Table of Contents
I. In a Nutshell: What is the Customer Identification Program?
II. Why does the Customer Identification Program exist?
III. The Details: Customer Identification Program Requirements & Compliance
IV: How does the Customer Identification Program affect your business?
V: Customer Identification Program Information Resources
The Customer Identification Program, or CIP for short, requires that financial institutions, such as banks, take the appropriate steps to have the reasonable belief that all customers who enter into a formal banking relationship with them are who they say they are. The requirement went into effect on June 9, 2003, is implemented through Section 326 of the Patriot Act, and is a mandatory Bank Secrecy Act (BSA) compliance element. The CIP is also commonly referred to as the ‘know your customer’ program.
The Customer Identification Program was enacted as a mandatory component of the Bank Secrecy Act via an amendment implemented through the Patriot Act. Prior to June 9, 2003, the Bank Secrecy Act did not have a CIP component.
The Patriot Act amended the Bank Secrecy Act to include a requirement for financial institutions to essentially make sure that their customers are who they are say are, in order to prevent, detect, and prosecute international money laundering and the finance of terrorism. In other words, financial institutions are responsible for ensuring that financial transactions that they conduct do not directly, indirectly, or unknowingly stem from a risky customer.
The rationale is that by preventing customers who are deemed risks from conducting financial transactions, international money laundering and the finance of terrorism can be effectively prevented, at least through US financial institutions. After all, who would use their real identity, especially if their deal identity was already deemed suspicious, to facilitate transactions that can ultimately be tied to money laundering or the finance of terrorism? Chances are - in order to facilitate these types of transactions - criminals will use stolen or fake identities.
And in this modern age of regular, massive data breaches, stolen/fake identities are aplenty1, which makes CIP regulation compliance more important than ever.
Financial institutions need to comply with CIP regulations whenever a customer opens a new account: when a customer opens an account, the customer’s identity needs to be authenticated in such a way that the financial institution has a reasonable belief that customer’s identity is true and valid.
A financial institution is an entity, such as a bank, that provides financial services, such as opening a checking account.
A customer is one who opens a new account or opens a new account on behalf of another individual (who lacks the capacity to do so) or entity, and can be:
Customers are not:
Opening a new account is defined as the establishment of a formal banking relationship between a customer and a financial institution in which the financial institution provides or engages in services, dealings, or other financial transactions, including:
Opening an account does not include the following types of financial transactions:
Once it has been determined that a customer is opening a new account with a financial institution, there are six minimum requirements that need to be met in order for said financial institution to comply with CIP:
*To be clear, each financial institution has its own CIP; this CIP needs to follow the federal CIP regulations mandated within the BSA. The federal CIP regulations set a minimum standard for the six requirements that each financial institution needs to meet in order to be compliant. These minimum requirements help ensure that even smaller financial institutions can incorporate a CIP that is appropriate for its size and the types of transactions with which it deals, and to fully meet federal CIP regulations.*
The six requirements are explained in further detail below.
There are 2 major overarching requirements that need to be met by each financial institution’s CIP:
The goal of this program is to make sure that the financial institution can establish a ‘reasonable belief’ that each customer’s identity is true. In order to establish this ‘reasonable belief’, each CIP is required to include the following:
Each financial institution has to consider their own characteristics – their customer base and their product offerings – in order to product a list of risk-based procedures that is both reasonable and practical. These procedures need to consider:
The type of identification number needed depends on whether or not a customer is a “U.S. person” or a “non-U.S. person”.
The identification number needed for a U.S. person is the:
The identification number for a non-U.S. person needs to be one of the following:
Financial institutions need to have procedures in place on how to verify the identity information collected on each customer. Verification procedures should be done within a reasonable amount of time from the opening of the account.
The procedures should allow the financial institution to verify enough of the identity information that a reasonable belief can be formed about the true identity of a customer. In other words, customer identity verification procedures are not required to verify each and every piece of identity information collected – the only requirement is to check as much identity information as needed to establish the reasonable belief.
There are two methods on how identity information can be verified:
The procedures can use either documents, non-documentary methods, or a combination of both to verify identities.
• Documents Needed to Verify Individual Customers:
• Documents needed to Verify Entities, such as a corporation:
• Verifying Identity via Non-Documentary Methods:
• Non-documentary methods need to be able to address the following situations:
There are situations in which a customer’s identity will not be able to be verified. In such incidents, financial institutions need to have procedures in place in order to know how to respond. These procedures need to be established for the following situations:
A record of all information collected on a customer needs to be maintained and retained for at least five years after the closing of the account. The following is the information that is needed to be collected for the record:
The purpose of comparing customer identity data with government lists is to determine whether or not the customer is on a government list as a known or suspected terrorist or a member of a terrorist organization. These lists are procured and issued by the U.S. Treasury in conjunction with federal banking regulators. Once these lists are issued, financial institutions are required to use the lists as comparisons for customer identity information.
There needs to be adequate notice given to customers that opening an account means certain identity information will be collected and used to verify customer’s identities. The notice needs be reasonably designed such that customer have the opportunity to view/receive the notice before an account is opened. The following are examples of acceptable notice locations:
Unless your business is not one of the types of financial institutions listed below, CIP regulations do not apply to you. In other words, you are not required to have a Customer Identification Program and are not affected by CIP regulations.
The following types of financial institutions need to comply with CIP regulations:
Much of the CIP rules and regulations have been covered, but there are certain details that are too nuanced to sufficiently address here.
1 Read our blog post about modern-day data breaches to see just how problematic they are. Click here to read the post.
2 A Tax Identification Number can apply to both U.S. persons and non-U.S. persons. There are five different types of Tax Identification Numbers: the Social Security Number (SSN), the Employer Identification Number (EIN), the Individual Taxpayer Identification Number (ITIN), the Taxpayer Identification Number for Pending U.S. Adoptions (ATIN), and the Preparer Taxpayer Identification Number (PTIN). The EIN, ITIN, ATIN, and PTIN can be issued to non-U.S. persons.