USA Patriot Act:
Additional Guidance Could Improve Implementation of Regulations Related to Customer Identification and Information Sharing Procedures
GAO-05-412: Published: May 6, 2005. Publicly Released: Jun 6, 2005.
Title III of the USA PATRIOT Act of 2001, passed after the September 11 terrorist attacks, amended U.S. anti-money laundering laws and imposed new requirements on financial institutions. Section 326 of the act required the development of minimum standards for verifying the identity of financial institution customers. Section 314 required the development of regulations encouraging the further sharing of information between law enforcement agencies and the financial industry and between the institutions themselves. Because of concerns about the implementation of these new provisions, GAO determined how (1) the government developed the regulations, educated the financial industry on them, and challenges it encountered; (2) regulators have updated guidance, trained examiners, and examined firms for compliance; and (3) the new regulations have affected law enforcement investigations.
Treasury (including its Financial Crimes Enforcement Network (FinCEN)), the federal financial regulators, and self-regulatory organizations (SRO) overcame challenges to create regulations that apply consistently to a diverse financial sector and have used several outreach mechanisms to help the financial industry understand and comply with Customer Identification Program (CIP) requirements under section 326 and information sharing requirements under section 314. However, several implementation challenges remain. Industry officials told us some of their concerns have been addressed but they are still concerned about (1) how some CIP requirements will be interpreted during compliance examinations, (2) the lack of feedback from law enforcement on information provided by financial institutions through section 314(a), and (3) the extent to which they can share information with each other under section 314(b). The six federal financial regulators and five SROs in our review have issued examination guidance covering sections 326 and 314, subsequently trained examiners, and begun examining financial institutions for compliance with CIP and section 314. GAO's review of examinations showed progress, but coverage varied in part because the examinations were conducted during early implementation. One aspect of CIP that was not always covered in examinations was whether financial institutions had adequately developed a CIP appropriate for their business lines and types of customers. However, this aspect of CIP is critical for ensuring that the identification and verification procedures are appropriate for types of customers and accounts that are at higher risk of being linked to money laundering or terrorist activities. Some examinations also revealed implementation difficulties related to CIP that could lead to inconsistencies in the way examiners conduct examinations. For example, some examiners did not differentiate between the CIP requirement and other procedures that require customer identification information. Coverage in the examinations GAO reviewed of how institutions had implemented section 314 requirements was somewhat lower than for CIP, in part, because CIP received more attention from examiners and information sharing between financial institutions is voluntary. In the examinations GAO reviewed, apparent violations of the CIP requirement and section 314(a) regulations were mostly addressed through informal actions between the institution and the regulator. Officials from the Department of Justice and other law enforcement agencies told us that CIP and section 314 have assisted them in the investigation of money laundering and terrorist financing cases. Some officials said that CIP has been useful because financial institutions have more information on their customers so they obtain more useful information when issuing grand jury subpoenas and other requests for information. Many officials said the 314(a) process had improved coordination between the law enforcement community and the financial industry and increased the speed and efficiency of investigations.
Recommendations for Executive Action
Status: Closed - Implemented
Comments: In August 2005, in conjunction with the publication of the FFIEC BSA/AML examination manual, FinCEN and the banking regulators held nationwide conference calls and outreach meetings all of which included a discussion of the Customer Identification Program (CIP) regulation. In October 2005, FinCEN hosted an inter-agency meeting to identify options and develop an action plan for developing additional guidance relating to best practices and verification techniques for high-risk customers. In 2006, FinCEN and the banking regulators issued an updated BSA/AML manual that contained specific examination procedures for a bank's Customer Identification Program, which included transaction testing procedures for high-risk customers. The manual also includes expanded examination procedures for such customers as nonresident aliens and foreign individuals, politically exposed persons, embassy and foreign consulate accounts, and domestic and foreign business entities, among others. FinCEN issued FAQs jointly with CFTC addressing omnibus account relationships in February 2006. FinCEN developed and sent CIP Frequently Asked Questions (FAQs)to SEC and CFTC for their review in March 2006.
Recommendation: To build on education and outreach efforts and help financial institutions subject to the CIP requirement effectively implement their programs, the Secretary of the Treasury, through FinCEN and in coordination with the federal financial regulators and SROs, should develop additional guidance covering ongoing implementation issues related to the CIP requirement. Specifically, additional guidance on the CIP requirement that provides examples or alternatives of how to verify the identity of high-risk customers, such as foreign individuals and companies, could help financial institutions develop better risk-based procedures.
Agency Affected: Department of the Treasury
Status: Closed - Implemented
Comments: FinCEN and the banking regulators issued the FFIEC BSA/AML examination manual in June 2005. After its publication, FinCEN participated in a series of nationwide conference calls and regional outreach meetings in August 2005, to educate examiners and the industry on the guidance contained in the manual including how to examine industry Customer Identification Programs(CIPs). In 2006, FinCEN and the banking regulators issued an updated BSA/AML manual that included examination procedures for transaction testing to be done on the basis of a risk assessment. The manual specifically states that Customer Identification Programs must contain risk-based procedures for verifying the identity of the customer. The manual also includes examination procedures for customer due diligence policies, procedures and processes, which explains that this concept begins with verifying the customer's identity--a key component of CIP. The CIP examination procedures clarify requirements for checking government lists and how to apply CIP to existing customers. To address other industries, FinCEN signed a Memorandum of Understanding with the SEC in December 2006, to share information including examination procedures and was working to reach a similar agreement with CFTC. FinCEN received some of the SEC's examination procedures including procedures for reviewing compliance with the CIP regulations.
Recommendation: To enhance examination guidance covering the CIP requirement and ensure that examiners are well-informed about CIP requirements, the Director of FinCEN should work with the federal financial regulators to develop additional guidance for examiners to use in conducting Bank Secrecy Act examinations. Specifically, the guidance should clarify that complying with the CIP requirement is more than determining whether the minimum customer identification information has been obtained--the examiner should determine whether a financial institution's CIP contains effective risk-based procedures for verifying the identity of customers. Secondly, the guidance should clarify how CIP fits into other customer due diligence practices, such as know-your-customer procedures. Finally, the guidance should reflect the FAQs on CIP issued for industry, which addressed the difficulties in interpretation we observed for checking government lists and applying the CIP requirement to existing customers.
Agency Affected: Department of the Treasury: Financial Crimes Enforcement Network