How’s your CIP/KYC program?

The Customer Identification Program (CIP), also known as “Know Your Customer” (KYC), is a compliance component of the account opening process in which bank trustees/custodians must, put simply, ensure that the customer is who they say they are.  This is easy to do in person, face to face with the customer at a branch.  HSA providers use many different processes to run their CIP/KYC programs for accounts opened online, which for most of them is the majority of their business.  Many HSA trustees/custodians work with HSA administrators, and some pass the CIP/KYC obligation to the administrator by contract, so administrators have to follow the same rules banks do.  Below we’ve provided a compilation of myths, best practices and some benchmarking data.  We hope you can compare them to your existing practices and achieve higher pass rates on your own CIP/KYC process.

  • Running a credit score on the customer is not required to open HSA accounts and is not a required step for CIP/KYC.  While some banks do so, HSAs have low to no credit risk (depending on the product design).  As a best practice, HSA administrators should minimize or eliminate the opportunity for accounts to be overdrawn, although some banks do not because overdraft fees are a source of revenue.  Running a credit score as part of the decision process to open an HSA will create unnecessary enrollment failures and, overall, customer dissatisfaction.
  • Initial failure rates for most HSA providers run from 1% to 13% of enrollment records.  The range is quite wide, and banks that run credit scores sometimes see more than 13% of records fail to get accounts opened.  The rate varies based on many of the factors listed here: how the CIP data scoring is done, how many databases are checked, whether credit scores are used, whether the employer relationship is factored in, etc.
  • Most organizations run the eligibility/enrollment data against banking industry databases/datasets, using services from the likes of Experian, TransUnion, etc.
  • Some organizations run the data comparison first against one database and then run the failed records against a second database.  This increases the pass rates as sometimes address changes are not updated in all data sets, and the address mismatch is a common cause of failure.
  • In our experience, failures should arise primarily from OFAC or Social Security number issues; when those are the predominant issues, the failure rates end up around 1%.
  • Some companies document their processes to include the relationship the individual has with the employer who facilitated the enrollment and the fact they were already vetted by the employer.  

Some companies also have their own processes to vet the employer. We have seen issues with fake employers so it’s a good practice to verify them via Dun and Bradstreet or other methods even if they don’t open a bank account for their HSA administration. This is important for fraud prevention.

  • Some companies have their enrollment process set up so that a file from the employer with accountholder data (direct or via another party) is used to open the accounts.  Other companies get the file from the employer and chase the customer for final approvals, agreements, etc.  The practice of automatically opening accounts results in close to 100% of records having open accounts (impacted by the CIP/KYC process).  Chasing the customer yields much lower numbers, averaging 25-50% open rates (impacted by employer involvement and incentives, such as healthy employer contributions).
  • Some providers open almost all accounts (minus OFAC and bad SSN) and leave accounts with pending CIP/KYC on a “frozen” status while they chase the customer to resolve any outstanding CIP/KYC issues.  Sometimes they allow an employer to make contributions while the CIP/KYC issue is resolved. 
  • Many companies struggle with the entire process, timing and reconciliation of employer contributions, returning funds for accounts never opened or accounts that failed CIP.  Missteps and timing issues with employer contributions create work for HR and Payroll teams, impact customers, and sometimes even impact the establishment date of HSAs.

If the CIP/KYC programs are not optimized, they can create extra work and overhead, not to mention customer dissatisfaction. The CIP/KYC process should be there to ensure HSA organizations know their customers, meet their regulatory compliance burdens, confirm a prospective customer’s identity with a high degree of confidence, and assure that customers are not on any government lists of people that should not have bank accounts.  A good CIP/KYC program will have pass rates in the 90% range, and great ones will be in the 95-98% range.

If you need assistance making your process more efficient, more competitive, or more compliant, contact us.  Otherwise, we hope this helped validate your current program or gave you ideas on how you can make improvements to your program.