The Customer Identification Program (CIP) protocols were first implemented in the United States in 2003, as part of the USA PATRIOT Act. The Act was passed in response to the terrorist attacks of September 11, 2001, and included a number of provisions aimed at enhancing national security and preventing money laundering and terrorist financing activities.

One of the key provisions of the USA PATRIOT Act was the requirement for financial institutions to establish and maintain a CIP as part of their anti-money laundering (AML) compliance programs. The CIP regulations require financial institutions to verify the identities of their customers when opening accounts and to maintain records of the information used to verify those identities.

Under the CIP, financial institutions must verify the identity of their customers using various methods, such as obtaining government-issued identification, verifying the identity of the customer through non-documentary methods, and checking the customer against various databases. Financial institutions must also maintain records of their verification methods and customer identities, monitor accounts for suspicious activity, and report suspicious transactions to the appropriate authorities.

Overall, the CIP is a crucial part of the US government’s efforts to combat financial crimes, and financial institutions must comply with the regulations to maintain the integrity of the financial system.

Which types of businesses are required to have a CIP?

Financial institutions that are subject to the Bank Secrecy Act (BSA) are required to have a Customer Identification Program (CIP). The BSA applies to a wide range of financial institutions, including banks, credit unions, broker-dealers, mutual funds, futures commission merchants, and introducing brokers in commodities.

Under the BSA, these financial institutions are required to implement a risk-based approach to their CIPs, taking into account factors such as the type of customer, the nature of the account, and the risk of money laundering or terrorist financing. The CIP must be documented in writing and must include procedures for verifying customer identities, maintaining records, and monitoring accounts for suspicious activity.

In addition to financial institutions, certain other businesses that engage in financial activities or provide financial services may also be subject to CIP requirements. For example, businesses that issue or redeem money orders or traveler’s checks, and businesses that provide certain types of prepaid access, may be required to implement a CIP under the BSA.

It’s important to note that the specific requirements for a CIP may vary depending on the type of business and the nature of its financial activities. Therefore, businesses should consult with their legal and regulatory advisors to determine their specific obligations under the BSA and other applicable laws and regulations.

What technologies do businesses use to comply with CIP?

Financial institutions and other businesses subject to CIP requirements typically use a range of technologies to comply with the regulations.

Customer Identification and Digital Identity Verification Software

These are software applications that use artificial intelligence and machine learning to automate the identity verification process. These systems can quickly scan and validate customer identification documents such as passports, driver’s licenses, and other forms of government-issued ID, reducing the time and cost of manual verification. Additionally, they remove the risk of typos, fat fingers, or manual error by automatically ingesting accurate data directly from the government-issued document.

Risk Assessment and Scoring Tools

Risk assessment tools allow businesses to assess the risk of each customer based on various factors such as their location, transaction history, and type of account. This information is used to prioritize customers for additional verification or monitoring. Businesses that are subject to Customer Identification Program (CIP) requirements may have different risk tolerances depending on the nature of their business, the types of products and services they offer, and the regulatory environment in which they operate. In general, businesses that are more susceptible to money laundering, terrorist financing, or other financial crimes may have a lower risk tolerance and may need to implement more stringent customer identification and verification procedures to manage these risks.

For example, businesses in industries such as banking, securities trading, and money services may have a lower risk tolerance due to the higher likelihood of financial crimes occurring in these industries. Similarly, businesses that operate in high-risk jurisdictions or that have customers who have a history of financial crimes may also have a lower risk tolerance. Enhanced Due Diligence (EDD): EDD is a process that involves conducting additional research and analysis on high-risk customers to better understand their risk profile. This may involve verifying the identity of the customer using additional sources of information, such as credit reports, public records, and other third-party databases.

Know Your Customer (KYC) Data Sources

These are databases that contain information about customers’ identities, risk profiles, and transaction history. They are used to verify the accuracy of customer information and to help identify potential risks or fraud. KYC AML platforms will query lists such as the Office of Foreign Asset Control, EU/UN Sanctions Lists, Politically Exposed Persons lists, and other sources that catalog individuals deemed high-risk for money laundering or criminal activity.

Overall, the technologies used to comply with CIP are designed to improve efficiency, accuracy, and security in the customer identification and verification process, helping businesses to meet regulatory requirements and maintain the integrity of their financial systems.

What are the typical requirements for customer identification software under CIP regulations?

There are no specific requirements for customer identification software under CIP regulations. Instead, financial institutions and other businesses subject to the CIP regulations are required to implement a risk-based approach to customer identification and verification, taking into account factors such as the type of customer, the nature of the account, and the risk of money laundering or terrorist financing.

Identity Verification

The software should be able to verify the identity of customers based on a range of government-issued identification documents, such as passports, driver’s licenses, and national identity cards.

Document Validation

Document validation software should be able to authenticate the documents presented by customers, to ensure that they are not fraudulent and have not been tampered with.

Compliance Reporting

The software should be able to generate reports and audit trails that document the customer identification and verification process, to demonstrate compliance with the CIP regulations. This is important in the event that a financial institution is fined or does illegal business.

What are the risks or fines for businesses that fail to comply with CIP requirements?

Financial institutions and other businesses that are subject to Customer Identification Program (CIP) requirements and fail to comply with the regulations can face significant fines and penalties from regulatory agencies. Regulatory agencies such as the Financial Crimes Enforcement Network (FinCEN) and the Office of the Comptroller of the Currency (OCC) have the authority to impose civil monetary penalties for violations of CIP regulations. The fines can range from a few thousand dollars to millions of dollars, depending on the severity of the violation.

In July 2020, Capital One was fined $80 million by the Office of the Comptroller of the Currency (OCC) for deficiencies in its CIP and anti-money laundering (AML) programs. The OCC found that Capital One had failed to establish and maintain an effective CIP, which had resulted in inadequate customer due diligence and the failure to detect and report suspicious activity. Bank of America, Citigroup, and American Express Bank have also been fined under the Banking Secrecy Act for failure to adequately verify customer identity.

Financial institutions and other businesses that fail to comply with CIP regulations may also be subject to regulatory sanctions such as cease and desist orders, civil injunctions, and restrictions on business activities. In some cases, violations of CIP regulations can result in criminal charges and penalties, such as fines, imprisonment, and forfeiture of assets. In 2012, Standard Chartered Bank agreed to pay $340 million to the New York Department of Financial Services (NYDFS) for violations of AML regulations, including deficiencies in its CIP. As part of the settlement, Standard Chartered Bank agreed to implement extensive reforms to its AML compliance program.

Additionally, reputational damage can have a lasting impact on the credibility of banks and financial institutions with potential customers and partners.

Looking for an affordable CIP solution?

Contact our team or request a demo of our CIP software here.