Customer Identification Program

Financial institutions must develop a Customer Identification Program or CIP to verify their customer identity information and establish the true identities of their customers. This requirement is part of the USA PATRIOT Act of 2001, which is the acronym for Uniting and Strengthening America by Providing Appropriate Tools Required To Intercept and Obstruct Terrorism. The CIP must be incorporated in writing into the Bank Secrecy Act/Anti-Money laundering compliance program, which is subject to approval by the financial institution's board of directors. Financial institutions include banks, savings associations, credit unions, private banks, and trust companies.

Objective

The Customer Identification Program is intended to enable the bank to form a reasonable assurance that it knows the true identity of each customer. The CIP must include account opening procedures which specify which identity components must be collected from each customer and how each identity component will be verified. As such, banks should conduct a risk assessment covering their customers and products.

Scope

At a minimum, financial institutions must obtain, verify and record customer name, date of birth, address, identification number and any other information necessary to achieve the CIP objective. Based on the risk assessment, a bank may require identifying information in addition to the items above for certain customers or product lines.

Requirements

Financial institutions must implement reasonable procedures to verify the identity of any person requesting to open an account. Financial institutions must maintain as reasonably and practically as possible records of the information used to verify the person’s identity; and determine whether the person appears on any lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency. A bank does not need to establish the accuracy of every element of identifying information obtained, but it must verify enough information to form a reasonable belief that it knows the true identity of the customer. The bank’s procedures must describe when it will use documents, non-documentary methods, or a combination of both.

As such, financial institutions must perform risk assessments and consider the following:

  • The types of accounts offered by the institution,
  • The methods for opening accounts,
  • The types of identifying information available and requested from customers, and
  • The institution's size, location, and customer base.

Definition of an "Account"

An "account" is a formal banking relationship to provide or engage in services, dealings, or other financial transactions, and includes a deposit account, a transaction or asset account, a credit account, or another extension of credit. An account also includes a relationship established to provide a safe deposit box or other safekeeping services or to provide cash management, custodian, or trust services.

An account does not include:

  • Products or services for which a formal banking relationship is not established with a person, such as check cashing, funds transfer, or the sale of a check or money order.
  • Any account that the bank acquires. This may include single or multiple accounts as a result of a purchase of assets, acquisition, merger, or assumption of liabilities.
  • Accounts opened to participate in an employee benefit plan established under the Employee Retirement Income Security Act of 1974.

Definition of a "Customer"

The Customer Identification Program applies to a person (an individual, a corporation, partnership, a trust, an estate, or any other entity recognized as a legal person) who opens a new account, an individual who opens a new account for another individual who lacks legal capacity, and an individual who opens a new account for an entity that is not a legal person.

A customer does not include:

  • a person who does not receive banking services, such as a person whose loan application is denied.
  • an existing customer as long as the bank has a reasonable belief that it knows the customer’s true identity.

Customer Verification Process

The Customer Identification Program must contain risk-based procedures for verifying the identity of the customer within a reasonable period of time after the account is opened. The verification procedures must use the information obtained in accordance with established Customer Identification Program policies and procedures. This verification must provide evidence of a customer’s nationality or residence and bear a photograph or similar safeguard such as a driver’s license or passport. However, other forms of identification may be used if they enable the bank to form a reasonable belief that it knows the true identity of the customer. Nonetheless, given the availability of counterfeit and fraudulently obtained documents, a bank is encouraged to review more than a single document to ensure that it has a reasonable belief that it knows the customer’s true identity.

Customer verification may include verification through minimum acceptable documents, and non-documentary methods such as contacting a customer, reviewing public databases, and checking references.

For a "person" other than an individual (such as a corporation, partnership, or trust), the bank should obtain documents showing the legal existence of the entity, such as certified articles of incorporation, an unexpired government-issued business license, a partnership agreement, or a trust instrument.

Lack of Verification

The Customer Identification Program must also have procedures for circumstances in which the bank cannot form a reasonable belief that it knows the true identity of the customer. These procedures should describe:

  • Circumstances in which the bank should not open an account.
  • The terms under which a customer may use an account while the bank attempts to verify the customer’s identity.
  • When the bank should close an account, after attempts to verify a customer’s identity have failed.
  • When the bank should file a Suspecious Activity Report or SAR in accordance with applicable law and regulation.

Recordkeeping and Retention Requirements

A bank’s Customer Identification Program must include record keeping procedures. At a minimum, the bank must retain the identifying information (name, address, date of birth for an individual, TIN, and any other information required by the CIP) obtained at account opening for a period of five years after the account is closed. For credit cards, the retention period is five years after the account closes or becomes dormant. The bank must also keep a description of the following for five years after the record was made:

  • Any document that was relied on to verify identity, noting the type of document, the identification number, the place of issuance, and, if any, the date of issuance and expiration date.
  • The method and the results of any measures undertaken to verify identity.
  • The results of any substantive discrepancy discovered when verifying identity.

Adequate Customer Notice

The Customer Identification Program must include procedures for providing customers with adequate notice that the bank is requesting information to verify their identities. The notice must generally describe the bank’s identification requirements and be provided in a manner that is reasonably designed to allow a customer to view it or otherwise receive the notice before the account is opened. Examples include posting the notice in the lobby, on a Web site, or within loan application documents.

The final rule became effective on October 1, 2003. Visit the law section for details.

Consider earning an identity management certification which meets your specific career goals. The CIAM program scope in governance calls for a customer identification program.

Identity Management Certifications

Identity Theft Courses