March 08, 2013

How do you make sure you haven’t funded the next act of terrorism in the United States?

You get an application for credit online from a mobile device. Perhaps someone got referred to you by a lender aggregation site. The applicant’s information goes into your system, the loan is approved and notice to the customer is sent without an actual person evaluating anything. How can you verify the identity of the credit applicant? Ever wonder what would happen if a regulator really understood the system and the vendors you use and whether they would pass muster?

There is precious little guidance in Section 326 of the USA Patriot Act itself or in the implementing regulations (the “CIP Requirements”). This creates both flexibility and risk of being second-guessed by regulators if something goes wrong.

Fortunately, in the midst of the regulatory abyss, best practices for Know Your Customer are evolving.

The FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual states that a bank must have “non-documentary procedures” to address when a “customer opens the account without appearing in person.” Published guidance states that “a bank need not establish the accuracy of every element of identifying information obtained but must do so for enough information to form a reasonable belief it knows the true identity of the customer.” The same guidance establishes that a financial institution may use an electronic credential as a non-documentary means to verify the identity of a customer that opens an account over the Internet or through some other purely electronic channel. The regulatory test of such non-documentary methods is whether they provide the financial institution with a reasonable belief that it knows the true identity of the customer.


The traditional, documentary method of verifying the identity of a customer is for an employee of a financial institution to look at a government-issued photo ID and manually check it against customer-provided information. The non-documentary procedures start with obtaining information from the applicant that can be compared to information in the public record from third party sources.

The developing best practice is to cross-check nonpublic personally identifiable information that is input by the applicant against the information on credit reports. Through API exchanges with the major credit reporting agencies, the personal information input by the applicant can be verified against the information independently provided in the credit report. Establishing multiple independent data sources for identity verification greatly reduces the risk of identity fraud and protects the funds of the financial institution.

Relying on third-party information aggregators, like LexisNexis, IDology or RDC, substitutes the risk of vendor error for the risk of human error in reviewing and collecting information. When you utilize a third-party service provider, you are shifting an important function outside of your financial institution, and regulators will want you to demonstrate appropriate oversight to assure reliability.

• You can and should request and retain an SSAE 16 report (formerly SAS 70) from the third party service provider.

• Regularly review and retain the results of the non-documentary Know Your Customer process by taking a blind sampling of results and reviewing the actual credit reports and other sources of the data compared to the customer reported information.

• Review and retain reports provided by the third party service provider.

• Draft internal reports reviewing the risk associated with your specific non-documentary Know Your Customer process.

• Memorialize internal Know Your Customer procedures.

Satisfying the law is vital, but establishing a thorough non-documentary Know Your Customer system protects your financial institution’s assets and reputation in the market.

Key Takeaways:

• In a mobile banking and lending environment, non-documentary Know Your Customer procedures save your financial institution time and money and improve the customer experience.

• Non-documentary Know Your Customer procedures can satisfy the CIP Requirements so long as they are properly designed, regularly reviewed and accurately documented in a financial institution’s procedures.

• Third party service providers may supplement a financial institution’s internal Know Your Customer procedures by reviewing all the customers of a financial institution growing in the mobile banking and lending business.

Robert A. Irwin is Associate General Counsel of On Deck Capital, Inc., a small business lender.

Kurt L. Kicklighter is the California Executive Partner with McKenna Long & Aldridge LLP, where he represents financial institutions in a wide range of matters, including evaluating strategic alternatives, negotiating mergers and regulatory enforcement matters.