How CIPs Fail to Uphold AML and BSA

Customer Identification Programs (CIPs) were put in place to reduce identity fraud for individuals and banks, but these programs fall short of complying with various Anti-Money Laundering (AML) and Bank Secrecy Act (BSA) regulations and their requirements for a number of reasons. Banks, savings associations, credit unions, and certain non-Federally regulated banks are held accountable by the CIPs, which outline a method for banks to establish a reasonable belief that a customer is who they say they are. However, the requirements they must abide by do not fully ensure the protection of their customers. There are lax stipulations for verifying customer identity, insufficient standards for bank assessment, and too much flexibility for policy variation from bank to bank.

Reasons for Failure

A closer look at the requirements for proving identity reveals there are loopholes for thieves to falsify information.

CIPs Don’t Account for All Possibilities of Suspicious Activity

The current regulations require each person who is attempting to open an account to provide a series of facts such as name, date of birth, address, and identification number. Under the CIPs, banks may be able to halt account creation if sufficient and true identity is not provided. Still, there are no requirements for banks or other financial institutions to alert customers that some of their information was used to open an account. A person attempting impersonation may try again at another bank, where the regulations are not as strict and obtaining reasonable belief for identity is easier. This tactic is especially dangerous for financial accounts opened online, where documents are not provided and face-to-face interaction is non-existent. As part of AML/BSA, banks must report suspicious activity and coordinate with the government to protect their customers from fraud, but the CIPs do not account for all possibilities of suspicious activity.

Requirements Are More Subjective Than Objective

When a customer has established a reputation with a bank or financial institution, there is no requirement for the customer to provide identifying information for opening another account. As long as the institution is “reasonably satisfied” with its understanding of the customer’s identity, there is no further need to investigate the true identity. Although this rule may streamline the process for opening accounts, it also diminishes the power of the AML/BSA by allowing banks to bypass security measures. If reasonable belief is left to the interpretation of banks, CIPs do not protect customers from having their accounts hacked, especially when the bank reasonably believes it is doing the right thing.

No Standardization in the Approach

With the number of banks and financial institutions available to customers today, there is room for too much variation in CIPs, which creates security hazards. The intention of CIPs was to create procedures for opening accounts that involve obtaining identity information and a verification process to assess the risks of new activity by a customer. These risks entail the following questions:

  • Which type of account is opened?
  • How does a customer attempt to open an account?
  • Which information is provided to identify the customer?
  • What is the scale of the financial institution that the customer is working with?

Already, in these few questions, there are many potential risks and pitfalls that a bank or financial institution may encounter. How each institution handles the risks is not fully standardized by the CIPs, which causes a failure to uphold the AML/BSA. Rather than outline a manner for handling risks, the CIPs allow too much flexibility for banks to manage security measures on their own terms. There are no outlines for the kind of suspicious activity that must be reported, nor is there a requirement for customers to be notified of potential threats and theft. AML/BSA set out to keep banks and financial institutions aware of fraudulent activity, while the CIPs were meant to carry out that mission. That CIPs are not as productive as they should be shows that there is room for institutions to work together and create a benchmark for how risky situations are handled.

Looking Forward

CIPs are not operating as securely as they can be, and it is these failures that prevent the goals of AML/BSA from being fully realized. By creating a streamlined CIP across all banks and financial institutions, in which reasonable belief of customer identity is consistently reviewed and suspicious activity is reported, there is a potential for a more secure approach to upholding AML/BSA. Furthermore, there is a chance that creating a committee, with representatives from each financial institution, will help with consistent evaluations of CIP regulations. With these updates to CIPs, customers can be guaranteed more security for their financial accounts no matter where they conduct banking business. And, as a result, AML and BSA will work more efficiently to serve the population and prevent identity fraud.