Patriot Act compliance for Finance
and Commercial Loan Organizations
Patriot Act Compliance
Charles Klingman, US Treasury Dept. – Present
proposed regulations for Finance and
Commercial Loan Companies
Debra Ponce de Leon, Bank of America Capital –
Provide an overview of how a bank leasing
subsidiary has interpreted and implemented
compliance
Kim Cartwright, Experian – Present compliance
solutions
©Experian 2003. All rights reserved. Confidential and proprietary.
US Treasury Regulations
On October 26, 2001, the President signed into
law the USA PATRIOT Act
Initial compliance required for banks, savings
associations, and credit unions; securities
brokers and dealers; mutual funds; futures
commission merchants and introducing brokers;
and credit unions.
Finance and Loan companies are required to
comply by Summer of 2005
©Experian 2003. All rights reserved. Confidential and proprietary.
Proposed Regulations
US Treasury has discretion to prescribe
minimum standards – Regulatory Authority
Section 326 will mirror the regulations for banks
– US Treasury is committed to a compliance
based on a level playing field
What is definition of a finance and loan
company?
Does a captive finance company fall under the
regs?
©Experian 2003. All rights reserved. Confidential and proprietary.
Regulations 326 and 352 will apply to
Finance and Loan companies
Section 326 directs the Department of the
Treasury and the federal functional regulators to
jointly issue regulations requiring financial
institutions to establish minimum procedures for
the identification and verification of customers
who open new accounts.
Section 352 requires the development of internal
policies, procedures, and controls; the designation of
a compliance officer; an ongoing employee training
program and an independent audit function to test
programs
This presentation will focus on Section 326
©Experian 2003. All rights reserved. Confidential and proprietary.
The Practitioner’s Point of View
Debra Ponce de Leon
©Experian 2003. All rights reserved. Confidential and proprietary.
Customer Disclosure
The Act requires each financial institution to provide
notices to their customers that the financial institution
is requesting information to verify their identities.
This notice must generally describe the identification
requirements of Section 326 and must be delivered
in a manner (written or verbal) reasonably designed
to ensure that customers are able to view the notice,
or are otherwise given notice, before opening an
account.
©Experian 2003. All rights reserved. Confidential and proprietary.
Collecting Information
As part of any CIP, financial institutions must collect, at a
minimum, the following information from customers prior
to opening an account:
•customer’s legal name;
•customer’s address;
•date of birth (for individuals and sole proprietors only);
and
•taxpayer identification number or a social security number
(for a U.S. person or entity, as applicable),
or
•passport number (and country of issuance), taxpayer
identification number, or number (and country of issuance)
from any other government-issued document that shows
nationality and includes a photograph or similar safeguard
(for a non-U.S. person or entity
©Experian 2003. All rights reserved. Confidential and proprietary.
Verifying Identity:
As part of any CIP, financial institutions must verify the
identity of the customer. Verification can be accomplished
using documents, non-documentary methods, or a
combination of both, and must enable financial institutions
to form a reasonable belief that it knows the true identity of
the customer.
The verification procedure must be based on each financial
institution’s assessment of the relevant risks, including
those presented by the various types of accounts
maintained by the financial institution, the various methods
of opening accounts provided by the financial institution,
the various types of identifying information available, and
the financial institution’s size, location, and customer base.
©Experian 2003. All rights reserved. Confidential and proprietary.
Checking terrorist lists:
Financial institutions must determine whether a
customer appears on any list of known or
suspected terrorists or terrorist organizations
issued by a Federal government agency and
designated as such by Treasury and Federal
regulators.
©Experian 2003. All rights reserved. Confidential and proprietary.
Maintaining records:
Institutions must maintain a record of all information obtained under a
CIP.
At a minimum, this record must include the following:
• All identifying information obtained about a customer (i.e., name, DOB,
address, and TIN or other ID number);
• A description of any document relied on in verifying the identity of the
customer, including the type of document, identification number
contained in the document, the place of issuance and, if any, the date of
issuance and expiration date;
• A description of the methods and the results of any non-documentary
or supplemental measures undertaken to verify the identity of the
customer; and
• A description of the resolution of any substantive discrepancy
discovered when verifying the information obtained.
Information must be retained for the duration of the relationship, and for a
period of (a) with respect to the information listed under bullet 1 above,
five (5) years after the account is closed, and (b) with respect to the
information listed under bullets 2-4 above, five (5) years after the record
is made.
©Experian 2003. All rights reserved. Confidential and proprietary.
Reliance on other financial institutions:
The final rule also contains a provision that
permits, under certain limited circumstances, a
financial institution to rely on another regulated
U.S. financial institution to perform any part of
the financial institution’s CIP.
For example, in the securities industry it is
common to have an introducing broker – who has
opened an account for a customer – conduct
securities trades on behalf of the customer
through a clearing broker. Under this regulation,
the introducing broker is required to identify and
verify the identity of their customers and the
clearing broker can rely on that information
without having to conduct a second redundant
verification, provided certain criteria are met.
©Experian 2003. All rights reserved. Confidential and proprietary.
Customer Information Program
Solutions
Kim Cartwright
Experian
©Experian 2003. All rights reserved. Confidential and proprietary.
Experian and the Experian marks herein are service marks or registered trademarks of Experian
Agenda
■
■
■
Review of Patriot Act
How vendor
solutions can help
Questions
©Experian 2003. All rights reserved. Confidential and proprietary.
U.S. Patriot Act
■
Three provisions of Act affect financial
institutions
◆
■
■
■
Found in Title III, the ‘International Money
Laundering Abatement and Anti-terrorist
Financing Act of 2001’
Section 314: Cooperative efforts to deter
money laundering
Section 326: Verification
of identification
Section 352: Anti-moneylaundering programs
©Experian 2003. All rights reserved. Confidential and proprietary.
Section 326
What is it?
■
■
■
■
Who does it apply to?
Requirement for
financial institutions
to establish a Customer
Identification Program
(CIP)
■
■
Document the CIP
Have CIP approved by
board
Incorporate CIP into
BSA program
©Experian 2003. All rights reserved. Confidential and proprietary.
Banks, savings
associations, credit
unions
Securities brokerdealers
■
Investment companies
■
Futures merchants
■
Insurance companies
Customer Identification Program
Establish procedures to
verify identity of persons
seeking to open an account
Determine whether person
appears on any lists of
known or suspected
terrorists issued by
federal government
Develop procedures for
determining when not to
open an account or close an
existing account as a result
of inability to verify identity
Maintain records of
information used to verify
a customer
Use risk-based procedures
for verification
Verify name, address,
taxpayer ID, date of birth
at a minimum
©Experian 2003. All rights reserved. Confidential and proprietary.
Verification
■
Documentary
◆
■
Unexpired government-issued identification
Non-documentary
◆
◆
◆
Encouraged even when documentary
verification is provided
Contact customer after account
is opened
Check references with other
financial institutions
◆
Negative verification
◆
Positive verification
◆
Logical verification
©Experian 2003. All rights reserved. Confidential and proprietary.
Non-documentary solutions logical and positive verification
©Experian 2003. All rights reserved. Confidential and proprietary.
Experian and the Experian marks herein are service marks or registered trademarks of Experian
Verification types
Type
Method
Sources
Negative
Check information
provided for association
with known incidents of
fraudulent behavior
Compare against known
fraud or bad check
databases
Positive
Compare information
provided with a trusted
third party source
Consumer reporting
agency
Logical
Analyze logical
consistency between
information provided
Commercial verification
products
©Experian 2003. All rights reserved. Confidential and proprietary.
Positive and logical verification
Validate customer data against known sources
Verify all identifying
information
■
Name
■
Address
■
SSN/EIN
■
Date of birth
■
Phone number
■
Driver’s license
Features
■
■
■
Address, SSN, EIN,
phone, DL validity
Name/address
verification to other
input elements
High risk address
and phone
■
OFAC screening
■
Verification score
©Experian 2003. All rights reserved. Confidential and proprietary.
Data Elements
Telephone
Telephone data,
data,
area
area code
code files
files
Credit
Credit header
header -includes
includes SSN
SSN
and
and DOB
DOB data
data
Address
Address data
data -standardization,
standardization, residential,
residential,
deliverable
deliverable address,
address,
change
change of
of address
address
verification database
OFAC
OFAC SDN
SDN list
list
Social
Social Security
Security
Administration
Administration
High
High risk
risk
address,
address, phone
phone
Business
Business data
data -address,
address, phone
phone
Driver’s
Driver’s
license
license data
data
©Experian 2003. All rights reserved. Confidential and proprietary.
Validating and verifying information
Element
Validation
Verification
Address
•Deliverable
•Standardized
•Residential or business
•Match to full name/surname
Phone
number
•Area code/format
•Prefix to zip
•Cell phone or pager
• Residential or business
• Match to full name/surname
and/or address
Social
security
number
• Format
• Issued - includes state
and years of issuance
• Deceased
• Match to full name/surname
and/or address
• Based on full SSN or last
four
Drivers
license
•Format correct for
state
•Match to full name/surname
and/or address
Date of birth •Full DOB or year only
• Match to input
• Comparison to SSN (if
provided)
©Experian 2003. All rights reserved. Confidential and proprietary.
Government list comparison
■
■
Reasonable procedure to
determine whether customer
appears on any list of known or
suspected terrorists or terrorist
organizations
Applies only to lists circulated by
federal government
◆
◆
OFAC specially designated
nationals
Bureau of Industry and
Security’s Denied Persons
©Experian 2003. All rights reserved. Confidential and proprietary.
Selecting a solution
Factors to consider
■
Data quality
■
Functionality
■
Where does solution apply
■
Cost
■
■
Applicability across
organization
Ease of implementation
©Experian 2003. All rights reserved. Confidential and proprietary.
Questions
©Experian 2003. All rights reserved. Confidential and proprietary.
Experian and the Experian marks herein are service marks or registered trademarks of Experian