Across the world, banks, lenders, credit unions, insurers, various enterprises and other financial institutions are obligated to gain a comprehensive understanding of their customer base and assess potential risks. This obligation, mandated by various legislation over the world, aims to detect and stop instances of money laundering, fraud, terrorist financing, and other financial crimes. The protocols that businesses institute and adhere to in order to meet these requirements are widely recognised as Know Your Customer (KYC).
A pivotal aspect of KYC is the Customer Identification Program (CIP). In the following article, we’ll delve into the nature of a customer identification program, its operational mechanisms, the essential criteria that all CIP programs must fulfil to align with Anti-Money Laundering (AML) regulations, and a step-by-step exploration of the customer identification procedure.
Requirements for Customer Identification Programs
In order to combat money laundering, all customer identification programs are required to fulfill six key criteria as outlined in the CIP Final Rule, originally established under the USA Patriot Act and closely adapted in other countries. These criteria include:
- Establishing a well-documented CIP program.
- Collecting four specific pieces of identifying information from customers: their name, proof of address, date of birth, and government-issued identification number.
- Implementing customer Identity Verification (IDV) procedures.
- Adhering to record-keeping requirements mandated by the law.
- Conducting comparisons against official government registries to ensure compliance.
- Instituting a systematic process for notifying customers that their information is being requested for identity verification.
It’s important to note that while the CIP Final Rule provides a framework with these requirements, it does not impose rigid rules beyond them. As long as the outlined requirements are met, businesses have considerable flexibility in tailoring their CIP programs to suit their specific needs.
The Customer Identification Procedure in Detail
Let’s take a look at the requirements outlined in the CIP Final Rule and how they might look for your customer identification program:
If your business is subject to the CIP Rule, merely having a customer identification program isn’t sufficient. It must be meticulously documented and shared with all employees involved in the process. This comprehensive document should outline the entire CIP process, including instructions for potential risk scenarios, such as politically exposed persons (PEP) or reputational risk media. Additionally, it should encompass your business’ privacy and security policies, detailing the proper methods for collecting, storing, retrieving, and accessing customer information.
Collection of Identifying Information
Your CIP program is required to collect four key pieces of information for each new customer: Name, Date of Birth, Address, and an Identification Number (e.g., SSN, TIN, passport number). While these are the mandated minimum, businesses can choose to collect and verify additional information based on unique needs and risk factors. Commonly connected data, such as phone numbers and email addresses, can also be incorporated into your CIP processes for enhanced verification methods.
Identity Verification Procedures
The CIP rule mandates IDV for all new customers, but it doesn’t prescribe specific verification methods. According to FinCEN, a business does not need to establish the accuracy of every element but should do so for enough information to form a reasonable belief in the true identity of the customer. Verification methods can include document verification, database checks, and biometric verification, each leveraging different aspects for authentication.
Beyond collecting customer information, businesses must retain this data for the duration of the individual’s account and an additional five years after closure. This encompasses all information collected directly from the individual, as well as any documents or data used for identity verification.
Screening Against Government Lists
The CIP rule necessitates screening customers against official government lists to avoid engaging with sanctioned or suspected individuals, known terrorists, or politically exposed persons. Continuous screening is crucial, not just during account opening but throughout the customer relationship. While not mandatory, businesses may also leverage social media screenings, address lookups, and email/phone risk screenings for additional scrutiny.
Businesses are required to provide customers with adequate notice when requesting information, documentation, or other materials for IDV. This step can be leveraged to build trust by explaining the purpose of data collection, making customers more willing to submit the required information.
Distinguishing CIP from KYC
While the terms “customer identification program” and “Know Your Customer” are often used interchangeably, it’s important to note that they are not precisely synonymous. In simple terms, your customer identification program is just one component of your comprehensive KYC strategy.
Other integral elements of your KYC program, which fall outside the scope of CIP, include customer due diligence (CDD) and continuous monitoring:
Customer due diligence involves specific processes crafted to evaluate customer risk. For situations with lower risk, a streamlined due diligence process may suffice, while situations presenting higher risk may necessitate an enhanced due diligence (EDD) approach.
Ongoing monitoring entails the ongoing scrutiny of individuals and their transactions to detect any suspicious activities. Any such findings must be promptly reported to FinCEN and any other relevant regulatory bodies.
Who Falls Under the Jurisdiction of the CIP Rule?
Any entity identified as a financial institution according to the Bank Secrecy Act and its associated laws is obligated to establish a CIP program. This encompasses not only conventional financial institutions like banks, lenders, and brokers but also extends to other entities, such as insurance agencies, gambling services, payment companies, cryptocurrency exchanges, fintech firms, and various others.
It’s noteworthy that several businesses, even those not mandated by law to implement a CIP program, choose to do so voluntarily. This decision is often driven by the desire to enhance customer experience and overall business benefits. For instance, social media platforms and online dating services may opt for CIP programs to instill trust and provide a more secure environment for their users.
In an era where digital interactions shape financial landscapes, a well-implemented Customer Identification Program is not just a checkbox on a regulatory list; it’s a commitment to building a secure and trustworthy business environment. As technologies evolve, so will CIP strategies, ensuring businesses stay ahead in the ongoing battle against financial crimes.