Financial institutions must develop a Customer Identification Program or CIP to verify their customer identity information and establish the true identities of their customers. This requirement is part of the USA PATRIOT Act of 2001, which is the acronym for Uniting and Strengthening America by Providing Appropriate Tools Required To Intercept and Obstruct Terrorism. The CIP must be incorporated in writing into the Bank Secrecy Act/Anti-Money laundering compliance program, which is subject to approval by the financial institution's board of directors. Financial institutions include banks, savings associations, credit unions, private banks, and trust companies.
The Customer Identification Program is intended to enable the bank to form a reasonable assurance that it knows the true identity of each customer. The CIP must include account opening procedures which specify which identity components must be collected from each customer and how each identity component will be verified. As such, banks should conduct a risk assessment covering their customers and products.
At a minimum, financial institutions must obtain, verify and record customer name, date of birth, address, identification number and any other information necessary to achieve the CIP objective. Based on the risk assessment, a bank may require identifying information in addition to the items above for certain customers or product lines.
Financial institutions must implement reasonable procedures to verify the identity of any person requesting to open an account. Financial institutions must maintain as reasonably and practically as possible records of the information used to verify the person’s identity; and determine whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency. A bank does not need to establish the accuracy of every element of identifying information obtained, but it must verify enough information to form a reasonable belief that it knows the true identity of the customer. The bank’s procedures must describe when it will use documents, non-documentary methods, or a combination of both.
As such, financial institutions must perform risk assessments and consider the following:
Definition of an "Account"
An "account" is a formal banking relationship to provide or engage in services, dealings, or other financial transactions, and includes a deposit account, a transaction or asset account, a credit account, or another extension of credit. An account also includes a relationship established to provide a safe deposit box or other safekeeping services or to provide cash management, custodian, or trust services.
An account does not include:
Definition of a "Customer"
The Customer Identification Program applies to a person (an individual, a corporation, partnership, a trust, an estate, or any other entity recognized as a legal person) who opens a new account, an individual who opens a new account for another individual who lacks legal capacity, and an individual who opens a new account for an entity that is not a legal person.
A customer does not include:
Customer Verification Process
The Customer Identification Program must contain risk-based procedures for verifying the identity of the customer within a reasonable period of time after the account is opened. The verification procedures must use the information obtained in accordance with established Customer Identification Program policies and procedures. This verification must provide evidence of a customer’s nationality or residence and bear a photograph or similar safeguard such as a driver’s license or passport. However, other forms of identification may be used if they enable the bank to form a reasonable belief that it knows the true identity of the customer. Nonetheless, given the availability of counterfeit and fraudulently obtained documents, a bank is encouraged to review more than a single document to ensure that it has a reasonable belief that it knows the customer’s true identity.
Customer verification may include verification through minimum acceptable documents, and non-documentary methods such as contacting a customer, reviewing public databases, and checking references.
For a "person" other than an individual (such as a corporation, partnership, or trust), the bank should obtain documents showing the legal existence of the entity, such as certified articles of incorporation, an unexpired government-issued business license, a partnership agreement, or a trust instrument.
Lack of Verification
The Customer Identification Program must also have procedures for circumstances in which the bank cannot form a reasonable belief that it knows the true identity of the customer. These procedures should describe:
Recordkeeping and Retention Requirements
A bank’s Customer Identification Program must include record keeping procedures. At a minimum, the bank must retain the identifying information (name, address, date of birth for an individual, TIN, and any other information required by the CIP) obtained at account opening for a period of five years after the account is closed. For credit cards, the retention period is five years after the account closes or becomes dormant. The bank must also keep a description of the following for five years after the record was made:
Adequate Customer Notice
The Customer Identification Program must include procedures for providing customers with adequate notice that the bank is requesting information to verify their identities. The notice must generally describe the bank’s identification requirements and be provided in a manner that is reasonably designed to allow a customer to view it or otherwise receive the notice before the account is opened. Examples include posting the notice in the lobby, on a Web site, or within loan application documents.
The final rule became effective on October 1, 2003. Visit the law section for details.
Consider earning an identity management certification which meets your specific career goals. The CIAM program scope in governance calls for a customer identification program.