Skip to main content
OCC Flag

An official website of the United States government

OCC Bulletin 2003-22 | June 3, 2003

Bank Secrecy Act/Anti-Money Laundering (BSA/AML): Final Rule–Customer Identification Programs for Banks, Savings Associations, and Credit Unions


Chief Executive Officers and Compliance Officers of All National Banks, Federal Branches and Agencies, Department and Division Heads, and All Examining Personnel

This bulletin transmits a joint final rule published in the Federal Register on May 9, 2003, that requires all banks to establish procedures to verify the identity of customers. The final rule implements section 326 of the USA PATRIOT Act for banks, savings associations, credit unions and certain non-federally regulated banks (banks) and is codified at 31 CFR 103.121. In addition, it transmits an amendment of the Comptroller of the Currency's regulation 12 CFR 21.21, which has been modified specifically to require national banks to establish and maintain procedures to assure compliance with the new final rule implementing section 326.

Banks must comply with the final rule by October 1.

The final rule requires all banks to implement a Customer Identification Program (CIP) that is appropriate given the bank's size, location, and type of business. The CIP must be written, incorporated into the bank's BSA/AML program, and approved by the bank's board of directors. The final rule requires that the CIP include:

  • Risk-based procedures to verify the identity of customers (generally, persons opening new accounts) including procedures that:
    • Specify the identifying information that the bank must obtain from any customer, at a minimum, name, address, identification number, and, for individuals, date of birth;
    • Describe how the bank will verify the identity of the customer using documents, non-documentary methods, or a combination of both methods; and
    • Respond to circumstances in which the bank cannot form a reasonable belief that it knows the true identity of the customer.
  • Procedures to record the identifying information provided by the customer, a description of any document relied on, the methods and results of any measures undertaken to verify the identity of the customer, and the resolution of any substantive discrepancies discovered when verifying the identifying information obtained. Identifying information generally must be retained for five years after the account is closed. The remaining records need only be retained for five years after the records are made.
  • Procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations provided to the bank by any federal government agency and designated as such by the Department of the Treasury in consultation with the federal functional regulators (326 list). The procedures must also require the bank to follow all federal directives issued in connection with such a list. (Currently no 326 list has been designated.)
  • Procedures for providing bank customers with adequate notice that the bank is requesting information to verify their identities. The final rule includes a model notice that a bank may use to provide notice to its customers, if appropriate.

The final rule also describes when a bank may rely on another financial institution to perform all or part of the bank's CIP.

A link to the final rule can be found on the Financial Crimes Enforcement Network (FinCEN) Website at [ ].

Questions about the final regulation may be directed to your OCC supervisory office or OCC Compliance Division (202) 649-5470

David G. Hammaker
Deputy Comptroller for Compliance

Related Links