Get to Know Your Customer:

1
Get to Know Your Customer

• Complying with New Regulations Under USA PATRIOT
  Act Section 326

2
Welcome

• THOMAS ROLLAUER
• Partner
• Deloitte Touche

3
Agenda

• Welcome
• Thomas Rollauer, Partner, Deloitte Touche
• Overview of Section 326 Regulations
• Susan Levey, Director, Deloitte Touche
• Key Issues and Industry Perspectives Section 326
  Requirements Challenges
• Vincent J. Weltz, Vice President-AML Officer,
  Risk Management Investigations, Charles Schwab
  Co.
• Judith C. Gruenbaum, Interim BSA/AML Compliance
  Officer, Bank One Corporation
• Other Key Issues for Consideration
• Bob Molloy, Sr. Manager, Deloitte Touche
• Questions Answers

4
Overview of Section 326 Regulations

• SUSAN LEVEY
• Director
• Deloitte Touche

5
Background

• On May 9th 2003, the Department of the Treasury
  ("Treasury"), Financial Crimes Enforcement
  Network ("FinCEN"), and the various federal
  functional regulators published in the Federal
  Register four final Bank Secrecy Act ("BSA")
  regulations implementing the customer
  identification provisions of Section 326 of the
  USA PATRIOT Act, 31 U.S.C. 5318(l). 68 Fed.
  Reg. 25,089 25,149.
• Effective Date The regulations are effective 30
  days from the date of publication in the Federal
  Register.
• Compliance Date Financial institutions will
  have until October 1, 2003, to comply with the
  new rules.

6
Background

• Final customer identification regulations issued
  by Treasury for the following financial
  institutions
• Banks, savings associations, federally-insured
  credit unions, and uninsured state-licensed
  credit unions, private banks and trust companies
  that do not have a federal functional regulator
• Securities broker-dealer
• Mutual funds
• Futures commission merchants ("FCMs") and
  introducing brokers ("IBs")
• Treasury to propose separate customer
  identification rules for
• Insurance Companies
• Loan and Finance Companies
• Other non-bank financial institutions (that are
  not regulated by a federal functional regulator)

7
Background

• Section 326 of the USA PATRIOT Act, Customer
  Identification and Verification regulation
  (CIP) require financial institutions to, at a
  minimum, implement reasonable procedures to
• Verify the identity of a person seeking to open
  an account (to the extent reasonable and
  practical)
• Maintain records of information used to verify
  the person's identity, including name, address
  and other identifying information
• Determine whether the person seeking to open an
  account appears on any government lists of known
  or suspected terrorists organizations

8
Background

• One Size Does Not Fit All
• Your CIP Program should be risked-based and
  tailored to your financial institutions
  business. Risk factors that should be considered
  include
• Size of your financial institution
• Location of your customer base
• Customer base (e.g., high risk entities)
• Methods for opening accounts (e.g., on-line
  accounts)
• Types of accounts and types of transactions

9
Background

• Customer Identification Rules vs. Know Your
  Customer Rules
• Section 326 Regulations focus on identification
  of customer
• Identifying a named accountholder
• Ensuring the accountholder is the person
  represented to be
• Information must be obtained prior to opening an
  account
• Compliance with these regulations is not a
  substitute for conducting appropriate risk-based
  due diligence.
• Know Your Customer Rules require ongoing
  responsibility
• To gain an understanding of customer and expected
  activity in account
• To continually monitor activity given the
  financial institutions understanding of expected
  customer behavior

10
Background

• Overview of Comment Letters
• Commenters objected to the requirement that
  financial institutions verify the identity of an
  existing customer seeking to open a new account.
• Result Final rule excludes from the definition
  of customer a person with an existing account
  at a financial institution, provided the
  financial institution has a reasonable belief it
  knows the true identity of the person.
• Commenters concerned about proposed requirements
  that financial institutions verify identity of
  signatories on accounts or persons authorized to
  effect transactions.
• Result Definition of customer no longer
  includes "signatories" to a bank account or
  persons authorized to effect transactions through
  a securities account. A CIP should address
  situations where additional steps will be taken
  to verify the identity of a customer, including
  information about individuals with authority or
  control over the account and signatories.

11
Background

• Overview of Comment Letters, continued
• Commenters suggested clarification to extent to
  which they could rely on a third party,
  especially an affiliate, to perform some or all
  aspects of its CIP.
• Result Provisions have been added to the Final
  Rules, setting forth the circumstances under
  which a financial institution can rely on another
  regulated financial institution, including an
  affiliate, to perform some or all of the
  financial institution's customer identification
  and verification responsibilities.

12
Definitions

• Definition of a Customer
• A person that opens a new account the named
  accountholder
• An individual who opens a new account for
• (1) An individual who lacks legal capacity,
  such as a minor or
• (2) An entity that is not a legal person, such
  as a civic club.
• Exclude accounts with the named customer as the
  following
• A financial institution regulated by a federal
  functional regulator
• Banks regulated by a state bank regulator
• Governmental agencies and domestic operations of
  companies that are publicly traded or
• A person that has an existing account with a
  financial institution, provided that the
  financial institution has a reasonable belief
  that it knows the true identity of the person.

13
Minimum Requirements

• General
• Each financial institution must establish,
  document and maintain a Customer Identification
  Program (CIP).
• CIP must be appropriate for the financial
  institutions size, location, customer base, type
  of business and method of opening accounts.
• CIP must be a part of the financial institutions
  anti-money laundering compliance program.
• Identity Verification Procedures
• At minimum, following information must be
  obtained prior to opening account
• Name
• Date of birth
• Address
• Identification number
• US SS, TIN, or employee identification number
  Non-US TIN, passport number including country of
  origin, alien identification card, or number
  country of issuance of any other government
  issued document evidencing nationality)

14
Minimum Requirements

• Identity Verification Procedures (continued)
• CIP must include risk-based procedures for
  verifying identity of each customer to the extent
  reasonable and practicable
• CIP must include procedures describing when
  financial institution will use documents,
  non-documentary methods, or a combination of both
  methods, to verify identities
• CIP must set forth non-documentary methods
  financial institution will use (if it is relying
  on non-documentary methods)
• CIP must address circumstances in which
  additional verification of customer
  identification is required use a risk-based
  approach
• CIP should contain procedures on when not to open
  account, the terms under which the customer may
  use account while verification is pending, when
  to file a SAR, and when to close an account after
  verification procedures fail.
• (Customer verification should be performed
  within a reasonable time before or after the
  account is opened.)

15
Minimum Requirements

• Recordkeeping Required Records
• CIP must include procedures for making and
  maintaining records related to customer
  verification.
• Record must include
• Identifying information about a customer
• A description of the documents relied on, noting
• Type of document
• Any identification number contained in document
• Place of issuance
• Issuance and expiration dates
• Description of methods and results of any
  measures undertaken to verify identity
• Description of resolution of any substantive
  discrepancy discovered when verifying
  identifying information obtained

16
Minimum Requirements

• Recordkeeping Retention of Records
• Customer identification information must be
  retained for five years after an account is
  closed (or, for credit card accounts, after the
  account becomes dormant)
• Records related to verification of customer
  identification must be retained for five years
  after the record is made.

17
Minimum Requirements

• Comparison with Government Lists
• CIP must include procedures for determining
  whether a customer appears on any list of known
  or suspected terrorists or terrorist
  organizations issued by any Federal government
  agency and designated as such by Treasury.
• Treasury and federal functional regulators have
  not designated a Section 326 list. Law
  enforcement is developing list differing from
  Office of Foreign Assets Control ("OFAC") lists
  (which must be checked without respect to new
  regulations) and Section 314 lists of suspected
  terrorists and money launderers (which financial
  institutions receive periodically and Treasury
  has indicated generally should not be used in
  conjunction with opening account relationships,
  but only to identify accounts or transactions
  with the listed persons in the past).
• Customer Notification
• The CIP must include procedures for providing
  customers with adequate notice that the financial
  institution is requesting information to verify
  their identities.
• Notice may be posted in the financial
  institutions lobby, website, account
  applications, or other form of oral and written
  notice or
• Be given prior to the opening of an account.

18
Minimum Requirements

• Reliance on Other Financial Institutions
• CIP may include procedures for identifying
  circumstances under which a bank, broker-dealer,
  mutual fund, FCM or IB (collectively the
  Financial Entity) will rely on another financial
  institutions performance of CIP
• Reliance must be reasonable
• The other financial institution must be subject
  to Section 352 and
• The other financial institution must enter into a
  contract requiring it to certify annually to the
  Financial Entity that it has implemented an
  anti-money laundering program and will perform
  specified requirements of the Financial Entitys
  CIP.

19
CIP Approval

• Banks
• Treasury regards addition of CIP to banks BSA
  compliance program to be a material change in BSA
  compliance program that requires board approval.
• Broker-Dealers
• Final rule requires a broker-dealers CIP to be
  part of overall AML programs pursuant to NASD
  Rule 3011 and NYSE Rule 445.
• Mutual Funds
• AML programs already required to be approved by
  mutual funds board. As CIP is a part of funds
  AML program, separate approval is not required.
• FCMs and IBs
• Final rule requires CIP to be part of AML
  program required of FCMs and IBs under 31 U.S.C.
  5318(h). NFA Compliance Rule 2-9(c) requires AML
  programs be approved in writing by member of
  FCMs or IBs senior management.
• (A broker-dealer or mutual fund with AML
  program approved as required must obtain approval
  of a new CIP, as it would be a material change to
  the AML program.)

20
Section 326 Requirements Challenges

• VINCENT J. WELTZ
• Vice President AML Officer
• Risk Management Investigations
• Charles Schwab Co.

21
Section 326 Requirements Challenges

• All firms must conduct a re-evaluation of
  processes to ensure specific verification steps
  are documented and followed in practice
• Verification processes must be documented and
  articulated (when, how, why, etc.)
• Documentary verification
• When this process is used
• Recording identification media
• Acceptable identification media
• Acceptable alternatives if required documentation
  is not available
• Non-documentary verification
• When this process is used
• Recording results
• Acceptable feedback from vendors

22
Section 326 Requirements Challenges

• Client denial processes must articulate steps
  to be taken, depending on fact pattern
• Credit risk issues
• Bad credit
• NSF history
• Firms hot file
• Client notification
• Inadequate documents
• No credit history
• (e.g., recently issued SSN)
• No bank or credit references
• Client notification

• Client
• Refusal to provide documents
• Privacy issues
• Deception
• Fraudulent documents/ID theft
• Stolen identification media
• Altered identification media
• Manufactured identification media
• No client notification escalation
• to Risk/AML function

23
Section 326 Requirements Challenges

• Escalation procedures will vary with the specific
  issues in need of resolution
• Evaluation of inadequate documentation
• Lack of history
• Remediation process
• Lack of cooperation vs. intent to deceive
• Unsophisticated client
• Dishonest client escalation to Risk/AML
  function
• Escalation to Risk/AML function
• Evaluation of facts relating to the matter at
  hand
• Investigation steps to be taken to resolve the
  verification conflict
• Documentation of the rationale as to whether or
  not a SAR needs to be filed

24
Key Issues Industry PerspectivesChallenges
for Large Institutions

• JUDITH C. GRUENBAUM
• Interim BSA/AML Compliance Officer
• Bank One Corporation

25
Challenges for Large Institutions

• Who is an existing customer?
• Final regs provided relief from requirement to
  verify existing customers, but only to extent
  that institution has reasonable belief it still
  knows true identify of customer
• Banks struggling with defining reasonable
  belief? There is no regulatory guidance
• Reasonable belief might be
• Customer has been customer for some defined
  period of time
• Account has operated without incident
• Customer information for second account is same
  identifying information for first account

26
Challenges for Large Institutions

• Proving compliance through record keeping and
  retention
• Retention of identifying information for 5 years
  after account is closed is required.
• Retention of verification information is required
  for 5 years after information recorded.
• If documentary verification is to be relied upon,
  and photocopies of IDs not retained, then the
  following information must be retained for each
  document type of document identification
  number date of issuance, place of issuance, and
  expiration date.
• Non-documentary requires description of method
  and results.
• Both types of verification require a record of
  how substantive discrepancies were resolved.

27
Challenges for Large Institutions

• Employee training
• Training regarding technology changes to account
  opening systems.
• General awareness training about the requirements
  of the USA PATRIOT Act
• Procedural training for resolving situations
  where initial attempts to verify customer have
  failed and specific steps that must be taken,
  including possible account closure and recording
  actions taken for record keeping purposes.

28
Challenges for Large Institutions

• Technology implementation by 10/1/03
• Front-end account opening systems will need to be
  modified to comply with capturing of all
  required data elements.
• Foreign ID number and country of issuance, not
  just SSN or TIN
• For applications that only permit a single
  address, that address required is a physical
  address. If mailing address will be different,
  that field will need to be added.
• Store information centrally or on individual
  systems?
• Indicator fields for whether documentary,
  non-documentary verification, no verification
  required, channel opened (e.g., Internet,
  telephone).
• Regs provide flexibility but require institutions
  to make decisions quickly.
• Technology changes take time will you be ready
  by 10/1/03?

29
Other Key Issues for Consideration

• BOB MOLLOY
• Senior Manager
• Deloitte Touche

30
Other Key Issues for Consideration

• Reasonableness standard and risk-based tenet
• Must ensure CIP has minimum standards
• Must create and utilize risk grid
• Must document procedures
• Give Backs are not always as they seem
• BSA needs board approval
• Must capture residential (and mailing) address
• Dont need to retain records you need to create
  record
• Dont need to screen signatories do you?
• Infrastructure changes
• Incorporate risk grid
• Initiate enhanced due diligence
• Document work effort

31
Other Key Issues for Consideration

• Time and resources
• Define regulatory requirements
• Determine how to implement across all business
  sectors
• Identify issues and gaps
• Determine appropriate remedies
• Find and contract vendors
• Build a risk-assessment grid
• Work with IT to implement grid, reroute
  investigative efforts, make changes to
  data-capture screens and capture workflow
• Document all requirements, procedures and
  determinations to your CIP
• Incorporate your CIP in your BSA and get board
  approval
• Craft an employee training program
• Train internal audit or contract for outside
  review

All in just over 4 months!!
32
Quick Poll

33
Poll What is the completion status of your
institution's Se...

• PlaceWare Multiple Choice Poll. Use PlaceWare gt
  Edit Slide Properties... to edit.
• Under 20
• 21-50
• 51-80
• Over 80

34
Poll How will you assess the riskiness of a
customer?

• PlaceWare Multiple Choice Poll. Use PlaceWare gt
  Edit Slide Properties... to edit.
• Automated risk grid/scoring model
• Manual risk checklist
• Combination of the above
• Don't know yet

35
Poll How will you document the customer's
identification?

• PlaceWare Multiple Choice Poll. Use PlaceWare gt
  Edit Slide Properties... to edit.
• Electronically document and capture
• Manually document and capture electronically
  later
• Manually document and store paper documentation
• Don't know yet

36
Poll Will you document verification procedures
the same way...

• PlaceWare Yes/No Poll. Use PlaceWare gt Edit
  Slide Properties... to edit.
• Yes
• No

37
Poll How high a priority is complying with
Section 326 with...

• PlaceWare Multiple Choice Poll. Use PlaceWare gt
  Edit Slide Properties... to edit.
• Very high
• High
• Moderate
• Low
• Very low

38
Poll Which level of effort will your institution
have to un...

• PlaceWare Multiple Choice Poll. Use PlaceWare gt
  Edit Slide Properties... to edit.
• Major effort
• Moderate effort
• Minor effort
• Already in compliance
• Dont know

39
Questions Answers

40
Contacts

• Thomas Rollauer, Partner, Regulatory Services,
  212-436-4802, trollauer_at_deloitte.com
• Susan Levey, Director, Regulatory Services,
  973-683-8418, slevey_at_deloitte.com
• Bob Molloy, Sr. Manager, National 326 Leader,
  404-220-3525, rmolloy_at_deloitte.com
• Judith C. Gruenbaum, Bank One, 614-244-0874,
  judith_c_gruenbaum_at_bankone.com
• Vincent J. Weltz, Charles Schwab, 415-636-3324,
  vincent.weltz_at_schwab.com

41
Get to Know Your Customer

• Complying with New Regulations Under USA PATRIOT
  Act Section 326