What does a law constructed to prevent terrorist attacks in the U.S. have to do with mortgages? If you’re a mortgage loan originator (MLO), a lot, it turns out.

The 2001 Patriot Act amended the Bank Secrecy Act, which was enacted in 1970 to combat money laundering and terrorist financing. [31 United States Code §5311 et seq.]

The Bank Secrecy Act requires banks have proper safeguards in place to inform law enforcement when they suspect banking activity points to terrorist activity or money laundering. The Patriot Act’s main change was to require each financial institution operating in the U.S. to have a Customer Identification Program (CIP).

Financial institutions include:

  • persons involved in real estate closings and settlements (including MLOs);
  • insured banks;
  • commercial banks or trust companies;
  • private bankers;
  • credit unions;
  • brokers or dealers registered with the Securities and Exchange Commission; and
  • investment bankers and companies. [31 USC 5312 et seq.]

What a CIP does

The purpose of financial institution’s CIP is to verify borrowers’ and mortgage applicants’ identities and alert law enforcement when suspicious activity or individuals are identified.

A financial institution’s CIP needs to:

  • identify mortgage applicants’ verification procedures;
  • contain procedures for verifying mortgage applicants’ information, which need to include at minimum each applicant’s:
    • name;
    • date of birth for individuals; and
    • residential or business address for individuals; or
    • an Army Post Office (APO) or Fleet Post Office (FPO) number; or
    • the residential or business street address of the individual’s next of kin; or
    • when the mortgage applicant is a corporation or partnership (not an individual), they need to provide the address for their principal place of business, local office or other physical location; and
  • customer identification number, which will be:
    • for a U.S. resident an individual taxpayer identification number (ITIN); or
    • for a non-U.S. resident, at least one of the following:
      • a taxpayer identification number;
      • passport number and country of issuance;
      • alien identification card number; or
      • number and county of issuance of any other government-issued photo identification document showing nationality or residence. [31 Code of Federal Regulations 1020.200 et seq.]

When a mortgage applicant has applied for an ITIN before opening an account with the institution but has not yet received one, the CIP may include procedures for dealing with this situation. When the financial institution includes such a procedure, the procedure needs to show how they will confirm the ITIN was applied for before opening an account and that they will receive the ITIN within a reasonable period of time when an account is opened. [31 CFR §1020.200(a)(i)(B)]

The CIP needs to include a procedure for notifying mortgage applicants that they are requesting information to verify their identity. [31 CFR §1020.200(a)(5)(i)]

Suspicious activity identified

When the financial institution cannot verify an individual’s identity, they need to have a procedure in place for responding to these situations. The procedures need to cover:

  • when the financial institution won’t open the account;
  • the terms with which a borrower may use their account while the institution is attempting to verify their identity;
  • when the institution will close an account after the borrower’s identity cannot be verified; and
  • when the institution needs to file a Suspicious Activity Report (SAR). [31 CFR 1020.200(a)(iii)]

When the financial institution feels it necessary, they file a SAR. This is filed no later than 30 days following the detection of suspicious information through the Bank Secrecy Act E-Filing System, accessed here. However, when no individual suspect is identified by the institution, they may delay filing the Suspicious Activity Report for up to 60 days from initial detection. When a suspicious activity requires immediate attention, the institution will notify law enforcement and the Office of the Comptroller of Currency (OCC) immediately by phone. [12 CFR §21.11(d)]

The CIP needs to also include a procedure for comparing individuals with government lists of known or suspected terrorists. [31 CFR §1020.200(a)(4)]

Related article:

Identity theft prevention for MLOs and MLBs

Record keeping

Each financial institution is required to keep records of all the information gathered during their required CIP procedures. It also won’t surprise you to learn that a procedure for keeping these records is required in the CIP. [31 CFR §1020.200(a)(3)]

The records need to contain at minimum:

  • all identifying information collected;
  • descriptions of any documents used to verify the individual’s or entity’s identity;
  • descriptions of the methods and results of measures taken to verify the identity of the individual or entity; and
  • when a discrepancy is identified, a description of the steps taken by the institution to file a SAR.

Records of all identifying information collected need to be kept for at least five years after the date an account is closed. All other records mentioned above need to be kept for at least five years after the account is made. [31 CFR §1020.200(a)(3) et seq.]