OLR Research Report


By: Michelle Kirby, Senior Legislative Attorney

This report summarizes the major components of the customer identification program (CIP), which federal law requires banks to develop and implement.


The 2001 USA Patriot Act (P.L. 107-56) requires “banks” to verify, through a CIP, the identity of people wishing to open accounts with them. The CIP requirement was implemented by federal regulations in 2003. Under the regulations, each bank must develop and implement a written CIP appropriate for its size and type of business that, at a minimum, includes procedures for:

1. performing risk-based identity verification using specified customer information,

2. keeping records and notifying customers, and

3. conducting comparisons with certain terrorist lists kept by the federal government.

The CIP must be a part of a bank's anti-money laundering compliance program (31 CFR 1020.220, et seq.).

The regulations specify the minimum components of a CIP, including the information, documents, and methods that must be used for customer verification. Where necessary, the regulations establish separate standards for (1) individuals versus businesses and (2) U.S. persons versus non-U.S. persons.

With the Treasury secretary's approval, the appropriate federal regulator may exempt a bank or type of account from the CIP requirement, but such exemption must be consistent with the Bank Secrecy Act (31 CFR 1020.220(b)).


The CIP must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. The procedures must (1) enable the bank to form a reasonable belief that it knows the true identity of each customer and (2) be based on the bank's assessment of the relevant risks.

Relevant Risks. Risks may be based on the types of accounts offered; methods provided for opening accounts; types of identifying information available; and the bank's size, location, and customer base (31 CFR 1020.220(a)(2)).

Required Customer Information

The CIP must specify the identifying information that will be obtained from each customer opening an account. This must include the customer's name, date of birth (for an individual), address, and identification number (31 CFR 1020.220(a)(2)(i)).

Identification Number. A U.S. person must present a taxpayer identification number. A non–U.S. person must present one or more of the following:

1. taxpayer identification number,

2. passport number and country of issuance,

3. alien identification card number, or

4. number and country of issuance of any other government-issued document showing nationality or residence and bearing a photograph or similar safeguard.

If a foreign business does not have an identification number, the bank must request alternative government-issued documentation certifying the business's existence (31 CFR 1020.220(a)(2)(i)(A)).

According to the Internal Revenue Service (IRS), a person who is not eligible for a Social Security number may apply for an individual tax identification number (ITIN). The ITIN procedures were updated, effective January 1, 2013, to include the requirement that supporting documents required by IRS, such as passports and birth certificates, must be original documents or certified copies. Additional information on the ITIN application process may be found on IRS's website.

Exception. The CIP may include procedures for opening an account for a customer that has applied for, but has not received, a taxpayer identification number. In such a case, the CIP must include procedures to (1) confirm that the application was filed before the customer opens the account and (2) obtain the taxpayer identification number within a reasonable period of time after the account is opened (31 CFR 1020.220(a)(2)(i)(B)).

Customer Verification

The CIP must contain procedures for verifying the identity of the customer, using the required information discussed earlier, within a reasonable time after the account is opened. The procedures must describe when the bank will use documents, non-documentary methods, or a combination of both (31 CFR 1020.220(a)(2)(ii)).

Verification Through Documents. For a bank relying on documents, the CIP must contain procedures that set forth the documents that the bank will use. These documents may include:

1. for an individual: unexpired government-issued identification, such as a driver's license or passport, showing nationality or residence and bearing a photograph or similar safeguard and

2. for a person other than an individual (such as a corporation, partnership, or trust): documents showing the existence of the entity, such as certified articles of incorporation, a government-issued business license, a partnership agreement, or trust instrument (31 CFR 1020.220(a)(2)(ii)(A)).

Verification Through Non-Documentary Methods. For a bank relying on non-documentary methods, the CIP must contain procedures that describe the non-documentary methods the bank will use.

These methods may include:

1. contacting a customer;

2. independently verifying the customer's identity through the comparison of information provided by the customer with information obtained from a consumer reporting agency, public database, or other source;

3. checking references with other financial institutions; and

4. obtaining a financial statement.

A bank's non-documentary procedures must address situations in which:

1. an individual is unable to present an unexpired government-issued identification document that bears a photograph or similar safeguard,

2. the bank is not familiar with the documents presented,

3. the account is opened without obtaining documents,

4. the customer opens the account without appearing in person at the bank, and

5. the bank is otherwise presented with circumstances that increase the risk that the bank will be unable to verify the customer's true identity through documents (31 CFR 1020.220(a)(2)(ii)(B)).

Customer Verification Failure

The CIP must include procedures for responding to circumstances in which the bank cannot form a reasonable belief that it knows the customer's true identity. These procedures should describe the terms under which a customer may use an account while the bank attempts to verify his or her identity. They should also describe when the bank should (1) not open an account; (2) close an account, after attempts to verify a customer's identity have failed; and (3) file a Suspicious Activity Report in accordance with applicable law and regulation (31 CFR 1020.220(a)(2)(iii)).


The CIP must include procedures for making and maintaining a record of all identifying information obtained from the customer and for retaining the information for five years after the date the account is closed or, in the case of credit card accounts, five years after the account is closed or becomes dormant (31 CFR 1020.220(a)(3)).


The CIP must include procedures for determining whether the customer appears on any list of known or suspected terrorists or terrorist organizations issued by any federal agency. The procedures must require the bank to make such a determination within a reasonable period of time after the account is opened, or earlier, if required by another federal law, regulation, or directive issued in connection with the applicable list. The procedures must also require the bank to follow all federal directives issued in connection with such lists (31 CFR 1020.220(a)(4)).


The CIP must include procedures for providing bank customers with adequate notice that the bank is requesting information to verify their identities (31 CFR 1020.220(a)(5)).

Sample Notice

If appropriate, a bank may use the following sample language to provide notice to its customers:

Important Information About Procedures for Opening a New Account

To help the government fight the funding of terrorism and money laundering activities, federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account.

What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver's license or other identifying documents.