PDF NERC Reliability Standard CIP-014-1 Requirement 5 Practices Guide (C) Additional verification for certain customers. CIP requirements for businesses are governed by the CIP policy of a financial institution but will typically include documentary verification that establishes proof of existence of the entity. A: Some financial institutions are choosing to not open accounts that are not opened face-to-face. That said, the policy of a financial institution will dictate the actual requirements for the CIP requirements for POAs. (2) For a person other than an individual (such as a corporation, partnership, or trust), documents showing the existence of the entity, such as certified articles of incorporation, a government-issued business license, a partnership agreement, or trust instrument. What companies must have CIPs? However, you do not have to perform the same level of verification on all account owners. What about PODs (payable on death) or other beneficiaries? A: The CIP requirements do not apply to guarantors, persons listed as a POD or other beneficiaries, as they are not customers as defined in the final rule. Q2: What about non-profit organizations such as churches, Lion's Club, Rotary, etc. 1786(q)(1) must implement a written Customer Identification Program (CIP) appropriate for the bank's size and type of business that, at a minimum, includes each of the requirements of paragraphs (a)(1) through (5) of this section. Unless your bank has a policy requirement that all customers provide you with a current physical address, I see no reason to close out the account of a customer who prefers not to provide one, nor can I imagine why you'd need to stop mailings.
8 For an individual: a residential or business street address, or if the individual does not have such an address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, the residential or business street address of next of kin or of another contact individual, or a description of the customer's physical location. (i) Customer information required (A) In general. Required logging of specific events is identified, alert requirements are defined based on event type, and log retention requirements and review of those logs are covered. For example, in the State of Oklahoma ("State"), the State issues the same post office box number to all participants in its ACP. 1. (B) Exception for persons applying for a taxpayer identification number. Must we obtain new identification after the expiration date of the current document? A: No. Physical Address Requirement for CIP. And the testing and maintenance program of this standard requires entities to test electronic Physical Security Perimeter on an annual basis. Finally, these FAQs have been designed to help banks comply with the requirements of the CIP rule. (2) The bank's non-documentary procedures must address situations where an individual is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard; the bank is not familiar with the documents presented; the account is opened without obtaining documents; the customer opens the account without appearing in person at the bank; and where the bank is otherwise presented with circumstances that increase the risk that the bank will be unable to verify the true identity of a customer through documents. The goal is a physical address at which a person can be found. The procedures must also require the bank to follow all Federal directives issued in connection with such lists.
PDF Standard CIP-006-1 Cyber Security Physical Security Q15: What are the consequences of not getting all four of the required collection items? (c) Other requirements unaffected. CIP guidance is clear that non-documentary methods to verify a customer's identity are not required. Answer: The proper use of Critical Cyber Assets; R2.2.2. Reliance on another financial institution. A reasonable explanation for a discrepancy between the addresses provided by the customer and their driver's license might be that the customer has recently moved to your area for employment purposes. RECORDKEEPING Q33: Are we required to keep copies of the documents used to verify the customer's identification? A: No. BCIP. Protection of communication between control centers is the focus of CIP-012.
Next, a CIP program must verify the identity of the person opening the account. 5318(h) and is regulated by a Federal functional regulator; and. (4) Identification number, which shall be: (i) For a U.S. person, a taxpayer identification number; or. NERC CIP-014, Physical Security. FIN-2009-R003. Jamal El-Hindi The level of categorization is all about grading several BES Cyber Assets or Systems based on the degree of interruption to the power supply. Cross checking of the potential effects of the change, as it relates to other CIP standards, is required to ensure security requirements are not impacted by changes to the baseline. And any critical assets outside the boundaries of ESP must become part of the leading network via a dedicated Electronic Access Point (EAP). Answer: No, wire transfer record retention requirements and the accompanying Travel Rule (which pre-date CIP requirements by many years) do not require a physical address be obtained or sent. The NERC CIP-014 standard is the regulatory result of a significant physical security attack that happened a few years ago. This verification would most likely be accomplished through non-documentary procedures. Q3: What about informal (non-legal) organizations such as bowling teams, A: These accounts are not exempt and the new rules do apply. In regards to Power of Attorney, the regulatory agencies have stated they will issue further guidance on this issue. A major transmission substation in Central California was attacked on April 16, 2013. MISCELLANEOUS Q39: When am I required to file a Suspicious Activity Report? A: A Suspicious Activity Report may be justified if during the verification process you suspect a phony ID or identity theft. Substitute addresses are accepted by state and local agencies.
The procedures must require the bank to make such a determination within a reasonable period of time after the account is opened, or earlier, if required by another Federal law or regulation or Federal directive issued in connection with the applicable list. There is no ongoing requirement that your bank have its customer's physical address on file at all times, although you are correct in saying that a physical address is needed for proper completion of a CTR, should the need arise. The CIP must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. One challenge that financial institutions often have in understanding CIP requirements for existing customers is how CIP applies to existing customers who opened their accounts before the financial institution first established their procedures to form a reasonable belief to understand the true identity of their customers, which typically occurred in the early 2000s. The customer must provide the TIN to the bank within a reasonable time after account opening or the account should be closed. Q21: Is contact via email or cell phone a sufficient verification method? A: No. Testing in the appropriate environments, requirements for software verification and monitoring the baseline configuration for changes are addressed. What do we do? A: CIP applies to all owners of an account. Security management controls are addressed in CIP-003, and are designed to ensure that consistent and sustainable security controls are applied, based on the system categorization, to mitigate risk that could result in mis-operation or instability of the BES. Applicability: 4.1. Here, entities must prepare incident reports and create guidelines that work as a response. The CIP requirements for existing customers will first depend on a financial institution's established policy and procedures. Explanation/Purpose.
If appropriate, a bank may use the following sample language to provide notice to its customers: To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. PDF NERC Standard CIP-014, Physical Security - ISO New England Customer Identification Program Rule Address Confidentiality Programs, http://www.secstate.wa.gov/acp/aboutus.aspx. Q34: If I take a copy of the consumer's driver's license as verification for a credit transaction is it a violation of Equal Credit Opportunity (Regulation B)? A: It is not, nor has it ever been, a violation of Regulation B to photocopy identification documents. Also note that any single entity may have more than one impact level, which is why it is important to understand all applicable impact levels so that the correct standards are applied based on the categorization. When opening an account for a foreign business or enterprise that does not have an identification number, the bank must request alternative government-issued documentation certifying the existence of the business or enterprise. Here, entities are required to develop baseline configurations for Operating Systems, open-source software, custom software, network ports and implemented security patches. Summary. Regulatory Requirements for Customer Identification Programs This section outlines the regulatory requirements for banks in 12 CFR Chapters I through III and VII, and 31 CFR Chapter X regarding CIPs.