In the United States, financial institutions (and some other businesses) have to implement both KYC and CIP for regulatory compliance and fraud prevention. In everyday conversations, these two processes are often discussed as if both terms mean the same thing. In actuality, they are two distinct (though closely related) concepts.
Let's take a closer look at KYC, CIP, how they differ, and what each means for US businesses in the context of regulatory compliance and fraud prevention.
What is KYC?
KYC stands for Know Your Customer. It refers to a collection of processes that financial institutions must use to understand who their customers are and what they're doing. Typically, there are three key components to a KYC program:
- Customer Identification Program (CIP). We'll discuss CIP processes in more detail shortly, but on a high level CIP is about establishing your customer's identity, typically at the point of account opening.
- Customer Due Diligence (CDD). Once the customer's identity is established through CIP, CDD processes assess the extent to which the customer represents a risk. In cases where a customer's profile suggests risk, Enhanced Due Diligence (EDD) processes may be used to more thoroughly assess the customer's risk profile.
- Ongoing Monitoring. Businesses must monitor customer activity throughout the life of the account to watch for things like different activity patterns leading to a different risk profile.
In short, KYC refers to a series of specific processes designed to help businesses understand who their customers are and then assess and monitor them for risk, criminal wrongdoing, and more.
Financial institutions in the US are required to implement KYC programs as a result of the Bank Secrecy Act, as well as various other anti-money laundering (AML) regulations.
What is CIP?
As just discussed, CIP stands for Customer Identification Program and refers to one specific element of the KYC process: verifying the customer's identity at the point of account opening.
To do this, financial institutions must collect information about the customer, including at least the customer's:
- Full legal name
- Date of birth
- Physical address
- Government-issued ID number (such as SSN, ITIN, or passport number)
Once this information has been collected, there are two primary ways of verifying a customer's identity in the CIP process: documentary and non-documentary methods.
Documentary methods involve asking the customer to upload an image of their government-issued ID, which is then assessed for legitimacy by software systems, human reviewers, or both. In high-risk cases, it may also involve "liveness checks" that require the applicant to appear on video with their documentation. This approach can be effective, but it introduces a lot of friction into the application process for genuine customers, as they have to photograph and upload their IDs.
(The rise of generative AI may also make documentary ID verification more vulnerable to fraud; more on that later in this article.)
Non-documentary methods involve simply asking the customer for their information and then checking that information against authoritative sources to assess its validity, and/or verifying it with the customer themselves via an established channel (such as MFA/OTP-based verification). An effective CIP product checks customer information against records from credit bureaus, telecom companies, public records, and utilities. Non-documentary checks may also assess information against government databases. For example, financial institutions can leverage eCBSV to check whether a given name, date of birth, and SSN match what the Social Security Administration has on file.
Non-documentary methods of CIP provide less friction for customers (who simply have to provide their information on a form), but their effectiveness hinges on both the specifics of the CIP tool being used and the data collected by the FI. In general, collecting more data will make it easier for CIP tools to accurately verify identities, but collecting more data also adds friction to the onboarding process as it requires customers to fill out longer forms.
KYC vs. CIP at a Glance
In short, CIP is one element of KYC. Here's a quick summary of how the two terms differ:
| |
KYC (Know Your Customer)
|
CIP (Customer Identification Program)
|
|
Scope
|
Comprehensive process that extends across the entire relationship an FI has with a customer.
|
Focused process that confirms the customer's identity at account opening.
|
|
Goal
|
Prevent fraud, money-laundering, and other illegal activities.
|
Confirm the identity of a person applying at an FI.
|
|
Regulatory basis
|
BSA (and other AML regulations)
|
USA Patriot Act, BSA (and other AML regulations)
|
|
Elements
|
CIP, CDD (and sometimes EDD), continuous monitoring
|
Documentary identity verification, non-documentary identity verification
|
Implementing CIP and KYC
Financial institutions are required to implement KYC and CIP by the Bank Secrecy Act, the USA Patriot Act, as well as other anti-fraud and anti-money-laundering (AML) regulations and directives. But the necessity for doing KYC and CIP well goes far beyond the simple need to comply with regulations (and the threat of fines for non-compliance). There is also a strong business case to be made for building robust and effective CIP and KYC programs.
Ultimately, these programs can help financial institutions profit in several ways:
- Reducing fraud losses by accurately identifying fraudsters, bad actors, and high-risk customers (ideally during CIP, before they've managed to open an account and potentially engage in illicit activities on the FI's platform).
- Increasing signups by accurately identifying low-risk customers who can be fast-tracked, reducing friction (and by extension increasing revenue) without similarly increasing fraud losses.
- Eliminating the risk of government penalties and the other downsides associated with providing sanctioned individuals or organizations and other bad actors access to US financial systems.
Of course, accomplishing both of these things accurately is easier said than done! FIs should carefully assess KYC and CIP tools against their own historical data to better understand the business case – some tools may be much more effective than others.
Separately, there's also the question of technical implementation. The details of this will vary quite a bit based on the FI in question and the tools they choose, but in general FIs should look towards KYC and CIP tools that can help in continuously evaluating risk levels and adjust thresholds to allow for better end-user experiences. Ideally, these tools can assess large amounts of data quickly and return results – such as an identity match – in near-real-time via API.
Fraud, GenAI, and the future of KYC
Any discussion of KYC and CIP in 2025 has to account for the reality that generative AI and other advanced AI tools are shifting the landscape when it comes to fraud and identity verification. Our CEO and founder Naftali Harris wrote about this topic last year, and the full piece is worth reading, but in short, we believe it has significant implications particularly for documentary verification methods in CIP.
While forgery and fake IDs have always been a potential attack vector for fraudsters looking to exploit documentary CIP systems, generative AI has made these fakes more sophisticated, and much faster and cheaper to create. We've already seen fraudsters experimenting with deepfake AI to exploit documentary and liveness checks, and these efforts will only ramp up in terms of both sophistication and scale. Whether FIs will be able to leverage AI to combat them remains an open question.
In the meantime, though, FIs can AI-proof some of their KYC and CIP systems by focusing on assessments that leverage historical data (such as past usage of emails, phone numbers, addresses, etc.) and authoritative data (such as using eCBSV to access SSA's database), which generative AI cannot fake.
