Robert A. Irwin, On Deck Capital Inc. and Kurt L. Kicklighter, McKenna Long & Aldridge

Who is Your Borrower in a Virtual World?

Regulations are murky in defining how banks should verify customer identity when a new customer opens an account or credit line through digital channels, but best practices are emerging to help banks with customer identity verification in those instances.

How do you make sure you haven’t funded the next act of terrorism in the United States?

You get an application for credit online from a mobile device. Perhaps the applicant was referred to you by a lender aggregation site. The applicant’s information goes into your system, the loan is approved and notice is sent to the customer without any person evaluating anything. How can you verify the identity of the credit applicant? Ever wonder whether your system and the vendors you use would pass muster if a regulator really understood them?

There is precious little guidance in Section 326 of the USA Patriot Act itself or in the implementing regulations (the “CIP Requirements”). This creates both flexibility and risk of being second-guessed by regulators if something goes wrong.

Fortunately, in the midst of this regulatory abyss, best practices for Know Your Customer are evolving.

The FFIEC Bank Secrecy Act/Anti-Money Laundering Examination Manual states that a bank must have “non-documentary procedures” to address when a “customer opens the account without appearing in person.” Published guidance states that “a bank need not establish the accuracy of every element of identifying information obtained but must do so for enough information to form a reasonable belief it knows the true identity of the customer.” The same guidance establishes that a financial institution may use an electronic credential as a non-documentary means to verify the identity of a customer that opens an account over the Internet or through some other purely electronic channel. The regulatory test of such non-documentary methods is whether they provide the financial institution with a reasonable belief that it knows the true identity of the customer.


The traditional, documentary method of verifying the identity of a customer is for an employee of a financial institution to look at a government-issued photo ID and manually check it against customer-provided information. The non-documentary procedures start with obtaining information from the applicant that can be compared to information in the public record obtained from third-party sources.

The developing best practice is to cross check nonpublic personally identifiable information that is input by the applicant against the information on credit reports. Through API exchanges with the major credit reporting agencies the personal information input by the applicant can be verified against the information independently provided in the credit report. Establishing multiple independent data sources for identity verification greatly reduces the risk of identity fraud and protects the funds of the financial institution.
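The cross-check described above, as an added example that is not part of the original article: applicant-entered PII is normalized and compared field by field against records returned by independent sources (the constructed `bureau_a`, `bureau_b` and `aggregator` records stand in for credit report and aggregator responses). A required field counts as verified only when at least two independent sources agree and none contradicts it; anything short of that goes to manual review rather than being silently declined. The `IdentityRecord` and `verify_identity` names, the thresholds and all sample values are assumptions made for this illustration.

```python
"""Added example: cross-checking applicant-entered PII against independent
records to support a 'reasonable belief' identity decision.
All names, thresholds and sample data are constructed for illustration."""
from dataclasses import dataclass, field
import re
import unicodedata


@dataclass(frozen=True)
class IdentityRecord:
    """One party's view of an identity: the applicant's input or a third-party record."""
    source: str
    full_name: str
    dob: str            # expected as YYYY-MM-DD
    ssn: str            # full SSN or any masked form ending in the last four digits
    address_line: str
    postal_code: str


def _norm_text(s: str) -> str:
    """Fold accents, case and punctuation so cosmetic differences do not cause mismatches."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return " ".join(re.sub(r"[^a-z0-9 ]", " ", s.lower()).split())


def _norm_name(s: str) -> str:
    """Accept 'Last, First M.' or 'First M. Last'; compare on first and last token only."""
    if "," in s:
        last, first = s.split(",", 1)
        s = f"{first} {last}"
    toks = _norm_text(s).split()
    return f"{toks[0]} {toks[-1]}" if toks else ""


_ABBR = {"street": "st", "avenue": "ave", "road": "rd", "apartment": "apt", "suite": "ste"}


def _norm_address(s: str) -> str:
    return " ".join(_ABBR.get(t, t) for t in _norm_text(s).split())


# Field -> normalizer. Only the last four SSN digits are compared, so a bureau
# response that masks the rest still corroborates without handling the full number.
NORMALIZERS = {
    "full_name": _norm_name,
    "dob": str.strip,
    "ssn": lambda s: re.sub(r"\D", "", s)[-4:],
    "address_line": _norm_address,
    "postal_code": lambda s: re.sub(r"\D", "", s)[:5],
}


@dataclass
class VerificationResult:
    decision: str                                     # "verified" or "manual_review"
    corroborated: dict = field(default_factory=dict)  # field -> sources that agree
    contradicted: dict = field(default_factory=dict)  # field -> sources that disagree
    reasons: list = field(default_factory=list)


def verify_identity(applicant, records, required=("full_name", "dob", "ssn"), min_sources=2):
    """Each required field must agree with at least `min_sources` independent records
    and be contradicted by none; anything else is routed to human review rather than
    silently declined, which also gives the periodic sampling review a queue to draw from."""
    corroborated = {f: set() for f in NORMALIZERS}
    contradicted = {f: set() for f in NORMALIZERS}
    for rec in records:
        for f, norm in NORMALIZERS.items():
            theirs = norm(getattr(rec, f))
            if not theirs:          # source has no value: neither agrees nor disagrees
                continue
            bucket = corroborated if theirs == norm(getattr(applicant, f)) else contradicted
            bucket[f].add(rec.source)
    reasons = []
    for f in required:
        if contradicted[f]:
            reasons.append(f"{f} contradicted by {', '.join(sorted(contradicted[f]))}")
        elif len(corroborated[f]) < min_sources:
            reasons.append(f"{f} corroborated by only {len(corroborated[f])} source(s)")
    return VerificationResult(
        decision="verified" if not reasons else "manual_review",
        corroborated={f: sorted(s) for f, s in corroborated.items()},
        contradicted={f: sorted(s) for f, s in contradicted.items()},
        reasons=reasons,
    )


# Constructed sample data: one applicant plus three independent records.
APPLICANT = IdentityRecord("applicant", "Jane Q. Doe", "1980-04-12", "123-45-1234",
                           "123 Main Street, Apartment 4B", "10001")
RECORDS = [
    IdentityRecord("bureau_a", "DOE, JANE Q", "1980-04-12", "1234", "123 MAIN ST APT 4B", "10001-2345"),
    IdentityRecord("bureau_b", "Jane Doe", "1980-04-12", "xxx-xx-1234", "123 Main St Apt 4B", "10001"),
    IdentityRecord("aggregator", "Jane Doe", "1981-04-12", "1234", "99 Other Rd", "10002"),
]

if __name__ == "__main__":
    result = verify_identity(APPLICANT, RECORDS)
    print(result.decision, result.reasons)
```

With all three constructed records the date of birth disagrees with the aggregator, so the applicant is routed to manual review even though name and SSN are corroborated three times over; with only the two bureau records every required field is independently confirmed twice and the result is "verified". Keeping the per-field evidence in the result, rather than just a yes/no, is what lets the institution later show a regulator which sources supported each decision.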

Relying on third-party information aggregators, like LexisNexis, IDology or RDC, substitutes the risk of vendor error for the risk of human error in collecting and reviewing information. When you utilize a third-party service provider, you are shifting an important function outside of your financial institution, and regulators will want you to demonstrate appropriate oversight to assure reliability.

• You can and should request and retain an SSAE 16 report (formerly SAS 70) from the third party service provider.

• Regularly review and retain the results of the non-documentary Know Your Customer process by taking a blind sample of results and comparing the actual credit reports and other data sources against the customer-reported information.

• Review and retain reports provided by the third party service provider.

• Draft internal reports reviewing the risk associated with your specific non-documentary Know Your Customer process.

• Memorialize internal Know Your Customer procedures.

Satisfying the law is vital, but establishing a thorough non-documentary Know Your Customer system protects your financial institution’s assets and reputation in the market.

Key Takeaways:

• In a mobile banking and lending environment, non-documentary Know Your Customer procedures save your financial institution time and money and improve the customer experience.

• Non-documentary Know Your Customer procedures can satisfy the CIP Requirements so long as they are properly designed, regularly reviewed and accurately documented in a financial institution’s procedures.

• Third party service providers may supplement a financial institution’s internal Know Your Customer procedures by reviewing all the customers of a financial institution growing in the mobile banking and lending business.

Robert A. Irwin is Associate General Counsel of On Deck Capital, Inc., a small business lender.

Kurt L. Kicklighter is the California Executive Partner with McKenna Long & Aldridge LLP, where he represents financial institutions in a wide range of matters, including evaluating strategic alternatives, negotiating mergers and regulatory enforcement matters.
