Fact Sheet 31:
Customer Identification Programs for Financial Transactions
Send to Printer
Privacy Rights Clearinghouse
- About Customer Identification Programs (CIPs)
- When Is Proof of Identity Required?
- Information Required to Open an Account: Proving You Are You
- Opening an Account without Documents
- Your Identity Is Kept on File
- Terrorist Lists
- Reportable Transactions
- Prepare: Be Part of the Process
Customer identification programs (CIPs) are required by federal law to prevent financing of terrorist operations and money laundering. The requirements go beyond just verifying your identity. Banks must keep records of identifying information and check customer names against terrorist lists. This applies to anyone who opens a new account.
The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act, (USA PATRIOT Act), Pub.L. 107-56, was signed by the President on October 26, 2001. Moved through Congress at breakneck speed after the September 11, 2001, terrorist attacks, the PATRIOT Act has been broadly criticized for what many see as excessive powers given to law enforcement officials. (For more on the PATRIOT Act and consumer concerns, see the web sites of the Electronic Privacy Information Center (EPIC), www.epic.org, the Electronic Frontier Foundation, www.eff.org, and the ACLU, www.aclu.org.)
The PATRIOT Act also includes measures to undercut terrorist financing and combat money laundering. Customer identification programs for financial institutions are required by §326 of the PATRIOT Act,1 with the details spelled out in regulations published by multiple federal agencies2 . The regulations are referred to in this guide collectively as the CIP Rules.3
This guide is intended to make you aware of the requirements for opening a financial account as well as the kinds of companies that must comply with the CIP Rules. We also provide some suggestions on how you can prepare yourself and become part of the process.
What companies must have CIPs?
The PATRIOT Act requires CIPs for a broad category of companies that fall under the definition of “financial institution,” a term defined by the Bank Secrecy Act. A partial list of business sectors that qualify as “financial institutions” was published along with the final CIP Rule. The list includes:
- Commercial banks.
- Agencies and branches of foreign banks in the United States.
- Thrifts (savings and loan institutions).
- Credit unions.
- Private banks.
- Trust companies.
- Investment companies.
- Brokers and dealers in securities.
- Futures commission merchants.
- Insurance companies.
- Travel agents.
- Dealers in precious metals.
- Check cashers.
- Telegraph companies.
This follows generally the wide array of financial activities covered by the privacy and security provisions of the federal Gramm-Leach-Bliley Act (GLB), 15 USC §6801-6809, which are described in the Bank Holding Company Act of 1956. A list of covered financial activities can be found at www.ftc.gov/privacy/glbact/sec4bhca.htm.
For more on the GLB customer data privacy and security sections, see PRC Fact Sheet 24, Protecting Financial Privacy in the New Millennium: The Burden Is on You and Fact Sheet 24e, Is Your Financial Information Safe?
Will I receive notice about identity requirements before I open an account?
The CIP Rule says you must receive notice about the identity requirements. The notice may come in a variety of ways. The financial institution may post the notice in its lobby or on its website. Or, the notice may be included in documents you receive when opening an account. The notice may be either written or oral. Here’s a sample notice included in the CIP Rule:
Important Information about Procedures for
Opening a New Account
To help the government fight the funding of terrorism and money laundering activities, Federal law requires all financial institutions to obtain, verify, and record information that identifies each person who opens an account.
What this means for you: When you open an account, we will ask for your name, address, date of birth, and other information that will allow us to identify you. We may also ask to see your driver’s license or other identifying documents.
What does the CIP Rule require banks to do?
Primarily the CIP Rule requires banks and other financial institutions to adopt written procedures to ensure proper identification of new customers. The Rule allows great flexibility for each institution to adopt procedures appropriate to its own size and customer base.
This means the procedures may vary significantly from one company to the next. You may be asked, for example, to submit only one item of identity at one company while another may ask for several pieces of identification.
Will CIPs stop identity theft?
CIPs will certainly not stop identity theft. Whether CIPs will make any dent in this growing crime remains to be seen. However, make no mistake. CIPs are not required as a consumer protection measure. Rather, they are required as part of the PATRIOT Act to combat terrorism and money laundering.
Under CIP requirements, if the bank or other financial institution is not satisfied that adequate or legitimate identification has been provided, it will simply refuse to open the account. You, as the consumer, may never know that someone attempted to open an account using your name and other identifying information. The thief could then simply go to another institution where he or she might be more successful.
Consumer advocates have long pointed out that individuals can only go so far in protecting against identity theft, and that much of the problem lies with lax procedures on the part of businesses. The “instant credit society” that often lends itself to inadequate identity verification has fueled the identity theft problem.
Whether the CIP Rule applies to you depends on whether you are a “customer” who opens an “account.” The CIP Rule applies generally to new customers who open new accounts after October 1, 2003.
Does the CIP Rule apply just to individuals who open accounts?
No. The Rule applies to “persons” who open an account. For purposes of the CIP Rules, “person” includes not only individuals but also
“…corporations, partnerships, trusts, estates, joint stock companies, associations, syndicates, joint ventures, other unincorporated organizations or groups, certain Indian Tribes, and all entities cognizable as legal personalities.” (31 C.F.R. 103.11(z))
This takes in almost every company, of any size, including sole proprietorships. It also includes accounts opened for recreational or civic groups like your bowling team or tenant association.
Does a child have to produce identification?
An individual who opens an account for a minor child has to produce his or her identifying information. Under the CIP Rules, a person who opens an account for a minor is specifically included as a “customer” who must produce information to open a new account.
I want to open a bank account for my bowling league. What identification do I use?
In that case, your own identifying information will be required, and you will be the “customer.”
I have a checking account with my bank. Do I have to produce identifying information to open a loan account?
Under the original proposal you would have had to do that. The final Rule says a bank need not prove the identity of an existing customer as long as the bank is “reasonably” satisfied that it knows who you are.
Does the CIP Rule apply when I purchase travelers checks?
No. To be a customer and subject to the CIP, you must have a “formal” banking relationship with the financial institution. Certain kinds of transactions such as check cashing, wire transfers, sale of a cashier’s check or money order do not mean you have an ongoing relationship.
The bank may have a policy of checking identification for some transactions, but it is not required by the CIP Rule. Also, if the transaction is over a certain dollar amount, other regulations may require the bank to report the transaction to the appropriate government agency. Some transactions need not be reported to the government, but must be noted by the bank for future review by auditors.
I am one of several people in my company authorized to sign checks on the company’s account. Is my personal identifying information required?
No. The original CIP Rule proposal required signatories to produce personal information, even for a business account. But, based on numerous comments pointing out the impracticality of this as workers leave and new employees are added, the final Rules deleted this requirement.
However, the CIP Rule leaves it up to the bank to decide when additional steps are necessary to identify a customer that is not an individual. This may include gathering information about signatories. In other words, the CIP Rule does not require personal identifying information from people authorized to use business accounts, but the bank’s own procedures may require it.
My spouse and I plan to open a joint account. Do we both have to produce identifying information?
Yes. The CIP Rule applies to all those named on an account. The same is true if your name or someone else’s name is added as an account holder after the account is opened.
Do I have to produce ID to open a new account at a company where I previously had an account?
Yes. If you closed your account – no matter how recently – and if it was after the effective date of the CIP Rule, you do not have an established relationship with the firm. You will have to follow the company’s procedure as if you never had an account.
Does the CIP Rule only pertain to accounts where money is deposited?
No. Under the CIP Rule, an account also includes:
- A transaction or asset account.
- A credit account or other extension of credit.
- A safety deposit box or other safekeeping services.
- A cash management account.
- Custodian and trust services.
In short, an account encompasses nearly any ongoing relationship that involves the exchange of money for financial products or services.
If my bank merges with another bank, do I have to produce identifying information for the new bank?
No. There are certain exceptions to when an account is a new account subject to the CIP Rule. One of those is when the bank acquires accounts through acquisition, merger, purchase of assets, or assumption of liabilities. Since these new accounts are not opened or initiated by the customers, identification is not required.
Another exception is for accounts opened for the purpose of participating in an employee benefit plan established by your employer under the Employment Retirement Income Security Act of 1974 (ERISA). In such cases, the plan administrator and not the plan participant has control over the account. Thus personal identification from each participant is not required. The CIP Rule also exempts accounts opened by a government agency or a publicly traded company subject to the jurisdiction of the SEC.
Do I have to produce identifying documents to inquire about opening an account?
No. The Rule only applies when you actually open an account and have an “ongoing” relationship. If you do not receive banking or other financial services, for example, where you applied for a loan but were turned down, the Rule does not apply.
The CIP Rules establish the minimum identification information a financial institution must collect from you before opening a new account. Beyond this, financial institutions have flexibility to adopt CIP procedures appropriate to the business operations of each.
Four data items are required for all new accounts. These are:
- Date of birth (for an individual).
- Identification number.
May I use a Post Office box number as my address?
The CIP Rule requires a physical address. Either a home or business address will do. The only exception is for Army Post Office boxes (APO) or Fleet Post Office (FPO). The home or business address of a next of kin or other contact individual is also acceptable. There is nothing to say, however, that you can’t supply a physical address and ask the bank to use another mailing address such as a post office box.
Does the CIP Rule allow me to use a commercial mailbox? I’m worried about identity theft.
A physical address is required because “…law enforcement agencies should be able to contact an individual customer at a physical location, rather than solely through a mailing address.” .
There is nothing that says your bank cannot collect a physical address, but mail your statements and other correspondence to a commercial mailbox. The CIP neither requires nor encourages a separate mailing address. A bank that is alert to its customers’ concerns about identity theft should have no objection to a separate mailing address.
I live in a rural area. What address do I use?
A rural route number is an acceptable address under the CIP Rule because it describes the area where you can be located. If you have no rural route number, the bank may instead ask for a description of where you live.
What address must a business use when opening an account?
A business account may list its principal place of business, a local office, or other physical location.
The CIP Rule requires an identification number. What is my number?
An identification number is one of the four data items required by the CIP Rule. For an individual, the tax identification number is the Social Security number (SSN). For businesses, the tax identification number is the employer identification number (EIN) or tax identifier for the business (TIN).
I am not a U.S. Citizen. What can I use to open an account?
For non-U.S. citizens who do not have a SSN, one of the following numbers can be used:
- Passport number and country of issuance.
- Alien identification card number.
- Number and country of issuance of any other government-issued document bearing a photograph.
I applied for a SSN but don’t have it yet. Do I have to wait to open an account?
As long as you have applied, the CIP Rule allows banks and other financial institutions to open an account. You will have to provide proof of your application. Pending applications are acceptable for both individuals and businesses.
What documents should I take to the bank?
The CIP Rule requires financial institutions to verify your identity through documents. To do this, you will have to produce a current government-issued identification that shows:
- Your nationality or residence.
- A photograph.
For individuals, a driver’s license or passport are examples of acceptable documents. Again, the documents must be current, not expired.
For a business, documents verifying the business may include:
- Articles of incorporation.
- A government-issued business license.
- Partnership agreement.
- Trust instrument.
The Rule encourages, although does not require, more than one identifying document.
How does a sole proprietorship identify itself?
A sole proprietorship may use a state-issued “fictitious” or “assumed name” certificate as identifying information. Otherwise, the personal information of the sole proprietor and any other individual with control over the account will have to be produced.
How does an elderly person with no current driver’s license or passport open an account?
This is one example of when a financial institution may open an account without documents. We discuss this further in Part 5. The CIP Rules favor an identity procedure based on documents, but they realize that it is not always possible to have document verification. The Agencies say that financial institutions should incorporate such situations into written procedures.
Can I still open an account over the Internet?
Yes. Today, many new accounts are opened over the Internet, by mail, or by telephone. The CIP Rules recognize that many new accounts are opened when customers do not appear in person at the bank or other financial institution. Banks must still verify the customer’s identity, but procedures must be in place to verify identity without documents.
How does the bank verify my identity without documents?
The Agencies give several examples of what a bank can do to verify identifying information when one does not appear in person. Suggested methods include:
- Contacting the customer after the account is opened.
- Obtaining a financial statement, for example from a corporate customer.
- Comparing the identifying information provided by the customer against fraud and bad-check databases.
- Comparing identifying information with a trusted third party source such as a consumer reporting agency.
- Checking references with other financial institutions.
Are copies of my identifying documents kept on file?
The financial institution must keep a description of the documents you provided as proof of identity when you opened your account. The description should include the name of the document, date of issuance, and expiration date. The financial institution must also record any measures it took to verify your identity.
What so-called terrorist lists does the bank check?
At the time the final Rule was published, the Agencies stated that no compilation of lists had been made. Nonetheless, one likely source is the Questions about Specially Designated Nationals (SDNs) maintained by the Office of Foreign Asset Control (OFAC), a part of the U.S. Treasury Department.
OFAC publishes a list of individuals and companies owned or controlled by, or acting for or on behalf of, targeted countries. It also lists individuals, groups, and entities, such as suspected terrorists and narcotics traffickers designated under programs that are not country-specific. Collectively, such individuals and companies are called Specially Designated Nationals or SDNs. Their assets are blocked and U.S. persons are generally prohibited from dealing with them. For more on the SDN list, see www.ustreas.gov/offices/enforcement/ofac/faq/#sdn.
The CIP Rule does not require financial institutions to report your dealings to the government. However, sections of the Bank Secrecy Act do require transactions over a certain dollar amount to be either reported to the Financal Crimes Enforcement Network (FinCEN), a branch of the U.S. Department of the Treasury, or documented by the bank. Reporting requirements may vary depending on the type of financial institution. FinCin provides the following general examples of transactions that should be reported.
- Any transaction over $2,000 if the bank is suspicious. The company must file a Suspicious Activity Report (SAR).
- All cash-in or cash-out transactions over $10,000 with the same customer in the same day. The company must file a Cash Transaction Report (CTR).
- Money orders or travelers checks of $3,000 to $10,000 to the same customer in the same day. The bank will keep a record. Transactions over $10,000 would trigger a CTR.
- Money transfers of $3,000 or more to the same customer in the same day. The company must keep a record.
- Currency exchanges of more than $1,000 to the same customer in the same day.
The U.S. Office of Comptroller of Currency, the agency that oversees national banks, notes that reporting is required "...at specified thresholds, or transactions over $5,000 that they suspect involve money laundering ..." Rules that apply to SAR Reports for national banks can be found at 12 CFR 21.11. Reporting requirements for other depository institutions such as credit unions and state chartered banks may vary depending on the rules adopted by the oversight agency.
National banks and other depository institutions are not the only "financial" companies required to file SAR Reports. SAR reporting requirements also apply to the following:
- Money services businesses (dealing in e.g. transactions in money orders, travelers checks, money transmissions, check cashing, currency exchange.)
- Precious metals/jewelry
- Mortgage company/broker
FinCEN provides information and guidance for all financial industries subject to SAR reporting.
Cash payments of $10,000 or more must also be reported to the IRS on Form 8300, www.irs.gov/pub/irs-pdf/f8300.pdf. The person or business that receives the cash is the one responsible for filing the form. However, if you are the purchaser, you will also have to supply some personal information.
If, for example, you purchase a car for over $10,000 in cash, you will be asked to provide certain information, either to a dealer or another individual such as the loan officer. The form requires that certain personal information be obtained from you. This includes:
- Date of birth
- Social Security number
The company reporting to the IRS must also verify your identity and report a description of the documents that were used.
Reporting on IRS Form 8300 is required for a number of different transactions, including:
- Personal or real property purchased.
- Personal services provided.
- Business services provide.
- Intangible property purchased.
- Debt obligations paid.
- Exchange of cash.
- Escrow or trust funds.
- Bail received by court clerks.
Cash means U.S. and foreign currency, a cashier’s check, money order, bank draft, or travelers checks. IRS Form 8300 states: “Cash does not include a check drawn on the payer’s own account such as a personal check, regardless of the amount.”
Opening a new account is a good time to check up on yourself, in other words, to find out what information is available about you to banks or other financial institutions. An important benefit of checking key reports is to determine if you are a victim of identity theft. You would not want to be turned down for an account and considered a person of suspicion if you were a victim of credit fraud. Here are some things you can do:
- Check your credit report. CIP Rules list a credit check as one of the means of verifying your identification. You can get a free copy of your report from the three national consumer reporting agencies. For more on free credit reports see PRC's Privacy Survival Guide.
- Order your ChexSystems Report. ChexSystems is a consumer reporting agency comprised of member banks and credit unions. Reports of problem accounts are usually accessed when you open an account at a new financial institution. Like your credit report, you are entitled to a copy of the report and to dispute inaccurate information. The ChexSystem Report is defined in FACTA as a “nationwide specialty consumer report.” You are entitled to one free copy of your ChexSystems Report each year. https://www.consumerdebit.com/consumerinfo/us/en/freereport.htm
- USA PATRIOT Act, Public Law 107-56 (October 26, 2001),
- Bank Secrecy Act (BSA),
- Fair Credit Reporting Act (FCRA), as amended by FACTA,
- Gramm-Leach-Bliley Act (privacy and security of customer data),
- SEC/Treasury, Identification Programs for Mutual Funds,
- SEC/Treasury Identification Programs for Broker-Dealers,
- Joint final Rule: FDIC, Federal Reserve Board , OCC, OTS, OFAC,
Other Federal Publications:
- Bank Secrecy Act Examination Procedures for Customer Identification Programs,
- FAQ: Final CIP Rule,
- Financial Crimes Enforcement Network, Department of Treasury
Telephone: (800) 767-2825
- Office of the Comptroller of Currency
U.S. Department of Treasury
Customer Assistance Group
1301 McKinney Street, Suite 3450
Houston, TX 77010
Telephone: (800) 613-6743
Complaint information: http://www.helpwithmybank.gov/complaints/index-file-a-bank-complaint.html
- Federal Deposit Insurance Corporation
550 17th Street N.W.
Washington, D.C. 20429-9990
Telephone: (202) 736-0000
- Board of Governors of the Federal Reserve
Division of Consumer and Community Affairs
20th and C Streets, N.W., Stop 801
Washington, D.C. 20551
Telephone: (202) 452-3693
- National Credit Union Administration
1775 Duke Street
Alexandria, VA 22314-3428
Telephone: (703) 518-6300
- Securities and Exchange Commission Complaint Center
450 Fifth Street, N.W.
Washington, D.C. 20549-0213
Fax complaint to: (202) 942-9634.
- Commodity Futures Trading Commission
Three Lafayette Centre
1155 21st Street, N.W.
Washington, D.C. 20581
Telephone: (202) 418-5000
Fax: (202) 418-5521
2. For banking functions, CIP Rules were published jointly by the Office of Comptroller of Currency, www.occ.treas.gov; the Federal Reserve Board, www.federalreserve.gov; the Federal Deposit Insurance corporation, www.fdic.gov, the former Office of Thrift Supervision, and the National Credit Union Administration, www.ncua.gov Separate CIP Rules were published by the Securities and Exchange Commission, www.sec.gov and the Commodity Futures Trading Commission, www.cftc.gov, in conjunction with the US Department of Treasury, www.treas.gov
3. The CIP Rules include some elements of the controversial “Know Your Customer” (KYC) Rules that were proposed by federal banking agencies in October 1998. In addition to identifying customers, the KYC Rule would have required financial institutions to determine such things as source of funds, normal and expected transactions in an account as well as mandated monitoring of account activity and reporting “suspicious” activities to the government. The KYC Rules were withdrawn in March 1999, following widespread public consumer about consumer privacy along with complaints from the financial services industry that the Rules were burdensome. http://www.fdic.gov/news/news/press/1999/pr9914.html
Browse Privacy Topics
Background Checks & Workplace
Banking & Finance
Credit & Credit Reports
Harassment & Stalking
Identity Theft & Data Breaches
Online Privacy & Technology
Privacy When You Shop
Public Records & Info Brokers
Social Security Numbers
Who We Are
We are a nationally recognized consumer education and advocacy nonprofit dedicated to protecting the privacy of American consumers.