Customer Identification Program Overview
The Customer Identification Program (CIP) is a mandatory component of every Anti-Money Laundering (AML) program for financial institutions and Money Services Businesses (MSBs). CIP requirements stem from Section 326 of the USA PATRIOT Act; FinCEN's implementing rules (31 CFR 1020.220 for banks, with parallel rules for broker-dealers, mutual funds, and futures commission merchants) establish minimum standards for verifying customer identities at account opening. MSBs have no standalone CIP rule, but their AML program rule (31 CFR 1022.210) requires written procedures for verifying customer identification, and the elements described on this page are the accepted baseline for those procedures.
For trading platforms, cryptocurrency exchanges, broker-dealers, investment advisers, and money transmitters, implementing a compliant CIP is not optional—it is a legal obligation enforced by FinCEN, state regulators, and federal banking agencies. The CIP forms the foundation of your Know Your Customer (KYC) obligations and enables detection of money laundering, terrorist financing, and other financial crimes.
Federal Criminal Penalties
Operating a financial institution or MSB without adequate customer identification procedures violates federal law. Willful BSA violations are prosecuted under 31 U.S.C. 5322 (fines up to $250,000 and up to five years' imprisonment per violation, more where the violation is part of a pattern), unlicensed money transmission is prosecuted under 18 U.S.C. 1960, and civil money penalties are assessed under 31 U.S.C. 5321, alongside cease and desist orders and loss of regulatory licenses. FinCEN and IRS examiners prioritize CIP compliance in BSA examinations.
Statutory Authority
The CIP requirement derives from multiple sources:
- Section 326 of the USA PATRIOT Act: Mandates financial institutions to implement reasonable procedures to verify customer identity
- 31 CFR 1020.220: FinCEN's CIP rule for banks; parallel rules apply to broker-dealers (31 CFR 1023.220), mutual funds (31 CFR 1024.220), and futures commission merchants and introducing brokers (31 CFR 1026.220). MSBs verify customer identity under their AML program rule, 31 CFR 1022.210
- 31 CFR 1010.230: Beneficial Ownership rule requiring identification of individuals who own or control legal entity customers
- Bank Secrecy Act (31 U.S.C. 5311 et seq.): Foundational anti-money laundering statute requiring recordkeeping and reporting
Who Must Comply?
CIP requirements apply to all MSBs and financial institutions, including:
- Money transmitters (including cryptocurrency exchanges and payment processors)
- Currency exchangers (fiat and virtual currency)
- Check cashers and issuers of stored value
- Broker-dealers registered with the SEC
- Investment advisers registered with the SEC or state regulators
- Banks, credit unions, and depository institutions
- Futures commission merchants and introducing brokers
Crypto and DeFi Applications
FinCEN has confirmed that administrators and exchangers of convertible virtual currency are money transmitters subject to full BSA/AML obligations, including CIP requirements. Even if your platform uses decentralized technology, if you have identifiable operators who facilitate exchanges or transmissions of digital assets, you likely qualify as an MSB requiring a CIP.
Four Required Identifying Information Elements
At the core of every CIP is the requirement to collect four specific pieces of identifying information from each customer before establishing a relationship. These are the statutory minimums—you may (and often should) collect additional information based on risk.
The Four Required Information Elements
31 CFR 1020.220(a)(2) mandates collection of these four data points for every customer
Individual Customer Requirements
For individual customers, you must collect:
| Information Element | Specification | Examples |
|---|---|---|
| Full Legal Name | Name as it appears on government ID | Driver's license name, passport name (including middle name/initial) |
| Date of Birth | Complete date: month, day, year | MM/DD/YYYY or DD/MM/YYYY format |
| Residential Address | Physical street address (not PO box alone) | 123 Main Street, Apt 4B, New York, NY 10001 |
| Identification Number | SSN (U.S.) or passport number (foreign) | SSN: XXX-XX-XXXX; Passport: USA 123456789 |
Legal Entity Customer Requirements
For legal entities (corporations, LLCs, partnerships, trusts), date of birth does not apply, so the regulation requires three identifying elements: name, principal place of business, and identification number. Formation documents are not a fourth element; they are the documentary evidence you examine to verify those elements, and are listed here because you should collect them at onboarding:
| Information Element | Specification | Examples |
|---|---|---|
| Entity Legal Name | Name as registered with state/government | ABC Trading LLC; XYZ Corporation |
| Principal Place of Business | Physical street address of main office | 456 Business Blvd, Suite 200, Austin, TX 78701 |
| Employer Identification Number | IRS-issued EIN for U.S. entities; for foreign entities, the number and country of issuance of a government-issued registration or tax document | XX-XXXXXXX |
| Formation Documents (used for verification) | Articles of incorporation, operating agreement, partnership agreement, trust instrument | Certificate of Formation filed with Delaware Secretary of State |
Beneficial Ownership Requirement
Collecting the four identifying elements for a legal entity is not sufficient. You must also identify and verify the beneficial owners—the individuals who ultimately own or control the entity. See the Beneficial Ownership section below for detailed requirements.
Identity Verification Methods
Collecting identifying information is only half of the CIP requirement. You must also verify that the information is accurate and that the customer is who they claim to be. The regulation provides flexibility in verification methods, permitting both documentary and non-documentary approaches based on your risk assessment.
Documentary Verification
Documentary verification involves examining physical or electronic documents that provide evidence of the customer's identity. This is generally considered the gold standard for identity verification because it provides direct evidence.
Acceptable Identity Documents for Individuals
Primary Identity Documents (Photo ID Required)
- U.S. Driver's License or State-Issued ID Card: Valid, unexpired license or ID card issued by a U.S. state or territory
- U.S. Passport or Passport Card: Valid, unexpired passport or passport card. The CIP rule's documentary examples are limited to unexpired government-issued identification bearing a photograph, so an expired passport should not be accepted as a primary document
- Foreign Passport: Valid passport issued by a foreign government with photo and biographical information
- Permanent Resident Card (Green Card): Valid USCIS-issued permanent resident card
- Employment Authorization Document: USCIS work permit with photo
- Military ID: U.S. Armed Forces identification card
- Tribal Identification Card: Photo ID issued by federally recognized tribal authority
Secondary Documents (For Address or Supplemental Verification)
- Utility Bill: Recent (within 90 days) utility bill showing name and address
- Bank Statement: Official statement from a regulated financial institution
- Mortgage or Lease Agreement: Signed housing documentation
- Government Correspondence: Tax documents, benefits statements, voter registration
- Credit Card Statement: Recent statement from a major card issuer
Acceptable Documents for Legal Entities
- Articles of Incorporation or Organization: Filed and certified by the state
- Business License: Current license to operate issued by state or local government
- Partnership Agreement: Executed agreement among partners
- Trust Agreement: Declaration of trust or trust instrument
- IRS Letter (CP 575): Confirmation of EIN assignment
- Certificate of Good Standing: Issued by Secretary of State
- Tax Returns: Business tax filings showing entity name and EIN
Non-Documentary Verification
Non-documentary methods use third-party data sources, databases, or procedures to verify identity without relying solely on customer-provided documents. These methods are particularly useful for remote onboarding, digital-first platforms, and when documentary methods are unavailable or insufficient.
Acceptable Non-Documentary Methods
| Method | Description | Reliability | Best Use Case |
|---|---|---|---|
| Credit Bureau Verification | Confirm customer information against Equifax, Experian, TransUnion databases | High for U.S. residents | U.S. individual customers with credit history |
| Knowledge-Based Authentication (KBA) | "Out of wallet" questions based on credit report or public records data | Medium-High | Supplement to documentary verification; fraud prevention |
| Public Records Search | Verify name, address, DOB against government databases (DMV, property records, voter registration) | Medium | Address verification, deceased person screening |
| Commercial Database Services | Third-party identity verification platforms aggregating multiple data sources | Medium-High | Scalable automated verification for digital platforms |
| Reference Checks | Contact with prior financial institution or credible reference | Low-Medium | High-risk customers when other methods inconclusive |
| Physical Address Verification | Send mail to customer address requiring response or code entry | Medium | Address confirmation for remote customers |
| Financial Account Verification | Micro-deposit verification or account ownership confirmation | Medium-High | Verifying linked bank accounts for funding sources |
Documentary vs. Non-Documentary: When to Use Each
FinCEN regulations provide flexibility to use either documentary or non-documentary methods, or a combination of both. Your choice should be risk-based.
Risk-Based Verification Method Selection
| Customer Risk Profile | Recommended Approach | Rationale |
|---|---|---|
| Low Risk | Non-documentary methods acceptable (credit bureau, KBA, database checks) | Low transaction volumes, U.S. customers with verifiable credit history, established digital identity |
| Medium Risk | Documentary + non-documentary combination | Moderate transaction volumes, foreign customers, new customers without extensive credit history |
| High Risk | Documentary methods required, multiple forms, enhanced verification | High transaction volumes, high-risk jurisdictions, PEPs, cash-intensive businesses, prior suspicious activity |
| Unable to Verify | Do not open account or terminate existing account | If you cannot verify identity to a reasonable degree of certainty using available methods, decline the customer |
Best Practice: Layered Verification
Leading platforms use a layered approach: automated non-documentary checks for initial verification (credit bureau, database, KBA), followed by documentary verification for customers exceeding certain thresholds or presenting higher risk indicators. This balances user experience with compliance rigor.
Enhanced Due Diligence for High-Risk Customers
While the CIP regulation establishes baseline verification requirements, higher-risk customers warrant Enhanced Due Diligence (EDD)—more extensive information collection, verification, and ongoing monitoring. EDD is not optional for high-risk customers; it is a regulatory expectation based on the risk-based approach mandated by FinCEN.
High-Risk Customer Categories Requiring EDD
| Category | Risk Indicators | EDD Measures |
|---|---|---|
| Politically Exposed Persons (PEPs) | Current or former government officials, senior executives at state-owned enterprises, immediate family members of PEPs | Senior management approval required; source of wealth documentation; ongoing adverse media monitoring; enhanced transaction monitoring |
| High Net Worth Individuals | Customers with account balances or transaction volumes significantly above average for your platform | Source of wealth verification; employment/business documentation; tax returns or financial statements; purpose of account inquiry |
| High-Risk Jurisdictions | Customers from FATF high-risk countries, sanctioned jurisdictions, or countries with weak AML controls | Enhanced identity verification; source of funds inquiry; rationale for using your platform; ongoing sanctions screening |
| Cash-Intensive Businesses | Money services businesses, ATM operators, casinos, cannabis businesses, precious metals dealers | Business license verification; premises visit or verification; expected transaction patterns; SAR consideration for unusual activity |
| Non-Face-to-Face Customers | Customers onboarded entirely remotely without in-person interaction | Enhanced documentary verification; knowledge-based authentication; behavioral analytics; device fingerprinting |
| Cryptocurrency-Specific Risks | Customers depositing from mixers/tumblers, using privacy coins, operating OTC desks, or exhibiting rapid conversion patterns | Blockchain analysis; wallet ownership verification; source of crypto funds; Travel Rule compliance; enhanced transaction monitoring |
| Customers from Sanctioned Sectors | Arms dealing, precious metals/gems, certain import/export businesses, shell companies | Purpose of business inquiry; counterparty identification; ongoing sanctions screening; senior management review |
EDD Information to Collect
Beyond the four basic CIP elements, Enhanced Due Diligence typically includes:
- Source of Wealth: How the customer accumulated their net worth (employment income, business ownership, inheritance, investment gains, real estate)
- Source of Funds: Specific origin of the money being deposited or transacted (sale of business, salary, loan proceeds, crypto mining)
- Purpose of Account/Relationship: Why the customer is using your platform and what they intend to do
- Expected Transaction Activity: Anticipated volume, frequency, transaction types, counterparties, jurisdictions
- Occupation and Employer: For individuals, employer name, job title, industry
- Business Activities: For entities, detailed description of business operations, products/services, customer base
- Related Parties: Affiliated businesses, related accounts, authorized users, beneficial owners
- Financial Statements: Recent financial statements or tax returns (for high-value customers or entities)
PEP-Specific Requirements
Politically Exposed Persons present heightened corruption and bribery risks and require special handling:
PEP Enhanced Due Diligence Checklist
- Identify whether customer or beneficial owner is a PEP using screening tools or databases
- Classify PEP type: foreign PEP (highest risk), domestic PEP, or international organization PEP
- Determine PEP relationship: direct (the official), family member, or close associate
- Obtain senior management approval before establishing PEP relationship
- Collect detailed source of wealth documentation explaining how assets were accumulated
- Verify source of wealth through independent documentation (not customer attestation alone)
- Conduct adverse media screening for corruption, bribery, or financial crime allegations
- Document rationale for accepting or declining the PEP relationship
- Implement enhanced ongoing monitoring with lower transaction monitoring thresholds
- Review PEP status periodically (at least annually) and upon transaction alerts
- Consider ongoing adverse media monitoring through automated screening services
Senior Management Approval
FATF Recommendation 12 and the FFIEC BSA/AML Examination Manual set the expectation that senior management approves a PEP relationship before it is established. This approval cannot be delegated to front-line staff or automated systems. Note that the August 2020 interagency statement on PEPs clarifies that no BSA regulation imposes unique additional due diligence on PEPs as a class; the depth of diligence should be commensurate with the risk of the particular customer. Document the approval, including the basis for the decision and the risk mitigation measures adopted.
Third-Party KYC Provider Reliance
Most trading platforms use third-party vendors to perform customer identification, verification, and screening functions. While outsourcing is permitted and common, it is critical to understand what you can rely on third parties for and where ultimate responsibility remains with you.
What You Can Outsource
31 CFR 1020.220(a)(6) lets you rely on another financial institution (one that is itself subject to an AML program rule) to perform CIP elements. A commercial KYC vendor that is not a regulated financial institution falls outside that reliance provision: engaging it is an outsourcing arrangement in which the vendor acts as your agent and you remain fully responsible. Either way, the functions you may have a third party perform include:
- Collecting customer identifying information on your behalf
- Verifying customer identity through documentary or non-documentary methods
- Screening customers against OFAC sanctions lists and PEP databases
- Conducting adverse media searches
- Performing blockchain analytics and transaction monitoring
- Maintaining CIP records on your behalf
- Conducting periodic KYC refresh and ongoing due diligence
What You Cannot Outsource: Ultimate Responsibility
Even when using third-party providers, you retain ultimate legal responsibility for CIP compliance. You cannot outsource:
- Liability for Violations: If your KYC provider fails to properly verify customers, you are liable, not the vendor
- Regulatory Accountability: FinCEN and IRS examiners hold you accountable for deficiencies in your CIP, regardless of vendor reliance
- Policy Decisions: You must determine verification methods, risk thresholds, and EDD triggers appropriate for your business
- Oversight Responsibility: You must oversee and validate vendor performance on an ongoing basis
Regulatory Reliance Requirements
To rely on another financial institution under 31 CFR 1020.220(a)(6), all of the following must hold: (1) reliance is reasonable under the circumstances, (2) the other institution is subject to an AML program rule under 31 U.S.C. 5318(h) and regulated by a federal functional regulator, and (3) a written contract requires it to certify annually that it has implemented its AML program and will perform (or have its agent perform) the specified requirements of your CIP. For vendors outside that provision, the same three elements (written contract, satisfaction that the vendor's procedures meet the rule, and at least annual review of performance) are the practical standard examiners apply, but the certification does not shift responsibility away from you.
Third-Party KYC Provider Evaluation Criteria
Before engaging a KYC vendor, conduct thorough due diligence:
| Evaluation Factor | Key Questions | Red Flags |
|---|---|---|
| Regulatory Expertise | Does the vendor understand BSA/AML requirements? Do they have experience with your industry (crypto, securities, forex)? | Vendor unfamiliar with FinCEN regulations; generic identity verification not tailored to financial services |
| Data Coverage | What databases and data sources does the vendor use? Do they cover your customer geographies? | Limited to U.S. data when you have international customers; outdated databases; single data source |
| Verification Methods | What documentary and non-documentary methods are available? Can you customize verification workflows? | One-size-fits-all approach; inability to adjust for risk levels; manual processes that don't scale |
| Accuracy and False Positives | What is the vendor's false positive rate? How often do they incorrectly reject valid customers? | High false positive rate creating customer friction; high false negative rate allowing fraud |
| Integration and API | How easy is integration? Is there comprehensive API documentation? What is uptime SLA? | Poor documentation; unreliable API; long implementation timeline; lack of sandbox testing environment |
| Security and Compliance | Can the vendor produce a current SOC 2 Type II report (SOC 2 is an attestation report, not a certification) and, if you have EU customers, evidence of GDPR compliance? What are its data retention, residency and encryption practices? Who holds the encryption keys? | No independent security attestation; unclear data handling; no encryption at rest or in transit; offshore data storage without adequate protections |
| Pricing Model | Per verification, tiered, subscription? Hidden fees? Volume discounts? | Opaque pricing; surprise fees; expensive for your expected volume; no flexibility |
| Customer Support | What support is available? Response times? Escalation procedures? | Email-only support; slow response times; no dedicated account manager for enterprise clients |
Popular Third-Party KYC Providers for Trading Platforms
| Provider | Core Capabilities | Best For | Typical Pricing |
|---|---|---|---|
| Jumio | ID document verification, biometric face matching, liveness detection, AML/sanctions screening | Global platforms with high fraud risk; strong document verification needed | $1-3 per verification |
| Onfido | Document authentication, facial recognition, watchlist screening, real-time verification | Digital-first fintechs; mobile-optimized onboarding; emerging markets | $1-2 per check |
| Trulioo | Global identity verification (195+ countries), business verification, ongoing monitoring | International expansion; emerging markets; cross-border platforms | $0.50-2 per verification |
| Sumsub (Sum&Substance) | Full KYC/KYB suite, transaction monitoring, case management, customizable workflows | Crypto exchanges; iGaming; fintech startups needing end-to-end solution | $0.50-1.50 per check |
| Shufti Pro | ID verification, AML screening, address verification, biometric authentication | Crypto platforms; global coverage; flexible pricing | $0.40-1.20 per verification |
| ComplyAdvantage | AML screening, sanctions lists, PEP detection, adverse media monitoring, ongoing screening | Established platforms needing advanced risk intelligence; compliance teams | Custom enterprise pricing |
| Chainalysis KYT | Blockchain transaction monitoring, wallet risk scoring, sanctions screening, Travel Rule compliance | Crypto-native platforms; DeFi compliance; blockchain-specific risks | Custom based on transaction volume |
| Elliptic | Crypto transaction screening, wallet risk assessment, sanctions compliance, DeFi monitoring | Cryptocurrency exchanges and custodians; institutional crypto platforms | Custom enterprise pricing |
Vendor Oversight Requirements
Your written contract with a third-party KYC provider must include:
- Specification of CIP functions the vendor will perform on your behalf
- Certification that the vendor's CIP complies with 31 CFR 1020.220
- Obligation to provide you with verification results and supporting documentation
- Agreement that you may audit the vendor's CIP procedures
- Recordkeeping commitments (5-year retention of CIP records)
- Data security and confidentiality provisions
- Right to terminate for non-performance or compliance deficiencies
You must also conduct ongoing oversight:
- Annual Review: At least annually, assess whether the vendor is performing CIP functions satisfactorily
- Performance Metrics: Track verification success rates, false positives/negatives, processing times, customer complaints
- Quality Sampling: Periodically sample vendor verification decisions to validate accuracy
- Independent Audit: Review vendor's SOC 2 reports or conduct independent audits of vendor systems
- Regulatory Updates: Ensure vendor adapts to new FinCEN guidance, sanctions updates, and regulatory changes
Multi-Vendor Strategy
Many sophisticated platforms use multiple KYC vendors to reduce single points of failure and leverage best-of-breed capabilities: one vendor for automated document verification, another for sanctions and PEP screening, a third for blockchain analytics, and a fourth for ongoing monitoring. This approach increases resilience but requires more complex vendor management.
CIP Recordkeeping Requirements (5-Year Retention)
Comprehensive recordkeeping is essential to CIP compliance. You must maintain detailed records of the information collected, verification methods used, and results obtained. The rule sets two clocks: the identifying information itself must be retained for five years after the account is closed, and records of verification (documents examined, methods used, results, and any discrepancies) must be retained for five years after the record is made.
Required CIP Records
| Record Category | Specific Records | Retention Period |
|---|---|---|
| Identifying Information | Name, date of birth, address, identification number (the four required elements) | 5 years after account closure |
| Verification Documentation | Description (or copies) of documents used for verification, including type, identification number, place of issuance, and issue and expiration dates (driver's license, passport, utility bills, etc.) | 5 years after the record is made |
| Verification Methods Used | Description of documentary or non-documentary methods used; name of database or third-party service | 5 years after the record is made |
| Verification Results | Whether identity was successfully verified; date of verification; any discrepancies or unresolved issues and how they were resolved | 5 years after the record is made |
| Beneficial Ownership Information | Beneficial ownership certification form and identifying information for each beneficial owner (5 years after account closure); verification documentation (5 years after the record is made) | See record type |
| Enhanced Due Diligence Records | Source of wealth/funds documentation; financial statements; employment verification; senior management approvals | 5 years after account closure |
| Customer Risk Rating | Risk classification (low/medium/high); factors used to determine risk; date of assessment | 5 years after account closure |
| Account Opening Documentation | Application forms; account agreements; disclosures provided to customer | 5 years after account closure |
| Ongoing Monitoring Records | Periodic KYC refresh documentation; updated identifying information; re-verification records | 5 years from date of refresh |
| Third-Party Reliance Documentation | Contracts with KYC vendors; certifications; annual review/oversight records | 5 years after termination |
Recordkeeping Format and Accessibility
FinCEN does not mandate a specific format for CIP records, but they must meet certain standards:
- Retrievable: Records must be organized to allow prompt retrieval in response to regulatory or law enforcement requests, within the deadline stated in the request, which may be only a few business days
- Legible: Records must be clear and readable throughout the retention period
- Accurate: Records must be complete and faithful reproductions of original information
- Reproducible: Electronic records must be capable of being reproduced in hard copy if requested by regulators
- Accessible: Records must be available for examination by FinCEN, IRS, or other appropriate authorities
Electronic Recordkeeping Best Practices
Most trading platforms maintain CIP records electronically. Key considerations:
- Data Integrity: Write CIP records to append-only or WORM storage, or hash-chain them, so that unauthorized alteration or deletion is prevented, or at minimum detectable on verification
- Audit Trails: Log every read, export and modification of a record with actor, timestamp and record identifier, and protect the log itself from tampering
- Backup Systems: Regularly back up records, and hold backups to the same encryption and access controls as the primary store
- Indexing and Search: Organize records with customer identifiers, account numbers, dates to enable efficient searching
- Encryption: Encrypt sensitive PII (SSNs, passport numbers, DOB) at rest and in transit, with keys held in a KMS or HSM separate from the data store and rotated on a schedule
- Access Controls: Limit access to CIP records to authorized compliance personnel under least privilege, with multi-factor authentication and periodic access reviews
- Disaster Recovery: Test restoration procedures periodically to verify records remain accessible
- Documentation: Document your electronic recordkeeping system, retention policies, and disposal procedures
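The integrity and audit-trail controls above are easiest to see in code. The following is an added example, not code from the original page or from any vendor it names: a hash-chained, HMAC-tagged audit log for CIP record access, with a `verify()` that reports the first edited, reordered or missing entry. The key, actor names, record IDs and timestamps are constructed; the `expected_length` argument stands in for a log head published to a separate system.

```python
"""Tamper-evident audit trail for CIP record access.

Added example, not code from the original page or any vendor. Each entry carries
an HMAC-SHA256 tag over its own fields plus the previous entry's tag, so altering,
reordering or deleting an entry breaks the chain. Deleting the newest entries
(truncation) is only caught if the current head is anchored outside the log,
which verify() models with expected_length. The key, actors and record IDs are
constructed for illustration; in production the key lives in a KMS/HSM and the
log is written to append-only (WORM) storage.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

GENESIS = "0" * 64


class AuditTrail:
    def __init__(self, key: bytes):
        self._key = key
        self.entries: List[Dict] = []

    @staticmethod
    def _canonical(entry: Dict) -> bytes:
        """Deterministic encoding of every field except the tag itself."""
        body = {k: v for k, v in entry.items() if k != "tag"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def _tag(self, entry: Dict) -> str:
        return hmac.new(self._key, self._canonical(entry), hashlib.sha256).hexdigest()

    def append(self, actor: str, action: str, record_id: str, detail: str = "",
               ts: Optional[str] = None) -> Dict:
        """Log a read/update/export of a CIP record; reads are logged too, not only modifications."""
        entry = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "record_id": record_id,
            "detail": detail,
            "prev": self.entries[-1]["tag"] if self.entries else GENESIS,
        }
        entry["tag"] = self._tag(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> Tuple[int, str]:
        """(length, latest tag): publish this out-of-band so tail truncation is detectable."""
        return len(self.entries), (self.entries[-1]["tag"] if self.entries else GENESIS)

    def verify(self, expected_length: Optional[int] = None) -> Tuple[bool, Optional[int]]:
        """Return (True, None) if intact, else (False, index of the first entry that fails)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.get("seq") != i or e.get("prev") != prev:
                return False, i                     # reordered, inserted or deleted entry
            if not hmac.compare_digest(self._tag(e), str(e.get("tag", ""))):
                return False, i                     # field edited after the fact
            prev = e["tag"]
        if expected_length is not None and len(self.entries) != expected_length:
            return False, len(self.entries)         # tail truncated (or appended out of band)
        return True, None


def demo() -> Dict[str, Tuple[bool, Optional[int]]]:
    """Constructed scenario: intact log, then an edited entry, then a deleted middle entry."""
    results = {}
    log = AuditTrail(key=b"demo-key-from-kms")  # hypothetical key; never hard-code in production
    log.append("alice@compliance", "read", "cust-0001", ts="2024-05-01T09:00:00+00:00")
    log.append("bob@onboarding", "update", "cust-0001", "address changed", ts="2024-05-01T09:05:00+00:00")
    log.append("alice@compliance", "export", "cust-0001", "FinCEN request", ts="2024-05-02T14:30:00+00:00")
    results["intact"] = log.verify()
    log.entries[1]["actor"] = "mallory"          # rewrite history
    results["edited"] = log.verify()
    log.entries[1]["actor"] = "bob@onboarding"   # restore
    del log.entries[1]                           # drop an entry from the middle
    results["deleted"] = log.verify()
    return results
```

Because the tags are keyed, an attacker with write access to the database but not to the key cannot re-tag an edited entry, which is why the key belongs in a KMS or HSM rather than beside the table. Without an externally anchored head, deleting the newest entries leaves a chain that still verifies; `head()` exists so that the length and latest tag can be published (for example to a separate log or a daily attestation) and passed back as `expected_length`.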
Privacy Law Conflicts: GDPR Right to Erasure
The GDPR and similar privacy laws grant individuals the "right to be forgotten," the right to request deletion of their personal data. However, BSA recordkeeping requirements mandate 5-year retention and prohibit premature deletion. GDPR Article 17(3)(b) exempts processing required to comply with a legal obligation, so your privacy policy must explicitly state that deletion requests are subject to legal retention obligations, and you may refuse deletion requests for records still within a BSA retention period (and should grant them once every applicable period has run).
Record Retention Calculation
The 5-year retention period for identifying information begins at account closure, not account opening; for verification and monitoring records it begins when the record is made. Key principles:
- Account Closure Date: The clock for identifying information starts when the customer relationship is formally terminated
- Dormant Accounts: If an account becomes dormant but is not formally closed, the retention period for identifying information has not begun
- Partial Closures: If a customer closes one account but maintains others, retain the identifying information for the closed account for 5 years from that closure (information shared with the open accounts is retained until they close too)
- Verification and Ongoing Monitoring Records: For records generated at onboarding or during the relationship (verification results, periodic refreshes, transaction monitoring alerts), retain for 5 years from the date the record was created, whichever clock is later
- SAR-Related Records: If you file a SAR, retain supporting documentation (including CIP records) for 5 years from the SAR filing date, even where that is longer than the standard CIP retention
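The retention rules above as a small calculator, added here as an example (not from the original page). It covers the cases the list calls out: a dormant but open account whose clock has not started, verification records that run from creation rather than closure, a SAR that extends the hold, and the leap-day edge in year arithmetic. Record categories and field names are assumed for illustration, and `can_honor_erasure()` is the GDPR check from the privacy note above.

```python
"""Retention-expiry calculator for CIP records.

Added example, not code from the original page or any vendor. Record categories,
field names and dates are constructed for illustration; the five-year clocks follow
31 CFR 1020.220(a)(3)(ii) (identifying information: five years after the account
closes; verification records: five years after the record is made) and the
SAR retention rule described in the text.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

RETENTION_YEARS = 5


def add_years(d: date, years: int) -> date:
    """Shift a date by whole years; Feb 29 maps to Feb 28 when the target year is not a leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class CipRecord:
    category: str                          # identifying_info | verification | monitoring | vendor_contract
    created: date                          # date the record was made
    account_closed: Optional[date] = None  # None while the account is open or merely dormant
    contract_terminated: Optional[date] = None
    sar_filed: List[date] = field(default_factory=list)  # filing dates of SARs this record supports


def retention_expiry(rec: CipRecord) -> Optional[date]:
    """Earliest date the record may be disposed of; None if no clock has started yet."""
    if rec.category == "identifying_info":
        # Clock starts at formal closure; a dormant but open account never starts it.
        base = add_years(rec.account_closed, RETENTION_YEARS) if rec.account_closed else None
    elif rec.category in ("verification", "monitoring"):
        # Verification and refresh records run from the date the record was made.
        base = add_years(rec.created, RETENTION_YEARS)
    elif rec.category == "vendor_contract":
        base = add_years(rec.contract_terminated, RETENTION_YEARS) if rec.contract_terminated else None
    else:
        raise ValueError(f"unknown record category: {rec.category!r}")
    if base is None:
        return None
    # A SAR extends retention to five years after its filing date, if that is later.
    sar_hold = max((add_years(d, RETENTION_YEARS) for d in rec.sar_filed), default=None)
    return max(base, sar_hold) if sar_hold else base


def can_honor_erasure(rec: CipRecord, today: date) -> bool:
    """GDPR Article 17 request: erasure is permitted only once every BSA clock has run."""
    expiry = retention_expiry(rec)
    return expiry is not None and today >= expiry
```

A `None` result is deliberate: it is the signal that a deletion request must be refused because no expiry can yet be computed, which is exactly the dormant-account case. Erasure workflows should be driven by the later of the CIP and SAR dates rather than by a single "account closed" timestamp.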
CIP Compliance Checklist
Use this checklist to assess your Customer Identification Program's compliance with 31 CFR 1020.220:
CIP Compliance Audit Checklist
- Written CIP policy approved by board or senior management
- CIP policy includes procedures for collecting the four required identifying information elements
- Procedures specify documentary and/or non-documentary verification methods
- Risk-based approach to verification (more rigorous methods for higher-risk customers)
- Procedures for verifying customers who cannot provide standard documentation
- Customer notice requirement satisfied (account opening documentation discloses identity verification)
- OFAC and terrorist watchlist screening procedures implemented
- Recordkeeping procedures documented with 5-year retention specified
- Beneficial ownership identification procedures for legal entity customers (25% threshold)
- Enhanced Due Diligence procedures for high-risk customers (PEPs, high-risk jurisdictions, high-value accounts)
- Third-party vendor contracts specify CIP responsibilities and compliance obligations
- Annual review of third-party vendor performance documented
- Customer risk rating methodology documented and applied consistently
- Periodic KYC refresh procedures for existing customers based on risk
- Procedures for handling inability to verify customer identity (account denial or closure)
- CIP training provided to relevant staff (customer service, compliance, onboarding)
- Independent testing of CIP as part of annual BSA/AML audit
- CIP records maintained in retrievable format for 5 years after account closure
- Electronic recordkeeping system includes data integrity controls and backup procedures
- Procedures for responding to law enforcement and regulatory requests for CIP records
Customer Onboarding Flow Diagram
A compliant customer onboarding process integrates CIP requirements at each stage. The flow diagram (CIP-Compliant Customer Onboarding Process) is not included in this text version; the steps below walk through the same flow:
Detailed Onboarding Steps
- Step 1 - Information Collection: Collect the four required identifying elements (name, DOB, address, ID number) plus any additional information required by your risk-based procedures
- Step 2 - Identity Verification: Verify customer identity using documentary methods (photo ID upload, document authentication) or non-documentary methods (credit bureau check, database verification, KBA)
- Step 3 - Watchlist Screening: Screen customer name and identifying information against OFAC SDN list, UN sanctions lists, PEP databases, and adverse media sources
- Step 4 - Risk Rating: Assign customer a risk rating (low/medium/high) based on predefined criteria (transaction volume, jurisdiction, business type, funding sources)
- Step 5 - Enhanced Due Diligence: If customer is rated high risk or triggers EDD criteria (PEP, high-risk jurisdiction, large transactions), collect additional documentation (source of wealth, business rationale, financial statements) and obtain senior management approval
- Step 6 - Account Approval: If identity is verified, no watchlist matches, and risk is acceptable (or mitigated through EDD), approve account. If verification fails or risk is unacceptable, deny account and document rationale
Risk-Based Customer Categorization
A risk-based approach is mandatory under FinCEN guidance. You must categorize customers by risk level and apply verification and monitoring procedures proportionate to the risk.
Customer Risk Rating Framework
| Risk Level | Characteristics | Verification Requirements | Monitoring Frequency |
|---|---|---|---|
| Low Risk | U.S. individuals with verified employment; small transaction volumes (under $10k/month); no prior suspicious activity; established credit history; low-risk jurisdiction | Non-documentary verification acceptable (credit bureau, database); standard OFAC screening; periodic KYC refresh every 3-5 years | Automated transaction monitoring with standard thresholds; annual KYC review or upon material change |
| Medium Risk | Foreign individuals or entities; moderate transaction volumes ($10k-$100k/month); new customer with limited history; business accounts (non-high-risk industries); mixed funding sources | Documentary + non-documentary verification; enhanced OFAC and PEP screening; beneficial ownership identification for entities; KYC refresh every 1-2 years | Enhanced transaction monitoring (lower thresholds); biannual or annual KYC review; alert investigation within 3-5 days |
| High Risk | Politically Exposed Persons (PEPs); high-risk jurisdictions (FATF list, sanctions); high transaction volumes (>$100k/month); cash-intensive businesses; cryptocurrency mixing or privacy coins; prior suspicious activity or SAR filing | Multiple documentary verification methods required; Enhanced Due Diligence (source of wealth/funds); senior management approval; in-depth beneficial ownership investigation; ongoing adverse media monitoring; KYC refresh every 6-12 months | Real-time or near-real-time transaction monitoring; quarterly KYC review; immediate alert investigation (within 24-48 hours); continuous sanctions and adverse media screening |
| Prohibited | OFAC SDN list match; comprehensively sanctioned jurisdiction (e.g., Iran, North Korea, Syria, Cuba, the Crimea region of Ukraine); unable to verify identity; refused to provide required information; known terrorist or criminal affiliation | Do not onboard; immediately terminate if existing customer; block assets if OFAC match; file SAR if suspicious activity suspected; report blocked property to OFAC within 10 business days | N/A (no account established or maintained) |
Risk Rating Factors
Consider multiple factors when assigning customer risk ratings:
- Customer Type: Individual vs. entity; retail vs. institutional; regulated vs. unregulated entity
- Geographic Risk: Customer location; transaction counterparty locations; high-risk or sanctioned jurisdictions
- Product/Service Risk: Type of account or services used; high-value vs. low-value; anonymous or privacy-enhancing features
- Transaction Risk: Volume, frequency, and patterns; cross-border vs. domestic; sudden increases or unusual patterns
- Delivery Channel Risk: Face-to-face vs. remote onboarding; mobile vs. web; use of VPNs or IP obfuscation
- Occupation/Industry: High-risk industries (MSBs, casinos, cannabis, import/export, arms dealing); cash-intensive businesses
- Politically Exposed Person Status: Government officials, state-owned enterprise executives, family members or close associates
- Adverse Information: Prior SARs filed; customer complaints; law enforcement inquiries; negative news or media reports
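The tiering in the table and the factor list above is deterministic enough to encode as a rule engine, which is how most onboarding systems apply it: prohibited factors end the evaluation first, any single high-risk factor forces the High tier, and the medium factors are only consulted when nothing higher applies. The rationale list is returned alongside the tier because the recordkeeping section of the template requires the risk-rating determination and its supporting rationale to be retained. This is an added example, not code from the page or from any regulator; the `CustomerProfile` fields, the 12-month cutoff used for "limited history", and the two jurisdiction sets are assumptions constructed for illustration, not the current OFAC or FATF lists.

```python
"""Rule-based customer risk rating following the tiering table above.

Added example. Tier thresholds follow the table; the profile fields, the
12-month "limited history" cutoff and the jurisdiction sets are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum

# Constructed sets for the example. A production system loads the current
# OFAC program list and FATF statements from its screening vendor instead.
COMPREHENSIVELY_SANCTIONED = {"CU", "IR", "KP", "SY", "UA-43"}  # UA-43: Crimea
HIGH_RISK_JURISDICTIONS = {"MM", "AF", "YE"}  # illustrative subset only

LIMITED_HISTORY_MONTHS = 12   # assumption: below this counts as "new customer"
MEDIUM_VOLUME_FLOOR = 10_000  # $10k/month, from the table
HIGH_VOLUME_FLOOR = 100_000   # over $100k/month, from the table


class Tier(IntEnum):
    LOW = 0
    MEDIUM = 1
    HIGH = 2
    PROHIBITED = 3


@dataclass
class CustomerProfile:
    country: str                      # ISO 3166-1 alpha-2 of residence/incorporation
    monthly_volume_usd: int           # expected or observed monthly volume, whole dollars
    is_entity: bool = False
    is_pep: bool = False
    identity_verified: bool = True
    provided_required_info: bool = True
    sdn_match: bool = False           # confirmed (not merely potential) SDN hit
    cash_intensive: bool = False
    uses_mixers_or_privacy_coins: bool = False
    prior_sar: bool = False
    months_of_history: int = 0
    mixed_funding_sources: bool = False


@dataclass
class RiskDecision:
    tier: Tier
    rationale: list[str] = field(default_factory=list)  # retained with the rating


def rate_customer(c: CustomerProfile) -> RiskDecision:
    reasons: list[str] = []

    # Prohibited factors end the evaluation: no account is opened or kept.
    if c.sdn_match:
        reasons.append("OFAC SDN list match")
    if c.country in COMPREHENSIVELY_SANCTIONED:
        reasons.append(f"comprehensively sanctioned jurisdiction {c.country}")
    if not c.identity_verified:
        reasons.append("identity could not be verified")
    if not c.provided_required_info:
        reasons.append("customer refused to provide required information")
    if reasons:
        return RiskDecision(Tier.PROHIBITED, reasons)

    # High-risk factors: any one of them is sufficient for the High tier.
    if c.is_pep:
        reasons.append("politically exposed person")
    if c.country in HIGH_RISK_JURISDICTIONS:
        reasons.append(f"high-risk jurisdiction {c.country}")
    if c.monthly_volume_usd > HIGH_VOLUME_FLOOR:
        reasons.append(f"monthly volume ${c.monthly_volume_usd:,} exceeds $100k")
    if c.cash_intensive:
        reasons.append("cash-intensive business")
    if c.uses_mixers_or_privacy_coins:
        reasons.append("cryptocurrency mixing or privacy-coin activity")
    if c.prior_sar:
        reasons.append("prior suspicious activity or SAR filing")
    if reasons:
        return RiskDecision(Tier.HIGH, reasons)

    # Medium-risk factors, consulted only when nothing higher applied.
    if c.country != "US":
        reasons.append(f"foreign individual or entity ({c.country})")
    if c.monthly_volume_usd >= MEDIUM_VOLUME_FLOOR:
        reasons.append(f"monthly volume ${c.monthly_volume_usd:,} in $10k-$100k band")
    if c.months_of_history < LIMITED_HISTORY_MONTHS:
        reasons.append("new customer with limited history")
    if c.is_entity:
        reasons.append("business account")
    if c.mixed_funding_sources:
        reasons.append("mixed funding sources")
    if reasons:
        return RiskDecision(Tier.MEDIUM, reasons)

    return RiskDecision(Tier.LOW, ["no elevated risk factors identified"])


if __name__ == "__main__":
    # Constructed sample customers, not real data.
    retail = CustomerProfile(country="US", monthly_volume_usd=2_500, months_of_history=36)
    pep = CustomerProfile(country="GB", monthly_volume_usd=50_000, is_pep=True)
    for profile in (retail, pep):
        decision = rate_customer(profile)
        print(decision.tier.name, "-", "; ".join(decision.rationale))
```

Two design points worth keeping when adapting this: the `sdn_match` flag should only be set after a potential hit has been investigated and confirmed, since screening vendors return many false positives, and the volume boundaries are deliberately asymmetric (`>=` at $10k, `>` at $100k) so that the table's "under $10k", "$10k-$100k" and "over $100k" bands do not overlap.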
Sample CIP Procedures Template
Your written CIP must be tailored to your specific business, but this template provides a framework for the required components:
Customer Identification Program - Sample Procedures Template
1. Program Overview and Purpose
[Your Company Name] has implemented this Customer Identification Program (CIP) pursuant to 31 CFR 1020.220 to verify the identity of customers opening accounts and to enable [Your Company Name] to form a reasonable belief that it knows the true identity of each customer.
- Scope: This CIP applies to all customers opening accounts for money transmission, currency exchange, trading, or other financial services.
- Effective Date: [Date]
- Approval: Approved by Board of Directors on [Date]
- Responsible Officer: [Name], Chief Compliance Officer
2. Customer Definition
For purposes of this CIP, a "customer" means any person or entity that opens an account or establishes a financial relationship with [Your Company Name]. This includes:
- Individual retail customers
- Business entities (corporations, LLCs, partnerships, trusts)
- Institutional customers and counterparties
- Authorized users or signatories on existing accounts
3. Required Identifying Information
Prior to opening an account, [Your Company Name] will collect the following information for each customer:
For Individuals:
- Full legal name
- Date of birth
- Residential street address (PO boxes not acceptable as sole address)
- Taxpayer identification number (SSN or ITIN) for U.S. persons; for non-U.S. persons, one or more of: a taxpayer identification number, passport number and country of issuance, alien identification card number, or the number and country of issuance of another government-issued document bearing a photograph or similar safeguard
For Legal Entities:
- Legal entity name as registered with government authorities
- Principal place of business street address
- Employer Identification Number (EIN) or equivalent foreign tax identifier
- Formation documents (articles of incorporation, operating agreement, partnership agreement, trust instrument)
- Beneficial ownership information (see Section 6)
4. Verification Procedures
[Your Company Name] will verify customer identity using risk-based documentary and/or non-documentary methods:
Documentary Verification:
- For individuals: Government-issued photo ID (driver's license, passport, state ID, permanent resident card)
- For entities: Formation documents certified by state; business licenses; IRS EIN confirmation letter
- Documents will be examined for authenticity, validity, and consistency with provided information
Non-Documentary Verification:
- Credit bureau database verification (Equifax, Experian, TransUnion)
- Knowledge-based authentication (out-of-wallet questions)
- Third-party identity verification services ([List vendors used, e.g., Jumio, Onfido, Trulioo])
- Public records database searches
Risk-Based Method Selection:
- Low-risk customers: Non-documentary methods acceptable
- Medium-risk customers: Documentary + non-documentary combination
- High-risk customers: Multiple documentary methods required
5. Watchlist Screening
All customers will be screened against the following lists before account opening and on an ongoing basis:
- OFAC Specially Designated Nationals (SDN) list
- OFAC Consolidated Sanctions List
- FBI Most Wanted Terrorists list
- UN Security Council Sanctions List
- EU Sanctions List
- Politically Exposed Persons (PEP) databases
- Adverse media and negative news sources
Screening will be performed using [Name of screening vendor/system]. Potential matches will be investigated before account approval, and the disposition of each (true match, false positive, or escalated) and the basis for it will be documented.
6. Beneficial Ownership Identification
For legal entity customers (other than exempt entities), [Your Company Name] will identify and verify beneficial owners using the certification form in Appendix A to 31 CFR 1010.230 or an equivalent form:
- Identify each individual who directly or indirectly owns 25% or more of the equity interests of the entity (up to 4 individuals)
- Identify one individual with significant responsibility to control, manage, or direct the entity (e.g., CEO, CFO, President, Managing Member)
- Collect the four required identifying information elements for each beneficial owner
- Verify beneficial owner identities using the same methods as for individual customers
- Maintain beneficial ownership certification forms and supporting documentation for 5 years after account closure
7. Risk Rating and Enhanced Due Diligence
Each customer will be assigned a risk rating (Low, Medium, High) based on [Your Company Name]'s risk assessment methodology. High-risk customers will be subject to Enhanced Due Diligence:
EDD Triggers:
- Politically Exposed Persons (PEPs)
- Customers from high-risk jurisdictions
- High transaction volumes (exceeding $[threshold] per month)
- Cash-intensive businesses or high-risk industries
- Cryptocurrency mixing, tumbling, or privacy coin use
EDD Procedures:
- Collect source of wealth and source of funds documentation
- Obtain senior management approval before onboarding
- Conduct enhanced OFAC and adverse media screening
- Implement enhanced ongoing monitoring (lower transaction thresholds)
- Perform quarterly or more frequent KYC reviews
8. Recordkeeping
[Your Company Name] will retain CIP records for a minimum of 5 years. Identifying information is retained for 5 years after the account is closed; verification records (document descriptions, methods used, and the resolution of any discrepancies) are retained for 5 years after the record is made. Records retained include:
- All identifying information collected (name, DOB, address, ID number)
- A description of each document relied upon for verification (document type, identification number, place of issuance, and issuance and expiration dates), together with copies where they are retained
- Description of non-documentary verification methods used and their results, and the resolution of any substantive discrepancy identified during verification
- Beneficial ownership certification forms and supporting documentation
- Risk rating determinations and supporting rationale
- Enhanced due diligence documentation
- OFAC screening results and match resolution records
Records will be maintained in electronic format, encrypted at rest and restricted to authorized compliance personnel (identity documents and taxpayer identification numbers are sensitive personal data), with access logging, tested backups, and the ability to retrieve a customer's complete CIP file promptly in response to examiner or law enforcement requests.
9. Inability to Verify Identity
If [Your Company Name] cannot verify a customer's identity using available methods, we will:
- Request additional documentation from the customer
- Attempt alternative verification methods
- If verification remains unsuccessful, decline to open the account
- If existing customer, consider restricting or closing the account
- Assess whether circumstances warrant Suspicious Activity Report (SAR) filing
- Document the rationale for account denial or closure
10. Reliance on Third Parties
[Your Company Name] relies on the following third-party service providers for CIP functions:
- [Vendor Name 1]: [CIP functions performed]
- [Vendor Name 2]: [CIP functions performed]
Written contracts are in place with each vendor specifying CIP responsibilities. [Your Company Name] conducts annual reviews of vendor performance and maintains oversight of vendor CIP procedures.
11. Customer Notice
[Your Company Name] provides notice to customers that we are requesting information to verify their identity. This notice is included in account opening documentation and states:
"To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver's license or other identifying documents."
12. Program Review and Updates
This CIP will be reviewed and updated:
- At least annually by the Chief Compliance Officer
- Upon material changes to business operations, products, or customer base
- In response to new FinCEN guidance or regulatory requirements
- Following independent testing or examination findings
Updates require approval by senior management or the Board of Directors.
13. Training
All employees involved in customer onboarding, compliance, or account administration will receive CIP training:
- Initial training within 30 days of hire
- Annual refresher training
- Training on updates to CIP procedures or regulatory requirements
Training records will be maintained for 5 years.