The most important characteristic of the Customer Identification Program (CIP) is its requirement that financial institutions form a reasonable belief that they know the true identity of every customer who opens an account. Everything else in the program, from collecting personal data to keeping records, feeds into this single goal: verifying that each customer is who they claim to be. This verification requirement is what separates CIP from a simple data-collection exercise and makes it an effective tool against money laundering and terrorism financing.
Why Identity Verification Is the Core Requirement
Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account. The CIP rule, codified at 31 CFR 1020.220, grew out of the USA PATRIOT Act and sits at the foundation of every bank’s anti-money laundering compliance program. While collecting customer information matters, the regulation makes clear that collection alone is not enough. A bank must use that information to verify the customer’s identity to the extent reasonable and practicable.
The phrase “reasonable belief” is central. A bank does not need to confirm the accuracy of every single data point it collects. It does, however, need to verify enough information to reasonably conclude it knows who the customer actually is. This risk-based standard means the depth of verification scales with the level of risk a particular account, customer type, or account-opening method presents.
What Information Banks Must Collect
Before verification can happen, the bank needs raw material to work with. For individual customers, the CIP rule requires collecting four pieces of identifying information at account opening: name, date of birth, address, and an identification number (typically a Social Security number for U.S. persons or a passport number and country of issuance for non-U.S. persons).
For entities like corporations, partnerships, or trusts, banks collect the legal name, principal place of business address, and an employer identification number or equivalent. These data points serve as the starting inputs for the verification process, not as an end in themselves.
How Verification Works in Practice
Banks verify customer identities through two broad methods: documentary and non-documentary. Most institutions use a combination of both, and the CIP rule expects banks to have written procedures spelling out exactly which methods they rely on.
Documentary Verification
For most individual customers, this means reviewing an unexpired government-issued photo ID such as a driver’s license or passport. Regulators expect banks to obtain government-issued identification from the majority of customers, though other documents can work if they allow the bank to reach that reasonable-belief threshold. For business entities, acceptable documents include certified articles of incorporation, an unexpired government-issued business license, a partnership agreement, or a trust instrument.
Because counterfeit and fraudulently obtained documents are a known risk, regulators encourage banks to collect more than a single document when possible. A driver’s license paired with a utility bill, for example, provides a stronger basis for belief than either one alone.
Non-Documentary Verification
Non-documentary methods fill the gaps when documents are unavailable, unfamiliar, or when the account is opened remotely. These methods include contacting the customer directly, comparing the information the customer provided against data from a consumer reporting agency or public database, checking references with other financial institutions, or obtaining a financial statement.
Banks must specifically address several higher-risk scenarios in their non-documentary procedures: when a customer cannot present an unexpired government-issued photo ID, when the bank is unfamiliar with the documents presented, when the account is opened without any documents at all, and when the customer never appears in person. Each of these situations raises the risk that the bank cannot confirm the customer’s true identity, so the procedures need to account for them explicitly.
Risk-Based Procedures Tie It Together
The CIP is not a one-size-fits-all checklist. Each bank must develop verification procedures that account for its own risk profile, considering the types of accounts it maintains, how those accounts can be opened, the identifying information available for its customer base, and the bank’s size, location, and business model. A small community bank serving local customers faces different verification challenges than a large institution onboarding customers online across multiple countries.
This risk-based approach is what makes identity verification the defining characteristic of the program. Two banks can collect the same four data points yet have very different CIP procedures, because the verification step is tailored to each institution’s specific risks. The regulation intentionally gives banks flexibility in how they verify, but no flexibility in whether they verify.
Recordkeeping Supports Verification
Banks must retain all identifying information gathered at account opening for five years after the account is closed (or five years after a credit card account is closed or becomes dormant). They also need to keep records of the specific verification methods used for each customer, whether that means noting which documents were reviewed or cross-referencing the non-documentary procedures applied.
These records serve a practical purpose beyond regulatory compliance. If questions arise later about a customer’s identity, whether from law enforcement inquiries or internal reviews, the bank needs to demonstrate what steps it took and what information it relied on to reach its reasonable belief. Without solid recordkeeping, the verification process has no lasting value.
The Bigger Picture
CIP is one piece of a broader Bank Secrecy Act and anti-money laundering (BSA/AML) framework, but it is the front door. Every other compliance obligation, from monitoring transactions to filing suspicious activity reports, depends on the bank knowing who its customers are in the first place. That is why identity verification, not just data collection or recordkeeping, stands as the program’s most important characteristic. A bank that collects names and addresses but never meaningfully verifies them has a CIP on paper but not in practice.