See the CIP overview section in the FFIEC Bank Secrecy Act Examination Manual:
A bank’s CIP must include recordkeeping procedures. At a minimum, the bank must retain the identifying information (name, address, date of birth for an individual, TIN, and any other information required by the CIP) obtained at account opening for a period of five years after the account is closed. For credit cards, the retention period is five years after the account closes or becomes dormant. The bank must also keep a description of the following for five years after the record was made:
- Any document that was relied on to verify identity, noting the type of document, the identification number, the place of issuance, and, if any, the date of issuance and expiration date.
- The method and the results of any measures undertaken to verify identity.
- The results of any substantive discrepancy discovered when verifying identity.
For many banks, the easiest way to demonstrate compliance is to retain a copy of the customer’s driver’s license, and certain teller software packages use the driver’s license to identify the customer. However, while that complies with CIP, it raises the question of Regulation B and the Equal Credit Opportunity Act.
This is a situation where there is a conflict between two regulations. Reg B generally prohibits collection of information about a customer’s race, ethnicity and gender for non-mortgage loans. The problem is that if you have a copy of a driver’s license in the file, you have a picture, which will indicate race and gender, and the surname may indicate ethnicity. Also, it is illegal in some states to make a copy of a driver’s license, and it is illegal under federal law to make a copy of any government or military ID.
One solution that some banks have used in states where it’s permissible to keep a copy of a driver’s license is to create a firewall or barrier so that the bank’s lenders and underwriters do not have access to the files where the copy of a customer’s driver’s license is maintained. This is important if the bank does keep copies of driver’s licenses in customer files.
Importantly, nowhere in Section 326 does it state that you must keep a copy of the identification provided. In fact, during the comment period for the final rule, the agencies discussed whether to require financial institutions to make a copy of the consumer’s identification but decided against it. The final regulation states that banks must keep the information and a description—not the documents themselves. The information on a driver’s license, for example, would be the name of the document (driver’s license), issuing party (state of X), issue date and expiration date. For a passport, a bank would retain the information relating to the country, issue date and expiration date. (Response provided July 2017.)
Answers are provided by Leslie Callaway, CRCM, CAFP, director of compliance outreach and development; Mark Kruhm, CRCM, CAFP, senior compliance analyst; and Rhonda Castaneda, CRCM, compliance analyst, ABA Center for Regulatory Compliance. Answers do not provide, nor are they intended to substitute for, professional legal advice. Answers were current as of the response date shown at the end of each item.