Attachment to Basel Committee publication No. 85 "Customer due diligence for banks"
1. The Basel Committee on Banking Supervision in its paper on Customer Due Diligence for Banks published in October 2001 referred to the intention of the Working Group on Cross-border Banking 1 to develop guidance on customer identification. Customer identification is an essential element of an effective customer due diligence programme which banks need to put in place to guard against reputational, operational, legal and concentration risks. It is also necessary in order to comply with anti-money laundering legal requirements and a prerequisite for the identification of bank accounts related to terrorism.
2. What follows is account opening and customer identification guidelines and a general guide to good practice based on the principles of the Basel Committee's Customer due diligence for banks paper. This document, which has been developed by the Working Group on Cross-border Banking, does not cover every eventuality, but instead focuses on some of the mechanisms that banks can use in developing an effective customer identification programme.
3. These guidelines represent a starting point for supervisors and banks in the area of customer identification. This document does not address the other elements of the Customer Due Diligence for banks paper, such as the ongoing monitoring of accounts. However, these elements should be considered in the development of effective customer due diligence, anti-money laundering and combating the financing of terrorism procedures.
4. These guidelines may be adapted for use by national supervisors who are seeking to develop or enhance customer identification programmes. However, supervisors should recognize that any customer identification programme should reflect the different types of customers (individual vs. institution) and the different levels of risk resulting from a customer's relationship with a bank. Higher risk transactions and relationships, such as those with politically exposed persons or organisations, will clearly require greater scrutiny than lower risk transactions and accounts.
5. Guidelines and best practices created by national supervisors should also reflect the various types of transactions that are most prevalent in the national banking system. For example, non-face-to-face opening of accounts may be more prevalent in one country than another. For this reason the customer identification procedures may differ between countries.
6. Some identification documents are more vulnerable to fraud than others. For those that are most susceptible to fraud, or where there is uncertainty concerning the validity of the document(s) presented, the bank should verify the information provided by the customer through additional inquiries or other sources of information.
7. Customer identification documents should be retained for at least five years after an account is closed. All financial transaction records should be retained for at least five years after the transaction has taken place.
8. These guidelines are divided into two sections covering different aspects of customer identification. Section A describes what types of information should be collected and verified for natural persons seeking to open accounts or perform transactions. Section B describes what types of information should be collected and verified for institutions and is in two parts, the first relating to corporate vehicles and the second to other types of institutions.
10. For natural persons the following information should be obtained, where applicable:
11. The bank should verify this information by at least one of the following methods:
12. The examples quoted above are not the only possibilities. In particular jurisdictions there may be other documents of an equivalent nature which may be produced as satisfactory evidence of customers' identity.
14. From the information provided in paragraph 10, financial institutions should be able to make an initial assessment of a customer's risk profile. Particular attention needs to be focused on those customers identified thereby as having a higher risk profile and additional inquiries made or information obtained in respect of those customers to include the following:
15. For one-off or occasional transactions where the amount of the transaction or series of linked transactions does not exceed an established minimum monetary value, it might be sufficient to require and record only name and address.
16. It is important that the customer acceptance policy is not so restrictive that it results in a denial of access by the general public to banking services, especially for people who are financially or socially disadvantaged.
17. The underlying principles of customer identification for natural persons have equal application to customer identification for all institutions. Where in the following the identification and verification of natural persons is involved, the foregoing guidance in respect of such persons should have equal application.
18. The term institution includes any entity that is not a natural person. In considering the customer identification guidance for the different types of institutions, particular attention should be given to the different levels of risk involved.
19. For corporate entities (i.e. corporations and partnerships), the following information should be obtained:
20. The bank should verify this information by at least one of the following methods:
21. The bank should also take reasonable steps to verify the identity and reputation of any agent that opens an account on behalf of a corporate customer, if that agent is not an officer of the corporate customer.
22. For corporations/partnerships, the principal guidance is to look behind the institution to identify those who have control over the business and the company's/partnership's assets, including those who have ultimate control. For corporations, particular attention should be paid to shareholders, signatories, or others who inject a significant proportion of the capital or financial support or otherwise exercise control. Where the owner is another corporate entity or trust, the objective is to undertake reasonable measures to look behind that company or entity and to verify the identity of the principals. What constitutes control for this purpose will depend on the nature of a company, and may rest in those who are mandated to manage funds, accounts or investments without requiring further authorisation, and who would be in a position to override internal procedures and control mechanisms. For partnerships, each partner should be identified and it is also important to identify immediate family members that have ownership control.
23. Where a company is listed on a recognised stock exchange or is a subsidiary of such a company then the company itself may be considered to be the principal to be identified. However, consideration should be given to whether there is effective control of a listed company by an individual, small group of individuals or another corporate entity or trust. If this is the case then those controllers should also be considered to be principals and identified accordingly.
24. For the account categories referred to paragraphs 26 to 34, the following information should be obtained in addition to that required to verify the identity of the principals:
25. The bank should verify this information by at least one of the following:
26. Where an occupational pension programme, employee benefit trust or share option plan is an applicant for an account the trustee and any other person who has control over the relationship (e.g. administrator, programme manager, and account signatories) should be considered as principals and the bank should take steps to verify their identities.
27. Where these entities are an applicant for an account, the principals to be identified should be considered to be those persons exercising control or significant influence over the organisation's assets. This will often include board members plus executives and account signatories.
28. In the case of accounts to be opened for charities, clubs, and societies, the bank should take reasonable steps to identify and verify at least two signatories along with the institution itself. The principals who should be identified should be considered to be those persons exercising control or significant influence over the organisation's assets. This will often include members of a governing body or committee, the President, any board members, the treasurer, and all signatories.
29. In all cases independent verification should be obtained that the persons involved are true representatives of the institution. Independent confirmation should also be obtained of the purpose of the institution.
30. When opening an account for a trust, the bank should take reasonable steps to verify the trustee(s), the settlor(s) of the trust (including any persons settling assets into the trust) any protector(s), beneficiary(ies), and signatories. Beneficiaries should be identified when they are defined. In the case of a foundation, steps should be taken to verify the founder, the managers/directors and the beneficiaries.
31. When a professional intermediary opens a client account on behalf of a single client that client must be identified. Professional intermediaries will often open "pooled" accounts on behalf of a number of entities. Where funds held by the intermediary are not co-mingled but where there are "sub-accounts" which can be attributable to each beneficial owner, all beneficial owners of the account held by the intermediary should be identified. Where the funds are co-mingled, the bank should look through to the beneficial owners; however, there may be circumstances which should be set out in supervisory guidance where the bank may not need to look beyond the intermediary (e.g. when the intermediary is subject to the same due diligence standards in respect of its client base as the bank).
32. Where such circumstances apply and an account is opened for an open or closed ended investment company, unit trust or limited partnership which is also subject to the same due diligence standards in respect of its client base as the bank, the following should be considered as principals and the bank should take steps to identify:
33. Where other investment vehicles are involved, the same steps should be taken as in paragraph 32 where it is appropriate to do so. In addition all reasonable steps should be taken to verify the identity of the beneficial owners of the funds and of those who have control of the funds.
34. Intermediaries should be treated as individual customers of the bank and the standing of the intermediary should be separately verified by obtaining the appropriate information drawn from the itemised lists included in paragraphs 19-20 above.