Customer Identification Regulations for Mutual Funds

August 18, 2003

On June 9, 2003, the U.S. Securities and Exchange Commission (the “SEC”), the U.S. Department of the Treasury (the “Treasury”) and several other federal financial regulators jointly adopted a final rule (the “CID Rule”) under the USA PATRIOT Act (the “Patriot Act”) requiring certain financial institutions, including mutual funds, to establish minimum procedures for identifying and verifying the identity of customers seeking to open new financial accounts.  The CID Rule (Treasury Rule 103.131; SEC Rule 0-11 under the Investment Company Act of 1940) requires every mutual fund to fully implement a Customer Identification Program by October 1, 2003.

In addition to mutual funds and other registered investment companies, the CID Rule also applies to the following financial institutions: banks and trust companies, savings associations, credit unions, securities brokers and dealers, futures commission merchants and futures introducing brokers. The CID Rule does not extend to private investment companies (i.e., hedge funds).  Hedge funds and other unregistered investment companies remain subject to a separate rule proposal issued September 18, 2002 and expected to be adopted later this year.  Nevertheless, this discussion of the CID Rule may be of assistance to hedge fund managers developing their own anti-money laundering compliance programs.

Background: Section 326 of the Patriot Act

On October 26, 2001, President Bush signed the Patriot Act into law.  Section 326 of the Patriot Act requires the Treasury jointly with the SEC to establish regulations setting forth minimum anti-money laundering standards for financial institutions relating to the determination and verification of the identity of any person who applies to open an account.  Section 326 provides that the regulations must require, at a minimum, that financial institutions implement reasonable procedures for:  (1) verifying the identity of customers, to the extent reasonable and practicable, when accounts are opened; (2) maintaining records of the information used to verify the person’s identity, including name, address and other identifying information; and (3) determining whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any U. S. government agency.

All “financial institutions” are subject to Section 326.  The term encompasses a variety of entities, including investment companies, banks, agencies and branches of foreign banks in the United States, thrifts, credit unions, brokers and dealers in securities or commodities, insurance companies, travel agents, pawnbrokers, dealers in precious metals, check-cashers, casinos and telegraph companies, among many others.

Although all “investment companies” are included in the term financial institutions, the CID Rule applies only to entities, including mutual funds, that are required to register with the SEC as investment companies under Section 8 of the Investment Company Act of 1940 (“Investment Company Act”).  Thus, the CID Rule does not apply to foreign mutual funds that meet the statutory definition but are not subject to the registration requirements of the Investment Company Act of 1940 or to hedge funds and other private investment companies that are not required to register under the Investment Company Act.

Customer Identification Program

The CID Rule requires that mutual funds establish, document and maintain a written Customer Identification Program (“CIP”). The CIP procedures must enable the mutual fund to form a reasonable belief that it knows the true identity of every customer.

The term “customer” is defined under the CID Rule to be a person that opens a new account.  For example, in the case of a trust account, the “customer” would be the trust.  For purposes of the CID Rule, a mutual fund is not required to look through a trust, or similar account to verify the identities of beneficiaries, and instead is required only to verify the identity of the named accountholder.  Similarly, with respect to an omnibus account established by an intermediary, a mutual fund generally is not required to look through the intermediary to the underlying beneficial owners.

The CID Rule clarifies the treatment of a minor child or an informal group with a common interest (e.g., a civic club), where there is no legal entity.  In those circumstances, “customer” includes an individual who opens a new account for (1) an individual who lacks capacity, such as a minor; or (2) an entity that is not a legal person, such as a civic club.

The CID Rule excludes from the definition of “customer” certain readily identifiable entities, including: (1) financial institutions regulated by a federal functional regulator; (2) banks regulated by a state bank regulator; and (3) governmental agencies and instrumentalities and companies that are publicly traded. 

Furthermore, “customer” does not include persons authorized to effect transactions in the account of a shareholder of record.  Rather, a mutual fund’s CIP must address situations in which the mutual fund will take additional steps to verify the identity of a customer that is not an individual (such as a corporation or partnership) by seeking information about individuals with authority or control over the account, including persons with authority to effect transactions in the account.

Additionally, the definition of “customer” excludes a person that has an existing account with a mutual fund provided that the mutual fund has a reasonable belief that it knows the true identity of the person.

A person that is a shareholder of record of a mutual fund prior to the effective date of the final rule would not be a “customer.” If such shareholder was to become a shareholder of record or be granted trading authorization in a different account after the effective date, however, the shareholder would be considered a “customer” of the new account.  It is important to note that under the CID Rule a person becomes a “customer” each time he opens a different type of account.  For example, after the effective date, if a person opens a taxable account and subsequently opens an IRA account, the person is a “customer” subject to the requirements of the CID Rule on both occasions.  However, a shareholder who exchanges shares of one fund for shares of another fund within the same account (or initiates any other transaction that does not involve the opening of a separate account) does not become a “customer” for the purposes of the CID Rule.

The requirements of the CID Rule do not apply to persons seeking information about a mutual fund such as a prospectus or profile.  In addition, transfers of accounts from one mutual fund to another that are not initiated by the customer (e.g., as a result of a merger, acquisition, purchase of assets or assumption of liabilities from any third party) are not covered by the CID Rule.

Certain minimum identifying information and acceptable verification methods for CIPs are described in the CID Rule (see “Required Identification Information” and “Required Verification Procedures,” below).  In developing their own CIPs, mutual funds should consider the type of identification information and verification methods that are most appropriate for their particular situation.  Such procedures must enable the mutual fund to form a reasonable belief that it knows the true identity of each customer.  After developing a CIP, a mutual fund should actively update its CIP on an on-going basis as new information and verification methods become available.

A CIP must be based upon an assessment of the relevant risk factors.  The CID Rule identifies the following four (4) relevant risk factors to be considered:

* Size of the Fund.  A large mutual fund opening many new accounts daily will have different risks than a small fund opening only a few new accounts.

* Methods for Opening Accounts. Accounts opened exclusively on-line or by telephone present different, and perhaps greater, risks than those opened during face-to-face interviews.

* Types of Accounts Offered.  Mutual funds should assess the relative risks (and degrees of risk) associated with the different types of accounts they offer (e.g., taxable, IRA, 401(k) and 403(b) accounts).

* Customer Base.  Different types of customers pose different risks.  Are accounts being opened for customers located in countries the Secretary of the Treasury (the “Secretary”) determines to be of “primary money laundering concern.” If so, additional verification procedures may be required.  In addition, for example, individuals and certain types of business entities, such as closely held corporations, may pose greater risks than institutional investors.

A mutual fund’s CIP need not include procedures for verifying identities of persons whose transactions are conducted though an omnibus account. 

A mutual fund’s CIP may include procedures that specify when the fund will rely on performance by another financial institution of any procedures of the fund’s CIP and thereby satisfy the mutual fund’s obligations under the Rule.  Reliance is permitted if a customer of the mutual fund is opening, or has opened, an account or has established a similar business relationship with the other financial institution to provide or engage in services, dealings, or other financial transactions.

In order for a mutual fund to rely on the other financial institution:

(1) such reliance must be reasonable under the circumstances,

(2) the financial institution must be subject to a rule implementing the anti-money laundering compliance program requirements of 31 U.S.C. 5318(h) and be regulated by a Federal functional regulator, and

(3) the other financial institution must enter into a contract with the mutual fund requiring it to certify annually to the mutual fund that it has implemented an anti-money program and will perform (or its agent will perform) the specified requirements of the mutual fund’s CIP.

Because mutual funds typically conduct their operations through third parties, which may or may not be affiliated, some elements of the CIP should probably be performed by those third parties.  A mutual fund may contractually delegate parts of its CIP to a service provider such as a transfer agent. However, the mutual fund will remain responsible for assuring compliance with the CID Rule. As such, the mutual fund must actively monitor the operation of its CIP program and assess its effectiveness.

Required Identification Information

The CID Rule provides that a mutual fund’s CIP must require customers to provide certain specified information before an account is opened or a customer is granted trading authority over an account. The specific information includes, at a minimum, each customer’s:

(1) name,

(2) date of birth,

(3) - -(a) for an individual, the residence or business address, or,

- - - - -(b) for an individual who does not have a residence or business address, either an Army Post Office or Fleet Post Office box number or the residence or business address of next of kin or another contact individual, or

- - - - -(c) for an entity, a principal place of business, and

(4) identification number.

If the customer is a U.S. person, a U.S. taxpayer identification number (i.e., social security number or employer identification number (“EIN”)) is required.  If the customer is a non-U.S. person, a U.S. taxpayer identification number, an alien identification card number, or the number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard (e.g., driver’s license or passport) must be provided.  The term “similar safeguard” is included to permit the use of any biometric identifiers (e.g., fingerprints) in addition to, or instead of, photographs.

Mutual funds should determine whether obtaining identifying information beyond the minimum requirements might be necessary to form a reasonable belief as to the true identity of each customer.  Taking the relevant risk factors, including those discussed above, into consideration, there may be circumstances when a mutual fund should obtain additional information.  Each mutual fund is expected to include in its CIP guidelines regarding what those circumstances are and what additional information should be obtained in such circumstances.

A new business may need to open a mutual fund account before it has received an EIN.  Currently, the IRS indicates that the issuance of an EIN can take up to five weeks.  Thus, the CID Rule contains a limited exception to the requirement that an EIN be provided prior to establishing an account.  If an account is being opened for either a natural person or a non-individual (such as a corporation, partnership or trust) that has applied for an EIN, the EIN may be provided within a reasonable period of time after an account is established.  The CID Rule permits the fund to exercise discretion to determine how to confirm that a customer has filed an application for an EIN.  Follow-up procedures designed to ensure that the EIN number will be received within the period determined by the mutual fund to constitute a reasonable period of time need to be included in the CIP.

Required Verification Procedures

A mutual fund must take steps to verify some, or all, of a customer’s identifying information in order to form the requisite reasonable belief that it knows the true identity of the customer.  The mutual fund’s CIP must include procedures for verifying customer identifying information to the extent reasonable and practicable.  The verification procedures must be undertaken within a reasonable time before or after a customer’s account is opened.  The CID Rule does not require verification if a person is granted authority to effect transactions with respect to an account.

The mutual fund need not verify each piece of identifying information if it is able to form a reasonable belief that it knows the customer’s identity after verifying only some of the information.

A mutual fund may choose to place limits on the account, such as temporarily limiting additional purchases in an account until the customer’s identity is verified.  Appropriate disclosure to that effect is, however, required.  Mutual funds will, therefore, have the flexibility to use a risk-based approach to determine the timing of customer identity verification relative to the opening of an account or granting of trading authority.

A person or entity becomes a customer each time a new account with a mutual fund is opened.  However, if a customer whose identification has been previously verified opens a new account, the mutual fund would not need to follow its verification procedures again, so long as it continues to have a reasonable belief that it knows the customer’s true identity.

The CID Rule provides for two methods of verifying identifying information: through documentary and/or through non-documentary means. 

* For natural persons, suitable documents for verification include unexpired government-issued identification documents evidencing nationality or residence and bearing a photograph or similar safeguard (e.g., driver’s license, passport or state identity card). 

* For entities, suitable documents must evidence the existence of the entity, such as registered articles of incorporation, a government-issued business license, a partnership agreement or a trust instrument.

A mutual fund’s CIP needs to address both methods.  Depending on the type of customer and the method of opening an account, it may be more appropriate to use one method or the other, or both. The CIP should set forth the guidelines describing when documents, non-documentary methods, or a combination of both will be used and identify documents that will be used for verification.  These guidelines should be based on the mutual fund’s assessment of the relevant risk factors.

A mutual fund’s CIP must contain procedures that set forth the documents that the mutual fund will use for verification.  Each mutual fund will conduct its own risk-based analysis of the types of documents that it believes will enable it to verify customer identities, given the risk factors that are relevant to the mutual fund.  A mutual fund is encouraged to obtain more than one type of documentary verification to ensure that it has a reasonable belief that it knows the customer’s true identity, and to use a variety of methods to verify the identity of a customer, especially when the mutual fund does not have the ability to examine original documents.  Identity verification procedures must be based on a mutual fund’s assessment of the applicable risk factors. When the risk is heightened, additional verification methods should be utilized.

The CID Rule does not require verification of the identity of any person authorized to effect transactions in a shareholder’s account with a mutual fund, except for circumstances when a customer poses a heightened risk of not being properly identified.  In such instances, a mutual fund’s CIP must prescribe additional measures that may be used to obtain information about the identity of the individuals associated with the customer when standard documentary or non-documentary methods prove to be insufficient.  The risk that the mutual fund will not know the customer’s true identity may be heightened for certain types of accounts.  Such accounts may include accounts opened in the name of a corporation, partnership, or trust that is created or conducts substantial business in a jurisdiction that has been designated by the United States as a primary money laundering concern or has been designated as non-cooperative by an international body (such as the Financial Action Task Force on Money Laundering (FATF), whose list of non-cooperative jurisdictions is available at http://www.oecd.org/fatf/NCCT_en.htm). Therefore, the CID Rule requires that when a new account is opened in the name of an entity, a mutual fund’s CIP must address circumstances where the mutual fund will also obtain information about individuals with authority or control over the account in order to verify the customer’s identity. 

The CIP must describe non-documentary identity verification methods and when such methods will be employed in addition to or instead of, documentary verification. The CID Rule allows for the exclusive use of non-documentary methods because some accounts are opened by telephone, mail, or over the Internet.  However, even if documentary identity verification is employed, it may be appropriate to use non-documentary methods also. Ultimately, the mutual fund is responsible for employing sufficient verification methods to form the requisite reasonable belief that it knows the true identity of the customer.

The CID Rule sets forth certain non-documentary methods that would be suitable for verifying identity.  These include:

* contacting a customer after the account is opened;

* obtaining a financial statement;

* comparing the identifying information provided against fraud and bad check databases to determine whether any of the information is associated with known incidents of fraudulent behavior;

* comparing the identifying information with information available from a trusted third-party source, such as a credit report from a consumer reporting agency; and

* checking references with other financial institutions. 

The mutual fund also may wish to check whether there is logical consistency to the information provided, such as the customer’s name, street address, ZIP code, telephone number (if provided), date of birth, and social security number.  The Social Security Administration is reportedly working to develop an Internet-based system to permit the verification of social security numbers.

The CIP must require the use of non-documentary methods in certain cases. These are:

* when an account is opened for a natural person who does not meet face-to-face with a mutual fund representative;

* when a natural person is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard;

* when unfamiliar documents are presented to verify the identity of a customer;

* when the mutual fund does not obtain documents to verify the identity of a customer;

* when circumstances otherwise suggest that there is an increased risk that the mutual fund will not be able to verify the true identity of a customer through documents.

Mutual funds are encouraged (but not required) to use non-documentary methods, even when a customer has provided identification documents.
Government Lists

The CID Rule requires that a mutual fund’s CIP must include reasonable procedures for determining whether a customer’s name appears on any list of known or suspected terrorists or terrorist organizations issued by any Federal government agency and designated as such by the Treasury in consultation with the Federal functional regulators.  However, mutual funds will not have an affirmative duty under this rule to seek out all lists of known or suspected terrorists or terrorist organizations compiled by the Federal government.  Instead, mutual funds will receive notification by way of separate guidance regarding the lists that they must consult for purposes of this provision. 

The CIP’s procedures must require the mutual fund to determine whether a customer appears on a list “within a reasonable period of time” after the account is opened, or earlier if required by another Federal law or regulation or by a Federal directive issued in connection with the applicable list.

In addition, the CID Rule obligates mutual funds to follow all Federal directives issued in connection with such lists.  A mutual fund must have procedures for responding when a customer’s name appears on such a list.

Customer Notice

A mutual fund’s CIP must include procedures for providing adequate notice to customers that the mutual fund is requesting information to verify their identities.  The CID Rule provides that notice is adequate if the mutual fund generally describes the identification requirements of the CID Rule and provides notice in a manner reasonably designed to ensure that a customer views the notice, or is otherwise given notice, before opening an account.  Such notice must be provided before an account is opened or trading authority is granted.  A mutual fund may satisfy the notice requirement by generally notifying its customers about the procedures the fund must comply with to verify their identities.  If an account is opened electronically, such as through an Internet web site, electronic notice is permissible.

Lack of Verification

A mutual fund’s CIP must include procedures for responding to circumstances in which it cannot form a reasonable belief that it knows the true identity of a customer.  The CIP should specify what actions are to be taken when it cannot form a reasonable belief that it knows the customer’s true identity.  Among the matters a CIP should address are:

(1) guidelines for when an account will not be opened (e.g., when the required information is not provided),

(2) the terms under which a customer may conduct transactions in an account while the mutual fund attempts to verify the customer’s identity,

(3) when the mutual fund should place limitations on additional purchases or close an account after attempts to verify a customer’s identity have failed, and

(4) when the mutual fund should file a Suspicious Activity Report (SAR) in accordance with applicable law.

The staff of the SEC has indicated that closing an account by redeeming shares at their net asset value next calculated after the mutual fund decides to close an account is permissible if despite reasonable efforts a mutual fund is unable to verify a customer’s identity.

Mutual funds are encouraged, but not required, to adopt procedures for voluntarily filing SARs with the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”) and for reporting suspected terrorist activities to FinCEN using its Financial Institutions Hotline (866-566-3974). FinCEN’s web site, http://www.ustreas.gov/fincen, contains information on the process of reporting suspicious activities to the government. A SAR may be particularly important when a mutual fund’s efforts to verify a customer’s identity are unsuccessful.

Recordkeeping

Section 326 of the Patriot Act requires procedures for maintaining records of the information used to verify a person’s identity, including name, address, and other identifying information.  The CID Rule sets forth recordkeeping procedures that must be included in a mutual fund’s CIP.  These procedures must provide for the maintenance of all information obtained pursuant to the CIP, including records of each customer’s name, date of birth (if applicable), addresses, and identification numbers provided. 

A mutual fund’s records must maintain descriptions of any documents that were relied on to verify the identity of a customer, but need not include a copy.  Such descriptions should include a notation of the type of document, any included identification number, the place of issuance, and the issuance and expiration dates, if any.  For example, if a customer produces a driver’s license, the mutual fund must make a record that includes a description of the driver’s license that clearly indicates it is a driver’s license and includes the license number, the state of issuance, and the issuance and expiration dates on the license.

A mutual fund’s records also must include a description of the methods and results of any measures undertaken to verify the identity of a customer.  The documents generated in connection with these measures are not required to be recorded.  For example, if a credit bureau report is obtained, a description of the document must be recorded.  A mutual fund also must make and maintain a description of the resolution of any discrepancy in the identifying information obtained, rather than the documents generated in connection with these measures.  For example, if a customer provides a residence address that is different than the address shown on a credit report, the mutual fund’s record must include a description on how it resolves this discrepancy or, if the discrepancy is not resolved, how it forms a reasonable belief that the mutual fund knows the true identity of the customer, notwithstanding the discrepancy. 

The mutual fund must retain all records of identifying information about a customer for five (5) years after the date the account is closed.  The fund need only retain records of (i) descriptions of any documents relied on to verify a customer’s identity, (ii) descriptions of the methods and the results of any measures undertaken to verify a customer’s identity, and (iii) descriptions of the resolution of any substantive discrepancy discovered when verifying a customer’s identifying information, for five (5) years after the record is made.  A mutual fund may use electronic records to satisfy the requirements of the CID Rule.

Approval of Program

A mutual fund’s board of directors must approve the CIP by October 1, 2003.  A mutual fund with an AML program that the board has approved as required, must nonetheless obtain board approval of a new CIP.  The addition of the CIP is a material change that must be approved by the board.  The board must also periodically assess the effectiveness of the CIP, and receive periodic reports regarding the CIP from whomever is responsible for monitoring the mutual fund’s anti-money laundering program.

Exemptions

The Secretary and the Federal functional regulator jointly issuing the rule may by order or regulation exempt any financial institution or type of account from this regulation in accordance with such standards and procedures as the Secretary may prescribe.  The CID Rule provides that the SEC, with the concurrence of the Secretary, may exempt any mutual fund or type of account from the requirements of the CID Rule.

For additional information on this topic, you may contact Howard A. Neuman or Carol Spawn Desmond.