Lesson 02 of 9

Customer Identification & Identity Verification (CIP)

4 min read · KYC Analyst

Master the four CIP data elements required under 31 CFR 1010.220 and the difference between documentary and non-documentary verification. You'll work with eIDV, liveness, and biometrics, and learn to spot the document-fraud red flags that assessments love to test.

The four CIP data elements

  • Name
  • Date of birth (for individuals)
  • Address
  • Identification number (SSN, TIN, passport, etc.)

The Customer Identification Program, or CIP, is where onboarding starts. Under 31 CFR 1010.220, which implements Section 326 of the USA PATRIOT Act, a bank must collect at minimum four pieces of identifying information before opening an account.

Memorize these, because an assessment loves to ask: name; date of birth, for individuals; a physical address — not a P.O. box alone for an individual; and an identification number, such as a Social Security number, a taxpayer identification number, or for a non-U.S. person a passport number or similar. Collecting the four elements is step one.

The rule then requires you to verify them, which is where the real work begins. A quick clarifying note: the regulation sets the minimum, and many institutions collect more — but you must always capture at least these four, every time.

Collect, then verify

  • CIP = collect the four elements AND form a reasonable belief of identity
  • Verification can be documentary, non-documentary, or both
  • Risk-based: the method scales with the risk

Here's the distinction the exam-style questions hinge on. CIP isn't just collecting data — it's forming a reasonable belief that you know the customer's true identity. The regulation gives you two verification paths.

You can verify through documents, or through non-documentary methods, or you can combine them. And the program must be risk-based: a low-risk retail customer might be fine with a single verified ID, while a higher-risk profile warrants more. The rule deliberately doesn't dictate one rigid checklist, because a one-size approach would be both over-burdensome and easy for criminals to game.

One more nuance the exam rewards: a bank may rely on another financial institution to perform parts of CIP under specific conditions, but reliance never transfers away your own accountability for getting identity right.

Documentary vs non-documentary

  • Documentary — a government photo ID, passport, corporate formation docs
  • Non-documentary — credit bureau, public databases, comparison checks
  • Use non-documentary when no document is presented or it can't be authenticated

Let's define the two paths. Documentary verification means checking an actual document — for an individual, an unexpired government-issued photo ID like a driver's license or passport; for a business, formation documents such as articles of incorporation. Non-documentary verification means confirming identity without relying on a presented document: comparing the information against a credit bureau, public records, or a trusted database, or contacting the customer.

The FFIEC manual notes non-documentary methods become especially important when the customer can't present a document in person, when the document can't be authenticated, or when the account is opened remotely — which, today, is most accounts. As an analyst you'll often combine both paths on the same customer, because layering independent checks is what builds a defensible, reasonable belief of identity.

eIDV, liveness and biometrics

  • eIDV — electronic identity verification against data sources
  • Liveness checks — confirm a real, present human, not a photo or deepfake
  • Biometric / face-match — selfie compared to the ID portrait
  • Each reduces, but never eliminates, fraud risk

Because so much onboarding is now digital, you'll work with electronic identity verification, or eIDV — software that checks the customer's data against authoritative sources in real time. Paired with it are liveness checks, which confirm there's a real, present human on the other end rather than a held-up photo, a video replay, or a deepfake. And biometric face-matching compares a live selfie against the photo on the submitted ID.

These tools are powerful, but treat them as risk reducers, not guarantees. Deepfake and injection attacks are improving fast, so a strong program layers signals — document authentication, a liveness check, a database match — rather than trusting any single one.

Document-fraud red flags

  • Fonts, spacing or photos that look altered or pasted
  • Mismatched data — name, DOB or address differs across documents
  • Security features missing under UV or tilt
  • ID 'just expired,' templated images, or reused stock photos

Now the part assessments love: spotting a fake. Watch for inconsistent fonts, uneven spacing, or a photo that looks pasted in. Watch for data that doesn't reconcile — the name, date of birth, or address differs between the ID and other documents.

Watch for missing security features: holograms, microprint, or the optically variable ink that should shift under tilt. Be suspicious of an ID that conveniently expired yesterday, of images that look like a template, and of the same stock photo appearing across supposedly different applicants — a classic sign of a synthetic-identity or fraud ring. When the document fails, that's your cue to escalate to non-documentary verification or to decline.

Recap

  • Four CIP elements: name, DOB, address, ID number
  • Collect AND verify — documentary, non-documentary, or both, risk-based
  • Digital tools: eIDV, liveness, biometrics — layered, not trusted alone
  • Next: who really owns and controls the customer

Let's lock it in. CIP requires four data elements — name, date of birth, address, and identification number — and a reasonable belief you've identified the customer. You verify documentarily, non-documentarily, or both, on a risk basis, increasingly through eIDV, liveness, and biometric tools that you layer rather than trust in isolation.

And you stay alert to document-fraud red flags. We've proven who's at the door. Next, we go behind the company name to find out who really owns and controls it.

Go test yourself on CIP first. The throughline is that identity is the foundation everything else stands on, so we take it seriously.

Sources

  • 31 CFR 1010.220 (Customer Identification Program)
  • USA PATRIOT Act Section 326
  • FFIEC BSA/AML Examination Manual (CIP)
  • FinCEN guidance on non-documentary verification

Test your knowledge

A few KYC Analyst questions on this material — pick an answer to see the explanation.

  1. Maria owns 60% of HoldCo, and HoldCo owns 50% of your legal-entity customer. Under the CDD Rule's ownership prong, is Maria a beneficial owner?

  2. While unwrapping a customer's ownership, the chain repeatedly dead-ends in shell entities in secrecy jurisdictions, and nominee directors appear on the paperwork. What is the best characterization of this situation?

  3. An entity is not itself named on the SDN List, but two unrelated blocked persons each own 30% of it. Under OFAC's 50 Percent Rule, how should the entity be treated?

  4. Which statement most accurately reflects how PEPs are treated under FATF Recommendation 12?