Mobile security

Digital Banking Resources

Customer Identification Programs 101: A Guide for Banks and Credit Unions

June 10, 2022

The customer identification program (CIP) is an essential part of the daily operations of banks and credit unions. In the U.S., financial institutions are required by the federal government to verify the identity of their customers. Implemented in 2003, CIP is a provision of the USA Patriot Act. It requires banks and credit unions to reasonably believe they know the true identities of their customers.

Long gone are the days of greeting each user at the teller window or shaking hands across the desk. After nearly two decades of use, it hasn’t gotten any easier for banks and credit unions to know who their users are. Emerging digital capabilities improve the customer experience, but wreak havoc on security. Further, with each passing year, criminal enterprise becomes ever more savvy and able to circumvent the laws and regulations intended to protect institutions and their honest users and prevent fraud. These difficulties underscore the importance of CIP. 

Today, it’s more critical than ever that banks and credit unions understand what’s at stake and how to ensure the integrity of their CIP processes. 

What Is CIP?

At its essence, CIP is how banks and credit unions ensure that users are who they say they are. Of course, in reality, there is more context to understand. So let’s start by defining the terms

As defined by law, a user is a person who:

  • Opens a new account on their own behalf.
  • Opens an account for another individual who may or may not have legal capacity.
  • Opens a new account for an entity, i.e., not a legal person.

The bank or credit union provides services or other financial transactions on an ongoing basis. Ongoing relationships include, for example, the following types of accounts: deposit, transaction, asset or credit account, as well as, for example, a safety deposit box. Branch visitors that engage in one-time interactions such as check cashing and ATM withdrawals, are not users for CIP purposes.

The identification requirements depend on the type of user. There are six main categories. Users can belong to more than one category, for example; a power of attorney could also be an individual:

  • New users
  • Existing users
  • Individuals
  • Businesses
  • Power of attorneys (POA)
  • Government entities

New Users

One of the most important aspects of the program is the new account opening procedure that specifies the types of identification that must be obtained. CIP specifies certain account opening procedures. For a new user, the bank or credit union must collect basic information including:

  • Name
  • Date of birth
  • Physical street address
  • Identification number

The identification number for a U.S. citizen is a social security number or tax identification number (TIN). For non-citizens, a TIN, passport, alien identification card or other form of valid government-issued photo identification and evidence of residency is required.

The financial institution will require additional documentary support. At a minimum, a driver’s license or passport is required. They may also require non-documentary evidence, as well, although this is not in the CIP guidelines. Non-documentary evidence may include, for example, contacting the customer, requesting a financial statement, verifying through public databases or checking references with another financial institution.

Other risk-based procedures may be taken to mitigate, avoid, limit, or in some cases, accept, the possibility of risk.

Existing Users

There is no need to redo the CIP for every new product or service added. In many institutions, however, there are long-standing existing users who opened their first account prior to 2003. If the bank or credit union has a reasonable belief that they know the true identity of these old account holders, they are essentially grandfathered in with no CIP requirement.  

However, many financial institutions consider it a best practice to note in the CIP policy that they have this reasonable belief about their long-term users. 

Individuals

For individuals, documentary verification such as a driver’s license, state identification, passport or military identification is required. 

Businesses

Documentary verification may include articles of incorporation, business license, partnership agreement or proof of receipt of TIN from the IRS. The bank or credit union must also ensure that the person opening the account is authorized. They can provide proof with a corporate resolution outlining who manages the business or via board minutes, for example.

Power of Attorney (POA)

The verification requirements for POA vary based on the legal capacity of the individual or entity for whom the POA is enacted. If, for example, the individual lacks legal capacity, then the POA is considered the userr and must be verified as such. Otherwise, the account owner is the user.

Government Entities

Government entities are not included in the CIP definition of user and are, therefore, exempt from CIP requirements. An organization is considered a government agency under the following conditions:

  • They are a department or agency of the U.S., any other state or any political subdivisions within a state.
  • They are established by and exercise governing authority on behalf of U.S. laws, state laws, political subdivisions of any state or interstate compacts between states.

This exemption is in place unless the CIP program does not exclude them.

Why CIP Matters

But, what’s really at stake for banks and credit unions? Failure to comply means that the institution may suffer reputational risk and incur fines. However, the consequences of having insufficient user identification controls go beyond regulatory hand-slapping and stiff penalties. 

The USA Patriot Act was implemented to address the growing threat of terrorism, money laundering, corruption and a bundle of other criminal activities that are detrimental to economic stability and society as a whole. 

The bigger the financial institution, the more robust the program will be. But that doesn’t mean that the smaller banks and credit unions can fly under the radar. It’s increasingly important for institutions of all sizes to have solid programs in place. Regulators are watching.

How To Set Up a CIP Program

The CIP Program is established in writing and incorporated into the bank or credit union’s Bank Secrecy Act and Anti-Money Laundering compliance program. It includes the following provisions:

  1. Collect and verify basic CIP information during the user onboarding process.
  2. Provide a user notice prior to account opening that tells the user what information may be collected and when. Ask for multiple forms of identification.
  3. Use automated identity verification (vs. manual processes) during onboarding for greater accuracy.
  4. Check users against government lists of sanctions for known and suspected terrorists.
  5. Establish additional verification procedures according to a rules-based risk assessment. 
  6. Establish clear rules for the process, including:
    1. When the bank or credit union should not open an account.
    2. What the user is allowed to do before verification of identity.
    3. When the account should be closed.
  7. Establish record-keeping and retention protocols
    1. Records must be maintained for five years after account closure.
    2. The financial institution should record everything used to verify identification including the type of document, identification number, date and location issued and expiration date.
    3. Record a description of the results from measures taken or the resolution of significant discrepancies.

Is CIP Another Name for KYC?

Although the terms are often used interchangeably, they are not the same. Know Your Customer (KYC) is intended to protect financial institutions from fraud, corruption, money laundering and terrorist financing. CIP is just one component — albeit a very important one — of the KYC program. More specifically:

CIP: A legal requirement outlined in the USA Patriot Act, CIP is used to verify the information provided by the user so that financial institutions have a reasonable belief that they know their users’ true identities.

KYC: A specific process used by financial institutions to verify a user’s identity and understand their business activities before engaging with them.

CIP Made Easier

Compliance with CIP is more essential than ever. This is particularly true in the increasingly digital environment. Customer identification is the all-important first step. It’s not only important to know who you’re dealing with, it’s also important to prevent turning away good customers during your onboarding process. 

Lumin Digital helps banks and credit unions deploy the next generation solutions so that they continue to grow, providing their users with the digital capabilities they demand right now. Lumin Digitial uses advanced machine learning and artificial intelligence to provide the platform you need to meet today’s stringent CIP regulations. Admittedly, CIP processes can create friction for your users. It doesn’t have to be that way, however. Contact Lumin Digital to learn more. 

Pamela Michaels Fay is a business, financial, technology, legal and lifestyle writer, whose work is informed by over 20 years of strategy, leadership and organizational development consulting for Fortune 500 companies.

Sources:

Office of the Director of US National Intelligence – USA Patriot Act

Federal Deposit Insurance Corporation (FDIC) – Customer Identification Program