he Treasury Department has announced final rules implementing Section 326 of the USA Patriot Act, the law signed by President Bush on October 26, 2001 that provides a wide range of new tools to combat money laundering and the financing of terrorists. Included in the final rules are "important changes that increase the effectiveness of the rule while eliminating unnecessary burden on regulated institutions."

The rule requires that financial institutions develop a Customer Identification Program (CIP) that implements reasonable procedures to:

1. Collect identifying information about customers opening an account.
2. Verify that the customers are who they say they are.
3. Maintain records of the information used to verify their identity.
4. Determine whether the customer appears on any list of suspected terrorists or terrorist organizations.

The final rule also contains a provision that permits a financial institution to rely on another regulated U.S. financial institution to perform any part of the CIP. Whether you will be required to comply with these regulations will depend on your situation, but generally this information would be obtained when an individual would open up a DDA to receive the merchant's deposits and would not be required to open a merchant account with an ISO. You should check with your processor, member bank and/or legal counsel to determine what will be required in your particular situation.

As part of a Customer Identification Program, financial institutions will be required to develop procedures to collect relevant identifying information, including a customer's name, address, date of birth and a taxpayer identification number (for individuals, this likely will be a Social Security number).

Foreign nationals without a U.S. taxpayer identification number could provide a similar government-issued identification number, such as a passport number. The announced goal of what was finalized allows for taking many current and due diligence procedures already in place at most institutions and cross-applying them to Section 326.

Financial institutions should have started to conduct reviews of Section 326 compliance by doing an inventory of what is currently being done for anti-fraud measures and examining the tools used in that capacity.

Being able to cross-apply these measures is the crux of Section 326 - developing a CIP based on risk. The Feds are looking for scrutiny to be applied in varying levels depending on the amount of risk involved in not knowing your customer's identity at the opening of an account.

In other words, how comfortable are you that you know who this customer is? Are they who they say they are?

This critical underwriting question is not being asked enough by Merchant Level Salespeople and ISOs in today's "instant approval" market.

Along with not doing the card association physical inspections of the business premises of prospective merchants, too many accounts are being approved with no proof of who the person applying for the merchant account really is. This can be very risky in today's electronic world.

If you are not currently gathering this type of information during your merchant-application process, it might be a good time to start. Many processors and/or banks have required that documents verifying the identity of the principal applying for a merchant account be included in the application package; it can be a deterrent against "bust out" merchants and fraudulent "identity theft" applications.

Many vendors are including CIP enhancements to existing fraud-screening solution packages that are or will become available to sales reps. These enhancements include solutions for the fourth requirement above: determine whether the customer appears on any list of suspected terrorists or terrorist organizations. The government list can be checked along with other proprietary customer verification tools and credit reports that should be completed as part of a sound underwriting process.

ISOs and processors continue to approve merchants who should have been declined - often because of internal policies or risk parameters - without completing proper underwriting, then later terminate them for "cause" and hold funds. By doing so, they risk card association sanctions or fines for misuse of the Combined Terminated Merchant File (CTMF), FTC attention from complaining merchants and/or class-action lawsuits from affected merchants.

You need to become aware of the provisions of the Patriot Act and determine how it applies to your operation. Compliance is mandatory effective October 1, 2003.

The Patriot Act requires little more than what already should be done for sound underwriting: verifying the existence of a customer who opens up a merchant account.

David H. Press is Principal and President of Integrity Bankcard Consultants, Inc. Phone him at 630-637-4010, e-mail dhp@integritybankcard.net or visit www.integritybankcard.net.