Money launderers often use financial institutions to deposit, hide, transfer, and ultimately launder illicit funds, thus posing a serious threat to the financial institution itself and the integrity of the financial system as a whole.
One specific requirement of AML legislation is the obligation for financial institutions to implement a customer identification program (CIP). A CIP is an important risk management tool that provides organizations with a better understanding of the business relationships they are entering into with potential customers.
The Origin of CIP Rules
The BSA provides the foundation for Know Your Customer (KYC) requirements, including customer identification and verification. However, it wasn’t until after the 9/11 terrorist attacks that CIP requirements were finally formalized. These requirements are contained in Section 326 of the USA PATRIOT Act, which directs the U.S. Treasury Department to implement regulations requiring U.S. financial institutions to establish a CIP. As a result, in 2003, the Financial Crimes Enforcement Network (FinCEN) promulgated a rule imposing CIP requirements on financial institutions. These requirements became known as the CIP rule.
What is a Customer Identification Program
FinCEN requires each financial institution to have a written CIP that is incorporated into its BSA/AML compliance program, which is subject to approval by the institution’s board of directors.
A CIP is a set of procedures through which businesses verify the identity of their customers. A CIP enables businesses to know that their customers are indeed who they say they are, and to anticipate and understand the types of transactions in which their customers are likely to engage.
Customer identification and verification processes and procedures help financial institutions ensure that their customers will not use the institution in further of illicit activity and thereby expose the business to reputational, legal, and operational risk.
CIP Rule Requirements
An institution’s CIP must include account opening procedures that detail the identifying information that will be collected from each customer. The CIP must also include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. Identity verification must be performed within a reasonable time after the account is opened.
There are six minimum requirements outlined in the CIP rule that must be met. These requirements include:
- Establish a documented CIP program
- Collect four specific pieces of identifying customer information:
- customer’s name,
- address (physical location, not P.O. Box),
- date of birth (for individuals), and
- government-issued identification number (such as a Social Security number for U.S. persons, or a passport number and country of issuance for non-U.S. persons)
- Establish identity verification procedures (these procedures must explain when the financial institution will verify the customer’s identity through documentary verification, non-documentary verification, or a combination of both)
- Meet recordkeeping requirements
- Compare the individual against official government lists
- Establish a process for providing customers with notice that information is being requested to verify their identity
As long as the requirements listed above are met, organizations have a lot of flexibility in customizing their CIP so that it aligns with the institution’s size, geographic location, complexity, nature of its business, including the products and services offered, and risk profile. These procedures should be designed to ensure that the institution has a reasonable belief that it knows each customer’s identity.
In other words, a customized and risk-based CIP means that a small, single-branch bank located in a rural area with a limited customer base will have a rather basic and simple CIP, while a large financial institution that has branches in high-risk geographies, will need to have a robust CIP.
Which Businesses Are Subject to the CIP Rule?
Banks and other “financial institutions” are subject to the requirements of the CIP rule. The BSA defines the term “financial institution” in 31 U.S.C. § 5312(a)(2).
The types of institutions to which the BSA pertains have been expanded over the years to encompass non-bank financial institutions and include a range of businesses including credit unions, insurance companies, broker-dealers, investment management companies, money services businesses, casinos and card clubs, and others.
Even if your organization isn’t required to perform customer identity verification, doing so provides a number of benefits, such as increased transparency and trust in the business, greater customer service, and improved risk management. As a result, businesses other than financial institutions may also choose to perform customer identity verification.
What Else Do Financial Institutions Need to Know About the CIP Rule?
The CIP rule requires an institution to verify the identity of each “customer” on an “account.”
Under the rule, a “customer” is generally defined as “a person that opens a new account.” However, the rule states that the term “customer” does not include a person that has an existing account with the bank, provided that the bank has a reasonable belief that it already knows the true identity of the person. Additionally, if a new customer is added to an existing loan or deposit account, the bank would need to verify the new customer’s identity to satisfy the requirements of the CIP rule.
The term “account” refers to an ongoing, formal banking relationship that is established to provide or engage in financial transactions and services. It includes deposit accounts, transaction or asset accounts, credit accounts, or other extensions of credit. Each time a loan is renewed, or a certificate of deposit is rolled over, the bank establishes another formal banking relationship and a new account is created. However, accounts do not include one-time interactions such as check cashing, ATM withdrawals, funds transfers, or the sale of a check or money order.
According to guidance from FinCEN, reliance on another financial institution to perform CIP is permitted providing that such reliance is reasonable under the circumstances and that the relied-upon financial institution is also subject to the CIP requirement and regulated by a federal functional regulator. Additionally, institutions may rely on third parties, such as agents or service providers, to perform services on their behalf. However, it is the financial institution that is ultimately responsible for compliance with the requirements of the CIP rule, regardless of any reliance upon another institution or third-party.
Finally, when it comes to record retention, the CIP rules mandate that identifying customer information obtained at account opening be retained for a period of five years after the date the account is closed. In the case of credit card accounts, the information should be kept for five years after the account is closed or becomes dormant.
Money laundering often encompasses complex transactions as well as transactions that are nearly indistinguishable from legitimate transactions. Therefore, money laundering is exceedingly difficult to detect, especially when relying on manual processes.
Alessa offers a comprehensive range of automated compliance solutions that can help your organization meet CIP requirements, avoid high-risk relationships, and detect and deter money laundering, including:
- Identity Verification Software
- Watchlist and Sanctions Screening
- Real-Time Transaction Monitoring
- A 360° View of Client Risk
To learn more about how Alessa can help your organization stay in compliance with AML obligations, contact an Alessa representative today.