Are we required to delete copies of driver’s license images used to verify customer identities for online account openings? Are there any exceptions that apply under the Bank Secrecy Act (BSA)? If we are required to delete them, can we request that customers provide us with another image after account opening that we can retain? The retention of licenses or identification is currently part of our BSA policy.

Yes, we believe that you are required to delete images of driver’s licenses or personal identification cards used to verify customer identity for the purposes of online account opening. Further, we do not believe that you may request and retain those images again after account opening.

The 2018 Economic Growth, Regulatory Relief and Consumer Protection Act included the Making Online Banking Initiation Legal and Easy (MOBILE) Act, which allows financial institutions to scan driver’s licenses and personal identification cards or receive images of them during the online account opening process — but only for purposes of verifying the license’s authenticity, verifying the customer’s identity, and complying with a legal requirement to record, retain, or transmit personal information in connection with opening an account or obtaining a financial product or service. Additionally, you may use the image “as required to comply” with federal bank secrecy laws. After using the image for these purposes, financial institutions are required to permanently delete them.

FinCEN’s Customer Identification Program (CIP) regulations do not require financial institutions to retain images of driver’s licenses, although they do not prohibit this practice. Instead, the CIP regulations require that a “description of any document that was relied on” to verify identity be retained for five years after the date the account is closed. The required description must note “the type of document, any identification number contained in the document, the place of issuance and, if any, the date of issuance and expiration date.”

Because federal bank secrecy laws do not require you to record, retain, or transmit a copy of documents used to verify a customer’s identity, we believe financial institutions must delete images of driver’s licenses or personal identification cards after using them for the other specified purposes in the MOBILE Act — that is, after verifying the license’s authenticity and verifying the customer’s identity.

Unfortunately, for online account openings covered by the MOBILE Act, this means that your bank will have to comply with its CIP requirements by retaining a description of each driver’s license or personal identification card used to verify a customer’s identity, with the information specified in FinCEN’s CIP regulations, rather than simply retaining copies of those documents. In other words, the MOBILE Act makes online account opening “legal and easy” for the handful of states that prohibited banks from copying driver’s licenses or other IDs when it was enacted, but otherwise the law in fact complicates the online account opening process.

Additionally, we do not recommend requesting and retaining images of the same driver’s license after account opening. This approach would not comply with the spirit of the requirement to delete any images of driver’s licenses or personal identification cards used for online account opening.

For resources related to our guidance, please see:

  • MOBILE Act, 12 USC 1829c(b)(1) (“When an individual initiates a request through an online service to open an account with a financial institution or obtain a financial product or service from a financial institution, the financial institution may record personal information from a scan of the driver’s license or personal identification card of the individual, or make a copy or receive an image of the driver’s license or personal identification card of the individual, and store or retain such information in any electronic format for the purposes described in paragraph (2).”)
     
  • MOBILE Act, 12 USC 1829c(b)(2) (“Except as required to comply with Federal bank secrecy laws, a financial institution may only use the information obtained under paragraph (1)—

(A) to verify the authenticity of the driver’s license or personal identification card;

(B) to verify the identity of the individual; and

(C) to comply with a legal requirement to record, retain, or transmit the personal information in connection with opening an account or obtaining a financial product or service.”)
 

  • MOBILE Act, 12 USC 1829c(b)(3) (“A financial institution that makes a copy or receives an image of a driver’s license or personal identification card of an individual in accordance with paragraphs (1) and (2) shall, after using the image for the purposes described in paragraph (2), permanently delete

(A) any image of the driver’s license or personal identification card, as applicable; and

(B)   any copy of any such image.”)
 

  • FinCEN Regulations, 31 CFR 1020.220(a)(2)(ii) (“The CIP must contain procedures for verifying the identity of the customer, using information obtained in accordance with paragraph (a)(2)(i) of this section, within a reasonable time after the account is opened. The procedures must describe when the bank will use documents, non-documentary methods, or a combination of both methods as described in this paragraph (a)(2)(ii).

(A) Verification through documents. For a bank relying on documents, the CIP must contain procedures that set forth the documents that the bank will use. These documents may include:

  • (1) For an individual, unexpired government-issued identification evidencing nationality or residence and bearing a photograph or similar safeguard, such as a driver’s license or passport; and
     
  • (2) For a person other than an individual (such as a corporation, partnership, or trust), documents showing the existence of the entity, such as certified articles of incorporation, a government-issued business license, a partnership agreement, or trust instrument.”)
     
  • FinCEN Regulations, 31 CFR 1020.220(a)(3) (“The CIP must include procedures for making and maintaining a record of all information obtained under the procedures implementing paragraph (a) of this section.

(i) Required Records. At a minimum, the record must include:

  • (A) All identifying information about a customer obtained under paragraph (a)(2)(i) of this section;
     
  • (B) A description of any document that was relied on under paragraph (a)(2)(ii)(A) of this section noting the type of document, any identification number contained in the document, the place of issuance and, if any, the date of issuance and expiration date;
     
  • (C) A description of the methods and the results of any measures undertaken to verify the identity of the customer under paragraph (a)(2)(ii)(B) or (C) of this section; and
     
  • (D) A description of the resolution of any substantive discrepancy discovered when verifying the identifying information obtained.

(ii) Retention of records. The bank must retain the information in paragraph (a)(3)(i)(A) of this section for five years after the date the account is closed or, in the case of credit card accounts, five years after the account is closed or becomes dormant. The bank must retain the information in paragraphs (a)(3)(i)(B), (C), and (D) of this section for five years after the record is made.”)