Auto dealerships and lenders are likely familiar with “know your customer” requirements, which typically involve obtaining identification information from customers and verifying that information.
Most lenders are also likely familiar with Customer Identification Program (CIP) requirements. This may be because they have worked with or for an institution subject to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network’s (FinCEN) regulations requiring that such a program be established as part of a Bank Secrecy Act and Anti- Money Laundering Program (BSA/AML Program), or because they have opened an account with an institution required to establish such a program and received an account opening notice. Such notices begin with the following disclosure:
“To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account.
What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.”
At a high-level, institutions that are required to have a CIP must “develop risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable.” That program must include procedures for: identifying the information that will be obtained from each customer; verifying the customer’s identity using the information obtained; confirming whether the customer appears on governmental lists of known or suspected terrorists or terrorist organizations; and notifying each customer that the institution is requesting information to verify their identity.
It is common, however, for participants in the financial services space, including the automobile finance market, to believe they are subject to FinCEN’s CIP requirements, when in fact they have limited scope. Banks are required to have a BSA/AML program, including a CIP. Other participants in the automobile finance market, however, generally do not. Notably, certain non-bank loan or finance companies are required to have BSA/AML programs, but not aCIP. In addition, the loan or finance companies currently required to have BSA/AML programs are limited to residential mortgage originators and residential mortgage lenders. As a result, large segments of the auto finance industry are not covered by FinCEN’s CIP requirements.
This lack of a CIP requirement does not mean, however, that you do not need to know your customer. First, everyone, including auto dealerships and finance companies, is prohibited from doing business with certain specially designated nationals and blocked persons found on Office of Foreign Assets Control (OFAC) lists. In addition, participants in the auto finance industry, including dealerships extending credit, are required to develop and implement a written identity theft protection program designed to detect, prevent and mitigate identity theft. Also known as a “red flags” program, this will have elements of a customer identification and verification program. In addition, reliably identifying that your customer is who they purport to be allows appropriate credit underwriting; ensures you obtain a consumer report about the right person and have a permissible purpose to obtain that report; mitigates against potential losses due to fraud; and helps ensure you do not inadvertently violate other laws. Finally, a downstream market participant subject to FinCEN’s CIP requirements, like a bank, may contractually impose elements of its CIP on an originating dealer under an indirect installment sales transaction.
As a result, even non-banks need to know their customers and will obtain many of the same data elements that banks are required to obtain and verify as part of their CIP. While obtaining this information and notifying customers regarding why the information is being obtained, non-bank market participants should exercise caution.
For example, while there are legitimate and prudent reasons that a non-bank may obtain and verify customer information, it is not doing so because federal law requires it to assist in the fight against funding terrorism. As such, a non-bank should not misrepresent the reason and purpose for which customer information is being obtained.
Auto dealers and lenders should therefore understand why they are obtaining information about their customers, in part, so they do not make misrepresentations to their customers regarding those reasons.
Jeff Barringer is a member in McGlinchey’s Consumer Financial Services Compliance practice group based in Albany, N.Y. He advises financial services providers in connection with establishing and maintaining effective and compliant financing programs.