Finance and banking are among the most regulated industries in the U.S., and it can be difficult to keep all the requirements straight. As part of Know Your Customer (KYC) and Anti-money Laundering (AML) compliance, financial institutions are required to verify customer identities through a Customer Identification Program (CIP).
CIPs became a legal requirement with the 2001 USA PATRIOT ACT and the Bank Secrecy Act. These laws established a regulatory framework for preventing, detecting and prosecuting financial crimes, and financial institutions must still abide by those guidelines today.
All financial institutions, including everyone from individual broker-dealers to large legal entities, must comply with CIP guidelines and compliance regulations. Let’s look at what those minimum requirements are.
General CIP Requirements
A Customer Identification Program is a written procedure that outlines how a bank or financial institution confirms the true identity of each customer. While the end goal of each CIP is the same, compliance requirements will vary.
Banks or financial institutions that take on greater risks may have stricter CIP requirements than companies with a lower risk profile. Factors that might influence a company’s CIP standards include:
- Types of accounts offered
- Process for opening new accounts
- Size, geolocation and customer base
- Exposure to high-risk or less-regulated markets (such as crypto)
This means there isn’t a one-size-fits-all list of requirements for every financial institution. A local credit union branch may face entirely different (and less strict) CIP compliance requirements than an international financial institution, and both of those might look dramatically different from CIP and KYC compliance in fintech.
However, there are minimum requirements that all CIPs must include procedures for, including:
- Obtaining and verifying customer identifying information, such as name, date of birth and address
- Checking customer information against federal government terrorist or suspected terrorist lists
- Recording and maintaining customer identifying information and verification
- Reporting suspicious activity in accordance with laws and regulations
A CIP might also include specific exclusions, if and when customer data is destroyed, and procedures for disabling an account and blocking a customer from re-opening a new account.
But beyond the mandated minimums, CIPs are flexible and can be adjusted to meet a bank or financial institution’s individual needs. Organizations can ask for as much (or as little) additional information as necessary to conduct risk assessments, run verification tests, and ensure they’re properly protecting themselves from fraud and other threats.
CIP Requirements for New Customers and New Accounts
CIP rules and requirements only apply to new customers and new accounts.
The customer is the individual or identity that will be an account holder. This can be a person or several individuals (such as a couple, a parent and child, or another joint account), or it can be an estate, trust, corporation or other legal entity. Regardless of who the customer is, banks are still required to verify their identity.
Someone assisting in opening a new account for a customer, such as a guardian or a broker-dealer, without intentions of being an account holder is not considered a customer. Therefore, they are not subject to the same CIP requirements.
CIP rules also apply to accounts — that is, instances where there is an ongoing relationship and continuous exchange of services between the bank and the customer. One-time transactions and interactions are not subject to CIP regulations. So, for example, a checking or savings account would require CIP procedures while cashing a check or issuing a money order do not.
CIP Customer Information Requirements
CIP has a large overlap with anti-money laundering compliance requirements and is designed to help prevent illegal activities by confirming customers’ identities and the source of their funds.
The minimum CIP requirements state that financial institutions must obtain the following information from new customers:
- Date of birth (for individuals)
- Identification number
- Social Security number for individuals
- Tax identification number for businesses or non-U.S. individuals
- Passport, driver’s license or other government-issued identification number and country of issuance
Banks may choose to collect additional information to align with their own security and anti-fraud measures or request additional information to perform verification and risk assessments. For example, phone numbers and email addresses are not required under CIP, but collecting that information from customers can allow for easier communication, more robust analysis and more efficient verification.
All bank-required information — even if it is not legally required under CIP rules — should be outlined in the CIP.
CIP Requirements for Customer Verification
When a new account is opened, the financial institution must collect the appropriate identification from new customers. The timeline for submitting all the information should be outlined in the CIP.
The customer verification process can be done in a couple of ways:
- Documentary verification: Uses approved documents to verify customer identity and information
- Non-documentary verification: Uses alternative methods to verify customer identity and information
- Combination verification: Uses both documentary and non-documentary verification methods
CIP Requirements for Documentary Verification
Documentary verification relies on forms, certificates and other issued documents to confirm that a customer’s information is valid. CIP requirements state that only specific documents can be used.
For individuals, approved verification documents include:
- Driver’s license or another state-issued identification card
- Social Security card
- Birth certificate
- Valid ease or utility bill
For legal entities, such as businesses, the accepted documents list includes:
- Articles of incorporation
- Business licenses
- Partnership agreements
- Third-party-issued certifications and acknowledgments
A financial institution may designate their specific document requirements, or designate specific documents as “secondary” or “supplementary” documents. For example, it’s not uncommon to require a government-issued photo identification card or passport, as well as a lease or utility bill.
Customers may also be asked to provide additional documentation if their ID information is outdated or inaccurate, such as when there is a name change after a marriage or divorce. A copy of a marriage license, divorce decree, or other legal document outlining the changes is usually enough to verify an identity under CIP requirements.
CIP Requirements for Non-Documentary Verification
Non-documentary verification uses knowledge-based authentication and biometrics to identify customers. These verification methods are not required under CIP regulations but can add extra security.
Non-documentary verification methods are particularly useful in high-risk industries or when working with individuals or businesses deemed high-risk. If the nature of the financial services provided requires additional identification verification requirements, it’s good practice to request beyond standard CIP requirements.
Non-documentary verification methods include:
- Asking customers questions based on public records
- Using fingerprint or facial recognition technology
- Checking references with other financial institutions or obtaining a financial statement
CIP Requirements for Existing Customers
Once a customer’s identity has been established, financial institutions don’t need to follow the same procedures if an existing customer wants to open a new or additional account. It’s only required that financial institutions form a reasonable belief about a customer’s identity once.
If customers opened accounts before the establishment of CIP requirements in the early 2000s, financial institutions can add a statement to their policy stating that they have a reasonable belief that long-time existing customers are who they say they are. It isn’t necessary to require customers who opened accounts before CIP requirements to undergo the same identity verification process.
Dig Deeper with a Free Resource from Fintrail and Jumio
Ongoing Customer Due Diligence and Remediations
CIP Requirements for Individuals
CIP regulations require financial institutions to include specific policy guidelines for verifying the identity of individual customers, such as the exact types of ID to be collected. CIP requirements also state that customers must be given adequate notice of the verification process.
Banks might have a notice in the lobby, on their website or included with an account application letting new customers know they will need to provide an unexpired government-issued photograph ID.
It’s also important to make note of any type of ID that won’t be accepted. Military IDs, for example, cannot be photocopied under the law. If a company’s CIP states that photocopies of customer identification documents will be stored and maintained, customers need to be notified that their military identification will not be accepted — or the CIP plan will need to be adjusted to make exemptions.
CIP Requirements for Business
CIP requirements for businesses are similar to those for individuals, but there are a few key differences. To comply with CIP requirements, banks and financial institutions need to verify the identity of the business, as well as any individuals acting on behalf of the business.
In addition to the individual CIP identification requirements already discussed, financial institutions need to collect and verify identifying information for the business. This includes:
- Legally registered business name
- Physical address
- IRS-issued tax identification number
Like CIP requirements for individuals, banks can request additional information from new business customers. Contact information, supplemental documentation and additional information for more accurate risk assessments can be added to a company’s unique CIP requirement list.
CIP Requirements for Power-of-Attorney (POAs)
A power-of-attorney (POA) is a legal document that grants someone (the “agent”) to act on behalf of the individual (the “principal”). It’s a relatively common practice for individuals who are aging, sick or otherwise unable to manage accounts themselves to use a POA.
If the customer uses a POA to conduct transactions on their behalf, the financial institution would need to follow CIP guidelines for both the customer and the POA agent. Even if the customer is an existing customer, CIP requirements would still apply to the added POA agent.
The financial institution may also need to verify the validity of the POA agreement. This may involve obtaining a copy of the POA document and verifying the identity of the person who executed the document.
CIP Requirements for Government Entities
Government entities are considered exempt from CIP requirements. Under BSA rules, most government entities are not considered “customers” and therefore do not need to follow the same CIP rules.
Customer Identification Program FAQs
Why are customer identification programs so important?
CIPs are designed to verify customer identities and prevent fraudulent activities, including money laundering, terrorism financing and identity theft. They work as part of a financial institution’s larger BSA/AML compliance program to ensure all the appropriate precautions are in place.
Can the CIP rule apply to an individual who becomes a co-owner of an already existing deposit account?
New individuals who become co-owners of a long-standing deposit account are still considered new customers and will need to establish and verify their identity in accordance with CIP rules.
What is the difference between a CIP checklist and a CIP audit?
A CIP checklist is used by banks or financial institutions to ensure all required CIP procedures have been appropriately implemented and completed. Other types of compliance checklists are commonly used within the banking and financial services industry.
A CIP audit is an evaluation of a financial institution’s CIP. This may be done by the bank itself to ensure policies and procedures are being followed appropriately, or it may be conducted by a third party to ensure CIP regulations and standards are being met.
How do the CIP requirements apply to loans that have been renewed or a certificate of deposit that has been rolled over?
Each situation is unique. If there are changes to the customer’s information, such as a new address or a legal name change, the issuing financial institution may need to verify the updated information to make relevant adjustments to the customer’s profile. The customer should be prepared to provide additional materials to verify their identity.
If there aren’t significant changes to the customer’s information and the bank already has confirmed the customer’s identity, they don’t need to re-collect and re-verify customer information. The loan or certificate of deposit can proceed as usual.
In the absence of documents or non-documentary methods that establish the identity of a partnership, how should a bank verify the identity of a partnership that opens a new account?
If a partnership does not have sufficient documentation to verify the partnership identity, the financial institution can follow its individual CIP procedures for the partners themselves. Rather than collecting partnership-related information, the bank would require IDs and other info from each partner involved.
The process must be completed for all account-holding partners. Any lawyers, accountants or other third-party professionals supporting the account opening process do not need to abide by CIP regulations if they are not ultimately seeking account-holding privileges.
The bank may also accept a certification or acknowledgment of the partnership from a third-party professional, such as a lawyer or an accountant. In cases where many partners are involved, obtaining an approved document may be easier and more efficient.
Can a bank meet the recordkeeping requirement by just keeping updated information about the customer?
No. All original documentation obtained during the account opening process must be retained to remain CIP compliant, including any and all documents used to verify the customer’s identity.
Even as updated information is obtained, the bank must store both the original and the updated information for the duration of the account relationship. Only after an account has been closed or dormant for five years can the customer information be deleted.
Is there a designated list of known or suspected terrorists or terrorist organizations for the purpose of CIP requirements?
Yes. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) maintains the Specially Designated Nationals and Blocked Persons (SDN) list. This list includes all known or suspected terrorists or terrorist organizations, and as part of CIP procedures, all financial institutions must check new customers against this list of names.
Stay Up to Date with the Latest CIP Requirements with Jumio Technology
Keeping up with CIP requirements can feel overwhelming. Here’s a quick recap of what you need to know about Customer Identification Program requirements:
- Banks and financial institutions must collect four main pieces of customer information: name, date of birth, address and government-issued identification number.
- All customer information must be stored as long as the account is open and active, and can only be destroyed after the account is closed or inactive for five years.
- Customer information must be checked against government-maintained terrorism and suspected terrorism lists.
- CIP rules only apply to new customers and new accounts.
- Banks and financial institutions can build individual CIP requirements beyond mandated minimums to ensure their own safety and security.
Remember: CIP rules are put in place to keep customers protected and ensure a safe and secure banking environment. They’re important to maintain. Thankfully, identity verification solutions can make meeting CIP requirements easier.
Jumio’s identity verification solutions provide a reliable and efficient way for banks and financial institutions to validate new customer identities. With the latest technology, CIP requirements are easier to manage, and the overall risk of fraud is reduced.