In brief:
- A customer identification program (CIP) in banking is a set of procedures that US financial institutions must follow to identify — and verify the identities of — customers, both during and after onboarding.
- Any US business that could be considered a financial institution, as defined by the Bank Secrecy Act, must have a CIP.
- CIPs generally require notifying customers that their information is needed for identity verification, collecting this information, verifying it, screening it against sanctions lists (and other watchlists), maintaining copies of it for as long as regulations require, and having a general outline of how all of these things will be accomplished.
- Several factors can influence how a financial institution creates its CIP, such as its clientele, location, product offerings, operational procedures, and available resources.
The passing of the USA PATRIOT Act in 2001 did more than just enact measures to tighten the United States’ national security against terrorist acts. It also set the stage for requiring financial institutions (FIs) to be more vigilant against financial crimes that could fund terrorists and other unlawful people or groups.
A key way it did so was mandating a customer identification program, or CIP, for banking institutions and other businesses that tend to have high transaction volumes. We help you understand how to do this by covering the following:
First, we expand upon the definition of a CIP in banking. That includes which US laws and regulations govern the creation of CIPs.
In the financial services industry, "CIP" stands for Customer Identification Program.
In banking, a CIP is a codified system of actions a US financial institution must have for identifying its customers before (and after) they open accounts. This includes what ID information is required and how it is verified to ensure a customer is who (or what) they claim to be.
CIP compliance for banks
CIP compliance in banking is governed by the Bank Secrecy Act (BSA), as amended by Section 326 of the USA PATRIOT Act. Together, these laws mandate the creation of CIPs by US financial institutions to identify customers and assess the risks they present. The goal in doing so is to detect and prevent financial crimes such as money laundering and terrorism financing as early as possible.
CIP banking requirements apply to any US business that meets the BSA’s statutory definition of a financial institution. Such businesses include:
- Banks
- Credit unions
- Fintechs
- Lenders
- Payment service providers (such as credit card companies)
- Currency exchanges
- Securities brokers/dealers
- Investment managers
Also falling under this definition are businesses that may not be typically thought of as traditional financial institutions, but are still counted because they often deal with a significantly large volume of financial transactions. They include:
- Insurance companies
- Casinos and other gambling services
- Sellers of precious metals, stones, or jewels
- Travel agencies
- Vehicle sellers
- Pawnbrokers
- Real estate agencies
Some other types of businesses also develop CIPs despite not having a legal requirement to do so. Requiring customer information for verification helps businesses deliver safer and more secure products and services. First and foremost, a CIP ensures customers adhere to compliance requirements and helps them reduce risk. Being transparent about having a CIP also helps a business win customers’ trust that the business is operating honestly, and that all customers will deal fairly.
CIP rules in banking are covered by these six core requirements:
- Give customers adequate notice that their ID information is needed for verification
- Collect information from customers needed to identify them
- Verify each customer’s information is authentic and belongs exclusively to them
- Check each customer’s ID against sanctions lists and other risk-related information
- Retain customers’ information as needed for updating, auditing, and reporting
- Codify the above processes in a written version of the CIP
As long as these six CIP guidelines are followed, financial institutions have a fair degree of flexibility as to how they put together their CIPs. But how does an FI go about building a CIP that fits its needs? Formulating a CIP process in banking isn’t a strict one-size-fits-all task, and requires a nuanced KYB tech stack tailored to banking, as well as an efficient CIP program.
While there are some general requirements, financial institutions have to make decisions based on their own risk profiles and risk appetites about how they will meet these mandates. Towards that end, here are some things they should consider.
1. Location(s) of operation
Legal and regulatory requirements can differ slightly depending on the jurisdiction(s) in which an FI does business. In addition, there may be overall higher or lower risks in certain jurisdictions based on the prevalence (or lack) of financial crime there. FIs should account for the peculiarities of where they operate, especially if they operate across multiple jurisdictions.
2. Number of customers
In general, the larger an FI’s client base, the greater the risk it exposes itself to. More clients means more work managing each of them for compliance, and a greater chance that one could slip through the cracks and present a legitimate threat. Therefore, FIs with greater volumes of customers typically need more comprehensive CIPs.
3. Average customer risk profile
The size of an FI’s client base isn’t always the most important factor in determining its risk. For example, an FI could have a small number of customers, but each of those customers is high-risk for one reason or another. Such customers may be very wealthy, politically exposed persons (PEPs), listed as being under increased financial supervision (or from a country listed as such), prone to complex transactions, previously involved in (financial) crime, and so on.
An FI needs to consider how risky its client base is on average, both on the whole and within specific jurisdictions.
4. Products and services offered
An FI needs to consider how the products and services it offers could be used for fraud and other financial crime. Accounts could be taken over. ATMs could be skimmed or hacked. Credit or debit cards could be stolen or copied. Money could be laundered through buying and reselling luxury goods, or by funneling it through cash-intensive businesses. Checks could be altered, forged, or used to commit fraud in many other ways.
An FI needs to design its CIP so it can accurately identify its clients in case one of its products or services is abused. This not only protects legitimate clients if they are victimized by identity theft, but also dissuades opportunistic criminals from trying to take advantage of the FI (because the FI can trace the illicit activity back to them).
5. Methods for opening accounts
Another part of an FI determining how to keep its products and services secure with a CIP is considering what’s involved with opening a product/service account. In what order are steps taken? Can it be done through a website or app, or does it have to be done at a physical branch? Does information need to be sent to third parties? How long does the process usually take?
For an FI, designing a CIP should be a balancing act. Products and services should be kept secure, but opening an account shouldn’t involve so much friction that a prospective customer is likely to abandon the process or avoid the FI altogether.
6. Verification methods available
An FI can verify its clients’ identity information in multiple ways: matching biometric data against official databases, obtaining copies of ID documents, and cross-checking details against other trusted institutions. An FI should decide which of these methods to use, and how many verifications need to be run (and with what identifying information) to reasonably establish that a customer is who or what they claim to be.
This decision should be based largely on the FI’s risk factors, as outlined above. However, it may also be based on what resources an FI has available (in a particular area) and what tools the FI can afford. As a baseline, an FI might want to look at industry standards and what solutions similar businesses are using.
7. Identification information required
Based on all of the above factors, the critical question is: what types of identifying information will an FI need to properly verify customer identities? At minimum, CIP banking compliance requires FIs to collect a full name, home address, date of birth, and government-issued ID number from each individual customer (or ultimate beneficial owner of a business). For business customers, the FI also needs to know the details of the business itself, including its registered name, operating address, EIN (or other tax ID), formation documents, and industry licensing.
Of course, an FI may choose to request additional types of identification from customers — phone numbers and email addresses being two common ones — in order to have a more robust CIP. Again, this is a balancing act between securing an FI’s operations and ensuring smooth customer experiences. It needs to take into account what resources an FI has available in relation to what types and magnitudes of risks it faces.
Learn how to automate CIP in your onboarding process with help from Middesk
If you’re starting a business that needs (or wants to have) a CIP, it may seem daunting given all we just told you. Take heart, though: many of the basic requirements aren’t all that different from those in anti-financial crime regulations that other types of businesses need to comply with, even if they don’t legally require a CIP. So having a customer identification platform like Middesk by your side gives you a solid foundation for building your own CIP.
Our Business Verification solution includes information about all US businesses: names, addresses, EINs, leadership, other registration documents/details, and sanctions status. If you need additional information to fit your risk profile, we can also screen your customers for adverse media, PEPs, global watchlists, and more.
Reach out to our sales team to set up a demo and learn how we can help your business put together its CIP — and meet its other regulatory requirements.