Banks and financial institutions in the United States are required to implement a “Customer Identification Program” (CIP) to remain in compliance with the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations.
But what does that actually mean? While some implementation details are left up to individual FIs, there are specific requirements that every FI’s CIP must conform to. In this article, we'll summarize the key requirements for FIs implementing a CIP.
(Disclaimer: this blog post is not legal advice, and is intended only to provide an overview of the major elements of CIP requirements).
Customer Identification Program (CIP) requirements
1. Your CIP must be a written, board-approved policy.
Banks, and in some cases their subsidiaries, must have a formal, written CIP policy that is "appropriate for its size and type of business" and that has been approved by the bank's board of directors. This policy must be incorporated into the bank's BSA/AML compliance program, and it must meet all of the other CIP requirements on this list.
2. Your CIP must have a procedure for customer identity verification
A CIP must verify the identity of any customer opening an account "to the extent reasonable and practicable". Specifically, the CIP must allow the bank to "form a reasonable belief" that it knows the true identity of the customer–i.e., that the customer is who they say they are. This identity verification must also take into account an assessment of relevant risks, which will vary based on factors such as the type of account being opened, the type of identity information available, etc.
"Opening an account" here refers to establishing a formal banking relationship of some kind, so it doesn't apply to one-time procedures such as check-cashing, wire transfers, or the sale of a money order.
CIP is specific to the customer onboarding process, so banks do not need to apply CIP procedures for existing accounts, accounts the bank has taken control of as part of an acquisition, or retirement accounts opened as part of an employee benefit plan. They also do not need to verify the identity of non-customers who aren't opening accounts, such as when a loan application is denied by a FI prior to conducting CIP procedures.
3. You must collect specific customer information
Although it's often a good idea to collect more than just this, banks are required to collect the following for each customer as part of their CIP:
- Full name
- Date of birth
- Address
- Government identification number
For US persons, the government identification number must be a TIN (typically an SSN, but ITINs are also acceptable), but for non-US persons it may also be evidence of application for a TIN, a passport number, an alien identification card number, or in some cases another government-issued identification that includes a number, country of citizenship, and a photo. Business applicants that do not have a TIN must provide some form of government-issued documentation certifying the existence of the business.
(Note that some CIP solutions on the market do not support ITINs. SentiLink's CIP Match solution does.)
4. You must verify the information the customer provides
Your CIP must include procedures for verifying the identity information collected from the customer. While not required to verify every piece of information, the bank must verify enough to meet the "reasonable belief" standard that the customer is who they claim to be.
This can be accomplished through documentary verification, which refers to assessment of documents provided by the customer, such as a government-issued identification card. Or it can be accomplished via non-documentary verification, which might include a variety of methods such as contacting the customer, checking references with other financial institutions, or independently verifying the information the customer provided by comparing it against a verified source of information (e.g. consumer reporting agency records, public databases, etc.).
(Additional verification steps may also be required in some cases, such as when an account is opened by a customer that is not an individual.)
5. You must have procedures when a customer cannot be verified
Your CIP must include the ways in which the bank will respond when it cannot form a "reasonable belief" that it knows the customer's identity. These procedures should define when the bank should not open the account, when it should temporarily open the account while further verification takes place, when it should close an account when verification attempts fail, and when the bank should file a suspicious activity report (SAR) in accordance with the Bank Secrecy Act and other applicable law.
6. You must keep records
Your CIP must include measures for making and keeping records of the information used to verify a customer's identity for at least five years after the account is closed (or becomes dormant in the case of credit card accounts). At a minimum, this means keeping the four required pieces of information described in #3.
Banks also must keep descriptions of any document that was used to verify an identity, the methods and results of measures employed to verify an identity, and how any discrepancies discovered were resolved.
Banks may also keep copies of the identifying documents themselves, but this is not required as part of a CIP (and banks that do choose to keep copies of these documents must ensure they remain in compliance with other regulations governing their storage and use).
7. You must check identities against government lists
Your CIP procedures must include checking applicant identities against relevant government lists such as OFAC’s lists of suspected or known terrorists or terrorist organizations. These checks must occur within "a reasonable period of time" after account opening or earlier, and banks must also comply with any regulations and directives associated with those lists.
8. You must give customers adequate notice
Your CIP procedures must include notifying customers that you are requesting information to verify their identity. Depending on the account being opened, this might look like a posted notice in the lobby of a physical bank location, a printed notice provided with application documents, or a notice on the bank's website.
CIP regulations also provide an example of appropriate language for such a notice:
Important Information About Procedures for Opening a New Account
To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account.
What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.
Are there any exemptions from these CIP rules?
Generally speaking, no. Exemptions do happen (for example, federal regulators have exempted a specific type of loan, insurance premium finance loans, from CIP regulations, and federal regulators may choose to exempt specific banks or account types from these requirements), but they are relatively rare.
Can banks transact via third parties without violating CIP regulations?
Yes, banks can still transact via third parties – for example, a car dealer may act as a bank's agent when offering a loan to a customer. However, the bank remains the party responsible for applying its CIP procedures in compliance with the regulations.
How can you improve your company's customer identification program?
SentiLink uses comprehensive data sources and flexible configuration to help your CIP verify more customer identities. If you’re interested, you can learn more about how we help institutions meet these requirements.
