CIP Requirements: What Financial Institutions Need to Know

Banks and financial institutions in the United States are required to implement a “Customer Identification Program” (CIP) to remain in compliance with the Bank Secrecy Act (BSA) and Anti-Money Laundering (AML) regulations. Often this is part of a broader KYC program, but CIP is distinct from KYC and comes with its own specific requirements. 

So what does it take to build a CIP? While some implementation details are left up to individual FIs, there are specific requirements that every FI’s CIP must conform to. In this article, we'll summarize the key requirements for FIs implementing a CIP, and then look at some best practices for building a best-in-class CIP.

(Disclaimer: this blog post is not legal advice, and is intended only to provide an overview of the major elements of CIP requirements).

Customer Identification Program (CIP) requirements

1. Your CIP must be a written, board-approved policy.

Banks, and in some cases their subsidiaries, must have a formal, written CIP policy that is "appropriate for its size and type of business" and that has been approved by the bank's board of directors. This policy must be incorporated into the bank's BSA/AML compliance program, and it must meet all of the other CIP requirements on this list.

2. Your CIP must have a procedure for customer identity verification 

A CIP must verify the identity of any customer opening an account "to the extent reasonable and practicable". Specifically, the CIP must allow the bank to "form a reasonable belief" that it knows the true identity of the customer–i.e., that the customer is who they say they are. This identity verification must also take into account an assessment of relevant risks, which will vary based on factors such as the type of account being opened, the type of identity information available, etc.

"Opening an account" here refers to establishing a formal banking relationship of some kind, so it doesn't apply to one-time procedures such as check-cashing, wire transfers, or the sale of a money order. 

CIP is specific to the customer onboarding process, so banks do not need to apply CIP procedures for existing accounts, accounts the bank has taken control of as part of an acquisition, or retirement accounts opened as part of an employee benefit plan. They also do not need to verify the identity of non-customers who aren't opening accounts, such as when a loan application is denied by a FI prior to conducting CIP procedures.

3. You must collect specific customer information

Although it's often a good idea to collect more than just this, banks are required to collect the following for each customer as part of their CIP:

• Full name
• Date of birth
• Address
• Government identification number

For US persons, the government identification number must be a TIN (typically an SSN, but ITINs are also acceptable), but for non-US persons it may also be evidence of application for a TIN, a passport number, an alien identification card number, or in some cases another government-issued identification that includes a number, country of citizenship, and a photo. Business applicants that do not have a TIN must provide some form of government-issued documentation certifying the existence of the business. 

(Note that some CIP solutions on the market do not support ITINs. SentiLink's CIP Match solution does.)

4. You must verify the information the customer provides

Your CIP must include procedures for verifying the identity information collected from the customer. While not required to verify every piece of information, the bank must verify enough to meet the "reasonable belief" standard that the customer is who they claim to be.

This can be accomplished through documentary verification, which refers to assessment of documents provided by the customer, such as a government-issued identification card. Or it can be accomplished via non-documentary verification, which might include a variety of methods such as contacting the customer, checking references with other financial institutions, or independently verifying the information the customer provided by comparing it against a verified source of information (e.g. consumer reporting agency records, public databases, etc.).

(Additional verification steps may also be required in some cases, such as when an account is opened by a customer that is not an individual.)

5. You must have procedures when a customer cannot be verified

Your CIP must include the ways in which the bank will respond when it cannot form a "reasonable belief" that it knows the customer's identity. These procedures should define when the bank should not open the account, when it should temporarily open the account while further verification takes place, when it should close an account when verification attempts fail, and when the bank should file a suspicious activity report (SAR) in accordance with the Bank Secrecy Act and other applicable law. 

6. You must keep records

Your CIP must include measures for making and keeping records of the information used to verify a customer's identity for at least five years after the account is closed (or becomes dormant in the case of credit card accounts). At a minimum, this means keeping the four required pieces of information described in #3.

Banks also must keep descriptions of any document that was used to verify an identity, the methods and results of measures employed to verify an identity, and how any discrepancies discovered were resolved.

Banks may also keep copies of the identifying documents themselves, but this is not required as part of a CIP (and banks that do choose to keep copies of these documents must ensure they remain in compliance with other regulations governing their storage and use).

7. You must check identities against government lists

Your CIP procedures must include checking applicant identities against relevant government lists such as OFAC’s lists of suspected or known terrorists or terrorist organizations. These checks must occur within "a reasonable period of time" after account opening or earlier, and banks must also comply with any regulations and directives associated with those lists.

8. You must give customers adequate notice

Your CIP procedures must include notifying customers that you are requesting information to verify their identity. Depending on the account being opened, this might look like a posted notice in the lobby of a physical bank location, a printed notice provided with application documents, or a notice on the bank's website.

CIP regulations also provide an example of appropriate language for such a notice:

Important Information About Procedures for Opening a New Account 

To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. 

What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you.  We may also ask to see your driver’s license or other identifying documents. 

Best practices for building an effective CIP

For most FIs, the critical metric by which a Customer Identification Program is judged is how many applicants can be positively identified automatically. The FI, after all, cannot transact with customers it cannot identify (per the terms of the CIP requirements outlined above), and every unidentified customer represents potential revenue lost. But putting too many applications into the "maybe" pile has costs, too — manual reviews and step-up verification treatments increase churn and operational expenses, reducing the overall profit associated with each signup.

SentiLink works with 400+ partners across the US, many of them FIs, and in working with them to build our CIP Match & Watchlists product we've learned a lot about the best way to balance these factors. In fact, we learned so much that we wrote an entire white paper about it. But we'll share two of the most impactful lessons here:

First, score applications for CIP and fraud risk at the same time. Many FIs put fraud detection after CIP in their funnel, but this risks wasting money on manual reviews and step-ups to confirm an identity for CIP, only to learn later in the funnel that the application represents a very high risk of fraud and should be rejected on those grounds. Scoring for both CIP and fraud at the same time allows FIs to avoid the operational expenses associated with CIP manual reviews and step-up treatments for these applications. 

Here's a sample diagram that outlines one way to structure this part of your sign-up flow, integrating fraud and CIP scoring at the same point:

Second, consider stacking CIP vendors. While some CIP will likely offer you better performance than others, in data studies with our partners we've found that stacking vendors almost always leads to the best overall ROI. 

For example, in all of SentiLink's data studies over the past 12 months (as of this writing), switching to SentiLink CIP Match and Watchlists alone provided an average approval lift of +8.5% over the FI's incumbent CIP solution. But using SentiLink combined with the FI's incumbent solution provided an even greater lift: an average +13.3% increase in approvals, with every FI tested seeing an increase of at least +4% and several FIs seeing increases of more than +10%. And of course, this increase in automatic CIP approvals comes with a corresponding decrease in the operational expenses associated with manual reviews and step-up treatment costs. 

To learn more about how this works — and some of the critical factors to consider when building a CIP solution or evaluating CIP vendors — check out our white paper. 

Other frequently-asked questions about CIP

Are there any exemptions from these CIP rules?

Generally speaking, no. Exemptions do happen (for example, federal regulators have exempted a specific type of loan, insurance premium finance loans, from CIP regulations, and federal regulators may choose to exempt specific banks or account types from these requirements), but they are relatively rare.

Can banks transact via third parties without violating CIP regulations?

Yes, banks can still transact via third parties – for example, a car dealer may act as a bank's agent when offering a loan to a customer. However, the bank remains the party responsible for applying its CIP procedures in compliance with the regulations.

How can you improve your company's customer identification program?

SentiLink uses comprehensive data sources and flexible configuration to help your CIP verify more customer identities. If you’re interested, you can learn more about how we help institutions meet these requirements.