will use. The CIP rule gives examples of types of documents that have long been considered primary sources of identification and reflects the Agencies’ expectation that banks will obtain government-issued identification from most customers. However, other forms of identification may be used if they enable the bank to form a reasonable belief that it knows the true identity of the customer. Nonetheless, given the availability of counterfeit and fraudulently obtained documents, a bank is encouraged to obtain more than a single document to ensure that it has a reasonable belief that it knows the customer’s true identity. (January 2004)

  3. Can a bank use an electronic credential, such as a digital certificate, as a non-documentary means to verify the identity of a customer that opens an account over the Internet or through some other purely electronic channel?

    A bank may obtain an electronic credential, such as a digital certificate, as one of the methods it uses to verify a customer’s identity. However, the CIP rule requires the bank to have a reasonable belief that it knows the true identity of the customer. Therefore, for example, the bank is responsible for ensuring that the third party uses the same level of authentication as the bank itself would use. See also FFIEC guidance titled “Authentication in an Electronic Banking Environment” (July 30, 2001). (January 2004)

  4. How should a bank verify the identity of a partnership that opens a new account when there are no documents or non-documentary methods that will establish the identity of the partnership?

    A bank opening an account for such a partnership must undertake additional verification by obtaining information about the identity of any individual with authority or control over the partnership account, in order to verify the partnership’s identity, as described in 31 C.F.R. § 103.121(b)(2)(ii)(C). (January 2004)

  5. How should a bank verify the identity of a sole proprietorship that opens a new account, (such as an account titled in the name of an individual “doing business as” a sole proprietorship) when there are no documents or non-documentary methods that will establish the identity of the sole proprietorship?

    In some states, sole proprietorships are required to file “fictitious” or “assumed name certificates.” Banks may choose to use these certificates as a means to verify the identity of a sole proprietorship, if appropriate. However, when there are no documents or non-documentary methods that will establish the identity of the sole proprietorship, the bank must undertake additional verification by obtaining information about the sole proprietor or any other individual with authority or control over the sole proprietorship account -- such as the name, address, date of birth, and taxpayer identification number of the sole proprietor, or any other individual with authority or control over the account -- in order to verify the sole proprietorship’s identity, as described in 31 C.F.R. § 103.121(b)(2)(ii)(C). (January 2004)

31 C.F.R. § 103.121(b)(3)(i) – Required records

  1. Would it be acceptable to retain a description of the non-documentary customer verification method used (such as a consumer credit report or an inquiry to a fraud detection system) in a general policy or procedure instead of recording the fact that a particular method was used on each individual customer's record?

    Yes, provided that the record cross-references the specific provision(s) of the risk-based procedures contained in the bank’s CIP used to verify the customer’s identity. (January 2004)

  2. Can a bank keep copies of documents provided to verify a customer’s identity, in addition to the description required under 31 C.F.R. § 103.121(b)(3)(i)(B), even if it is not required to do so?

    Yes, a bank may keep copies of identifying documents that it uses to verify a customer’s identity. A bank’s verification procedures should be risk-based and, in certain situations, keeping copies of identifying documents may be warranted. In addition, a bank may have procedures to keep copies of documents for other purposes, for example, to facilitate investigating potential fraud. (These documents should be retained in accordance with the general recordkeeping requirements in 31 C.F.R. § 103.38.) Nonetheless, a bank should be mindful that it must not improperly use any document containing a picture of an individual, such as a driver’s license, in connection with any aspect of a credit transaction. (January 2004)

31 C.F.R. § 103.121(b)(3)(ii) – Retention of records

  1. Does the original information obtained during account opening have to be retained or can the bank satisfy the recordkeeping requirement by just keeping updated information about the customer, i.e., the customer’s current address?

    The CIP rule requires that a bank retain the identifying information obtained about the customer at the time of account opening for five years after the date the account is closed or, in the case of credit card accounts, five years after the account is closed or becomes dormant. 31 C.F.R. § 103.121(b)(3)(ii). Updated information serves valuable, but different, purposes. (January 2004)

  2. If the bank requires a customer to provide more identifying information than the minimum during the account opening process, does it have to keep this information for more than five years?

    The bank must keep for five years after the account is closed, or in the case of credit card accounts, five years after the account is closed or becomes dormant, all identifying information it gathers about the customer to satisfy the requirements of § 103.121(b)(2)(i) of the CIP rule. 31 C.F.R. § 103.121(b)(3)(ii). This would include any identifying information, the bank will use, at the time the account is opened, to establish a reasonable belief it knows the true identity of the customer. So, for example, if the bank obtains other identifying information at account opening in addition to the minimal information required, such as the customer's phone number, then the bank must keep that information. (January 2004)

  3. How does the record retention period apply to a customer who simultaneously opens multiple accounts in the bank?

    If several accounts are opened for a customer simultaneously, all identifying information about a customer obtained under 31 C.F.R. § 103.121(b)(2)(i) must be retained for five years after the last account is closed or, in the case of credit card accounts, five years after the last account is closed or becomes dormant. All remaining records must be kept for five years after the records are made. (January 2004)

  4. How does the record retention period apply to a situation where a bank sells a loan but retains the servicing rights to the loan?

    When a bank sells a loan, the account is “closed” under the record retention provision (31 C.F.R. § 103.121(b)(3)(ii)), regardless of whether the bank retains the servicing rights to the loan. Thus, a bank should keep the records of identifying information about a customer for five years after the date that the loan is sold, as required by 31 C.F.R. § 103.121(b)(3)(i)(A). Any other record required by 31 C.F.R. § 103.121(b)(3)(i) must be kept for five years after the record is made. (April 2005)

31 C.F.R. § 103.121(b)(4) -- Section 326 List

  1. Has a list of known or suspected terrorists or terrorist organizations been designated for purposes of the CIP rule?

    No such list has been designated to date. Banks will be contacted by their functional regulators when a list is issued. As of the time of publication, lists published by OFAC have not been designated as lists for purposes of the CIP rule. Of course, banks are separately obligated to check these lists in accordance with OFAC’s regulations. (January 2004)

31 C.F.R. § 103.121(b)(5) -- Customer notice

  1. Does a bank have to provide notice to all owners of a joint account?

    Yes, notice must be provided to all owners of a joint account. In addition, notice must be provided “in a manner reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account.” 31 C.F.R. § 103.121(b)(5)(ii). The Agencies agree that a bank may satisfy this requirement by directly providing the notice to any one accountholder of a joint account for delivery to the other owners of the account. Similarly, the bank may open a joint account using information about each of the accountholders obtained from one accountholder, acting on behalf of the other joint accountholders. (January 2004)

  2. How should a bank provide notice to its customer when it engages in indirect lending through a third party such as a mortgage broker or car dealer?

    When a mortgage broker or car dealer is acting as the bank's agent in connection with a loan, the bank may delegate to its agent the obligation to perform the requirements of the bank’s CIP rule. In contrast to the reliance provision in the CIP rule, the bank is ultimately responsible for its agent’s compliance with the rule. Depending upon the manner in which the account is opened, the agent can provide notice to the bank’s customer, for example, by posting a sign, printing the notice on the loan application given to the customer, orally providing the notice, or by providing the notice in any manner that is reasonably designed to ensure that the customer is given notice before opening an account. (January 2004)

31 C.F.R. § 103.121(b)(6) -- Reliance

  1. Where a bank is entitled to “rely” on another financial institution to perform its CIP, whose CIP must the relied-upon financial institution implement?

    The reliance provision does not impose on the other financial institution the obligation to duplicate the procedures in the bank’s CIP. The reliance provision permits a bank to rely on another financial institution to perform any of the procedures of the bank’s CIP, meaning, any of the elements that the CIP rule requires to be in a bank’s CIP: (1) identity verification procedures, which include collecting the required information from customers and using some or all of that information to verify the customers’ identities; (2) keeping records related to the CIP; (3) determining whether a customer appears on a designated list of known or suspected terrorists or terrorist organizations; and (4) providing customers with adequate notice that information is being requested to verify their identities.

    Note that a bank can only use the reliance provision when the other financial institution is regulated by a Federal functional regulator and is subject to a general BSA compliance program rule, they share the customer, the bank can show its reliance upon the other financial institution’s performance of an element of the bank’s CIP was reasonable under the circumstances, and the requisite contract is signed and certifications provided. (January 2004)

  2. When a longstanding customer of another financial institution (including an affiliate) opens a new account at the bank, can a bank rely on the other financial institution’s verification of the identity of the customer performed before a CIP procedure was required?

    A bank that is subject to the CIP rule may rely on another financial institution’s verification of the identity of the customer if the requirements of the reliance provision are satisfied. The bank would have to be able to demonstrate that such reliance upon the other financial institution’s verification of the identity of the customer is reasonable under the circumstances. For example, the bank could do so by reviewing the relied-upon institution’s procedures to ensure that they were adequate although the institution was not yet subject to a CIP rule when it verified the customer’s identity.

    In addition, even when a bank is relying on the verification of identity performed by another institution, the bank would continue to be responsible for complying with all remaining requirements of the CIP rule, namely, the requirement that it keep records, provide customer notice, and as soon as a section 326 list has been designated, check the list when a new account is opened. (January 2004)


1 Section 326 of the Act adds a new subsection (l) to 31 U.S.C. § 5318 of the Bank Secrecy Act (“BSA”).


Last Updated 04/28/2005 communications@fdic.gov