Financial Institution Customer Identification Programs Mandated by the USA PATRIOT Act

CRS Report for Congress
Financial Institution Customer Identification
Programs Mandated by the USA PATRIOT Act
M. Maureen Murphy
Legislative Attorney
American Law Division
Under the USA PATRIOT Act, P.L. 107-56, section 326, 31 U.S.C. § 5318(l), the
Secretary of the Treasury has prescribed minimum standards for banks, savings
associations, credit unions, and securities firms to establish Customer Identification
Programs (CIPs). To open a new account, U.S. individuals must provide a social
security number and non-U.S. persons, a government issued identification with a
photograph. The required information must be verified either by documents, such as
driver’s licenses, or by non-documentary means, such as inquiring with a credit
reporting agency. The institutions are to cross-check names of new account holders
against lists of terrorists and suspected terrorists that the federal government will
provide. The regulations permit financial institutions to rely on photograph-bearing-
foreign-government-issued documents, such as the matricula consular, issued by the
Mexican government, to identify new account-holders. Acceptance of the matricula
consular, issued by the Mexican government, would be authorized under H.R. 773 and
precluded by H.R. 3674. The 9/11 Commission Report included some information
about the use of bank accounts by terrorists and raised questions about further sharing
of information among government agencies, and the use of biometric identifiers for
foreign travelers, that may eventually have an impact on the CIP program. This report
will be updated as legislative developments warrant. Related CRS reports include CRS
Report RL32094, Consular Identification Cards: Domestic and Foreign Policy
Implications, the Mexican Case, and Related Legislation; CRS Report RS21627,
Implication of the Vienna Convention on Consular Relations Upon the Regulation of
Consular Identification Cards; CRS Report RL31377, The USA PATRIOT ACT: A
Legal Analysis; CRS Report RL31208, The International Money Laundering Abatement
and Anti-Terrorist Financing Act of 2001, Title III of P.L. 107-56 (USA PATRIOT Act);
and CRS Report RS21032, Money Laundering: Current Law and Proposals.
Customer Identification Programs (CIPs). On May 9, 2003, 68 Fed. Reg.

25090, Treasury’s Financial Crimes Enforcement Network, (FinCEN), together with

Congressional Research Service ˜ The Library of Congress

federal banking1 and securities2 industry regulators, issued customer identification rules
under section 326 of the USA PATRIOT Act, 31 U.S.C. § 5318(l). Section 326 of the
USA PATRIOT Act requires that these regulations prescribe minimum procedures for
financial institutions to use and their customers, after reasonable notice, to comply with,
to verify the identity of new account holders “to the extent reasonable and practicable.”
It also requires financial institutions to maintain records thereof; and, to consult “lists of
known or suspected terrorists or terrorist organizations provided to the financial
institution by any government agency to determine whether a person seeking to open an
account appears on any such list.” 31 U.S.C. §§ 5318(l)(2).
The law further provides that the federal regulators may exempt any financial
institution or type of account from the requirements under section 326 in accordance with
standards and procedures prescribed by the Secretary.
The rules issued on May 9, 2003, apply to certain financial institutions covered by
the anti-money laundering laws.3 They apply to banks, credit unions, savings
associations, broker-dealers, mutual funds, futures commission merchants and introducing
brokers, and certain non-federally regulated banking organizations. They require them
to institute, as part of their anti-money laundering or Bank Secrecy Act (BSA)4 programs,
customer identification programs (CIPs) to verify the identity of customers opening
accounts and cross check the information with government lists of terrorists and terrorist
FinCEN has proposed or issued rules requiring the establishment of anti-money
laundering programs by: persons involved in real estate closings and settlements, 68 Fed.
Reg. 17569 (April10, 2003); dealers in precious metals, stones, or jewels, 68 Fed. Reg.

8481 (February 21, 2003); travel agencies, 68 Fed. Reg. 8571 (February 24, 2003);

businesses engaged in vehicle sales, 68 Fed. Reg. 8568 (February 24, 2003); insurance
companies, 67 Fed. Reg. 60625 (September 26, 2002); unregistered investment
companies, 67 Fed. Reg. 60617 (September 26, 2002); and money services businesses,

67 Fed. Reg. 21114 (April 29, 2002); and operators of credit card systems, 67 Fed. Reg.

21121 (April 29, 2002). At this time, none of these require CIPs. Should CIPs be required
of them, regulations will be issued by FinCEN. All of FinCEN’s regulations and
issuances may be consulted at its website, [

1 Office of the Comptroller of the Currency (12 C.F.R. Part 21); Federal Reserve System (12
C.F.R. Parts 208 and 21); Federal Deposit Insurance Corporation (12 C.F.R. Part 326); Office
of Thrift Supervision (12 C.F.R. Part 563); and National Credit Union Administration (12 C.F.R.
Part 748).
2 On May 9, 2003, jointly with FinCEN, the Securities and Exchange Commission issued rules
requiring customer identification programs for broker-dealers, 68 Fed. Reg.25113, for mutual
funds, 58 Fed.Reg. 25113. Also on May 9, 2003, jointly with FinCEN, the Commodity Futures
Trading Commission issued rules for futures commission merchants and introducing brokers, 68
Fed. Reg. 25149.
3 “Financial institution” is defined to include casinos, card clubs, and telegraph companies. 31
C.F.R. § 103.11(n).
4 12 U.S.C. §§ 1829b and 1951 - 1959, and 31 U.S.C. §§ 5311 - 5322.

Verification of Identity of Customers Opening Accounts. The section 326
rules require each covered financial institution, by October 1, 2003, to implement a
Customer Identification Program (CIP) to verify the identity of individuals and other
legal persons, such as corporations, partnerships, trusts, associations, and foreign
governments, that establish a formal banking relationship or open a new account. After
October 1, 2003, anyone opening a new deposit account, establishing a new line of credit
or loan, contracting for a safety deposit box or for asset, cash, or trust management
services will be required to provide certain means of identification. The institution will
also have to outline a means of verifying the information. It must also specify procedures
for refusing to open an account, limiting account operations while verification of identity
is undertaken, closing an account when identity cannot be reasonably verified, and filing
reports of suspicious activity.5 The verification procedures do not apply to non-customers
who cash checks or purchase money orders, checks, or wire transfers. Nor do they apply
to existing customers who open new accounts or loans, provided the institution has a
reasonable belief that it knows the customer’s true identity. To verify the identity of new
customers, an institution must obtain certain information:
Minimum Requirements for CIP for Verifying Identity
Individuals–U.S. PersonsName, date of birth, residential or business
street address, and taxpayer identification
Individuals–Non-U.S. PersonsName, date of birth, residential or business
street address, and one or more of the
following: taxpayer identification number,
passport number and country of issuance;
alien identification card number, or number
and country of issuance of any other
government-issued document evidencing
nationality or residence and bearing a
photograph or other safeguard.
Persons other than IndividualsPrincipal place of business, local office, or
(Corporations, Trusts, Partnership,other physical location, and taxpayer
Associations, etc.)identification number (if U.S. person). For
non-U.S. person having no tax payer
identification number, bank must request
alternative government-issued
documentation certifying the existence of
the business enterprise.
There are specifications allowing for some circumstances in which one or more of
these requirements is not possible. For instance, military personnel may use military post
office boxes in lieu of a street address; persons who have applied for taxpayer
identification numbers may present evidence of the application. Trusted third party
sources, such as consumer reporting agencies, may be used to obtain information

5 31 C.F.R. § 103.21. The authority to require suspicious activity reports derives from 31 U.S.C.
§ 5314(h), authorizing the Secretary of the Treasury to require financial institutions to report
suspicious transactions, originally enacted as section 1518 of the Housing and Community
Development Act of 1992, P.L. 102-550, 106 Stat. 3672, 4059.

necessary for opening credit card accounts, thus, permitting continuance of the current
practice of doing this by telephone or at the point of sale. The comments accompanying
the promulgation of the regulations specifically noted that although date of birth and
taxpayer identification number (i.e., social security number–for U.S. individuals) are
required before any account is opened, for credit card accounts, it is not necessary for the
customer to provide them directly. In that situation, they may be obtained from trusted
third parties, such as consumer reporting agencies.6 In all circumstances, however, the
institution’s program must set forth procedures for verifying the identification, either
through examination of such documents as passports or driver’s licenses or certified
articles of incorporation, or by non-documentary means.7 Non-documentary means could
include contacting a customer, comparing information with information obtained from a
consumer reporting agency, or checking references. CIPs must also include procedures
to deal with situations in which the customer cannot produce the required documentary
evidence and must specify when the bank should not open an account or terms under
which a customer may have an account pending verification of identity.
In opening an account for an entity such as a corporation, association, or partnership,
a financial institution is not required to obtain identifying information for every person
having signature authority or control over such an account, but it must have procedures
for assessing the risks involved and obtaining the needed information in view of the
associated risks. Under the program, the institutions are not required to keep copies of
the documents accepted for verifying identity. They must retain a record of the
information obtained and a description of the documents and methods used to identify the
customer and retain them for five years beyond the closing of the account.
Cross-Checking Names of New Account Holders with Terrorist Lists.
The regulation also specifies that the customer identification program must include
procedures for determining whether the customer appears on lists of known or suspected
terrorists or terrorist organizations issued by any federal agency within a reasonable time.
In issuing the rules, the agencies noted that although no such lists have yet been
circulated, banks and other regulated financial institutions have long been obliged to
comply with sanctions against designated foreign countries, foreign nationals, and foreign
terrorists under various laws and regulations administered by Treasury’s of Office Foreign
Assets Control, 31 C.F.R., Part 500,8 that prohibit certain financial transactions and
include lists that must be cross-checked. Banks must have procedures in place to identify
and block transactions with OFAC’s periodically updated list of Specially Designated9
Nationalists and Blocked Persons under regulations specifying Special Information
Sharing Procedures to Deter Money Laundering and Terrorism, 31 C.F.R. Part 100,10
issued on September 25, 2002, and, under section 314(a) of the USA PATRIOT Act, 31
U.S.C. § 5311. Note, moreover, banking institutions are required to search for names on

6 An account may also be opened for a customer, individual or entity, that produces evidence of
having applied for a tax payer identification or an employer identification number.
7 The required information must be verified either by documents, such as driver’s licenses, or
by non-documentary means, such as inquiring with a credit reporting agency
8 See OFAC’s summary: [].
9 [].
10 67 Fed. Reg. 60519.

lists of possible terrorists and money launderers issued by FinCEN. If there is a match
with a name in the bank’s files, FinCEN is to be informed of the fact and provided with
the name of a contact person at the bank.
Cost of Compliance. In analyzing the cost of instituting CIPs under section 326,
the federal agencies determined that the effect of this regulatory regime would not add a
significant burden to the covered institutions, including the small banks. In reaching this
conclusion, the agencies considered the fact that other requirements of the anti-money
laundering laws and regulations have, along with prudent risk avoidance practices, already
motivated the institutions to install programs to identify customers. The financial
services industry may have another view of the accumulated cost of complying with the
CIP requirement and other requirements of the array of federal regulations promulgated
under the anti-money laundering laws and the USA PATRIOT Act. On June 9, 2003, for
example, the American Bankers Association issued the results of its survey of banking
companies with respect to cost and attitude toward complying with various federal
regulations. The survey is titled, The Nationwide Bank Compliance Officer Survey. Top
costs in the compliance area are assigned to complying with Bank Secrecy Act, anti-
money laundering and OFAC regulations.
Treasury’s Request for Comments on Retaining Photocopies of
Documents Verifying Identity of Foreign Nationals. On September 17, 2003,11
the Treasury Department announced that institutions must have customer identification
programs in place as originally scheduled in the final regulations; no changes were
required by the results of its July 1, 2003, request for comments on: (1) whether the
institutions should retain photocopies of the documents used to verify identity and (2)
whether there are circumstances under which the regulations should preclude reliance on
certain forms of foreign government-issued identification documents. Essentially, this
request for comments revived issues that were presumed settled when the final rules were
issued on May 9, 2003. As originally proposed, the regulations would have required
institutions to keep copies of documents used to verify identity. This requirement was
eliminated because of the number of comments calling it “overly burdensome.” 68 Fed.
Reg. 25090, 25101. The July 1, 2003, notice sought information on whether photocopying
documents is necessary in all cases or some and whether there should be regulations
regarding risk factors indicating the necessity of retaining photocopies. It also specifically
sought input from law enforcement, as well as the financial services industry. This may
indicate a heightened awareness of the potential importance of copies of identifying
photographs of new customers to law enforcement investigators. 68 Fed. Reg. 39039.
The issue of what documentation is to be required of non-U.S. persons was also
considered earlier. In its report to Congress on customer identification requirements for
foreign nationals, [],
as required under section 326(b) of the USA PATRIOT Act, 115 Stat. 272, 315, Treasury
recommended, that, because of the lack of a single, reliable system for verifying the
identity of foreign nationals opening accounts, financial institutions be given flexibility
in choosing reasonable means of verifying identity. This would mean that they be
required to make reasonable efforts to verify identity but be permitted to rely on existing
information and documents, including the matricula consular. The matricula consular

11 68 Fed. Reg. 55335 (September 25, 2003).

is a card, carrying an identifying photograph, issued to Mexican nationals by Mexican
consulate offices in the United States and used to open bank and credit union accounts
with U.S. financial institutions. Essentially, the approach taken in the final regulations,
issued on May 9, 2003, follows the recommendations of the earlier report to Congress.
On May 23, 2003, the House Judiciary’s Subcommittee on Immigration, Border
Security, and Claims held hearings on “the Issuance, Acceptance, and Reliability of
Consular Identifying Cards,” []. House
Judiciary Committee Chairman Sensenbrenner, directed letters to the Departments of the
Treasury, Homeland Security, and Justice, objecting to the elimination of the requirement
for maintaining copies of verification documents and to the authorization of matricula
consular to verify identity.12 The letter informed the agencies that Committee staff were
conducting an investigation of the use of documents such as the matricula consular and
asked that implementation of the regulations be delayed for six months.
The 9/11 Commission Report. Although 9/11 Commission Report made no
direct reference to the CIP program, some of its findings and recommendations may
eventually require reassessing the CIP regulations. The Commission noted that hijackers
used U.S. banks extensively. They opened accounts in their own names and gave bank
employees, some of whom filled in the Social Security number slot with a visa number13
or date of birth, no cause to file suspicious activity reports.
Legislation. H.J.Res. 58, disapproves of the customer identification rules issued
under section 326(a) of the USA PATRIOT Act; H.R. 773 amends section 326(a) to
authorize financial institutions to accept the matricula consular, issued by the Mexican
government, as a valid form of identification; and H.R. 3674 prohibits financial
institutions from using any form of identification issued by a foreign government other
than a passport to verify the identity of a person opening an account. By roll call vote no.
452, on September 14, 2004, the House approved an Oxley, Frank, Kolbe amendment to
H.R. 5025, the FY2005 Transportation/Treasury appropriations bill, to remove a provision
that would have prohibited the Department of the Treasury from using funds to enforce
the regulatory provisions that permit the use of the matricula consular as identification.
H.R. 10, H.R. 4104, H.R. 5024, H.R. 5040, S. 2774, and S. 2811, which are among
the bills introduced since the 9/11 Commission Report, address certain matters
recommended by the Commission14 that may have an impact on the CIP program. Each
of these bills covers at least one of the following: biometric screening of international
travelers; federal standards for identification documents, such as birth certificates and
driver’s licenses; and, Presidentially determined guidelines for information sharing
among government agencies and by the agencies with the private sector.

12 Richard Crowden, “Banking Groups Object to Treasury Inquiry into Possible Changes in
Customer ID Rules,” 127 Daily Report for Executives A-23 (July 2, 2003).
13 Final Report of the National Commission on Terrorist Attacks on the United States (Official
Government Edition 237, 528, n. 116 (2004)). []
14 Id., at 387-394.