Customer Identification Programs (CIPs) are a component of financial institutions’ Anti-Money Laundering (AML) efforts. The United Nations estimates that between $800 billion and $2 trillion USD is laundered globally in a single year, and regulations such as the USA PATRIOT Act require the use of CIPs to prevent financial crimes including money laundering and terrorist financing.

CIPs are the first line of defense for financial systems. They ensure that financial systems can verify customer identities, which minimizes the risk of illicit activities. These programs are part of broader customer due diligence (CDD) processes that include ongoing monitoring of customer transactions to detect and report suspicious activities.

Below, we’ll discuss the benefits of using CIPs, how to set up a CIP, and best practices for applying CIPs in your business.

What’s in this article?

• How do Customer Identification Programs work?
  
• Benefits of using a Customer Identification Program
  
• Differences between Customer Identification Programs and Know Your Customer (KYC)
  
• Who needs to follow CIP rules?
  
• How to set up a Customer Identification Program
  
• Best practices for applying Customer Identification Programs
  

How do Customer Identification Programs work?

Customer Identification Programs (CIPs) use a series of steps to verify customer identity.

• Customer information collection: First, CIPs gather information from the customer including their full legal name, date of birth, address, and government-issued identification number (such as a Social Security number or passport number). Depending on the customer’s risk profile or the type of account being opened, CIPs might collect additional information.

• Information verification: Next, CIPs verify the provided information.

  • Document verification: Check the validity of government-issued identification documents. This might be done in person, through a secure online portal, or using specialized software to analyze the document’s features.
    
  • Database verification: Compare the provided information against public and private databases to confirm its accuracy and consistency.
    
  • Non-document verification: Contact the customer directly to verify their identity or check references with other financial institutions.
    

• Risk assessment: Assess the risk associated with the customer based on the collected and verified information. Factors to consider might include the customer’s occupation, source of funds, and country of residence.

• Ongoing monitoring: Monitor of the customer’s transactions and activities for any suspicious behavior. This might involve reviewing their account activity, transaction history, and any changes in their personal information.

• Updating information: Update customer information periodically so the information on file remains accurate and reflects any changes in the customer’s circumstances.

• Recordkeeping: Maintain records of all customer information, verification methods, and risk assessments, in compliance with regulatory requirements and to demonstrate due diligence in case of audits or investigations.

Benefits of using a Customer Identification Program

CIPs benefit businesses in many different ways. These include:

• Risk mitigation: CIPs mitigate the risk of financial crimes such as money laundering, terrorist financing, and fraud. By verifying the identity of their customers, institutions can prevent these illegal activities and avoid potential legal and reputational damage.

• Regulatory compliance: CIPs are a legal requirement for financial institutions in many countries, including the US. Failure to use CIPs can incur penalties and fines.

• Stronger security: CIPs create a more secure financial environment by preventing unauthorized access to accounts and services, which protects the institution and its legitimate customers from financial losses.

• Improved customer due diligence: CIPs enable institutions to perform more effective customer due diligence (CDD), by assessing the risk associated with each customer and tailoring services accordingly.

• Operational efficiency: While CIPs require an initial investment in systems and processes, they can improve operational efficiency over time. Automating verification processes and simplifying onboarding procedures can save time and resources in the long run.

• Customer fraud protection: CIPs protect customers from identity theft and fraud by ensuring that only authorized individuals can access their accounts, which safeguards financial assets and personal information.

• Greater customer trust: Customers are more likely to trust institutions with strong security measures, such as CIPs.

• Faster onboarding: CIP processes can lead to faster and more convenient onboarding for new customers, improving customer satisfaction and encouraging them to use the institution’s services.

• Access to more services: CIPs enable institutions to offer customers a wider range of financial products and services. By verifying customer identities, institutions can offer services that might otherwise be restricted due to regulatory concerns.

Differences between Customer Identification Programs and Know Your Customer (KYC)

Customer Identification Programs (CIPs) and Know Your Customer (KYC) are processes used to identify and verify customers, but they have distinct focuses and scopes. The use of CIPs is a specific regulatory requirement focused on verifying customer identity, while KYC is a broader process encompassing identity verification, risk assessment, and ongoing monitoring. CIP is the initial step in the broader KYC process: while CIP establishes the customer’s identity, KYC goes further by uncovering their financial behavior and assessing their risk profile.

Customer Identification Program (CIP)

CIPs focus on verifying the identity of a customer during the onboarding process. The CIP process involves collecting and verifying specific identifying information such as name, date of birth, address, and government-issued identification number. The purpose of CIPs is to establish a reasonable belief that the institution knows the identity of the customer, thereby preventing identity theft and fraud.

Know Your Customer (KYC)

The KYC process is broader in scope than the CIP process. It encompasses not only identity verification but also an understanding of the customer’s financial activities and risk profile. The primary purpose of KYC is to assess the overall risk associated with a customer and verify that their activities align with the institution’s risk appetite and regulatory requirements. The KYC process involves collecting and analyzing a wider range of information than CIPs assess. Typically, the information includes the customer’s occupation, source of funds, transaction history, and risk tolerance.

Sample CIP vs. KYC processes

When opening a bank account, a customer must provide their identification documents (e.g., passport, driver’s license) to fulfill the CIP requirement. The bank’s KYC process, however, might involve asking about their occupation, income source, and intended use of the account to assess their risk level.

Who needs to follow CIP rules?

In many countries, AML guidelines require financial institutions and certain companies to implement CIPs. In the US, for example, a variety of regulatory agencies enforce CIP requirements, including the Financial Crimes Enforcement Network (FinCEN), the Federal Reserve Board, the Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC). In addition to the types of companies listed below, other businesses might need to implement a CIP if they engage in financial activities that are susceptible to money laundering or terrorist financing.

• Banks: Commercial banks, savings banks, and investment banks.

• Credit unions: Cooperative financial institutions owned and operated by their members.

• Securities brokers and dealers: Firms that buy and sell securities on behalf of clients or for their own accounts.

• Mutual funds: Investment companies that pool money from investors to purchase a diversified portfolio of securities.

• Futures commission merchants (FCMs): Individuals or firms that solicit or accept orders for the purchase or sale of futures contracts and options on futures contracts.

• Introducing brokers (IBs): Individuals or firms that solicit or accept orders for the purchase or sale of futures contracts and options on futures contracts but do not accept money or securities from customers.

• Commodity trading advisors (CTAs): Individuals or firms that advise others on buying or selling futures contracts and options on futures contracts.

• Commodity pool operators (CPOs): Individuals or firms that operate commodity pools, which are investment vehicles that pool funds from investors to trade in commodities.

• Money services businesses (MSBs): Businesses that provide services such as money transmission, check cashing, currency exchange, or the sale of money orders or traveler’s checks.

How to set up a Customer Identification Program

Designing and implementing a CIP involves a series of steps that you will need to customize to your business’s size, scope, and layout. Consider working with legal counsel or compliance experts, who can provide you with guidance on how to establish a CIP. Train your staff on CIP requirements and procedures so they can implement them consistently, and communicate to customers the importance of the CIP.

Below are the basic steps to develop a strong CIP. For more detailed information and specific requirements, refer to the CIP rules and regulations published by the relevant regulatory agencies (e.g., FinCEN, FDIC).

Develop a written CIP policy

Outline the specific procedures your institution will follow to collect and verify customer identification information. Specify the types of accounts the CIP will cover (e.g., deposit accounts, credit accounts) and explain how you will handle exceptions or alternative procedures for certain customers (e.g., those without a Social Security number).

Collect customer information

Obtain the following four pieces of information from each customer:

• Full legal name

• Date of birth

• Residential or business street address

• Identification number (e.g., Social Security number, passport number)

Collect this information when the customer opens their account, or before the customer can conduct transactions.

Verify customer identity

Verify the information the customer provides using independent, reliable sources. Acceptable methods include:

• Checking government-issued identification documents (e.g., driver’s license, passport)

• Using third-party identity verification services

• Obtaining information from a consumer reporting agency or public database

Document the verification methods you used and the results of the verification process.

Compare against government lists

Check the customer’s name against lists of known or suspected terrorists or other criminals provided by the government (e.g., OFAC’s SDN list). If you find a match, take appropriate action, such as freezing the account and reporting the information to the authorities.

Maintain records

Maintain records of all customer identification information and verification results for at least five years after the account is closed. Make these records available to regulators upon request.

Manage CIPs over time

Designate a compliance officer or team that will be responsible for overseeing the CIP for your business. This person or team should be in charge of reviewing and updating the CIP policy regularly, so it remains effective and complies with any regulatory changes. They should also conduct periodic risk assessments to identify and address any vulnerabilities in the program.

Best practices for applying Customer Identification Programs

Follow these best practices—technical, operational, and ethical—to help your business apply CIPs effectively.

Technical best practices

• Unique and consistent IDs: Assign each customer a unique identifier that remains consistent across all interactions and platforms. This identifier could be a randomly generated number, a hashed email address, or a combination of relevant information.

• Secure storage: Protect customer IDs using encryption and secure storage methods. Limit access to authorized personnel only.

• Data integration: Integrate customer IDs across all systems and databases within your company to create a holistic view of the customer that facilitates personalized experiences.

• Data quality: Maintain accurate and up-to-date customer ID information. Implement data validation and cleansing processes for consistency and reliability.

• Scalability: Choose a customer ID system that can scale with your business and handle large volumes of data.

Operational best practices

• Consent: Obtain explicit consent from customers before collecting and using their IDs.

• Privacy protection: Implement privacy-enhancing technologies (PETs) to anonymize customer IDs or use pseudonyms.

• Data minimization: Collect only the minimum customer information you need for legitimate business purposes. Avoid collecting sensitive data unless absolutely necessary.

• Access control: Establish strict access controls and audit trails for customer ID data. Limit access to authorized personnel only and monitor usage.

• Incident response plan: Develop a comprehensive incident response plan to address any data breaches or security incidents involving customer IDs.

Ethical best practices

• Customer autonomy: Empower customers by giving them control over their data. Allow customers to access, update, or delete their information at any time.

• Non-discrimination: Never use customer IDs to discriminate against or unfairly profile individuals based on their personal attributes or behavior.

• Transparency: Use customer IDs in a fair and transparent manner. Communicate to customers how you will use these IDs and avoid any deceptive or misleading practices.

• Accountability: Take responsibility for the ethical use of customer IDs. Implement regular audits and reviews for compliance with best practices and ethical standards.