In brief:
- A Customer Identification Program, or CIP, is a system of practices a US financial institution must follow to identify — and verify the identities of — its customers.
- CIPs are important for financial institutions (FIs) and Fintechs to avoid unnecessary risks and to comply with US AML laws, such as the Bank Secrecy Act and USA PATRIOT Act.
- CIPs generally require financial institutions to codify processes related to giving advance notice of needing customer information for identification purposes, collecting this information, verifying it, checking it against sources of risk-based data, and keeping records of it for as long as is needed to comply with regulations.
Since the 9/11 terrorist attacks in 2001, the US has mandated its financial institutions (FIs) to perform stricter checks on their customers’ identities. Its goal in doing so has been to detect and block entities’ attempts at funding terrorism and committing other serious financial crimes. One of the key instruments towards this end has been requiring the establishment of Customer Identification Programs, or CIPs.
CIP requirements revolve around six core processes, but can otherwise be tailored to meet a financial institution’s risk appetite. This article explains what those processes are, in addition to giving a general overview of what CIPs are and why financial institutions need them.
First, we cover what a Customer Identification Program is and why CIPs are requirements for US financial institutions.
A Customer Identification Program, or CIP, is a set of procedures that US financial institutions must have for knowing who their customers are. That includes what happens when a new account is opened, what information is collected from customers, and how customer identities are verified.
Customer Identification Program requirements were introduced in 2003 after the passage of the USA PATRIOT Act. The aim was to legally require financial institutions to do more in-depth checks of their customers’ identities and activities, towards the end of ensuring those customers weren’t funding or committing terrorist acts.
Section 236 of the Patriot Act amended the Bank Secrecy Act (BSA) to make CIPs requirements under US law. Now any business that could be classified as a financial institution by the BSA must have a CIP in order to legally function.
Note that in terms of KYB and KYC, CIP requirements are just one piece of the puzzle. Financial institutions also need to conduct customer due diligence (CDD) — and sometimes enhanced due diligence (EDD) — to evaluate the potential risks of associating with a person or business as a customer. They also need to monitor customers on an ongoing basis to check if their risk profiles change, and take appropriate action.
What types of businesses need a CIP?
Any business that meets the statutory definition of a financial institution under the BSA is legally required to have a CIP. This includes institutions that traditionally handle money or other financial instruments, such as:
- Banks
- Credit unions
- Lenders
- Securities brokers/dealers
- Investment managers
- Currency (including cryptocurrency) exchanges
- Credit card companies and other payment processing service providers
- Fintechs
However, it also includes several other types of businesses, such as:
- Insurance agencies
- Casinos & gambling services
- Dealers of precious metals, stones, or jewels
- Travel agencies
- Vehicle sellers
- Pawn shops
- Real estate agents
Finally, many types of businesses choose to implement CIPs even though they aren’t legally required to. This is because it helps them reduce risk, provide safer and more secure services, and establish trust between everyone who uses their platform.
CIP program requirements can be broken down into the following six categories.
1. Document the details of the CIP
An overarching CIP requirement is for a financial institution to have an explicit written version of its CIP. This should outline the FI’s risk-based approach to the processes listed in the other 5 requirements. As such, it should consider factors such as:
- What types of services the FI offers
- What a customer (and the FI) must do to open an account for a specific service
- What identifying information the FI is able (or allowed) to collect from customers
- Where in the US the FI is located
- How many clients the FI has
- A general risk assessment of the FI’s overall client base
2. Notify customers that their information is needed
For an FI, one of the fundamental CIP requirements for new customers is to collect and verify their identifying information. That way, the FI can ensure that the people and businesses it’s dealing with are who (or what) they claim to be. However, to respect privacy laws, FIs need to first inform customers adequately ahead of time that this information (and any supporting documentation or other materials) will be needed.
This is a good opportunity for an FI to be upfront with customers about its CIP information requirements, including specifically how each detail/document/material will be used to verify a customer’s identity. This helps the FI establish trust with potential customers and make them feel more confident in signing up.
3. Collect information necessary for identifying customers
Bank CIP requirements typically mandate collecting and verifying a person’s full name, home address, date of birth, and a government-issued ID number. Depending on the FI’s risk appetite, however, it may choose to collect other pieces of information such as phone numbers and email addresses.
For KYB, FIs will also need information about the business itself (registered name, operating address, tax ID, formation documentation, industry-specific licensing, etc.) in addition to details about the business’s ultimate beneficial owners (UBOs).
4. Verify the identifying information of customers
Once an FI has information on its customers, it needs to be reasonably sure the information actually corresponds to the customer providing it. There are several ways to accomplish this.
One is by matching information against customers’ official government-issued ID documents (preferably including a photo of the person), such as passports, driver’s licenses, birth certificates, and so on. For business customers, this can also mean obtaining copies of their formation documents (articles of incorporation, partnership agreement, business license, etc.).
If documentary evidence is limited or missing, customer information can be verified against trustworthy databases from services they likely have interacted with. These include motor vehicle registrations, tax administrations, credit bureaus, telecom carriers, and (other) financial institutions. Individuals can also be verified against official sources using biometric data, such as fingerprints, facial features, voice prints, and retina scans.
FIs should use multiple pieces of evidence, and sometimes multiple methods, to meet CIP verification requirements. This cuts down on the chance of systems being fooled by fake or forged credentials. However, this must be balanced against not adding too much friction to the verification process.
5. Screen customers against potential risk sources
Verifying their customers are who (or what) they claim to be isn’t enough to meet CIP requirements for banks. They must also check certain information sources for signs that customers present unacceptable (including potentially criminal) risks in terms of financial crime and other dangerous conduct.
Usually, these are official lists from government or intergovernmental agencies. They denote individuals, groups, or countries that are under stricter financial supervision, or are even outright illegal to associate with (due to financial crime, terrorism, etc.). They can also denote politically exposed persons (PEPs) or their relatives and close associates (RCAs): individuals with administrative powers and privileges that give them greater opportunities to commit financial misconduct, or at least make them bigger targets for these sorts of crimes.
Certain other media sources, such as news stories or social network posts, may also contain damaging information about a person or business. Depending on its risk appetite, an FI may or may not want to screen customers against these sources as well.
It also must be noted that the information in these sources can change over time. So it’s important for FIs to check their customers against these sources on a routine basis, not just when a customer is onboarded.
6. Retain customer information
Finally, CIP programs require banks to hold onto all (copies of) information, documents, and other materials used to verify customer identities. This should be done for as long as a customer maintains an active account, plus five years after the account closes or shows a significant lack of activity.
There are a few reasons FIs need to do this. One is to update (and note changes in) a customer’s information throughout their lifecycle as a customer. Another is to show compliance with CIP identification requirements, for auditing purposes. A third is to have documented evidence if reporting to and/or cooperating with regulatory and law enforcement authorities to root out financial crime.
Middesk helps your FI fulfill its CIP obligations
Customer Identification Program requirements for banks mandate many of the same processes necessary for other types of businesses to comply with AML/CFT/CPF regulations. It makes sense to use similar kinds of tools to make compliance faster and more efficient.
Middesk’s Business Verification solution can find and verify information about a company, including name, address, tax ID, registration details, officer list, and US watchlist status. Middesk also offers a number of add-on packages that can screen a business for adverse media coverage, politically exposed persons, and presence on international watchlists.
Contact our sales team to learn more.
