CIP Requirements for Banks and Credit Unions

One of the most challenging parts of any financial institution’s Bank Secrecy Act (BSA) program is to have an effective Customer Identification Program (CIP) that forms a reasonable belief that the institution knows the true identity of the person they are opening account for.  Understanding CIP requirements is essential as an insufficient CIP program can lead to significant consequences such as regulator enforcement actions and civil money penalties (fines).

While on the surface CIP requirements may seem fairly simple, they are actually quite complex when considering all of the different types of persons that may be opening account, such as:

  • CIP requirements for existing customers

  • CIP requirements for individuals

  • CIP requirements for businesses

  • CIP requirements for POAs (power-of-attorney)

  • CIP requirements for government entities

In order to understand the CIP requirements for some of the specific persons who may be opening an account, we must first understand the general CIP requirements for banks and credit unions.

General CIP Requirements

Each bank and credit union (and other financial institutions) must have a written Customer Identification Program (CIP) that is approved by the organization’s Board of Directors.  The program must be designed for the size, complexity, and risk profile of the organization. This means that a small, one branch financial institution located in the rural Midwest will most likely have a fairly straightforward and simple CIP program while a large financial institution that opens online accounts and has locations in Miami, FL and other high-risk geographies, will need to have a robust CIP program.

While CIP requirements set forth some minimum procedures that must be created, the ultimate goal of any CIP program is to have established policies and procedures that allow an organization to form a reasonable belief that it knows the true identity of each customer.  If a financial institution is unable to form a reasonable belief that they know the true identity of the customer, the account should not be established.

In establishing their CIP program, financial institutions must consider applicable risks related to potential money laundering and other financial crimes by considering:

  • The types of accounts offered by the bank.

  • The bank’s methods of opening accounts.

  • The types of identifying information available.

  • The bank’s size, location, and customer base, including types of products and services used by customers in different geographic locations.

CIP Requirements for New Customers and New Accounts

CIP requirements apply to each “customer” on an “account.”  In short, this means that CIP rules apply to any new customer relationship that is expected to continue on.  A “customer” is defined as a “person” which includes more than just natural persons. The CIP definition of a “customer” includes individuals, corporations, partnerships, trusts, estates, and other entities recognized as a legal person who either:

  1. Opens a new account;

  2. An individual who opens a new account for another individual who lacks legal capacity; and,

  3. An individual who opens a new account for an entity that is not a legal person.

Under CIP rules, an “account” is a formal banking relationship that provides or engages in services, dealings, or other financial transactions.  In other words, an account is an ongoing relationship with a financial institution like a deposit account, a transaction or asset account, a credit account or another extension of credit, and even a relationship established to provide a safe deposit box or cash management services.  Accounts do not include one-time interactions such as check cashing, ATM withdrawals, funds transfers, or the sale of a check or money order.

CIP Customer Information Requirements

Each CIP program must include account opening procedures that detail the identifying information that must be collected from each customer.  CIP rules require that at least the following must be collected from each customer:

  • Name

  • Date of birth (for individuals)

  • Address (physical location, not P.O. box)

  • Identification Number

    • For US persons this includes a Tax Identification number (TIN) like a Social Security number

    • For non-US persons this could include a TIN; a passport number and country of issuance; an alien identification card number; or a number and country of issuance of any other unexpired government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.

CIP Requirements for Customer Verification

Once a bank or credit union has collected the required CIP customer information, the CIP program must contain risk-based procedures for verifying the identity of the customer within a reasonable period of time after the account is opened.  These procedures must explain when the financial institution will verify the customer’s identity through:

  • Documentary verification

  • Non-documentary verification

  • A combination of both

CIP Requirements for Documentary Verification

When a financial institution utilizes documentary methods to verify a customer’s identity, they must have procedures that explain the minimum acceptable documents needed to open an account.  These procedures must establish the minimum requirements for both individuals as well as what is required for legal entities. Examples of documentary verification include a driver’s license or passport for individuals and for legal entities, documents that prove the legal existence of the entity such as articles of incorporation, a business license, or a partnership agreement.

CIP Requirements for Non-Documentary Verification

CIP guidance is clear that non-documentary methods to verify a customer’s identity is not required.  That said, most financial institutions will establish non-documentary verification for instances when documentary verification cannot be obtained.  Examples of non-documentary verification could include include contacting a customer; independently verifying the customer’s identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement.

CIP Requirements for Existing Customers

The CIP requirements for existing customer will first depend on a financial institution’s established policy and procedures.  That said, CIP rules specifically exclude existing customers from the definition of a “customer” as long as the financial institution has already established a reasonable belief that it knows the customer’s true identity.  The idea with CIP requirements is that a financial institution only needs to form the “reasonable belief” that they understand a customer’s identity once - meaning that once they are an established customer, there is no need to form a reasonable belief again for every other account they may open.

One challenge that financial institutions often have in understanding CIP requirements for existing customers is how CIP applies to existing customers who opened their accounts before the financial institution first established their procedures to form a reasonable belief to understand the true identity of their customer’s, when typically occurred in the early 2000’s.  For example, if a customer first established their accounts with a bank in the 1980’s, it is very likely that the bank did not collect all of the information they require today as CIP rules did not exist at that time. In order to address the challenges with long-time customers opening new accounts, most financial institutions have included a statement in their policy that they have a reasonable belief that they understand the true identity of their long-time existing customers (who opened accounts before CIP requirements were established).

CIP Requirements for Individuals

While CIP requirements for individuals should be addressed in a financial institution's CIP policy, most financial institutions will typically utilize documentary verification by requiring an unexpired government-issued ID bearing a photograph of the individual.  The most common types of documentary verification for individuals include driver’s licenses, state-issued ID cards, passports and military IDs. (It is important to note that military ID cards should never be photocopied as military rules prohibit servicemembers from allowing anyone -with a few minor exceptions- from making a copy of their identification.)

CIP Requirements for Businesses

CIP requirements for businesses are governed by the CIP policy of a financial institution but will typically include documentary verification that establishes proof of existence of the entity.  These documents often include things like Articles of Organization, a Partnership Agreement, or even proof of receipt of a TIN from the IRS. In addition to these documents, it is important for financial institutions to have a way to ensure that the individuals opening the account on behalf of the business have the authority to do so.  For this reason, many financial institutions will require the individual(s) opening the account to provide a corporate resolution to explain who has authority to manage the business while other institutions will require Board minutes authorizing the individual to establish the account on behalf of the business.

CIP Requirements for POAs (Power-of-Attorney)

The CIP requirements for a power-of-attorney (POA) will vary based on the legal capacity of the individual on whose behalf the account is being opened.  If the individual lacks legal capacity, BSA rules state that the “customer” is the person opening the account on behalf of the person lacking legal capacity.  On the other hand, if the person does not lack legal capacity, the POA is not your customer and is technically subject to CIP rules. That said, the policy of a financial institution will dictate the actual requirements for the CIP requirements for POAs.

CIP Requirements for Government Entities

Government entities are typically going to be exempt from CIP requirements as most government entities are not included in the definition of a “customer” under BSA rules.  Specifically, 31 CFR 103.22(d)(2)(ii) and (iii) include the following exemptions to the definition of a “customer”:

(ii) A department or agency of the United States, of any State, or of any political subdivision of any State;

(iii) Any entity established under the laws of the United States, of any State, or of any political subdivision of any State, or under an interstate compact between two or more States, that exercises governmental authority on behalf of the United States or any such State or political subdivision;"

Therefore, if a government agency falls within the definition of 103.22(d)(2)(ii) or (iii), it is technically exempt from CIP rules - unless the financial institutions CIP program does not exempt such agencies.


Fall 2018 CFPB Rulemaking Agenda

Regulation CC Lobby Disclosure Requirements

Regulation CC Lobby Disclosure Requirements