Customer Identification Program: CIP Rules for Fintechs

Every US financial institution that opens accounts must operate a written Customer Identification Program. The framework comes from Section 326 of the USA PATRIOT Act, implemented through regulations administered by FinCEN and the federal banking agencies under the Bank Secrecy Act. For fintechs and money services businesses, understanding these obligations is the difference between a defensible onboarding flow and an enforcement finding.
Where CIP Requirements Come From
The Bank Secrecy Act (31 U.S.C. 5311 et seq.) is the foundation of US anti-money-laundering law. In 2001, USA PATRIOT Act Section 326 added a mandate that institutions verify the identity of any person opening an account. The implementing rule for banks appears at 31 CFR 1020.220; parallel provisions cover brokers, mutual funds, and futures merchants. Money services businesses fall under 31 CFR Chapter X and register directly with FinCEN. While the CIP rule is technically written for "banks," the identity-verification principles it establishes shape KYC requirements across the US, and MSBs are expected to apply equivalent controls as part of their AML program under 31 CFR 1022.
The Four Core CIP Requirements
A compliant program has to be a written part of your broader AML program, approved by senior management. At minimum, CIP requirements break into four elements:
- Identifying information. Before or shortly after account opening, collect name, date of birth, a physical address (not a P.O. box for individuals), and an identification number — a Social Security Number for US persons, or a passport number, alien identification card, or other government-issued number for non-US persons.
- Verification procedures. Verify identity through documentary methods (unexpired government photo ID) or non-documentary methods (comparing data against consumer reporting agencies, public databases, or other trusted sources), or a combination. Your program must state which methods apply and when.
- Recordkeeping. Retain the identifying information collected for five years after the account is closed, and records of the verification methods used for five years after the record is made.
- Comparison with government lists. Check customers against any lists of known or suspected terrorists issued by federal agencies, such as OFAC-related designations, as directed by FinCEN.
The rule requires "reasonable belief" in a customer's true identity — not certainty. That risk-based standard lets you calibrate depth of verification to the products, geographies, and customer types you serve.
What CIP Means for MSB Compliance
For money services businesses, MSB compliance means integrating identity verification into a documented AML program that also includes a designated compliance officer, ongoing training, and independent testing. FinCEN registration is required within 180 days of establishing the business, with renewal every two years. Transaction thresholds trigger additional duties: Currency Transaction Reports for cash over $10,000, Suspicious Activity Reports for qualifying activity, and specific recordkeeping for money transfers of $3,000 or more. CIP does not replace these — it sits alongside them as the entry-point control.
Building CIP Into Chat-Based Onboarding
Nothing in the Customer Identification Program rule dictates a channel. Identity data can be collected in a branch, a web form, or a messaging conversation — as long as your verification methods and records meet the standard. Chat-based onboarding on platforms like Telegram or WhatsApp can capture the four required data points, request a government ID image for documentary verification, and route non-documentary checks against third-party sources, all within a structured flow. Two design principles matter here:
- Collect only what the rule and your risk assessment require. Extra fields create liability without improving your "reasonable belief" standard.
- Make retention configurable. The five-year clock runs from account closure or record creation; systems that let you set retention windows help you satisfy the requirement without holding data indefinitely.
Common Gaps Regulators Flag
Examiners frequently cite programs that exist on paper but aren't followed, verification methods that don't match stated procedures, missing records of how identity was confirmed, and no process for customers who can't be verified. Document your escalation path for unverifiable customers, including when to decline or close an account. For authoritative text, consult FinCEN guidance at fincen.gov and the regulations in 31 CFR Chapter X.
This article is general information, not legal advice. Confirm your specific obligations with qualified counsel before finalizing any program.