Connect ► twitter| youtube|  Log In ► Members Only  |  Corporate One Safekeeping  |  Search

BSA/AML Hot Topics: What is the cost of customer identification?

Naomi Glass, AVP, BSA/AML Compliance Officer

COVID-19 Update

On July 30, FinCEN released its third advisory (FIN-2020-A005) related to the coronavirus pandemic. This advisory focuses on cybercrime and cyber-enabled crime. It addresses the various ways in which criminals are exploiting the pandemic through malware and phishing schemes, extortion, business email compromise fraud, and exploitation of remote applications, especially against financial and healthcare systems. I would encourage your BSA staff to review this advisory, along with all others issued by FinCEN in response to the pandemic, as they provide useful guidance to financial institutions to aid in the detection, prevention, and reporting of suspected criminal activity.

This article is the second in a two-part series that examines how burdensome it is for financial institutions to comply with certain BSA-related compliance processes. Last month’s article focused on the estimated burden (time, effort or financial resources) expended by financial institutions with respect to filing suspicious activity reports (SARs) to FinCEN. This month we are going to take a look at the estimated burden for financial institutions in complying with Customer Identification Program (CIP) rules and regulations. (Note: For purposes of this article, the term “customer” will be used instead of “member” to ensure that the information being provided aligns with the language contained within the regulation.)

CIP requirements

Before we crunch any numbers, it is important to have a clear understanding of what customer identification entails from a regulatory standpoint. Financial institutions are required to develop and implement CIPs, which are designed to allow them to form a reasonable belief that they know the true identity of each customer. A CIP must include, at minimum, the following five requirements:

  • A written CIP as part of the written AML program;
  • Identity verification procedures (risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable); 
  • Recordkeeping (procedures for making and maintaining a record of all information obtained under the CIP requirements); 
  • Consultation of government lists (procedures to determine whether the customer appears on any list of known or suspected terrorists or terrorist organizations issued by any federal government agency, and designated as such by Treasury in consultation with the federal functional regulators); and,
  • Customer notice (procedures for providing bank customers with adequate notice that the bank is requesting information to verify their identities).

FinCEN is aware that adhering to these requirements takes time and money. That is why it published a notice on August 13, focusing on the development of an updated process that more accurately calculates the estimated burden associated with the CIP requirements. This update is part of the government’s continuing effort to reduce paperwork and burden to financial institutions.

The current process

FinCEN’s current process only estimates the burden associated with two of the five CIP requirements:

  • Time and money spent each year on maintaining and updating the written CIP, and,
  • Time and money spent each year on providing customers with notification of the CIP.

Regarding the amount of time financial institutions spend each year on maintaining and updating their written CIP, FinCEN estimates that this takes 10 hours. Updating a CIP may be warranted if a financial institution makes changes to the types of accounts it maintains for customers or if it modifies its account opening procedures or customer verification processes. Obtaining management approval of CIP changes is also factored into the estimate.

In order for FinCEN to estimate the cost associated with this compliance process, it calculated the hourly wage of those who would be carrying out these job functions. For annually maintaining and updating the CIP (estimated at 10 hours), the breakdown would consist of:

  • One hour at $133, representing the cost of enlisting the board of directors’ or senior management’s review and approval, and,
  • Nine hours of work by other staff, averaging $48/hour.

Regarding the amount of time financial institutions spend each year on providing customers with notification of its CIP, FinCEN estimates that this takes one hour. The hourly wage for carrying out this function averages $32/hour.

The results

Based on the figures contained within FinCEN’s notice, the estimated annual CIP burden for federally regulated credit unions can be summarized as follows:

  • For maintaining and updating the CIP: 52,360 person-hours with a total cost of $2,958,340.
  • For notification: 5,236 person-hours with a total cost of $167,552.

The path forward: FinCEN requests comments from financial institutions

FinCEN recognizes that its current process for estimating hourly burden is insufficient as it does not take into account the implementation of the other three CIP requirements (i.e. verification and recordkeeping requirements, and consulting government lists). It further acknowledges that the scope and criteria for the current process may be flawed, as well.

Fortunately, FinCEN knows what it doesn’t know and is calling on the industry for help! It is requesting comments from financial institutions that have practical experience employing CIP processes within their institutions and can provide greater insight into how to adequately measure burden with respect to CIP compliance. The comment period ends October 13, so do not delay. Get your comments in today.