USA Patriot Act: Additional Guidance Could Improve Implementation of Regulations Related to Customer Identification and Information Sharing Procedures

GAO-05-412 Published: May 06, 2005. Publicly Released: Jun 06, 2005.

Title III of the USA PATRIOT Act of 2001, passed after the September 11 terrorist attacks, amended U.S. anti-money laundering laws and imposed new requirements on financial institutions. Section 326 of the act required the development of minimum standards for verifying the identity of financial institution customers. Section 314 required the development of regulations encouraging the further sharing of information between law enforcement agencies and the financial industry and between the institutions themselves. Because of concerns about the implementation of these new provisions, GAO determined (1) how the government developed the regulations and educated the financial industry on them, and what challenges it encountered; (2) how regulators have updated guidance, trained examiners, and examined firms for compliance; and (3) how the new regulations have affected law enforcement investigations.



Recommendations for Executive Action

Agency Affected: Department of the Treasury
Recommendation: To build on education and outreach efforts and help financial institutions subject to the CIP requirement effectively implement their programs, the Secretary of the Treasury, through FinCEN and in coordination with the federal financial regulators and SROs, should develop additional guidance covering ongoing implementation issues related to the CIP requirement. Specifically, additional guidance on the CIP requirement that provides examples or alternatives of how to verify the identity of high-risk customers, such as foreign individuals and companies, could help financial institutions develop better risk-based procedures.
Status: Closed – Implemented
In August 2005, in conjunction with the publication of the FFIEC BSA/AML examination manual, FinCEN and the banking regulators held nationwide conference calls and outreach meetings, all of which included a discussion of the Customer Identification Program (CIP) regulation. In October 2005, FinCEN hosted an inter-agency meeting to identify options and develop an action plan for developing additional guidance relating to best practices and verification techniques for high-risk customers. In 2006, FinCEN and the banking regulators issued an updated BSA/AML manual that contained specific examination procedures for a bank's Customer Identification Program, which included transaction testing procedures for high-risk customers. The manual also includes expanded examination procedures for such customers as nonresident aliens and foreign individuals, politically exposed persons, embassy and foreign consulate accounts, and domestic and foreign business entities, among others. FinCEN issued FAQs jointly with CFTC addressing omnibus account relationships in February 2006. FinCEN developed and sent CIP Frequently Asked Questions (FAQs) to SEC and CFTC for their review in March 2006.

Agency Affected: Financial Crimes Enforcement Network
Recommendation: To enhance examination guidance covering the CIP requirement and ensure that examiners are well-informed about CIP requirements, the Director of FinCEN should work with the federal financial regulators to develop additional guidance for examiners to use in conducting Bank Secrecy Act examinations. Specifically, the guidance should clarify that complying with the CIP requirement is more than determining whether the minimum customer identification information has been obtained--the examiner should determine whether a financial institution's CIP contains effective risk-based procedures for verifying the identity of customers. Secondly, the guidance should clarify how CIP fits into other customer due diligence practices, such as know-your-customer procedures. Finally, the guidance should reflect the FAQs on CIP issued for industry, which addressed the difficulties in interpretation we observed for checking government lists and applying the CIP requirement to existing customers.
Status: Closed – Implemented
FinCEN and the banking regulators issued the FFIEC BSA/AML examination manual in June 2005. After its publication, FinCEN participated in a series of nationwide conference calls and regional outreach meetings in August 2005 to educate examiners and the industry on the guidance contained in the manual, including how to examine industry Customer Identification Programs (CIPs). In 2006, FinCEN and the banking regulators issued an updated BSA/AML manual that included examination procedures for transaction testing to be done on the basis of a risk assessment. The manual specifically states that Customer Identification Programs must contain risk-based procedures for verifying the identity of the customer. The manual also includes examination procedures for customer due diligence policies, procedures and processes, which explain that this concept begins with verifying the customer's identity--a key component of CIP. The CIP examination procedures clarify requirements for checking government lists and how to apply CIP to existing customers. To address other industries, FinCEN signed a Memorandum of Understanding with the SEC in December 2006 to share information, including examination procedures, and was working to reach a similar agreement with CFTC. FinCEN received some of the SEC's examination procedures, including procedures for reviewing compliance with the CIP regulations.
