Opening Deposit Accounts Online
Supplement
2016
Presented by:
Gettechnical, Inc.
Phone: (800) 354-3051
The material used in this text has been drawn from sources believed to be reliable. Every effort has been made to assure the accuracy of the material; however, the accuracy of this information is not guaranteed. The laws are often changed without prior notice from the government. OPENING DEPOSIT ACCOUNTS ONLINE 2016 manual is sold with the understanding that the publisher and the editor are not engaging in the practice of law or accounting. We are not responsible for the actions of your company's employees.
The text is designed to address most deposit account documentation issues. However, you will wish to consult your attorney when you are unsure of an answer.
Published by:
gettechnical inc
800 E Morris Hill Rd
Covington VA 24426
Office: 1-800-354-3051
E-mail: [email protected] Website: www.gettechnicalinc.com
All rights reserved. This material may not be reproduced in whole or in part in any form or by any means without written permission from the publisher.
Printed in the United States of America.
OPENING DEPOSIT ACCOUNTS ONLINE 2016 © gettechnical inc, www.gettechnicalinc.com
INSTRUCTOR
Deborah Crawford is the President of gettechnical inc, a Virginia-based firm, specializing in the education of banks and credit unions across the nation. Her 27+ years of banking and teaching experience began at Hibernia National Bank in New Orleans. She graduated from Louisiana State University with both her bachelor's and master’s degrees. Deborah's specialty is in the deposit side of the financial institution where she teaches seminars on regulations, documentation, insurance and Individual Retirement Accounts. [email protected] (e-mail)
www.gettechnicalinc.com (website)
TABLE OF CONTENTS

UNIT #1 CIP AND CDD COMPONENTS ... 8
CUSTOMER IDENTIFICATION PROGRAM (CIP): BSA REQUIREMENTS ... 9
CIP COMPLIANCE THE BIG PICTURE ... 10
IS IT AN ACCOUNT OR CUSTOMER AS DEFINED IN CIP? ... 11
ACCOUNT ... 12
CUSTOMER ... 13
THE INFORMATION ... 14
INFORMATION REQUIRED BY CIP ... 15
WORKSHEET ON INFORMATION ... 17
DOCUMENTARY AND NONDOCUMENTARY VERIFICATION ... 19
THE DOCUMENTS ... 21
EXPANDED IDENTIFICATION FOR NONRESIDENT ALIENS (NRA) ... 23
WORKSHEET ON DOCUMENTS ... 25
WORKSHEET ON DOCUMENTS FOR BUSINESS AND ENTITY ACCOUNTS ... 26
NONDOCUMENTARY VERIFICATION ... 31
LACK OF VERIFICATION—CIP PROCEDURES ... 33
CLOSING AN ACCOUNT: SOME SUGGESTIONS ... 34
CUSTOMER NOTICE FOR CIP ... 37
BSA EXAM ISSUES ON CUSTOMER DUE DILIGENCE ... 38
SAMPLE BUSINESS CUSTOMER PROFILE WORKSHEETS ... 41
EXAMPLES OF HIGH RISK CUSTOMERS FROM BSA EXAM MANUAL: YOU WILL NEED ENHANCED DUE DILIGENCE QUESTIONS FOR THIS GROUP ... 42
EXAMPLE: NONRESIDENT ALIENS ENHANCED DUE DILIGENCE ... 43
BSA EXAM MANUAL: EXPANDED EXAMINATION OVERVIEW AND PROCEDURES FOR PERSONS AND ENTITIES – NONRESIDENT ALIENS AND FOREIGN INDIVIDUALS OVERVIEW ... 44
SAMPLE PERSONAL CUSTOMER IDENTIFICATION WORKSHEET ... 46
SAMPLE OF ENHANCED DUE DILIGENCE FOR HIGH RISK CUSTOMER: MONEY SERVICE BUSINESS QUESTIONNAIRE ... 48
OVERVIEW: PUTTING IT ALL TOGETHER ... 49
WORKSHEET ON PERSONAL ACCOUNTS ... 50
WORKSHEET BUSINESS ACCOUNTS ... 55
GUIDELINES ON IDENTITY THEFT DETECTION, PREVENTION, AND MITIGATION ... 59
WORKSHEET FOR IDENTITY THEFT PREVENTION PROGRAM ... 62
EXAMPLES OF RED FLAGS ... 64

UNIT #2 SIGNATURE CARDS, FEDERAL REGULATIONS AND W-9 ISSUES ... 67
SIGNATURE CARDS: OVERVIEW ... 68
SIGNATURE CARDS: FLOW CHART #1 ... 69
SIGNATURE CARDS: FLOW CHART #2 ... 70
FEDERAL REGULATIONS ... 71
NOTES OVERVIEW: SSN, EIN OR ITIN ... 72
OVERVIEW: TAXPAYER IDENTIFICATION NUMBERS ... 73
FLOWCHART: REGULAR OWNERSHIP ... 77
FLOWCHART: FIDUCIARY ... 78
FIDUCIARY ACCOUNTS ... 79
CONTRACT AND DISCLOSURE CHECKLIST ... 80

UNIT #3 PRODUCTS AND FUNDING THE ACCOUNT ... 82
PRODUCTS ... 83
FUNDING THE ACCOUNT ... 84

UNIT #4 RISK ... 85
BSA/AML PROGRAM ... 86
AFTER GATHERING THE INFORMATION, ASSIGN RISK ... 88
HIGH INTENSITY DRUG TRAFFICKING AREAS ... 89
PUBLICATION 519 ... 91

UNIT #5 OTHER COMPLIANCE ISSUES ... 92
THE UNIFORM ELECTRONIC TRANSACTIONS ACT (UETA) ... 93
THE ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE ACT (E-SIGN ACT) ... 96
AUTHENTICATION IN AN INTERNET BANKING ENVIRONMENT ... 101
OVERVIEW OPENING ACCOUNTS ONLINE
Why open accounts online?
It is the future. Most large financial institutions allow customers to open accounts online and make it very easy for the public. Many Americans now do all their shopping and banking without ever entering a branch, so it is important to find a way to serve the internet market.
To open bank accounts online you will have to think through the various compliance issues and hire a good web design company to help you build the system.
Unit #1 CIP and CDD
Unit #2 Signature Cards, Federal Regulations, and W-9 Issues
Unit #3 Products and Funding
Unit #4 Risk
Unit #5 Other Regulatory Issues
Many online systems have some kind of introductory page. These vary in order and in conversational style, but eventually the same units as above have to be completed. It is standard practice, though not a compliance requirement, to tell the customer what steps they will walk through. Many online financial institutions do not open retirement, business or nonresident alien accounts online; these are decisions you make before you begin. One CIP requirement is the customer notice explaining that the bank must collect identifying information because of the USA PATRIOT Act. Online systems frequently put it on the opening page or on the signature card contract. It fits nicely at the beginning, where we explain what we will need and why.
SIGN ME UP!
OPEN A BANK ACCOUNT TODAY!
ETC.
These are the steps that must be completed to open your online bank account:
1. Tell us about yourself
2. Confirm your identity
3. Complete the contract
4. Customize and fund your account
Stop application / Continue
IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT
To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account.
What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.
Unit #1 CIP and CDD COMPONENTS
CUSTOMER IDENTIFICATION PROGRAM (CIP): BSA REQUIREMENTS
1. Overview
These regulations were added to the Bank Secrecy Act (by Section 326 of the USA PATRIOT Act) to deter terrorism and money laundering. They require all financial institutions to implement a Customer Identification Program: identify the customer once, at the beginning of the relationship.
2. Purpose
The regulations must contain certain requirements. At a minimum the regulations must require financial institutions to implement reasonable procedures for
Verifying the identity of any person who opens an account to the extent reasonable and practicable;
Maintaining records of the information used to verify the person’s identity, including name, address, and other identifying information; and
Determining whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency.
CIP COMPLIANCE THE BIG PICTURE
Information required (prior to opening an account)
+ Verification through documents (reasonable time after opening the account*)
+ Nondocumentary verification (reasonable time after opening the account*)
+ Section 326 government list check
+ Recordkeeping
+ Customer notice
= CIP COMPLIANCE

*Some banks require documentary and nondocumentary verification before the account is opened. You must follow your own CIP.
IS IT AN ACCOUNT OR CUSTOMER AS DEFINED IN CIP?
CIP DEFINITIONS
ACCOUNT
Is it a deposit account or a safekeeping account where the customer signed a contract? Make sure you count certificates of deposit.
CUSTOMER
Does this customer have an existing account with the bank? If no, the customer needs CIP. If yes, you still have to do customer due diligence.
If it is an existing customer, we have much less work to do and much less risk for CIP purposes.
ACCOUNT
1. Account
“Account means a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including a deposit account, a transaction or asset account, a credit account, or other extension of credit. Account also includes a relationship established to provide a safety deposit box or other safekeeping services, or cash management, custodian, and trust services.”
“Account does not include:
a. A product or service where a formal banking relationship is not established with a person, such as check-cashing, wire transfer, or sale of a check or money order;
b. An account that the bank acquires through an acquisition, merger, purchase of assets, or assumption of liabilities; or
c. An account opened for the purpose of participating in an employee benefit plan established under the Employee Retirement Income Security Act of 1974.”
Key points:
“Business relationship” was deleted from the final definition to exclude the bank’s own business dealings in the operation of the bank.
The new revised definition now has a list of what is included. The new definition also has a list of what is excluded such as sales of money orders, wires, etc. These already have recordkeeping requirements.
Also, the new definition excludes any accounts acquired through merger, acquisition, purchase of assets, or assumption of liabilities from any third party. These transfers are not initiated by the customer and therefore do not constitute an account.
The new definition excluded accounts of employee benefit plans since these come generally from payroll deductions and are not high risk for money laundering and terrorism.
CUSTOMER
“Customer means:
i) A person that opens a new account; and
ii) An individual who opens a new account for:
a. An individual who lacks legal capacity, such as a minor; or
b. An entity that is not a legal person, such as a civic club.”
“Customer does not include:
i) A financial institution regulated by a Federal functional regulator or a bank regulated by a state bank regulator;
ii) A person described in 31 CFR X (these are the Phase I exemptions); or
iii) A person that has an existing account with the bank, provided that the bank has a reasonable belief that it knows the true identity of the person.” (To do this you had to grandfather existing customers as of 10-1-2003 in your policy.)
Verification of identification is not required for existing customers of a bank if the bank has a reasonable belief that it knows the identity of the customer.
The definition of customer excludes the Phase I exempt persons: government entities, businesses traded on the stock exchanges and their subsidiaries, and financial institutions.
The definition “a person that opens a new account” does not require the bank to look through trust, escrow, or similar accounts to verify the identities of beneficiaries; it only requires the bank to identify the named accountholder.
In the case of brokered deposits, the “customer” is the broker that opens the deposit account.
The final rule provides that “customer” means “an individual who opens a new account for (1) an individual who lacks legal capacity, such as a minor; or (2) an entity that is not a legal person, such as a civic club.”
The final rule did not treat signatories as customers, but it stated that, based on a risk assessment of a new account, a bank may need to take additional steps to verify the identity of the customer by seeking information about individuals with ownership or control over the account. Your CIP will have to address the situations in which you take those additional steps.
CIP has many exemptions for businesses, but they apply only to the exempt entities' domestic operations.
THE INFORMATION

Information Required
Name (as it appears on primary identification)
Date of birth, if an individual
Identification number (U.S. person versus non-U.S. person*)
Residential or business address of customer

*To open an account for a nonresident alien, CIP allows an ITIN, passport number or other such number. The W-8BEN instructions require an ITIN on an interest-bearing account.
INFORMATION REQUIRED BY CIP
(i) Customer information required.
(A) In general. The CIP must contain procedures for opening an account that specify the identifying information that will be obtained from each customer. Except as permitted by paragraphs (b) (2) (i) (B) and (C) of this section, the bank must obtain, at a minimum, the following information from the customer prior to opening an account:
(1) Name;
(2) Date of birth, for an individual;
(3) Address, which shall be:
(i) For an individual, a residential or business street address;
(ii) For an individual who does not have a residential or business street address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another contact individual; or
(iii) For a person other than an individual (such as a corporation, partnership, or trust), a principal place of business, local office, or other physical location; and
(4) Identification number, which shall be:
(i) For a U.S. person, a taxpayer identification number; or
(ii) For a non-U.S. person, one or more of the following: a taxpayer identification number; passport number and country of issuance; alien identification card number; or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.
Note to paragraph (b) (2) (i) (A) (4) (ii): When opening an account for a foreign business or enterprise that does not have an identification number, the bank must request alternative government-issued documentation certifying the existence of the business or enterprise.
(B) Exception for persons applying for a taxpayer identification number. Instead of obtaining a taxpayer identification number from a customer prior to opening the account, the CIP may include procedures for opening an account for a customer that has applied for, but has not received, a taxpayer identification number. In that case, the CIP must include procedures to confirm that the application was filed before the customer opens the account and to obtain the taxpayer identification number within a reasonable period of time after the account is opened.
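The rule quoted above branches on whether the customer is an individual or an entity, a U.S. or non-U.S. person, and whether a TIN has been applied for but not yet issued. An online account-opening screen has to encode those branches somewhere, so here is an added example (written for this page, not code from the manual or from any bank's system) that checks a submitted application against the minimum items in paragraph (b)(2)(i)(A) and separates "must have before opening" from "may follow within a reasonable time" under paragraph (B). The CipRecord layout, its field names, and the nine-digit TIN-shape rule (with a leading 9 read as an ITIN, the manual's own rule of thumb) are this example's assumptions.

```python
# Added example, not part of the gettechnical manual: a validator for the
# minimum identifying information that 31 CFR 1020.220(b)(2)(i), quoted
# above, requires a CIP to collect before an account is opened. The record
# layout, field names and the TIN-shape rule are assumptions made for this
# example; a real system validates against its own written CIP.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class CipRecord:
    name: str
    is_individual: bool               # False for a corporation, partnership, trust
    us_person: bool
    date_of_birth: Optional[str] = None           # individuals only
    street_address: Optional[str] = None          # (A)(3)(i) residential or business
    apo_fpo_box: Optional[str] = None             # (A)(3)(ii) no street address
    contact_street_address: Optional[str] = None  # (A)(3)(ii) next of kin / contact
    business_location: Optional[str] = None       # (A)(3)(iii) entities
    tin: Optional[str] = None                     # SSN, ITIN or EIN
    tin_applied_for: bool = False                 # paragraph (B) exception
    passport_number: Optional[str] = None
    passport_country: Optional[str] = None
    alien_id_number: Optional[str] = None
    other_doc_number: Optional[str] = None        # other government photo document
    other_doc_country: Optional[str] = None


def tin_kind(tin: Optional[str]) -> Optional[str]:
    """Classify a TIN by shape. Assumption for this example: a U.S.-issued
    nine-digit number with optional dashes; a number starting with 9 is
    treated as an ITIN (the manual's rule of thumb), anything else as an SSN
    or EIN. Returns None when the value is missing or malformed."""
    if tin is None:
        return None
    digits = re.sub(r"\D", "", tin)
    if not re.fullmatch(r"\d{9}", digits):
        return None
    return "ITIN" if digits[0] == "9" else "SSN/EIN"


def cip_gaps(c: CipRecord) -> Tuple[List[str], List[str]]:
    """Return (blocking, follow_up). Blocking items must be collected before
    the account is opened. Follow-up items are permitted by the paragraph (B)
    exception but must be obtained within a reasonable time after opening."""
    blocking: List[str] = []
    follow_up: List[str] = []

    if not c.name.strip():
        blocking.append("name")
    if c.is_individual and not c.date_of_birth:
        blocking.append("date of birth")

    if c.is_individual:
        # (A)(3)(i)/(ii): street address, or APO/FPO box, or a contact's address
        if not (c.street_address or c.apo_fpo_box or c.contact_street_address):
            blocking.append("address (street address, APO/FPO box, "
                            "or a contact's street address)")
    elif not c.business_location:
        # (A)(3)(iii): an entity needs a physical location, not a mailbox
        blocking.append("address (principal place of business, local office "
                        "or other physical location)")

    if c.us_person:
        # (A)(4)(i): a U.S. person must supply a taxpayer identification number.
        if tin_kind(c.tin) is None:
            if c.tin is None and c.tin_applied_for:
                follow_up.append("TIN (confirm application was filed; obtain "
                                 "number within a reasonable time)")
            else:
                blocking.append("taxpayer identification number")
    else:
        # (A)(4)(ii): any one of these satisfies the identification-number rule.
        alternatives = (
            tin_kind(c.tin) is not None,
            bool(c.passport_number and c.passport_country),
            bool(c.alien_id_number),
            bool(c.other_doc_number and c.other_doc_country),
        )
        if not any(alternatives):
            blocking.append("identification number for non-U.S. person (TIN, "
                            "passport number and country, alien ID card number, "
                            "or other government photo document number and country)")

    return blocking, follow_up
```

A screen that calls cip_gaps() before the "Continue" button can refuse to proceed while the blocking list is non-empty and create a follow-up task for anything in the second list; note that a supplied but malformed TIN is treated as blocking even when the applicant also claims to have applied for one, since the bank cannot confirm an application on the strength of a number that does not parse.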
Here is what you will need to open an account online today:
Have the following ready for each person to be listed on the account:
Social Security Number (You will have to decide whether to open nonresident alien accounts online. You could refer the customer to an 800 number or to a local branch.)
Driver’s license or state-issued identification
E-mail address (You can send disclosures electronically or mail a package to the customer afterwards for signature and return.)
Your bank account and routing numbers
Home address (physical address)
Birth date
If a nonresident alien, a Green Card or complete passport and, on interest-bearing accounts, an ITIN (if you decide to bank nonresident aliens online despite their high-risk status)
After completing the application we will mail you a packet containing the account acceptance form and other important information concerning your account. You should receive this within 10 business days. You will need to sign the forms and return them to us in the postage-paid envelope.
Are you an existing customer of ABC Bank? (Remember: there is much less to do for an existing customer.)
Yes / No
Don’t forget your FDIC logo!
Continue / Cancel
WORKSHEET ON INFORMATION
CIP PROFILE PERSONAL ACCOUNTS
COMPLETE CIP PROFILE FOR EACH OWNER OR FIDUCIARY ON ACCOUNT (SOME BANKS MAY REQUIRE ONE ON EVERY SIGNER)
CUSTOMER NAME (AS IT APPEARS ON PRIMARY IDENTIFICATION)
PHYSICAL ADDRESS
DATE OF BIRTH
SSN OR ITIN (IF NO SSN OR ITIN, PASSPORT NUMBER OR OTHER IDENTIFICATION NUMBER)
Some points to remember:
You will need this information on every owner of the account.
If you are going to allow agents or authorized signers, you will need to check state law issues. Some banks require CIP on signatories too; if that is your policy, you will need to identify signatories. Because of the higher risk of online bank accounts, you may wish to have information on every person who touches the account. These are risk-based decisions made individually by your financial institution.
You can also ask for a mailing address if it differs from the physical address. Some people still like mail to go to a P.O. Box for many reasons.
If you plan to send electronic disclosures and confirmation you may ask for an email address.
CIP PROFILE BUSINESS ACCOUNTS
COMPLETE CIP PROFILE
IF YOUR BANK REQUIRES INFORMATION ON ALL SIGNERS, THEN USE THE PERSONAL SHEET ABOVE
BUSINESS NAME OR DBA NAME (AS IT APPEARS ON GOVERNMENT-ISSUED DOCUMENT)
PHYSICAL ADDRESS
SSN OR EIN
Sole Proprietors and Single member LLCs may use SSN of the owner
Some points to remember in opening business accounts:
Your customer is the business. However, some banks require CIP on all signatories. If this is your policy, your screens will have to allow the individuals with control over the business to be identified. You will likely want some information on the owners for identification purposes down the road; whether or not you run full CIP on them is up to your CIP policy.
You will be collecting EINs or SSNs depending on the business type. Again, if the business is a non-U.S. business you may want the customer to call the 800 number or go to a local branch.
Many banks do not open business accounts online unless the business is an existing customer, because business accounts are higher risk. Sometimes you will see a screen that says “If this is a business account, call 1-800-XXX-XXXX”.
DOCUMENTARY AND NONDOCUMENTARY VERIFICATION
Customer Verification. The CIP must contain procedures for verifying the identity of the customer, using information obtained in accordance with paragraph (b) (2) (i) of this section, within a reasonable time after the account is opened. The procedures must enable the bank to form a reasonable belief that it knows the true identity of each customer. These procedures must be based on the bank’s assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the various types of identifying information available, and the bank’s size, location, and customer base. At a minimum, these procedures must contain the elements described in this paragraph (b) (2).
A) Verification through documents. For a bank relying on documents, the Customer Identification Program must contain procedures that set forth the documents that the bank will use. These documents may include:
1) For an individual, unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard, such as a driver’s license or passport; and
2) For a person other than an individual (such as corporations, partnerships, or trusts), documents showing the existence of the entity, such as certified articles of incorporation, a government-issued business license, partnership agreement, or trust instrument.
B) Verification through non-documentary methods. For a bank relying on non-documentary methods, the CIP must contain procedures that describe the non-documentary methods the bank will use.
1) These methods may include contacting a customer; independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement.
2) The bank’s nondocumentary procedures must address situations where an individual is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard; the bank is not familiar with the documents presented; the account is opened without obtaining documents; the customer opens the account without appearing in person at the bank; and where the bank is otherwise presented with circumstances that increase the risk that the bank will be unable to verify the true identity of a customer through documents.
C) Additional verification for certain customers. The CIP must address situations where, based on the bank’s risk assessment of a new account opened by a customer that is not an individual, the bank will obtain information about the individuals with authority or control over such account, including signatories, in order to verify the customer’s identity. This verification method applies only when the bank cannot verify the customer’s true identity using the verification methods described in paragraphs (b) (2) (ii) (A) and (B) of this section.
THE DOCUMENTS
It has always been good due diligence to require two forms of identification, one primary and one secondary, to prevent fraud and money laundering at new accounts.
Some thoughts about how to handle the documents:
First, it was never required that you use documents to verify identity. Many online banks require document numbers and use that information to confirm identity, so you do not have to “see” the documents. Most banks do look at the identification in their normal face-to-face account opening procedures; some copy the documents and some record them. Looking at the document also gives you an opportunity to resolve discrepancies. If you change your practice for online accounts, you will need to amend your CIP policy to address how you open accounts online.
Second, if you open accounts online and mail out a package for the customer to sign within so many days, you can request that the identification for both personal and business accounts be sent in at that time. Or you can rely on nondocumentary verification, as long as you write this change from normal account opening procedures into your BSA policy.
Third, you may do the application part online and still require the customer to visit a branch for the final piece. Opened this way, the actual account opening and funding still happen at a branch, so it is easy to have the customer bring copies of his or her identification.
SUMMARY OF TYPES OF IDENTIFICATION
GENERALLY, IT IS RECOMMENDED THAT YOU GET ONE PRIMARY AND ONE SECONDARY PIECE OF IDENTIFICATION

PRIMARY (should include picture, description and signature):
Driver’s license / non-driver’s identification card, passport, US government ID, US military ID, alien registration card
Primary identification includes a picture, a description of the person, and a signature. It should be accompanied by a second piece of identification. Use “bar books” to verify primary identification. See http://www.idcheckingguide.com

SECONDARY (has some but not all of the components of primary ID):
Social Security card, voter’s registration, birth certificate, credit cards, bank cards, state government ID, local government ID, company identification, police identification, insurance cards
Secondary identification has some components of primary identification but is not considered primary. Acceptable as a second piece of identification; never acceptable to open an account alone.

UNACCEPTABLE (easily stolen, easily reproduced; not generally accepted as ID):
Hunting license, marriage license, Rotary club card, library card, Blockbuster video card, Sam’s Club card, panty hose card, country club card
Never acceptable as identification. This is a short list; there are many, many forms of identification which are unacceptable.
EXPANDED IDENTIFICATION FOR NONRESIDENT ALIENS (NRA)
You can keep to a very narrow Customer Identification Program (CIP). You can say “no passport, no account.” This makes things very simple for the bank. However, depending on your market, you may want to write into your BSA/CIP policy a specific policy for nonresident aliens.

PRIMARY (should include picture, description and signature):
State-issued non-driver’s identification card, passport
Primary identification should include a picture, a description of the person, and a signature. It should be accompanied by a second piece of identification. Use “bar books” to verify primary identification. See http://www.idcheckingguide.com/

SECONDARY (has some but not all of the components of primary ID):
Social Security card with an ITIN (the number starts with a “9”)
Secondary identification has some components of primary identification but is not considered primary. Acceptable as a second piece of identification; never acceptable to open an account alone.

CIP is your bank’s decision based on your risk profile. Your market may dictate a more liberal approach to nonresident aliens. You might simply list all of the forms of identification you will accept and require two, one of which has a picture, description and signature.
Use the ID Checking Guide to help with these types of identification. There is also an international version covering Mexican driver’s licenses and other countries.

PRIMARY (should include picture, description and signature):
Driver’s license / non-driver’s identification card
Passport
National identification card (must show photo, name, current address, date of birth, and expiration date)
Temporary Resident Card, Form I-688
Employment Authorization Card, Forms I-688A, I-688B, I-766
Nonimmigrant visa and Border Crossing Card
Refugee Travel Document, Form I-571
US Department of State driver’s licenses
Visa
Consular ID cards
Mexico driver’s license
Canada driver’s license
Primary identification should include a picture, a description of the person, and a signature. It should be accompanied by a second piece of identification. Use “bar books” to verify primary identification. See http://www.idcheckingguide.com/

SECONDARY (has some but not all of the components of primary ID):
Social Security card
Voter’s registration
Birth certificate
Credit cards
Civil birth certificate
Foreign driver’s license
U.S. state identification card
Foreign voter’s registration card
Foreign military identification card
Visa
U.S. Citizenship and Immigration Services (USCIS) photo identification
Medical records (dependents under 14 years old only)
School records (dependents and/or students under 25 years old only)
Secondary identification has some components of primary identification but is not considered primary. Acceptable as a second piece of identification; never acceptable to open an account alone.
WORKSHEET ON DOCUMENTS
SECTION TWO DOCUMENTS
PRIMARY DOCUMENTS ACCEPTED BY FINANCIAL INSTITUTION
Driver’s License ______________ State _____________ Exp ________
Nondriver’s ID Card __________ State ______________ Exp ________
Passport ______________________ Country Issued ____ Exp ________
Alien Registration Card ___ Number _________ Exp ________
US Military ____________ Type ______ Exp ___________
SECONDARY DOCUMENTS ACCEPTED BY FINANCIAL INSTITUTIONS
Social security card, Voter’s registration, Birth certificates, Insurance cards, Gun permits, Company issued identification, Credit cards, Student identification, Tax return, Pay stub
Number if any _______________ Expiration date if any _________
There are many types of secondary identification. You make a list that your institution can justify to examiners based on your risk.
Expanded Primary Identification for Nonresident aliens
Mexico Matricular Card, National Identification Card, Driver’s License from their country, Visas (see above notes about the bank’s decisions on identification for nonresident aliens)
Expanded Secondary identification for Nonresident aliens
ITIN Cards; any of the primary documents if the customer has another primary (Mexico Matricular Cards, Visa, National Identification Cards, etc.)
Birth certificates Voter’s registration Tax return
Does document verify residence or nationality?
If so which one?
If not, how did the financial institution resolve the discrepancy?
Additional Comments:
WORKSHEET ON DOCUMENTS FOR BUSINESS AND ENTITY ACCOUNTS
Section Two Documents
Sole Proprietor: Assumed Name / Trade Name / Occupational License (circle one)
General Partnership: Partnership Agreement, if any; Partnership Registration, if any
Limited Liability Partnership: Partnership Agreement; Partnership Registration
Limited Partnership: Partnership Agreement; Partnership Registration
Corporation: Minutes of the Board Meeting; Certificate of Incorporation or Articles stamped “Filed”
Limited Liability Company: Operating Agreement, if any; Certificate of Formation or Articles stamped “Filed”
Agent, Escrow, IOLTA, Public funds or other type of entity: Document as required by state or bank; otherwise have to identify all signers
Nonprofit organization or club: Charter, By-laws, minutes; otherwise have to identify all signers
Formal Trusts: Trust Documents
Other:
Note: If your bank’s CIP policy is to identify all of the signers as well as the business, then you will have to do both. Also, Phase I business exemptions for CTRs are also eligible for exemption under CIP, but you will want to do some due diligence to make sure the business exists and that you are dealing with the appropriate person.
Are you opening this account for just yourself?
Yes. If yes, will you name a beneficiary or beneficiaries on this account? Yes No
No. If no, is this account joint or a custodial account? Joint Custodial
Enter your information:
Legal First Name: Middle Initial: Legal Last Name: Suffix:
Citizenship: Select citizenship status
Social Security Number:
Date of birth:
Identification: Select type (You can have them copy this and send it to you if you give them a package to sign and send back to you)
Other information:
E-mail address:
Mailing address Line 1:
Mailing address Line 2:
City: State: Select State Zip Code:
Primary Phone: Secondary Phone or Cell Phone:
Check here if your permanent address is the same as your mailing address
Have you lived at your current address more than two years? Yes No
Citizenship information:
Are you a US Citizen? Yes No
If you are not a US Citizen, what is your tax status? Resident alien Nonresident alien
Employment Information
Employer:
Address:
Telephone:
Job description:
Banking and Account Information:
Source of Income:
Purpose of Account:
Enter the joint owner information: (Same for custodians, authorized signers, business signers if you run CIP on business signers)
Legal First Name: Middle Initial: Legal Last Name: Suffix:
Citizenship: Select citizenship status
Social Security Number:
Date of birth:
Identification: Select type (You can have them copy this and send it to you if you give them a package to sign and send back to you)
Other information:
E-mail address:
Mailing address Line 1:
Mailing address Line 2:
City: State: Select State Zip Code:
Primary Phone: Secondary Phone or Cell Phone:
Check here if your permanent address is the same as your mailing address
Have you lived at your current address more than two years? Yes No
Citizenship information:
Are you a US Citizen? Yes No
If you are not a US Citizen, what is your tax status? Resident alien Nonresident alien
Employment Information
Employer:
Address:
Telephone:
Job description:
Banking and Account Information:
Source of Income:
Purpose of Account:
NONDOCUMENTARY VERIFICATION
Recognizing that some accounts are opened by telephone, by mail, and over the Internet, the final rules asked that you take that into consideration when writing your policy.
You must address the situation where you will open an account for someone not appearing at your bank.
Types of nondocumentary verification include:
• Check systems, telecheck, credit reports
• Customer telephone call
• Letter of welcome
• Site visit
• Previous bank reference
• Verification of employment
• whitepages.com, google.com
• Secretary of State - online
Personalized Identification Verification
The questions below are based on information from external credit reporting agencies. This does not affect your credit score in any way.
Your credit report indicates that you have a mortgage loan opened in or around October 2001. Which institution is it with?
Have the online applicant choose between several credit providers
Your mortgage payment is in the following parameters?
Give different ranges of payments and have online customer check a box.
Your credit file also indicates a car loan. Who is the bank this loan is with?
Have the online applicant choose between several credit providers
Your car payment is in the following parameters?
Give different ranges of payments and have online customer check a box.
LACK OF VERIFICATION—CIP PROCEDURES
Lack of Verification
The CIP must include procedures for responding to circumstances in which the bank cannot form a reasonable belief that it knows the true identity of a customer. These procedures should describe:
1. When the bank should not open an account;
2. The terms under which a customer may use an account while the bank attempts to verify the customer’s identity;
3. When the bank should close an account, after attempts to verify a customer’s identity have failed; and
4. When the bank should file a Suspicious Activity Report in accordance with applicable law and regulation.
CLOSING AN ACCOUNT SOME SUGGESTIONS
1. Stick to your policy
It is generally much easier to get information before the account is opened than after. If you stick to your policy on identification prior to opening account then it is easier on your financial institution in the long run.
2. Closing an account
If you took a risk-based approach and allowed the customer a time frame to get all the information to you, and he or she failed to meet the time frame, then you should notify them in writing, preferably by certified mail, that within a stated time period the account will be closed. This varies depending on your bank and location. You probably want to notify them twice before the account is actually closed.
This is really going to be important for online banking customers. If part of your CIP is that the customer will provide us with copies of his or her identification and that he or she has a certain number of days to return the paperwork in an envelope, then you will have to go back and close the account if they do not. So this may also go into your account agreement.
CIP gives us a “reasonable time after opening the account” to receive our documentary or nondocumentary verification. You then have to have procedures in place to close. These can be completely different from your face-to-face rules.
SECTION THREE DOCUMENTS
Nondocumentary verification: Check systems, telecheck, credit reports; Customer telephone call; Letter of welcome; Site visit; Previous bank reference; Verification of employment; whitepages.com; google.com; Secretary of State - online at www.sos.state.tx.us
OFAC Check: Yes / No (circle one). If match, false positive or complete match? Results: _____________________________
Resolve conflict in documents:
Additional Comments:
CHECK OFFICE OF FOREIGN ASSETS CONTROL (OFAC)
1. Overview
The Office of Foreign Assets Control (OFAC) is a division of the U.S. Treasury. OFAC’s purpose is to enforce sanctions against foreign countries, their agents, terrorists and other threats to United States national security. It is not just countries but also individuals, called “Specially Designated Nationals” or “Blocked Persons”. We are required to block or freeze any accounts for these individuals or countries within 10 days from the occurrence of the activity. Your institution can be fined and penalized for failure to comply with OFAC.
2. The List
The OFAC list is updated frequently and should be kept up to date at your financial institution. Before we open an account, it is a good idea to check the list to make sure that the person or entity opening the account is not on the list. That way we can prevent subsequent action of blocking and freezing assets. Your financial institution should have established procedures to continually audit and check for compliance with OFAC guidelines. Since the list is updated often, an account that you opened up last year may now be on this list. This is not something that you can prevent at the new accounts desk.
Website for OFAC list: www.treasury.gov/offices/enforcement/ofac/sdn
CUSTOMER NOTICE FOR CIP
Customer notice
The CIP must include procedures for providing bank customers with adequate notice that the bank is requesting information to verify their identities.
(ii) Adequate notice. Notice is adequate if the bank generally describes the identification requirements of this section and provides the notice in a manner reasonably designed to ensure that a customer is able to view the notice, or is otherwise given notice, before opening an account. For example, depending upon the manner in which the account is opened, a bank may post a notice in the lobby or on its website, include the notice on its account applications, or use any other form of written or oral notice.
(iii) Sample notice. If appropriate, a bank may use the following sample language to provide notice to its customers:
IMPORTANT INFORMATION ABOUT PROCEDURES FOR OPENING A NEW ACCOUNT
To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account.
What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.
BSA EXAM ISSUES ON CUSTOMER DUE DILIGENCE
The cornerstone of a strong BSA/AML compliance program is the adoption and implementation of comprehensive CDD policies, procedures, and processes for all customers, particularly those that present a high risk for money laundering and terrorist financing. The objective of CDD procedures should be to enable the bank to predict with relative certainty the types of transactions in which a customer is likely to engage. These procedures assist the bank in determining when transactions are potentially suspicious. The concept of CDD begins with verifying the customer’s identity and assessing the risks associated with that customer. Procedures should also include enhanced CDD for high risk customers and ongoing due diligence of the customer base. Effective CDD policies, procedures, and processes provide the critical framework that enables the bank to comply with regulatory requirements and to report suspicious activity. CDD policies, procedures, and processes are critical to the bank because they can aid in:
• Detecting and reporting unusual or suspicious transactions that potentially expose the bank to financial loss, increased expenses, or reputational risk.
• Avoiding criminal exposure from persons who use or attempt to use the bank’s products and services for illicit purposes.
• Adhering to safe and sound banking practices.
CUSTOMER DUE DILIGENCE GUIDANCE
BSA/AML policies, procedures, and processes should include CDD guidelines that:
• Are commensurate with the bank’s BSA/AML risk profile, paying particular attention to high-risk customers.
• Contain a clear statement of management’s overall expectations and establish specific staff responsibilities, including who is responsible for reviewing or approving changes to a customer’s risk rating or profile, as applicable.
• Ensure that the bank possesses sufficient customer information to implement an effective suspicious activity monitoring system.
• Provide guidance for documenting analysis associated with the due diligence process, including guidance for resolving issues when insufficient or inaccurate information is obtained.
• Ensure the bank maintains current customer information.
CUSTOMER RISK
Management should have a thorough understanding of the money laundering or terrorist financing risks of the bank’s customer base. Under this approach, the bank will obtain information at account opening sufficient to develop an understanding of normal and expected activity for the customer’s occupation or business operations. Much of the CDD information can be confirmed through an information-reporting agency, banking references (for larger accounts), correspondence and telephone conversations with the customer, and visits to the customer’s place of business.
Additional steps may include obtaining third-party references or researching public information (e.g., on the Internet or commercial databases). CDD procedures should include periodic monitoring of the customer relationship to determine whether there are substantive changes to the original CDD information (e.g., change in employment or business operations).
ENHANCED DUE DILIGENCE FOR HIGH-RISK CUSTOMERS
Customers that pose high money laundering or terrorist financing risks present increased exposure to banks and due diligence policies, procedures, and processes should be enhanced as a result. Enhanced due diligence for high-risk customers is especially critical in understanding their anticipated transactions and implementing a suspicious activity monitoring system that reduces the bank’s reputation, compliance, and transaction risks.
High-risk customers and their transactions should be reviewed more closely at account opening and more frequently throughout the term of their relationship with the bank. The bank may determine that a customer poses a high risk because of the customer’s business activity, ownership structure, anticipated or actual volume and types of transactions, including those transactions involving high-risk jurisdictions. If so, the bank should consider obtaining, both at account opening and throughout the relationship, the following information on the customer:
• Purpose of the account.
• Source of funds and wealth.
• Beneficial owners of the accounts, if applicable.
• Customer’s (or beneficial owner’s) occupation or type of business.
• Financial statements.
• Banking references.
• Domicile (where the business is incorporated).
• Proximity of the customer’s residence, place of employment, or place of business to the bank.
• Description of the customer’s primary trade area and whether international transactions are expected to be routine.
• Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers.
• Explanations for changes in account activity.
SAMPLE PERSONAL CUSTOMER PROFILE WORKSHEETS
SECTION FOUR QUESTIONS Type of customer:
New Existing customer adding new service
Account opening method: In person all parties present In person, less than all parties present Mail Telephone Email, website
Type of person: US Person Non US person
Type of deposit: Cash On us transfer or check Payroll check Government Check Cashier’s check Wire Foreign funds
Location of customer: HIDT County Non HIDT County
What brought you to our bank? Product Relationship with banker Location Dissatisfied with current bank Other____________________
Do you have any deposits come in automatically?
Social Security Pay Roll Investment Other______________________
Do you use automatic withdrawals? Utilities House noteOther_____________________
Do you plan to use the following: Internet banking ATM Other branches? If so where______________________________ Wire services? If so where______________________________ Lending Over Draft Protection Safe Deposit Boxes
Do you know how many deposits you will make a month?
1-5 6-10 11 or more
Do you know how many checks or withdrawals you plan to make a month?
1-5 6-10 11 or more
SAMPLE BUSINESS CUSTOMER PROFILE WORKSHEETS
SECTION FOUR QUESTIONS Type of customer:
New Existing customer adding new service
Account opening method: In person all parties present In person, less than all parties present Mail Telephone Email, website
Type of person: US Person Non US person
Type of deposit: Cash On us transfer or check Payroll check Government Check Cashier’s check Wire Foreign funds
Type of business:
• Money Service Business (check cashing, wires, issuer or redeemer of cashier’s checks, etc. - fill out MSB questionnaire)
• Buying or selling motor vehicles of any kind, vessels, aircraft, farm equipment, or mobile homes
• Practicing law
• Accounting
• Practicing medicine
• Auctioning goods
• Chartering or operating ships, buses, or aircraft
• Gaming of any kind (other than licensed pari-mutuel betting at race tracks)
• Real estate brokerage
• Pawn brokerage
• Title insurance and real estate closing
• Trade union activities
• Other___________________________________________
Location of customer: HIDT County Non HIDT County
What brought you to our bank? Product Relationship with banker Location Dissatisfied with current bank Other____________________
What is the purpose of the account? Pay Roll Operating Account Other______________________
How close is your office? 1-5 miles 6-10 miles 11+ miles
Do you have any deposits come in automatically?
YES NO
Do you use automatic withdrawals? Sweep Accounts Utilities Other______________________
Do you plan to use the following: Internet banking ATM, Debit Cards Other branches? If so where_________________________ Wire services? If so where________________________ Lending Safe Deposit Boxes ACH Lockbox
Do you know how many deposits you will make a month? 1-5 6-10 11 or more
Do you know how many checks or withdrawals you plan to make a month?
1-5 6-10 11 or more
Do you have any cash needs for our branch? YES If “yes”, how much____________.
EXAMPLES OF HIGH RISK CUSTOMERS FROM BSA EXAM MANUAL YOU WILL NEED ENHANCED DUE DILIGENCE QUESTIONS FOR THIS GROUP
ASK MORE QUESTIONS FOR ENHANCED DUE DILIGENCE IF YOU BANK ANY OF THE FOLLOWING. LOOK AT WHAT THE EXAMINERS WILL BE LOOKING FOR EACH OF THESE GROUPS OF CUSTOMERS!
• Purpose of the account.
• Source of funds and wealth.
• Beneficial owners of the accounts, if applicable.
• Customer’s (or beneficial owner’s) occupation or type of business.
• Financial statements.
• Banking references.
• Domicile (where the business is incorporated).
• Proximity of the customer’s residence, place of employment, or place of business to the bank.
• Description of the customer’s primary trade area and whether international transactions are expected to be routine.
• Description of the business operations, the anticipated volume of currency and total sales, and a list of major customers and suppliers.
• Explanations for changes in account activity.
HIGH RISK ON THE BSA EXAM
Private Banking
Trust and Asset Management Services
Nonresident Aliens and Foreign Individuals
Politically Exposed Persons
Embassy and Foreign Consulate Accounts
Non-Bank Financial Institutions
Professional Service Providers
Non-Governmental Organizations and Charities
Business Entities (Domestic and Foreign)
Cash-Intensive Businesses
EXAMPLE: NONRESIDENT ALIENS ENHANCED DUE DILIGENCE
NONRESIDENT ALIENS ENHANCED DUE DILIGENCE
TASK # 15 Opening Accounts for Nonresident Aliens
Job #1 Resident or nonresident alien: If the customer is a resident alien, then he or she is treated as a US Person and can sign a W-9
Job #2 Purpose NRA is opening account: Asset preservation, business expansion and investments.
Job #3 Identify the accountholder
Job #4 Identify the sources of the funds and the wealth
Job #5 Identify the country and determine the risk with that particular country
Job #6 Is the individual a Politically Exposed Person (PEP)? See BSA Exam manual for Enhanced Due Diligence
Job #7 Determine the kinds of products and services the nonresident alien plans to use and evaluate for risk.
BSA EXAM MANUAL: EXPANDED EXAMINATION OVERVIEW AND PROCEDURES FOR PERSONS AND ENTITIES – NONRESIDENT ALIENS AND FOREIGN INDIVIDUALS OVERVIEW
Nonresident Aliens and Foreign Individuals — Overview
Objective. Assess the adequacy of the bank’s systems to manage the risks associated with transactions involving accounts held by nonresident aliens (NRAs) and foreign individuals, and management’s ability to implement effective due diligence, monitoring, and reporting systems.
Foreign individuals maintaining relationships with U.S. banks can be divided into two categories: resident aliens and nonresident aliens. For definitional purposes, an NRA is a non-U.S. citizen who: (i) is not a lawful permanent resident of the United States during the calendar year and who does not meet the substantial presence test,1 or (ii) has not been issued an alien registration receipt card, also known as a green card. The Internal Revenue Service determines the tax liabilities of a foreign person and officially defines the person as a “resident” or “nonresident.”
Although NRAs are not permanent residents, they may have a legitimate need to establish an account relationship with a U.S. bank. NRAs use bank products and services for asset preservation (e.g., mitigating losses due to exchange rates), business expansion, and investments. The amount of NRA deposits in the U.S. banking system has been estimated to range from hundreds of billions of dollars to about $1 trillion. Even at the low end of the range, the magnitude is substantial, both in terms of the U.S. banking system and the economy.
Risk Factors
Banks may find it more difficult to verify and authenticate an NRA accountholder’s identification, source of funds, and source of wealth, which may result in BSA/AML risks. The NRA’s home country may also heighten the account risk, depending on the secrecy laws of that country. Since the NRA is expected to reside outside of the United States, funds transfers or the use of foreign automated teller machines (ATMs) may be more frequent. The BSA/AML risk may be further heightened if the NRA is a politically exposed person (PEP). Refer to the expanded examination procedures, “Politically Exposed Persons,” for further information.
1 A foreign national is a resident alien if the individual is physically present in the United States for at least 31 days in the current calendar year and present 183 days or more based on counting: all days present during the current year, plus 1/3 of the days present in the preceding year, plus 1/6 of the days present in the second preceding year. Certain days of presence are disregarded, such as (i) days spent in the United States for a medical condition that developed while the foreign national was present in the United States and unable to leave, (ii) days regular commuters spend traveling to or from Canada or Mexico, (iii) a day of less than 24 hours spent while in transit between two locations outside the United States, and (iv) days when the foreign national was an exempt individual. The individual is considered a resident alien for federal income and employment tax purposes from the first day of physical presence in the United States in the year that the test is satisfied. Refer to the Internal Revenue Service web site: www.irs.gov.
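The substantial presence test in footnote 1 above is the computation behind Job #1 (resident or nonresident alien). The following is an added worked example, not code from the manual or the BSA exam manual; the day counts are constructed, and treating disregarded days as excluded from the 31-day prong as well as from the weighted total is an assumption.

```python
from fractions import Fraction
from typing import NamedTuple


class YearPresence(NamedTuple):
    """Days physically present in the U.S. in one calendar year.

    `disregarded` holds the days footnote 1 says are not counted (medical
    condition arising while present, Canada/Mexico commuting, transit stops
    under 24 hours, exempt-individual days).
    """
    present: int
    disregarded: int = 0

    @property
    def counted(self) -> int:
        if not 0 <= self.disregarded <= self.present <= 366:
            raise ValueError("need 0 <= disregarded <= present <= 366")
        return self.present - self.disregarded


def weighted_days(current: YearPresence, prior: YearPresence,
                  second_prior: YearPresence) -> Fraction:
    """All current-year days + 1/3 of prior-year days + 1/6 of second-prior-year days.

    Fraction keeps thirds and sixths exact, so a total of exactly 183 is not
    lost to floating-point rounding.
    """
    return (Fraction(current.counted)
            + Fraction(prior.counted, 3)
            + Fraction(second_prior.counted, 6))


def meets_substantial_presence(current: YearPresence, prior: YearPresence,
                               second_prior: YearPresence) -> bool:
    """Both prongs: at least 31 counted days in the current year AND a
    weighted three-year total of 183 days or more.

    Assumption: disregarded days are excluded from the 31-day prong too.
    """
    if current.counted < 31:
        return False
    return weighted_days(current, prior, second_prior) >= 183


def classify_alien(has_green_card: bool, current: YearPresence,
                   prior: YearPresence, second_prior: YearPresence) -> str:
    """Job #1: a non-U.S. citizen is a resident alien (W-9) if they hold a
    green card or meet the substantial presence test; otherwise a
    nonresident alien (W-8)."""
    if has_green_card or meets_substantial_presence(current, prior, second_prior):
        return "resident alien"
    return "nonresident alien"


def presence_worksheet(has_green_card: bool, current: YearPresence,
                       prior: YearPresence, second_prior: YearPresence) -> dict:
    """Figures a new-accounts officer would record so the resident/nonresident
    determination can be reviewed later (e.g. by an examiner)."""
    total = weighted_days(current, prior, second_prior)
    return {
        "current_year_counted": current.counted,
        "prior_year_third": Fraction(prior.counted, 3),
        "second_prior_year_sixth": Fraction(second_prior.counted, 6),
        "weighted_total": total,
        "meets_31_day_prong": current.counted >= 31,
        "meets_183_day_prong": total >= 183,
        "green_card": has_green_card,
        "classification": classify_alien(has_green_card, current, prior, second_prior),
    }


if __name__ == "__main__":
    # Constructed sample: 120 days present in each of three years, no green card.
    # 120 + 120/3 + 120/6 = 180 < 183, so this customer is a nonresident alien.
    for key, value in presence_worksheet(False, YearPresence(120),
                                         YearPresence(120), YearPresence(120)).items():
        print(f"{key}: {value}")
```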
Risk Mitigation
Banks should establish policies, procedures, and processes that provide for sound due diligence and verification practices, adequate risk assessment of NRA accounts, and ongoing monitoring and reporting of unusual or suspicious activities. The following factors are to be considered when determining the risk level of an NRA account:
• The accountholder’s home country.
• The types of products and services used.
• Forms of identification.
• The source of wealth and funds.
• Unusual account activity.
NRA customers may request W-8 status for U.S. tax withholding. In such cases, the NRA customer completes a W-8 form, which attests to the customer’s foreign and U.S. tax-exempt status. While it is an Internal Revenue Service (IRS) form, a W-8 is not sent to the IRS, but is maintained on file at the bank to support the lack of any tax withholding from earnings.2
The bank’s Customer Identification Program (CIP) should detail the identification requirements for opening an account for an NRA. The program should include the use of documentary and nondocumentary methods to verify a customer. In addition, the Patriot Act amended the BSA to require special due diligence for private banking accounts for non-U.S. persons, including those held for PEPs or senior foreign political figures.
2 Additional information can be found at www.irs.gov/formspubs. See also IRS Bulletin 515 “Withholding of Tax on Nonresident Aliens and Foreign Entities.”
SAMPLE PERSONAL CUSTOMER IDENTIFICATION WORKSHEET
CUSTOMER IDENTIFICATION WORKSHEET: Non Resident Alien Account
SECTION V INFORMATION
New Customer Existing Customer
US Person (See US Person Worksheet) Non US Person (Attach W-8)
Business Account (Complete Business Worksheet) Personal Account
Name (As it appears on Primary Identification)________________________________
Nationality___________________________________________________________
Residential/Street Address_____________________________________________________________
SSN/ITIN_____________________________________
Date of Birth___________________________________
Home phone ___________________ Work phone _______________________
Employment/Student______________________________________________________
Contact Individual _______________________________________________________
Documentary Verification
Type of Identification: Select two; one form of identification must have picture, description and signature
Passport; Temporary Resident Card Form I-688; Employment Authorization Card Form I-688A, I-688B, I-766; Nonimmigrant Visa & Border Crossing Card; Refugee Travel Document Form I-571; US Department of State Driver’s Licenses; VISA Consular ID Cards; Social Security Card; Mexico Driver’s License (32); Canada Driver’s License
Card __________ Expiration __________ Nationality _________ Number _________
Card __________ Expiration __________ Nationality _________ Number _________
Non documentary Verification
Type of Nondocumentary Verification
Letter of Welcome Third party verification: Type Check Systems, Credit report OFAC Other_____________________________________
Resolution of Discrepancies
____________________________________________________________________________________________________________________________________________________________________________________________________________________
Risk Assessment:
Type of customer: New Existing customer adding new service
Account opening method: In person all parties present In person, less than all parties present Mail Telephone Email, website
Location of customer: Nationality_______________
Do you use automatic withdrawals? Utilities House note Other_________________
Type of person: US Person Non US person
Purpose of the account: Safety of US Banking System Family in the US Travel Frequently in the US
What brought you to our bank? Product Relationship with banker Location Dissatisfied with current bank Other_________________
Source of funds: Are the funds coming from home? ___________________
Where are the funds coming from to open this account? ____________
Bank where the funds are currently located ___________________
Type of deposit: Cash On us transfer or check Payroll check Government Check Cashier’s check Wire Foreign funds
Do you have any deposits come in automatically?
Social Security Pay Roll Investment Other_________________
Do you plan to use the following: Internet banking ATM Other branches? If so where______________ Wire services? If so where______________ Lending Over Draft Protection Safe Deposit Boxes
Do you know how many deposits you will make a month?
1-5 6-10 11 or more
Do you know how many checks or withdrawals you plan to make a month?
1-5 6-10 11 or more
SAMPLE OF ENHANCED DUE DILIGENCE FOR HIGH RISK CUSTOMER: MONEY SERVICE BUSINESS QUESTIONNAIRE
Money Service Business Questionnaire
SECTION FIVE
In your money service business, which of the following activities does your business engage in?
Check Cashing
Currency Exchange
Issuers of traveler’s checks, money orders or stored value
Sellers of traveler’s checks, money orders or stored value
Redeemers of traveler’s checks, money orders or stored value
If you checked any of the above are these activities $1000 or more for any one customer in any one business day?
Yes No
Are you engaged in the business of wire transfers?
Yes No
In your money service business identify yourself as one of the following:
Principal Agent (Attach documentation proving agency status)
Is your business: New business Date Formed:___________ Existing business Years in business:________
Are the money service business activities _____Primary source of income _____Secondary source of income
What percentage of income is derived from the money service side of your business? _________________%
Do you only do business: In the United States International Both
If your business is in the United States, is it Local in your state Out of state Both
What will be the primary purpose of this account? What is your anticipated volume in this account?
Internal use only: Initial Assessment (see internal risk sheet) Low Risk__________ Medium Risk_______ High Risk__________
OVERVIEW: PUTTING IT ALL TOGETHER
* To do enhanced due diligence on high risk accounts you have to go further than the Sections I-IV profile; the Section V questionnaires that follow are examples of the added layer.
WORKSHEETS
Personal Account: Personal Account Questionnaire, Sections I-IV; Example Section V: add Non-Resident Alien Questionnaire
Business Account: Business Account Questionnaire, Sections I-IV; Example Section V: add MSB Questionnaire for High Risk
WORKSHEET ON PERSONAL ACCOUNTS
New Existing
CIP PROFILE PERSONAL ACCOUNTS
COMPLETE CIP PROFILE FOR EACH OWNER OR FIDUCIARY ON ACCOUNT (SOME BANKS MAY REQUIRE ONE ON EVERY SIGNER)
SECTION ONE INFORMATION
CUSTOMER NAME (AS IT APPEARS ON PRIMARY IDENTIFICATION)
PHYSICAL ADDRESS
DATE OF BIRTH
SSN OR ITIN (IF NO SSN OR ITIN, PASSPORT NUMBER OR OTHER IDENTIFICATION NUMBER)
SECTION TWO DOCUMENTS
PRIMARY DOCUMENTS ACCEPTED BY FINANCIAL INSTITUTION
Driver's License ________________ State ________ Exp ________
Nondriver's ID Card _____________ State ______________ Exp ________
Passport _________________ Country Issued ____ Exp ________
Alien Registration Card _____________ Number _________ Exp ________
US Military ____________ Type ______ Exp ___________
SECONDARY DOCUMENTS ACCEPTED BY FINANCIAL INSTITUTIONS
Social security card, Voter's registration, Birth certificate, Insurance cards, Gun permits, Company issued identification, Credit cards, Student identification, Tax return, Pay stub
Number if any _______________ Expiration date if any _________
* There are many types of secondary identification. You make a list that your institution can justify to examiners based on your risk.
Expanded Primary Identification for Nonresident Aliens: Mexico Matricula Card, National Identification Card, Driver's License from their country, Visas (see above notes about the bank's decisions on identification for nonresident aliens)
Expanded Secondary Identification for Nonresident Aliens: ITIN cards; any of the primary documents if the customer has another primary (Mexico Matricula Cards, Visa, National Identification Cards, etc.); Birth certificates; Voter's registration; Tax return
Does the document verify residence or nationality? If so, which one?
If not, how did the financial institution resolve the discrepancy?
Additional Comments:
SECTION THREE DOCUMENTS
Nondocumentary verification: Check Systems, TeleCheck, credit reports; Customer telephone call; Letter of welcome; Site visit; Previous bank reference; Verification of employment; whitepages.com; google.com; Secretary of State (online at www.sos.state.tx.us)
Regulation CC Hold: Yes / No (circle one)
OFAC Check: Yes / No (circle one). If match, false positive or complete match? Results:_____________________________
Resolve conflict in documents:
Additional Comments:
SECTION FOUR QUESTIONS
Type of customer: New Existing customer adding new service
Account opening method: In person, all parties present In person, less than all parties present Mail Telephone Email, website
Type of person: US Person Non US person
Type of deposit: Cash On us transfer or check Payroll check Government Check Cashier’s check Wire Foreign funds
Location of customer: HIDTA County Non-HIDTA County
What brought you to our bank? Product Relationship with banker Location Dissatisfied with current bank Other____________________
Do you have any deposits come in automatically?
Social Security Pay Roll Investment Other______________________
Do you use automatic withdrawals? Utilities House note Other_____________________
Do you plan to use the following: Internet banking ATM Other branches? If so where______________________________ Wire services? If so where______________________________ Lending Overdraft Protection Safe Deposit Boxes
Do you know how many deposits you will make a month?
1-5 6-10 11 or more
Do you know how many checks or withdrawals you plan to make a month?
1-5 6-10 11 or more
SECTION FIVE NON RESIDENT ALIEN ALTERNATE WORKSHEET
New Customer Existing Customer
US Person (see US Person Worksheet) Non US Person (attach W-8)
Business Account (complete Business Worksheet) Personal Account
Name (as it appears on Primary Identification) _______________________________
Nationality _______________________________
Residential/Street Address _______________________________
SSN/ITIN _______________________________
Date of Birth _______________________________
Home phone ___________________ Work phone _______________________
Employment/Student _______________________________
Contact Individual _______________________________
Documentary Verification
Type of Identification: select two; one form of identification must have picture, description and signature
Passport, Temporary Resident Card Form I-688, Employment Authorization Card Form I-688A, I-688B, I-766, Nonimmigrant Visa & Border Crossing Card, Refugee Travel Document Form I-571, US Department of State Driver's Licenses, Visa, Consular ID Cards, Social Security Card, Mexico Driver's License (32), Canada
Card __________ Expiration __________ Nationality _________ Number _________
Card __________ Expiration __________ Nationality _________ Number _________
Non documentary Verification
Type of Nondocumentary Verification
Letter of Welcome; Third party verification, type: Check Systems, Credit report, OFAC, Other_____________________________________
Resolution of Discrepancies
____________________________________________________________________________________________________________________________________________________________________________________________________________________
Risk Assessment:
Type of customer: New Existing customer adding new service
Account opening method: In person, all parties present In person, less than all parties present Mail Telephone Email, website
Location of customer: Nationality_______________
Do you use automatic withdrawals? Utilities House note Other________________
Type of person: US Person Non US person
Purpose of the account: Safety of US Banking System Family in the US Travel Frequently in the US
What brought you to our bank? Product Relationship with banker Location Dissatisfied with current bank Other________________
Source of funds: Are the funds coming from home? ___________________
Where are the funds coming from to open this account? ____________
Bank where the funds are currently located ___________________
Type of deposit: Cash On us transfer or check Payroll check Government Check Cashier's check Wire Foreign funds
Do you have any deposits come in automatically? Social Security Pay Roll Investment Other________________
Do you plan to use the following: Internet banking ATM Other branches? If so where_________________ Wire services? If so where_________________ Lending Overdraft Protection Safe Deposit Boxes
Do you know how many deposits you will make a month?
1-5 6-10 11 or more
Do you know how many checks or withdrawals you plan to make a month?
1-5 6-10 11 or more
WORKSHEET BUSINESS ACCOUNTS
New Existing Exempt
CIP PROFILE BUSINESS ACCOUNTS
COMPLETE CIP PROFILE. IF YOUR BANK REQUIRES INFORMATION ON ALL SIGNERS, THEN USE THE PERSONAL SHEET ABOVE.
SECTION ONE INFORMATION
BUSINESS NAME OR DBA NAME (AS IT APPEARS ON GOVERNMENT ISSUED DOCUMENT)
PHYSICAL ADDRESS
SSN OR EIN
Sole Proprietors and Single member LLCs may use SSN of the owner
SECTION TWO DOCUMENTS
Sole Proprietor: Assumed Name / Trade Name / Occupational License (circle one)
General Partnership: Partnership Agreement, if any; Partnership Registration, if any
Limited Liability Partnership: Partnership Agreement; Partnership Registration
Limited Partnership: Partnership Agreement; Partnership Registration
Corporation: Minutes of the Board Meeting; Certificate of Incorporation or Articles stamped "Filed"
Limited Liability Company: Operating Agreement, if any; Certificate of Formation or Articles stamped "Filed"
Agent, Escrow, IOLTA, Public funds or other type of entity: Document as required by state or bank; otherwise have to identify all signers
Nonprofit organization or club: Charter, By-laws, minutes; otherwise have to identify all signers
Formal Trusts: Trust Documents
Other:
SECTION THREE DOCUMENTS
Nondocument verification
Check Systems, TeleCheck, credit reports; Customer telephone call; Letter of welcome; Site visit; Previous bank reference; Verification of employment; whitepages.com; google.com; Secretary of State (online at www.sos.state.tx.us)
Regulation CC Hold: Yes / No (circle one)
OFAC Check: Yes / No (circle one). If match, false positive or complete match? Results:_____________________________
Resolve conflict in documents:
Additional Comments:
SECTION FOUR QUESTIONS
Type of customer: New Existing customer adding new service
Account opening method: In person all parties present In person, less than all parties present Mail Telephone Email, website
Type of person: US Person Non US person
Type of deposit: Cash On us transfer or check Payroll check Government Check Cashier's check Wire Foreign funds
Type of business: Money Service Business (check cashing, wires, issuer or redeemer of cashier's checks, etc.; fill out the MSB questionnaire) Buying or selling motor vehicles of any kind, vessels, aircraft, farm equipment, or mobile homes Practicing law Accounting Practicing medicine Auctioning goods Chartering or operating ships, buses, or aircraft Gaming of any kind (other than licensed pari-mutuel betting at race tracks) Real estate brokerage Pawn brokerage Title insurance and real estate closing Trade union activities Other___________________________________
Location of customer: HIDTA County Non-HIDTA County
What brought you to our bank? Product Relationship with banker Location Dissatisfied with current bank Other____________________
Do you have any deposits come in automatically?
Pay Roll Operating Account Other______________________
How close is your office? 1-5 miles 6-10 miles 11+ miles
Do you have any deposits come in automatically?
YES NO
Do you use automatic withdrawals? Sweep Accounts Utilities Other______________________
Do you plan to use the following: Internet banking ATM, Debit Cards Other branches? If so where____________________________ Wire services?If so where___________________________ Lending Safe Deposit Boxes ACH Lockbox
Do you know how many deposits you will make a month? 1-5 6-10 11 or more
Do you know how many checks or withdrawals you plan to make a month?
1-5 6-10 11 or more
Do you have any cash needs for our branch? YES NO If "yes", how much____________.
SECTION FIVE
In your money service business, which of the following activities does your business engage in?
Check Cashing
Currency Exchange
Issuers of traveler's checks, money orders or stored value
Sellers of traveler's checks, money orders or stored value
Redeemers of traveler's checks, money orders or stored value
If you checked any of the above, are these activities $1,000 or more for any one customer in any one business day? Yes No
Are you engaged in the business of wire transfers? Yes No
In your money service business, identify yourself as one of the following: Principal Agent (attach documentation proving agency status)
Is your business: New business, Date Formed:___________ Existing business, Years in business:________
Are the money service business activities: _____ Primary source of income _____ Secondary source of income
What percentage of income is derived from the money service side of your business? _________________%
Do you only do business: In the United States International Both
If your business is in the United States, is it: Local in your state Out of state Both
What will be the primary purpose of this account?
What is your anticipated volume in this account?
Internal use only: Initial Assessment (see internal risk sheet) Low Risk__________ Medium Risk_______ High Risk__________
GUIDELINES ON IDENTITY THEFT DETECTION, PREVENTION, AND MITIGATION
In your financial institution’s identity theft program you are required to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account.
Covered account means: (i) An account that a financial institution or creditor offers or maintains, primarily for personal, family, or household purposes, that involves or is designed to permit multiple payments or transactions, such as a credit card account, mortgage loan, automobile loan, margin account, cell phone account, utility account, checking account, or savings account; and (ii) Any other account that the financial institution or creditor offers or maintains for which there is a reasonably foreseeable risk to customers or to the safety and soundness of the financial institution or creditor from identity theft, including financial, operational, compliance, reputation, or litigation risks.
These guidelines are intended to assist financial institutions and creditors in the formulation and maintenance of a Program that satisfies the requirements:
I. The Program
In designing its Program, a financial institution or creditor may incorporate, as appropriate, its existing policies, procedures, and other arrangements that control reasonably foreseeable risks to customers or to the safety and soundness of the financial institution or creditor from identity theft.
II. Identifying Relevant Red Flags
(a) Risk Factors. A financial institution or creditor should consider the following factors in identifying relevant Red Flags for covered accounts, as appropriate:
(1) The types of covered accounts it offers or maintains;
(2) The methods it provides to open its covered accounts;
(3) The methods it provides to access its covered accounts; and
(4) Its previous experiences with identity theft.
(b) Sources of Red Flags. Financial institutions and creditors should incorporate relevant Red Flags from sources such as:
(1) Incidents of identity theft that the financial institution or creditor has experienced;
(2) Methods of identity theft that the financial institution or creditor has identified that reflect changes in identity theft risks; and
(3) Applicable supervisory guidance.
(c) Categories of Red Flags.
The Program should include relevant Red Flags from the following categories, as appropriate. Examples of Red Flags from each of these categories are appended as Supplement A to this Appendix J.
(1) Alerts, notifications, or other warnings received from consumer reporting agencies or service providers, such as fraud detection services;
(2) The presentation of suspicious documents;
(3) The presentation of suspicious personal identifying information, such as a suspicious address change;
(4) The unusual use of, or other suspicious activity related to, a covered account; and
(5) Notice from customers, victims of identity theft, law enforcement authorities, or other persons regarding possible identity theft in connection with covered accounts held by the financial institution or creditor.
III. Detecting Red Flags.
The Program’s policies and procedures should address the detection of Red Flags in connection with the opening of covered accounts and existing covered accounts, such as by:
(a) Obtaining identifying information about, and verifying the identity of, a person opening a covered account, for example, using the policies and procedures regarding identification and verification set forth in the Customer Identification Program rules; and
(b) Authenticating customers, monitoring transactions, and verifying the validity of change of address requests, in the case of existing covered accounts.
WORKSHEET FOR IDENTITY THEFT PREVENTION PROGRAM
New Existing
Page One
IDENTITY THEFT PREVENTION PROGRAM
SECTION ONE INFORMATION
CUSTOMER NAME(AS IT APPEARS ON PRIMARY IDENTIFICATION)
PHYSICAL ADDRESS
DATE OF BIRTH
SSN OR ITIN(IF NO SSN OR ITIN, PASSPORT NUMBER OR OTHER IDENTIFICATION NUMBER)
SECTION TWO TYPES OF RED FLAGS
Alerts, Notifications, or Warnings
Explanation:
Suspicious Documents
Explanation:
Suspicious Personal Identifying Information
Explanation:
Unusual use of or suspicious activity related to the covered account
Explanation:
Notified by customer or law enforcement authority
Explanation:
Other Explanation:
SECTION THREE RESPONSE TO RED FLAG
New Customer: Turn down account; Ask customer to present better documents; Refer to officer; Open account but place on high risk; Refer to security officer; Verification of employment
Existing Customer: Turn down account; Ask customer to present better documents; Refer to officer; Open account but place on high risk; Refer to security officer; Verification of employment; Send letter to former address; Call at previous phone number; Check signatures against current signature cards; Rerun full CIP
Resolve conflict in documents:
Additional Comments:
EXAMPLES OF RED FLAGS
Alerts, Notifications or Warnings from a Consumer Reporting Agency
1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:
a. A recent and significant increase in the volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or
d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.
Suspicious Documents
5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.
Suspicious Personal Identifying Information
10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example: a. The address does not match any address in the consumer report; or b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration's Death Master File.
11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is the same as the address provided on a fraudulent application; or b. The phone number on an application is the same as the number provided on a fraudulent application.
13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example: a. The address on an application is fictitious, a mail drop, or a prison; or b. The phone number is invalid, or is associated with a pager or answering service.
14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the address or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Unusual Use of, or Suspicious Activity Related to, the Covered Account
19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for a new, additional, or replacement card or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example: a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.
21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example: a. Nonpayment when there is no history of late or missed payments; b. A material increase in the use of available credit; c. A material change in purchasing or spending patterns; d. A material change in electronic fund transfer patterns in connection with a deposit account; or e. A material change in telephone call patterns in connection with a cellular phone account.
22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.
Notice From Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection With Covered Accounts Held by the Financial Institution or Creditor
26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.
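Red Flags 12 through 16 above, and the structural half of 10b, are the checks a bank can run mechanically over a batch of applications before anyone picks up the Section Three response sheet. The Python script below is an added illustration of that screening; it is not part of this manual and not any vendor's product. The applications, the internal fraud file and the mail-drop list are constructed sample data, the "RF" labels simply carry the red flag numbers from the list above, and the threshold for "an unusually large number" of applicants sharing an address or phone (Red Flag 15) is an assumed policy setting that the guidance does not fix. The TIN test is structural only: area 000 or 666, group 00 and serial 0000 are never issued as SSNs, and a number beginning with 9 is treated as an ITIN as the manual states; whether a well-formed number was actually issued, or is on the Death Master File, still needs an external source.

```python
"""Screen new-account applications for identity-theft Red Flags 10b and 12-16.

Added illustration, not the manual's or any vendor's code. The applications,
the fraud file and the mail-drop list are constructed sample data; the
shared_threshold for Red Flag 15 is an assumed policy parameter.
"""
import re
from collections import defaultdict

REQUIRED = ("name", "address", "dob", "tin", "phone")  # Section One of the worksheet

# Constructed internal fraud file (Red Flag 12) and mail-drop list (Red Flag 13).
KNOWN_FRAUD_ADDRESSES = {"12 fake st, anytown"}
KNOWN_FRAUD_PHONES = {"5550100"}
MAIL_DROP_ADDRESSES = {"99 mailbox plaza #400, anytown"}


def norm(s):
    """Lower-case and collapse whitespace so near-identical strings compare equal."""
    return re.sub(r"\s+", " ", (s or "").strip().lower())


def digits(s):
    """Keep only the digits of a phone number or TIN."""
    return re.sub(r"\D", "", s or "")


def tin_kind(tin):
    """Classify a nine-digit TIN by structure alone.

    SSA never issues SSNs with area 000 or 666, group 00 or serial 0000;
    ITINs are 9xx-xx-xxxx ("ITINs start with a 9"). Whether a structurally
    valid number was actually issued needs an external source.
    """
    d = digits(tin)
    if len(d) != 9:
        return "malformed"
    area, group, serial = int(d[:3]), int(d[3:5]), int(d[5:])
    if group == 0 or serial == 0:
        return "never-issued"
    if d[0] == "9":
        return "itin"
    if area in (0, 666):
        return "never-issued"
    return "ssn"


def screen(applications, shared_threshold=3):
    """Return {application id: [red flag labels]} for a batch of applications.

    Per-application: RF16 (incomplete), RF10b (TIN structure), RF12 (fraud
    file), RF13 (mail drop or invalid phone). Across the batch: RF14 (same
    TIN on several applications) and RF15 (same address or phone on at
    least shared_threshold applications).
    """
    flags = defaultdict(list)
    by_tin, by_addr, by_phone = defaultdict(set), defaultdict(set), defaultdict(set)

    for app in applications:
        aid = app["id"]
        missing = [f for f in REQUIRED if not app.get(f)]
        if missing:
            flags[aid].append(f"RF16 incomplete: {','.join(missing)}")
        kind = tin_kind(app.get("tin"))
        if kind in ("malformed", "never-issued"):
            flags[aid].append(f"RF10b TIN {kind}")
        addr, phone = norm(app.get("address")), digits(app.get("phone"))
        if addr in KNOWN_FRAUD_ADDRESSES or phone in KNOWN_FRAUD_PHONES:
            flags[aid].append("RF12 matches fraud file")
        if addr in MAIL_DROP_ADDRESSES:
            flags[aid].append("RF13 mail-drop address")
        if phone and len(phone) != 10:
            flags[aid].append("RF13 invalid phone")
        if digits(app.get("tin")):
            by_tin[digits(app["tin"])].add(aid)
        if addr:
            by_addr[addr].add(aid)
        if phone:
            by_phone[phone].add(aid)

    for ids in by_tin.values():
        if len(ids) > 1:
            for aid in ids:
                flags[aid].append(f"RF14 TIN shared by {len(ids)} applicants")
    for label, index in (("address", by_addr), ("phone", by_phone)):
        for ids in index.values():
            if len(ids) >= shared_threshold:
                for aid in ids:
                    flags[aid].append(f"RF15 {label} shared by {len(ids)} applicants")
    return dict(flags)


# Constructed sample batch.
SAMPLE = [
    {"id": "A1", "name": "Ann Lee", "address": "10 Main St, Anytown", "dob": "1980-02-03",
     "tin": "123-45-6789", "phone": "(555) 010-2000"},
    {"id": "A2", "name": "Bob Ray", "address": "10 Main St, Anytown", "dob": "1975-07-07",
     "tin": "123-45-6789", "phone": "555-010-2001"},          # same SSN as A1 (RF14)
    {"id": "A3", "name": "Cy Dunn", "address": "10 Main  St, Anytown", "dob": "1990-01-01",
     "tin": "900-12-3456", "phone": "555-010-2002"},          # ITIN; third use of the address (RF15)
    {"id": "A4", "name": "Di Fox", "address": "12 Fake St, Anytown", "dob": "",
     "tin": "666-00-1234", "phone": "555-01"},                # RF16, RF10b, RF12, RF13
]

if __name__ == "__main__":
    for aid, hits in sorted(screen(SAMPLE).items()):
        print(aid, hits)
```

Run as a script it prints the flags for the sample batch. In practice the two fraud-file sets and the mail-drop list would be loaded from the institution's own records (Red Flag sources (b)(1) and (b)(2) above), and each flagged application would be routed to one of the Section Three responses on the worksheet rather than declined automatically.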
Unit #2 Signature Cards, Federal Regulations and W-9 Issues
SIGNATURE CARDS: OVERVIEW
Most signature cards have five basic components:
1. Ownership
2. Title
3. Federal Regulations
4. Signatures (Access)
5. Taxpayer Identification Number
SIGNATURE CARDS: FLOW CHART #1
Signature cards must be consistent.
Ownership: ___ Single Party or Individual ___ Joint ___ Trust ___ ______________
Title (must match Ownership)
Signatures (must match Title)
SIGNATURE CARDS: FLOW CHART #2
Some signature cards add special features.
Special Feature #1: POD / Trust, Name of Beneficiaries. POD pays at death to the list of beneficiaries. Only put on personal accounts.
Special Feature #2: Number of Signatures Required (1 or 2). Some signature cards allow a 2-signature requirement.
Special Feature #3: Agents or Authorized Signers. Some signature cards allow signers (as permitted by the card) on individual or joint accounts.
FEDERAL REGULATIONS
1. Adverse Action—Fair Credit Reporting
If your institution uses a third party vendor to make a decision to open or not open an account, you must give the individual an adverse action notice if you decline the account based on the information provided by the third party.
2. Regulation CC
Your institution must give a Regulation CC disclosure on availability to all transaction accounts both personal and business before an account is opened or a service provided. This applies to checking, NOW accounts, and savings and money market accounts tied to point of sale items.
3. Regulation DD
A Regulation DD disclosure is given to all personal deposit accounts held for personal, family or household purposes. Does not apply to groups, businesses, or any accounts held in a professional or legal capacity. Like Regulation CC it must be given before the account is opened or service provided.
4. Regulation E
A Regulation E disclosure is given in the event of an electronic device being issued which can debit or credit a consumer’s accounts.
5. TIN Compliance
The W-9 and W-8 BEN forms are used to ensure TIN compliance and backup withholding for taxpayers. Use the W-9, or a similar statement on the signature card, for accounts with a Social Security number. Use the W-8 BEN for those without a Social Security number (foreign accounts). The W-8 BEN is renewed every three years. See the CIP chapter of the manual.
6. Regulation P
Regulation P disclosure gives the customer information about the bank use of their information with third parties and allows the customer to “opt out.”
NOTES OVERVIEW: SSN, EIN OR ITIN
When your customer uses an SSN, EIN or ITIN…
Social Security Number (SSN): U.S. Person, Resident Alien, Nonresident Alien with Employment Authorization. Applies for an SSN with Form SS-5. Customer signs W-9, except nonresident aliens, who always sign W-8.
Employer Identification Number (EIN): Business Account, Nonprofit Organization, Irrevocable Trust. Applies for an EIN using Form SS-4. Customer signs W-9.
Individual Taxpayer Identification Number (ITIN): Customer is not eligible for a social security number but has a "tax purpose" for needing a tax identification number. Customer applies for an ITIN with Form W-7. To get an ITIN the customer may have to be turned down for an SSN first and then apply for the ITIN. To get an account for banking purposes, the customer may have to prove the "tax purpose". See the letter to give the customer to get an ITIN. ITINs start with a "9".
W-8 BEN required on every owner or you must withhold. Expires every three years.
OVERVIEW: TAXPAYER IDENTIFICATION NUMBERS
1. CIP Requirements
For U.S. persons a bank must obtain a U.S. taxpayer identification number (e.g., social security number, individual taxpayer identification number, or employer identification number). For non U.S persons a bank must obtain one or more of the following: a taxpayer identification number; passport number and country of issuance; alien identification card number; or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.
2. W-9 (Usually on signature card)
Use a Form W-9 when the customer is a U.S. person (including a resident alien). The customer must certify that:
He or she is giving you the correct TIN;
He or she is not subject to backup withholding, or has an exemption.
Name: If the customer is an individual, the customer must generally enter the name shown on his/her social security card. However, if the customer has changed his/her last name, for instance due to marriage, without informing the Social Security Administration of the name change, enter the first name, the last name shown on the social security card, and the new last name.
If the account is in joint names, list first, and then circle, the name of the person or entity whose number the customer enters in Part I of the form.
Sole proprietor: Enter the customer’s individual name as shown on the social security card on the “Name” line. The customer may enter the business, trade, or “doing business as” (DBA) name on the “Business name” line.
Limited liability company (LLC): If the customer is a single-member LLC (including a foreign LLC with a domestic owner) that is disregarded as an entity separate from its owner under Treasury regulations section 301.7701-3, enter the owner's name on the "Name" line. Enter the LLC's name on the "Business name" line.
Other entities: Enter the customer’s business name as shown on required Federal tax documents on the “Name” line. This name should match the name shown on the charter or other legal document creating the entity. The customer may enter any business, trade, or DBA name on the “Business name” line.
Exempt from backup withholding: If the customer is exempt, enter his/her name as described above, then check the "Exempt from backup withholding" box in the line following the business name, sign and date the form. Individuals (including sole proprietors) are not exempt from backup withholding. Corporations are exempt from backup withholding for certain payments, such as interest and dividends. For more information on exempt payees, see the Instructions for the Requester of Form W-9.
If the customer is a nonresident alien or a foreign entity not subject to backup withholding, give the requester the appropriate completed Form W-8.
Note: If the customer is exempt from backup withholding, the customer should still complete this form to avoid possible erroneous backup withholding.
3. W-8 BEN
If the customer receives certain types of income, the customer must provide Form W-8BEN to:
Establish that the customer is a foreign person; Claim that the customer is the beneficial owner of the income for which
Form W-8BEN is being provided; and If applicable, claim a reduced rate of, or exemption from, withholding as a
resident of a foreign country with which the United States has an income tax treaty.
Expiration of Form W-8BEN. Generally, a Form W-8BEN provided without a U.S. taxpayer identification number (TIN) will remain in effect for a period starting on the date the form is signed and ending on the last day of the third succeeding calendar year, unless a change in circumstances makes any information on the form incorrect. For example, a Form W-8BEN signed on September 30, 2001, remains valid through December 31, 2004. A Form W-8BEN furnished with a U.S. TIN will remain in effect until a change in circumstances makes any information on the form incorrect, provided that the withholding agent reports on Form 1042-S at least one payment annually to the beneficial owner who provided the Form W-8BEN. See Line 6 on page 3 for circumstances under which the customer must provide a U.S. TIN.
Definitions
Beneficial owner. For payments other than those for which a reduced rate of withholding is claimed under an income tax treaty, the beneficial owner of income is generally the person who is required under U.S. tax principles to include the income in gross income on a tax return. A person is not a beneficial owner of income, however, to the extent that person is receiving the income as a nominee, agent, or custodian, or to the extent the person is a conduit whose participation in a transaction is disregarded. In the case of amounts paid that do not constitute income, beneficial ownership is determined as if the payment were income.
Foreign partnerships, foreign simple trusts, and foreign grantor trusts are not the beneficial owners of income paid to the partnership or trust. The beneficial owners of income paid to a foreign partnership are generally the partners in the partnership, provided that the partner is not itself a partnership, foreign simple or grantor trust, nominee or other agent. The beneficial owners of income paid to a foreign simple trust [i.e., a foreign trust that is described in section 651(a)] are generally the beneficiaries of the trust, if the beneficiary is not a foreign partnership, foreign simple or grantor trust, nominee or other agent. The beneficial owners of income paid to a foreign grantor trust (i.e., a foreign trust to the extent that all or a portion of the income of the trust is treated as owned by the grantor or another person under sections 671 through 679) are the persons treated as the owners of the trust. The beneficial owner of income paid to a foreign complex trust (i.e., a foreign trust that is not a foreign simple trust or foreign grantor trust) is the trust itself.
The beneficial owner of income paid to a foreign estate is the estate itself.
Nonresident alien individual. Any individual who is not a citizen or resident of the United States is a nonresident alien individual. An alien individual meeting either the “green card test” or the “substantial presence test” for the calendar year is a resident alien. Any person not meeting either test is a nonresident alien individual. Additionally, an alien individual who is a resident of a foreign country under the residence article of an income tax treaty, or an alien individual who is a resident of Puerto Rico, Guam, the Commonwealth of the Northern Mariana Islands, the U.S. Virgin Islands, or American Samoa is a nonresident alien individual. See Pub. 519, U.S. Tax Guide for Aliens, for more information on resident and nonresident alien status.
4. W-7
Use Form W-7 to apply for an IRS individual taxpayer identification number (ITIN). An ITIN is a nine-digit number issued by the U.S. Internal Revenue Service (IRS) to individuals who are required to have a U.S. taxpayer identification number but who do not have and are not eligible to obtain, a social security number (SSN).
The ITIN is for tax purposes only. It does not entitle you to social security benefits, and creates no inference regarding your immigration status or your right to work in the United States. Any individual who is eligible to be legally employed in the United States must have an SSN.
Note: Individuals filing tax returns using an ITIN are not eligible for the earned income credit (EIC).
Signature Card Instructions
To complete the application, you must confirm your tax status and whether or not you are subject to backup withholding by pressing the “Submit” button below.
I certify, under penalty of perjury, that:
1. The number shown below is my correct taxpayer identification number.
2. Backup withholding (select one):
   I am subject to backup withholding because I have been notified by the Internal Revenue Service (IRS) that I am currently subject to backup withholding due to failure to report all interest and dividends on my tax return.
   I am not subject to backup withholding because:
   - I am exempt from backup withholding, or
   - I have not been notified by the IRS that I am subject to backup withholding as a result of a failure to report all interest or dividends, or
   - The IRS has notified me that I am no longer subject to backup withholding.
3. I am a U.S. person (including a U.S. resident alien).
FLOWCHART: REGULAR OWNERSHIP
TYPES OF OWNERSHIP

Single or individual
  One owner
  Set up by state law and contract
  Signers allowed as per signature contract

Joint WROS and WOROS
  Two owners, who can create survivorship or not
  Set up by state law and signature card
  No other signers allowed

Trust accounts (POD/ITF/ATF)
  Revocable trust: one or more owners and one or more beneficiaries
  Set up on signature card
  CIP the owners and OFAC all parties

Agents or signers
  Sign for the owner or owners
  Set up by the signature card
  Signers are not required to be run through CIP, but many banks' policies require it
FLOWCHART: FIDUCIARY
When one person is named legally to act for another

Powers of attorney
  Power of attorney acts for owner
  Set up by contract
  Signers allowed as per signature contract

UTMA
  Custodian acts for child
  Set up by state law and signature card
  No other signers allowed

Social Security representative payee
  Rep. payee acts for beneficiary/owner
  Set up by Social Security
  No other signers allowed

Estates
  Executor or administrator acts for decedent
  Set up by court and by will
  No other signers allowed
FIDUCIARY ACCOUNTS
Definition: When one person is named to act for another by contract, by law, by court order or by other legal arrangement, that person is considered to be acting in a fiduciary capacity.
Type                                                        Set up by
1. Authorized signers, agents, in-house power of attorney   Signature card or attachments
2. Power of attorney (outside document)                     Outside contract
3. Custodians                                               On signature card through state law
4. Social Security representative payees                    On check by Social Security
5. Executors/administrators                                 Court
6. Tutor, curator                                           Court
7. Trustees                                                 Contract
GENERAL RULES FOR FIDUCIARY ACCOUNTS
1. No PODs may be attached to account types 3-7.
2. No other authorized signers or powers of attorney may be listed on account types 3-7.
3. Except for authorized signers, the type of ownership is not individual or joint but “fiduciary” or the specific ownership for each category on your platform system. If you have cards, check the “other” box and list the type of fiduciary.
4. Fiduciaries should sign name and job title. For example, “Jane Smith, trustee”.
CONTRACT AND DISCLOSURE CHECKLIST
Checklist Contract and Disclosure Issues
____ Law governing agreement (state law issues addressed here)
____ CIP Disclosure
____ All Reg DD issues
____ Legal proceedings and dispute
____ Credit Reports
____ Kinds of accounts you can open (ownership)
____ Joint accounts WROS versus WOROS
____ Facsimile Signatures
____ Power of attorney
____ Disclosures (Privacy, Regulation E, Regulation CC, TISA)
____ Amendment rights to contracts
Terms and Conditions
Please read the following terms and conditions and then indicate your acceptance below.
Disclosures will appear in a separate pop-up window; if you use a pop-up blocker, please disable it before clicking on the links below.
To protect your information, your session will end automatically in XX minutes.
Please write down the application number at the top of the screen and call us at 1-800-XXX-XXXX if your application times out.
OR: Check this box to indicate that you have read and accept the Disclosures, consent to receive disclosures electronically, and also consent to receive amendments and other documents related to your account electronically.
Check this box to indicate that you have read and accept the Terms and Conditions
Check this box to indicate that you have read and accept the Electronic Transfer Agreement.
Type of Product
CD, 36 months (certificate of deposit)
Rate Disclosure   Privacy Policy   Account Agreement
I agree and accept
I do not agree and do not accept
Unit #3 Products and Funding the Account
PRODUCTS
Some thoughts about deposit products:
Some of the online banks offer products first and then begin the account opening process.
We all have basic checking, savings, certificates of deposit and money market accounts.
Whether you open online or in person, you have to follow federal disclosures and rules.
At least one of the banks looked at would not open CDs online without the customer first having a checking account. If the applicant wanted the other products and would not agree to a checking account, he or she was directed to an 800 number or to a branch in his or her area.
If you decide to open IRAs online this adds a whole new dimension to the job. These particular rules are complex and you will need to bring in your IRA expert.
FUNDING THE ACCOUNT
Most of the banks are allowing customers to fund the account electronically or to mail in a check.
Funding your account:
How would you like to fund your account?
  I would like to fund this electronically.
  I would like to mail in a check.
Continue
Enter your account information:
Account you are debiting:
  Account number
  ABA Routing/Transit Number
Initial Deposit Amount:
If funding electronically, the following may help you:
Continue Cancel
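Before an institution initiates an ACH debit against the account the applicant enters on the funding screen above, the routing number and amount should be checked for well-formedness so that a typo is caught on the form rather than coming back later as a returned item. The block below is an added example written for this manual, not code from any bank's site: it applies the ABA check-digit rule (weights 3, 7, 1 repeated across the nine digits, weighted sum divisible by 10), the assigned first-two-digit ranges (00-12, 21-32, 61-72 and 80), the 17-character ACH account-number field limit, and parses the initial deposit as a decimal amount. The routing numbers in it are constructed to pass or fail the checks and are not real institutions' numbers; a checksum-valid number still has to be looked up in the Federal Reserve routing directory before any funds move.

```python
from decimal import Decimal, InvalidOperation

# First two digits assigned to routing numbers: Federal Reserve districts (00-12),
# thrift institutions (21-32), electronic-transaction identifiers (61-72) and
# traveler's check issuers (80). Anything else is not an assigned prefix.
VALID_PREFIX_RANGES = ((0, 12), (21, 32), (61, 72), (80, 80))
ABA_WEIGHTS = (3, 7, 1, 3, 7, 1, 3, 7, 1)


def aba_checksum_ok(digits: str) -> bool:
    """True when the 3-7-1 weighted sum of the nine digits is divisible by 10."""
    return sum(int(d) * w for d, w in zip(digits, ABA_WEIGHTS)) % 10 == 0


def validate_routing_number(raw: str) -> tuple:
    """Normalize and validate an ABA routing/transit number; return (ok, reason)."""
    digits = raw.replace(" ", "").replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        return False, "routing number must be exactly nine digits"
    prefix = int(digits[:2])
    if not any(lo <= prefix <= hi for lo, hi in VALID_PREFIX_RANGES):
        return False, "first two digits are not an assigned routing prefix"
    if not aba_checksum_ok(digits):
        return False, "check digit does not match (likely a typo)"
    return True, "ok"


def validate_account_number(raw: str) -> tuple:
    """Account numbers are bank-specific; enforce only the ACH field limit (17 characters) and charset."""
    value = raw.replace(" ", "").replace("-", "")
    if not 1 <= len(value) <= 17:
        return False, "account number must be 1 to 17 characters"
    if not value.isalnum():
        return False, "account number may contain only letters and digits"
    return True, "ok"


def validate_amount(raw: str) -> tuple:
    """Parse the initial deposit as a positive, finite amount with at most two decimal places."""
    try:
        amount = Decimal(raw.replace(",", "").replace("$", "").strip())
    except InvalidOperation:
        return False, "amount is not a number"
    if not amount.is_finite():
        return False, "amount is not a number"
    if amount <= 0:
        return False, "amount must be positive"
    if amount != amount.quantize(Decimal("0.01")):
        return False, "amount may have at most two decimal places"
    return True, "ok"


def validate_funding_form(routing: str, account: str, amount: str) -> dict:
    """Run all checks for the electronic-funding screen and return each field's verdict."""
    return {
        "routing": validate_routing_number(routing),
        "account": validate_account_number(account),
        "amount": validate_amount(amount),
    }


if __name__ == "__main__":
    # Constructed inputs: the first routing number satisfies both rules, the second fails
    # the check digit, the third has a valid check digit but an unassigned prefix (13).
    for rtn in ("071923459", "071923450", "131234567"):
        print(rtn, validate_routing_number(rtn))
    print(validate_funding_form("071923459", "0012345678", "250.00"))
```

The check digit catches every single-digit typo and most adjacent transpositions, which is exactly the class of error a customer makes copying a number off a check; it says nothing about whether the institution exists or accepts ACH debits, so treat a pass as "worth sending to the directory lookup", not as approval.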
Unit #4 Risk
BSA/AML PROGRAM
RISK ASSESSMENT
IDENTIFY & MEASURE RISK
Products, services, customers and geographies

INTERNAL CONTROLS
Develop applicable policies, procedures, systems and controls

Risk-based compliance program, built on:
  Internal controls
  Audit (independent testing)
  BSA compliance officer
  Training
ANTI MONEY LAUNDERING PROGRAM
Customer Identification Program & Training
Increased risk when not opened in person
Customer Due Diligence, Customer Monitoring Programs & Training
Suspicious Activity Awareness and Reporting by Staff and Management
AFTER GATHERING THE INFORMATION, ASSIGN RISK
Customer Identification Program (CIP) risk is related to many items. You will probably consider accounts to be high risk if they were:
• Not opened in person
• Opened by nonresident aliens
• Opened without all documents
• Opened without proper identification
• Opened for a minor (What is your bank's policy on identification for joint accounts?)
HIGH INTENSITY DRUG TRAFFICKING AREAS
[Map: HIDTA Headquarters and Southwest Border Regions]
http://www.whitehousedrugpolicy.gov/hidta/index.html
PUBLICATION 519
Note to participants: You may wish to print all of Publication 519 with these materials. It may prove useful to you.
Figure 1-A. Nonresident Alien or Resident Alien?
Unit #5 Other Compliance Issues
THE UNIFORM ELECTRONIC TRANSACTIONS ACT (UETA)
UETA is one of the several United States Uniform Acts proposed by the National Conference of Commissioners on Uniform State Laws (NCCUSL). Since its promulgation in 1999, 47 states, the District of Columbia, Puerto Rico, and the U.S. Virgin Islands have adopted it into their own laws. Its overarching purpose is to bring into line the differing state laws over such areas as retention of paper records (checks in particular) and the validity of electronic signatures, thereby supporting the NCCUSL
Before adoption of this Act, most states required banks to retain physical copies of all checks they processed. Keeping these checks in electronic form only vastly simplifies storage and access for banks. UETA rectifies this by streamlining and unifying these laws to allow electronic retention. In much the same fashion, UETA addresses the need to retain paper copies of other records and contracts, effectively giving legally binding status to electronic documents and signatures.
Definitions are given in Section 2, namely [2]:
(7) Electronic record - means a record created, generated, sent, communicated, received, or stored by electronic means.
(8) Electronic signature - means an electronic sound, symbol, or process attached to or logically associated with a record and executed or adopted by a person with the intent to sign the record.
Another important aspect of this definition lies in the necessity that the electronic signature be linked or logically associated with the record. In the paper world, it is assumed that the symbol adopted by a party is attached to or located somewhere in the same paper that is intended to be authenticated, e.g., an allonge firmly attached to a promissory note, or the classic signature at the end of a long contract. These tangible manifestations do not exist in the electronic environment, and accordingly, this definition expressly provides that the symbol must in some way be linked to, or connected with, the electronic record being signed. This linkage is consistent with the regulations promulgated by the Food and Drug Administration. 21 CFR Part 11 (March 20, 1997).
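To make the "attached to or logically associated with" requirement concrete for an online account opening (the same definition appears in the E-Sign Act further below), the block that follows is an added example written for this manual; it is not text of UETA or the E-Sign Act and not any vendor's product. It binds the customer's acceptance click to a SHA-256 digest of the exact disclosure record that was on screen, and protects the whole signature event with an HMAC under a key the institution holds. The disclosure text, customer ID and key are constructed sample values; the HMAC stands in for whatever "security procedure" the institution adopts for attribution under Section 9, and it assumes the institution has already authenticated the signer before the click.

```python
import hashlib
import hmac
import json

# Constructed sample values (not a real key or customer data).
SERVER_KEY = b"institution-held-signature-key-2016"
DISCLOSURE = {
    "document": "Deposit Account Agreement",
    "version": "2016-01",
    "text": "Constructed sample disclosure text for the worked example.",
}


def canonical(record: dict) -> bytes:
    """Serialize a record deterministically so identical content always hashes identically."""
    return json.dumps(record, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def record_digest(record: dict) -> str:
    """SHA-256 of the canonical record; this is what the signature is 'logically associated' with."""
    return hashlib.sha256(canonical(record)).hexdigest()


def sign_record(server_key: bytes, record: dict, signer_id: str, intent: str, signed_at: str) -> dict:
    """Build the signature event for an acceptance click.

    The event names the digest of the record being signed, who signed, the words the
    customer adopted (the intent) and when; the MAC covers every one of those fields.
    """
    event = {
        "record_sha256": record_digest(record),
        "signer_id": signer_id,
        "intent": intent,
        "signed_at": signed_at,
    }
    event["mac"] = hmac.new(server_key, canonical(event), hashlib.sha256).hexdigest()
    return event


def verify_signature(server_key: bytes, record: dict, event: dict) -> tuple:
    """Return (ok, reason). Fails if the stored event was altered OR the record no longer matches it."""
    body = {k: v for k, v in event.items() if k != "mac"}
    expected = hmac.new(server_key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, event.get("mac", "")):
        return False, "signature event altered or wrong key"
    if not hmac.compare_digest(record_digest(record), event.get("record_sha256", "")):
        return False, "record differs from the one that was signed"
    return True, "signature is linked to this exact record"


def demo() -> dict:
    """Sign the sample disclosure, then show that later changes to either side break the link."""
    event = sign_record(SERVER_KEY, DISCLOSURE, "cust-000123", "I agree and accept", "2016-03-01T14:05:00Z")
    ok_original, _ = verify_signature(SERVER_KEY, DISCLOSURE, event)
    amended = dict(DISCLOSURE, version="2016-02")  # the agreement is amended after the click
    ok_amended, _ = verify_signature(SERVER_KEY, amended, event)
    edited = dict(event, intent="I agree to all future amendments")  # stored event is edited
    ok_edited, _ = verify_signature(SERVER_KEY, DISCLOSURE, edited)
    return {"original": ok_original, "amended_record": ok_amended, "edited_event": ok_edited}


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from this. The stored event proves what was accepted only if the institution also retains the canonical record whose digest it names, so the disclosure text and the event are kept together under the same retention controls (the Section 12 half of the linkage). And an HMAC can be verified only by whoever holds the key, which is fine for the institution's own records; where a third party must verify without the key, a digital signature from a key pair the institution can vouch for takes the place of the HMAC.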
Section 3 gives the scope of the Act. The scope of this Act is inherently limited by the fact that it only applies to transactions related to business, commercial (including consumer) and governmental matters. Consequently, transactions with no relation to business, commercial or governmental transactions would not be subject to this Act. Unilaterally generated electronic records and signatures which are not part of a transaction also are not covered by this Act.
Section 4 states that the Act "...applies to any electronic record or electronic signature created, generated, sent, communicated, received, or stored"
Section 5(a) states that transactions are not required to be in electronic form and 5(b) states
(b) This [Act] applies only to transactions between parties each of which has agreed to conduct transactions by electronic means. Whether the parties agree to conduct a transaction by electronic means is determined from the context and surrounding circumstances, including the parties' conduct.
Section 6 lists the application and intended purpose of the Act, namely "to facilitate and promote commerce and governmental transactions by validating and authorizing the use of electronic records and electronic signatures".
Section 7 gives legal recognition to electronic signatures, records and contracts:
(a) A record or signature may not be denied legal effect or enforceability solely because it is in electronic form.
(b) A contract may not be denied legal effect or enforceability solely because an electronic record was used in its formation.
(c) If a law requires a record to be in writing, an electronic record satisfies the law.
(d) If a law requires a signature, an electronic signature satisfies the law.
Section 8 provides that the information be available to all parties:
(a) ...An electronic record is not capable of retention by the recipient if the sender or its information processing system inhibits the ability of the recipient to print or store the electronic record.
(c) If a sender inhibits the ability of a recipient to store or print an electronic record, the electronic record is not enforceable against the recipient.
Section 9 discusses the attribution and effect of electronic records and electronic signatures:
(a) An electronic record or electronic signature is attributable to a person if it was the act of the person. The act of the person may be shown in any manner, including a showing of the efficacy of any security procedure applied to determine the person to which the electronic record or electronic signature was attributable.
(b) The effect of an electronic record or electronic signature attributed to a person under subsection (a) is determined from the context and surrounding circumstances at the time of its creation, execution, or adoption, including the parties' agreement, if any, and otherwise as provided by law.
Section 10 defines the conditions if a change or error in an electronic record occurs in a transmission between parties to a transaction.
Section 11 permits a notary public and other authorized officers to act electronically, effectively removing the stamp/seal requirements.
Section 12 states that the requirement of "retention of records" is satisfied by retaining an electronic record:
(a) If a law requires that a record be retained, the requirement is satisfied by retaining an electronic record of the information in the record which: (1) accurately reflects the information set forth in the record after it was first generated in its final form as an electronic record or otherwise; and (2) remains accessible for later reference.
(c) A person may satisfy subsection (a) by using the services of another person if the requirements of that subsection are satisfied.
Section 13: "In a proceeding, evidence of a record or signature may not be excluded solely because it is in electronic form."
Section 14 discusses automated transactions:
(1) covers situations where a "...contract may be formed by the interaction of electronic agents of the parties, even if no individual was aware of or reviewed the electronic agents' actions or the resulting terms and agreements."
(2) applies to a contract that "may be formed by the interaction of an electronic agent and an individual".
Section 15 defines the "Time and Place" aspects of electronic transmissions. Comment 1: This section provides default rules regarding when and from where an electronic record is sent and when and where an electronic record is received. This section does not address the efficacy of the record that is sent or received. That is, whether a record is unintelligible or unusable by a recipient is a separate issue from whether that record was sent or received. The effectiveness of an illegible record, whether it binds any party, are questions left to other law.
Section 16 outlines transferable records:
(c) A system satisfies subsection (b), and a person is deemed to have control of a transferable record, if the transferable record is created, stored, and assigned in such a manner that: (1) a single authoritative copy of the transferable record exists which is unique, identifiable, and, except as otherwise provided in paragraphs (4), (5), and (6), unalterable;
Sections 17-19 have been bracketed as optional provisions to be considered for adoption by each State. Among the barriers to electronic commerce are barriers which exist in the use of electronic media by State governmental agencies, whether among themselves or in external dealings with the private sector.
THE ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE ACT (E-SIGN ACT)
Introduction
The Electronic Signatures in Global and National Commerce Act (E-Sign Act)[2], signed into law on June 30, 2000, provides a general rule of validity for electronic records and signatures for transactions in or affecting interstate or foreign commerce. The E-Sign Act allows the use of electronic records to satisfy any statute, regulation, or rule of law requiring that such information be provided in writing, if the consumer has affirmatively consented to such use and has not withdrawn such consent. Subject to certain exceptions, the substantive provisions of the law were effective on October 1, 2000. Record retention requirements became effective on March 1, 2001. The E-Sign Act grandfathers existing agreements between a consumer and an institution to deliver information electronically. However, agreements made on or after October 1, 2000, are subject to the requirements of the E-Sign Act.
Summary of Major Provisions
Consumer Disclosures: Prior Consent, Notice of Availability of Paper Records
Prior to obtaining their consent, financial institutions must provide the consumer a clear and conspicuous statement informing the consumer:
• of any right or option to have the record provided or made available on paper or in a non-electronic form, and the right to withdraw consent, including any conditions, consequences, and fees in the event of such withdrawal;
• whether the consent applies only to the particular transaction that triggered the disclosure or to identified categories of records that may be provided during the course of the parties’ relationship;
• describing the procedures the consumer must use to withdraw consent and to update information needed to contact the consumer electronically; and
• informing the consumer how the consumer may nonetheless request a paper copy of a record and whether any fee will be charged for that copy.
See Section 101(c)(1)(B).[1]
[1] This section fully incorporates the examination procedures issued under DSC RD Memo 08-035: Regulation E - Amended Interagency Examination Procedures.
[2] Public Law 106-229, June 30, 2000.
Hardware and Software Requirements; Notice of Changes
Prior to consenting to the use of an electronic record, a consumer must be provided with a statement of the hardware and software requirements for access to and retention of electronic records. See Section 101(c)(1)(C)(i). If the consumer consents electronically, or confirms his or her consent electronically, it must be in a manner that reasonably demonstrates the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent. See Section 101(c)(1)(C)(ii).
If a change in the hardware or software requirements needed to access or retain electronic records creates a material risk that the consumer will not be able to access or retain subsequent electronic records subject to the consent, a financial institution must:
• provide the consumer with a statement of (a) the revised hardware and software requirements for access to and retention of electronic records, and (b) the right to withdraw consent without the imposition of any condition, consequence, or fee for such withdrawal; and
• again comply with the requirements of subparagraph (C) of this section. See Section 101(c)(1)(D).
Oral communications or a recording of an oral communication shall not qualify as an electronic record. See Section 101(c)(6).
Record Retention
The E-Sign Act requires a financial institution to maintain electronic records accurately reflecting the information contained in applicable contracts, notices or disclosures and that they remain accessible to all persons who are legally entitled to access for the period required by law in a form that is capable of being accurately reproduced for later reference. See Section 101(d).
Agreements reached with consumers prior to October 1, 2000, to deliver information electronically are exempt from the requirements of Section 101(d). However, for any agreements made with new or existing customers on or after October 1, 2000, the requirements of Section 101(c)(1) will supersede all other consumer consent procedures relating to the use of electronic disclosures set forth in other regulations.
Regulatory and Other Actions
The consumer consent provisions in the E-Sign Act became effective October 1, 2000, and did not require implementing regulations. Nonetheless, on March 30, 2001, the Federal Reserve Board (FRB) adopted interim final rules (Interim Final Rules) establishing uniform standards for the electronic delivery of federally mandated disclosures for five consumer protection regulations: Regulation B, Equal Credit Opportunity; Regulation E, Electronic Fund Transfers; Regulation M, Consumer Leasing; Regulation Z, Truth in Lending; and Regulation DD, Truth in Savings. The Interim Final Rules provided guidance on the timing and delivery of electronic disclosures. Pursuant to the Interim Final Rules, disclosures can be provided by e-mail or can be made available at another location such as the institution’s web site. If a disclosure, such as an account statement or a notice of change of terms, is provided at a web site, an institution must notify the consumer of the disclosure’s availability by e-mail. In addition, the disclosures must remain available on the web site for 90 days. On August 3, 2001, the FRB lifted the mandatory compliance date of October 1, 2001, and directed institutions to follow their existing procedures[3] or, alternatively, to comply with the Interim Final Rules until permanent rules are issued. Once permanent final rules are issued, the Board expects to afford institutions a reasonable period of time to comply with those rules.
(Source of this E-Sign material: FDIC Compliance Manual, June 2009, X. Other – E-Sign Act, X-3.2)
Definitions
“Consumer” – The term “consumer” means an individual who obtains, through a transaction, products or services which are used primarily for personal, family, or household purposes, and also means the legal representative of such an individual.
“Electronic” – The term “electronic” means relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic, or similar capabilities.
“Electronic Agent” – The term “electronic agent” means a computer program or an electronic or other automated means used independently to initiate an action or respond to electronic records or performances in whole or in part without review or action by an individual at the time of the action or response.
“Electronic Record” – The term “electronic record” means a contract or other record created, generated, sent, communicated, received, or stored by electronic means.
“Electronic Signature” – The term “electronic signature” means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.
[3] Existing procedures of the institutions are expected to be compliant with Federal Reserve Regulations E and DD.
“Federal Regulatory Agency” – The term “Federal regulatory agency” means an agency as that term is defined in section 552(f) of Title 5, United States code.
“Information” – The term “information” means data, text, images, sounds, codes, computer programs, software, databases, or the like.
“Person” – The term “person” means an individual, corporation, business trust, estate, trust, partnership, Limited Liability Company, association, joint venture, governmental agency, public corporation or any other legal or commercial entity.
“Record” – The term “record” means information that is inscribed on a tangible medium or that is stored in an electronic or other medium and is retrievable in perceivable form.
“Requirement” – The term “requirement” includes a prohibition.
“Self-Regulatory Organization” – The term “self-regulatory organization” means an organization or entity that is not a Federal regulatory agency or a State, but that is under the supervision of a Federal regulatory agency and is authorized under Federal law to adopt and administer rules applicable to its members that are enforced by such organization or entity, by a Federal regulatory agency, or by another self-regulatory organization.
“State” – The term “State” includes the District of Columbia and the territories and possessions of the United States.
“Transaction” – The term “transaction” means an action or set of actions relating to the conduct of business, consumer, or commercial affairs between two or more persons, including any of the following types of conduct:
1. the sale, lease, exchange, licensing, or other disposition of (i) personal property, including goods and intangibles, (ii) services, and (iii) any combination thereof; and
2. the sale, lease, exchange, or other disposition of any interest in real property, or any combination thereof.
Examination Procedures
1. Determine if and to what extent the financial institution electronically delivers compliance-related notices or disclosures subject to the consumer consent provisions of the Act.
2. Determine if the financial institution has established procedures to ensure compliance with the provisions of this Act.
3. Determine that the consumer, prior to consenting, is provided with a clear and conspicuous statement informing the consumer of any right or option to have the record provided or made available on paper or in non-electronic form, and the right to withdraw the consent, including any conditions, consequences, or fees in the event of such withdrawal. Verify that the statement contains the following:
   a. informs the consumer whether the consent applies only to the particular transaction that triggered the disclosure or to identified categories of records that may be provided during the course of the parties’ relationship;
   b. describes the procedures the consumer must use to withdraw consent and to update information needed to contact the consumer electronically; and
   c. informs the consumer how the consumer may nonetheless request a paper copy of a record and whether any fee will be charged for that copy.
4. Determine that the consumer, prior to consenting, is provided with a statement of the hardware and software requirements for access to and retention of electronic records.
5. Determine that the consumer provides affirmative consent electronically, or confirms his or her consent electronically, in a manner that reasonably demonstrates the consumer can access information in the electronic form that will be used to provide the information that is the subject of the consent.
   NOTE: Oral communications shall not qualify as an electronic record.
6. If a change in the hardware or software requirements needed to access or retain electronic records creates a material risk that the consumer will not be able to access or retain subsequent electronic records subject to the consent, verify that the financial institution provides the consumer with the following:
   a. a statement of the revised hardware and software requirements for access to and retention of electronic records;
   b. the right to withdraw consent without the imposition of any condition, consequence, or fee for such withdrawal; and
   c. the consumer provides a new affirmative consent as previously outlined.
7. Determine that the financial institution maintains a single “authoritative” copy of any transferable record relating to a loan secured by real property. Such record must be “unique”, “identifiable”, and “unalterable”.
8. Determine that the financial institution maintains electronic records accurately reflecting the information contained in applicable contracts, notices, or disclosures and that they remain accessible to all persons who are legally entitled to access for the period required by law in a form that is capable of being accurately reproduced for later reference.
References
FIL 79-98: Interagency Guidance on Electronic Financial Services and Consumer Compliance, Guidance Attachment
FIL 66-2001: Lifting of Mandatory Compliance Date for Interim Rules Amending Regulations B, E, M, Z, and DD
FIL 40-2001: Interim Final Rules Amending Regulations B, E, M, Z, and DD Regarding Electronic Delivery of Required Disclosures
FIL 72-2000: Notice of Consumer Consent Requirements Applicable to the Electronic Delivery of Consumer Disclosures
DCA RD Memo 96-044: Electronic Banking Activities
FIL 14-97: Examination Guidance on the Safety and Soundness Aspects of Electronic Banking Activities
FIL 70-2001: FDIC Seeks Comment on Study of Banking Regulations Regarding the Online Delivery of Banking Services
FIL 30-2003: Federal Bank and Credit Union Regulatory Agencies Jointly Issue Guidance on the Risk Associated with Weblinking
AUTHENTICATION IN AN INTERNET BANKING ENVIRONMENT
Purpose
On August 8, 2001, the FFIEC agencies[See Footnote 1] (agencies) issued guidance entitled Authentication in an Electronic Banking Environment (2001 Guidance). The 2001 Guidance focused on risk management controls necessary to authenticate the identity of retail and commercial customers accessing Internet-based financial services. Since 2001, there have been significant legal and technological changes with respect to the protection of customer information;[See Footnote 2] increasing incidents of fraud, including identity theft; and the introduction of improved authentication technologies. This updated guidance replaces the 2001 Guidance and specifically addresses why financial institutions regulated by the agencies should conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services.
This guidance applies to both retail and commercial customers and does not endorse any particular technology. Financial institutions should use this guidance when evaluating and implementing authentication systems and practices whether they are provided internally or by a service provider. Although this guidance is focused on the risks and risk management techniques associated with the Internet delivery channel, the principles are applicable to all forms of electronic banking activities.
Summary of Key Points
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
Footnote 1 -- Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, National Credit Union Administration, Office of the Comptroller of the Currency, and Office of Thrift Supervision.[End of Footnote 1]
Footnote 2 -- Customer information means any record containing nonpublic personal information as defined in the Interagency Guidelines Establishing Information Security Standards at section I.C.2. 12 CFR Part 30, app. B (OCC); 12 CFR Part 208, app. D-2 and Part 225, app. F (FRB); 12 CFR Part 364, app. B (FDIC); 12 CFR Part 570, app. B (OTS); and 12 CFR Part 748, app. A (NCUA).[End of Footnote 2]
Consistent with the FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002, financial institutions should periodically:
• Ensure that their information security program:
– Identifies and assesses the risks associated with Internet-based products and services,
– Identifies risk mitigation actions, including appropriate authentication strength, and
– Measures and evaluates customer awareness efforts;
• Adjust, as appropriate, their information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information; and
• Implement appropriate risk mitigation strategies.
Background
Financial institutions engaging in any form of Internet banking should have effective and reliable methods to authenticate customers. An effective authentication system is necessary for compliance with requirements to safeguard customer information,[See Footnote 3] to prevent money laundering and terrorist financing,[See Footnote 4] to reduce fraud, to inhibit identity theft, and to promote the legal enforceability of their electronic agreements and transactions. The risks of doing business with unauthorized or incorrectly identified persons in an Internet banking environment can result in financial loss and reputation damage through fraud, disclosure of customer information, corruption of data, or unenforceable agreements.
There are a variety of technologies and methodologies financial institutions can use to authenticate customers. These methods include the use of customer passwords, personal identification numbers (PINs), digital certificates using a public key infrastructure (PKI), physical devices such as smart cards, one-time passwords (OTPs), USB plug-ins or other types of “tokens”, transaction profile scripts, biometric identification, and others. (The appendix to this guidance contains a more detailed discussion of authentication techniques.) The level of risk protection afforded by each of these techniques varies. The selection and use of authentication technologies and methods should depend upon the results of the financial institution’s risk assessment process.
Footnote 3 -- The Interagency Guidelines Establishing Information Security Standards that implement section 501(b) of the Gramm–Leach–Bliley Act, 15 USC 6801, require banks and savings associations to safeguard the information of persons who obtain or have obtained a financial product or service to be used primarily for personal, family or household purposes, with whom the institution has a continuing relationship. Credit unions are subject to a similar rule.[End of Footnote 3]
Footnote 4 -- The regulations implementing section 326 of the USA PATRIOT Act, 31 USC § 5318(l), require banks, savings associations and credit unions to verify the identity of customers opening new accounts. See 31 CFR 103.121; 12 CFR 21.21 (OCC); 12 CFR 563.177 (OTS); 12 CFR 326.8 (FDIC); 12 CFR 208.63 (state member banks), 12 CFR 211.5(m) (Edge or agreement corporation or any branch or subsidiary thereof), 12 CFR 211.24(j) (uninsured branch, an agency, or a representative office of a foreign financial institution operating in the United States (FRB); and 12 CFR Part 748.2 (NCUA).[End of Footnote 4]
Existing authentication methodologies involve three basic “factors”:
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a fingerprint).
Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (i.e., something the user knows); whereas, an ATM transaction requires multifactor authentication: something the user possesses (i.e., the card) combined with something the user knows (i.e., PIN). A multifactor authentication methodology may also include “out–of–band”[See Footnote 5] controls for risk mitigation. The success of a particular authentication method depends on more than the technology. It also depends on appropriate policies, procedures, and controls. An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.
Risk Assessment
The implementation of appropriate authentication methodologies should start with an assessment of the risk posed by the institution’s Internet banking systems. The risk should be evaluated in light of the type of customer (e.g., retail or commercial); the customer transactional capabilities (e.g., bill payment, wire transfer, loan origination); the sensitivity of customer information being communicated to both the institution and the customer; the ease of using the communication method; and the volume of transactions. Prior agency guidance has elaborated on this risk-based and “layered” approach to information security.[See Footnote 6]
An effective authentication program should be implemented to ensure that controls and authentication tools are appropriate for all of the financial institution’s Internet-based products and services. Authentication processes should be designed to maximize interoperability and should be consistent with the financial institution’s overall strategy for Internet banking and electronic commerce customer services. The level of authentication used by a financial institution in a particular application should be appropriate to the level of risk in that application. A comprehensive approach to authentication requires development of, and adherence to, the institution’s information security standards, integration of authentication processes within the overall information security framework, risk assessments within lines of businesses supporting selection of authentication tools, and central authority for oversight and risk monitoring. This authentication process should be consistent with and support the financial institution’s overall security and risk management programs.
Footnote 5 -- Out–of–band generally refers to additional steps or actions taken beyond the technology boundaries of a typical transaction. Callback (voice) verification, e-mail approval or notification, and cell–phone based challenge/response processes are some examples.[End of Footnote 5]
Footnote 6 -- FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002; FFIEC Information Technology Examination Handbook, E-Banking Booklet, August 2003.[End of Footnote 6]
The method of authentication used in a specific Internet application should be appropriate and reasonable, from a business perspective, in light of the reasonably foreseeable risks in that application. Because the standards for implementing a commercially reasonable system may change over time as technology and other procedures develop, financial institutions and technology service providers should develop an ongoing process to review authentication technology and ensure appropriate changes are implemented.
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Single-factor authentication tools, including passwords and PINs, have been widely used for a variety of Internet banking and electronic commerce activities, including account inquiry, bill payment, and account aggregation. However, financial institutions should assess the adequacy of such authentication techniques in light of new or changing risks such as phishing, pharming,[See Footnote 7] malware,[See Footnote 8] and the evolving sophistication of compromise techniques. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
The risk assessment process should:
• Identify all transactions and levels of access associated with Internet-based customer products and services;
• Identify and assess the risk mitigation techniques, including authentication methodologies, employed for each transaction type and level of access; and
• Include the ability to gauge the effectiveness of risk mitigation techniques for current and changing risk factors for each transaction type and level of access.
Account Origination and Customer Verification
With the growth in electronic banking and commerce, financial institutions should use reliable methods of originating new customer accounts online. Moreover, customer identity verification during account origination is required by section 326 of the USA PATRIOT Act and is important in reducing the risk of identity theft, fraudulent account applications, and unenforceable account agreements or transactions. Potentially significant risks arise when a financial institution accepts new customers through the Internet or other electronic channels because of the absence of the physical cues that financial institutions traditionally use to identify persons.
One method to verify a customer’s identity is a physical presentation of a proof of identity credential such as a driver's license. Similarly, to establish the validity of a business and the authority of persons to perform transactions on its behalf, financial institutions typically review articles of incorporation, business credit reports, board resolutions identifying officers and authorized signers, and other business credentials. However, in an Internet banking environment, reliance on these traditional forms of paper-based verification decreases substantially. Accordingly, financial institutions need to use reliable alternative methods. (The appendix to this guidance describes verification processes in more detail.)
Monitoring and Reporting
Monitoring systems can determine if unauthorized access to computer systems and customer accounts has occurred. A sound authentication system should include audit features that can assist in the detection of fraud, money laundering, compromised passwords, or other unauthorized activities. The activation and maintenance of audit logs can help institutions to identify unauthorized activities, detect intrusions, reconstruct events, and promote employee and user accountability. In addition, financial institutions should report suspicious activities to appropriate regulatory and law enforcement agencies as required by the Bank Secrecy Act.[See Footnote 9]
Financial institutions should rely on multiple layers of control to prevent fraud and safeguard customer information. Much of this control is not based directly upon authentication. For example, a financial institution can analyze the activities of its customers to identify suspicious patterns. Financial institutions also can rely on other control methods, such as establishing transaction dollar limits that require manual intervention to exceed a preset limit.
Adequate reporting mechanisms are needed to promptly inform security administrators when users are no longer authorized to access a particular system and to permit the timely removal or suspension of user account access. Furthermore, if critical systems or processes are outsourced to third parties, management should ensure that the appropriate logging and monitoring procedures are in place and that suspected unauthorized activities are communicated to the institution in a timely manner. An independent party (e.g., internal or external auditor) should review activity reports documenting the security administrators’ actions to provide the necessary checks and balances for managing system security.
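The audit features this section asks for only pay off when someone actually runs detection logic over the logs. As an added example, not part of the guidance, here is such logic run over a handful of constructed authentication log lines. The log format (`TIMESTAMP ip=… user=… result=…`), the two rules and the thresholds are all assumptions chosen for the illustration; the two rules flag one source address failing against many different accounts in a short window, and a run of failures on one account immediately followed by a success.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of an authentication audit log (not real data).
SAMPLE_LOG = """\
2016-03-01T09:00:01Z ip=203.0.113.5 user=alice result=FAIL
2016-03-01T09:00:03Z ip=203.0.113.5 user=bob result=FAIL
2016-03-01T09:00:04Z ip=203.0.113.5 user=carol result=FAIL
2016-03-01T09:00:06Z ip=203.0.113.5 user=dave result=FAIL
2016-03-01T09:00:09Z ip=203.0.113.5 user=erin result=OK
2016-03-01T09:05:00Z ip=198.51.100.7 user=frank result=FAIL
2016-03-01T09:05:20Z ip=198.51.100.7 user=frank result=FAIL
2016-03-01T09:05:40Z ip=198.51.100.7 user=frank result=FAIL
2016-03-01T09:06:00Z ip=198.51.100.7 user=frank result=FAIL
2016-03-01T09:06:30Z ip=198.51.100.7 user=frank result=OK
2016-03-01T10:00:00Z ip=192.0.2.9 user=grace result=OK
""".splitlines()


def parse_line(line: str) -> dict:
    """Parse 'TIMESTAMP key=value ...' into a dict; the timestamp goes under 'ts'."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_suspicious_logins(lines, window=timedelta(minutes=5),
                             min_accounts=4, min_failures=3):
    """Return a list of (rule, subject, detail) alerts found in the log lines."""
    events = sorted((parse_line(l) for l in lines), key=lambda e: e["ts"])
    alerts = []

    by_ip = defaultdict(list)
    by_user = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
        by_user[e["user"]].append(e)

    # Rule 1: one address failing against many distinct accounts inside the window
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        for i, first in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["ts"] - first["ts"] <= window}
            if len(users) >= min_accounts:
                alerts.append(("many-accounts-from-one-ip", ip, sorted(users)))
                break

    # Rule 2: a run of failures on one account immediately followed by a success
    for user, evs in by_user.items():
        streak = 0
        for e in evs:
            if e["result"] == "FAIL":
                streak += 1
                continue
            if streak >= min_failures:
                alerts.append(("failures-then-success", user, streak))
            streak = 0
    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious_logins(SAMPLE_LOG):
        print(alert)
```

Both rules are deliberately simple; in a production system the thresholds would come from the institution's own baseline, and an alert would feed the review and suspicious-activity reporting process the section describes rather than block access by itself.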
Customer Awareness
Financial institutions have made, and should continue to make, efforts to educate their customers. Because customer awareness is a key defense against fraud and identity theft, financial institutions should evaluate their consumer education efforts to determine if additional steps are necessary. Management should implement a customer awareness program and periodically evaluate its effectiveness. Methods to evaluate a program’s effectiveness include tracking the number of customers who report fraudulent attempts to obtain their authentication credentials (e.g., ID/password), the number of clicks on information security links on Web sites, the number of statement stuffers or other direct mail communications, the dollar amount of losses relating to identity theft, etc.
Conclusion
Financial institutions offering Internet-based products and services should have reliable and secure methods to authenticate their customers. The level of authentication used by the financial institution should be appropriate to the risks associated with those products and services. Financial institutions should conduct a risk assessment to identify the types and levels of risk associated with their Internet banking applications. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks. The agencies consider single-factor authentication, as the only control mechanism, to be inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties.
Footnote 7 -- Similar in nature to e-mail phishing, pharming seeks to obtain personal information by directing users to spoofed Web sites where their information is captured, usually from a legitimate–looking form.[End of Footnote 7]
Footnote 8 -- Short for malicious software, such as software designed to capture and forward private information such as ID’s, passwords, account numbers, and PINs.[End of Footnote 8]
Footnote 9 -- 31 USC 5318; 12 CFR 21.11 (OCC); 12 CFR 563.180 (OTS); 12 CFR 353 (FDIC); 12 CFR 208.62 [state member banks]; 12 CFR 211.5 (k) [edge or agreement corporation, or any branch or subsidiary thereof]; 12 CFR 211.24 (f) [uninsured branch, an agency, or a representative office of a foreign financial institution operating in the United States]; 12 CFR 225.4 (f) [bank holding company or any non bank subsidiary thereof] (FRB); and 12 CFR Part 748.1 and Part 748.2 (NCUA).[End of Footnote 9]
Appendix[See Footnote 10]
Background
The term authentication, as used in this guidance, describes the process of verifying the identity of a person or entity. Within the realm of electronic banking systems, the authentication process is one method used to control access to customer accounts and personal information. Authentication is typically dependent upon customers providing valid identification data followed by one or more authentication credentials (factors) to prove their identity.
Customer identifiers may be a bankcard for ATM usage, or some form of user ID for remote access. An authentication factor (e.g. PIN or password) is secret or unique information linked to a specific customer identifier that is used to verify that identity.
Generally, the way to authenticate customers is to have them present some sort of factor to prove their identity. Authentication factors include one or more of the following:
• Something a person knows—commonly a password or PIN. If the user types in the correct password or PIN, access is granted.
• Something a person has—most commonly a physical device referred to as a token. Tokens include self-contained devices that must be physically connected to a computer or devices that have a small screen where a one-time password (OTP) is displayed, which the user must enter to be authenticated.
• Something a person is—most commonly a physical characteristic, such as a fingerprint, voice pattern, hand geometry, or the pattern of veins in the user’s eye. This type of authentication is referred to as “biometrics” and often requires the installation of specific hardware on the system to be accessed.
Authentication methodologies are numerous and range from simple to complex. The level of security provided varies based upon both the technique used and the manner in which it is deployed. Single-factor authentication involves the use of one factor to verify customer identity. The most common single-factor method is the use of a password. Two-factor authentication is most widely used with ATMs. To withdraw money from an ATM, the customer must present both an ATM card (something the person has) and a password or PIN (something the person knows). Multifactor authentication utilizes two or more factors to verify customer identity. Authentication methodologies based upon multiple factors can be more difficult to compromise and should be considered for high-risk situations. The effectiveness of a particular authentication technique is dependent upon the integrity of the selected product or process and the manner in which it is implemented and managed.
Footnote 10 -- This Appendix is based (December 14, 2004) and the FDIC Study Supplement (June 17, 2005).[End of Footnote 10]
Authentication Techniques, Processes, and Methodologies
Material provided in the following sections is for informational purposes only. The selection and use of any technique should be based upon the assessed risk associated with a particular electronic banking product or service.
Shared Secrets
Shared secrets (something a person knows) are information elements that are known or shared by both the customer and the authenticating entity. Passwords and PINs are the best known shared secret techniques but some new and different types are now being used as well. Some additional examples are:
• Questions or queries that require specific customer knowledge to answer, e.g., the exact amount of the customer’s monthly mortgage payment.
• Customer-selected images that must be identified or selected from a pool of images.
The customer’s selection of a shared secret normally occurs during the initial enrollment process or via an offline ancillary process. Passwords or PIN values can be chosen, questions can be chosen and responses provided, and images may be uploaded or selected.
The security of shared secret processes can be enhanced with the requirement for periodic change. Shared secrets that never change are described as “static” and the risk of compromise increases over time. The use of multiple shared secrets also provides increased security because more than one secret must be known to authenticate.
Shared secrets can also be used to authenticate the institution’s Web site to the customer. This is discussed in the Mutual Authentication section.
Tokens
Tokens are physical devices (something the person has) and may be part of a multifactor authentication scheme. Three types of tokens are discussed here: the USB token device, the smart card, and the password-generating token.
USB Token Device
The USB token device is typically the size of a house key. It plugs directly into a computer’s USB port and therefore does not require the installation of any special hardware on the user’s computer. Once the USB token is recognized, the customer is prompted to enter his or her password (the second authenticating factor) in order to gain access to the computer system.
USB tokens are one-piece, injection-molded devices. USB tokens are hard to duplicate and are tamper resistant; thus, they are a relatively secure vehicle for storing sensitive data and credentials. The device has the ability to store digital certificates that can be used in a public key infrastructure (PKI) environment.
The USB token is generally considered to be user-friendly. Its small size makes it easy for the user to carry and, as noted above, it plugs into an existing USB port; thus the need for additional hardware is eliminated.
Smart Card
A smart card is the size of a credit card and contains a microprocessor that enables it to store and process data. Inclusion of the microprocessor enables software developers to use more robust authentication schemes. To be used, a smart card must be inserted into a compatible reader attached to the customer’s computer. If the smart card is recognized as valid (first factor), the customer is prompted to enter his or her password (second factor) to complete the authentication process.
Smart cards are hard to duplicate and are tamper resistant; thus, they are a relatively secure vehicle for storing sensitive data and credentials. Smart cards are easy to carry and easy to use. Their primary disadvantage as a consumer authentication device is that they require the installation of a hardware reader and associated software drivers on the consumer’s home computer.
Password-Generating Token
A password-generating token produces a unique pass-code, also known as a one-time password (OTP), each time it is used. The token ensures that the same OTP is not used consecutively. The OTP is displayed on a small screen on the token. The customer first enters his or her user name and regular password (first factor), followed by the OTP generated by the token (second factor). The customer is authenticated if (1) the regular password matches and (2) the OTP generated by the token matches the password on the authentication server. A new OTP is typically generated every 60 seconds—in some systems, every 30 seconds. This very brief period is the life span of that password. OTP tokens generally last 4 to 5 years before they need to be replaced.
Password-generating tokens are secure because of the time-sensitive, synchronized nature of the authentication. The randomness, unpredictability, and uniqueness of the OTPs substantially increase the difficulty of a cyber-thief capturing and using OTPs gained from keyboard logging.
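The time-synchronized check described above (and the OTP token mentioned under "Something a person has" in the Background) can be shown concretely. The following is an added example, not code from the guidance or from any token vendor: it implements the standard HMAC-based construction (RFC 4226 HOTP with the RFC 6238 time step), with the 30-second step and 6-digit length as assumptions, and a server-side verifier that tolerates one step of clock drift in either direction but refuses to accept a code for a time step it has already accepted, which is the "same OTP is not used consecutively" property the text calls for.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is the number of whole time steps since the Unix epoch.
    The token and the authentication server both compute this from their own clocks."""
    return hotp(secret, int(unix_time) // step, digits)


class OtpVerifier:
    """Server side of the second-factor check.

    Accepts the code for the current step or one step either side (clock drift) and
    records the step it accepted, so a captured code cannot be replayed: a code for
    that step, or any earlier step, is refused from then on.
    """

    def __init__(self, secret: bytes, step: int = 30, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift_steps = drift_steps
        self.last_accepted_counter = -1

    def verify(self, submitted: str, unix_time: int) -> bool:
        now = int(unix_time) // self.step
        for counter in range(now - self.drift_steps, now + self.drift_steps + 1):
            if counter <= self.last_accepted_counter:
                continue  # that step (or an older one) has already been used
            if hmac.compare_digest(hotp(self.secret, counter), submitted):
                self.last_accepted_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 / RFC 6238 test-vector seed; a real token gets a per-device random secret.
    seed = b"12345678901234567890"
    verifier = OtpVerifier(seed)
    code = totp(seed, 59)
    print(code, verifier.verify(code, 59), verifier.verify(code, 59))  # 287082 True False
```

The drift window is the trade-off the text alludes to: a wider window makes the token easier to use when clocks disagree but lengthens the life of every captured code, so the replay guard matters more, not less, as the window grows.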
Biometrics
Biometric technologies identify or authenticate the identity of a living person on the basis of a physiological or physical characteristic (something a person is). Physiological characteristics include fingerprints, iris configuration, and facial structure. Physical characteristics include, for example, the rate and flow of movements, such as the pattern of data entry on a computer keyboard. The process of introducing people into a biometrics-based system is called “enrollment.” In enrollment, samples of data are taken from one or more physiological or physical characteristics; the samples are converted into a mathematical model, or template; and the template is registered into a database on which a software application can perform analysis.
Once enrolled, customers interact with the live-scan process of the biometrics technology. The live scan is used to identify and authenticate the customer. The results of a live scan, such as a fingerprint, are compared with the registered templates stored in the system. If there is a match, the customer is authenticated and granted access.
Biometric identifiers are most commonly used as part of a multifactor authentication system, combined with a password (something a person knows) or a token (something a person has).
Various biometric techniques and identifiers are being developed and tested; these include:
• fingerprint recognition;
• face recognition;
• voice recognition;
• keystroke recognition;
• handwriting recognition;
• finger and hand geometry;
• retinal scan; and
• iris scan.
Two biometric techniques that are increasingly gaining acceptance are fingerprint recognition and face recognition.
Fingerprint Recognition
Fingerprint recognition technologies analyze global pattern schemata on the fingerprint, along with small unique marks known as minutiae, which are the ridge endings and bifurcations or branches in the fingerprint ridges. The data extracted from fingerprints are extremely dense and the density explains why fingerprints are a very reliable means of identification. Fingerprint recognition systems store only data describing the exact fingerprint minutiae; images of actual fingerprints are not retained. Fingerprint scanners may be built into computer keyboards or pointing devices (mice), or may be stand-alone scanning devices attached to a computer.
Fingerprints are unique and complex enough to provide a robust template for authentication. Using multiple fingerprints from the same individual affords a greater degree of accuracy. Fingerprint identification technologies are among the most mature and accurate of the various biometric methods of identification.[See Footnote 11]
Although end users should have little trouble using a fingerprint-scanning device, special hardware and software must be installed on the user’s computer. Fingerprint recognition implementation will vary according to the vendor and the degree of sophistication required. This technology is not portable since a scanning device needs to be installed on each participating user’s computer. However, fingerprint biometrics is generally considered easier to install and use than other, more complex technologies, such as iris scanning. Enrollment can be performed either at the financial institution’s customer service center or remotely by the customer after he or she has received setup instructions and passwords. According to fingerprint technology vendors, there are several scenarios for remote enrollment that provide adequate security, but for large-dollar transaction accounts, the institution should consider requiring that customers appear in person.
Footnote 11 -- Currently, some financial technologies to authenticate ATM users are eliminating the need for an ATM card and the expense of replacing lost or stolen cards.[End of Footnote 11]
Face Recognition
Most face recognition systems focus on specific features on the face and make a two-dimensional map of the face. Newer systems make three-dimensional maps. The systems capture facial images from video cameras and generate templates that are stored and used for comparisons. Face recognition is a fairly young technology compared with other biometrics like fingerprints.
Facial scans are only as good as the environment in which they are collected. The so-called “mug shot” environment is ideal. The best scans are produced under controlled conditions with proper lighting and proper placement of the video device. As part of a highly sensitive security environment, there may be several cameras collecting image data from different angles, producing a more exact scan. Certain facial scanning applications also include tests for liveness, such as blinking eyes. Testing for liveness reduces the chance that the person requesting access is using a photograph of an authorized individual.
Non-Hardware-Based One-Time-Password Scratch Card
Scratch cards (something a person has) are less-expensive, “low-tech” versions of the OTP generating tokens discussed previously. The card, similar to a bingo card or map location look-up, usually contains numbers and letters arranged in a row-and-column format, i.e., a grid. The size of the card determines the number of cells in the grid.
Used in a multifactor authentication process, the customer first enters his or her user name and password in the established manner. Assuming the information is input correctly, the customer will then be asked to input, as a second authentication factor, the characters contained in a randomly chosen cell in the grid. The customer will respond by typing in the data contained in the grid cell element that corresponds to the challenge coordinates.
Conventional OTP hardware tokens rely on electronics that can fail through physical abuse or defects, but placing the grid on a wallet-sized plastic card makes it durable and easy to carry. This type of authentication requires no training and, if the card is lost, replacement is relatively easy and inexpensive.
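The grid challenge-response just described, as an added example that is not part of the guidance. The 5x5 layout, the 3-character cells, the password check as first factor and the single-use challenge are assumptions for the illustration: the server stores the card it issued, challenges a randomly chosen coordinate only after the password has been verified, and discards the challenge after one response so a coordinate cannot be answered twice.

```python
import hashlib
import hmac
import os
import secrets
import string

ROWS = "ABCDE"
COLS = "12345"


def make_card(rng=secrets, cell_len: int = 3) -> dict:
    """Issue a grid of random cells keyed by coordinate ('A1' .. 'E5').
    The same dict is printed on the customer's wallet card and kept by the server."""
    alphabet = string.ascii_uppercase + string.digits
    return {r + c: "".join(rng.choice(alphabet) for _ in range(cell_len))
            for r in ROWS for c in COLS}


class GridAuthenticator:
    """First factor: salted password hash. Second factor: a challenged grid cell."""

    def __init__(self, username: str, password: str, card: dict, rng=secrets):
        self.username = username
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        self.card = card
        self.rng = rng
        self.pending = {}  # session id -> coordinate currently challenged

    def start(self, session_id: str, username: str, password: str):
        """Verify the password; on success return the coordinate to challenge, else None."""
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)
        if username != self.username or not hmac.compare_digest(candidate, self.pw_hash):
            return None
        coord = self.rng.choice(list(self.card))   # "randomly chosen cell in the grid"
        self.pending[session_id] = coord
        return coord

    def finish(self, session_id: str, response: str) -> bool:
        """Compare the customer's answer with the challenged cell; the challenge is single use."""
        coord = self.pending.pop(session_id, None)
        if coord is None:
            return False
        expected = self.card[coord].upper()
        return hmac.compare_digest(expected, response.strip().upper())


if __name__ == "__main__":
    card = make_card()
    auth = GridAuthenticator("alice", "correct horse battery", card)
    coord = auth.start("sess-1", "alice", "correct horse battery")
    print("challenge:", coord, "->", auth.finish("sess-1", card[coord]))  # True
```

Because the card is static (it never changes until reissued), the text's point about lost cards applies in reverse too: a copied card is as good as the original, so the password first factor and the audit logging of every challenge are what make the scheme a real second factor rather than a second static secret.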
Out-of-Band Authentication
Out-of-band authentication includes any technique that allows the identity of the individual originating a transaction to be verified through a channel different from the one the customer is using to initiate the transaction. This type of layered authentication has been used in the commercial banking/brokerage business for many years. For example, funds transfer requests, purchase authorizations, or other monetary transactions are sent to the financial institution by the customer either by telephone or by fax. After the institution receives the request, a telephone call is usually made to another party within the company (if a business-generated transaction) or back to the originating individual. The telephoned party is asked for a predetermined word, phrase, or number that verifies that the transaction was legitimate and confirms the dollar amount. This layering approach precludes unauthorized transactions and identifies dollar amount errors, such as when a $1,000.00 order was intended but the decimal point was misplaced and the amount came back as $100,000.00.
In today’s environment, the methods of origination and authentication are more varied. For example, when a customer initiates an online transaction, a computer or network-based server can generate a telephone call, an e-mail, or a text message. When the proper response (a verbal confirmation or an accepted-transaction affirmation) is received, the transaction is consummated.
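An added example of the server side of the modern variant just described (not code from the manual): the institution generates a one-time code, sends it over a second channel to a contact point it already has on file, and only consummates the transaction when that code comes back. The delivery channel is represented by a `send_message` callback (a text message gateway in practice) and the five-minute validity window is an assumption. Two details carry the security value of the technique: the message repeats the amount and destination so the customer can catch the misplaced decimal point from the earlier example, and the code is bound to those exact details so a transaction altered after the code was issued does not confirm.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Transfer:
    transfer_id: str
    customer: str
    amount_cents: int
    to_account: str

    def digest(self) -> str:
        """Fingerprint of the details the customer is asked to confirm."""
        text = f"{self.transfer_id}|{self.customer}|{self.amount_cents}|{self.to_account}"
        return hashlib.sha256(text.encode()).hexdigest()


class OutOfBandConfirmer:
    """Server side of an out-of-band check. The confirmation code travels over a channel the
    online session does not control (a registered phone number, simulated by send_message)."""

    TTL_SECONDS = 300  # assumption: a code is good for five minutes

    def __init__(self, send_message, clock=time.time):
        self._send = send_message
        self._clock = clock
        self._pending = {}  # transfer_id -> (code, expires_at, digest of the details)

    def request(self, transfer: Transfer, phone: str) -> None:
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._pending[transfer.transfer_id] = (code, self._clock() + self.TTL_SECONDS, transfer.digest())
        # Repeat the amount and destination: that is what lets the customer notice a
        # misplaced decimal point or a destination they never entered.
        self._send(phone, f"Confirm transfer of ${transfer.amount_cents / 100:,.2f} "
                          f"to account {transfer.to_account}. Code: {code}")

    def confirm(self, transfer: Transfer, code: str) -> bool:
        entry = self._pending.pop(transfer.transfer_id, None)  # single use: consumed on first try
        if entry is None:
            return False
        expected, expires_at, digest = entry
        if self._clock() > expires_at:
            return False  # stale code
        if digest != transfer.digest():
            return False  # details changed between request and confirmation
        return hmac.compare_digest(expected.encode(), code.encode())
```

The phone number passed to `request` must come from the customer's record, never from the same online session that submitted the transaction; otherwise the second channel is under the same control as the first and the layering is lost.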
Internet Protocol Address (IPA) Location and Geo-Location
One technique to filter an online transaction is to know who is assigned to the requesting Internet Protocol Address. Each computer on the Internet has an IPA, which is assigned either by an Internet Service Provider or as part of the user’s network. If all users were issued a unique IPA that was constantly maintained on an official register, authentication by IPA would simply be a matter of collecting IPAs and cross-referencing them to their owners. However, IPAs are not owned, may change frequently, and in some cases can be “spoofed.” Additionally, there is no single source for associating an IPA with its current owner, and in some cases matching the two may be impossible.
Some vendors have begun offering software products that identify several data elements, including location, anonymous proxies, domain name, and other identifying attributes referred to as “IP Intelligence.” The software analyzes this information in a real-time environment and checks it against multiple data sources and profiles to prevent unauthorized access. If the user’s IPA and the profiled characteristics of past sessions match information stored for identification purposes, the user is authenticated. In some instances the software will detect out-of-character details of the access attempt and quickly conclude that the user should not be authenticated.
Geo-location technology is another technique to limit Internet users by determining where they are or, conversely, where they are not. Geo-location software inspects and analyzes the small bits of time required for Internet communications to move through the network. These electronic travel times are converted into cyberspace distances. After these cyberspace distances have been determined for a user, they are compared with cyberspace distances for known locations. If the comparison is considered reasonable, the user's location can be authenticated. If the distance is considered unreasonable or for some reason is not calculable, the user will not be authenticated.
IPA verification or geo-location may prove beneficial as one factor in a multifactor authentication strategy. However, since geo-location software currently produces usable results only for land-based or wired communications, it may not be suitable for some wireless networks that can also access the Internet such as cellular/digital telephones.
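An added example (not from the manual) of how an institution might use the IP Intelligence and profile-matching idea described above as one factor among several. The "intelligence feed" here is a constructed table of three documentation-range networks, and the latency check is only a crude stand-in for vendor geo-location: it compares the round-trip time of the current session with the customer's usual one rather than deriving a physical location. The profile of past sessions, the doubling threshold and the allow/step-up/deny outcomes are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for a vendor "IP intelligence" feed (assumption). The addresses are
# documentation ranges, not real networks, and a real feed is far larger and updated continuously.
IP_INTEL = {
    ipaddress.ip_network("203.0.113.0/24"): {"country": "US", "isp": "Example Cable", "anon_proxy": False},
    ipaddress.ip_network("198.51.100.0/24"): {"country": "US", "isp": "Example Mobile", "anon_proxy": False},
    ipaddress.ip_network("192.0.2.0/24"): {"country": "??", "isp": "Anonymizer Inc", "anon_proxy": True},
}


def lookup(ip: str):
    """Return the feed's attributes for an address, or None if the feed does not cover it."""
    addr = ipaddress.ip_address(ip)
    for network, attrs in IP_INTEL.items():
        if addr in network:
            return attrs
    return None


@dataclass
class SessionProfile:
    """What this customer's past authenticated sessions looked like."""
    countries: set = field(default_factory=set)
    isps: set = field(default_factory=set)
    typical_rtt_ms: float = 0.0


def assess(profile: SessionProfile, ip: str, rtt_ms: float):
    """Score one access attempt. Returns (decision, reasons) with decision one of
    'allow', 'step_up' (ask for another factor) or 'deny'."""
    reasons = []
    attrs = lookup(ip)
    if attrs is None:
        return "step_up", ["address not in intelligence feed"]  # cannot be matched, so do not trust it
    if attrs["anon_proxy"]:
        reasons.append("anonymous proxy")
    if attrs["country"] not in profile.countries:
        reasons.append("country not seen before")
    if attrs["isp"] not in profile.isps:
        reasons.append("isp not seen before")
    # Travel-time check: a round trip far longer than this customer's norm suggests a
    # different network distance from the one the profile was built on.
    if profile.typical_rtt_ms and rtt_ms > 2 * profile.typical_rtt_ms:
        reasons.append("network distance inconsistent with profile")
    if "anonymous proxy" in reasons:
        return "deny", reasons
    return ("step_up" if reasons else "allow"), reasons


def record_session(profile: SessionProfile, ip: str, rtt_ms: float) -> None:
    """After a fully authenticated session, fold its attributes into the profile."""
    attrs = lookup(ip)
    if attrs is None:
        return
    profile.countries.add(attrs["country"])
    profile.isps.add(attrs["isp"])
    profile.typical_rtt_ms = rtt_ms if not profile.typical_rtt_ms else 0.8 * profile.typical_rtt_ms + 0.2 * rtt_ms
```

Note that `record_session` is only called after the customer has passed every factor; updating the profile from a session that merely presented the right password would let an attacker teach the system their own network as "normal". The caveat in the text about wireless networks applies directly to the latency check: a customer on a cellular connection will show a round-trip time that bears little relation to distance, so a step-up rather than a deny is the appropriate reaction to that signal alone.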
Mutual Authentication
Mutual authentication is a process whereby customer identity is authenticated and the target Web site is authenticated to the customer. Currently, most financial institutions do not authenticate their Web sites to the customer before collecting sensitive information. One reason phishing attacks are successful is that unsuspecting customers cannot determine they are being directed to spoofed Web sites during the collection stage of an attack. The spoofed sites are so well constructed that casual users cannot tell they are not legitimate. Financial institutions can aid customers in differentiating legitimate sites from spoofed sites by authenticating their Web site to the customer.
Techniques for authenticating a Web site are varied. The use of digital certificates coupled with encrypted communications (e.g. Secure Socket Layer, or SSL) is one; the use of shared secrets such as digital images is another. Digital certificate authentication is generally considered one of the stronger authentication technologies, and mutual authentication provides a defense against phishing and similar attacks.
Customer Verification Techniques
Customer verification is a related but separate process from that of authentication. Customer verification complements the authentication process and should occur during account origination. Verification of personal information may be achieved in three ways:
• Positive verification to ensure that material information provided by an applicant matches information available from trusted third party sources. More specifically, a financial institution can verify a potential customer's identity by comparing the applicant's answers to a series of detailed questions against information in a trusted database (e.g., a reliable credit report) to see if the information supplied by the applicant matches information in the database. As the questions become more specific and detailed, correct answers provide the financial institution with an increasing level of confidence that the applicant is who they say they are.
• Logical verification to ensure that information provided is logically consistent (e.g., do the telephone area code, ZIP code, and street address match).
• Negative verification to ensure that information provided has not previously been associated with fraudulent activity. For example, applicant information can be compared against fraud databases to determine whether any of the information is associated with known incidents of fraudulent behavior. In the case of commercial customers, however, the sole reliance on online electronic database comparison techniques is not adequate since certain documents (e.g., bylaws) needed to establish an individual's right to act on a company's behalf are not available from databases. Institutions still must rely on traditional forms of personal identification and document validation combined with electronic verification tools.
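The three verification steps above, carried through as an added example on constructed data (this is not the manual's code, and a real implementation would query a bureau, a postal reference and a fraud consortium rather than the small tables used here). Positive verification scores the applicant's answers against a trusted record, logical verification checks that area code, ZIP code and state agree with one another, and negative verification compares hashed identifiers against a fraud list. The 80% match threshold and the pass/review/decline outcomes are assumptions.

```python
import hashlib
import re

# Constructed reference data (assumption): the trusted record a bureau might return for one
# applicant, a tiny area-code / ZIP-prefix to state table, and a fraud list keyed by hashes.
TRUSTED_RECORD = {"name": "Jane Q Public", "dob": "1980-04-12", "street": "12 Main St",
                  "zip": "23001", "phone": "804-555-0142"}
AREA_CODE_STATE = {"804": "VA", "212": "NY"}
ZIP_PREFIX_STATE = {"230": "VA", "100": "NY"}


def _fingerprint(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


# Constructed fraud list: a phone number and a "street|zip" pair tied to earlier incidents.
FRAUD_DB = {_fingerprint("804-555-0199"), _fingerprint("99 FRAUD LN|10001")}


def normalize_phone(raw: str):
    """Reduce any formatting to NNN-NNN-NNNN; None if it is not a 10-digit North American number."""
    digits = re.sub(r"\D", "", raw or "")
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]
    return f"{digits[:3]}-{digits[3:6]}-{digits[6:]}" if len(digits) == 10 else None


def _norm(value) -> str:
    return re.sub(r"\s+", " ", (value or "").strip().upper())


def positive_verification(applicant: dict, trusted: dict, fields=("name", "dob", "street", "zip", "phone")):
    """Fraction of fields whose applicant value matches the trusted source, and which ones matched."""
    matched = []
    for f in fields:
        a, t = applicant.get(f), trusted.get(f)
        if f == "phone":
            a, t = normalize_phone(a), normalize_phone(t)
        if a is not None and _norm(a) == _norm(t):
            matched.append(f)
    return len(matched) / len(fields), matched


def logical_verification(applicant: dict) -> list:
    """Internal consistency: do the area code, ZIP code and state agree with each other?"""
    issues = []
    phone = normalize_phone(applicant.get("phone"))
    phone_state = AREA_CODE_STATE.get(phone[:3]) if phone else None
    zip_state = ZIP_PREFIX_STATE.get((applicant.get("zip") or "")[:3])
    if phone is None:
        issues.append("phone number is not a valid 10-digit number")
    if phone_state and zip_state and phone_state != zip_state:
        issues.append("area code and ZIP code point to different states")
    if zip_state and applicant.get("state") != zip_state:
        issues.append("stated state does not match ZIP code")
    return issues


def negative_verification(applicant: dict) -> list:
    """Which applicant identifiers appear in the fraud list. Comparison is by hash, so the
    list itself need not hold plaintext identifiers."""
    hits = []
    phone = normalize_phone(applicant.get("phone"))
    if phone and _fingerprint(phone) in FRAUD_DB:
        hits.append("phone")
    if _fingerprint(f"{_norm(applicant.get('street'))}|{applicant.get('zip')}") in FRAUD_DB:
        hits.append("address")
    return hits


def verify_applicant(applicant: dict, trusted: dict = TRUSTED_RECORD, min_score: float = 0.8) -> dict:
    """Run the three checks and reduce them to a decision for the account-opening workflow."""
    score, matched = positive_verification(applicant, trusted)
    issues = logical_verification(applicant)
    hits = negative_verification(applicant)
    if hits:
        decision = "decline"  # identifiers tied to known fraud
    elif issues or score < min_score:
        decision = "manual_review"
    else:
        decision = "pass"
    return {"decision": decision, "positive_score": score, "matched": matched,
            "logical_issues": issues, "fraud_hits": hits}
```

As the text notes for commercial customers, a result of `pass` from these electronic checks establishes only that the individual's personal data is consistent and clean; it says nothing about that person's authority to act for a business, which still rests on documents such as bylaws or resolutions reviewed outside this process.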
Another authentication method consists of the financial institution relying on a third party to verify the identity of the applicant. The third party would issue the applicant an electronic credential, such as a digital certificate, that can be used by the applicant to prove his/her identity. The financial institution is responsible for ensuring that the third party uses the same level of authentication that the financial institution would use itself.