Around the globe, financial institutions such as banks, lenders, credit unions, insurers, and other businesses are required to have a clear picture of who they are doing business with.
This requirement — established by laws such as the Bank Secrecy Act and USA PATRIOT Act (in the United States) — is designed to help spot and prevent instances of money laundering, fraud, the financing of terrorism, and other financial crime. The procedures that businesses establish and follow to comply with these requirements are broadly known as Know Your Customer (KYC).
The customer identification program (CIP) is an important piece of KYC. Below, we take a closer look at what a customer identification program is and how it works. We also discuss the requirements all CIP programs must meet to comply with the law, and walk through the key steps involved in the customer identification procedure.
What is a customer identification program?
A customer identification program is a set of procedures that a business must establish and follow to verify the identity of its customers or users.
The goal of CIP programs is to ensure customers are who they say they are. Customer identification programs are an important means of identifying and deterring instances of money laundering, identity theft, fraud, and other financial crimes.
While we will discuss CIP requirements in greater detail below, all CIP programs must collect four critical pieces of information — the customer’s name, address, date of birth, and a government-issued identification number — and then verify that information with a mix of documentary and database verifications. Other identity verification methods can be layered on top of these basic processes as desired.
CIP vs KYC
While the terms customer identification program and Know Your Customer are sometimes used interchangeably, they’re not exactly the same.
To put it simply, your customer identification program is just one piece of your broader KYC strategy. Other crucial parts of your KYC program which do not fall under the CIP umbrella include customer due diligence (CDD) and continuous monitoring:
- Customer due diligence refers to specific processes designed to assess customer risk. In situations that involve less risk, a simplified due diligence process may be leveraged. On the other hand, situations that involve a greater degree of risk may require an enhanced due diligence (EDD) process.
- Continuous monitoring consists of the ongoing monitoring of individuals and their transactions to identify suspicious activity — which must be reported to FinCEN and any other relevant regulatory bodies.
Who is subject to the CIP rule?
Any business that’s considered a financial institution under the Bank Secrecy Act and related laws must establish a CIP program as a part of its broader KYC program.
This includes obvious financial institutions like banks, lenders, and brokers. But it also extends to less obvious businesses, such as insurance agencies, gambling services, payment companies, cryptocurrency exchanges, fintech companies, and many more.
It’s also worth noting that many businesses that are not required to implement a CIP program by law still choose to do so simply because it benefits their customers and business. Social media and online dating services, as just one example, may implement CIP programs to build trust and provide a safer, more secure platform for their users.
Customer identification program requirements
All customer identification programs must meet six general requirements outlined in the CIP Final Rule as established in the USA PATRIOT Act. These include:
- Establishing a documented CIP program
- Collecting four specific pieces of identifying information: the customer’s name, address, date of birth, and government-issued identification number
- Establishing identity verification procedures
- Meeting recordkeeping requirements established by the law
- Comparing the individual against official government lists
- Establishing a process for providing customers with notice that you are requesting information to verify their identity
That said, the CIP Final Rule does not establish any hard rules outside of these requirements. So long as you meet the requirements listed above, you have a lot of flexibility in customizing your CIP program.
Customer identification procedure
Below, we take a closer look at the requirements outlined in the CIP Final Rule and how they might translate into your customer identification program.
1. A documented program
If your business is subject to the CIP Rule, it isn’t enough to simply have a customer identification program. The program must also be clearly written and distributed to all employees who may play a role in the process.
This document must thoroughly outline your CIP processes from start to finish. Your goal is to create a document that is so complete that if you were to hand the document to a member of your CIP team, you would be confident that they could do their job with no additional instruction.
With this in mind, it’s important that your documentation goes beyond simply listing the steps involved. It should also provide information about risk factors that your team should be aware of — for example, when an individual is determined to be a politically exposed person (PEP) or when they are the subject of adverse media. It should also include instructions for steps to take in riskier cases, such as manual review processes, as these instances will naturally require additional scrutiny.
Additionally, your program should document your business’s privacy and security policies, including the proper way to collect, store, retrieve, and access customer information.
2. Collection of identifying information
Your CIP program must collect four key pieces of information for every new customer who wishes to do business with you:
- Name
- Address
- Date of birth
- Identification number (SSN, TIN, passport number, etc.)
While these are the only four pieces of information you’re specifically required to collect by law, they are by no means the only information you can collect. Depending on the unique needs and risk factors of your business, you may decide to collect and verify additional information beyond this minimum.
Phone numbers and email addresses are, for example, commonly collected because they serve a role in customer communications. But they can also be leveraged as a part of your CIP processes, allowing you to perform phone verification, phone carrier verification, or email risk assessments (amongst other methods).
3. Identity verification procedures
The CIP rule requires that you verify the identity of all new customers, but it does not specify how you need to verify them.
According to FinCEN, “[a business] need not establish the accuracy of every element of identifying information obtained, but must do so for enough information to form a reasonable belief it knows the true identity of the customer.”
That being said, identity verification can take many different forms, including:
- Documentary verification requires the customer to upload a photo of official documents, which is then used to verify the information previously provided by the individual. The most common required documents include driver’s licenses, mobile driver’s licenses (mDLs), passports, and other government-issued photo IDs. However, other examples include birth certificates, Social Security cards, military cards, permanent resident cards, etc. When verifying a business entity instead of an individual, acceptable documents typically include business licenses, partnership agreements, and articles of incorporation.
- Database verification checks user-supplied information against the information stored in trusted databases. This can include issuing databases, such as AAMVA (for DMV records) and TIN (for IRS records). It can also include other authoritative databases such as those managed by credit bureaus, phone carriers, and financial institutions.
- Biometric verification leverages a person’s physical traits — such as facial scans, fingerprint scans, and retina scans — to verify their identity and protect against spoofing. These data points are analyzed by sophisticated algorithms and matched against official records. Selfie identification is an example of biometric verification.
4. Recordkeeping
In addition to collecting customer information, you must retain said information for as long as the individual has an account with your business, plus five years from the date that the account closes or becomes dormant. This includes all information collected directly from the individual, as well as any data or documents used to verify their identity.
5. Screening against government lists
The CIP rule also requires you to screen customers against a number of official government lists.
The goal is to ensure that you are not doing business with anyone who has been sanctioned or who is a suspected or known terrorist. Additionally, you are required to screen for politically exposed persons (PEP) and adverse media, both of which typically indicate a higher degree of risk and, therefore, call for a higher degree of scrutiny during your KYC process. Importantly, these screenings shouldn’t just be completed during account opening, but also in a continuous manner.
Social media screenings, address lookups, and email/phone risk screenings can also be leveraged, but are not specifically required as a part of your CIP process.
6. Customer notice
Finally, you are required to provide your customers with adequate notice about the fact that you are requesting information, documentation, and other materials (as necessary) to verify their identities.
You may be able to leverage this step to build trust by telling customers why you’re collecting this data. If they know what it’s being used for, they may be more willing to submit the required information.
CIP and your business
If your business operates in the financial industry, having a robust and thorough customer identification program that meets the requirements of the CIP Rule is a necessity. But even if your business isn’t required to perform customer identity verification, doing so can bring a number of benefits, including increased trust in your platform or community.
Here at Persona, we understand the critical role that CIP plays in your business. Our Verifications and Reports solutions allow you to design the customer identification program that is right for your business — whether that means strictly following the requirements of the CIP rule or including additional checks that go above and beyond what is required.