

What is a Customer Identification Program (CIP)?

Learn what a CIP is, how it works, and what requirements CIPs need to meet.

⚡ Key takeaways
  • A customer identification program is a set of procedures that a business must establish and follow to verify the identity of its customers or users.
  • A CIP is just one piece of your broader KYC strategy. Other crucial parts of KYC include customer due diligence (CDD) and continuous monitoring.
  • Any business that’s considered a financial institution under the Bank Secrecy Act and related laws must establish a CIP.
  • As long as you meet the six main CIP requirements, you have a lot of flexibility in customizing your CIP program.

Around the globe, financial institutions such as banks, lenders, credit unions, insurers, and other businesses are required to have a clear picture of who they are doing business with. 

This requirement — established by laws such as the Bank Secrecy Act and USA PATRIOT Act (in the United States) — is designed to help spot and prevent instances of money laundering, fraud, the financing of terrorism, and other financial crime. The procedures that businesses establish and follow to comply with these requirements are broadly known as Know Your Customer (KYC).

The customer identification program (CIP) is an important piece of KYC. Below, we take a closer look at what a customer identification program is and how it works. We also discuss the requirements all CIP programs must meet to comply with the law, and walk through the key steps involved in the customer identification procedure. 

What is a customer identification program?

A customer identification program is a set of procedures that a business must establish and follow to verify the identity of its customers or users. 

The goal of CIP programs is to ensure customers are who they say they are. Customer identification programs are an important means of identifying and deterring instances of money laundering, identity theft, fraud, and other financial crimes. 

While we will discuss CIP requirements in greater detail below, all CIP programs must collect four critical pieces of information — the customer’s name, address, date of birth, and a government-issued identification number — and then verify that information with a mix of documentary and database verifications. Other identity verification methods can be layered on top of these basic processes as desired. 


While the terms customer identification program and Know Your Customer are sometimes used interchangeably, they’re not exactly the same. 

To put it simply, your customer identification program is just one piece of your broader KYC strategy. Other crucial parts of your KYC program which do not fall under the CIP umbrella include customer due diligence (CDD) and continuous monitoring:

  • Customer due diligence refers to specific processes designed to assess customer risk. In situations that involve less risk, a simplified due diligence process may be leveraged. On the other hand, situations that involve a greater degree of risk may require an enhanced due diligence (EDD) process.
  • Continuous monitoring consists of the ongoing monitoring of individuals and their transactions to identify suspicious activity — which must be reported to FinCEN and any other relevant regulatory bodies. 

Who is subject to the CIP rule?

Any business that’s considered a financial institution under the Bank Secrecy Act and related laws must establish a CIP program as a part of its broader KYC program. 

This includes obvious financial institutions like banks, lenders, and brokers. But it also extends to less obvious businesses, such as insurance agencies, gambling services, payment companies, cryptocurrency exchanges, fintech companies, and many more. 

It’s also worth noting that many businesses that are not required to implement a CIP program by law still choose to do so simply because it benefits their customers and business. Social media and online dating services, as just one example, may implement CIP programs to build trust and provide a safer, more secure platform for their users.  


Customer identification program requirements 

All customer identification programs must meet six general requirements outlined in the CIP Final Rule as established in the USA PATRIOT Act. These include:

  1. Establishing a documented CIP program
  2. Collecting four specific pieces of identifying information: the customer’s name, address, date of birth, and government-issued identification number
  3. Establishing identity verification procedures
  4. Meeting recordkeeping requirements established by the law
  5. Comparing the individual against official government lists
  6. Establishing a process for providing customers with notice that you are requesting information to verify their identity

That said, the CIP Final Rule does not establish any hard rules outside of these requirements. So long as you meet the requirements listed above, you have a lot of flexibility in customizing your CIP program.

Customer identification procedure

Below, we take a closer look at the requirements outlined in the CIP Final Rule and how they might translate into your customer identification program. 

1. A documented program

If your business is subject to the CIP Rule, it isn’t enough to simply have a customer identification program. The program must also be clearly written and distributed to all employees who may play a role in the process.

This document must thoroughly outline your CIP processes from start to finish. Your goal is to create a document that is so complete that if you were to hand the document to a member of your CIP team, you would be confident that they could do their job with no additional instruction. 

With this in mind, it’s important that your documentation goes beyond simply listing the steps involved. It should also provide information about risk factors that your team should be aware of — for example, when an individual is determined to be a politically exposed person (PEP) or when they are the subject of adverse media. It should also include instructions for steps to take in riskier cases, such as manual review processes, as these instances will naturally require additional scrutiny.

Additionally, your program should document your business’s privacy and security policies, including the proper way to collect, store, retrieve, and access customer information. 

2. Collection of identifying information

Your CIP program must collect four key pieces of information for every new customer who wishes to do business with you:

  • Name
  • Date of birth
  • Address
  • Identification number (SSN, TIN, passport number, etc.) 

While these are the only four pieces of information you’re specifically required to collect by law, they are by no means the only information you can collect. Depending on the unique needs and risk factors of your business, you may decide to collect and verify additional information beyond this minimum. 

Phone numbers and email addresses are, for example, commonly collected because they serve a role in customer communications. But they can also be leveraged as a part of your CIP processes, allowing you to perform phone verification, phone carrier verification, or email risk assessments (amongst other methods).

3. Identity verification procedures

The CIP rule requires that you verify the identity of all new customers, but it does not specify how you need to verify them. 

According to FinCEN, “[a business] need not establish the accuracy of every element of identifying information obtained, but must do so for enough information to form a reasonable belief it knows the true identity of the customer.”

That being said, identity verification can take many different forms, including:

  • Documentary verification requires the customer to upload a photo of official documents, which is then used to verify the information previously provided by the individual. The most common required documents include driver’s licenses, mobile driver’s licenses (mDLs), passports, and other government-issued photo IDs. However, other examples include birth certificates, Social Security cards, military cards, permanent resident cards, etc. When verifying a business entity instead of an individual, acceptable documents typically include business licenses, partnership agreements, and articles of incorporation. 
  • Database verification checks user-supplied information against the information stored in trusted databases. This can include issuing databases, such as AAMVA (for DMV records) and TIN (for IRS records). It can also include other authoritative databases such as those managed by credit bureaus, phone carriers, and financial institutions. 
  • Biometric verification leverages a person’s physical traits — such as facial scans, fingerprint scans, and retina scans — to verify their identity and protect against spoofing. These data points are analyzed by sophisticated algorithms and matched against official records. Selfie identification is an example of biometric verification. 

4. Recordkeeping

In addition to collecting customer information, you must retain said information for as long as the individual has an account with your business, plus five years from the date that the account closes or becomes dormant. This includes all information collected directly from the individual, as well as any data or documents used to verify their identity.

5. Screening against government lists

The CIP rule also requires you to screen customers against a number of official government lists. 

The goal is to ensure that you are not doing business with anyone who has been sanctioned or who is a suspected or known terrorist. Additionally, you are required to screen for politically exposed persons (PEPs) and adverse media, which typically indicate a higher degree of risk and, therefore, call for a higher degree of scrutiny during your KYC process. Importantly, these screenings shouldn’t just be completed during account opening, but also in a continuous manner.

Social media screenings, address lookups, and email/phone risk screenings can also be leveraged, but are not specifically required as a part of your CIP process. 

6. Customer notice

Finally, you are required to provide your customers with adequate notice about the fact that you are requesting information, documentation, and other materials (as necessary) to verify their identities. 

You may be able to leverage this step to build trust by telling customers why you’re collecting this data. If they know what it’s being used for, they may be more willing to submit the required information.

CIP and your business

If your business operates in the financial industry, having a robust and thorough customer identification program that meets the requirements of the CIP Rule is a necessity. But even if your business isn’t required to perform customer identity verification, doing so can bring a number of benefits, including increased trust in your platform or community. 

Here at Persona, we understand the critical role that CIP plays in your business. Our Verifications and Reports solutions allow you to design the customer identification program that is right for your business — whether that means strictly following the requirements of the CIP rule or including additional checks that go above and beyond what is required. 

Interested in learning more? Start for free or get a demo today.

Frequently asked questions

What does CIP mean in banking?

A customer identification program, or CIP, encompasses all the processes banks and other financial institutions must complete in order to verify the identity of their customers. 

What is the difference between CDD and CIP?

A customer identification program (CIP) is primarily concerned with verifying the identity of new and existing customers. Customer due diligence (CDD), on the other hand, refers to processes that businesses put in place to assess customer risk. CIP and CDD are related to one another and share some overlap; both are a part of a business’s broader Know Your Customer (KYC) program.

What is CIP due diligence?

CIP due diligence simply means that a business has established a reasonable belief that it knows the true identity of a customer. This belief is typically established via multiple identity verification techniques, such as documentary verification, database verification, and biometric verification.

How does CIP apply to businesses?

Any business deemed to be a financial institution under the Bank Secrecy Act is required to comply with the CIP Rule. This includes, but is not limited to:

  • Banks
  • Credit unions
  • Thrift institutions 
  • Broker-dealers
  • Investment management companies
  • Currency exchanges
  • Insurance companies
  • Pawnbrokers
  • Dealers of precious metals and gems
  • Travel agencies
  • Automobile dealerships
  • Real estate companies
  • Casinos and gaming establishments

It is important to note that many businesses that are not strictly required to perform customer identity verification still choose to do so for other reasons. Social media and online dating companies, for example, often choose to perform CIP to protect their users and platform from abuse. Likewise, online learning companies, ecommerce platforms, and digital health providers leverage CIP to build trust in their systems.
