This review guide has been developed to help compliance officers, AML specialists, and other regulatory compliance professionals develop and manage well-defined and well-documented anti-money laundering (AML) Customer Identification Programs.
Customer Identification Program (CIP)
The Customer Identification Program, commonly referred to as CIP (pronounced “SIP”), is a mandatory requirement that is stipulated by Section 326 of the USA PATRIOT Act.
FinCEN requires all financial institutions to have a written and well-documented Customer Identification Program (CIP) incorporated into their AML compliance program.
Objective of a CIP Program
The objective of each firm’s CIP program is to enable the firm to form a reasonable belief that it knows the true identity of each customer.
Each firm’s CIP needs to be risk-based and in accordance with the firm’s size, type of business, customer type, and overall risk.
Customer Identification Programs must be in writing (well-documented) and be part of a company’s overall anti-money laundering program.
Anti-Money Laundering (AML) Lifecycle
The Customer Identification Program is the first of many phases that make up the anti-money laundering/know your customer lifecycle.
During the onboarding phase, CIP is the first stage through which banks and other financial institutions identify and verify the true identity of new clients looking to open new accounts.
Five Key Requirements of a Customer Identification Program (CIP)
Each bank, financial institution, or non-banking financial institution is required to develop a Customer Identification Program that is tailored to its individual circumstances and type of clients.
At a minimum, the CIP rule requires firms to implement the five pillars below as part of their CIP structure.
1. Gather Client Documentation
A key CIP procedure involves collecting client documentation, data, and information.
Institutions must ensure that they have adequate procedures in place that list the relevant information and documentation that should be obtained from each customer.
There is a minimum requirement of CIP documentation/information that needs to be collected for individual and non-individual (i.e., corporations) clients.
2. Verify Client Information
In addition to collecting client information, financial firms also have to verify the information collected using risk-based measures.
Banks and other financial institutions are not mandated to establish the accuracy of every element of obtained client information.
However, they must verify enough information to form a reasonable belief that they know the true identity of the individual or entity seeking to open an account.
3. Provide CIP Notice to Customers
Section 326 of the USA PATRIOT Act requires firms to provide adequate CIP notice to new customers, informing them that the firm is reviewing or has reviewed identification information to verify their identities.
Such notification must be given during the onboarding process before the account is opened.
Here is a sample of the notice that firms have to send to customers: Customer Identification Program Notice.
4. Conduct Sanctions Screening
As part of CIP, financial firms are also required to screen their new customers against OFAC and other sanctions lists and databases.
5. Enforce Adequate Record Retention Policies
In addition to the four CIP requirements presented above, institutions are also required to retain any obtained customer identifying information and data.
Such information or documentation must be retained throughout the relationship and up to five years after the relationship has been terminated.
In the case of credit card accounts, financial firms are required to retain the customer’s identifying information for a period of five years after (1) the account is closed or (2) the account becomes dormant.
Risk-Based Approach to CIP
Under a risk-based approach to CIP, a financial firm identifies its overall exposure to money laundering and terrorist financing risks and then ensures it has developed efficient enterprise-wide processes to mitigate the assessed risks.
Such processes and procedures may vary based on the account types being opened, the domicile of the customer, how the account is opened (face-to-face or electronically), the nature of the customer’s business, the customer’s client base, and a wide range of other factors.
The overall objective of a risk-based approach is that a financial institution must be able to form a “reasonable belief” that it knows the true identity of the new customer.
CIP Is Not Enough – Regulators Require Firms to Do More
Federal regulators have noted that although the Customer Identification Program is very important, it should only be considered as one part of a firm’s anti-money laundering/Bank Secrecy Act compliance program.
They advise that “adequate implementation of a CIP, standing alone, will not be sufficient to meet a bank’s other obligations under the Bank Secrecy Act.”
In addition to the CIP, banks and other financial institutions are required to have additional AML/KYC procedures and processes in place, including customer due diligence, risk assessment and rating, suspicious activity monitoring, sanctions screening, and periodic KYC reviews.