What is a Customer Identification Program (CIP)?

Customer Identification Programs (CIP) and Know Your Customer (KYC) are two important procedures that businesses need to understand to comply with regulations and prevent illegal activity. Sumsub prepared this article to explain CIP and how it differs from KYC.

What is a Customer Identification Program (CIP)?

Customer Identification Programs (CIP) are required of certain business in the US. The purpose of a CIP is to verify customers during onboarding and transactions. CIPs went  into effect as part of the USA PATRIOT Act in 2003 to confront money laundering and terrorism financing.

CIP has to be implemented by all banks, credit unions, saving and loan associations (S&Ls) operating in the US as part of  their BSA/AML compliance program. 

If institutions fail to comply with CIP requirements, they may be subject to severe federal penalties. Violations of Bank Security Act (BSA) regulations, which include CIP compliance, may lead to a fine of $250,000 or five years imprisonment. It should be noted that such penalties may apply only when the obliged entity maliciously violates the law.

What is the difference between CIP and KYC?

KYC involves establishing a customers’ identity and the business activities they engage in.  By contrast, CIP involves verifying the information provided by the customer. 

In essence, KYC is an umbrella term for identifying and verifying clients, used in local European AML guidelines even outside of an AML context. KYC may include all the elements of CIP, in addition to Customer Due Diligence (CDD) and different ongoing procedures.

Some may think that CIP works the same way as Know Your Customer (KYC). However, there’s a clear difference, since CIP is an obligatory part of the BSA/AML compliance program required by the BSA. CIP is for US-operating banks, credit unions, and savings associations while KYC is a set of practices employed by different businesses all over the world.

Who is subject to the CIP Rule?

The Customer Identity Program (CIP) is a critical component of the broader regulatory framework designed to combat financial crimes, such as money laundering and terrorist financing. As outlined by the USA PATRIOT Act, CIP rules apply to a wide range of financial institutions operating within the United States.

The entities primarily subject to CIP rules include, but are not limited to:

• Banks and credit unions: Both national and state-chartered institutions, including savings associations and trust companies, must comply with CIP regulations.
• Broker-dealers: Firms involved in the buying, selling, or trading of securities are required to implement CIPs to verify customer identities.
• Mutual funds: Companies that pool funds from investors to purchase a diversified portfolio of securities are also covered under CIP requirements.
• Futures Commission Merchants (FCMs) and Introducing Brokers (IBs): Such entities in the commodities trading sector must adhere to CIP regulations.
• Certain Non-Bank Financial Institutions: This includes money services businesses (MSBs), insurance companies, and other financial service providers engaged in activities that could be exploited for money laundering or terrorist financing.

CIP rules are not limited to specific institutions and extend to any entity opening a new account or establishing a new customer relationship. This includes the opening of deposit accounts, the establishment of credit facilities, or the issuance of credit cards. While CIP rules are broadly applicable, certain exceptions do exist. However, these exemptions are narrowly defined, and financial institutions must be diligent in determining whether an exemption is applicable.

Six-step Customer Identification Program (CIP)

CIP rules are intended to identify and verify information provided by clients.

Written CIP

Businesses must have a written CIP policy that is proportional to their size and nature. This should specify what exact identification information will be obtained from their customers (in addition to what’s required), minimum and the corresponding circumstances for such requests, as well as the verification procedures to be applied further.

The main goal here is to establish a ‘reasonable belief’ that information provided by clients is authentic. The written CIP should also follow the minimum requirements of the Bank Security Act (BSA), including those for customer identification and verification.

What information is required for customer identification under a CIP?

Affected institutions need to collect identifying information from each customer during the registration process. This includes:

• Name
• Date of birth
• Address
• Identification number

Identification numbers can differ depending on whether the customer is a US person. For US persons, it usually means tax identification number. In other cases, it could mean:

• Passport number
• Alien identification card number
• Any other identification number extracted from a government-issued document from another country (it should contain a photograph and nationality).

CIP verification process

The CIP verification process ensures that customers are who they claim to be. When verifying documents for this purpose, affected institutions need to have a solid basis to conclude that the provided documents and data are authentic.

Verification can take place by using: 

• Documentary methods
• Non-documentary methods

When affected institutions verify provided information, they need to request government-issued documents that include the nationality of the customer and their photograph (e.g., passport). If an affected institution decides that a different type of document can satisfy the verification process, they may substitute it. To lower the risk of registering criminals with forged documents, affected institutions should request several documents, such as a passport and driver’s license.

In cases when customers are unable to provide the requested documents (or when the provided documents can’t be obtained by the business), a non-documentary method can be used. In such situations, businesses can contact the customer, compare the provided data to public databases, or request financial statements from the customer.

If a business can’t verify a user’s identity, it should refuse to open the account.

Recordkeeping

Affected institutions need to keep records of their customers for at least five years after account closure. This includes all of the information collected during the identification process. Additionally, they should keep descriptions of the following documents:

• Documents used during the verification process, especially the identification number, date, and place of issuance
• Methods and results used during the non-documentary verification process
• Substantive discrepancies of the verification process and their results

Businesses can also keep copies of verification documents.

Comparison with government lists

Businesses should cross-compare all their customers against government lists of terrorists, terrorist organizations, etc. These lists are issued by US federal agencies and designated by the US Treasury. Such comparisons should occur within a reasonable amount of time after account opening.

It’s also important to include to screen designations lists, such as Office of Assets Control (OFAC) sanctions list, which is required by the BSA.

Customer notice

Before opening a new account, banks have to notify customers that their information will be collected for purposes of preventing illegal activity. There are different ways of informing customers about this. For example, a bank can post a disclaimer on their website—or a bank employee can orally state this before opening the account. This step is necessary to ensure that customers are aware that their personal information is being collected.

How to successfully implement a CIP in your business

To effectively comply with Customer Identification Program (CIP) requirements, businesses must implement robust processes that ensure accurate identification and verification of their customers. By integrating the following practices into their systems, companies can meet regulatory standards and mitigate the risk of financial crimes:

• Automated identity verification: Integrate third-party identity verification services that can automatically validate customer information against government databases, watchlists, and other trusted sources.
• Multi-factor authentication (MFA): Require customers to provide multiple forms of identification (e.g., government-issued ID) before allowing them to create an account.
• Real-time document verification: Use AI-powered tools to verify the authenticity of documents such as passports, driver’s licenses, and other identification forms in real-time during the account registration process.
• Training and compliance audits: Regularly train staff on CIP procedures and conduct internal audits to ensure that the system is effectively verifying customer information according to regulatory requirements.

By integrating these practices, companies can effectively comply with CIP requirements, ensuring robust customer identification and reducing the risk of financial crimes.

FAQ

• What is a CIP in banking?

  Customer Identification Programs (CIP) are a US regulation requiring certain businesses to verify their customers during onboarding and transactions. CIP went into effect as part of the 2003 USA PATRIOT Act to confront money laundering and terrorism financing.

• What are the CIP requirements?

  The list of CIP requirements includes the following:

  • Collecting information and verifying identity

  • Implementing risk-based procedures

  • Screening the customer’s data against sanction lists and other watchlists

  • Recordkeeping

  • Introducing internal policies and procedures

  • Implementing ongoing compliance and monitoring

• How is CIP different from CDD?

  CIP verifies a customer’s identity during account opening, ensuring the bank knows who they are. CDD digs deeper, assessing the customer’s risk profile by understanding their business, sources of funds, and transaction patterns to prevent illicit activity.