Customer Identification ProgramCIP
A Customer Identification Program (CIP) is the written identity verification program every US bank must maintain under Section 326 of the USA PATRIOT Act (31 CFR 1020.220). It requires collecting and verifying identifying information from every person opening an account, keeping records of the verification, and checking applicants against government lists.
The four required data points
Before opening an account, the bank must collect, at minimum: name, date of birth, address, and an identification number (SSN or TIN for US persons). Collection is only the start; the program must then verify identity through documents, non-documentary methods, or both, within a reasonable time of account opening.
Documentary vs. non-documentary verification
Documentary verification inspects credentials: a driver’s license, a passport. Non-documentary verification checks the claimed identity against independent sources: consumer reporting data, public databases, authoritative services like eCBSV, or contacting the customer through verified channels. Most modern programs run both, because documents alone miss the current failure mode: synthetic identities whose documents are technically genuine.
The program must also address recordkeeping (identity records kept five years after account closure), customer notice that identity will be verified, and procedures for when verification fails. Examiners test whether the written program matches actual practice, and whether the bank can reconstruct, for any customer, what was verified, when, and against which source.
CIP is a floor, not a fraud program
CIP compliance answers the regulatory question: did you verify identity as your program requires? It does not by itself answer the business question: is this applicant going to defraud you? First-party fraud, in particular, walks through CIP untouched, because the identity is real. Banks increasingly treat CIP as the base layer of a verification stack that also confirms income, employment, funding accounts, and fraud-risk signals in the same flow.
Common questions
What are the CIP requirements?
Collect name, date of birth, address, and an ID number from every account opener; verify identity via documentary or non-documentary methods within a reasonable time; keep verification records five years after closure; give notice; and check government lists as required.
Does CIP require a physical ID document?
No. The rule permits documentary verification, non-documentary verification, or a combination. Fully digital account opening satisfies CIP when non-documentary methods reliably verify identity.
What do examiners look for in a CIP review?
That the written program is risk-based and board-approved, that actual practice matches it, and that the bank can produce verification records showing what was checked, when, and against what source for any given customer.