Module 2 · Lesson 1

Customer Identification Program (CIP) Requirements

Know Your Customer (KYC) Fundamentals

What the Law Actually Requires

The Customer Identification Program (CIP) is the bedrock of KYC compliance in the United States. Codified at 31 CFR 1020.220 for banks and 31 CFR 1022.210 for money services businesses, the CIP rule mandates that covered financial institutions implement reasonable procedures to verify the identity of each customer who opens an account.

The CIP rule was enacted under Section 326 of the USA PATRIOT Act and became effective in 2003. While the rule provides a framework, the specifics of your CIP must be tailored to your institution's size, location, customer base, and products — there is no one-size-fits-all template.

The Four Minimum Data Elements

At a minimum, your CIP must collect the following information from each customer before or during account opening:

  1. Full legal name — As it appears on government-issued identification. For businesses, this is the legal entity name.
  2. Date of birth — For individuals only. This is one of the strongest identity anchors and is required for OFAC screening.
  3. Address — A residential or business street address. For individuals, a P.O. Box is acceptable only if the individual does not have a residential address (e.g., military personnel). For non-U.S. persons, a residential or business address in the country of origin is acceptable.
  4. Identification number — For U.S. persons, this is the Social Security Number (SSN) or Taxpayer Identification Number (TIN). For non-U.S. persons, one or more of the following: TIN, passport number and country of issuance, alien identification card number, or number and country of issuance of any other government-issued document evidencing nationality or residence with a photograph.

Acceptable Identification Documents

The CIP rule requires verification through documentary or non-documentary methods (or a combination of both):

Documentary verification typically involves reviewing:

  • Government-issued photo ID (driver's license, state ID, passport)
  • For non-U.S. persons: passport, alien identification card, or other government-issued document evidencing nationality or residence with a photograph
  • For legal entities: articles of incorporation, government-issued business license, partnership agreement, or trust instrument

Non-documentary verification is critical for digital-first fintechs and may include:

  • Contacting the customer directly (phone, email, or video verification)
  • Comparing information provided by the customer with information obtained from consumer reporting agencies, public databases, or other reliable third-party sources
  • Checking references with other financial institutions
  • Using identity verification services that cross-reference multiple data sources (e.g., credit bureau data, utility records, DMV records)

Verification Procedures — Getting It Right

Your CIP must describe the specific procedures you use to verify identity. Key considerations:

  • Timing: You must collect the four minimum elements at or before account opening. However, "account opening" can be defined flexibly — some fintechs allow limited account functionality (e.g., funding but no transactions) while verification is pending, provided the account is fully verified within a reasonable time (the regulatory expectation is generally within a few business days).
  • Risk-based approach: Higher-risk customers may warrant additional verification. For example, a customer with a thin credit file and a newly issued ID might require a secondary verification method, such as a knowledge-based authentication (KBA) quiz or a video selfie match.
  • Record retention: You must retain a copy of any document relied upon for verification for five years after the account is closed. For non-documentary methods, retain a description of the methods used and the results for five years.
  • OFAC screening: While not technically part of the CIP rule, you must screen all customers against OFAC's Specially Designated Nationals (SDN) list at onboarding and on an ongoing basis. This is a separate obligation under 31 CFR Part 501, but it is functionally integrated into the CIP process.

Common CIP Pitfalls for Fintechs

  • Allowing transactions before verification is complete. Regulators have cited fintechs that let customers send or receive funds before CIP is finalized. If you use a delayed verification model, document the risk controls in place (e.g., transaction limits, hold periods).
  • Not verifying the ID document itself. Collecting a photo of a driver's license is not enough — you must have procedures to assess whether the document is genuine (e.g., checking for security features, using document authentication technology).
  • Ignoring discrepancies. If the name on the ID doesn't match the name provided, or the address doesn't match public records, you need a process to resolve the discrepancy before the account is fully operational.
  • Treating CIP as a one-time event. While CIP focuses on account opening, you must have procedures to update customer information periodically, especially for higher-risk accounts.

CIP Checklist

  • ☐ Collect all four minimum data elements (name, DOB, address, ID number) at or before account opening
  • ☐ Implement both documentary and non-documentary verification methods
  • ☐ Screen all customers against the OFAC SDN list before account activation
  • ☐ Define your "account opening" trigger clearly in your policies
  • ☐ Establish procedures for handling verification failures and discrepancies
  • ☐ Retain CIP records for five years after account closure
  • ☐ Include your CIP procedures in your BSA/AML program documentation
  • ☐ Test your CIP process with known-good and known-bad test cases at least quarterly