What are CIP requirements in financial services?

CIP requirements protect companies and consumers but create challenges for financial organizations. Here's how tech is streamlining the process.

Updated on July 08, 2026

Danielle-profile-picture
Danielle Antosz

Danielle is a fintech industry writer who covers topics related to payments, identity verification, lending, and more. She's been writing about tech for over a decade and is passionate about the impact of tech on everyday life.

Financial companies are swimming in regulatory requirements and acronyms. From the Bank Secrecy Act (BSA) to anti-money laundering (AML), staying compliant with all the requirements can be a challenge. 

Today, many financial companies and institutions leverage advanced digital tools to complete these processes faster without increasing risk, including for CIP (Customer Identification Program) requirements.

This article outlines what you need to know about CIP, including what it is, the different CIP requirements, and how technology streamlines the process and improves the onboarding process.

Key takeaways:

  • A Customer Identification Program (CIP) is a written process that financial institutions must follow to verify customer identities before opening an account. 

  • CIP is required under the Bank Secrecy Act, and it applies to banks, credit unions, broker-dealers, and other regulated institutions. 

  • The five required CIP components cover identity data collection, verification methods, government list screening, record retention, and account refusal procedures.

  • CIP is one piece of a broader Know Your Customer (KYC) framework that also includes Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD). 

  • Digital identity verification tools help companies meet customer identification program rules faster while improving the onboarding experience.

What is CIP (Customer Identification Program) in banking? 

A Customer Identification Program (CIP) is a mandatory procedure for many entities that are identified as financial institutions under the Bank Secrecy Act (BSA). The program must outline the steps taken to verify the identity of customers who open an account with the financial institution. CIP is a component of the BSA as amended by the USA PATRIOT Act Section 326, which was implemented on June 9, 2003. 

An organization's CIP must include risk-based procedures for verifying a customer's identity to a reasonable extent. The procedures must be based on the financial institution’s assessment of relevant risks, including:

  • Types of accounts the organization holds

  • How accounts are opened 

  • Types of identifying information 

  • The organization's size, location, and type of customers 

For financial companies, CIP processes are important to reduce risk and safeguard users' information in a digital world.

How are CIP, KYC, CDD, and EDD different?

CIP, KYC, CDD, and EDD are related yet distinct concepts within financial compliance. Here’s how each one fits into the regulatory framework and where they overlap:

What is the difference between CIP and KYC?

CIP and KYC are often used interchangeably, however, there are noticeable differences between the two concepts. 

CIP refers to a documented process financial institutions must have to outline how they identify their customers before they open an account. It is a required piece of an AML program that ensures companies take reasonable steps to determine who customers are. 

KYC is a broader concept that includes guidelines financial and investment institutions should follow to identify customers, assess risk, and monitor transactions for suspicious activities. KYC does not refer to specific regulations; rather it is a catch-all phrase for regulations surrounding identity verification procedures related to AML and BSA compliance.

What is the difference between CIP and CDD?

While CIP is a one-time verification step, CDD is a continuous process that spans the life of the account. CIP verifies a customer’s identity at account opening, and CDD may enhance that process and continues where CIP leaves off. Under FinCEN’s 2018 CDD rule, financial institutions must understand the nature of each customer relationship, assess ongoing risk, and identify beneficial owners of legal entity customers. 

What is the difference between CIP and EDD?

CIP and EDD operate at different levels of scrutiny within the KYC process. CIP establishes baseline identity verification for every customer at account opening, applying the same standard regardless of risk level. EDD applies additional review to customers who present elevated risk, such as politically exposed persons (PEPs), customers in high-risk jurisdictions, or accounts with unusual transaction patterns. 

EDD measures may include deeper source-of-funds analysis, more frequent transaction monitoring, and senior management approval.

Rethinking fraud in the AI era

AI is reshaping fraud. It’s time to rethink trust.

What are the five required components of a CIP?

Banks and some other financial companies must have a written CIP program incorporated into their BSA/AML requirements. The program must include practical, reasonable, and risk-based procedures for verifying a customer's identity. 

The rules should apply to any customer who opens an account for themselves or for another person or organization. The rules do not apply to an individual who does not formally open an account — for example, someone who applies for a car loan but is denied.

There are five main components of CIP banking requirements:

1. What identity information is collected

At a minimum, it must include name, date of birth, address, and identification number, such as a TIN or SSN.

For individuals: CIP rules require four data points for individual customers — full legal name, date of birth, residential address, and an identification number, such as a Social Security number (SSN) or taxpayer identification number (TIN) or a passport number for non-U.S. persons.

For entities: For entity customers, institutions must collect the legal name of the organization, its principal place of business or registered office address, and an employer identification number (EIN) or equivalent tax ID.

2. How the information is verified

The organization must be able to verify that the documents and information provided are accurate to a reasonable degree.

Document verification: Acceptable documents include unexpired government-issued photo identification, such as a passport, driver’s license, or state ID card. For entities, institutions may accept formation documents, business licenses, or a partnership agreement.

Non-documentary verification: When documents aren’t available, institutions can use credit bureau checks, authoritative database lookups, or digital identity verification tools to confirm customer information.

Verification timing: Identity verification must occur before or at the time of account opening. If an institution opens an account before verification is complete, it must document the exception and have procedures to resolve outstanding verifications within a reasonable period.

3. Comparison of identity to government lists

How the organization compares customers to a list of known or suspected terrorists.

SDN and government list screening: Institutions must check each customer against OFAC’s Specially Designated Nationals (SDN) list and other government lists specified by their regulator before completing account opening. Government lists under the CIP rule refer to lists designated by FinCEN through the Federal Register, which only require screening for terrorists. On the other hand, the SDN list is much broader, covering sanctioned individuals and entities. OFAC screening is a separate but related obligation that most institutions handle within the same compliance workflow.

4. How records are retained and stored

A CIP must also include descriptions of the documents collected, how they are collected, and how they are stored.

Documentary records: Institutions must retain copies or descriptions of identification documents for five years after the date the record was made.

Verification records: Records related to the methods and results of identity verification must be retained for five years after the account is closed.

Examiner access: All CIP records must be organized and retrievable so federal banking regulators can review them during examination.

5. Establish protocols for different scenarios

Outline when the organization should not open an account and when to file a suspicious activity report (SAR).

Refusal and delay conditions: Institutions should document the specific conditions under which account opening should be refused or delayed, such as when identity documents appear fraudulent or verification results are inconclusive.

SAR escalation: Clear escalation paths must be defined for filing a SAR with FinCEN when account activity or identity discrepancies meet reporting thresholds.

Account restoration: If a customer’s identity cannot be verified within a reasonable period after account opening, the institution should have procedures in place to restrict account access or close the account entirely.

In the past, building a CIP meant organizations had to outline how to collect and verify documents in person. Today, however, the digital identity verification process makes the process easier. That makes creating a CIP easier, too.

How financial companies meet CIP requirements digitally

Traditionally, opening a bank or investment account took hours—if not days. Customers would go into their local bank branch, meet with a bank manager, and hand over identity documents like their driver's license, social security card, and mail proving their address. If you didn't have official mail (say, because you just moved) or your license has expired, you couldn't open a bank account. After collecting the documents, the bank manager would make photocopies and verify they were real. All those efforts required a huge time investment. 

These requirements limited some consumers' access to financial accounts and tools. Some customers might have to take an afternoon off work—just to open a bank account or access a line of credit. Similarly, banks could spend a massive amount of time gathering, verifying, and storing documentation. 

Times have changed. Now, customers can upload a picture of their driver's license, take a selfie, and—presto—identity verified. Digital identity verification allows financial companies to verify identification documents, phone numbers, names, dates of birth, ID numbers, addresses, and more digitally—often right from a customer's phone or tablet. 

Digital identity verification enhances efficiency in the financial industry. Plaid Identity Verification uses multiple verification methods to verify identification documents, including authoritative data sources and selfie checks to prevent third-party fraud. This limits risks for synthetic identity fraud and presentation attacks

The software increases security and makes verification easier. That makes it easier for companies to create a CIP and increases conversions by improving the onboarding process for customers.

How to implement a CIP: a practical guide for financial services companies

Building a compliant CIP means creating a structured, repeatable process that teams can complete and regulators can review. Here are five implementation steps that cover the ground from initial risk analysis through ongoing documentation and audit: 

  1. Conduct a risk assessment: Identify the account types, customer segments, and channels that shape your organization's risk profile. Products or customer types that carry elevated risk — such as business accounts or cross-border transactions — need more robust verification.

  2. Define your identity data collection workflow: Map out the required fields at onboarding for individuals and entities. Your data collection process must capture all four required elements (name, date of birth, address, and identification number) before account opening is finalized.

  3. Choose verification methods: Document which documentary and non-documentary methods you'll use and when each applies. For digital-first financial services companies, this typically includes document capture and authentication (driver's license, passport), authoritative database checks (credit bureaus, DMV records), and selfie or biometric matching to guard against fintech fraud and presentation attacks.

  4. Build exception handling and EDD escalation paths: Define what happens when identity can't be verified. Consider how long accounts stay pending, what outreach is required, and when to escalate to Enhanced Due Diligence, file a SAR, or use fraud intelligence.

  5. Document, test, and audit: Your CIP must be a written program approved by a board or senior management. Maintain audit logs of all verification decisions, record retention schedules, and list-screening results so they're ready for examiner review.

CIP requirements help reduce risks to both companies and consumers. Requiring banks and financial organizations to document how they gather, store, and analyze identification data limits bad actors' ability to access funds, but there are other benefits as well 

Digital identity verification tools make it easier for financial services companies to comply with regulations—and improve the onboarding process for customers. That results in better conversions for companies and increased access for consumers.

→ Learn more about how Plaid Identity Verification helps you onboard new customers and meet regulatory requirements.

Find out how Plaid can help your business grow

By submitting this form, I confirm that I have read and understood Plaid’s Privacy Statement.

This form goes to our sales team. If you have questions about connecting your financial accounts to a Plaid-powered app, visit our consumer help center for more information.

Learn more

Recommended reading

  • Enhanced due diligence: What is EDD in banking?

    Read article

  • KYC for crypto: Ensuring crypto security and compliance

    Read article

  • The rise of fintech fraud and how to protect your company

    Read article