In the aftermath of the September 11 attacks, Congress became very concerned with how terrorists were getting their money. It quickly found that the loose requirements for creating accounts with banks and other financial institutions made it very easy to use legitimate financial systems for illegitimate ends without the bank ever even knowing who really owned the account.
In an attempt to rectify this, Congress included numerous provisions in the Patriot Act that gave the Financial Crimes Enforcement Network (FinCEN), a bureau of the Department of the Treasury, the power to implement regulations that required financial institutions in the U.S. to take certain steps to learn who their customers actually were.
Covered financial institutions have to take these steps, collectively known as a Customer Identification Program, or CIP, or face the costs of non-compliance. The CIP must also be incorporated into the bank's Bank Secrecy Act (BSA) compliance program, subject to approval by the board of directors of the financial institution.
Every CIP Compliance Strategy Has to Be Unique
Perhaps the most important thing to remember about a financial institution’s CIP obligations is that the program has to be tailored to the institution’s needs and business model. Under one of the regulations promulgated by FinCEN to implement the law, 31 C.F.R. § 1020.220, every institution’s CIP procedures have to be “appropriate for the bank’s size and type of business.” The CIP must include “risk-based procedures” that are designed to give the institution a “reasonable belief that it knows the true identity of each customer.” Those procedures “must be based on the bank’s assessment of the relevant risks.”
As corporate compliance lawyer Dr. Nick Oberheiden frequently points out, “These regulations strongly imply that cookie-cutter policies will not work. You have to conduct a risk assessment to determine what precautions are necessary and sufficient to enable your particular institution to get to know each customer’s true identity.”
Every CIP Has to Have These Six Elements
While every CIP must be unique and hand-crafted to suit the needs of your bank or financial institution, 31 C.F.R. § 1020.220 goes on to list six minimum elements that all of them need to effectively verify a customer’s identity:
- The CIP policy has to be in writing
- It has to require at least four pieces of identifying information from a customer
- There has to be a procedure to verify the customer’s identity
- The CIP has to create a recordkeeping policy
- It has to make sure that the customer does not appear on a government-maintained list of terrorists or terrorist organizations
- The customer has to be notified about the verification process
Each of these requirements deserves explication.
CIPs Have to be Written
Executives at financial institutions will generally fall into compliance with this obligation naturally, as an unwritten policy would be unwieldy, given how complicated CIPs can be. However, it is worth mentioning, especially as non-legal compliance personnel are likely to read the pertinent regulations and overlook the requirement that CIPs be in writing, which is hidden in the preamble to the listing of minimal CIP requirements.
Four Pieces of Customer Information are Required
31 C.F.R. § 1020.220(a)(2) says that, at a minimum, financial institutions must get four pieces of information from customers who want to open an account or conduct financial transactions with the institution. They are the customer’s:
- Name
- Date of birth, if the customer is an individual and not a business entity
- Address
- Identification number
The identification number gets complicated when the account applicant is not a U.S. citizen. In those cases, it can be any of the following:
- Taxpayer identification number
- Passport number, along with the country that issued it
- Alien identification card number
- Number and country of issuance of any government-issued document, so long as it:
  - Shows the applicant’s nationality or residence, and
  - Has a photograph or a similar safeguard
When the account applicant is a U.S. citizen, the identification number has to be a taxpayer identification number.
CIPs Must Have Procedures to Verify the Customer’s Identity
Regulations require that all CIPs state how the financial institution intends to verify the information that account applicants have proffered. The identity verification procedures can include the use of documentary evidence, non-documentary evidence, or a mixture of the two. CIPs must also cover the policies of the financial institution when the identity of an applicant cannot be verified using documentary and non-documentary evidence. Further, the CIP has to state the bank’s policy for when the institution cannot adequately identify the customer, including when the outcome will be to:
- Refuse to open the account requested
- State terms under which the customer can use the account while the bank takes additional steps to identify the customer
- Close the account
- File a Suspicious Activity Report (SAR) with law enforcement
Recordkeeping Policies
At a minimum, a financial institution’s CIP has to keep the following records:
- All of the customer’s identifying information that was gathered
- A description of any documentary evidence that the financial institution used to verify the customer’s true identity
- The methods and results of any non-documentary evidence that was used to verify the customer’s identity
- How any substantive discrepancy in the verification process was resolved
Banks have to keep these records for five years after the account is closed or, if it is a credit card account, becomes dormant. This is important: The five-year retention window begins when the account is closed, not when it is opened.
Check Government Watch Lists
The main reason for much of this information gathering is to ensure that the financial institution is not enabling money laundering activities that are associated with terrorism. Every CIP has to include the procedures that the institution takes to determine whether any account applicant is on a U.S. Treasury-designated list of known or suspected terrorists or terrorist organizations.
Customer Notification Requirements
Finally, the CIP has to include procedures for how bank customers or account applicants are notified that the bank is requesting information to verify their identity. Regulations require the notice to generally describe the identification requirements. The notice has to be made reasonably available to customers.