Glossary

Customer Identification Program (CIP)

The Fourthline Team · Jun 6, 2025

What is a Customer Identification Program (CIP)? 

A Customer Identification Program (CIP) is a mandatory identity verification process used by financial institutions to confirm a customer's identity and assess their risk. Such a program is typically required under Know Your Customer (KYC) and anti-money laundering (AML) regulations. The CIP involves collecting personal information and government-issued IDs and verifying data against watchlists and databases. 

While the CIP establishes the minimum criteria for onboarding new customers, financial institutions have a certain degree of freedom to customise their programs. Furthermore, the CIP is only one of the key components in an organisation’s comprehensive KYC program, which also includes Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), and ongoing transaction monitoring.

What is the purpose of a Customer Identification Program? 

The purpose of a Customer Identification Program is to verify customers’ identity and assess their risk before allowing them to open an account or engage in financial transactions. By collecting and verifying personal information in advance via a CIP, an institution can ensure that only legitimate customers gain access to its financial services. 

The CIP usually serves as the first line of defence against identity theft and financial crimes such as money laundering, tax evasion, and terrorist financing. It helps financial institutions ensure regulatory compliance by meeting requirements set by laws such as the USA PATRIOT Act, the Bank Secrecy Act (BSA), and the EU Anti-Money Laundering Directives (AMLDs). 

What are the elements of a Customer Identification Program? 

The specific mandatory requirements of a CIP can vary based on the jurisdiction and its governing laws.  

With that said, a CIP should start by introducing an internal set of guidelines defining when and to whom the identity verification procedures should apply. It should also clarify how to proceed in cases where verification is lacking, and how to notify the customer about the status of their identity verification. 

Once the foundation is set, the compliance team within the bank or financial institution can start applying the CIP.  

The program usually comprises the following core elements: 

Identity verification methods 

Regulators mandate the use of two primary forms of verification: documentary and non-documentary. 

Documentary verification involves reviewing information from official, government-issued passports, driver’s licenses, or national ID cards. These documents provide proof of identity and residence, ensuring the individual customer or business client is who they claim to be. Financial institutions may also require additional supporting documents, such as utility bills or business registration certificates for corporate clients. 

Non-documentary verification can come in the form of direct customer contact, financial data checks, or cross-referencing information against public and private records or databases (sanctions lists, politically exposed persons databases, etc.). 

Risk assessment procedures 

Based on the collected and verified information, financial institutions assess factors such as customer type, country of residence, and behaviour to determine whether a customer poses a low, medium, or high financial crime risk. 

High-risk individuals or entities, such as politically exposed persons (PEPs), customers from high-risk jurisdictions, or those with complex business structures, require Enhanced Due Diligence (EDD), which includes more in-depth identity verification, source of funds analysis, and continuous monitoring. 

Based on the results of the risk-based assessments, financial institutions can determine whether to establish a business relationship with a prospective customer.  

Automated tools like AI-driven risk scoring and identity verification software can help streamline the process. 

Record keeping and documentation standards 

Financial institutions obliged to have a CIP should maintain accurate and detailed records of customer identity verification and risk assessment procedures. The record-keeping requirements relate to: 

  • Information obtained directly from the individual: Name, date of birth for an individual, address, and identification number 

  • Data or documents used to verify their identity: Passports, IDs, utility bills, etc. 

  • Results from background and non-document checks: CDD reports and risk scoring assessments, transaction monitoring logs, and Suspicious Activity Reports (SARs) 

Depending on the jurisdictional requirements, all records should be kept for a specified duration, typically for as long as the individual or business remains a customer of the financial institution, plus an added period (e.g., five to ten years) after account closure. After that, entities are obliged to destroy their records. 

Organisations might also be required to keep copies of documentation as a reference for regulatory audits or to assist investigations in possible fraud cases. Some jurisdictions allow records to be kept by third parties. Regardless of where they’re stored, all records should be made available to regulators upon request.

Challenges when implementing a CIP  

Implementing a Customer Identification Program comes with several challenges, including: 

  • Ensuring data integrity and fraud prevention. Financial criminals are adopting innovative technologies to generate fake identities and forge documents, which can complicate the identity verification process.  

  • Performing deep and thorough identity verification and risk assessment. The procedures should balance documentary and non-documentary verification based on customer-provided information and third-party data (screening of sanctions lists, PEP databases, and adverse media) to produce comprehensive risk assessments. 

  • Maintaining regulatory compliance across jurisdictions. Failure can result in hefty fines, legal penalties, and reputational damage. Organisations should also stay abreast of regulatory updates and collaborate proactively with oversight authorities and financial intelligence units (FIUs) to improve their defences against financial criminals.  

  • Balancing compliance and user experience. Financial institutions should ensure accurate identity verification to mitigate financial crime risk and ensure regulatory compliance without slowing the onboarding process and deterring customers. 

  • Ensuring the safe storage and responsible management of customer data. Organisations should store collected information securely and in compliance with data privacy regulations such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). 

Customer Identification Program FAQs 

What’s the difference between CIP and KYC (Know Your Customer) requirements? 

The CIP, which focuses only on verifying a customer’s identity during account opening, is one of the components of the broader KYC framework. The KYC procedure also includes processes such as Customer Due Diligence (CDD), Enhanced Due Diligence (EDD), and ongoing transaction monitoring. 

What’s the difference between CIP and CDD requirements?  

CIP is the part of Customer Due Diligence that focuses on verifying a customer’s identity during account opening by collecting basic information such as name, date of birth, address, and government-issued ID. CDD goes beyond identity verification to include additional procedures such as ongoing monitoring, source of funds analysis, and EDD for high-risk customers.

What customer information must financial institutions collect under CIP regulations? 

Under CIP regulations, financial institutions must collect four key pieces of customer information: full name, date of birth, address, and government-issued identification number (e.g., Social Security Number, ID, or passport number). Based on jurisdiction-specific requirements, institutions may request additional documents (e.g., utility bills) or non-documentary verification (e.g., direct customer contact) to confirm the customer’s identity. 

How do CIP requirements apply to different types of customers (individuals, businesses, trusts, etc.)? 

CIP requirements vary by customer type. For individuals, financial institutions must collect the full name, date of birth, address, and government-issued ID number. For corporate clients, they might need to verify the business registration certificates, the entity’s legal name and address, and ownership structure. For trusts, regulators might require obtaining information about individuals with control over the trust, data from trust agreements, and details on beneficiaries.