Financial firms get new guidelines on customer IDs

Computerworld - The U.S. Treasury Department has released final regulations designed to prevent the funding of terrorist activities and money laundering. The rules are part of the Customer Identification Program (CIP) of the USA Patriot Act.
Banks and other financial institutions have until Oct. 1 to comply with the federal regulations, which require them to put in place processes that allow for a risk-based identification of all new customers. Apart from collecting specific identifying information from customers, banks will be responsible for verifying that information and comparing it against government-issued lists containing the names of known or suspected terrorists or terrorist organizations.
The degree of complexity involved in complying with the new rules will vary by company and will depend to a large extent on the processes already in place, said Alan Abel, global practice leader of Money Laundering Compliance Services at PricewaterhouseCoopers in New York.
"Everyone has different mechanisms and has reacted very differently to the proposed rules," Abel said. While some have tried to be proactive about implementing changes to their customer identification processes, others have been waiting for the final rules to come out.
Implementing the new CIP requirements will mean putting in place processes for collecting, verifying, scanning and storing customer identification data. It will also mean making changes to written policies relating to online and in-person account creation, and training personnel on the new requirements.
Extensive auditing processes will be needed to ensure that companies comply with the requirements, said Brian Smith, a partner at Mayer, Brown, Rowe & Maw in Washington. "The requirements are reasonable, but they still impose quite a burden" on financial firms, Smith said.
Last fall the Securities Industry Association (SIA) raised concerns about the CIP, saying firms needed sufficient time after the final rule was announced to implement the required changes, according to Christine Conlon, an SIA spokeswoman.
Companies now have five months to implement the changes needed to comply with the regulations.
Meanwhile, new Securities and Exchange Commission rules governing the logging and retention of electronic communications by financial services firms went into effect this week. SEC Rule 17a-4 requires exchange members, brokers and dealers to capture and maintain a log of all electronic communications for at least six years.
Abel/Noser Corp., a New York-based broker, has just finished implementing new technology from Legato Systems Inc. to comply with the rules, said Ravi Jethmal, the firm's compliance officer. The software allows the compliance department to examine all e-mail generated within the company to spot language not allowed in the industry.
Abel/Noserhasn't yet put in place similar measures for dealing with instant messages generated inside the company, Jethmal said. But he said the company plans to do so soon.
Though SEC rules refer only to "electronic communications," companies should maintain a record of both e-mail and instant messages to be fully compliant, said Gary Refiman, co-founder of Communicator Inc., a New York-based provider of secure messaging services for companies such as The Goldman Sachs Group Inc., J.P. Morgan Chase & Co. and Lehman Brothers Holdings Inc.
An SEC spokesman said today that the requirements cover all electronic communications, but he didn't get more specific.

Read more about legislation/regulation in Computerworld's Legislation/Regulation Knowledge Center.