Customer Identification Program (CIP) and Know Your Customer (KYC) are two important terms that businesses need to understand to comply with governmental regulations and prevent illegal activity. Sometimes, people confuse CIP and KYC. However, there is a substantial difference between them, as CIP is part of US regulations while KYC isn’t. Sumsub prepared this article to explain CIP in detail and how it differs from KYC.
What is CIP?
Customer Identification Programs (CIP) are a US regulation requiring certain businesses to verify their customers during onboarding and transactions. CIP went into effect as part of the USA PATRIOT Act in 2003 to confront money laundering and terrorism financing.
CIP has to be implemented by all banks, credit unions, savings associations, and certain non-regulated banks operating in the US. The affected institutions need to have CIP in their BSA/AML compliance program. If institutions fail to comply with CIP requirements, they may be subject to severe federal penalties. For instance, violations of Bank Security Act (BSA) regulations, which include CIP compliance, may lead to a fine of $250,000 or five years’ imprisonment. It should be noted that such penalties may apply only when the obliged entity maliciously violates the law.
The difference between CIP and KYC
Some may think that CIP works the same way as Know Your Customer (KYC) does. However, there’s a clear difference, since CIP is an obligatory part of the BSA/AML compliance program required by the BSA.
CIP is for US-operating banks, credit unions, and savings associations, while KYC is a set of practices employed by different businesses all over the world.
In essence, KYC is an umbrella term for identifying and verifying clients, sometimes used in local European AML guidelines even outside of an AML context. KYC may include all the elements of CIP, in addition to Customer Due Diligence (CDD) and different ongoing procedures.
CIP rules are intended to identify and verify information provided by clients.
Businesses must have a written CIP that is proportional to their size and nature. Therefore, they should specify exactly what identification information will be required from their customers (in addition to the required minimum), the circumstances in which it will be requested, and the verification procedures to be applied afterwards.
The main goal here is to establish a ‘reasonable belief’ that information provided by clients is authentic. The written CIP should also follow the minimum requirements of the Bank Security Act (BSA), including those for customer identification and verification.
Affected institutions need to collect identifying information from each customer during the registration process. This includes:
- date of birth;
- identification number.
Identification numbers can differ depending on whether or not the customer is a US person. For US persons, it usually means a tax identification number. In other cases, it could mean:
- passport number;
- alien identification card number;
- any other identification number extracted from a government-issued document from another country (it should contain a photograph and nationality).
The CIP verification process ensures that customers are who they claim to be. While verifying documents, affected institutions need to have a solid basis to conclude that the provided documents and data are authentic.
Verification can take place by using:
- documentary methods;
- non-documentary methods.
When affected institutions verify provided information, they need to request government-issued documents that include the nationality of the customer and their photograph (e.g., passport). If an affected institution decides that a different type of document can satisfy the verification process, they may substitute it. To lower the risk of registering criminals with forged documents, affected institutions should request several documents, such as a passport and driver’s license.
In cases when customers are unable to provide the requested documents (or when the provided documents can’t be obtained by the business), a non-documentary method can be used. In such situations, businesses can contact the customer, compare the provided data to public databases or request financial statements from the customer.
If a business can’t verify a user’s identity, it should refuse to open the account.
Affected institutions need to keep records of their customers for at least five years after account closure. This includes all of the information collected during the identification process. Additionally, they should keep descriptions of the following documents:
- documents used during the verification process, especially the identification number, date and place of issuance;
- methods and results used during the non-documentary verification process;
- substantive discrepancies of the verification process and their results.
Businesses can also keep copies of verification documents.
Businesses should cross-compare all their customers against government lists of terrorists, terrorist organizations, etc. These lists are issued by US federal agencies and then designated by the US Treasury. Such comparisons should occur within a reasonable amount of time after account opening.
Besides comparing customers against terrorist lists, it’s also important to screen them against designation lists, such as the Office of Assets Control (OFAC) sanctions list, which is required by the BSA as well.
Before opening a new account, banks have to notify their customers that their information will be collected for purposes of preventing illegal activity. There are different ways of informing customers about this. For example, a bank can post a disclaimer on their website, or a bank employee can orally state this before opening the account. This step is necessary to ensure that customers are aware that their personal information is being collected.