Customer Identification Program
Table of Contents
I. In a Nutshell: What is the Customer Identification Program?
II. Why does the Customer Identification Program exist?
III. The Details: Customer Identification Program Requirements & Compliance
IV: How does the Customer Identification Program affect your business?
V: Customer Identification Program Information Resources
In a Nutshell: What is the Customer Identification Program?
The Customer Identification Program, or CIP for short, requires that financial institutions, such as banks, take the appropriate steps to have the reasonable belief that all customers who enter into a formal banking relationship with them are who they say they are. The requirement went into effect on June 9, 2003, is implemented through Section 326 of the Patriot Act, and is a mandatory Bank Secrecy Act (BSA) compliance element. The CIP is also commonly referred to as the ‘know your customer’ program.
Why does the Customer Identification Program exist?
The Customer Identification Program was enacted as a mandatory component of the Bank Secrecy Act via an amendment implemented through the Patriot Act. Prior to June 9, 2003, the Bank Secrecy Act did not have a CIP component.
The Patriot Act amended the Bank Secrecy Act to include a requirement for financial institutions to essentially make sure that their customers are who they are say are, in order to prevent, detect, and prosecute international money laundering and the finance of terrorism. In other words, financial institutions are responsible for ensuring that financial transactions that they conduct do not directly, indirectly, or unknowingly stem from a risky customer.
The rationale is that by preventing customers who are deemed risks from conducting financial transactions, international money laundering and the finance of terrorism can be effectively prevented, at least through US financial institutions. After all, who would use their real identity, especially if their deal identity was already deemed suspicious, to facilitate transactions that can ultimately be tied to money laundering or the finance of terrorism? Chances are - in order to facilitate these types of transactions - criminals will use stolen or fake identities.
And in this modern age of regular, massive data breaches, stolen/fake identities are aplenty1, which makes CIP regulation compliance more important than ever.
The Details: Customer Identification Program Requirements & Compliance
Financial institutions need to comply with CIP regulations whenever a customer opens a new account: when a customer opens an account, the customer’s identity needs to be authenticated in such a way that the financial institution has a reasonable belief that customer’s identity is true and valid.
A financial institution is an entity, such as a bank, that provides financial services, such as opening a checking account.
A customer is one who opens a new account or opens a new account on behalf of another individual (who lacks the capacity to do so) or entity, and can be:
- an individual
- a corporation
- a partnership
- a trust
- an estate
Customers are not:
- A person who ultimately does not enter into a formal banking relationship with a financial institution; i.e. a person whose loan application was denied
- An existing customer whose identity has given the financial institution the ‘reasonable belief’ to be true
- Federally regulated banks
- Banks regulated by a state bank regulator
- Governmental entities
- Publicly traded companies
Opening a new account is defined as the establishment of a formal banking relationship between a customer and a financial institution in which the financial institution provides or engages in services, dealings, or other financial transactions, including:
- opening a deposit account
- opening a transaction or asset account
- opening a credit account
- obtaining an extension of credit
- opening a safe deposit box
- cash management services
- financial custodian services
- financial trust services
Opening an account does not include the following types of financial transactions:
- Products and services provided by the financial institution that does not require the establishment of a formal banking relationship with the customer. Such transactions include:
∙ Check cashing
∙ Funds transfer
∙ The sale of a check or money order - The acquisition of single or multiple accounts from the purchase of assets, acquisition, merger, or assumption of liabilities
- The opening of an account for the purposes of participating in an employee benefit plan that is established under the Employee Retirement Income Security Act of 1974
Once it has been determined that a customer is opening a new account with a financial institution, there are six minimum requirements that need to be met in order for said financial institution to comply with CIP:
- A written, customized CIP
- The collection and record of 4 pieces of identifying information per customer:
∙ Name
∙ Address
∙ Date of Birth
∙ Identification Number - Identity verification procedures
- Recordkeeping procedures
- Comparison procedures with government lists
- Customer notification
*To be clear, each financial institution has its own CIP; this CIP needs to follow the federal CIP regulations mandated within the BSA. The federal CIP regulations set a minimum standard for the six requirements that each financial institution needs to meet in order to be compliant. These minimum requirements help ensure that even smaller financial institutions can incorporate a CIP that is appropriate for its size and the types of transactions with which it deals, and to fully meet federal CIP regulations.*
The six requirements are explained in further detail below.
Requirements of a written, customized CIP
There are 2 major overarching requirements that need to be met by each financial institution’s CIP:
- The CIP needs to be appropriate for its size and type of financial institution
- The CIP needs to be incorporated into its BSA compliance procedures
The goal of this program is to make sure that the financial institution can establish a ‘reasonable belief’ that each customer’s identity is true. In order to establish this ‘reasonable belief’, each CIP is required to include the following:
- A list of the identifying information that will be collected from each customer when an account is opened
- A list of the reasonable and practical risk-based procedures that will be used to ascertain the identity of each customer using the information that is collected
Each financial institution has to consider their own characteristics – their customer base and their product offerings – in order to product a list of risk-based procedures that is both reasonable and practical. These procedures need to consider:
- the types of accounts offered by the bank
- the methods used to open accounts
- the types of identifying information that are able to be collected
- the financial institution’s size, location, and the types of products and services used by their customer base
What is an Identification Number?
The type of identification number needed depends on whether or not a customer is a “U.S. person” or a “non-U.S. person”.
- U.S. person: a person who is a United States citizen, either by birth or naturalization; a person who has a US green card; a person who has political asylum in the US
- Non-U.S. person: any person who does not have any of the statuses listed for a “U.S. person”
The identification number needed for a U.S. person is the:
- Tax identification number2
The identification number for a non-U.S. person needs to be one of the following:
- Tax identification number2
- Passport number and county of issuance
- Alien ID card number
- Number and country of issuance of any other government-issued document that:
∙ evidences nationality of issuance
∙ bears a portrait photograph or a similar safeguard
Identity Verification Procedures
Financial institutions need to have procedures in place on how to verify the identity information collected on each customer. Verification procedures should be done within a reasonable amount of time from the opening of the account.
The procedures should allow the financial institution to verify enough of the identity information that a reasonable belief can be formed about the true identity of a customer. In other words, customer identity verification procedures are not required to verify each and every piece of identity information collected – the only requirement is to check as much identity information as needed to establish the reasonable belief.
There are two methods on how identity information can be verified:
- Using documents
- Using non-documentary methods
The procedures can use either documents, non-documentary methods, or a combination of both to verify identities.
• Documents Needed to Verify Individual Customers:
- An unexpired government-issued identification document that lists nationality/residence and bears a photograph (or similar safeguard) of the individual, such as:
∙ Driver's license
∙ Passport
• Documents needed to Verify Entities, such as a corporation:
- A document that evidences the existence of the entity, such as:
∙ Certified articles of incorporation
∙ Government-issued business license
∙ Partnership agreement
∙ Trust instrument
• Verifying Identity via Non-Documentary Methods:
- Contacting the customer
- Comparing identity information with identity information obtained from a consumer reporting agency, public database, or another source
- Checking with any other financial institution given as a reference
- Obtaining a financial statement
• Non-documentary methods need to be able to address the following situations:
- An individual is unable to present government-issued identification as described above
- Identity documents presented by the individual are not familiar
- An account is opened without obtaining proper identity documents
- An account is opened without the physical presence of the customer
- Any situation in which the risk of being unable to verify the true identity of a customer is increased
There are situations in which a customer’s identity will not be able to be verified. In such incidents, financial institutions need to have procedures in place in order to know how to respond. These procedures need to be established for the following situations:
- When the financial institution should not open an account
- When a customer can use an account while the financial institution attempts to verify the customer’s identity
- When the financial institution should close an account
- When the financial institution should file a Suspicious Activity Report
Recordkeeping Procedures
A record of all information collected on a customer needs to be maintained and retained for at least five years after the closing of the account. The following is the information that is needed to be collected for the record:
- Identifying information about the customer
- A description of any identity documents presented that also lists:
∙ any identification number(s) on the document
∙ the place of issuance
∙ the date of issuance and/or the expiration date - A description of the methods used to verify the true identity of the customer as well as the methods’ results
- A description of any substantive discrepancies discovered during the verification process and how they were resolved
Comparison Procedures with Government Lists
The purpose of comparing customer identity data with government lists is to determine whether or not the customer is on a government list as a known or suspected terrorist or a member of a terrorist organization. These lists are procured and issued by the U.S. Treasury in conjunction with federal banking regulators. Once these lists are issued, financial institutions are required to use the lists as comparisons for customer identity information.
Customer Notice
There needs to be adequate notice given to customers that opening an account means certain identity information will be collected and used to verify customer’s identities. The notice needs be reasonably designed such that customer have the opportunity to view/receive the notice before an account is opened. The following are examples of acceptable notice locations:
- posted in the lobby
- posted on the financial institution’s website
- written within loan application documents
How does the Customer Identification Program affect your business?
Unless your business is not one of the types of financial institutions listed below, CIP regulations do not apply to you. In other words, you are not required to have a Customer Identification Program and are not affected by CIP regulations.
The following types of financial institutions need to comply with CIP regulations:
- Commercial Banks
- Foreign banks that have agencies/branches within the United States
- Certain non-federally regulated banks; i.e. private banks
- Savings associations
- Credit unions
- Thrifts
- Trust companies
- Securities brokers and dealers
- Investment companies
- Futures commission merchants
- Insurance companies
- Travel agents
- Pawnbrokers
- Dealers in precious metals
- Check-cashers
- Casinos
- Telegraph companies
Customer Identification Program Information Resources
Much of the CIP rules and regulations have been covered, but there are certain details that are too nuanced to sufficiently address here.
- For more information about the CIP and its requirements, please refer to this PDF on the Federal Deposit Insurance Corporation (FDIC) website
CIP-related Blog Posts
- BSA/CIP Client Identification and Verification Requirements
- ID Verification: Red Flags and Customer ID Programs
1 Read our blog post about modern-day data breaches to see just how problematic they are. Click here to read the post.
2 A Tax Identification Number can apply to both U.S. persons and non-U.S. persons. There are five different types of Tax Identification Numbers: the Social Security Number (SSN), the Employer Identification Number (EIN), the Individual Taxpayer Identification Number (ITIN), the Taxpayer Identification Number for Pending U.S. Adoptions (ATIN), and the Preparer Taxpayer Identification Number (PTIN). The EIN, ITIN, ATIN, and PTIN can be issued to non-U.S. persons.
Learn more about:
Want To Protect Your Business From Fraud?
Our team of fraud prevention specialists is here to guide and provide support for all your fraud prevention needs!