CIP Requirements Under BSA
The Customer Identification Program (CIP) is a cornerstone of Anti-Money Laundering (AML) compliance under the Bank Secrecy Act (BSA). If you operate as a Money Services Business (MSB), broker-dealer, investment adviser, or cryptocurrency exchange, you're legally required to implement robust customer identification procedures.
CIP requirements stem from Section 326 of the USA PATRIOT Act, which amended the BSA to mandate that financial institutions verify the identity of any person seeking to open an account.
⚠ Legal Requirement, Not Optional
Failure to implement adequate KYC/CIP procedures can result in enforcement actions, civil penalties, criminal prosecution, and loss of regulatory licenses. FinCEN and state regulators actively examine MSBs for CIP compliance.
📚 31 CFR 1020.220 - Customer Identification Programs
Requires MSBs to implement a written CIP that includes risk-based procedures for:
- Collecting identifying information at account opening
- Verifying customer identity using documentary or non-documentary methods
- Maintaining records of information used to verify identity
- Determining whether the customer appears on any terrorist watch lists
Customer Information to Collect
At a minimum, you must collect the following information for every customer before opening an account or establishing a relationship:
✅ Required Customer Information
Full Legal Name
Individual's full name as it appears on government-issued ID, or legal entity name as registered with authorities
Date of Birth (Individuals)
Required for natural persons to verify identity and screen against OFAC lists
Physical Address
Street address of residence or business. PO boxes alone are insufficient for individuals
Identification Number
For US persons: SSN or EIN. For foreign persons: passport number, alien ID, or other government-issued ID number
Entity Information (If Applicable)
For businesses: formation documents, EIN, registered agent, business type, ownership structure
💡 Risk-Based Approach
While these are minimums, you should collect additional information based on risk. Higher-risk customers (large transaction volumes, international transfers, PEPs) warrant Enhanced Due Diligence (EDD) with additional documentation.
Identity Verification Methods
Collecting information is only half the battle. You must also verify that the information is accurate and that the customer is who they claim to be. The BSA permits two primary verification methods:
Documentary Verification
Examining documents that provide evidence of identity, such as:
- Government-Issued Photo ID - Driver's license, passport, state ID card
- Corporate Documents - Articles of incorporation, business licenses
- Financial Statements - Bank statements, tax returns
- Utility Bills - For address verification (secondary only)
Non-Documentary Verification
Using third-party data sources or procedures to verify identity:
- Database Checks - Credit bureaus, public records, commercial databases
- Knowledge-Based Authentication (KBA) - "Out of wallet" questions based on credit history
- Third-Party Verification Services - Specialized KYC/identity verification vendors
- Comparison Against Government Lists - OFAC screening, terrorist watch lists
⚠ Documentary vs Non-Documentary
Documentary methods are generally more reliable for initial verification. Non-documentary methods should be used when documents are unavailable, to supplement documentary verification, or when additional verification is necessary due to heightened risk.
Documentary vs Non-Documentary Verification
| Method | Advantages | Disadvantages | Best For |
|---|---|---|---|
| Documentary | Direct evidence; visual verification; widely accepted | Manual review required; document fraud risk; slower processing | High-risk customers; large transactions; regulatory preference |
| Non-Documentary | Faster processing; scalable automation; real-time results | Less direct evidence; database accuracy risk; may require backup documents | Lower-risk customers; digital onboarding; supplemental checks |
Beneficial Ownership Rules
When your customer is a legal entity (corporation, LLC, partnership), you must identify and verify the identity of the beneficial owners under FinCEN's Beneficial Ownership Rule (31 CFR 1010.230).
Who Qualifies as a Beneficial Owner?
You must identify individuals who meet either of these criteria:
| Ownership Prong | Control Prong |
|---|---|
| Any individual who owns 25% or more of the equity interests in the legal entity | A single individual with significant management control over the entity (CEO, CFO, President, etc.) |
Required Beneficial Owner Information
- Name
- Date of birth
- Address (residential or business)
- Identification number (SSN or passport)
💡 Maximum of 5 Beneficial Owners
Under the rule, you will typically identify between one and five beneficial owners: up to four individuals meeting the ownership threshold (25% or more), plus one individual with significant control.
Exemptions from Beneficial Ownership Requirements
The following entity types are exempt:
- Publicly traded companies (SEC reporting)
- Banks and credit unions
- Registered investment companies and advisers
- Public accounting firms registered with PCAOB
- Governmental entities
- Financial market utilities
Enhanced Due Diligence (EDD)
For higher-risk customers, standard KYC is insufficient. Enhanced Due Diligence requires additional scrutiny, documentation, and ongoing monitoring.
Risk-Based EDD Triggers
| Risk Factor | EDD Considerations |
|---|---|
| High Transaction Volume | Source of funds verification, business justification, ongoing transaction monitoring |
| Politically Exposed Persons (PEPs) | Source of wealth documentation, ongoing adverse media screening, senior management approval |
| High-Risk Jurisdictions | FATF high-risk country list, sanctions screening, enhanced address verification |
| Cash-Intensive Businesses | Business licenses, premises verification, SAR filing consideration |
| Anonymous Activity Indicators | IP analysis, device fingerprinting, behavior analytics, possible account closure |
| Crypto Mixing/Tumbling | Blockchain analysis, source of funds, transaction pattern review |
EDD Documentation Requirements
- Source of Wealth - How customer accumulated net worth (employment, inheritance, business sale)
- Source of Funds - Specific origin of money being deposited/transacted
- Purpose of Account - Detailed business rationale and expected activity
- Expected Transaction Patterns - Volume, frequency, counterparties, jurisdictions
- Supporting Documents - Tax returns, employment verification, business contracts, bank statements
⚠ PEP Requirements
Politically Exposed Persons require special handling. You must obtain senior management approval before establishing a relationship with a PEP, and conduct ongoing enhanced monitoring throughout the relationship.
Ongoing Monitoring Requirements
KYC is not a one-time event. You must continuously monitor customer activity to:
- Detect suspicious transactions requiring SAR filing
- Ensure customer information remains current
- Identify changes in risk profile
- Verify compliance with transaction limits
Periodic KYC Refresh Schedule
| Customer Risk Level | Refresh Frequency | Trigger Events |
|---|---|---|
| Low Risk | Every 3-5 years | Material change in activity, address change |
| Medium Risk | Every 1-2 years | Significant transaction increase, new business line |
| High Risk | Annually or more | Any material change, adverse media, unusual activity |
Transaction Monitoring
Implement automated systems to flag:
- Transactions inconsistent with customer profile
- Rapid movement of funds
- Structuring (breaking up transactions to avoid reporting)
- Transactions with high-risk jurisdictions
- Sudden increases in activity
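The five flags in the list above map naturally onto rule logic run over a transaction ledger. The following is an added example, not code from the page or from any KYC vendor: a small rule-based monitor that evaluates a constructed sample ledger and a constructed set of onboarding profiles. The $10,000 figure is the currency transaction report threshold; every other threshold (the 48-hour structuring window, the 24-hour rapid-movement window, the 90% ratio, the 3x spike multiplier) and the high-risk country codes are assumptions chosen for illustration and would be tuned to the institution's own risk model.

```python
"""Rule-based transaction monitoring over a constructed sample ledger (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

CTR_THRESHOLD = 10_000                       # currency transaction report threshold
STRUCTURING_WINDOW = timedelta(hours=48)     # assumption: look-back for aggregating sub-threshold cash
RAPID_MOVEMENT_WINDOW = timedelta(hours=24)  # assumption: deposit followed by withdrawal inside this window
RAPID_MOVEMENT_RATIO = 0.9                   # assumption: withdrawal of at least 90% of the deposit
SPIKE_MULTIPLIER = 3.0                       # assumption: last 30 days versus the 30 days before
HIGH_RISK_COUNTRIES = {"XX", "YY"}           # placeholder codes; load from FATF/OFAC lists in practice

# Constructed onboarding profiles: expected activity recorded at account opening
PROFILES = {
    "C1": {"expected_monthly_volume": 20_000, "expected_countries": {"US"}},
    "C2": {"expected_monthly_volume": 5_000, "expected_countries": {"US", "CA"}},
}

# Constructed ledger; ts is ISO-8601, amount in USD, type in {cash_in, deposit, withdrawal}
TRANSACTIONS = [
    {"id": 1, "customer": "C1", "ts": "2024-03-01T09:00", "amount": 9_500, "type": "cash_in", "country": "US"},
    {"id": 2, "customer": "C1", "ts": "2024-03-01T16:00", "amount": 9_800, "type": "cash_in", "country": "US"},
    {"id": 3, "customer": "C2", "ts": "2024-03-03T10:00", "amount": 4_000, "type": "deposit", "country": "US"},
    {"id": 4, "customer": "C2", "ts": "2024-03-03T18:00", "amount": 3_900, "type": "withdrawal", "country": "XX"},
    {"id": 5, "customer": "C2", "ts": "2024-03-10T11:00", "amount": 12_000, "type": "deposit", "country": "US"},
    {"id": 6, "customer": "C2", "ts": "2024-01-20T09:00", "amount": 500, "type": "deposit", "country": "US"},
    {"id": 7, "customer": "C2", "ts": "2024-02-01T09:00", "amount": 600, "type": "deposit", "country": "CA"},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def by_customer(txs):
    """Group transactions per customer, ordered by timestamp."""
    groups = defaultdict(list)
    for tx in sorted(txs, key=lambda t: t["ts"]):
        groups[tx["customer"]].append(tx)
    return groups


def structuring_alerts(txs):
    """Several sub-threshold cash-ins inside the window that together reach the CTR threshold."""
    alerts = []
    for customer, rows in by_customer(txs).items():
        cash = [t for t in rows if t["type"] == "cash_in" and t["amount"] < CTR_THRESHOLD]
        for i, first in enumerate(cash):
            window = [t for t in cash[i:] if parse(t["ts"]) - parse(first["ts"]) <= STRUCTURING_WINDOW]
            if len(window) >= 2 and sum(t["amount"] for t in window) >= CTR_THRESHOLD:
                alerts.append({"rule": "structuring", "customer": customer, "tx": [t["id"] for t in window]})
                break  # one alert per customer is enough for analyst review
    return alerts


def rapid_movement_alerts(txs):
    """Funds leave shortly after arriving: deposit then a near-equal withdrawal within the window."""
    alerts = []
    for customer, rows in by_customer(txs).items():
        for dep in (t for t in rows if t["type"] in ("deposit", "cash_in")):
            for wd in (t for t in rows if t["type"] == "withdrawal"):
                delta = parse(wd["ts"]) - parse(dep["ts"])
                if timedelta(0) <= delta <= RAPID_MOVEMENT_WINDOW and wd["amount"] >= RAPID_MOVEMENT_RATIO * dep["amount"]:
                    alerts.append({"rule": "rapid_movement", "customer": customer, "tx": [dep["id"], wd["id"]]})
    return alerts


def profile_alerts(txs, profiles):
    """Transaction inconsistent with what the customer told you at onboarding."""
    alerts = []
    for t in txs:
        p = profiles[t["customer"]]
        reasons = []
        if t["amount"] > p["expected_monthly_volume"]:
            reasons.append("single transaction exceeds expected monthly volume")
        if t["country"] not in p["expected_countries"]:
            reasons.append("country outside expected jurisdictions")
        if reasons:
            alerts.append({"rule": "profile_inconsistent", "customer": t["customer"], "tx": [t["id"]], "why": reasons})
    return alerts


def jurisdiction_alerts(txs):
    """Counterparty country on the high-risk list."""
    return [{"rule": "high_risk_jurisdiction", "customer": t["customer"], "tx": [t["id"]]}
            for t in txs if t["country"] in HIGH_RISK_COUNTRIES]


def sudden_increase_alerts(txs):
    """Last 30 days of activity versus the 30 days before; customers with no baseline are skipped."""
    alerts = []
    as_of = max(parse(t["ts"]) for t in txs)
    cur_start, prior_start = as_of - timedelta(days=30), as_of - timedelta(days=60)
    for customer, rows in by_customer(txs).items():
        current = sum(t["amount"] for t in rows if parse(t["ts"]) > cur_start)
        prior = sum(t["amount"] for t in rows if prior_start < parse(t["ts"]) <= cur_start)
        if prior > 0 and current > SPIKE_MULTIPLIER * prior:
            alerts.append({"rule": "sudden_increase", "customer": customer, "current": current, "prior": prior})
    return alerts


def run_rules(txs=TRANSACTIONS, profiles=PROFILES):
    alerts = []
    for rule in (structuring_alerts, rapid_movement_alerts, jurisdiction_alerts, sudden_increase_alerts):
        alerts.extend(rule(txs))
    alerts.extend(profile_alerts(txs, profiles))
    return alerts


def rules_fired(customer, alerts=None):
    """Sorted list of distinct rule names that fired for one customer."""
    alerts = run_rules() if alerts is None else alerts
    return sorted({a["rule"] for a in alerts if a["customer"] == customer})


if __name__ == "__main__":
    for alert in run_rules():
        print(alert)
```

On the constructed data, C1 trips only the structuring rule (two cash-ins of $9,500 and $9,800 seven hours apart), while C2 trips rapid movement, a high-risk jurisdiction, two profile inconsistencies and a volume spike against its January/February baseline. In production each alert would open a case for analyst review rather than be acted on automatically; the rules are deliberately simple so that the reasons an alert fired are auditable when a SAR decision is later documented.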
KYC for Crypto Trading Platforms
Cryptocurrency exchanges and trading platforms face unique KYC challenges due to the pseudonymous nature of blockchain transactions.
Crypto-Specific KYC Elements
- Wallet Address Verification - Requiring customers to prove control of withdrawal addresses
- Blockchain Analysis - Screening deposit addresses for links to mixers, darknet markets, ransomware
- Travel Rule Compliance - Collecting originator/beneficiary information for transfers over $3,000
- Self-Hosted Wallet Disclosures - Identifying when customers withdraw to non-custodial wallets
- Token-Specific Risk Assessment - Enhanced scrutiny for privacy coins (Monero, Zcash)
⚠ Travel Rule Challenges
FinCEN's Travel Rule requires collecting and transmitting customer information for crypto transfers over $3,000. However, many crypto platforms lack standardized mechanisms for exchanging this data, creating compliance challenges.
Crypto KYC Red Flags
| Red Flag | Risk | Response |
|---|---|---|
| Deposits from mixing services | Money laundering | Enhanced monitoring, possible SAR, account restrictions |
| Rapid buying and withdrawal | Structuring, layering | Transaction holds, additional verification |
| P2P exchange patterns | Unlicensed MSB activity | Source of funds inquiry, possible account closure |
| Multiple accounts, same IP | Account fraud, limit evasion | Device fingerprinting, consolidation or termination |
Third-Party KYC Providers
Most platforms use third-party vendors to streamline identity verification. While you can outsource the process, you cannot outsource the liability—ultimate responsibility remains with you.
KYC Vendor Comparison
| Provider | Capabilities | Best For | Typical Cost |
|---|---|---|---|
| Jumio | ID verification, biometric matching, liveness detection, AML screening | Global platforms, high fraud risk | $1-3 per verification |
| Onfido | Document verification, facial recognition, watchlist screening | Digital-first companies, mobile onboarding | $1-2 per check |
| Trulioo | Global identity verification, business verification, ongoing monitoring | International expansion, emerging markets | $0.50-2 per verification |
| Sumsub | Full KYC/AML suite, transaction monitoring, case management | Crypto exchanges, fintech startups | $0.50-1.50 per check |
| ComplyAdvantage | AML screening, sanctions lists, PEP detection, adverse media | Risk and compliance teams, ongoing monitoring | Custom enterprise pricing |
| Chainalysis KYT | Blockchain transaction monitoring, risk scoring, sanctions screening | Crypto-native platforms, DeFi compliance | Custom based on volume |
Vendor Due Diligence
Before selecting a KYC provider, evaluate:
- Regulatory Coverage - Does it cover your jurisdictions and regulatory requirements?
- Data Sources - What databases and verification methods does it use?
- False Positive Rate - How often does it incorrectly reject legitimate customers?
- Integration Complexity - API documentation, developer support, testing environment
- Data Privacy - GDPR compliance, data residency, retention policies
- SOC 2 Certification - Third-party audit of security controls
- Pricing Model - Per verification, tiered, or subscription
💡 Multi-Vendor Strategy
Many platforms use multiple vendors: one for automated ID verification, another for AML screening, and a third for blockchain analytics. This reduces single points of failure and leverages best-of-breed solutions.
CIP Recordkeeping Requirements
You must maintain records of all information obtained through your CIP for 5 years after the account is closed.
Required Records
| Record Type | Contents | Retention Period |
|---|---|---|
| Identifying Information | Name, address, DOB, ID number collected at account opening | 5 years after closure |
| Verification Documentation | Copies of IDs, utility bills, database reports, verification methods used | 5 years after closure |
| Verification Results | Whether identity was verified, date, methods used, any discrepancies | 5 years after closure |
| Beneficial Ownership | Certification form, supporting documentation for beneficial owners | 5 years after closure |
| Enhanced Due Diligence | Source of wealth/funds documentation, risk assessments, approval records | 5 years after closure |
| Ongoing Monitoring | KYC refresh documentation, transaction monitoring alerts, SAR decisions | 5 years after event |
Record Format and Accessibility
- Records may be kept in paper or electronic format
- Must be readily accessible to regulators upon request
- Electronic records must be reproducible in hard copy
- Implement retention policies to prevent premature deletion
- Consider backup and disaster recovery for electronic records
⚠ Privacy Law Conflicts
GDPR and CCPA grant users the "right to be forgotten," but BSA recordkeeping requirements mandate 5-year retention. Your privacy policy should clearly state that deletion requests are subject to legal retention obligations.
Written CIP Documentation
You must maintain a written CIP that is approved by your board or senior management. This document should include:
- Procedures for collecting required customer information
- Risk-based verification methods (documentary and non-documentary)
- Procedures for customers who cannot provide standard documentation
- Recordkeeping practices and retention schedules
- OFAC and watchlist screening procedures
- Customer notice requirements
- Reliance on third parties (if applicable)
Implementation Checklist
To build a compliant KYC/CIP program:
- Draft Written CIP - Document your procedures in a formal policy
- Obtain Board Approval - Get senior management or board sign-off on CIP
- Select Verification Methods - Choose documentary, non-documentary, or hybrid approach
- Choose KYC Vendors - Conduct vendor due diligence and contract negotiations
- Integrate Systems - Build KYC into onboarding flow and backend systems
- Implement OFAC Screening - Screen against SDN list and other watchlists
- Build Risk-Rating Model - Create criteria for low, medium, high risk classification
- Develop EDD Procedures - Define triggers and documentation for enhanced due diligence
- Create Ongoing Monitoring - Set up transaction monitoring and periodic KYC refresh
- Establish Recordkeeping - Implement 5-year retention for all CIP records
- Train Staff - Ensure compliance team understands CIP requirements
- Test and Audit - Conduct independent testing of CIP effectiveness