A Know Your Customer (KYC) procedure has many components, so some people may get lost when navigating the specific requirements for any given field. For instance, a Customer Identification Program (CIP) is a requirement developed by US lawmakers for local companies that seems to be a synonym for this procedure. However, they are not the same.
In this article, we will bring all the pieces together to give you a clear understanding of the purpose and significance of KYC and CIP. Spoiler: They indeed fall under one umbrella.
CIP: A short definition
A Customer Identification Program (CIP) is a set of procedures which financial institutions and similar companies must follow to comply with US law. This requirement is mandated by regulations such as the Bank Secrecy Act and the USA PATRIOT Act. CIP describes the procedures designed to screen customers to detect and deter occurrences of money laundering, fraud, terrorist financing, and other illicit financial activities.
Importantly, all CIP requirements target only financial institutions and businesses in the USA. However, their overseas offices may also follow these rules when they are consistent with local laws.
Key policies associated with a CIP are also described in examination manuals for financial supervisors. In this article, we consider the recommendations from the Bank Secrecy Act/Anti-Money Laundering Examination Manual Update issued in February 2021 by the Federal Financial Institutions Examination Council and Part 1020 – Rule For Banks by the US Department of the Treasury.
CIP vs. KYC: A quick explainer
KYC is associated with a batch of regulations that companies from the banking sector must follow. All these guidelines reference the verification of current or potential customers regarding their identity, suitability, and attendant risks.
Therefore, KYC is not a single regulation/directive/law, but a practice or framework that helps businesses stay compliant with legal requirements, such as the Fifth Anti-Money Laundering Directive in the EU, and the Money Laundering Regulations in the UK. That is, each country has its own perception of what steps KYC should include.
According to US regulators, the KYC framework consists of three key elements:
Customer Identification Program (CIP)
Customer Due Diligence (CDD)
Enhanced Due Diligence (EDD)
The Basel Committee's interpretation
The Basel Committee on Banking Supervision (BCBS) is a forum of banking supervisory authorities from 28 countries, including the US, the UK, and Belgium; as such, the committee interprets KYC requirements. According to this BCBS consultative document, KYC must include four essential elements: customer acceptance policy, customer identification, ongoing monitoring of high-risk accounts, and risk management.
Which procedures to include in your CIP program
Firstly, the CIP should exist in written form in the bank’s documentation. It should also be incorporated into the bank’s BSA/AML compliance program and approved by the board of directors.
Customer identity verification is at the heart of CIP. Let’s see in detail which procedures the program must describe.
Required customer data
To stay in compliance with the CIP rule, banks should collect at least four pieces of information from each customer who wants to open an account. The list includes:
Name
Date of birth
Address, e.g., a residential or business street address, Army Post Office, or Fleet Post Office box number
Government-issued identification number, e.g., a taxpayer identification number for US residents or passport identification number for foreign citizens
Typically, this dataset can be obtained from the individual’s identity document(s). However, when opening credit card accounts, financial organizations may also acquire the customer’s information from third parties.
The next step involves checking whether the customer’s identity is genuine. To do this, banks must verify all obtained information via document verification and/or non-documentary methods.
Document verification involves authenticity checks of the customer’s identity document(s). The document(s) must be valid (i.e., not expired) and provide the inspector with evidence of the individual’s nationality and/or residence, as well as their photo. The most common examples are passports and driver’s licenses.
The rule also highlights that banks can review more than one document to prevent cases involving fraudulently obtained or counterfeit IDs.
Non-documentary methods may include:
Contacting the customer
Verifying the individual’s identity by comparing their data against data from third-party sources, such as consumer reporting agencies or public databases
Checking the data from other financial institutions
Obtaining a financial statement if the customer represents a business
Banks must also have procedures for handling cases where verification is lacking. For instance, the bank should define the terms under which it won’t open an account.
This stage describes the mandatory procedures associated with current customers. Banks must retain all obtained personal data for five years after the account is closed or becomes dormant. They can also store copies of identity documents.
Additionally, the following descriptions must be kept:
The identity document data: its type, identification number, place and date of issuance, and expiration date
The verification data: the methods used for verification and the verification results
The discrepancy data: all discoveries made when checking the person’s information
Comparison with government lists
Either before or after the account is opened, banks must screen the customer against lists of known or suspected terrorists or terrorist organizations issued by federal government agencies.
There are no designated government lists created exclusively for CIP purposes. Typically, they include lists maintained by the US Treasury. Furthermore, banks should cross-reference customers with the Office of Foreign Assets Control list.
Finally, banks following the CIP rule must notify customers about collecting their data for identity verification. There are no set ways to do this, so businesses can seamlessly incorporate this element into their current identity verification flow.
Some examples of adequate notices cited by regulations include:
Posting a notice in the bank’s lobby
Publishing a notice on the bank’s website
Including a notice with application documents
Businesses can also provide customers with other written or oral notices. Clients must understand and accept these notices before their account is established.
How Regula can help you stay compliant with CIP
Since identity verification (IDV) is at the core of the CIP rule, you need a reliable solution to conduct such checks properly. Considering the growth of remote interaction between financial institutions and customers, the solution should also cover online verification scenarios.
Regula Document Reader SDK is a single-vendor identity verification solution that helps you build a smooth IDV flow while complying with CIP and KYC regulations. Thanks to the data entry automation, you can ensure that accurate client data is seamlessly integrated into your systems. The complete set of authenticity checks enables you to ensure that each new customer is a genuine individual with a real ID. This cross-platform solution can be easily implemented into your web platform or application.