Customer Identification Program

A Customer Identification Program (CIP) is the required set of written, risk-based procedures you use to collect identifying information, verify identity, keep verification records, and screen customers against applicable government lists when they open an account. To operationalize CIP quickly, map “account opening” to your onboarding flows, define verification methods and exception handling, then implement recordkeeping and list-check controls. (31 CFR § 1023.220)

Key takeaways:

  • CIP is a documented, operational process tied to account opening, not a policy you file away. (31 CFR § 1023.220)
  • You must collect minimum identity data, verify identity (documentary or non-documentary), retain records, and perform required government list checks. (31 CFR § 1023.220)
  • Examiners focus on consistency: “reasonable time” verification, handling of failures, and complete audit trails for each account opened. (31 CFR § 1023.220)

CIP is one of the fastest ways an AML program fails in practice: the rule is clear, but onboarding operations drift. Products add new account types, teams create manual workarounds, and identity verification vendors change decision logic. The result is uneven evidence, inconsistent exception handling, and customers who get opened before you can show verification occurred within a reasonable time. (31 CFR § 1023.220)

For a CCO, Compliance Officer, or GRC lead, the goal is straightforward: define what counts as “opening an account” in your business, enforce a standard set of required identity fields, and implement verification pathways that cover your customer population without creating undocumented, one-off decisions. Your CIP should also integrate with record retention and name screening against applicable government lists, with clear responsibility for monitoring and remediation. (31 CFR § 1023.220)

This page breaks CIP into implementable controls: what to write, what to build into onboarding, what evidence to retain, and how to answer exam questions without scrambling. It assumes you want a requirement-level blueprint you can hand to operations, product, and engineering and then test. (31 CFR § 1023.220)

Customer Identification Program requirement (plain-English)

You must maintain written procedures that allow your firm to form a reasonable belief it knows the true identity of each customer who opens an account. Operationally, that means: collect a defined set of identifying information, verify identity using documents and/or reliable non-documentary methods within a reasonable time, keep records of what you did and the results, and check names against relevant government lists when required. (31 CFR § 1023.220)

A CIP is not “KYC generally.” It is the minimum, testable identity layer tied to account opening. Your broader AML program may include customer due diligence and risk rating, but CIP is the part examiners can sample account-by-account and expect to see consistent artifacts. (31 CFR § 1023.220)

Regulatory text

Requirement (operator view): “Financial institutions must establish a Customer Identification Program that includes procedures for verifying the identity of each person who opens an account.” (31 CFR § 1023.220)

What you must do to meet that text:

  • Maintain written CIP procedures that describe required information collection, verification methods, timing (“within a reasonable time”), recordkeeping, and government list checks. (31 CFR § 1023.220)
  • For each account opened, collect minimum identifying information (name, date of birth, address, identification number). (31 CFR § 1023.220)
  • Verify identity using documentary and/or non-documentary methods, and define what happens when verification fails. (31 CFR § 1023.220)
  • Keep records that show what you relied on and the outcome. (31 CFR § 1023.220)
  • Check customer names against applicable government lists as required by the rule. (31 CFR § 1023.220)

Who this applies to (entity + operational context)

Entity types covered here: Broker-dealers and investment advisers, in the context of AML onboarding controls aligned to the CIP rule cited above. (31 CFR § 1023.220)

Operationally, it applies anywhere you “open an account.” Treat “account opening” as a product-and-process question, not just a legal definition. In most firms, CIP must cover:

  • Digital onboarding (self-serve and assisted)
  • Paper or email-based account opening
  • Accounts opened via introducing brokers, intermediaries, or other third parties acting for you
  • New account types launched after initial CIP design (a common gap)

Your critical scoping output: a definitive list of account-opening events and channels mapped to the exact step where CIP data collection, verification, and list checks occur. (31 CFR § 1023.220)

What you actually need to do (step-by-step)

1) Define “account opening” triggers and stop/go gates

Create an onboarding control map:

  • Trigger: the first point a person is treated as a customer opening an account in your workflow. (31 CFR § 1023.220)
  • Gate: the point where the account is considered opened/active, funded, or able to transact.
  • Rule: what must be completed before the gate (CIP minimums), what can occur after the gate (only if your written CIP allows timing “within a reasonable time”), and who approves exceptions. (31 CFR § 1023.220)

Practical tip: make the gate enforceable in systems. If an account can trade before verification, you will eventually have accounts with missing CIP evidence.

2) Standardize minimum identity data collection

Implement required fields in every channel and ensure they are stored in a system of record:

  • Name
  • Date of birth (for individuals)
  • Address
  • Identification number (for example, a taxpayer or government-issued identification number, depending on customer type) (31 CFR § 1023.220)

Build validation rules (format checks, required-field enforcement) and align them with your written CIP procedures so operations cannot “skip and fix later” without creating an exception record. (31 CFR § 1023.220)

3) Implement verification methods (documentary and non-documentary)

Your CIP must specify how you verify identity, and your operations must follow it. (31 CFR § 1023.220)

Documentary verification (examples):

  • Government-issued photo ID for individuals
  • Other documents your procedures deem acceptable (your CIP must define acceptability criteria) (31 CFR § 1023.220)

Non-documentary verification (examples):

  • Database checks
  • Knowledge-based or possession-based checks
  • Other methods you document as reliable for your risk profile (31 CFR § 1023.220)

Control design requirement: define which method applies by customer/channel/risk, and define fallbacks. Example pattern:

  • Default to non-documentary for low-risk digital onboarding.
  • Require documentary for higher-risk scenarios or when non-documentary fails.
  • Route unresolved cases to manual review with documented disposition. (31 CFR § 1023.220)

4) Define “reasonable time” and exception handling

The rule requires verification “within a reasonable time.” Your job is to make “reasonable” operational:

  • Write a timing standard in procedures that aligns to your product risk and transaction enablement. (31 CFR § 1023.220)
  • Define what the business may do before verification completes (for example, allow profile creation but restrict trading), and implement that restriction technically.
  • Build an exception workflow: who can approve, what evidence is required, and how you remediate failures or close accounts where identity cannot be verified. (31 CFR § 1023.220)

Examiners will look for consistency: if your procedure says you verify within a reasonable time, your sample should not show accounts sitting in limbo without escalation and a recorded decision.

5) Perform required government list checks

Your CIP must include procedures for checking the customer’s name against applicable government lists of known or suspected terrorists or similar lists when required. Operationalize this as:

  • A defined screening point (pre-account opening, at opening, or immediately after, per your procedure). (31 CFR § 1023.220)
  • A case management process for potential matches: escalation, disposition, documentation, and any required restrictions based on the list-check outcome. (31 CFR § 1023.220)

Keep the process tightly documented even if the screening is performed by a third-party provider; you still own the control.

6) Recordkeeping and retrievability

You must maintain records of the verification process. (31 CFR § 1023.220)

Design for retrieval by account sampling:

  • One “CIP evidence packet” per account (system-generated bundle or a case record) containing collected data, verification steps, results, and approvals.
  • A retention approach that preserves the record even if vendors change or integrations are replaced.
  • A way to prove completeness: reports showing accounts opened vs. accounts with completed CIP artifacts.

If you use Daydream to manage onboarding evidence, the practical win is centralization: map each CIP step to a required artifact, auto-request missing items, and produce a consistent exam-ready packet for any sampled account without reconstructing history from multiple tools.

Required evidence and artifacts to retain

Maintain artifacts that let an examiner re-perform your reasoning for a sampled account. At minimum, keep:

  • CIP policy/procedures approved and version-controlled, including verification methods and timing standards. (31 CFR § 1023.220)
  • Customer identification data captured at account opening (minimum required fields). (31 CFR § 1023.220)
  • Verification evidence:
    • Documentary: document type, issuing authority, ID number (as appropriate), expiration date (if captured), and who reviewed it
    • Non-documentary: vendor/data source used, transaction/reference ID, result codes, and decisioning rules applied (31 CFR § 1023.220)
  • Government list check evidence: timestamp, system/provider, result, and case notes for potential matches. (31 CFR § 1023.220)
  • Exceptions and overrides: rationale, approver, date/time, and remediation outcome. (31 CFR § 1023.220)
  • Training and QA evidence showing staff follow procedures (tie training to CIP roles).

Common exam/audit questions and hangups

Expect these and prepare canned evidence pulls:

  1. Show me your written CIP and how it maps to onboarding steps. Provide the control map and screenshots/work instructions. (31 CFR § 1023.220)
  2. For this sample of accounts, show the minimum identity information and verification results. This is where missing fields and vendor-result gaps appear. (31 CFR § 1023.220)
  3. What happens when identity cannot be verified? Auditors look for documented outcomes, not verbal processes. (31 CFR § 1023.220)
  4. How do you ensure third parties follow your CIP? Provide contracts/SLAs, oversight, and evidence intake. You own the requirement even if a third party executes steps. (31 CFR § 1023.220)
  5. How do you perform government list checks and resolve potential matches? Show the workflow, case records, and escalation paths. (31 CFR § 1023.220)

Frequent implementation mistakes (and how to avoid them)

  • Mistake: CIP procedures don’t match reality. Teams change onboarding flows without updating CIP. Fix with a change-management trigger: any onboarding/product change requires CIP impact review and sign-off. (31 CFR § 1023.220)
  • Mistake: “Reasonable time” is undefined. That creates inconsistent handling. Define timing and build system gates aligned to it. (31 CFR § 1023.220)
  • Mistake: Vendor dependency without evidence. A vendor “verified” status without reference IDs, timestamps, or decision details is hard to defend. Contract for audit fields and store them. (31 CFR § 1023.220)
  • Mistake: Manual exceptions with no trail. If operations can override failures in chat or email, you will fail sampling. Route all overrides through a case tool with required fields. (31 CFR § 1023.220)
  • Mistake: Screening evidence is not tied to the account. Store list-check results in the CIP packet so you can prove it happened for that specific customer. (31 CFR § 1023.220)

Enforcement context and risk implications

No public enforcement cases were provided in the approved source catalog for this page, so this section is limited to requirement-driven risk.

CIP failures usually create two downstream risks:

  • Regulatory risk: inability to demonstrate compliance account-by-account because records are incomplete or inconsistent. (31 CFR § 1023.220)
  • Financial crime risk: accounts opened under false identity or with incomplete screening, which can undermine the broader AML program. CIP is explicitly a component of AML compliance. (31 CFR § 1023.220)

Practical execution plan (30/60/90-day)

The plan below is phase-based; adjust to your release cycles and staffing.

First 30 days (stabilize scope and minimum controls)

  • Inventory all account-opening paths and define CIP triggers/gates for each. (31 CFR § 1023.220)
  • Update written CIP procedures to match current onboarding reality, including verification methods, list checks, and exception handling. (31 CFR § 1023.220)
  • Identify top evidence gaps by sampling recent accounts: missing minimum fields, missing verification results, missing list-check logs. (31 CFR § 1023.220)

Days 31–60 (build enforceable workflows and evidence)

  • Implement required-field enforcement across channels for minimum identity data. (31 CFR § 1023.220)
  • Standardize verification decisioning (documentary/non-documentary) and route failures into a single exception workflow with approvals and dispositions. (31 CFR § 1023.220)
  • Ensure government list checks are executed and logged per your procedure; connect results to the account record. (31 CFR § 1023.220)
  • Stand up a “CIP evidence packet” output that can be produced for any account on demand.

Days 61–90 (test, monitor, and lock change management)

  • Run a mock exam: pull a sample of accounts and verify every CIP element is present and consistent. (31 CFR § 1023.220)
  • Add QA checks (operational reviews, automated completeness reports) for CIP completion and exception aging. (31 CFR § 1023.220)
  • Implement change-management controls: onboarding/product changes cannot ship without CIP impact review and updated procedures/training where needed. (31 CFR § 1023.220)
  • If you use Daydream, map each CIP step to a required artifact and set automated reminders/escalations for missing items to keep sampling clean over time.

Frequently Asked Questions

Does CIP apply to existing customers, or only new accounts?

CIP is tied to verifying the identity of each person who opens an account under your procedures. If an existing customer opens a new account, treat that event according to your defined “account opening” triggers and your written CIP. (31 CFR § 1023.220)

Can we rely entirely on non-documentary verification?

The rule allows documentary or non-documentary methods, but your written CIP must specify what you do and when, including fallbacks if the initial method fails. Build a documented path for exceptions and higher-risk scenarios. (31 CFR § 1023.220)

What does “within a reasonable time” mean in practice?

The regulation uses “reasonable time,” so you must define an operational standard in your procedures and enforce it through gates and escalation. Examiners expect your process to match what your procedures say and to be consistent across accounts. (31 CFR § 1023.220)

What evidence do we need from an identity verification vendor?

Keep enough information to show what method was used, when it was run, and the result for that customer, plus any reference IDs or logs your vendor provides. A simple “pass/fail” status without traceability often fails sampling. (31 CFR § 1023.220)

How do we handle customers who cannot be verified?

Your CIP should define the actions you take when verification fails, including escalation, restrictions, and whether you decline or close the account. Record the decision and the basis in the account’s CIP evidence packet. (31 CFR § 1023.220)

Do we need a separate CIP process for accounts opened through third parties?

You can use third parties to execute steps, but you still need written procedures, oversight, and evidence that the required information collection, verification, and list checks occurred. Make evidence delivery and audit fields part of the operational agreement. (31 CFR § 1023.220)
