Customer identification program (CIP) requirements target money laundering, terrorism funding, corruption and other criminal activities.
Under a CIP, which is required through the USA PATRIOT Act, financial institutions must have reasonable procedures to gather and maintain customer identity information and run watchlist checks. According to the Financial Crimes Enforcement Network (FinCEN), CIP requirements apply to all financial institutions.
But those requirements raise questions. What do regulators consider reasonable? How can a financial institution efficiently integrate a CIP? Can organizations achieve compliance and fraud mitigation while delivering streamlined customer onboarding?
The Customer Identification Process
The minimum needed to open an individual financial account in the U.S. is name, birth date, address and an identification number, such as a Social Security number. Financial institutions can verify identities with documents, such as driver’s licenses, or nondocumentary methods, such as through credit bureaus and government databases.
Those procedures are central to a CIP. Organizations, as they do with other Anti-Money Laundering (AML) requirements, can take steps toward compliance by codifying the policies.
The policies may depend on an organization’s risk-based approach to verification and:
- The types of accounts the financial institution offers
- How people open accounts
- The available identity information
- The organization’s size, location and customer base
Digital Identity Verification and CIP Requirements
Financial institutions can conduct digital verification to meet consumer expectations for convenience and immediacy in a digital economy. Verification through nondocumentary methods can provide strong risk mitigation and fast onboarding.
Organizations can also combine identity document and nondocumentary verification to cross-check data and further reduce fraud risk.
While identity verification is core to a CIP, there are other requirements, including providing proper notice about document collection and identification processes. A CIP must also include procedures to handle edge cases, such as when a person doesn’t have an identity document or when a document type is unknown to the financial institution.
Regulations require that CIPs incorporate procedures to manage higher-risk situations. Those procedures can determine what happens when the institution can’t verify an identity, when to prevent account opening, when to request more information and when to file a suspicious activity report.
Organizations can rely on a separate qualified financial institution to administer the CIP program. The program must meet CIP standards, and the qualified entity must be regulated and have an AML program.
Written Procedures
Financial institutions must have a documented CIP process approved by the board of directors. The process should be part of a compliance program and include procedures for account opening, verification, screening, customer notification and recordkeeping.
Risk Assessment
Risk assessments, at the institutional and account level, are critical in creating a successful CIP.
Each institution can set its own policy for risk. For instance, a credit union with only individual customers from a local area can have a less stringent CIP risk policy than an international bank.
Record Retention
Financial institutions must maintain identity information for five years after a customer closes an account. That includes a description and expiration date of any document used to verify identity, including the identification number.
Sanction Checks
Financial institutions must check identities against domestic and international AML, counter-terrorist financing and sanctions watchlists.
Business Verification
CIPs also apply to corporations, partnerships and trusts. Financial institutions can verify business entities by checking certified articles of incorporation, a government-issued business license, a partnership agreement or a trust instrument.
Business verification is also possible through nondocumentary methods. Real-time identification and verification of company records through official registers enables quick business onboarding.
Under the Customer Due Diligence Final Rule, financial institutions must now collect, maintain and report beneficial ownership information.
“With respect to the requirement to obtain beneficial ownership information,” according to the rule, “financial institutions will have to identify and verify the identity of any individual who owns 25 percent or more of a legal entity, and an individual who controls the legal entity.”
Under the Corporate Transparency Act, U.S. companies must report their ultimate beneficial owner (UBO) information to FinCEN. Any new incorporation or significant UBO change must be reported.
A CIP is a necessary element of AML and Know Your Customer regulations, though it can present complex challenges. A sound digital strategy focused on integrated verification capabilities can position financial organizations to meet even the strictest compliance requirements.
Frequently Asked Questions
Learn more about customer identification programs.
A customer identification program (CIP) encompasses the procedures regulated financial institutions use to identify customers and counter money laundering and terrorism funding. CIPs are required under the USA PATRIOT Act.
The four elements of a customer identification program are: verify individual and business identities; establish written procedures that outline the financial institution’s risk-based approach to verification; retain identity records; and perform watchlist screening for all customers.
The three primary steps in a customer identification program (CIP) are: establish reasonable procedures for verifying the identity of any person; maintain records of that information, including name and address; and perform watchlist screening.
A customer identification program is an element of meeting Know Your Customer (KYC) requirements in the U.S. KYC requirements can be more extensive and require additional due diligence to assess the risk profile of a customer and perform ongoing monitoring.
This post was originally published in February 2019 and updated to reflect the latest industry news, trends and insights.