"Customer Identification Program" or CIP
The Statutory Provisions
(Sec. 326): The Act requires the Secretary to issue regulations requiring institutions to verify the identity of a customer opening an account. The regulations must, at a minimum, require procedures for (1) verifying the identity of a person opening an account, (2) maintaining the records of information used to identify the person opening an account, and (3) consulting lists of known or suspected terrorists or terrorist organizations provided to the financial institution by any government agency to determine whether a person seeking to open an account appears on any such list.
The Act says that the regulations must be in effect within one year following the enactment date, which was October 26, 2001. The Treasury announced in October of 2002, however, that the regulations would not be available by this deadline, and institutions subject to the rules would not have to comply until final regulations are issued and become effective. See Treasury’s Office of Public Affairs, PO-3530, October 11, 2002.
The Treasury Department and the federal financial institution regulatory agencies jointly issued a final regulation in May of 2003. [Federal Register, May 12, 2003, beginning at page 25089] This regulation has a mandatory compliance date of October 1, 2003.
Treasury's regulation
he regulation requires that you “implement a written Customer Identification Program (CIP)….” [31 CFR 1010.220(a)] In other words, you must have this program in writing and you must implement the program. The regulation and our description of it often talk in terms of what your written program must contain. But don’t forget that you are also required to implement your written program.
The purpose of the regulation and the goal of your program are to enable you to have a reasonable belief that you know the true identity of your customers.
Scope of your program
Your program must apply to “customers” who open a new “account.” This term is defined as “a formal banking relationship established to provide or engage in services, dealings, or other financial transactions including a deposit account, a transaction or asset account, a credit account, or other extension of credit.” [31 CFR 1020.100(a)]
Note that the definition refers to a “relationship.” This implies something ongoing, something beyond a single transaction, and the definition goes on to specifically exclude transactions that lack that ongoing quality: “’Account’ does not include…a product or service where a formal banking relationship is not established with a person, such as check-cashing, wire transfer, or sale of a check or money order.” [31 CFR 1020.100(a)]
Also excluded are accounts you acquire through acquisition, merger, purchase of assets, or assumption of liabilities. [31 CFR 1020.100(a)] “Account” also does not include an account opened for the purpose of participating in an employee benefit plan established under the Employee Retirement Income Security Act of 1974. [31 CFR 1020.100(a)]
If a person with power of attorney opens an account on behalf of someone else, the person on whose behalf the account is opened is the “customer” whose identity you need to verify, if that person is competent. If that person is not competent, then the person with power of attorney is the “customer” whose identity needs to be verified. Also, if a person becomes a co-owner of an account, that person is a “customer” whose identity must be verified. “Customer” does not include a person who has an existing account with the institution when opening the new account, as long as the institution has a reasonable belief it knows the true identity of the person. As a result, the verification procedures need not be applied when a time deposit is automatically renewed. [31 CFR 1020.100(a) and Joint Agency FAQs: Final CIP Rule, January 2004]
Finally, be aware that “account” is not limited to deposit accounts. It also includes credit arrangements.
Components of the CIP
The regulation requires that your CIP have some minimum components. They are: (1) procedures for verifying the identity of a customer opening a new account; (2) record-keeping procedures; (3) procedures for checking the customer’s name against federal government lists of known or suspected terrorists or terrorist organizations; and (4) procedures for notifying customers that you are collecting and verifying identifying information.
Before we look at the details of these components, however, you should know why we refer to these as minimum components. We do this because the regulation establishes a general requirement that your CIP be “risk-based.” This means that, in putting together your CIP, you must take into account the level of risk presented to you by factors such as the size and location of your institution, your customer base, the different types of accounts you offer, the methods by which a customer can open an account, and so on. [31 CFR 1020.100(a)]
Also, before we get into the details, we should define “customer.” This term means: (1) A person that opens a new account; or (2) An individual who opens a new account for an individual who lacks legal capacity (e.g., a minor) or an entity that is not a legal person, such as a civic club. [31 CFR 1020.100(c)] Excluded from the definition are most financial institutions, federal and state agencies, quasi-governmental agencies, and entities listed on major stock exchanges. [31 CFR 1020.100(c)) and (B)] Also, and perhaps most important, “customer” does not include someone opening an account if the person has a preexisting account with the financial institution, and the institution has a reasonable belief that it knows the true identity of the person. [31 CFR 1020.100(c)]
Verification procedures. First, your policy must be to collect basic identification information. The following items are required [31 CFR 1020.220(a)]: (1) the customer’s name; (2) the customer’s date of birth (if the customer is an individual as opposed to an entity, such as a corporation, partnership, etc.); (3) the customer’s address (if the customer is an individual, then you need the customer’s residential or business street address—rural route number is acceptable (see Joint Agency FAQs: Final CIP Rule, January 2004); if the customer is not an individual, then get the address of the principal place of business, local office, or other physical location); (4) an identification number (if the customer is a U.S. person, get the taxpayer identification number (TIN)—a social security or employer identification number; otherwise, get a TIN if available or a passport number with country of issuance, alien identification number, or some other number from a government-issued document with a photo identification showing nationality or residence along with country of issuance).
Two qualifications: First, if the customer is a foreign business without an identification number, you must obtain government-issued documents that prove the existence of the business. [31 CFR 1020.220(a)] Second, your CIP can include procedures for opening an account for a customer who has no TIN but has applied for one. Your procedures must include confirming that the customer has filed an application and obtaining the TIN within a reasonable time. [31 CFR 1020.220(a)] The regulation has no guidance on how to confirm the filing of an application.
Once you have the basic identifying information, your policy must provide for verifying the customer’s identity using the information you collect and doing so within a reasonable period of time. [31 CFR 1020.220(a)] You can do this through examining documents or in some other fashion.
Documentary verification means looking at documents that tend to prove that the identifying information you have collected is correct. Your CIP should specify what sorts of documents you will use to make this verification. For example, you could use a driver’s license or a passport or some other unexpired, government-issued identification that shows nationality or residence and has a photograph. [31 CFR 1020.220(a)] Other documents, such as an employee identification card, would be sufficient if they provide the institution with a reasonable belief that it knows the true identity of the customer. [Joint Agency FAQs: Final CIP Rule, January 2004] Of course, if the customer is someone other than an individual, it won’t have a driver’s license. That customer should be able to provide some government-issued document that tends to prove that it exists—such as certified articles of incorporation if the customer is a corporation. A business license, a partnership agreement, or a trust instrument might work for other entities. [31 CFR 1020.220(a)]
There may be times when you need to verify information in some way other than by looking at a document. For example, the customer may not have a driver’s license or similar document, or you may not be familiar with the documents the customer does produce. Or the customer may open the account without being at the institution in person or may open it in some other way such that no documents are presented. There may even be circumstances where you think the risk of not knowing the true identity of your customer is high even if normal documents are produced and you feel obligated to make further verification efforts.
If you think that will be the case and you intend to rely on some other means of verifying information, your CIP must address those circumstances and describe those means. [31 CFR 1020.220(a)] The regulation provides some examples: contacting the customer; independently verifying the customer’s identity through the comparison of information obtained from a consumer reporting agency, public database, or other source; checking references with other financial institutions; and obtaining a financial statement. [31 CFR 1020.220(a)]
The regulation specifically requires that your CIP address another situation—where the customer is an entity of some sort rather than an individual, and you are unable to verify the entity’s true identity through the normal documentary and nondocumentary means. Your CIP must address identity verification aimed not at the entity but at those individuals with ownership or control over the account, including those who are acting on the entity’s behalf in opening the account. [31 CFR 1020.220(a)]
Finally, you may see situations where, no matter what you do, you simply cannot verify the identity of the customer. Your CIP must address those circumstances and spell out what your institution’s response will be. Possible responses include: refusing to open the account; establishing terms under which the customer may operate the account while you are attempting to verify identity; closing the account if you are not able to verify identity; and filing a Suspicious Activity Report. [31 CFR 1020.220(a)]
Record-keeping requirements. The basic record-keeping rule is that you must make and keep a record of all the information you obtain in the course of implementing your CIP. More specifically, the regulation imposes the following minimum requirements: (1) You must retain all the identifying information you collect about the customer (name, address, date of birth, TIN, etc. —if the customer changes addresses, you must still retain the original address [Joint Agency FAQs: Final CIP Rule, January 2004]); (2) You must make and retain a description of any documents you rely on to verify the identifying information (driver’s license, passport, etc.—you need not make a copy, though a copy would probably satisfy the “description” requirement. The description must include the type of document, any identification number, place and date of issuance, and expiration date.); (3) You must make and retain a description of any nondocumentary verification efforts you made; and (4) You must make and retain a description of how you resolved any discrepancies you discovered in the course of your verification process. [31 CFR 1020.220(a)]
You must keep the identifying information [number (1) in the previous paragraph] for five years after the account is closed (or, if the account is a credit card account, for five years after the account is closed or becomes dormant). [31 CFR 1020.220(a)] The rest of the records [numbers (2), (3), and (4) in the preceding paragraph] you need only keep for five years after you make the record. [31 CFR 1020.220(a)]
Checking the customer’s name against federal government lists. Your CIP must provide that you check your customer’s name against lists designated by the Treasury as lists of known or suspected terrorists or terrorist organizations. At the time of this writing, the Treasury had not yet designated any lists. The CIP must provide that this check will be done within a reasonable time after account opening, but also that the check will be earlier if required by federal law or directive. The CIP must also provide that the check will comply with any other federal directives. [31 CFR 1020.220(a)]
Notice to the customer. The purpose of the notice requirement is to let the customer know that you are collecting and verifying certain identifying information. The notice must generally describe the identification requirements of the CIP regulation. You’re allowed to provide the notice in any way that allows the customer a reasonable opportunity to see it prior to opening an account. You can also give the notice to the customer before opening the account. The regulation authorizes posting the notice in the lobby or on your web site, and putting the notice on account applications, or any other form of written or even oral notice. The regulation also provides a nonmandatory sample form for the notice. [31 CFR 1020.220(a)] The notice must be provided to all owners of a joint account. [Joint Agency FAQs: Final CIP Rule, January 2004]
A final thought on the CIP regulation: You are allowed to contract with a different financial institution to perform some or all of the duties you have in implementing your CIP. Relying on another financial institution is subject to some conditions, however. First, your reliance must be “reasonable.” This implies some level of due diligence on your part when deciding whether to rely on the other financial institution. Second, the other financial institution must be subject to a rule implementing 31 USC 5318(h) and regulated by a “federal functional regulator.” The USC section requires anti-money laundering programs, and federal functional regulators are the federal financial institution regulatory agencies and a few others. Third, the contract must require the other financial institution to certify annually that it has implemented its anti-money laundering program and that it or its agent will perform the duties under your institution’s CIP. [31 CFR 1020.220(a)]