Companies that offer financial services of any kind need a Know Your Customer (KYC) approach, and there’s no better way than with a strong Customer Identification Program (CIP).
In fact, having a CIP isn’t optional: All financial organizations are mandated by the Bank Secrecy Act to have one. However, there’s no one-size-fits-all model for how companies should structure a CIP.
Companies almost always attempt to build their own CIP to some extent. It’s a common practice because there has historically not really been any true all-in-one solution on the market before.
Numerous factors come into play when it comes to CIPs, including size and type of the business. It’s unlikely that a national bank, a community credit union, a popular casino, and a private wealth management firm will have the same sort of program requirements. So when companies attempt to build out a process for verifying their customers’ identities, many of them discover pretty quickly that it’s too complex to orchestrate and difficult to maintain. Before the team creates a CIP system from scratch, consider the challenges — and alternatives.
Beware of ambiguity
The CIP rules stipulate that financial organizations need to form a “reasonable belief” that they know the true identity of their customers, and they need to have “reasonable procedures” in place for verifying the identity of any person seeking to open an account.
Unfortunately, this leaves a lot of factors open to interpretation. The onus falls on organizations and their teams to understand the right approach for a CIP, based on size and operations. Sorting through the details can take time, talent, and resources companies could use for more mission critical projects.
Look out for technicalities
Creating a CIP that meets an organization’s needs while complying with regulations demands specialized knowledge. Security teams need to know all the different ways to verify identity, the various types of fraud and how to detect them, and the distinct policies and protocols across all of the jurisdictions in which the company operates.
The stakes are high, and small missteps or misinterpretations can carry big consequences. At best, a business may be found in noncompliance. At worst, authorities may accuse the company of being complicit in criminal activity or corrupt business practices.
Don’t underestimate the effort that building a compliant CIP entails. Small companies may attempt to tackle it themselves because of a lack of understanding of the complexities. Ultimately, lots of companies also end up building something too simple that overlooks some of the most important aspects of a strong CIP. Even large institutions and enterprises can fall into a similar trap. They may have the resources to build a program more effectively, but they often lack the niche expertise necessary for anticipating edge cases and covering all their bases.
The six essentials to an effective CIP
The Final Rule issued by the Treasury Department's Financial Crimes Enforcement Network (FinCEN) lists out the six broad requirements that all programs need. Here’s the breakdown:
- Identify the right information: All CIPs require a complete account of the identifying information and risk-based procedures that let the company verify customers’ identities. This includes addressing situations in which the team can’t form a reasonable belief that they know the true identity of the customer. Develop a plan for the following: Instances where the company would not and should not open an account; situations where the customer can use an account while their information remains under scrutiny; circumstances when the company must close current account; and scenarios in which the company needs to take it a step further and file a Suspicious Activity Report.
- Collect the info from customers: There are four pieces of identifying information that the team needs to collect for every customer: name, address, date of birth, and identification number. While it’s normally a tax identification number, there are other options for those who don’t have citizenship, a green card, or political asylum with the U.S.
- Decide on a verification method: All CIPs have to include a primary method for identity verification and the appropriate procedures: documentary verification may include government-issued identification proving nationality or residence, and bearing a photograph or similar safeguard; or non-documentary verification may include contacting the customer, independently comparing the information they provide with information obtained from other sources, checking references with other financial institutions, and obtaining a financial statement.
- Set record-keeping procedures: All information collected on a customer must remain available for at least five years after the account closes.
- Develop a cross-checking procedure. Check customer identities using government lists to make sure customers are not suspected terrorists or members of terrorist organizations.
- Create a confirmation process. Have a process that confirm that all customers are aware that their information will be collected and used to verify their identities.
Ticking all the boxes
Many financial organizations have modernized their KYC and anti-money laundering (AML) compliance with automation, and these tools can certainly help with CIPs. Having a robust, automated identity verification and antifraud solution streamlines processes. It helps to go with a solution that screens customer identities against hundreds of official data sources and global government watchlists.
Before the team embarks on the complex process of building a customer identification program, make sure it evaluates and partner with a trusted identity verification services and compliance solution provider. One that can protect the company from fraud and comply with regulations while the team can focus its efforts and resources on the company’s actual mission. And finally, one that stays updated with the latest watchlists and compliant with the most recent regulations.
Alain Meier, co-founder and CEO, Cognito
