Overview: Customer Identification Program (CIP)

← Blog home

Jump to ↓

It could happen to a long-established bank, a trusted community credit union, or a fast-growing fintech startup. If a compliance officer or other executive discovers that a supposedly reputable customer has been using the account to make millions in illegal transactions, the resulting fallout can be profoundly damaging.  

This is why financial services organizations of all kinds need an effective Customer Identification Program. A CIP is not only good business—it’s a legal requirement. Federal regulations mandate that financial organizations set up a CIP as a part of their know-your-customer (KYC) and anti-money laundering (AML) efforts. Given the numerous details and sources of these requirements, financial services risk and fraud professionals may understandably be unclear about the specific steps and the best practices for effective CIP implementation and compliance. This overview can help clarify that complexity. 

What is a Customer Identification Program (CIP)?

A Customer Identification Program (CIP) is a federal mandate requiring financial institutions to verify the identities of individuals and entities seeking to open new accounts. The CIP requirement was established under Section 326 of the USA PATRIOT Act, enacted in 2001 in the wake of 9/11 to prevent money laundering, terrorist financing, and other financial crimes by ensuring that institutions thoroughly vet potential customers and identify suspicious transactions.  

These federal rules require financial institutions—which now include not only banks, credit unions, and securities firms but also insurance companies, fintech businesses, and cryptocurrency exchanges–to collect specific identifying information from customers, develop verification procedures focused on uncovering potential risks, keep records of the data collected, and cross-check identifying information against government lists of known terrorists and criminals. While meeting CIP requirements entails time-consuming work and continual vigilance, an effective CIP also provides financial firms with crucial benefits:  

Risk mitigation

As global markets, digital currencies, and financial information continue to outpace the oversight capabilities of traditional systems and structures, risk assessment is becoming increasingly complicated, with hidden threats harder to spot. A CIP can help manage these risks, particularly fraud. 

Protection against financial crimes

Being victimized by embezzlers, money launderers, and terrorism financiers represents some of the biggest risks that financial services firms must manage. A CIP can boost fraud prevention efforts and help organizations protect themselves from bad actors who use stolen identities and other disguises.  

Outboarding efficiency

A CIP’s detailed processes can provide financial services firms a thoroughgoing, standardized approach to KYC and AML onboarding. 

Regulatory compliance assurance

Given the complexity of KYC and AML requirements, compliance can be extremely challenging. A rigorous CIP can help a financial services business meet often complicated federal objectives.   

Enhanced customer trust and reputation

An effective CIP can assure a financial services firm’s law-abiding clients that it is not only protecting itself but also their assets and their data. This can strengthen both its reputation and its marketing.  

Related blog Dive deep into the industry use cases, the implications, and the framework. Read blog →

CIP requirements

To maximize the effectiveness of a Customer Identification Program, financial services risk and fraud professionals should make themselves familiar with what such a program requires.  

As we noted earlier, Section 326 of the USA PATRIOT Act prescribes minimum identity verification standards for financial account applicants. The financial services firm is required to maintain records of the information it uses to verify a potential customer’s identity, including name, address, date of birth, and other identifying information (notably, a tax ID, Social Security Number, or other identification number). For a potential customer that is a business, the institution should gather public registration documents and the company’s registration identification number (CRN). It may also need to collect beneficial ownership information (BOI), though that the Trump Administration has thrown BOI enforcement into flux. 

In addition, a financial services business is required to determine whether names of individuals or the owners of entities seeking to open accounts appear on any lists of known or suspected terrorists or terrorist organizations that government agencies provide to financial institutions. It must also check to see whether a potential customer’s name appears on global sanctions lists and in politically exposed persons (PEPs) databases. What’s more, the USA PATRIOT Act requires financial institutions to keep customer identification records for five years after the account is closed.  

CIP requirements weren’t a major innovation when they were introduced. It could be said the foundation for CIPs was laid by the Bank Secrecy Act (BSA), passed in 1970 to strengthen ​​AML programs and updated several times since its original passage. The BSA also has several other requirements, including the development of internal controls and independent auditing.   

Clearly, a CIP can (and should) be integrated with a financial services firm’s overall KYC and AML practices. A CIP is a part of KYC, along with customer due diligence (CDD), which assesses the risks of a potential customer, and enhanced due diligence (EDD), a more rigorous form of CDD reserved for higher-risk applicants. 

CIP noncompliance can have serious consequences. If a financial institution fails to meet regulatory requirements, it could face fines of up to $1 million. There also could be non-monetary consequences, including restrictions on a financial services business’s operations. 

The CIP process

With these pitfalls, requirements, and benefits in mind, a financial services firm’s risk and fraud professionals need a stringent process to establish a truly effective Customer Identification Program.

The process

Here’s a summary of the specific steps an organization should follow:   

• Customer verification collection. These include specifying the identity verification data to be gathered.  
• Identity verification methods. These should include accessing both documentary and non-documentary sources, such as information from government agencies and credit bureaus. Particularly with nondomestic applications, financial services companies should incorporate adverse media and sanctions-list screening into their investigations. 
• Recordkeeping protocols. Federal regulations require a financial service firm to maintain identity verification records on file, even after a customer severs the business relationship.  
• Ongoing monitoring. This is necessary to ensure continued compliance–and also to detect transactions that might signal illegal activity. 

Challenges

The financial business’s CIP team should be prepared for several challenges that are likely to crop up during implementation:  

• Technology integration issues. It’s often not a simple matter to incorporate identification verification processes into the organization’s digital network. A financial firm’s IT staff will need to make sure that software platforms can “talk” to each other.  
• Staff training needs. An effective CIP requires appropriate resource allocation. This includes spending time and money educating employees about proper verification techniques.  
• Customer experience friction points. Customers don’t want to jump through time-consuming verification hoops just to make a single transaction. IT professionals call these slowdowns user friction.  
• Balancing security and convenience. This challenge is related to the friction issue. To keep (legitimate) customers happy, financial services organizations need to balance thorough identification protocols with ease of service access. 
• Handling “edge cases.” Verifying identities of noncitizens and legal entities based outside one’s home country is typically more complicated than those of potential customers located domestically.    

Best practices

To overcome roadblocks like these, an organization’s CIP team should familiarize itself with current best practices for effective implementation. One source is a CIP checklist put together by Thomson Reuters. The items in this checklist include:  

• Asking incisive questions to validate a potential customer’s identification. Take the time and effort to thoroughly investigate an account applicant.  
• Digging deep when assessing customer risk. Don’t simply take the applicant’s word regarding identification data. 
• Staying alert. Maintain monitoring even after building trust for your onboarding process. 
• Streamlining processes. Look for ways to incorporate technology and automation into CIP protocols. 

With our free checklist, financial services risk and fraud professionals can navigate the complexities of Customer Identification Program (CIP) implementation and compliance while protecting their operations, their customers, and the public.  

Checklist Optimize your CIP and ensure compliance View checklist ↗

Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.