What is the difference between CIP and KYC? Customer Identification Program (CIP) and Know Your Customer (KYC) are both processes used to identify individuals based on their activities or information.
To verify a customer’s identity and ensure they are who they claim to be, companies must gather essential customer information and authenticate it. Companies achieve this by cross-referencing the provided information with authentic and independent identification documents. Understanding CIP and KYC requirements is crucial for businesses to comply with regulations and prevent all kinds of fraudulent activities.
We dig deeper into the differences between CIP and KYC, helping you find out when each process is applied and how to incorporate it into your business based on industry standards.
- The definition of CIP, the CIP Rule, and its requirements
- The definition of KYC and the core KYC compliance requirements
- The definition of CDD, CIP due diligence, and the difference between CDD and CIP
- A more in-depth look at the main differences between CIP and KYC
- Additional info about the CIP verification process and its types
- Required steps to complete an effective KYC program
- CIP and KYC with automation
What is CIP?
A Customer Identification Program (CIP) is a mandatory requirement of the USA Patriot Act, which was introduced in 2003. CIP outlines the minimum measures that financial institutions must take to establish a “reasonable belief” that they know the true identity of each customer.
CIP’s primary objective was to address issues related to money laundering and the financing of terrorism. Currently, this framework mandates that companies must verify their users during the customer onboarding process and later on for ongoing monitoring purposes.
The CIP Rule
As per guidance from the Federal Deposit Insurance Corporation (FDIC), the CIP Rule consists of six fundamental elements:
- Establishment of a written program.
- Collection of four key pieces of identifying information from customers (their name, date of birth, address, and identification number).
- Implementation of identity verification procedures.
- Maintenance of records related to customer identification.
- Regular comparison of customer information with government lists.
- Providing customers with appropriate notice regarding the CIP requirements.
Companies, even if not legally obligated to establish a CIP program, choose to do so voluntarily due to security advantages.
Entities Subject to the CIP Rule
The CIP Rule mandates that any business classified as a financial institution under the Bank Secrecy Act (BSA) must comply with its requirements. Some popular examples include banks, lenders, credit unions, brokerage firms, or savings associations, as well as other companies like cryptocurrency exchanges or gambling platforms.
Violations of regulations under the BSA, encompassing CIP compliance, can lead to severe penalties or even imprisonment for up to five years.
What is KYC?
Know Your Customer (KYC), also referred to as customer due diligence or know your client, involves the verification of the identities of current or future customers and evaluating the potential risks associated with conducting business with them.
“KYC” means that financial institutions and other obliged entities must:
- Confirm the customer’s identity.
- Understand the nature of the customer’s activities, with a primary focus on verifying the legitimacy of the source of the customer’s funds.
- Evaluate the potential money laundering risks linked to the customer, enabling the monitoring of their activities.
The goal of KYC compliance is to detect customers that would potentially be harmful to your business. This process is crucial for preventing the misuse of your company’s services. Companies conduct KYC during the account opening process and periodically re-verify customers based on their risk profiles.
KYC Compliance Requirements
KYC regulations were introduced through FINRA Rule 2090. Even though these requirements can differ based on each jurisdiction, KYC generally encompasses three core risk-based approaches aimed at preventing money laundering, identity theft, and other types of financial fraud.
The three main KYC requirements include:
- Establishing a customer identification program, which gathers and verifies key identifying details like the person’s name, date of birth, address, and identification number.
- Conducting customer due diligence (CDD), which obliges evaluating customer risk through the verification of customer identities, the creation of risk profiles, and ongoing monitoring of both customers and their transactions.
- Monitoring customers and reporting any suspicious activities to FinCEN and other law enforcement agencies.
What is the Difference Between CDD and CIP?
Customer due diligence (CDD) is the process that businesses use to evaluate customer risk. In contrast, a customer identification program (CIP) is designed to verify the identities of both new and existing customers. Both CDD and CIP are crucial components of the broader KYC framework.
In short, a customer identification program involves a set of procedures that a business must create and stay compliant with in order to confirm the identity of its customers or users. CDD, by contrast, refers to a process tailored to evaluate customer risk.
What Does CIP Due Diligence Mean?
CIP due diligence essentially signifies that a business has gained a clear understanding of the true identity of a customer. Typically, that’s established through a combination of ID verification methods, including document verification, database cross-referencing, and biometric verification.
CIP vs KYC
CIP is a mandatory component of the AML compliance program under the BSA. It applies mainly to financial institutions operating in the US, while KYC is a set of regulatory frameworks employed on a global scale by various businesses.
However, KYC can include all the elements of CIP, along with CDD and various ongoing procedures. The main difference between CIP and KYC lies in their focus and scope within the broader realm of customer identity verification and risk assessment:
1. CIP (Customer Identification Program)
- CIP primarily centers on the verification of the customer’s identity.
- It’s concerned with confirming the true identity of customers, often during the account opening process.
- CIP helps establish a reasonable belief that the company knows the customer’s true identity.
2. KYC (Know Your Customer)
- KYC has a broader focus that encompasses not only identity verification but also assessing the overall risk associated with the customer.
- It helps gather and analyze a range of data about the customer, including their identity, transactions, and risk profile.
- KYC aims to understand the customer better, assess their potential risks, and ensure that the company can effectively manage and monitor the customer relationship over time.
What is the CIP Verification Process?
Companies conduct the CIP verification process to guarantee that customers are indeed the individuals they claim to be. That said, your CIP verification should incorporate risk-based procedures designed to verify the identity of every customer to the extent that’s reasonable.
There are two primary approaches to CIP verification:
- Documentary methods. They involve comparing information from documents like IDs, passports, or driver’s licenses with data from authoritative databases.
- Non-documentary methods. Such measures check Personally Identifiable Information (PII) against globally recognized issuing authorities and other databases to ensure authenticity.
That said, the CIP verification process must follow the CIP rule. Other than that, the company can have the flexibility to determine whether an alternative document could effectively fulfill the verification process. However, to reduce the risk of approving individuals with fake and stolen documents, most companies tend to request multiple forms of identification, such as an additional selfie verification check.
When the business can’t obtain and verify the provided document or in cases when the customers can’t provide the requested documents for CIP verification, companies can use non-documentary methods. In such scenarios, businesses can reach out to the customer, cross-reference the provided data with public databases, or request financial statements from the customer.
What Components Complete the KYC Program?
As a business, accurate customer identification is absolutely vital. Therefore, establishing and implementing an effective KYC program means that obliged entities must have the following elements:
#1 Customer Identification Program
This is the process described above, which companies conduct via documentary and non-documentary methods. It’s important to note that when collecting personal information during the account opening process, the company is required to verify the account holder’s identity within a reasonable timeframe.
Naturally, just like other rules to prevent money laundering, you can’t just follow them without instructions. They should be explained and written down to guide your internal teams and help regulators understand how your company is following the requirements.
The specific rules can vary based on how careful the company or the financial institution wants to be and can take into account factors such as:
- What kinds of accounts they offer.
- How they open accounts.
- What kinds of personal info customers give to identify themselves.
- How big the entity is, where it’s located, and who its customers are.
- The types of customers they have and what services they use in different places.
#2 Customer Due Diligence
After verifying the customer’s identity, the company must then conduct due diligence to assess the reliability and trustworthiness of that individual. CDD plays a pivotal role in efficiently managing risks and safeguarding against individuals such as criminals or Politically Exposed Persons (PEPs) who may pose a threat.
CDD helps you perform background checks to determine the customer risk level. Here are the three levels of due diligence:
- Simplified Due Diligence (SDD) comes into play when the risk of fraud or theft is minimal. In such cases, identity document verification is not mandatory. This approach is only employed when the customer presents a very low or negligible risk of fraud.
- Standard Customer Due Diligence (CDD) involves gathering information from all customers to confirm their identity and evaluate the associated risks.
- Enhanced Due Diligence (EDD) consists of gathering extra information for customers who pose higher risks. This helps gain a deeper insight into their activities and reduces associated risks. Certain customers carry an elevated risk of involvement in fraudulent activities. This risk can come from a criminal record, or they might be a PEP or a sanctioned person who’s more susceptible to blackmail or bribery.
Additionally, you need to maintain records of all CDD/EDD conducted on every customer, including potential customers, as a mandatory measure for regulatory audits.
When to Conduct EDD?
You must also determine which customers actually need to go through EDD. This assessment can be an ongoing process because existing customers may shift into higher-risk categories over time. For this reason, conducting periodic due diligence evaluations on existing customers can be valuable.
These are the main factors to consider when determining the need for EDD:
- The person’s location
- The person’s occupation
- The nature of the transactions involved
- Expected methods of payment
- Anticipated patterns of activity in terms of transaction types, dollar values, and frequency
#3 Ongoing Monitoring
If you think that a single check during the account opening process is enough, you’re wrong. Since even honest customers might change over time, you must establish a robust fraud prevention program for continuous customer monitoring. This entails keeping an eye on financial transactions and accounts, guided by thresholds set according to the customer’s risk profile.
Some red flags in customer behavior include:
- Unusual spikes in activities, such as transfers of larger amounts than usual
- Activities outside the typical geographical region or unusual cross-border transactions
- A sudden listing on sanctions lists, or transactions with anyone on a criminal or sanctions list
- Negative mentions in the media (adverse media)
Typically, the extent of monitoring is determined based on a risk assessment. That means you must follow a risk-based approach, which focuses on tailoring measures to effectively mitigate the specific risks a financial institution may face. That said, companies operate within diverse environments. That’s why a risk-based approach cannot be a one-size-fits-all process for all regulated entities.
However, when a customer engages in suspicious activities, you can be obliged to file a Suspicious Activity Report (SAR). At the very least, banks should maintain up-to-date risk reports to illustrate the financial and legal risks they are exposed to and the measures they have implemented to counter unlawful activities.
Automated CIP and KYC Processes
If you want to onboard your customers safely and swiftly, you should use automated CIP and KYC processes. AI-powered identity verification and fraud prevention tools help you comply with AML/BSA requirements, ensure accurate due diligence, determine risk scores, and conduct ongoing monitoring with real-time red flags without any hassle.
You’ve guessed it — iDenfy can assist you in automating your CIP and KYC procedures with fair and completely transparent pricing. Our team of internal KYC specialists double-checks each verification result to ensure accuracy 24/7. What’s even better is that our plugins and APIs make it easy for you to create a customized and user-friendly KYC process without the need for extensive coding.