Customer Identification Program (CIP)

The Customer Identification Program (CIP) is a process financial institutions follow to verify the identity of their customers. This program is mandated by the USA Patriot Act and the Bank Secrecy Act to prevent illicit activities such as money laundering and terrorist financing.

CIP is an important measure for financial institutions to ensure the security of their operations and prevent financial crime. It requires financial institutions to verify customer identification information, such as name, address, date of birth and government-issued identification number before opening an account. CIP is also important for the entity’s anti-money laundering (AML) program as it helps them to comply with various regulatory requirements. Let’s delve into the details of the CIP process.

Verification of customer identity

CIP-compliant financial institutions must verify each customer’s identity using trusted and independent data sources. They can use different methods to verify identity, such as government-issued identification documents, utility bills, credit reports, and other reliable information. Additionally, financial entities are bound to verify the customer’s identity within a specific time after opening the account, usually within five business days. If the business is unable to verify the customer’s identity or notices a risk, it must close the account.

Risk assessment

Financial institutions should conduct a risk assessment to determine the level of risk associated with each customer’s identity based on their past transactions and legal activities. Also, they must have a risk-based approach in place to determine the level of CIP required for each customer. High-risk customers require more in-depth customer due diligence, while low-risk customers require less.

Record keeping

The customer identification program requires financial businesses to maintain accurate records of CIP, techniques used to verify the customer’s identity and the results of their background checks. They also must keep records of any suspicious activity reports (SARs) filed in connection with the customer’s account and retain these records for at least five years after closing the account.

Training and oversight

Organizations must train their employees to detect and report suspicious activities and provide regular training to keep them up to date with regulatory changes. They must also have oversight procedures in place to track the impact of the CIP process and ensure compliance with regulatory requirements. The board of directors or senior management should also approve the CIP process and monitor its implementation.

Penalties for non-compliance

Failure to comply with CIP requirements can result in severe penalties, including heavy fines, regulatory sanctions, and reputational damage. Businesses must ensure they have adequate controls in place to comply with regulatory requirements to mitigate financial crime risks.

Best practices for implementing an effective CIP

Financial institutions can adopt the following best practices to carry out a successful customer identification program:

  • Create written CIP policies and procedures that comply with regulatory requirements and ensure they are communicated to all relevant employees
  • Use risk-based customer due diligence to determine the adequate level of CIP required for each customer and update it often
  • Train employees to identify and report suspicious activities, provide regular training to keep them updated with regulatory changes, and maintain training records
  • Conduct independent testing and review of the CIP program to ensure its effectiveness and compliance with regulatory requirements
  • Use advanced technologies to automate the CIP process, reduce manual errors and enhance customer experience

Customer identification program requirements

A customer identification program (CIP) requires financial institutions to “establish risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable.” CIP requirements stem from U.S. federal regulations, including the Bank Secrecy Act of 1970 (BSA), which requires financial institutions to assist U.S. government agencies in detecting and preventing money laundering. Compliance with the BSA includes financial institutions maintaining a Customer Identification Program to prove that the identities of new customers have been verified at account opening.

The current requirements for CIP were codified into law with the signing of the USA PATRIOT Act in 2001, requiring all financial institutions to have a CIP appropriate to their size and business.

CIP requirements include: 

  • Collecting customer information: Minimum customer information includes a name, date-of-birth, address, and a taxpayer identification number. A U.S. citizen’s social security number can serve as the taxpayer identification number. A government-issued photo ID is typically considered acceptable for a non-U.S. person. Each organization’s policy should address the types of identification accepted for identity verification.
  • Implementing identity verification procedures: A financial institution must be able to form a reasonable belief that it knows the customer’s true identity. However, CIP requirements do not mandate specific verification procedures to ensure this process. The two forms of verification acceptable to regulators are non-documentary verification and documentary verification. 
  • Comparing with government lists: Institutions must confirm that the customer is not included on any sanctions list of known or suspected terrorists or terrorist organizations issued by any federal government agency. 
  • Keeping written records: All information obtained during the identity verification process must be collected and maintained in written records. Necessary information includes all identifying data, a description of any document used for identity verification, an explanation of the methods and the results of any measures undertaken to verify the customer’s identity and the resolution of any substantive discrepancy discovered while verifying the identifying information obtained. 
  • Retaining records: Customer data must be retained for five years after the closing of a bank account. For credit card accounts, the data must be stored for five years after the account is closed or becomes dormant.
  • Providing customer notice: Customers reserve the right to receive adequate notice that the bank is requesting information to verify their identities, and the process for providing notice should be documented by the bank.

What is the purpose of the CIP?

The main goal of the CIP is to verify the identity of customers opening a new account at a financial institution.

What is CIP vs KYC?

CIP and KYC are both regulatory measures implemented by financial institutions, but CIP specifically focuses on verifying the identity of new customers while KYC focuses on assessing the risk of all customers.

What is CIP verification?

CIP verification is the process of verifying the identity of a customer opening a new account at a financial institution.

What is the difference between customer due diligence (CDD) and customer identification program (CIP)?

What are CIP requirements?

CIP requirements include collecting identifying information such as name, date of birth, address and government-issued identification documents, and then verifying that information through various methods such as comparing it to third-party databases or conducting in-person verification.

How does CIP verification differ for individuals vs. businesses?

CIP verification for individuals typically involves obtaining and verifying personal identification information, whereas CIP verification for businesses involves obtaining and verifying the business's identity as well as the identity of its beneficial owners or control persons.

What are the challenges of implementing effective CIP programs?

Some challenges of implementing effective CIP programs include balancing compliance requirements with customer experience, keeping up with regulatory changes and ensuring that the program is customized to the institution's specific risks and operations.

How does a customer identification program relate to KYC?

Who is subject to the customer identification program rule?

Is CIP required for any organization types not on the list above?

CIP is not required under the law for non-regulated entities; however, there is certainly value in protecting customers, users, and the business from identity takeover, synthetic identity, and other issues. In most non-regulated entities, it is a matter of customer safety and security as opposed to a requirement under the law.
