Online account opening is a major convenience many consumers expect their financial institution to offer. However, financial institutions offering the service can find themselves quickly out of compliance with a variety of regulations. This article addresses one large barrier many financial institutions encounter: compliance with the Bank Secrecy Act/Anti-Money Laundering (BSA) requirements. This article is intended to provide a starting point for institutions looking to expand the ability for consumers to open accounts online, as well as a touch base for those that already allow online account opening but want to make sure they remain current with regulatory expectations.
Accounts that are opened without face-to-face contact pose a higher risk for money laundering and terrorist financing for many reasons. These include difficulty in positively verifying the individual’s identity, the possibility of a consumer being outside of the institution’s targeted geographic area, nefarious persons perceiving the process as less transparent and utilizing this to their benefit, and the online account being used by a “front” company or unknown third party. Due to these risks, institutions should have the proper risk mitigation internal controls in place.
A sound BSA program will help mitigate the risk of accounts opened online, especially through effective internal controls in the areas of the Customer Identification Program (CIP), customer due diligence (CDD) monitoring, the BSA risk assessment and written program, suspicious activity monitoring, and training.
CIP Identification and the Beneficial Ownership Certification
Whether an account is opened online or in person, CIP and beneficial ownership certification requirements remain the same. The PATRIOT Act signage should be posted where a consumer would reasonably see it before they open an account, and the following information must be gathered:
- Address (residential or business street address)
- Date of birth, for individuals
- Officially issued identification number. For a U.S. person, this is a taxpayer identification number. For a non-U.S. person, one of the following: taxpayer identification number, passport number and country of issuance, alien identification card number, or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing photograph or similar safeguard. For a foreign business or enterprise that does not have an identification number, the financial institution must request alternative government-issued documentation certifying the existence of the business or enterprise.
The Beneficial Ownership Certification form needs to be completed for legal entity customers at the time of account opening. In addition to gathering all this information, the identity of the person or entity opening an account with the institution must be verified to a degree of reasonableness.
This verification can be accomplished by checking an external, publicly available source such as Chexsystems, credit bureaus, Qualifile, state licensing offices for verifying businesses, and others. Through the system, the institution should ensure the government identification number and domestic address information matches the information provided by the consumer. In addition, the institution should verify the consumer against any available government list and OFAC listings, according to the procedures for OFAC compliance. Lastly, it is beneficial to ask “out of wallet” questions. A typical series of out-of-wallet questions may inquire about former employers, the lienholder on a loan, or zip codes for prior addresses.
Throughout the verification process, the institution may receive alerts that cause it to question the associated identity. Procedures should address instances in which the information provided is determined to be incorrect. Any discrepancy could cause the institution to deny the application, require the consumer to complete it in person or require additional internal review to complete the account opening process. Some internal control best practices to utilize when a “failed” notification/alert is received during the verification process are:
- Failed ID Match: Require copy of identification in person at branch.
- Failed SSN Match: Require documentation to prove valid social security number.
- Failed OFAC Check: Call OFAC Hotline at 1-800-540-6322 and follow OFAC procedure.
- Failed Name Match: Require documentation to prove valid name.
- Failed Address Match: Require proof of address (e.g., utility bill or bank statement).
- Failed Birth Date Match: Require identification proving DOB (e.g., driver’s license or birth certificate).
- Failed ID Authentication: Do not open the account online without management review.
The BSA requirements don’t stop with CIP. As with accounts opened in person, there are base CDD requirements which must be met. The object of CDD is to enable the institution to predict with relative certainty the type of transactions a consumer is likely to engage in. The institution should obtain information at account opening sufficient to develop an understanding of normal and expected activity for the consumer’s occupation or business operations.
If the institution utilizes a standard CDD checklist, it should be included in the online account opening process. This form may include the purpose of the account, source of any funds being deposited or used as a loan down payment, the occupation of the account owner(s), and deposit/withdrawal volumes and methods (checks, ATM, ACH, wire transfers, etc.).
CDD is not complete once an account has been opened, but instead continues through the ongoing monitoring process. The BSA officer or designated employee should periodically review accounts opened online for suspicious activity. New account activity reports, Internet Protocol (IP) address reports, identification of related or linked accounts, and transaction limitations are among the resources that can be used for the ongoing monitoring necessary for properly risk rating and reviewing online accounts until an adequate level of comfort with the account activity is gained. Accounts opened online may also be identified within the operating system with a warning code to assist staff in the identification of suspicious activity when processing transactions.
Risk Assessment and Written Program
To ensure the BSA risk assessment accurately reflects the institution’s risk profile, we recommend it quantify the approximate number of accounts opened online, the types of accounts that can be opened online and the controls the institution has put in place to mitigate the risk. Quantifying this information will support the underlying risk rating for this aspect of the risk assessment and may impact the institution’s overall rating.
Within the written program, the institution should state whether it opens accounts online and which accounts may be opened online. In addition, CIP procedures should be enhanced for opening a deposit account online, including the steps relied upon to ensure the validity of the information received from the applicant. In addition to outlining the verification process, the portions of the written program addressing the lack of verification, the circumstance in which the financial institution will not open an account as well as the exceptions to the CIP should be updated within the CIP policy and procedure. The CDD sections and associated internal controls should also be updated.
BSA compliance is a holistic approach to managing the institution’s risk. The training program should be enhanced so that those who will manage the account opening process from the front lines are brought up to speed on the risks and requirements. The online account opening process will include nondocumentary methods of identification for the most part, and the institution needs to be comfortable with the abilities of new accounts staff to consistently follow the practices it has put into place.
We are often asked how to address online account opening and account opening not completed in person. With the information outlined above, baseline procedures can be established. If you have any remaining questions, we are always just an email or phone call away. Feel free to contact me at email@example.com.