The Customer Identification Program (CIP) is a necessary due diligence procedure that financial organizations must complete to fulfill their Know Your Customer (KYC) obligations. The CIP establishes the basic criteria for onboarding new customers. However, businesses are flexible to customize their CIP programs.
CIP aims to detect and prevent illicit activities such as fraud, money laundering, terrorist financing, and other financial crimes. That said, it’s important to note that a CIP is only one component of a more comprehensive KYC program, which also includes customer due diligence (CDD) and ongoing monitoring.
We look into CIP, how it works, and the requirements you must meet to ensure compliance.
What is a Customer Identification Program?
A Customer Identification Program, or CIP, is a set of measures designed to verify the identity of customers. CIP is a due diligence practice that financial organizations must carry out to meet their Know Your Customer (KYC) compliance obligations.
What is CIP in Banking?
A CIP in banking includes all the procedures that banks and other financial institutions must go through to confirm the identities of their customers. The purpose of CIP programs for banks is to ensure the authenticity of customers’ identities. In brief, CIPs mandate that financial institutions determine the true identity of every customer when they open an account.
Minimal Customer Identification Program (CIP) Requirements
The general requirements of the CIP are defined in Section 326 of the USA PATRIOT Act. A Customer Identification Program should be tailored to the company’s size and nature of business and integrated into the firm’s anti-money laundering (AML) compliance program.
At the very minimum, your CIP must include the following processes:
- Identification and verification of any person who applies to open an account. This involves confirming the identity of anyone who wants to open an account with your organization. All CIP programs gather four essential pieces of information from customers, such as their name, address, date of birth, and government-issued identification number.
- Recordkeeping. This means you have to maintain detailed records of your customers and their account-opening processes. It’s crucial for regulatory compliance and helps in monitoring and auditing activities.
- Comparison with government lists. You must verify the gathered information using a combination of documentary and database verification methods. This involves checking the names of potential customers against government lists or databases, often to identify individuals or entities that might be subject to sanctions or other legal restrictions.
Companies should assess the risks associated with their customer base and service offerings based on the specific characteristics of the firm, including its size, location, and customer base.
Note: We’ll talk about all CIP requirements in more detail further in the blog post.
What is the Difference Between CIP and KYC?
KYC encompasses understanding a customer’s identity and the nature of their business activities. In contrast, CIP focuses on verifying the information provided by a customer. To put it simply, CIP is just a small part of a larger KYC program. Either way, the goal of CIP and KYC is to determine the level of risk a customer poses to the business.
This is achieved through specific processes that aren’t covered by the CIP framework, such as customer due diligence (CDD). CDD is a process where businesses or financial institutions gather information to understand their customers better, evaluate their potential risks, and ensure they are not involved in illegal activities.
Customers who are considered higher risk must undergo enhanced due diligence (EDD). This process helps the bank verify the legitimacy of the business, assess potential risks associated with the customer, and ensure compliance with KYC and AML regulations.
What Fundamental Principles Guide the Customer Identification Program (CIP)?
CIP principles and regulations are risk-oriented. That means banks and other financial institutions can be flexible when creating and executing programs tailored to their distinct risk profiles. Both FinCEN and federal bank regulators acknowledge that technology can be beneficial when creating CIPs.
The biggest shift towards technology happened because it allows customers to open a new account without needing to visit a bank branch in person. For example, AI-based compliance tools can empower banks to improve the efficiency and effectiveness of their AML compliance programs, including CIP.
Who is Subject to the CIP Rule?
The Customer Identification Program (CIP) rule applies to “financial institutions” as defined by the BSA and related regulations. This includes:
- Banks and credit unions
- Broker-dealers in securities
- Certain trust companies
- Travel agencies
- Automobile dealerships
- Real estate companies
- Loan or finance companies
- Cryptocurrency companies
- Insurance companies
- Operators of credit card systems
- Mutual funds
- Casinos and iGaming platforms
- Money services businesses (MSBs) like money transmitters and currency exchanges
- Dealers in precious metals, stones, jewels, or art
Many businesses, even if not legally obligated, establish a CIP because it enhances the customer experience and benefits their overall operations in terms of security. For example, online retailers can request additional customer information beyond what is legally required. This helps in preventing fraudulent transactions or ATO fraud, ensuring accurate deliveries, and personalizing the shopping experience.
Six General Customer Identification Program Requirements
In 2003, the Patriot Act amendment made it mandatory for CIP to be included as a component of the Bank Secrecy Act (BSA). Now, every customer identification program must adhere to six general requirements outlined in the CIP Final Rule.
CIP Final Rule mandates that companies must:
- Establish a documented CIP program.
- Collect four pieces of identifying information.
- Create identity verification processes.
- Maintain recordkeeping requirements.
- Compare customers against official government lists.
- Notify customers about the request to verify their identity.
Below, we explore CIP requirements in greater detail and how your CIP might look in practice.
1. A Documented CIP Program
A documented CIP program means that businesses must create a formal and documented plan or set of procedures outlining how they will identify and verify the identities of their customers. This plan serves as a blueprint for the organization’s compliance efforts and helps ensure consistency and thoroughness in customer identification processes.
A documented CIP program also provides a basis for internal training, auditing, and regulatory oversight to verify that the company is meeting its obligations under the rule. Considering this, it’s crucial that your company’s documentation also includes information about various risk factors. For instance, it should address situations where an individual is identified as a politically exposed person (PEP) or when they become the subject of adverse media reports.
2. Collection of Identifying Information
Your CIP should follow a set of requirements for collecting personal information during the onboarding process, both for customers and corporate clients (when checking the identities of potential business partners).
- Full name
- Date and place of birth
- Address information
- An identification number, such as the SSN, TIN, etc.
Beyond this minimum requirement, you can collect additional information. This depends on the risk factors the customer may pose. For example, many businesses collect phone number data and use phone number verification as part of their CIPs.
- Company name
- Business address
- Corporation date and issuance documents
- Ultimate Beneficial Ownership (UBO) information
- The company registration number (CRN)
3. Identity Verification Processes
The CIP rule mandates verifying the identity of new customers, but it doesn’t prescribe specific methods for this verification. As per FinCEN, a business doesn’t have to confirm every single detail of the customer’s identifying information. However, you must confirm enough information to believe you know the customer’s true identity reasonably.
According to the CIP Rule, the company’s identity verification processes must describe when it uses documents, non-documentary methods, or a combination of both methods to verify the identity of its customers.
The CIP rule suggests some examples of documents a company can use. For most individual customers, companies usually use document verification, which verifies a valid government ID with a photo, like a driver’s license or passport. But they can use other documents too, as long as they’re sure about the customer’s real identity.
Non-documentary methods can involve actions like reaching out to the customer and double-checking their identity by comparing the information they give with data from places like credit agencies or public records and databases. These databases can be ones that issue official documents managed by entities such as credit bureaus, phone carriers, and financial institutions.
You should not only collect but keep records of customer identifying information as long as that customer has an account with your company and plus five years counting from the day that account closes.
In general, companies need to keep records of the following things for five years after making the record:
- Any document used to check the customer’s identity, including details like the type of document, any identification numbers on it, where it was issued, and if applicable, the date it was issued and when it expires.
- Information about how they confirmed a customer’s identity using methods other than documents and what results they got. This is for certain customers who might need extra checks.
- How they fixed any major differences or mistakes they found while checking the customer’s information.
Furthermore, a robust CIP program means that your business should have rules in place to keep copies of the documents for various reasons, like helping with investigations into possible fraud cases.
5. Comparison With Government Lists
Your CIP program should follow steps to check if a customer is on a list of known or suspected terrorists or terrorist groups issued by a federal government agency. This list should be approved by the Treasury in consultation with the regulators.
In other words, CIP also involves checking customers against various official government lists, such as PEPs, sanctions, adverse media, or global watchlists. Individuals found on the mentioned databases indicate a higher probability of fraud or higher risk and a higher degree of scrutiny.
Comparing data with government lists isn’t a one-time thing. Keep in mind that your company must perform ongoing monitoring throughout the whole customer cycle to stay compliant and prevent fraud.
6. Adequate Customer Notice
You must have specific processes to let customers know that they need to provide information to verify their identity. The adequate notice should explain the ID requirements and be given to the customer in a way they can see it before opening their account. In a traditional way, banks do this by posting a notice in the bank’s lobby. In today’s digital way, you can show this information on your app or website.
A sample notice can sound like this for the customer: “When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask for your driver’s license or other identifying documents.”
CIP in Practice for Businesses
Collecting, verifying, and keeping records can be a hassle. At iDenfy, we do all of that and help you customize, build, and perfect your KYC compliance from scratch. With our easy integration policy and a variety of plug-ins, we guarantee that companies from various industries meet the requirements of the CIP Rule.
Streamlining your identity verification process and balancing out a seamless customer account opening process is possible. What’s best about our fraud prevention platform is that we have multiple automated tools in one place. That’s how we also help you ensure ongoing AML compliance, including real-time screening against sanctions and PEP lists, UBO checks, watchlist screening, or adverse media checks.