The Customer Identification Program (CIP) requirements that govern financial institutions target money laundering, terrorism funding, corruption and other criminal activities but also present challenges for organizations. Under a CIP, which is required through the USA PATRIOT Act, entities must have “reasonable” procedures to gather and maintain customer identity information and to run watchlist checks on those customers.
The Financial Crimes Enforcement Network (FinCEN) has stated CIP requirements should apply to all banks, regardless of whether they are federally regulated.
But those requirements raise questions: What do regulators consider reasonable? How can a financial institution integrate a CIP efficiently and cohesively? Can organizations achieve compliance and fraud mitigation while delivering efficient customer onboarding?
The customer identification process
The minimum identity requirements to open an individual financial account in the U.S. are name, birth date, address and an identification number, such as a Social Security number or an Individual Taxpayer Identification Number.
Gathering that information at account opening is sufficient, but organizations must verify the account holder’s identity “within a reasonable time.” Identity verification procedures can rely on documents, such as a driver’s license, or on nondocumentary methods, such as checks through credit bureaus and government databases.
Those procedures are at a CIP’s core, and organizations, as they do with other Anti-Money Laundering (AML) compliance requirements, can ensure compliance by codifying the policies. The exact policies depend on the organization’s risk-based approach and may include:
- The types of accounts offered
- The methods of opening accounts
- The types of identifying information available
- The organization’s size, location and customer base, including the types of products and services used by customers in different locations
The identity verification procedures must be robust enough to verify the identity of each customer to an extent that is “reasonable and practicable.”
The case for digital identity verification
Traditionally, financial institutions would examine unexpired government-issued identification documents such as a driver’s license or passport. However, best practices call for providing more than one document to offset the risks of counterfeit or fraudulently obtained identification.
Financial institutions can conduct that process online to meet consumer expectations for convenience and immediacy in a digital age. Digital identity verification through nondocumentary methods can provide strong risk mitigation and deliver fast onboarding. One method involves “independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source.”
There are other nondocumentary methods, such as contacting a customer, checking references with other financial institutions or obtaining a financial statement. However, those processes don’t often offer the speed, convenience and reliability of digital identity verification.
Financial institutions can also combine documentary and nondocumentary methods. One increasingly popular method is to use on-demand ID document verification combined with digital identity verification to cross-check ID documents electronically with the identity information to further reduce fraud risk.
Other CIP requirements
While obtaining and verifying the identity of each customer is core to the CIP, there are other requirements, including record retention, sanction checking and providing proper notice to customers about document collection and identification processes.
The CIP must also contain procedures to handle various edge cases, such as when a person doesn’t have an identity document, when a document type is unknown to the financial institution or when a customer can’t visit a branch.
Regulations require the financial institution’s CIP also incorporate procedures to manage situations when the risk level is higher than usual. Those procedures can answer questions such as: What happens when the institution can’t verify a person’s identity? When is it appropriate to prevent account opening? When is it OK to open the account but require more information? When should an organization close an account or file a suspicious activity report?
While a CIP is mandatory, organizations can rely on another qualified financial institution as the program provider. The qualified entity must be regulated and have an AML program, and the reliance must meet CIP standards.
Identity information must be maintained for five years past the customer’s relationship with the financial institution. That includes a description and expiration date of any document used to verify identity, including its identification number and the issuance date and location.
Financial institutions must also check identities against domestic and international AML, counter-terrorist financing and sanctions watchlists.
The CIP also applies to corporations, partnerships and trusts. In those cases, the procedures relate to verifying a business entity. The existence of the business entity can be established by calling upon certified articles of incorporation, a government-issued business license, a partnership agreement or a trust instrument.
Business verification is also possible through nondocumentary methods. Similar to digital identity verification, real-time identification and verification of company records through official registers enables quick business onboarding.
It’s important to note that under the Customer Due Diligence Final Rule, collecting, maintaining and reporting beneficial ownership information is now required for financial institutions, which “must identify and verify the identity of the beneficial owners of all legal entity customers (other than those that are excluded) at the time a new account is opened (other than accounts that are exempted).”
Under the Corporate Transparency Act, U.S. companies must report their Ultimate Beneficial Owner (UBO) information to FinCEN. Any new incorporation or significant UBO change must be reported, and any company formed before the effective date of the act will have two years to report.
A CIP is a necessary element of AML and Know Your Customer (KYC) regulations. Beyond that, it’s part of an effective risk-mitigation strategy. Ensuring your CIP is strong, up to date and complete is fundamental to running a successful financial institution.
This post was originally published on Feb. 5, 2019, and updated to reflect the latest industry news, trends and insights.