The Customer Identification Program (CIP) is a process financial institutions follow to verify the identity of their customers. This program is mandated by the USA PATRIOT Act and the Bank Secrecy Act to prevent illicit activities such as money laundering and terrorist financing.

CIP is an important measure for financial institutions to ensure the security of their operations and prevent financial crime. It requires financial institutions to verify customer identification information, such as name, address, date of birth and government-issued identification number, before opening an account. CIP is also important for an institution’s anti-money laundering (AML) program, as it helps the institution comply with various regulatory requirements. Let’s delve into the details of the CIP process.

  • Verification of customer identity

CIP-compliant financial institutions must verify each customer’s identity using trusted and independent data sources. They can use different methods to do so, such as government-issued identification documents, utility bills, credit reports, and other reliable information. Additionally, financial entities are bound to verify the customer’s identity within a specific time after opening the account, usually within five business days. If the business is unable to verify the customer’s identity or notices a risk, it must close the account.

  • Risk assessment

Financial institutions should conduct a risk assessment to determine the level of risk associated with each customer’s identity based on their past transactions and legal activities. Also, they must have a risk-based approach in place to determine the level of CIP required for each customer. High-risk customers require more in-depth customer due diligence, while low-risk customers require less.

  • Record keeping

The customer identification program requires financial businesses to maintain accurate records of CIP, the techniques used to verify the customer’s identity, and the results of their background checks. They must also keep records of any suspicious activity reports (SARs) filed in connection with the customer’s account and retain these records for at least five years after closing the account.

  • Training and oversight

Organizations must train their employees to detect and report suspicious activities and provide regular training to keep them up to date with regulatory changes. They must also have oversight procedures in place to track the impact of the CIP process and ensure compliance with regulatory requirements. The board of directors or senior management should also approve the CIP process and monitor its implementation.

Penalties for non-compliance

Failure to comply with CIP requirements can result in severe penalties, including heavy fines, regulatory sanctions, and reputational damage. Businesses must ensure they have adequate controls in place to comply with regulatory requirements to mitigate financial crime risks.

Best practices for implementing an effective CIP

Financial institutions can adopt the following best practices to carry out a successful customer identification program:

  • Create written CIP policies and procedures that comply with regulatory requirements and ensure they are communicated to all relevant employees
  • Use risk-based customer due diligence to determine the adequate level of CIP required for each customer and update it often
  • Train employees to identify and report suspicious activities, provide regular training to keep them updated with regulatory changes, and maintain training records
  • Conduct independent testing and review of the CIP program to ensure its effectiveness and compliance with regulatory requirements
  • Use advanced technologies to automate the CIP process, reduce manual errors and enhance customer experience

Customer identification program requirements

A customer identification program (CIP) requires financial institutions to “establish risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable.” CIP requirements stem from U.S. federal regulations, including the Bank Secrecy Act of 1970 (BSA), which requires financial institutions to assist U.S. government agencies in detecting and preventing money laundering. Compliance with the BSA includes financial institutions maintaining a Customer Identification Program to prove that the identities of new customers have been verified at account opening.

The current requirements for CIP were codified into law with the signing of the USA PATRIOT Act in 2001, requiring all financial institutions to have a CIP appropriate to their size and business.

CIP requirements include:

  • Collecting customer information: Minimum customer information includes a name, date-of-birth, address, and a taxpayer identification number. A U.S. citizen’s social security number can serve as the taxpayer identification number. A government-issued photo ID is typically considered acceptable for a non-U.S. person. Each organization’s policy should address the types of identification accepted for identity verification.
  • Implementing identity verification procedures: A financial institution must be able to form a reasonable belief that it knows the customer’s true identity. However, CIP requirements do not mandate specific verification procedures to ensure this process. The two forms of verification acceptable to regulators are non-documentary verification and documentary verification.
  • Comparing with government lists: Institutions must confirm that the customer is not included on any sanctions list of known or suspected terrorists or terrorist organizations issued by any federal government agency.
  • Keeping written records: All information obtained during the identity verification process must be collected and maintained in written records. Necessary information includes all identifying data, a description of any document used for identity verification, an explanation of the methods and the results of any measures undertaken to verify the customer’s identity and the resolution of any substantive discrepancy discovered while verifying the identifying information obtained.
  • Retaining records: Customer data must be retained for five years after the closing of a bank account. For credit card accounts, the data must be stored for five years after the account is closed or becomes dormant.
  • Providing customer notice: Customers reserve the right to receive adequate notice that the bank is requesting information to verify their identities, and the process for providing notice should be documented by the bank.

How does a customer identification program relate to KYC?

CIP and KYC are both related to federal financial regulations designed to protect institutions against fraud, corruption, money laundering, and terrorist financing. CIP is the legal requirement for financial institutions to verify information provided by a consumer as outlined in the USA PATRIOT Act, whereas KYC is a more comprehensive view of customer risk. CIP is the start of the journey and KYC continues throughout the customer relationship. The law does not require that CIP re-occur but KYC must continue.

CIP is the first step in an effective KYC program, collecting and verifying customer information to establish a reasonable belief that the customer exists and is who they say they are. After completing CIP, a KYC program then includes a Customer Due Diligence (CDD) process to ensure that a customer is trustworthy and suitable to do business with. Finally, ongoing monitoring is required to identify the emergence of unusual activities or changes for existing customers.

Who is subject to the customer identification program rule?

Under section 326 of the USA PATRIOT Act, all financial institutions must comply with the customer identification program rule, including but not limited to:

  • Commercial banks
  • Agencies and branches of foreign banks in the U.S.
  • Thrifts
  • Credit unions
  • Private banks
  • Savings associations
  • Trust companies
  • Brokers and dealers in securities
  • Investment companies
  • Futures commission merchants
  • Insurance companies
  • Travel agents
  • Pawnbrokers
  • Dealers in precious metals
  • Check-cashers
  • Casinos
  • Telegraph companies
  • Certain non-federally regulated banks

Is CIP required for any organization types not on the list above?

CIP is not required under the law for non-regulated entities; however, there is certainly value in protecting customers, users, and the business from identity takeover, synthetic identity, and other issues. In most non-regulated entities, it is a matter of customer safety and security as opposed to a requirement under the law.

What is the difference between customer due diligence (CDD) and customer identification program (CIP)?

CDD and CIP are both integral components of an effective KYC program. CIP is the first step of KYC, designed to verify a customer’s identity and establish a reasonable belief that the customer exists and is who they say they are. After CIP is completed, the CDD program can commence. CDD ensures that a customer is trustworthy and suitable to do business with. The main difference between CIP and CDD is that CIP focuses on verifying the identity of new customers, while CDD focuses on the risk of the consumer and the types of transactions they desire to perform. Three different levels of CDD can be leveraged based on the risk of customers or transactions, including simplified due diligence (SDD), basic due diligence (BDD), and enhanced due diligence (EDD).