What is Customer Identification Procedure?

Angela Marrujo Fornaca

Content Writer

Customer Identification Procedure exists to prevent individuals from using financial institutions to commit financial crime by establishing and verifying their true identity. It was created as part of the USA PATRIOT Act and is a requirement under the Bank Secrecy Act. There are six steps to the procedure; financial institutions can customize their procedure so long as it meets the required steps.


The terrorist attacks of September 11, 2001, fundamentally changed much about the United States and the world. One of the most significant outcomes of that tragedy was the creation of the USA PATRIOT Act, which US Congress enacted and President George W. Bush signed into law in October of that year.

Congress, focused on preventing future terrorist attacks, felt it was crucial to require banks to verify the identities of their customers to help prevent terrorism financing and money laundering. So they created the Customer Identification Procedure (CIP) as part of the PATRIOT Act and made it a requirement under the Bank Secrecy Act (BSA).

What is CIP, what are the steps involved, and why is it important to stay compliant? (Beyond just “because it’s the law.”)

The Six Steps to CIP

CIP exists to prevent individuals from using financial institutions (FIs) to commit financial crime by establishing and verifying their true identity. It’s a critical component of the Know Your Customer (KYC) process (and is not the same thing as KYC, but one part of a broader KYC strategy, which we’ll cover in a bit).

Financial institutions have the freedom to customize their CIPs to whatever works best for their organization. The only requirement is that it meet these six guidelines:

  1. Clearly document your CIP: Financial institutions must thoroughly outline and explain their CIP and identify steps individuals must take in order to become customers. It should also identify risk factors your team should look out for (i.e. the potential customer is a politically exposed person) and your FI’s privacy and security policies.
  2. Collect four pieces of identifying information: Name, date of birth, address, and SSN (tax ID numbers or government-issued identification numbers for non-US citizens). While these are the minimum required pieces, you can collect additional information from the potential customer if necessary.
  3. Establish identity verification procedures: They should be practical, risk-based, and give the FI confidence that they know the customer’s real identity. FinCEN doesn’t specify which procedures you need to use, but there are a variety to choose from, including biometric, documentary, database, and more.
  4. Comply with record-keeping requirements: By law, financial institutions must keep record of all customer information while they remain a customer and for at least five years after a customer’s account is closed.
  5. Check customers against government lists: Compare the names of potential customers against government terrorist watch lists. You must also screen for politically exposed people and whether potential customers have been the subject of adverse media.
  6. Give customers proper notice: Create a procedure to give potential customers adequate notice that you will be requesting additional information from them to verify their identity.

So CIP and KYC Aren’t the Same Thing?

Not exactly. While both processes seek to establish the same information — true customer identity — KYC is a strategy while CIP is one part of that strategy. The other two parts of the KYC process include:

  • Conducting Customer Due Diligence (CDD): The procedure that assesses customer risk. Depending on the individual’s level of risk, you will need to conduct either Standard, Simplified, or Enhanced Due Diligence.
  • Ongoing monitoring: Customers should be regularly monitored to ensure no red flags or suspicious behaviors go unchecked and unreported. The frequency of the monitoring should directly correlate with their level of risk.

Wrap Up

It’s important that FIs create a solid, thorough CIP and stay compliant to help mitigate the risk of their institution being used to facilitate financial crime. All FIs are required to establish a CIP, but even businesses outside of the industry benefit from CIPs. Many businesses have created CIPs to establish trust and safety and build a reputation for going the extra mile to ensure their platforms are safe for their users. Whether required or not, CIPs are a powerful tool in global AML efforts.

Stay Connected

Subscribe to receive new content from Hummingbird