A Customer Identification Program (CIP) is the U.S. regulatory framework that requires covered financial institutions to implement written, risk-based procedures to verify the identity of customers opening accounts. Under 31 CFR 1020.220, a bank’s CIP must enable it to form a reasonable belief that it knows the true identity of each customer. The FFIEC BSA/AML Manual describes CIP as a required component of the bank’s BSA/AML compliance program.
In the financial crime environment, CIP is significant because it is the first formal control point at which a financial institution tests whether the person or entity seeking access to the financial system is who they claim to be. That makes it a foundational defence against identity theft, synthetic identity abuse, application fraud, sanctions evasion, money laundering, terrorist financing, and other forms of criminal misuse. If identity integrity is weak at account opening, downstream controls such as transaction monitoring, suspicious activity review, and sanctions screening are all working from a compromised starting point. This is an inference supported by the CIP rule’s purpose of establishing a reasonable belief in the customer’s true identity and by the FFIEC’s placement of CIP within the BSA/AML control framework.
A professionally accurate understanding of CIP begins with its scope. The rule generally applies when a customer opens a new account, and FinCEN’s FAQ explains that a “customer” is generally a person who opens a new account. The FFIEC Manual also treats CIP as an account-opening requirement tied to identifying and verifying the customer at the start of the relationship.
From a control perspective, CIP is narrower than full customer due diligence but still central to AML and fraud prevention. CIP focuses on identity collection, verification, recordkeeping, comparison against government lists when required, and notice to customers. CDD goes further by considering beneficial ownership, relationship purpose, and risk profiling. FinCEN’s CDD framework and the CIP rule are therefore related but distinct: CIP establishes who the customer is, while wider CDD helps the institution understand the risk posed by that customer relationship. This is an inference based on the specific elements required in 31 CFR 1020.220 and the FFIEC’s separate treatment of CIP within the BSA/AML program.
The CIP rule requires several core elements. A bank must collect identifying information before account opening, maintain written procedures, verify identity using documentary or non-documentary methods, keep records, determine whether the customer appears on any government list when required, and provide customers with notice that information will be requested to verify identity. The eCFR text states that the verification procedures must be risk-based and “reasonable and practicable,” and must describe what the bank will do when it cannot form a reasonable belief that it knows the customer’s true identity.
That last point is especially important in the financial crime environment. A mature CIP is not just a process for collecting documents. It must also include a response framework for failed or incomplete verification. The eCFR states that the CIP should describe when the bank should not open an account, when a customer may use an account while verification is pending, and when the bank should close an account after failed verification attempts. In practical terms, this means CIP is both an onboarding control and a decision framework for how to handle uncertainty around identity.
The risk-based nature of CIP matters because institutions do not face identical identity risks across all products, channels, and customer types. The regulation itself says the procedures must be based on the bank’s assessment of relevant risks, including the types of accounts, methods of opening accounts, types of identifying information available, and the bank’s size, location, and customer base. That means remote onboarding, third-party onboarding, non-face-to-face account opening, and higher-risk customer profiles may justify stronger or different verification measures than lower-risk in-person relationships.
In practical financial crime terms, CIP helps address several specific threats. It reduces the risk that a criminal can open an account under a false or stolen identity. It helps institutions detect inconsistencies between customer-provided information and verification evidence. It also provides a documented basis for later customer review, transaction analysis, and suspicious activity escalation. None of this guarantees that fraud or money laundering will be prevented, but it materially improves the quality of the institution’s starting point. This is an inference supported by the rule’s requirement that the institution form a reasonable belief in the customer’s true identity and by the FFIEC’s treatment of CIP as a core BSA/AML control.
Operationally, CIP effectiveness depends on more than knowing the rule text. It depends on whether the institution’s data collection is accurate, whether documentary and non-documentary verification methods are appropriate, whether exceptions are handled consistently, whether records are retained properly, and whether staff know when to escalate identity concerns. The FFIEC examination procedures specifically direct examiners to verify that the bank has a written CIP appropriate for its size and type of business and that the program is included within the BSA/AML compliance program.
There are also targeted exceptions and updates in this area, which shows that CIP remains a live regulatory topic rather than a fixed historical requirement. For example, FinCEN issued a June 27, 2025 order related to the TIN exception process under the CIP rule, clarifying relief around customers who have applied for but not yet received a TIN. That is a narrow procedural development, but it illustrates that CIP continues to evolve operationally.
Ultimately, the Customer Identification Program is fundamental in the financial crime environment because it is the legal and operational mechanism through which covered U.S. financial institutions establish a reasonable basis for believing they know who their customer is at account opening. It is not the whole of KYC or CDD, but it is the essential first layer. Without an effective CIP, the institution’s broader AML, fraud, sanctions, and customer-risk framework is built on weak identity foundations.
