How ‘Know Your Customer’ rules changed after 9-11

By Adam Elliott
ID Insight president, co-founder

Adam Elliott

Adam Elliott

Not long ago, verifying the true identity of customers meant that financial institutions ran an off-the-shelf ID verification (IDV) solution and simply confirmed that all the identity credentials presented had been seen before. If the information checked out, then it was business as usual.

For more than three decades, legislation of the financial services sector designed to combat criminal money laundering, terrorism and, more recently, to address identity theft, has required financial providers to implement procedures to track customer information.

Fortunately, new tactics and procedures are now being developed to address the changing fraud landscape. But in order to understand where ID verification is going, it is important to begin with its history.


The Simple Beginnings

In 1970, the Foreign Transactions Reporting Act, known as the Bank Secrecy Act (BSA) provided the first regulation of bank practices aimed at curbing money-laundering activities. The BSA established record-keeping and reporting requirements for individuals, banks and other financial institutions and required that banks have a Customer Identification Program (CIP) that is appropriate for their size and type of business.

As part of the CIP, banks were required to use documentary or non-documentary methods of identification to form a reasonable belief that it knew the true identity of each customer.

For most banking institutions, this meant that when a prospective customer came into the branch to open a new account, the account opening representative simply got a copy of a driver’s license and dropped it into a file. It wasn’t a sophisticated solution, but it was effective enough at the time.

The Internet and “Not Present”

The next evolution in the ID verification market came in the mid to late 1990’s with the advent of the Internet and the subsequent dot-com explosion.

The banking industry realized that there would now be millions of “Not Present” transactions, as the customer would no longer be present at the bank branch; they would now be sitting at the other end of a computer connection.

As an industry, banks realized they would still need to “know the customer” even though they were not physically present.

This need gave way to new forms of electronic IDV. Instead of comparing identity credentials to a physical document (such as the driver’s license), IDV solutions emerged to compare identity credentials with a separate known repository of those same identity credentials.

Typically, this meant electronically verifying that the identity credentials matched these same credentials at a credit bureau. If the name, social security number and date of birth all matched, presumably that was the correct individual and financial services companies would be in compliance with BSA and the CIP requirements.

Then, just as the Internet had done in the 1990s, the Sept. 11, 2001 attacks changed everything again when the Twin Towers came roaring down.

9/11 Ups the Ante

Up to this point, IDV systems and solutions focused on combatting fraud and organized crime. With 9/11, however, the world of IDV changed once again. Suddenly it became about protecting ourselves from terrorism.

In the days after the attack, Congress enacted the USA PATRIOT Act, placing even more scrutiny on the individuals and organizations banks were doing business with.

This was based on the realization that many of the 19 hijackers had successfully opened and maintained banking accounts at some of the largest banking institutions in the country.

The fact that the terrorists had opened those accounts using false and fictitious information was difficult for banks to swallow.  IDV solutions were no longer about saving a few bucks, but protecting the home front.

Identity Theft Epidemic

Then, starting in 2003, identity theft became front-page news, rising at a rate of 30 to 40 percent annually with one in 20 consumers being impacted.

While this was alarming to the average consumer and certainly newsworthy, it really didn’t register for financial institutions as a major problem, as identity theft still represented a relatively small financial liability.

In talking to victims of identity theft, a common theme began to emerge. Repeatedly, victims described how identity thieves had used their identifying information to open up new accounts in their names.

The importance of correct address

They would apply for credit instruments using the victim’s correct name, social security number and date of birth. However, the thieves would then alter the physical address on the application. Why? Because when it was approved, the corresponding credit cards, debit cards, and statements would be delivered to the thief and not the real person.

This rise in identity theft gave rise to the Fair and Accurate Credit Transactions Act (FACT Act) of 2003, which added several new sections and amended the Fair Credit Reporting Act of 1970. With regards to this address loophole that the criminals exposed, Section 315 of the FACT Act now required that financial institutions resolve these address discrepancies.


Posted in Uncategorized and tagged , , , , , .