FDIC Home - Federal Deposit Insurance Corporation
FDIC Home - Federal Deposit Insurance Corporation

 
Skip Site Summary Navigation   Home     Deposit Insurance     Consumer Protection     Industry Analysis     Regulations & Examinations     Asset Sales     News & Events     About FDIC  


Home > Regulation & Examinations > Bank Examinations > Risk Management Manual of Examination Policies



Risk Management Manual of Examination Policies

Section TOC | Manual Home | Manual Index

Section 8.1 - Bank Secrecy Act, Anti-Money Laundering and Office of Foreign Assets Control

Introduction to the Bank Secrecy Act
The Financial Recordkeeping and Reporting of Currency and Foreign Transactions Act of 1970 (31 U.S.C. 5311 et seq.) is referred to as the Bank Secrecy Act (BSA). The purpose of the BSA is to require United States (U.S.) financial institutions to maintain appropriate records and file certain reports involving currency transactions and a financial institution's customer relationships. Currency Transaction Reports (CTRs) and Suspicious Activity Reports (SARs) are the primary means used by banks to satisfy the requirements of the BSA. The recordkeeping regulations also include the requirement that a financial institution's records be sufficient to enable transactions and activity in customer accounts to be reconstructed if necessary. In doing so, a paper and audit trail is maintained. These records and reports have a high degree of usefulness in criminal, tax, or regulatory investigations or proceedings.

The BSA consists of two parts: Title I Financial Recordkeeping and Title II Reports of Currency and Foreign Transactions. Title I authorizes the Secretary of the Department of the Treasury (Treasury) to issue regulations, which require insured financial institutions to maintain certain records. Title II directed the Treasury to prescribe regulations governing the reporting of certain transactions by and through financial institutions in excess of $10,000 into, out of, and within the U.S. The Treasury's implementing regulations under the BSA, issued within the provisions of 31 CFR Part 103, are included in the FDIC's Rules and Regulations and on the FDIC website.

The implementing regulations under the BSA were originally intended to aid investigations into an array of criminal activities, from income tax evasion to money laundering. In recent years, the reports and records prescribed by the BSA have also been utilized as tools for investigating individuals suspected of engaging in illegal drug and terrorist financing activities. Law enforcement agencies have found CTRs to be extremely valuable in tracking the huge amounts of cash generated by individuals and entities for illicit purposes. SARs, used by financial institutions to report identified or suspected illicit or unusual activities, are likewise extremely valuable to law enforcement agencies.

Several acts and regulations expanding and strengthening the scope and enforcement of the BSA, anti-money laundering (AML) measures, and counter-terrorist financing measures have been signed into law and issued, respectively, over the past several decades. Several of these acts include:
  • Money Laundering Control Act of 1986,
  • Annuzio-Wylie Anti-Money Laundering Act of 1992,
  • Money Laundering Suppression Act of 1994, and
  • Money Laundering and Financial Crimes Strategy Act of 1998.
Most recently, the Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act (more commonly known as the USA PATRIOT Act) was swiftly enacted by Congress in October 2001, primarily in response to the September 11, 2001 terrorist attacks on the U.S. The USA PATRIOT Act established a host of new measures to prevent, detect, and prosecute those involved in money laundering and terrorist financing.

Financial Crimes Enforcement Network Reports and Recordkeeping Requirements
    Currency Transaction Reports and Exemptions
    U.S. financial institutions must file a CTR, Financial Crimes Enforcement Network (FinCEN) Form 104 (formerly known as Internal Revenue Service [IRS] Form 4789), for each currency transaction over $10,000. A currency transaction is any transaction involving the physical transfer of currency from one person to another and covers deposits, withdrawals, exchanges, or transfers of currency or other payments. Currency is defined as currency and coin of the U.S. or any other country as long as it is customarily accepted as money in the country of issue.

    Multiple currency transactions shall be treated as a single transaction if the financial institution has knowledge that the transactions are by, or on behalf of, any person and result in either cash in or cash out totaling more than $10,000 during any one business day. Transactions at all branches of a financial institution should be aggregated when determining reportable multiple transactions.

      CTR Filing Requirements

      Customer and Transaction Information
      All CTRs required by 31 CFR 103.22 of the Financial Recordkeeping and Reporting of Currency and Foreign Transactions regulations must be filed with the IRS. Financial institutions are required to provide all requested information on the CTR, including the following for the person conducting the transaction:

      • Name,
      • Street address (a post office box number is not acceptable),
      • Social security number (SSN) or taxpayer identification number (TIN) (for non-U.S. residents), and
      • Date of birth.

      The documentation used to verify the identity of the individual conducting the transaction should be specified. Signature cards may be relied upon; however, the specific documentation used to establish the person's identity should be noted. A mere notation that the customer is "known to the financial institution" is insufficient. Additional requested information includes the following:

      • Account number,
      • Social security number or taxpayer identification number of the person or entity for whose account the transaction is being conducted (should reflect all account holders for joint accounts), and
      • Amount and kind of transaction (transactions involving foreign currency should identify the country of origin and report the U.S. dollar equivalent of the foreign currency on the day of the transaction).

      The financial institution must provide a contact person, and the CTR must be signed by the preparer and an approving official. Financial institutions can also file amendments on previously filed CTRs by using a new CTR form and checking the box that indicates an amendment.

      CTR Filing Deadlines
      CTRs filed with the IRS are maintained in the FinCEN database, which is made available to Federal Banking Agencies1 and law enforcement. Paper forms are to be filed within 15 days following the date of the reportable transaction. If CTRs are filed using magnetic media, pursuant to an agreement between a financial institution and the IRS, a financial institution must file a CTR within 25 calendar days of the date of the reportable transaction. A third option is to file CTRs using the Patriot Act Communication System (PACS), which also allows up to 25 calendar days to file the CTR following the reportable transaction. PACS was launched in October 2002 and permits secure filing of CTRs over the Internet using encryption technology. Financial institutions can access PACS after applying for and receiving a digital certificate.

      Examiners reviewing filed CTRs should inquire with financial institution management regarding the manner in which CTRs are filed before evaluating the timeliness of such filings. If for any reason a financial institution should withdraw from the magnetic tape program or the PACS program, or for any other reason file paper CTRs, those CTRs must be filed within the standard 15 day period following the reportable transaction.

      Exemptions from CTR Filing Requirements
      Certain "persons" who routinely use currency may be eligible for exemption from CTR filings. Exemptions were implemented to reduce the reporting burden and permit more efficient use of the filed records. Financial institutions are not required to exempt customers, but are encouraged to do so. There are two types of exemptions, referred to as "Phase I" and "Phase II" exemptions.
      "Phase I" exemptions may be granted for the following "exempt persons":

      • A bank2, to the extent of its domestic operations;
      • A Federal, State, or local government agency or department;
      • Any entity exercising governmental authority within the U.S. (U.S. includes District of Columbia, Territories, and Indian tribal lands);
      • Any listed entity other than a bank whose common stock or analogous equity interests are listed on the New York, American, or NASDAQ stock exchanges (with some exceptions);
      • Any U.S. domestic subsidiary (other than a bank) of any "listed entity" that is organized under U.S. law and at least 51 percent of the subsidiary's common stock is owned by the listed entity.

      "Phase II" exemptions may be granted for the following:

      • A "non-listed business," which includes commercial enterprises that do not have more than 50% of the business gross revenues derived from certain ineligible businesses. Gross revenue has been interpreted to reflect what a business actually earns from an activity conducted by the business, rather than the sales volume of such activity. "Non-listed businesses" must also be incorporated or organized under U.S. laws and be eligible to do business in the U.S. and may only be exempted to the extent of its domestic operations.
      • A "payroll customer," which includes any other person not covered under the "exempt person" definition that operates a firm that regularly withdraws more than $10,000 in order to pay its U.S. employees in currency. "Payroll customers" must also be incorporated and eligible to do business in the U.S. "Payroll customers" may only be exempted on their withdrawals for payroll purposes from existing transaction accounts.

      Commercial transaction accounts of sole proprietorships can qualify for "non-listed business" or "payroll customer" exemption.

      Exemption of Franchisees
      Franchisees of listed corporations (or of their subsidiaries) are not included within the definition of an "exempt person" under "Phase I" unless such franchisees are independently exempt as listed corporations or listed corporation subsidiaries. For example, a local corporation that holds an ABC Corporation franchise is not a "Phase I" "exempt person" simply because ABC Corporation is a listed corporation; however, it is possible that the local corporation may qualify for "Phase II" exemption as a "non-listed business," assuming it meets all other exemption qualification requirements. An ABC Corporation outlet owned by ABC Corporation directly, on the other hand, would be a "Phase I" "exempt person" because ABC Corporation's common stock is listed on the New York Stock Exchange.

      Ineligible Businesses
      There are several higher-risk businesses that may not be exempted from CTR filings. The nature of these businesses increases the likelihood that they can be used to facilitate money laundering and other illicit activities. Ineligible businesses include:

      • Non-bank financial institutions or agents thereof (this definition includes telegraph companies, and money services businesses [currency exchange, check casher, or issuer of monetary instruments in an amount greater than $1,000 to any person in one day]);
      • Purchasers or sellers of motor vehicles, vessels, aircraft, farm equipment, or mobile homes;
      • Those engaged in the practice of law, medicine, or accountancy;
      • Investment advisors or investment bankers;
      • Real estate brokerage, closing, or title insurance firms;
      • Pawn brokers;
      • Businesses that charter ships, aircraft, or buses;
      • Auction services;
      • Entities involved in gaming of any kind (excluding licensed para mutual betting at race tracks);
      • Trade union activities; and
      • Any other activities as specified by FinCEN.

      Additional Qualification Criteria for Phase II Exemptions
      Both "non-listed businesses" and "payroll customers" must meet the following additional criteria to be eligible for "Phase II" exemption:

      • The entity has maintained a transaction account with the financial institution for at least twelve consecutive months;
      • The entity engages in frequent currency transactions that exceed $10,000 (or in the case of a "payroll customer," regularly makes withdrawals of over $10,000 to pay U.S. employees in currency); and
      • The entity is incorporated or organized under the laws of the U.S. or a state, or registered as, and eligible to do business in the U.S. or state.

      The financial institution may treat all of the customer's transaction accounts at that financial institution as a single account to qualify for exemption. There may be exceptions to this rule if certain accounts are exclusively used for non-exempt portions of the business. (For example, a small grocery with wire transfer services has a separate account just for its wire business).

      Accounts of multiple businesses owned by the same individual(s) are generally not eligible to be treated as a single account. However, it may be necessary to treat such accounts as a single account if the financial institution has evidence that the corporate veil has been pierced. Such evidence may include, but is not limited to:

      • Businesses are operated out of the same location and/or utilize the same phone number;
      • Businesses are operated by the same daily management and/or board of directors;
      • Cash deposits or other banking transactions are completed by the same individual at the same time for the different businesses;
      • Funds are frequently intermingled between accounts or there are unexplained transfers from one account to the other; or
      • Business activities of the entities cannot be differentiated.

      More than one of these factors must typically be present in order to provide sufficient evidence that the corporate veil has been pierced.

      Transactions conducted by an "exempt person" as agent or on behalf of another person are not eligible to be exempted based on being transacted by an "exempt person."

      Exemption Qualification Documentation Requirements
      Decisions to exempt any entity should be based on the financial institution taking reasonable and prudent steps to document the identification of the entity. The specific methodology for performing this assessment is largely at the financial institution's discretion; however, results of the review must be documented. For example, it is acceptable to document that a stock is listed on a stock market by relying on a listing of exchange stock published in a newspaper or by using publicly available information through the Securities and Exchange Commission (SEC). To document the subsidiary of a listed entity, a financial institution may rely on authenticated corporate officer's certificates or annual reports filed with the SEC. Annually, management should also ensure that "Phase I" exempt persons remain eligible for exemption (for example, entities remain listed on National exchanges.)

      For "non-listed businesses" and "payroll customers," the financial institution will need to document that the entity meets the qualifying criteria both at the time of the initial exemption and annually thereafter. To perform the annual reviews, the financial institution can verify and update the information that it has in its files to document continued eligibility for exemption. The financial institution must also indicate that it has a system for monitoring the transactions in the account for suspicious activity as it continues to be obligated to file Suspicious Activity Reports on activities of "exempt persons," when appropriate. SARs are discussed in detail within the "Suspicious Activity Reporting" section of this chapter.

      Designation of Exempt Person Filings and Renewals
      Both "Phase I" and "Phase II" exemptions are filed with FinCEN using Form TD F 90-22.53 - Designation of Exempt Person. This form is available on the Internet at FinCEN's website. The designation must be made separately by each financial institution that treats the person in question as an exempt customer. This designation requirement applies whether or not the designee has previously been treated as exempt from the CTR reporting requirements within 31 CFR 103. Again, the exemption applies only to transactions involving the "exempt person's" own funds. A transaction carried out by an "exempt person" as an agent for another person, who is the beneficial owner of the funds involved in a transaction in currency can not be exempted.

      Exemption forms for "Phase I" persons need to be filed only once. A financial institution that wants to exempt another financial institution from which it buys or sells currency must be designated exempt by the close of the 30 day period beginning after the day of the first reportable transaction in currency with the other financial institution. Federal Reserve Banks are excluded from this requirement.

      Exemption forms for "Phase II" persons need to be renewed and filed every two years, assuming that the "exempt person" continues to meet all exemption criteria, as verified and documented in the required annual review process discussed above. The filing must be made by March 15th of the second calendar year following the year in which the initial exemption was granted, and by every other March 15th thereafter. When filing a biennial renewal of the exemption for these customers, the financial institution will need to indicate any change in ownership of the business. Initial exemption of a "non-listed business" or "payroll customer" must be made within 30 days after the day of the first reportable transaction in currency that the financial institution wishes to include under the exemption. Form TD F 90-22.53 can be also used to revoke or amend an exemption.

      CTR Backfiling
      Examiners may determine that a financial institution has failed to file CTRs in accordance with 31 CFR 103, or has improperly exempted customers from CTR filings. In situations where an institution has failed to file a number of CTRs on reportable transactions for any reason, examiners should instruct management to promptly contact the IRS Detroit Computing Center (IRS DCC), Compliance Review Group for instructions and guidance concerning the possible requirement to backfile CTRs for those affected transactions. The IRS DCC will provide an initial determination on whether CTRs should be backfiled in those cases. Cases that involve substantial noncompliance with CTR filing requirements are referred to FinCEN for review. Upon review, FinCEN may correspond directly with the institution to discuss the program deficiencies that resulted in the institution's failure to appropriately file a CTR and the corrective action that management has implemented to prevent further infractions.

      When a backfiling request is necessary, examiners should direct financial institutions to write a letter to the IRS at the IRS Detroit Computing Center, Compliance Review Group Attn: Backfiling, P.O. Box 32063, Detroit, Michigan, 48232-0063 that explains why CTRs were not filed. Examiners should also provide the financial institution a copy of the "Check List for CTR Filing Determination" form available on the FDIC's website. The financial institution will need to complete this form and include it with the letter to the IRS.

      Once an institution has been instructed to contact IRS DCC for a backfiling determination, examiners should notify both their Regional Special Activities Case Manager (SACM) or other designees and the Special Activities Section (SAS) in Washington, D.C. Specific contacts are listed on the FDIC's Intranet website. Requisite information should be forwarded electronically via e-mail to these contacts.

    Currency and Banking Retrieval System
    The Currency and Banking Retrieval System (CBRS) is a database of CTRs, SARs, and CTR Exemptions filed with the IRS. It is maintained at the IRS Detroit Computing Center. The SAS, as well as each Region's SACM and other designees, has on-line access to the CBRS. Refer to your Regional Office for a full listing of those individuals with access to the FinCEN database.

    Examiners should routinely receive volume and trend information on CTRs and SARs from their Regional SACM or other designees for each examination or visitation prior to the pre-planning process. In addition, the database information may be used to verify CTR, SAR and/or CTR Exemption filings. Detailed FinCEN database information may be used for expanded BSA reviews or in any unusual circumstances where examiners suspect certain forms have not been filed by the financial institution, or where suspicious activity by individuals has been detected.

    Examiners should provide all of the following items they have available for each search request:

    • The name of the subject of the search (financial institution and/or individual/entity);
    • The subject's nine-digit TIN/SSN (in Part III of the CTR form if seeking information on the financial institution and/or Part I of the CTR form if seeking information on the individual/entity); and
    • The date range for which the information is requested.

    When requesting a download or listing of CTR and SAR information, examiners should take into consideration the volume of CTRs and SARs filed by the financial institution under examination when determining the date range requested. Except under unusual circumstances, the date range for full listings should be no greater than one year. For financial institutions with a large volume of records, three months or less may be more appropriate.

    Since variations in spellings of an individual's name are possible, accuracy of the TIN/SSN is essential in ensuring accuracy of the information received from the FinCEN database. To this end, examiners should also identify any situations where a financial institution is using more than one tax identification number to file their CTRs and/or SARs. To reduce the possibility of error in communicating CTR and SAR information/verification requests, examiners are requested to e-mail or fax the request to their Regional SACM or other designee.

    Other FinCEN Reports

      Report of International Transportation of Currency or Monetary Instruments
      Treasury regulation 31 CFR 103.23 requires the filing of FinCEN Form 105, formerly Form 4790, to comply with other Treasury regulations and U.S. Customs disclosure requirements involving physical transport, mailing or shipping of currency or monetary instruments greater than $10,000 at one time out of or into the U.S. The report is to be completed by or on behalf of the person requesting the transfer of the funds and filed within 15 days. However, financial institutions are not required to report these items if they are mailed or shipped through the postal service or by common carrier. Also excluded from reporting are those items that are shipped to or received from the account of an established customer who maintains a deposit relationship with the bank, provided the item amounts are commensurate with the customary conduct of business of the customer concerned.

      In situations where the quantity, dollar volume, and frequency of the currency and/or monetary instruments are not commensurate with the customary conduct of the customer, financial institution management will need to conduct further documented research on the customer's transactions and determine whether a SAR should be filed with FinCEN. Please refer to the discussion on "Customer Due Diligence" and "Suspicious Activity Reporting" within this chapter for detailed guidance.

      Reports of Foreign Bank Accounts
      Within 31 CFR 103.24, the Treasury requires each person who has a financial interest in or signature authority, or other authority over any financial accounts, including bank, securities, or other types of financial accounts, maintained in a foreign country to report those relationships to the IRS annually if the aggregate value of the accounts exceeds $10,000 at any point during the calendar year. The report should be filed by June 30 of the succeeding calendar year, using Form TD F 90-22.1 available on the FinCEN website. By definition, a foreign country includes all locations outside the United States, Guam, Puerto Rico, the Virgin Islands, the Northern Mariana Islands, American Samoa, and Trust Territory of the Pacific Islands. U.S. military banking facilities are excluded. Foreign assets including securities issued by foreign corporations that are held directly by a U.S. person, or through an account maintained with a U.S. office of a bank or other institution are not subject to the BSA foreign account reporting requirements. The bank is also not required to report international interbank transfer accounts ("nostro accounts") held by domestic banks. Also excluded are accounts held in a foreign financial institution in the name of, or on behalf of, a particular customer of the financial institution, or that are used solely for the transactions of a particular customer. Finally, an officer or employee of a federally-insured depository institution branch, or agency office within the U.S. of a foreign bank that is subject to the supervision of a Federal bank regulatory agency need not report that he or she has signature or other authority over a foreign bank, securities or other financial account maintained by such entities unless he or she has a personal financial interest in the account.

    FinCEN Recordkeeping Requirements

      Required Records for Sales of Monetary Instruments for Cash
      Treasury regulation 31 CFR 103.29 prohibits financial institutions from issuing or selling monetary instruments purchased with cash in amounts of $3,000 to $10,000, inclusive, unless it obtains and records certain identifying information on the purchaser and specific transaction information. Monetary instruments include bank checks, bank drafts, cashier's checks, money orders, and traveler's checks. Furthermore, the identifying information of all purchasers must be verified. The following information must be obtained from a purchaser who has a deposit account at the financial institution:

      • Purchaser's name;
      • Date of purchase;
      • Type(s) of instrument(s) purchased;
      • Serial number(s) of each of the instrument(s) purchased; and
      • Amounts in dollars of each of the instrument(s) purchased.

      If the purchaser does not have a deposit account at the financial institution, the following additional information must be obtained:

      • Address of the purchaser (a post office box number is not acceptable);
      • Social security number (or alien identification number) of the purchaser;
      • Date of birth of the purchaser; and
      • Verification of the name and address with an acceptable document (i.e. driver's license).

      The regulation requires that multiple purchases during one business day be aggregated and treated as one purchase. Purchases of different types of instruments at the same time are treated as one purchase and the amounts should be aggregated to determine if the total is $3,000 or more. In addition, the financial institution should have procedures in place to identify multiple purchases of monetary instruments during one business day, and to aggregate this information from all of the bank branch offices.

      If a customer first deposits the cash in a bank account, then purchases a monetary instrument(s), the transaction is still subject to this regulatory requirement. The financial institution is not required to maintain a log for these transactions, but should have procedures in place to recreate the transactions.

      The information required to be obtained under 31 CFR 103.29 must be retained for a period of five years.

      Funds Transfer and Travel Rule Requirements
      Treasury regulation 31 CFR Section 103.33 prescribes information that must be obtained for funds transfers in the amount of $3,000 or more. There is a detailed discussion of the recordkeeping requirements and risks associated with wire transfers within the "Banking Services and Activities with Greater Potential for Money Laundering and Terrorist Financing Vulnerabilities" discussion within this chapter.

      Records to be Made and Retained by Financial Institutions
      Treasury regulation 31 CFR 103.33 states that each financial institution must retain either the original or a microfilm or other copy/reproduction of each of the following:

      • A record of each extension of credit in an amount in excess of $10,000, except an extension of credit secured by an interest in real property. The record must contain the name and address of the borrower, the loan amount, the nature or purpose of the loan, and the date the loan was made. The stated purpose can be very general such as a passbook loan, personal loan, or business loan. However, financial institutions should be encouraged to be as specific as possible when stating the loan purpose. Additionally, the purpose of a renewal, refinancing, or consolidation is not required as long as the original purpose has not changed and the original statement of purpose is retained for a period of five years after the renewal, refinancing or consolidation has been paid out.
      • A record of each advice, request, or instruction received or given regarding any transaction resulting in the transfer of currency or other monetary instruments, funds, checks, investment securities, or credit, of more than $10,000 to or from any person, account, or place outside the U.S. This requirement also applies to transactions later canceled if such a record is normally made.

      Required Records for Deposit Accounts
      Treasury regulation 31 CFR 103.34 requires banking institutions to obtain and retain a social security number or taxpayer identification number for each deposit account opened after June 30, 1972, and before October 1, 2003. The same information must be obtained for each certificate of deposit sold or redeemed after May 31, 1978, and before October 1, 2003. The banking institution must make a reasonable effort to obtain the identification number within 30 days after opening the account, but will not be held in violation of the regulation if it maintains a list of the names, addresses, and account numbers of those customers from whom it has been unable to secure an identification number. Where a person is a nonresident alien, the banking institution shall also record the person's passport number or a description of some other government document used to verify his/her identity.

      Furthermore, 31 CFR 103.34 generally requires banks to maintain records of items needed to reconstruct transaction accounts and other receipts or remittances of funds through a bank. Specific details of these requirements are in the regulation.

      Record Retention Period and Nature of Records
      All records required by the regulation shall be retained for five years. Records may be kept in paper or electronic form. Microfilm, microfiche or other commonly accepted forms of records are acceptable as long as they are accessible within a reasonable period of time. The record should be able to show both the front and back of each document. If no record is made in the ordinary course of business of any transaction with respect to which records are required to be retained, then such a record shall be prepared in writing by the financial institution.
Customer Identification Program
Section 326 of the USA PATRIOT Act, which is implemented by 31 CFR 103.121, requires banks, savings associations, credit unions, and certain non-federally regulated banks to implement a written Customer Identification Program (CIP) appropriate for its size and type of business. For Section 326, the definition of financial institution encompasses a variety of entities, including banks, agencies and branches of foreign banks in the U.S., thrifts, credit unions, private banks, trust companies, investment companies, brokers and dealers in securities, futures commission merchants, insurance companies, travel agents, pawnbrokers, dealers in precious metals, check cashers, casinos, and telegraph companies, among many others identified at 31 USC 5312(a)(2) and (c)(1)(A). As of October 1, 2003, all institutions and their operating subsidiaries must have in place a CIP pursuant to Treasury regulation 31 CFR 103.121.

The CIP rules do not apply to a financial institution's foreign subsidiaries. However, financial institutions are encouraged to implement an effective CIP throughout their operations, including their foreign offices, except to the extent that the requirements of the rule would conflict with local law.
    Applicability of CIP Regulation
    The CIP rules apply to banks, as defined in 31 CFR 103.11 that are subject to regulation by a Federal Banking Agency and to any non-Federally-insured credit union, private bank or trust company that does not have a Federal functional regulator. Entities that are regulated by the U.S. Securities and Exchange Commission (SEC) and the Commodity Futures Trading Commission (CFTC) are subject to separate rulemakings. It is intended that the effect of all of these rules be uniform throughout the financial services industry.

    CIP Requirements
    31 CFR 103.121 requires a bank to develop and implement a written, board-approved CIP, appropriate for its size and type of business that includes, at a minimum, procedures for:

    • Verifying a customer's true identity to the extent reasonable and practicable and defining the methodologies to be used in the verification process;
    • Collecting specific identifying information from each customer when opening an account;
    • Responding to circumstances and defining actions to be taken when a customer's true identity cannot be appropriately verified with "reasonable belief;"
    • Maintaining appropriate records during the collection and verification of a customer's identity;
    • Verifying a customer's name against specified terrorist lists; and
    • Providing customers with adequate notice that the bank is requesting identification to verify their identities.

    While not required, a bank may also include procedures for:

    • Specifying when it will rely on another financial institution (including an affiliate) to perform some or all of the elements of the CIP.

    Additionally, 31 CFR 103.121 provides that a bank with a Federal functional regulator must formally incorporate its CIP into its written board-approved anti-money laundering program. The FDIC expanded Section 326.8 of its Rules and Regulations to require each FDIC-supervised institution to implement a CIP that complies with 31 CFR 103.121 and incorporate such CIP into a bank's written board-approved BSA compliance program (with evidence of such approval noted in the board meeting minutes). Consequently, a bank must specifically provide:

    • Internal policies, procedures, and controls;
    • Designation of a compliance officer;
    • Ongoing employee training programs; and
    • An independent audit function to test program.

    The slight difference in wording between the Treasury's and FDIC's regulations regarding incorporation of a bank's CIP within its anti-money laundering program and BSA compliance program, respectively, was not intended to create duplicative requirements. Therefore, an FDIC-regulated bank must include its CIP within its anti-money laundering program and the latter included under the "umbrella" of its overall BSA/AML program.

      CIP Definitions
      As discussed above, both Section 326 of the USA PATRIOT Act and 31 CFR 103.121 specifically define the terms financial institution and bank. Similarly, specific definitions are provided for the terms person, customer, and account. Both bank management and examiners must properly understand these terms in order to effectively implement and assess compliance with CIP regulations, respectively.

      Person
      A person is generally an individual or other legal entity (such as registered corporations, partnerships, and trusts).

      Customer
      A customer is generally defined as any of the following:

      • A person that opens a new account (account is defined further within the discussion of CIP definitions);
      • An individual acting with "power of attorney"(POA)3 who opens a new account to be owned by or for the benefit of a person lacking legal capacity, such as a minor;
      • An individual who opens an account for an entity that is not a legal person, such as a civic club or sports boosters;
      • An individual added to an existing account or one who assumes an existing debt at the bank; or
      • A deposit broker who brings new customers to the bank (as discussed in detail later within this section).

      The definition of customer excludes:

      • A financial institution regulated by a Federal Banking Agency or a bank regulated by a State bank regulator4;
      • A department or agency of the U.S. Government, of any state, or of any political subdivision of any state;
      • Any entity established under the laws of the U.S., of any state, or of any political subdivision of any state, or under an interstate compact between two or more states, that exercises governmental authority on behalf of the U.S. or any such state or political subdivision (U.S. includes District of Columbia and Indian tribal lands and governments); or
      • Any entity, other than a bank, whose common stock or analogous equity interests are listed on the New York or American Stock Exchanges or whose common stock or analogous equity interests have been designated as a NASDAQ National Market Security listed on the NASDAQ Stock Market (except stock or interests listed under the separate "NASDAQ Small-Cap Issues" heading). A listed company is exempted from the definition of customer only for its domestic operations.

      The definition of customer also excludes a person who has an existing account with a bank, provided that the bank has a "reasonable belief" that it knows the true identity of the person. So, if the person were to open an additional account, or renew or roll over an existing account, CIP procedures would not be required. A bank can demonstrate that is has a "reasonable belief" that it knows the identity of an existing customer by:

      • Demonstrating that it had similar procedures in place to verify the identity of persons prior to the effective date of the CIP rule. (An "affidavit of identity" by a bank officer is not acceptable for demonstrating "reasonable belief.")
      • Providing a history of account statements sent to the person.
      • Maintaining account information sent to the IRS regarding the person's accounts accompanied by IRS replies that contain no negative comments.
      • Providing evidence of loans made and repaid, or other services performed for the person over a period of time.

      These actions may not be sufficient for existing account holders deemed to be high risk. For example, in the situation of an import/export business where the identifying information on file only includes a number from a passport marked as a duplicate with no additional business information on file, the bank should follow all of the CIP requirements provided in 31 CFR 103.121 since it does not have sufficient information to show a "reasonable belief" of the true identity of the existing account holder.

      Account
      An account is defined as a formal, ongoing banking relationship established to provide or engage in services, dealings, or other financial transactions including:

      • Deposit accounts;
      • Transaction or asset accounts ;
      • Credit accounts, or any other extension of credit;
      • Safety deposit box or other safekeeping services;
      • Cash management, custodian, and trust services; or
      • Any other type of formal, ongoing banking relationship.

      The definition of account specifically excludes the following:

      • Product or service where a formal banking relationship is NOT established with a person. Thus CIP is not intended for infrequent transactions and activities (already covered under other recordkeeping requirements within 31 CFR 103) such as:
        • Check cashing,
        • Wire transfers,
        • Sales of checks,
        • Sales of money orders;
      • Accounts acquired through an acquisition, merger, purchase of assets, or assumption of liabilities (as these "new" accounts were not initiated by customers);5 and
      • Accounts opened for the purpose of participating in an employee benefit plan established under the Employee Retirement Income Security Act of 1974 (ERISA).

      Furthermore, the CIP requirements do not apply to a person who does not receive banking services, such as a person who applies for a loan but has his/her application denied. The account in this circumstance is only opened when the bank enters into an enforceable agreement to provide a loan to the person (who therefore also simultaneously becomes a customer).

      Collecting Required Customer Identifying Information
      The CIP must contain account opening procedures that specify the identifying information obtained from each customer prior to opening the account. The minimum required information includes:

      • Name.
      • Date of birth, for an individual.
      • Physical address6, which shall be:
        • for an individual, a residential or business street address (An individual who does not have a physical address may provide an Army Post Office [APO] or a Fleet Post Office [FPO] box number, or the residential or business street address of next of kin or of another contact individual. Using the box number on a rural route is acceptable description of the physical location requirement.)
        • for a person other than an individual (such as corporations, partnerships, and trusts), a principal place of business, local office, or other physical location.
      • Identification number including a SSN, TIN, Individual Tax Identification Number (ITIN), or Employer Identification Number (EIN).

      For non-U.S. persons, the bank must obtain one or more of the following identification numbers:

      • Customer's TIN,
      • Passport number and country of issuance,
      • Alien identification card number, and
      • Number and country of issuance of any other (foreign) government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.

      When opening an account for a foreign business or enterprise that does not have an identification number, the bank must request alternative government-issued documentation certifying the existence of the business or enterprise.

      Exceptions to Required Customer Identifying Information
      The bank may develop, include, and follow CIP procedures for a customer who at the time of account opening, has applied for, but has not yet received, a TIN. However, the CIP must include procedures to confirm that the application was filed before the customer opens the account and procedures to obtain the TIN within a reasonable period of time after the account is opened.

      There is also an exception to the requirement that a bank obtain the above-listed identifying information from the customer prior to opening an account in the case of credit card accounts. A bank may obtain identifying information (such as TIN) from a third-party source prior to extending credit to the customer.

      Verifying Customer Identity Information
      The CIP should rely on a risk-focused approach when developing procedures for verifying the identity of each customer to the extent reasonable and practicable. A bank need not establish the accuracy of every element of identifying information obtained in the account opening process, but must do so for enough information to form a "reasonable belief" that it knows the true identity of each customer. At a minimum, the risk-focused procedures must be based on, but not limited to, the following factors:

      • Risks presented by the various types of accounts offered by the bank;
      • Various methods of opening accounts provided by the bank;
      • Various sources and types of identifying information available; and
      • The bank's size, location, and customer base.

      Furthermore, a bank's CIP procedures must describe when the bank will use documentary verification methods, non-documentary verification methods, or a combination of both methods.

      Documentary Verification
      The CIP must contain procedures that set forth the specific documents that the bank will use. For an individual, the documents may include:

      • Unexpired government-issued identification evidencing nationality or residence, and bearing a photograph or similar safeguard, such as a driver's license or passport.

      For a person other than an individual (such as a corporation, partnership, or trust), the documents may include:

      • Documents showing the existence of the entity, such as certified articles of incorporation, a government-issued business license, a partnership agreement, trust instrument, a certificate of good standing, or a business resolution.

      Non-Documentary Verification
      Banks are not required to use non-documentary methods to verify a customer's identity. However, if a bank chooses to do so, a description of the approved non-documentary methods must be incorporated in the CIP. Such methods may include:

      • Contacting the customer,
      • Checking references with other financial institution,
      • Obtaining a financial statement, and
      • Independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from consumer reporting agencies (for example, Experian, Equifax, TransUnion, Chexsystems), public databases (for example, Lexis, Dunn and Bradstreet), or other sources (for example, utility bills, phone books, voter registration bills).

      The bank's non-documentary procedures must address situations such as:

      • The inability of a customer to present an unexpired government-issued identification document that bears a photograph or similar safeguard;
      • Unfamiliarity on the bank's part with the documents presented;
      • Accounts opened without obtaining documents;
      • Accounts opened without the customer appearing in person at the bank (for example, accounts opened through the mail or over the Internet); and
      • Circumstances increasing the risk that the bank will be unable to verify the true identity of a customer through documents.

      Many of the risks presented by these situations can be mitigated. A bank that accepts items that are considered secondary forms of identification, such as utility bills and college ID cards, is encouraged to review more than a single document to ensure that it has formed a "reasonable belief" of the customer's true identity. Furthermore, in instances when an account is opened over the Internet, a bank may be able to obtain an electronic credential, such as a digital certificate, as one of the methods it uses to verify a customer's identity.

      Additional Verification Procedures for Customers
      (Non-Individuals)
      The CIP must address situations where, based on a risk assessment of a new account that is opened by a customer that is not an individual, the bank will obtain information about individuals with authority or control over such accounts, in order to verify the customer's identity. These individuals could include such parties as signatories, beneficiaries, principals, and guarantors. As previously stated, a risk-focused approach should be applied to verify customer accounts. For example, in the case of a well-known firm, company information and verification could be sufficient without obtaining and verifying identity information for all signatories. However, in the case of a relatively new or unknown firm, it would be in the bank's best interest to obtain and verify a greater volume of information on signatories and other individuals with control or authority over the firm's account.

      Inability to Verify Customer Identity Information
      The CIP must include procedures for responding to circumstances in which the bank cannot form a reasonable belief that it knows the true identity of a customer. These procedures should describe, at a minimum, the following:

      • Circumstances when the bank should not open an account;
      • The terms or limits under which a customer may use an account while the bank attempts to verify the customer's identity (for example, minimal or no funding on credit cards, holds on deposits, limits on wire transfers);
      • Situations when an account should be closed after attempts to verify a customer's identity have failed; and
      • Conditions for filing a SAR in accordance with applicable laws and regulations.

      Recordkeeping Requirements
      The bank's CIP must include recordkeeping procedures for:

      • Any document that was relied upon to verify identity noting the type of document, the identification number, the place of issuance, and, if any, the dates of issuance and expiration;
      • The method and results of any measures undertaken to perform non-documentary verification procedures; and
      • The results of any substantive discrepancy discovered when verifying the identifying information obtained.

      Banks are not required to make and retain photocopies of any documents used in the verification process. However, if a bank does choose to do so, it must ensure that these photocopies are physically secured to adequately protect against possible identity theft. In addition, such photocopies should not be maintained with files and documentation relating to credit decisions in order to avoid any potential problems with consumer compliance regulations.

      Required Retention Period
      All required customer identifying information obtained in the account opening process must be retained for five years after the account is closed, or in the case of credit card accounts, five years after the account is closed or becomes dormant. The other "required records" (descriptions of documentary and non-documentary verification procedures and any descriptions of substantive discrepancy resolution) must be retained for five years after the record is made. If several accounts are opened at a bank for a customer simultaneously, all of the required customer identifying information obtained in the account opening process must be retained for five years after the last account is closed, or in the case of credit card accounts, five years after the last account is closed or becomes dormant. As in the case of a single account, all other "required records" must be kept for five years after the records are made.

      Comparison with Government Lists of Known or Suspected Terrorists
      The CIP must include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency and designated as such by the Treasury in consultation with the other Federal functional regulators.

      The comparison procedures must be performed and a determination made within a reasonable period of time after the account is opened, or earlier, as required and directed by the issuing agency. Since the USA PATRIOT Act Section 314(a) Requests, discussed in detail under the heading entitled "Special Information Sharing Procedures to Deter Money Laundering and Terrorist Activities," are one-time only searches, they are not applicable to the CIP.

      Adequate Customer Notice
      The CIP must include procedures for providing customers with adequate notice that the bank is requesting information to verify their identities. This notice must indicate that the institution is collecting, verifying, and recording the customer identity information as outlined in the CIP regulations. Furthermore, the customer notice must be provided prior to account opening, with the general belief that it will be clearly read and understood. This notice may be posted on a lobby sign, included on the bank's website, provided orally, or disclosed in writing (for example, account application or separate disclosure form). The regulation provides sample language that may be used for providing adequate customer notice. In the case of joint accounts, the notice must be provided to all joint owners; however, this may be accomplished by providing notice to one owner for delivery to the other owners.

      Reliance on Another Financial Institution's CIP
      A bank may develop and implement procedures for relying on another financial institution for the performance of CIP procedures, yet the CIPs at both entities do not have to be identical. The reliance can be used with respect to any bank customer that is opening or has opened an account or similar formal relationship with the relied-upon financial institution. Additionally, the following requirements must be met:

      • Reliance is reasonable, under the circumstances;
      • The relied-upon financial institution (including an affiliate) is subject to the same anti-money laundering program requirements as a bank, and is regulated by a Federal functional regulator (as previously defined); and
      • A signed contract exists between the two entities that requires the relied-upon financial institution to certify annually that it has implemented its anti-money laundering program, and that it will perform (or its agent will perform) the specified requirements of the bank's CIP.

      To strengthen such an arrangement, the signed contract should include a provision permitting the bank to have access to the relied-upon institution's annual independent review of its CIP.

    Deposit Broker Activity
    The use of deposit brokers is a common funding mechanism for many financial institutions. This activity is considered higher risk because each deposit broker operates under its own operating guidelines to bring customers to a bank. Consequently, the deposit broker may not be performing sufficient Customer Due Diligence (CDD), Office of Foreign Assets Control (OFAC) screening (refer to the detailed OFAC discussion provided elsewhere within this chapter), or CIP procedures. The bank accepting brokered deposits relies upon the deposit broker to have sufficiently performed all required account opening procedures and to have followed all BSA and AML program requirements.

      Deposit Broker is Customer
      Regulations contained in 31 CFR 103.121 specifically defines the term customer as a person (individual, registered corporation, partnership, or trust). Therefore, according to this definition, if a deposit broker opens an account(s), the customer is the deposit broker NOT the deposit broker's clients.

      Deposit Broker's CIP
      Deposit brokers must follow their own CIP requirements for their customers. If the deposit broker is registered with the SEC, then it is required to follow the same general CIP requirements as banking institutions and is periodically examined by the SEC for compliance. However, if the deposit broker does not come under the SEC's jurisdiction, they may not be following any due diligence laws or guidelines.

      As such, banks accepting deposit broker accounts should establish policies and procedures regarding the brokered deposits. Policies should establish minimum due diligence procedures for all deposit brokers providing business to the bank. The level of due diligence a bank performs should be commensurate with its knowledge of the deposit broker and the broker's known business practices.

      Banks should conduct enhanced due diligence on unknown and/or unregulated deposit brokers. For protection, the bank should determine that the:

      • Deposit broker is legitimate;
      • Deposit broker is following appropriate guidance and/or regulations;
      • Deposit broker's policies and procedures are sufficient;
      • Deposit broker has adequate CIP verification procedures;
      • Deposit broker screens clients for OFAC matches;
      • BSA/OFAC audit reviews are adequate and show compliance with requirements; and
      • Bank management is aware of the deposit broker's anticipated volume and transaction type.

      Special care should be taken with deposit brokers who:

      • Are previously unknown to the bank;
      • Conduct business or obtain deposits primarily in another country;
      • Use unknown or hard-to-contact businesses and banks for references;
      • Provide other services which may be suspect, such as creating shell corporations for foreign clients;
      • Advertise their own deposit rates, which vary widely from those offered by banking institutions; and
      • Refuse to provide requested due diligence information or use methods to get deposits placed before providing information.

      Banks doing business with deposit brokers are encouraged to include contractual requirements for the deposit broker to establish and conduct procedures for minimum CIP, CDD, and OFAC screening.

      Finally, the bank should monitor brokered deposit activity for unusual activity, including cash transactions, structuring, and funds transfer activity. Monitoring procedures should identify any "red flags" suggesting that the deposit broker's customers (the ultimate customers) are trying to conceal their true identities and/or their source of wealth and funds.

    Additional Guidance on CIP Regulations
    Comprehensive guidance regarding CIP regulations and related examination procedures can be found within FDIC FIL 90-2004, Guidance on Customer Identification Programs. On January 9, 2004, the Treasury, FinCEN, and the Federal Financial Institutions Examination Council (FFIEC) regulatory agencies issued joint interpretive guidance addressing frequently asked questions (FAQs) relating to CIP requirements in FIL-4-2004. Additional information regarding CIP can be found on the FinCEN website.
Special Information Sharing Procedures to Deter Money Laundering and Terrorist Activities
Section 314 of the USA PATRIOT Act covers special information sharing procedures to deter money laundering and terrorist activities. These are the only two categories that apply under Section 314 information sharing; no information concerning other suspicious or criminal activities can be shared under the provisions of Section 314 of the USA PATRIOT Act. Final regulations of the following two rules issued on March 4, 2002, became effective on September 26, 2002:
  • Section 314(a), codified into 31 CFR 103.100, requires mandatory information sharing between the U.S. Government (FinCEN, Federal law enforcement agencies, and Federal Banking Agencies) and financial institutions.
  • Section 314(b), codified into 31 CFR 103.110, encourages voluntary information sharing between financial institutions and/or associations of financial institutions.
    Section 314(a) - Mandatory Information Sharing Between the U.S. Government and Financial Institutions
    A Federal law enforcement agency investigating terrorist activity or money laundering may request that FinCEN solicit, on its behalf, certain information from a financial institution or a group of financial institutions on certain individuals or entities. The law enforcement agency must provide a written certification to FinCEN attesting that credible evidence of money laundering or terrorist activity exists. It must also provide specific identifiers such as date of birth, address, and social security number of the individual(s) under investigation that would permit a financial institution to differentiate among customers with common or similar names.

      Section 314(a) Requests
      Upon receiving an adequate written certification from a law enforcement agency, FinCEN may require financial institutions to perform a search of their records to determine whether they maintain or have maintained accounts for, or have engaged in transactions with, any specified individual, entity, or organization. This process involves providing a Section 314(a) Request to the financial institutions. Such lists are issued to financial institutions every two weeks by FinCEN.

      Each Section 314(a) request has a unique tracking number. The general instructions for a Section 314(a) Request require financial institutions to complete a one-time search of their records and respond to FinCEN, if necessary, within two weeks. However, individual requests can have different deadline dates. Any specific guidelines on the request supercede the general guidelines.

      Designated Point-of-Contact for Section 314(a) Requests
      All financial institutions shall designate at least one point-of-contact for Section 314(a) requests and similar information requests from FinCEN. FDIC-supervised financial institutions must promptly notify the FDIC of any changes to the point-of-contact, which is reported on each Call Report.

      Financial Institution Records Required to be Searched
      The records that must be searched for a Section 314(a) Request are specified in the request itself. Using the identifying information contained in the 314(a) request, financial institutions are required to conduct a one-time search of the following records, whether or not they are kept electronically (subject to the limitations below):

      • Deposit account records;
      • Funds transfer records;
      • Sales of monetary instruments (purchaser only);
      • Loan records;
      • Trust department records;
      • Securities records (purchases, sales, safekeeping, etc.);
      • Commodities, options, and derivatives; and
      • Safe deposit box records (but only if searchable electronically).

      According to the general instructions to Section 314(a), financial institutions are NOT required to research the following documents for matches:

      • Checks processed through an account for a payee,
      • Monetary instruments for a payee,
      • Signature cards, and
      • CTRs and SARs previously filed.

      The general guidelines specify that the record search need only encompass current accounts and accounts maintained by a named subject during the preceding twelve (12) months, and transactions not linked to an account conducted by a named subject during the preceding six (6) months. Any record described above that is not maintained in electronic form need only be searched if it is required to be kept under federal law or regulation.

      Again, if the specific guidelines or the timeframe of records to be searched on a Section 314(a) Request differ from the general guidelines, they should be followed to the extent possible. For example, if a particular Section 314(a) Request asks financial institutions to search their records back eight years, the financial institutions should honor such requests to the extent possible, even though BSA recordkeeping requirements generally do not require records to be retained beyond five years.

      Reporting of "Matches"
      Financial institutions typically have a two-week window to complete the one-time search and respond, if necessary to FinCEN. If a financial institution identifies an account or transaction by or on behalf of an individual appearing on a Section 314(a) Request, it must report back to FinCEN that it has a "positive match," unless directed otherwise. When reporting this information to FinCEN, no additional details, unless otherwise instructed, should be provided other than the fact that a "positive match" has been identified. In situations where a financial institution is unsure of a match, it may contact the law enforcement agency specified in the Section 314(a) Request. Negative responses to Section 314(a) Requests are not required; the financial institution does not need to respond to FinCEN on a Section 314(a) Request if there are no matches to the institution's records. Financial institutions are to be reminded that unless a name is repeated on a subsequent Section 314(a) Request, that name does not need to be searched again.

      The financial institution must not notify a customer that he/she has been included on a Section 314(a) Request. Furthermore, the financial institution must not tell the customer that he/she is under investigation or that he/she is suspected of criminal activity.

      Restrictions on Use of Section 314(a) Requests
      A financial institution may only use the information identified in the records search to report "positive matches" to FinCEN and to file, when appropriate, SARs. If the financial institution has a "positive match," account activity with that customer or entity is not prohibited; it is acceptable for the financial institution to open new accounts or maintain current accounts with Section 314(a) Request subjects; the closing of accounts is not required. However, the Section 314(a) Requests may be useful as a determining factor for such decisions if the financial institution so chooses. Unlike OFAC lists, Section 314(a) Requests are not permanent "watch lists." In fact, Section 314(a) Requests are not updated or corrected if an investigation is dropped, a prosecution is declined, or a subject is exonerated, as they are point-in-time inquiries. Furthermore, the names provided on Section 314(a) Requests do not necessarily correspond to convicted or indicted persons; rather, a Section 314(a) Request subject need only be "reasonably suspected," based on credible evidence of engaging in terrorist acts or money laundering to appear on the list.

      SAR Filings
      If a financial institution has a positive match within its records, it is not required to automatically file a SAR on the identified subject. In other words, the subject's presence on the Section 314(a) Request should not be the sole factor in determining whether to file a SAR. However, prudent BSA compliance practices should ensure that the subject's accounts and transactions be scrutinized for suspicious or unusual activity. If, after such a review is performed, the financial institution's management has determined that the subject's activity is suspicious, unusual, or inconsistent with the customer's profile, then the timely filing of an SAR would be warranted.

      Confidentiality of Section 314(a) Requests
      Financial institutions must protect the security of the Section 314(a) Requests, as they are confidential. As stated previously, a financial institution must not tip off a customer that he/she is the subject of a Section 314(a) Request. Similarly, a financial institution cannot disclose to any person or entity, other than to FinCEN, its primary Federal functional regulator, or the Federal law enforcement agency on whose behalf FinCEN is requesting information, the fact that FinCEN has requested or obtained information from a Section 314(a) Request.

      FinCEN has stated that an affiliated group of financial institutions may establish one point-of-contact to distribute the Section 314(a) Requests for the purpose of responding to requests. However, the Section 314(a) Requests should not be shared with foreign affiliates or foreign subsidiaries (unless the request specifically states otherwise), and the lists cannot be shared with affiliates or subsidiaries of bank holding companies that are not financial institutions.

      Notwithstanding the above restrictions, a financial institution is authorized to share information concerning an individual, entity, or organization named in a Section 314(a) Request from FinCEN with other financial institutions and/or financial institution associations in accordance with the certification and procedural requirements of Section 314(b) of the USA PATRIOT Act discussed below. However, such sharing shall not disclose the fact that FinCEN has requested information on the subjects or the fact that they were included within a Section 314(a) Request.

      Internal Financial Institution Measures for Protecting Section 314(a) Requests
      In order to protect the confidentiality of the Section 314(a) Requests, these documents should only be provided to financial institution personnel who need the information to conduct the search and should not be left in an unprotected or unsecured area. A financial institution may provide the Section 314(a) Request to third-party information technology service providers or vendors to perform/facilitate the record searches so long as it takes the necessary steps to ensure that the third party appropriately safeguards the information. It is important to remember that the financial institution remains ultimately responsible for the performance of the required searches and to protect the security and confidentiality of the Section 314(a) Requests.

      Each financial institution must maintain adequate procedures to protect the security and confidentiality of requests from FinCEN. The procedures to ensure confidentiality will be considered adequate if the financial institution applies procedures similar to those it has established to comply with Section 501 of the Gramm-Leach-Bliley Act (15 USC 6801) with regard to the protection of its customers' non-public personal information.

      Financial institutions should keep a log of all Section 314(a) Requests received and any "positive matches" identified and reported to FinCEN. Additionally, documentation that all required searches were performed is essential. The financial institution should not need to keep copies of the Section 314(a) Requests, noting the unique tracking number will suffice. Some financial institutions may choose to destroy the Section 314(a) Requests after searches are performed. If a financial institution chooses to keep the Section 314(a) Requests for audit/internal review purposes, it should not be criticized for doing so, as long as it appropriately secures them and protects their confidentiality.

      FinCEN has provided financial institutions with general instructions, FAQs, and additional guidance relating to the Section 314(a) Request process. These documents are revised periodically and may be found on FinCEN's Web site.

    Section 314(b) - Voluntary Information Sharing
    Section 314(b) of the USA PATRIOT Act encourages financial institutions and financial institution associations (for example, bank trade groups and associations) to share information on individuals, entities, organizations, and countries suspected of engaging in possible terrorist activity or money laundering. Section 314(b) limits the definition of "financial institutions" used within Section 314(a) of USA PATRIOT Act to include only those institutions that are required to establish and maintain an anti-money laundering program; this definition includes, but is not limited to, banking entities regulated by the Federal Banking Agencies. The definition specifically excludes any institution or class of institutions that FinCEN has designated as ineligible to share information. Section 314(b) also describes the safe harbor from civil liability that is provided to financial institutions that appropriately share information within the limitations and requirements specified in the regulation.

      Restrictions on Use of Shared Information
      Information shared on a subject from a financial institution or financial institution association pursuant to Section 314(b) cannot be used for any purpose other than the following:

      • Identifying and, where appropriate, reporting on money laundering or terrorist activities;
      • Determining whether to establish or maintain an account, or to engage in a transaction; or
      • Assisting in the purposes of complying with this section.

      Annual Certification Requirements
      In order to avail itself to the statutory safe harbor protection, a financial institution or financial institution association must annually certify with FinCEN stating its intent to engage in information sharing with other similarly-certified entities. It must further state that it has established and will maintain adequate procedures to protect the security and confidentiality of the information, as if the information were included in one of its own SAR filings. The annual certification process involves completing and submitting a "Notice for Purposes of Subsection 314(b) of the USA PATRIOT Act and 31 CFR 103.110." The notice can be completed and electronically submitted to FinCEN via their website. Alternatively, the notice can be mailed to the following address: FinCEN, P.O. Box 39, Mail Stop 100, Vienna, VA 22183. It is important to mention that if a financial institution or financial institution association improperly uses its Section 314(b) permissions, its certification can be revoked by either FinCEN or by its Federal Banking Agency.

      Failure to follow the Section 314(b) annual certification requirements will result in the loss of the financial institution or financial institution association's statutory safe harbor and could result in a violation of privacy laws or other laws and regulations.

      Verification Requirements
      A financial institution must take reasonable steps to verify that the other financial institution(s) or financial institution association(s) with which it intends to share information has also performed the annual certification process discussed above. Such verification can be performed by reviewing the lists of other 314(b) participants that are periodically provided by FinCEN. Alternatively, the financial institution or financial institution association can confirm directly with the other party that the certification process has been completed.

      Other Important Requirements and Restrictions
      Section 314(b) requires virtually the same care and safeguarding of sensitive information as Section 314(a), whether the bank is the "provider" or "receiver" of information. Refer to the discussions provided above and within "Section 314(a) - Mandatory Information Sharing Between the U.S. Government and Financial Institutions" for detailed guidance on:

      • SAR Filings and
      • Confidentiality of Section 314(a) Requests (including the embedded discussion entitled "Internal Financial Institution Measures for Protecting Section 314(a) Requests").

      Actions taken pursuant to shared information do not affect a financial institution's obligations to comply with all BSA and OFAC rules and regulations. For example, a financial institution is still obligated to immediately contact law enforcement and its Federal regulatory agency, by telephone, when a significant reportable violation requiring immediate attention (such as one that involves the financing of terrorist activity or is of an ongoing nature) is being conducted; thereafter, a timely SAR filing is still required.

      FinCEN has provided financial institutions with general instructions, registration forms, FAQs, and additional guidance relating to the Section 314(b) information sharing process. These documents are revised periodically and may be found on FinCEN's website.
Customer Due Diligence (CDD)
The cornerstone of strong BSA/AML programs is the adoption and implementation of comprehensive CDD policies, procedures, and controls for all customers, particularly those that present a higher risk for money laundering and terrorist financing. The concept of CDD incorporates and builds upon the CIP regulatory requirements for identifying and verifying a customer's identity.

The goal of a CDD program is to develop and maintain an awareness of the unique financial details of the institution's customers and the ability to relatively predict the type and frequency of transactions in which its customers are likely to engage. In doing so, institutions can better identify, research, and report suspicious activity as required by BSA regulations. Although not required by statute or regulation, an effective CDD program provides the critical framework that enables the institution to comply with regulatory requirements.
    Benefits of an Effective CDD Program
    An effective CDD program protects the reputation of the institution by:

    • Preventing unusual or suspicious transactions in a timely manner that potentially exposes the institution to financial loss or increased expenses;
    • Avoiding criminal exposure from individuals who use the institution's resources and services for illicit purposes; and
    • Ensuring compliance with BSA regulations and adhering to sound and recognized banking practices.

    CDD Program Guidance
    CDD programs should be tailored to each institution's BSA/AML risk profile; consequently, the scope of CDD programs will vary. While smaller institutions may have more frequent and direct contact with customers than their counterparts in larger institutions, all institutions should adopt and follow an appropriate CDD program.

    An effective CDD program should:

    • Be commensurate with the institution's BSA/AML risk profile, paying particular attention to higher risk customers,
    • Contain a clear statement of management's overall expectations and establish specific staff responsibilities, and
    • Establish monitoring systems and procedures for identifying transactions or activities inconsistent with a customer's normal or expected banking activity.

    Customer Risk
    As part of an institution's BSA/AML risk assessment, many institutions evaluate and apply a BSA/AML risk rating to its customers. Under this approach, the institution will obtain information at account opening sufficient to develop a "customer transaction profile" that incorporates an understanding of normal and expected activity for the customer's occupation or business operations. While this practice may not be appropriate for all institutions, management of all institutions should have a thorough understanding of the money laundering or terrorist financing risks of its customer base and develop and implement the means to adequately mitigate these risks.

    Due Diligence for Higher Risk Customers
    Customers that pose higher money laundering or terrorist financing risks present increased exposure to institutions. Due diligence for higher risk customers is especially critical in understanding their anticipated transactions and implementing a suspicious activity monitoring system that reduces the institution's reputation, compliance, and transaction risks. Higher risk customers and their transactions should be reviewed more closely at account opening and more frequently throughout the term of the relationship with the institution.

    The USA PATRIOT Act requires special due diligence at account opening for certain foreign accounts, such as foreign correspondent accounts and accounts for senior foreign political figures. An institution's CDD program should include policies, procedures, and controls reasonably designed to detect and report money laundering through correspondent accounts and private banking accounts that are established or maintained for non-U.S. persons. Guidance regarding special due diligence requirements is provided in the next section entitled "Banking Services and Activities with Greater Potential for Money Laundering and Enhanced Due Diligence Procedures."
Banking Services and Activities with Greater Potential for Money Laundering and Enhanced Due Diligence Procedures
Certain financial services and activities are more vulnerable to being exploited in money laundering and terrorist financing activities. These conduits are often utilized because each typically presents an opportunity to move large amounts of funds embedded within a large number of similar transactions. Most activities discussed in this section also offer access to international banking and financial systems. The ability of U.S. financial institutions to conduct the appropriate level of due diligence on customers of foreign banks, offshore and shell banks, and foreign branches is often severely limited by the laws and banking practices of other countries.

While international AML and Counter-Terrorist Financing (CTF) standards are improving through efforts of several international groups, U.S. financial institutions will still need effective systems in their AML and CTF programs to understand the quality of supervision and assess the integrity and effectiveness of controls in other countries. Higher risk areas discussed in this section include:
  • Non-bank financial institutions (NBFIs), including money service businesses (MSBs);
  • Foreign correspondent banking relationships;
  • Payable-through accounts;
  • Private banking activities;
  • Numbered accounts;
  • Pouch activities;
  • Special use accounts;
  • Wire transfer activities; and
  • Electronic banking.
Financial institutions offering these higher risk products and services must enhance their AML and CDD procedures to ensure adequate scrutiny of these activities and the customers conducting them.
    Non-Bank Financial Institutions and Money Service Businesses
    Non-bank financial institutions (NBFIs) are broadly defined as institutions that offer financial services. Traditional financial institutions ("banks" for this discussion) that maintain account relationships with NBFIs are exposed to a higher risk for potential money laundering activities because these entities are less regulated and may have limited or no documentation on their customers. Additionally, banks may likewise be exposed to possible OFAC violations for unknowingly engaging in or facilitating prohibited transactions through a NBFI account relationship.

    NBFIs include, but are not limited to:

    • Casinos or card clubs;
    • Securities brokers/dealers; and
    • Money Service Businesses (MSBs)
      • currency dealers or exchangers;
      • check cashers;
      • issuers, sellers, or redeemers of traveler's checks, money orders, or stored value cards;
      • money transmitters; and
      • U.S. Post Offices (money orders).

      Money Service Businesses
      As indicated above, MSBs are a subset of NBFIs. Regulations for MSBs are included within 31 CFR 103.41. All MSBs were required to register with FinCEN using Form TD F 90-22.55 by December 31, 2001, or within 180 days after the business begins operations. Thereafter, each MSB must renew its registration every two years.

      MSBs are a major industry, and typically operate as independent businesses. Relatively few MSBs are chains that operate in multiple states. MSBs can be sole-purpose entities but are frequently tied to another business such as a liquor store, bar, grocery store, gas station, or other multi-purpose entity. As a result, many MSBs are frequently unaware of their legal and regulatory requirements and have been historically difficult to detect. A bank may find it necessary to inform MSB customers about the appropriate MSB regulations and requirements.

      Most legitimate MSBs should not refuse to follow regulations once they have been informed of the requirements. If they do, the bank should closely scrutinize the MSBs activities and transactions for possible suspicious activity.

      MSBs typically do not establish on-going customer relationships, and this is one of the reasons that MSB customers are considered higher risk. Since MSBs do not have continuous relationships with their clients, they generally do not obtain key due diligence documentation, making customer identification and suspicious transaction identification more difficult.

      Banks with MSB customers also have a risk in processing third-party transactions through their payment and other banking systems. MSB transactions carry an inherent potential for the facilitation of layering. MSBs can be conduits for illicit cash and monetary instrument transactions, check kiting, concealing the ultimate beneficiary of the funds, and facilitating the processing of forged or fraudulent items such as treasury checks, money orders, traveler's checks, and personal checks.

      MSB Agents
      MSBs that are agents of such commonly known entities as Moneygram or Western Union should be aware of their legal requirements. Agents of such money transmitters, unless they offer another type of MSB activity, do NOT have to independently register with FinCEN, but are maintained on an agency list by the "actual" MSB (such as Western Union). However, this "actual" MSB is responsible for providing general training and information requirements to their agents and for aggregating transactions on a nationwide basis, as appropriate.

      Check Cashers
      FinCEN defines a check casher as a business that will cash checks and/or sell monetary or other instruments over $1,000 per customer on any given day. If a company, such as a local mini-market, will cash only personal checks up to $100 per day AND it provides no other financial services or instruments (such as money orders or money transmittals), then that company would NOT be considered a check casher for regulatory purposes or have to register as an MSB.

      Exemptions from CTR Filing Requirements
      MSBs are subject to BSA regulations and OFAC sanctions and, as such, should be filing CTRs, screening customers for OFAC matches, and filing SARs, as appropriate. MSBs cannot exempt their customers from CTR filing requirements like banks can, and banks may not exempt MSB customers from CTR filing, unless the "50 Percent Rule" applies.

      The "50 Percent Rule" states that if a MSB derives less than 50 percent of its gross cash receipts from money service activities, then it can be exempted. If the bank exempts a MSB customer under the "50 Percent Rule," it should have documentation evidencing the types of business conducted, receipt volume, and estimations of MSB versus non-MSB activity.

      Policies and Procedures for Opening and Monitoring NBFI and MSB Relationships
      Banks that maintain account relationships with NBFIs or MSBs should perform greater due diligence for these customers given their higher risk profile. Management should implement the following due diligence procedures for MSBs:

      • Identify all NBFI/MSB accounts;
      • Determine that the business has met local licensing requirements;
      • Ascertain if the MSB has registered or re-registered with FinCEN and obtain a copy of the filing or verify the filing on FinCEN's website;
      • Determine if the MSB has procedures to comply with BSA regulations and OFAC monitoring;
      • Establish the types and amounts of currencies/instruments handled, and any additional services provided;
      • Note the targeted customer base;
      • Determine if the business sends or receives international wires and the nature of the activity;
      • Determine if the MSB has procedures to monitor and report suspicious activity; and
      • Obtain a copy of the MSBs independent BSA review, if available.

      Management should document in writing the responses to the items above and update MSB customer files at least annually. In addition, management should continue to monitor these higher risk accounts for suspicious activity. The FDIC does not expect the bank to perform an examination of the MSB; however, the bank should take reasonable steps to document that MSB customers are aware of and are complying with appropriate regulations.

      For additional information, examiners should instruct bank management to consult the FinCEN website developed specifically for MSBs. This website contains guidance, registration forms, and other materials useful for MSBs to understand and comply with BSA regulations. Bank customers who are uncertain if they are covered by the definition of MSBs can also visit this site to determine if their business activities qualify.

    Foreign Correspondent Banking Relationships
    Correspondent accounts are accounts that financial institutions maintain with each other to handle transactions for themselves or for their customers. Correspondent accounts between a foreign bank and U.S. financial institutions are much needed, as they facilitate international trade and investment. However, these relationships may pose a higher risk for money laundering.

    Transactions through foreign correspondent accounts are typically large and would permit movement of a high volume of funds relatively quickly. These correspondent accounts also provide foreign entities with ready access to the U.S. financial system. These banks and other financial institutions may be located in countries with unknown AML regulations and controls ranging from strong to weak, corrupt, or nonexistent.

    The USA PATRIOT Act establishes reporting and documentation requirements for certain high-risk areas, including:

    • Special due diligence requirements for correspondent accounts and private banking accounts which are addressed in 31 CFR 103.181.
    • Verification procedures for foreign correspondent account relationships which are included in 31 CFR 103.185.
    • Foreign banks with correspondent accounts at U.S. financial institutions must produce bank records, including information on ownership, when requested by regulators and law enforcement, as detailed in Section 319 of the USA PATRIOT Act and codified at 31 CFR 103.185.

    The foreign correspondent records detailed above are to be provided within seven days of a law enforcement request and within 120 hours of a Federal regulatory request. Failure to provide such records in a timely manner may result in the U.S. financial institution's required termination of the foreign correspondent account. Such foreign correspondent relationships need only be terminated upon the U.S. financial institution's written receipt of such instruction from either the Secretary of the Treasury or the U.S. Attorney General. If the U.S. financial institution fails to terminate relationships after receiving notification, the U.S. institution may face civil money penalties.

    The Treasury was also granted broad authority by the USA PATRIOT Act (codified in 31 USC 5318[A]), allowing it to establish special measures. Such special measures can be established which require U.S. financial institutions to perform additional recordkeeping and/or reporting or require a complete prohibition of accounts and transactions with certain countries and/or specified foreign financial institutions. The Treasury may impose such special measures by regulation or order, in consultation with other regulatory agencies, as appropriate.

    Shell Banks
    Sections 313 and 319 of the USA PATRIOT Act implemented (by 31 CFR 103.177 and 103.185, respectively) a new provision of the BSA that relates to foreign correspondent accounts. Covered financial institutions (CFI) are prohibited from establishing, maintaining, administering, or managing a correspondent account in the U.S. for or on behalf of a foreign shell bank.

    A correspondent account, under this regulation, is defined as an account established by a CFI for a foreign bank to receive deposits from, to make payments or other disbursements on behalf of a foreign financial institution, or to handle other financial transactions related to the foreign bank. An account is further defined as any formal banking or business relationship established to provide:

    • Regular services,
    • Dealings, and
    • Other financial transactions,

    and may include:

    • Demand deposits,
    • Savings deposits,
    • Any other transaction or asset account,
    • Credit account, or
    • Any other extension of credit.

    A foreign shell bank is defined as a foreign bank without a physical presence in any country. Physical presence means a place of business that:

    • Is maintained by a foreign bank;
    • Is located at a fixed address (other than solely an electronic address or a post-office box) in a country in which the foreign bank is authorized to conduct banking activities;
    • Provides at that fixed address:
      • One or more full-time employees,
      • Operating records related to its banking activities; and
    • Is subject to inspection by the banking authority that licensed the foreign bank to conduct banking activities.

    There is one exception to the shell bank prohibition. This exception allows a CFI to maintain a correspondent account with a foreign shell bank if it is a regulated affiliate. As a regulated affiliate, the shell bank must meet the following requirements:

    • The shell bank must be affiliated with a depository institution (bank or credit union, either U.S. or foreign) in the U.S. or another foreign jurisdiction.
    • The shell bank must be subject to supervision by the banking authority that regulates the affiliated entity.

    Furthermore, in any foreign correspondent relationship, the CFI must take reasonable steps to ensure that such an account is not being used indirectly to provide banking services to other foreign shell banks. If the CFI discovers that a foreign correspondent account is providing indirect services in this manner, then it must either prohibit the indirect services to the foreign shell bank or close down the foreign correspondent account. This activity is referred to as "nested" correspondent banking and is discussed in greater detail below under "Foreign