BASEL COMMITTEE ON BANKING SUPERVISION

Sound know-your-customer (KYC) policies and procedures are supporting the overall safety and soundness of banks; they likewise protect the integrity of the banking system by reducing the likelihood of banks being used for money laundering, terrorist financing and other illegal activities.

In October 2001, the Basel Committee on Banking Supervision published a paper on "Customer Due Diligence for Banks", which was supplemented in February 2003 by the "General Guide to Account Opening and Customer Identification". The aim of the paper was to provide a customer identification and know-your customer  framework that may serve as a benchmark for banking supervisors to establish national practices and for banks to design their own KYC programs. The guidance provided in the paper enjoys broad international support from banking regulators. This paper identifies four essential elements for a sound KYC programme, as follows: customer acceptance policy, customer identification,  ongoing monitoring of higher-risk accounts, risk management.

The Basel Committee on Banking Supervision is an institution created by the central bank Governors of the Group of Ten nations. It was created in 1974 and meets regularly four times a year. Its membership is now composed of senior representatives of bank supervisory authorities and central banks from the G-10 countries (Belgium, Canada, France, Germany, Italy, Japan, the Netherlands, Sweden, Switzerland, the United Kingdom and the United States), and representatives from Luxembourg and Spain. It usually meets at the Bank for International Settlements in Basel, where its 12 member permanent Secretariat is located.

The Basel Committee formulates broad supervisory standards and guidelines and recommends statements of best practice in banking supervision in the expectation that member authorities and other nation's authorities will take steps to implement them through their own national systems, whether in statutory form or otherwise.

The purpose of the committee is to encourage convergence toward common approaches and standards. BCBS is not a classical multilateral organization. It has no founding treaty, and it does not issue binding regulation. Rather, its main function is to act as an informal forum to find policy solutions and to promulgate standards.

GENERAL GUIDE TO ACOUNT OPENING AND CUSTOMER IDENTIFICATION – ATTACHMENT TO BASEL COMMITTEE PUBLICATION No 85 ‘CUSTOMER DUE DILIGENCE FOR BANKS’ (FEBRUARY 2003)

The Basel paper requires banks to develop clear customer acceptance policies and procedures, including a description of the types of customer that are likely to pose a higher than average risk to a bank. In preparing such policies, factors such as a customer’s background, country of origin, public or high profile position, linked accounts and business activities should be considered. These policies and procedures should be graduated to require more extensive due diligence for higher risk customers.

The paper is sensitive to the needs of the financially or socially disadvantaged. It allows client acceptance policies that may require the most basic account-opening requirements for a working individual with a small account balance. The paper also stresses that “it is important that the customer acceptance policy is not so restrictive that it results in a denial of access by the general public to banking services, especially for people who are financially or socially disadvantaged.”

Basel Committee's Customer due diligence for banks paper has been developed by the Working Group on Cross-border Banking. The Working Group on Cross-border Banking is a joint group consisting of members of the Basel Committee and of the Offshore Group of Banking Supervisors. Customer due diligence for banks paper  does not cover every eventuality, but instead focuses on some of the mechanisms that banks can use in developing an effective customer identification programme. These guidelines represent a starting point for supervisors and banks in the area of customer identification and they may be adapted for use by national supervisors who are seeking to develop or enhance customer identification programs. However, supervisors should recognize that any customer identification programme should reflect the different types of customers (individual vs. institution) and the different levels of risk resulting from a customer's relationship with a bank. Higher risk transactions and relationships, such as those with politically exposed persons or organizations, will clearly require greater scrutiny than lower risk transactions and accounts.

Guidelines and best practices created by national supervisors should also reflect the various types of transactions that are most prevalent in the national banking system. For example, non-face-to-face opening of accounts may be more prevalent in one country than another. For this reason the customer identification procedures may differ between countries.  Some identification documents are more vulnerable to fraud than others. For those that are most susceptible to fraud, or where there is uncertainty concerning the validity of the document(s) presented, the bank should verify the information provided by the customer through additional inquiries or other sources of information.

Customer identification documents should be retained for at least five years after an account is closed. All financial transaction records should be retained for at least five years after the transaction has taken place.

These guidelines are divided into two sections covering different aspects of customer identification. Section A describes what types of information should be collected and verified for natural persons seeking to open accounts or perform transactions. Section B describes what types of information should be collected and verified for institutions and is in two parts, the first relating to corporate vehicles and the second to other types of institutions.

A. Natural Persons

For natural persons the following information should be obtained, where applicable:

- legal name and any other names used (such as maiden name);

- correct permanent address (the full address should be obtained; a Post Office box number is not sufficient);

- telephone number, fax number, and e-mail address;

- date and place of birth;

- nationality;

- occupation, public position held and/or name of employer;

- an official personal identification number or other unique identifier contained in an unexpired official document (e.g. - passport, identification card, residence permit, social security records, driving licence) that bears a photograph of the customer;

- type of account and nature of the banking relationship;

- signature.

The bank should verify this information by at least one of the following methods:

- confirming the date of birth from an official document (e.g. birth certificate, passport, identity card, social security records);

- confirming the permanent address (e.g. utility bill, tax assessment, bank statement, a letter from a public authority);

- contacting the customer by telephone, by letter or by e-mail to confirm the information supplied after an account has been opened (e.g. a disconnected phone, returned mail, or incorrect e-mail address should warrant further investigation);

- confirming the validity of the official documentation provided through certification by an authorized person (e.g. embassy official, notary public).

The examples quoted above are not the only possibilities. In particular jurisdictions there may be other documents of an equivalent nature, which may be produced as satisfactory evidence of customers' identity.  Financial institutions should apply equally effective customer identification procedures for non-face-to-face customers as for those available for interview.

From the information provided financial institutions should be able to make an initial assessment of a customer's risk profile. Particular attention needs to be focused on those customers identified thereby as having a higher risk profile and additional inquiries made or information obtained in respect of those customers to include the following:

- evidence of an individual's permanent address sought through a credit reference agency search, or through independent verification by home visits;

- personal reference (i.e. by an existing customer of the same institution);

- prior bank reference and contact with the bank regarding the customer;

- source of wealth;

- verification of employment, public position held (where appropriate).

For one-off or occasional transactions where the amount of the transaction or series of linked transactions does not exceed an established minimum monetary value, it might be sufficient to require and record only name and address. It is important that the customer acceptance policy is not so restrictive that it results in a denial of access by the general public to banking services, especially for people who are financially or socially disadvantaged.

B. Institutions

The underlying principles of customer identification for natural persons have equal application to customer identification for all institutions. Where in the following the identification and verification of natural persons is involved, the foregoing guidance in respect of such persons should have equal application. The term institution includes any entity that is not a natural person. In considering the customer identification guidance for the different types of institutions, particular attention should be given to the different levels of risk involved.

I. Corporate Entities

For corporate entities (i.e. corporations and partnerships), the following information should be obtained:

- name of institution;

- principal place of institution's business operations;

- mailing address of institution;

- contact telephone and fax numbers;

- some form of official identification number, if available (e.g. tax identification number);

- the original or certified copy of the Certificate of Incorporation and Memorandum and Articles of Association;

- the resolution of the Board of Directors to open an account and identification of those who have authority to operate the account;

- nature and purpose of business and its legitimacy.

The bank should verify this information by at least one of the following methods:

- for established corporate entities - reviewing a copy of the latest report and accounts (audited, if available);

- conducting an enquiry by a business information service, or an undertaking from a reputable and known firm of lawyers or accountants confirming the documents submitted;

- undertaking a company search and/or other commercial enquiries to see that the institution has not been, or is not in the process of being, dissolved, struck off, wound up or terminated;

- utilizing an independent information verification process, such as by accessing public and private databases;

- obtaining prior bank references;

- visiting the corporate entity, where practical;

- contacting the corporate entity by telephone, mail or e-mail.

The bank should also take reasonable steps to verify the identity and reputation of any agent that opens an account on behalf of a corporate customer, if that agent is not an officer of the corporate customer.

Corporations/Partnerships

For corporations/partnerships, the principal guidance is to look behind the institution to identify those who have control over the business and the company's/partnership's assets, including those who have ultimate control. For corporations, particular attention should be paid to shareholders, signatories, or others who inject a significant proportion of the capital or financial support or otherwise exercise control. Where the owner is another corporate entity or trust, the objective is to undertake reasonable measures to look behind that company or entity and to verify the identity of the principals. What constitutes control for this purpose will depend on the nature of a company, and may rest in those who are mandated to manage funds, accounts or investments without requiring further authorization, and who would be in a position to override internal procedures and control mechanisms. For partnerships, each partner should be identified and it is also important to identify immediate family members that have ownership control.

Where a company is listed on a recognized stock exchange or is a subsidiary of such a company then the company itself may be considered to be the principal to be identified. However, consideration should be given to whether there is effective control of a listed company by an individual, small group of individuals or another corporate entity or trust. If this is the case then those controllers should also be considered to be principals and identified accordingly.

II. Other Types of Institution

For the account categories referred to paragraphs below, the following information should be obtained in addition to that required to verify the identity of the principals:

- name of account;

- mailing address;

- contact telephone and fax numbers;

- some form of official identification number, if available (e.g. tax identification number);

- description of the purpose/activities of the account holder (e.g. in a formal constitution);

- copy of documentation confirming the legal existence of the account holder (e.g. register of charities).

The bank should verify this information by at least one of the following:

- obtaining an independent undertaking from a reputable and known firm of lawyers or accountants confirming the documents submitted;

- obtaining prior bank references;

- accessing public and private databases or official sources.

Retirement Benefit Programs

Where an occupational pension programme, employee benefit trust or share option plan is an applicant for an account the trustee and any other person who has control over the relationship (e.g. administrator, programme manager, and account signatories) should be considered as principals and the bank should take steps to verify their identities.

Mutual Funds/Friendly Societies, Cooperatives and Provident Societies

Where these entities are an applicant for an account, the principals to be identified should be considered to be those persons exercising control or significant influence over the organization’s assets. This will often include board members plus executives and account signatories.

Charities, Clubs and Associations

In the case of accounts to be opened for charities, clubs, and societies, the bank should take reasonable steps to identify and verify at least two signatories along with the institution itself. The principals who should be identified should be considered to be those persons exercising control or significant influence over the organization’s assets. This will often include members of a governing body or committee, the President, any board members, the treasurer, and all signatories.

In all cases independent verification should be obtained that the persons involved are true representatives of the institution. Independent confirmation should also be obtained of the purpose of the institution.

Trusts and Foundations

When opening an account for a trust, the bank should take reasonable steps to verify the trustee(s), the settlor(s) of the trust (including any persons settling assets into the trust) any protector(s), beneficiary(ies), and signatories. Beneficiaries should be identified when they are defined. In the case of a foundation, steps should be taken to verify the founder, the managers/directors and the beneficiaries.

Professional Intermediaries

When a professional intermediary opens a client account on behalf of a single client that client must be identified. Professional intermediaries will often open "pooled" accounts on behalf of a number of entities. Where funds held by the intermediary are not co-mingled but where there are "sub-accounts" which can be attributable to each beneficial owner, all beneficial owners of the account held by the intermediary should be identified. Where the funds are co-mingled, the bank should look through to the beneficial owners; however, there may be circumstances, which should be set out in supervisory guidance where the bank may not need to look beyond the intermediary (e.g. when the intermediary is subject to the same due diligence standards in respect of its client base as the bank).

Where such circumstances apply and an account is opened for an open or closed ended investment company, unit trust or limited partnership which is also subject to the same due diligence standards in respect of its client base as the bank, the following should be considered as principals and the bank should take steps to identify:

- the fund itself;

- its directors or any controlling board where it is a company;

- its trustee where it is a unit trust;

- its managing (general) partner where it is a limited partnership;

- account signatories;

- any other person who has control over the relationship e.g. fund administrator or manager.

Where other investment vehicles are involved, the same steps should be taken as described in paragraph above. In addition all reasonable steps should be taken to verify the identity of the beneficial owners of the funds and of those who have control of the funds.

Intermediaries should be treated as individual customers of the bank and the standing of the intermediary should be separately verified by obtaining the appropriate information drawn from the itemized lists mentioned above.