What Is a Customer Identification Program (CIP)?
A customer identification program (CIP) is a set of processes that financial institutions and organizations such as payment service providers (PSPs) must follow to verify that their customers are who they say they are.
In the USA, operating a CIP is a legal requirement for many types of businesses, including banks, currency exchanges, and insurance companies. It falls under the Bank Secrecy Act (BSA) and the Patriot Act. Formal CIP-style programs are also legally mandated in other countries.
CIP is part of the compliance requirements for Know Your Customer (KYC) processes. The key requirement of all CIP programs is that they must collect and verify specific customer information, usually:
- Their name, address, and date of birth
- A government-issued ID number, such as a passport number or Social Security number
How Much Information Should Businesses Obtain When Operating CIPs?
Bank Secrecy Act guidance from the US Federal Financial Institutions Examination Council (FFIEC) states that a business should gather “enough information to form a reasonable belief it knows the true identity of the customer.”
Businesses have considerable flexibility in how they achieve this, both in collecting and verifying information as part of a CIP. Many businesses choose to collect and verify information that goes beyond the core requirements.
A CIP should:
- Lay out exactly which information will be gathered and how it will be verified.
- Fully document the processes – to prove compliance and to provide the business with clear guidelines.
- Include precise guidelines around record keeping and data retention.
- Incorporate practices for communications with the customer around which data are collected and why.
Why Do You Need a Customer Identification Program?
Operating a customer identification program is a legal requirement in many financial organizations. Other businesses that process financial transactions must often have (or choose to have) a CIP in place.
Such organizations include:
- investment management firms
- real estate businesses
- casinos and gaming sites
- insurance companies and brokers
- travel firms
- currency exchanges
- credit unions
The benefits of running a customer identification program include:
- compliance with KYC and Customer Due Diligence (CDD) legislation
- reduced risk of fraud
- improved customer confidence
- enhanced risk management
Documentation Vs Non-Documentary Methods of Identity Verification
Customer identification programs often make use of a combination of documentation and non-documentary identity verification methods. Here’s a closer look at the methods involved.
Documentation verification involves checking “primary sources.” These are the documents themselves. They could be:
- provided in their physical form (i.e. taken into a branch)
- scanned or photographed
- shown during ID verification calls
This traditional identity proofing method can be a valuable way to demonstrate due diligence, especially when documents are physically checked. In an in-person setting, it provides a way to check a photo ID against the human submitting it.
However, documentation verification is exposed to forgery and, when carried out online, to deepfakes. It can also be time-consuming to process, with a risk of human error.
Non-documentary methods include:
- Cross-referencing information against centralized databases or third-party data sources.
- The use of AI and digital footprinting to perform background validation on customers, such as checking their location and social media presence.
- The use of specialized digital identity verification tools for behavioral analysis and biometric authentication.
- The use of digital certificates and biometrics – especially as, according to Research and Markets, the financial sector is predicted to increase its expenditure on biometrics in the run-up to 2030.
These non-documentary methods can cut costs, automate processes, reduce customer friction, and detect fraud and identity theft that manual methods are more likely to miss.
However, some non-documentary methods may not meet compliance requirements, especially when used in isolation. Their digital nature also makes them vulnerable to hacks, spoofing, and impersonation attacks.
Knowing the importance of limiting friction, most companies combine documentation and non-documentary verification techniques to find a sweet spot between customer experience, fraud risk minimization, and legal compliance.
Conduct a Risk Assessment Before Creating a CIP
Before creating a CIP, businesses should ask themselves the following questions:
- Which mandatory legal and regulatory requirements does the business need to comply with?
- Where does the business conduct its operations? (Companies operating across borders will likely be required to comply with the law in all territories in which they operate.)
- How does the CIP tie in with overarching requirements around KYC, anti-money laundering (AML), and so on?
- What is considered industry best practice? What are competitors doing?
- Which technologies and verification methods are available?
- What expectations do customers have?
- Which specific challenges and risks is the business exposed to?
Answering the questions above will enable the business to conduct a risk assessment and a cost/benefit analysis specific to its operations and sector.
The exact design of the CIP processes is specific to each company and should consider its exposure to risk, compliance obligations, and industry-specific needs. For example, a high-street bank would need a far more stringent CIP than a pawnbroker dealing in smaller transactions. Nevertheless, the latter may wish to build in specific fraud prevention measures to counter risks specific to its sector.
What Should a Customer Identification Program Include?
An effective customer identification program should include full documentation, data collection, identity verification, data retention, screening, and customer communication.
Let’s now take a closer look at each of these.
Full Documentation
It’s not enough to request and verify the key information listed above. A CIP should include full process documentation, meaning it details:
- which information is gathered
- how the information is verified
- how exceptions and manual reviews are handled, such as those for politically exposed persons (PEPs)
- internal roles and responsibilities
- details on data storage, privacy, security, and retention
CIP documentation should be detailed enough to facilitate internal training and process management – not just to prove compliance.
Data Collection
The CIP should consider exactly which data are collected from customers and how they are collected. For example, are customers required to attend appointments, send in documents, or use online ID verification methods?
While the US legislation for customer identification programs lists just a few mandatory data points (as detailed above), many companies will choose (or be required) to collect other supplementary information. This may be used in other areas of KYC and/or to undertake further checks.
A good example is the collection of email addresses or phone numbers, which can be used with reverse phone lookup solutions to carry out further due diligence on each customer.
Identity Verification
While CIP legislation is specific about the information organizations need to gather, it offers total discretion regarding how to verify it.
A customer identification program should lay out the exact processes for verifying customer data. This may include manual and automated checks, branching into specifics based on customers’ perceived risk levels.
For example, a business may use an AI-powered tool that flags high-risk customers for manual review or one that uses device fingerprinting to highlight when a customer’s location or computer configuration doesn’t ring true.
Data Retention
Companies must retain data processed during CIP procedures to prove compliance and due diligence. Exact data retention rules vary from country to country. Often, the requirement is that data are retained for the duration of the customer relationship and several years after its termination.
Companies must ensure data are kept securely and in a way that maintains customer privacy. Organizations with lapses in security can face significant penalties. The US Securities and Exchange Commission issued fines to eleven American banks in a record-keeping probe in 2022, with fines reaching $1.8 billion for “cybersecurity shortcomings.”
Screening
Organizations such as financial institutions are required to comply with AML legislation and check customers against various lists, such as PEP lists, sanctions lists, and watchlists.
Often, such checks can be automated via an ID verification system that references various global watchlists. As well as checking official government lists, these can identify customers subject to adverse media attention. Checks can be on companies as well as individuals.
Customer Communication
Customers must be informed about the data companies are collecting, why they are collecting them, how they will be used and stored – and for how long. Customers can also request copies of the data companies hold.
The laws on this vary around the globe. Examples include the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
As well as ensuring legal compliance, offering transparent customer communication can build customer confidence.
How Does Having a CIP Help You Fight Fraud?
A formal CIP provides a business with a fixed procedure for complying with ID verification law. Doing so minimizes fraud by ensuring all customers go through adequate document checks.
Furthermore, establishing a CIP encourages businesses to perform a detailed risk assessment. This can help tease out where fraud risks exist so that solutions can be implemented to minimize them. For example:
- The risk assessment may shed light on sector-specific risks that could be mitigated by implementing additional checks at the point of onboarding.
- The risk assessment could encourage discussion of past fraud incidents, leading to an examination of how to prevent them from reoccurring.
Businesses without a CIP put themselves at considerable risk, and if they do so in a sector where it’s mandatory, they are in direct breach of legislation.
Sources
- Federal Financial Institutions Examination Council (FFIEC): BSA/AML MANUAL
- Research and Markets: Biometrics for Banking and Financial Services: Global Strategic Business Report
- Security Intelligence: Cost of a data breach 2023: Financial industry impacts
- Banking Dive: SEC, CFTC Fine 11 Banks
Customer Identification Program FAQs
A CIP must establish a documented process to ensure that a business checks that all its customers are who they purport to be. The core requirement is to verify names, addresses, and dates of birth alongside a formally issued government ID number (such as one from a driving license or passport). Additionally, a CIP should encompass how data are collected, checked, stored, and screened.
Your business will often need a CIP because it’s a legal requirement. For example, a CIP is mandatory in the US for many businesses processing financial transactions, from small travel companies to large banks. Even in cases where having a CIP isn’t legally mandated, it pays dividends to implement one to reduce fraud risks and prove due diligence when onboarding new customers.