The customer identification program (CIP) requirements that govern financial institutions target money laundering, terrorism funding, corruption and other criminal activities but also present challenges for organizations. Under a CIP, which is required through the USA PATRIOT Act, entities must have “reasonable” procedures to gather and maintain customer identity information and run watchlist checks on them.
The Financial Crimes Enforcement Network (FinCEN) has stated CIP requirements should apply to all banks, regardless of whether they are federally regulated.
But those requirements raise questions: What do regulators consider reasonable? How can a financial institution integrate a CIP efficiently and cohesively? Can organizations achieve compliance and fraud mitigation while delivering efficient customer onboarding?
The Customer Identification Process
The minimum identity requirements to open an individual financial account in the U.S. are name, birth date, address and an identification number, such as Social Security or Individual Taxpayer Identification.
Gathering that information at account opening is sufficient, but organizations must verify the account holder’s identity “within a reasonable time.” Procedures for identity verification include documents, such as a driver’s license, or nondocumentary methods, such as through credit bureaus and government databases.
Those procedures are at a CIP’s core, and organizations, as they do with other Anti-Money Laundering (AML) compliance requirements, can ensure compliance by codifying the policies. The exact policies depend on the organization’s risk-based approach and may include:
- The types of accounts offered
- The methods of opening accounts
- The types of identifying information available
- The organization’s size, location and customer base, including the types of products and services used by customers in different locations
The identity verification procedures must be robust enough to verify the identity of each customer to an extent that is “reasonable and practicable.”
The Case for Digital Identity Verification
Traditionally, financial institutions would examine unexpired government-issued identification documents such as a driver’s license or passport. However, best practices call for providing more than one document to offset the risks of counterfeit or fraudulently obtained identification.
Financial institutions can conduct that process online to meet consumer expectations for convenience and immediacy in a digital age. Digital identity verification through nondocumentary methods can provide strong risk mitigation and deliver fast onboarding. One method involves “independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source.”
There are other nondocumentary methods, such as contacting a customer, checking references with other financial institutions or obtaining a financial statement. However, those processes don’t often offer the speed, convenience and reliability of digital identity verification.
Financial institutions can also combine documentary and nondocumentary methods. One increasingly popular method is to use on-demand ID document verification combined with digital identity verification to cross-check ID documents electronically with the identity information to further reduce fraud risk.
Other CIP Requirements
While obtaining and verifying the identity of each customer is core to the CIP, there are other requirements, including providing proper notice to customers about document collection and identification processes.
The CIP must also contain procedures to handle various edge cases, such as when a person doesn’t have an identity document, when a document type is unknown to the financial institution or when a customer can’t visit a branch.
Regulations require the financial institution’s CIP also incorporate procedures to manage situations when the risk level is higher than usual. Those procedures can answer questions such as: What happens when the institution can’t verify a person’s identity? When is it appropriate to prevent account opening? When is it OK to open the account but require more information? When should an organization close an account or file a suspicious activity report?
While a CIP is mandatory, organizations can rely on another qualified financial institution as the program provider. The qualified entity must be regulated and have an AML program, and the reliance must meet CIP standards.
Have a Written Procedure
As stated in the CIP, your institution needs an accurate, documented process approved by the board of directors. This process should be a part of the compliance program and include procedures for opening accounts, account verification, screening accounts, customer notification, and recordkeeping.
A critical element to a successful CIP is a risk assessment, both on the institutional level and on procedures for each account. While the CIP provides guidance, it’s up to the individual institution to determine the exact level of risk and policy for that risk level. If you’re a credit union with only individual customers from a small, local area, your CIP can be far less stringent than an international bank with clients from a terrorist hotbed. Ensure your policy is “reasonable and practicable,” documented, and updated. Note the CIP is only one element of a broad range of AML (anti-money laundering) and KYC (know your customer) policies from various regulatory agencies.
Record Retention
Identity information must be maintained for five years past the customer’s relationship with the financial institution. That includes a description and expiration date of any document used to verify identity, including its identification number and the issuance date and location.
Sanction Checks
Financial institutions must also check identities against domestic and international AML, counter-terrorist financing and sanctions watchlists.
Business Verification
The CIP also applies to corporations, partnerships and trusts. In those cases, the procedures relate to verifying a business entity. The existence of the business entity can be established by calling upon certified articles of incorporation, a government-issued business license, a partnership agreement or a trust instrument.
Business verification is also possible through nondocumentary methods. Similar to digital identity verification, real-time identification and verification of company records through official registers enables quick business onboarding.
It’s important to note that under the Customer Due Diligence Final Rule, collecting, maintaining and reporting beneficial ownership information is now required for financial institutions, which “must identify and verify the identity of the beneficial owners of all legal entity customers (other than those that are excluded) at the time a new account is opened (other than accounts that are exempted).”
Under the Corporate Transparency Act, U.S. companies must report their Ultimate Beneficial Owner (UBO) information to FinCEN. Any new incorporation or significant UBO change must be reported, and any company formed before the effective date of the act will have two years to report.
A CIP is a necessary element of AML and Know Your Customer (KYC) regulations. Beyond that, it’s part of an effective risk-mitigation strategy. Ensuring your CIP is strong, up to date and complete is fundamental to running a successful financial institution.
Frequently Asked Questions
Learn more about the customer identification program.
A customer identification program (CIP) are the procedures U.S. regulated organizations use to identify customers to counter money laundering and terrorism funding. They are requirements under the USA PATRIOT Act.
The four pieces of a customer identification program are to verify identities of customers, including business customers, have written procedures that outline the risk-based approach of the organization, retain identity records, and perform watchlist screening on all customers.
The three main steps for a customer identification program are to have reasonable procedures for verifying the identity of any person, maintaining records of that information including name and address, and performing watchlist screening on that person.
The CIP is a necessary element of performing Know Your Customer (KYC) in the U.S. KYC requirements are more extensive, requiring due diligence to understand the risk profile of the customer and perform ongoing monitoring.
This post was originally published in February 2019 and updated to reflect the latest industry news, trends and insights.
Solutions
Regulatory Compliance
Optimize Identity Verification for Regulatory Compliance
Featured Blog Posts
Individual Verification (KYC)
KYC: 3 Steps to Achieving Know Your Customer ComplianceBusiness Verification (KYB)
Enhanced Due Diligence Procedures for High-Risk CustomersIdentity Verification
Proof of Address — Quickly and Accurately Verify AddressesIndividual Verification (KYC)
Top 10 Questions About Beneficial Ownership for AML/KYC ComplianceBusiness Verification (KYB)
How to Verify Legitimate Businesses and MerchantsIndividual Verification (KYC)
Customer Due Diligence Checklist — Five Steps to Improve Your CDD