Customer Identification Program (CIP) Template: What Banks and Fintechs Must Document at Account Opening
TL;DR
- CIP is the identity-verification spine of every BSA program. 31 CFR 1020.220 requires four data points at minimum and verification within a reasonable time of account opening.
- LPL Financial paid an $18M SEC penalty in January 2025 for failing to close accounts where identity was never verified — proof that “reasonable time” has a hard ceiling.
- The June 2025 FinCEN order lets banks pull TINs from third parties (think: BaaS partners, payroll processors), but the bank still owns the reasonable-belief standard.
- Fintechs riding a sponsor bank’s BSA program inherit the bank’s CIP — but operational gaps in your stack land on the bank’s exam, and on you in the next contract review.
If your CIP procedures haven’t been touched since 2018, you have a problem. The rule itself hasn’t changed much — but examiner expectations, the BaaS landscape, and recent enforcement have shifted what “adequate” looks like at account opening.
The June 27, 2025 FinCEN order on TIN collection is the most consequential CIP update in a decade for banks with fintech partners. The LPL Financial action is the wake-up call for anyone whose “verification within a reasonable time” has quietly become “verification someday, maybe.”
This is the practitioner walkthrough of what to document, what examiners actually open the binder for, and where most CIP programs fall apart.
What 31 CFR 1020.220 Actually Requires
The Customer Identification Program rule lives at 31 CFR 1020.220 for banks. There are parallel rules for broker-dealers (1023.220), mutual funds (1024.220), and futures commission merchants (1026.220) — same skeleton, slight variations.
Five things every bank CIP must contain:
| Component | What it must do | Where it lives in the rule |
|---|---|---|
| Identifying information | Collect name, DOB, address, ID number from each customer before account opening | 1020.220(a)(2)(i) |
| Verification procedures | Verify identity using documents, non-documentary methods, or both, within a reasonable time | 1020.220(a)(2)(ii) |
| Recordkeeping | Retain identifying info for 5 years after account closure; retain verification records for 5 years after the record is made | 1020.220(a)(3) |
| Government list comparison | Check customer against any federal lists of known or suspected terrorists | 1020.220(a)(4) |
| Customer notice | Provide reasonable notice that the bank is requesting information to verify identity | 1020.220(a)(5) |
Plus a board-approved written program, integration with the broader AML program, and reasonable procedures for relying on another financial institution if you go that route.
Sounds simple. The miss is almost always in the procedures — what happens when an SSN comes back as deceased, when a utility bill shows a different address, when a documentary verification fails and you need to fall back to non-documentary methods. The rule says you need procedures for all of it. Most CIP policies just gesture at the requirement.
The Four Required Data Points (and What “Address” Actually Means)
For an individual U.S. person, you need:
- Name — full legal name. Not nicknames. Not the name on the debit card.
- Date of birth — and not just because it’s a data point. DOB plus name plus SSN is what the OFAC and federal lists screen against.
- Address — a residential or business street address. P.O. boxes alone are not acceptable. Army/Air Force Post Office (APO/FPO) and rural route addresses are fine. For a customer without a residential address, the address of next of kin or another contact individual.
- Identification number — for U.S. persons, the SSN or TIN. For non-U.S. persons, a passport number with country, alien ID number, or any other government-issued document showing nationality, residence, and a photograph.
The four data points are the floor, not the ceiling. A risk-based CIP for high-risk products (private banking, correspondent accounts, accounts opened through a fintech with a thin verification stack) typically collects more — occupation, source of funds, expected activity. That extra collection lives in your CDD program but is sourced at CIP intake.
The 2025 TIN Exemption — What It Actually Changes
On June 27, 2025, FinCEN, the OCC, the FDIC, and the NCUA issued an identical exemption order: banks can now obtain a customer’s TIN from a third party rather than collecting it directly from the customer. The Federal Reserve walked through expectations in SR 25-2.
This is huge for BaaS, embedded finance, payroll partners, and any flow where the third party already has the TIN. Pre-order, banks were pulling SSNs through clunky in-account-opening flows that drove abandonment.
To use it, you need three things in writing:
- Procedures that obtain the TIN before account opening, not after.
- An assessment of the third-party-source risks — accuracy of the source, fraud exposure, contractual obligations.
- A documented basis for the bank’s reasonable belief that it knows the true identity of the customer.
Don’t read this as “the TIN doesn’t matter anymore.” The bank still must verify identity within a reasonable time. The exemption just means the TIN can come from a vetted source instead of the customer typing it in.
Verification: Documents vs. Non-Documentary
The rule lets you verify identity with documents, with non-documentary methods, or both. Every CIP needs to specify when each applies.
Documentary verification for individuals typically means:
- Unexpired government-issued photo ID — driver’s license, passport, state ID, military ID, tribal ID
- Original or scanned image; many programs require live capture or document authentication services (Onfido, Jumio, Persona, Socure)
Non-documentary verification typically means:
- Comparing customer-provided info against credit bureau or commercial databases (LexisNexis, Equifax eIDcompare)
- Public records check
- Comparison against information from other financial institutions
- For entities, independent reference verification
Most modern programs use both: documentary for the photo and document authenticity, non-documentary for cross-validating SSN, DOB, and address against bureau data. The CIP must say which combination is used for which product line and what triggers escalation.
The “Resolution” Procedures Examiners Care About
The piece most CIP policies skip: what happens when verification fails or returns conflicting information.
Your CIP needs documented procedures for:
- When the bank cannot form a reasonable belief that it knows the customer’s true identity
- Circumstances under which the bank will not open an account
- Terms under which a customer may use an account while the bank attempts to verify identity (and limits on those activities)
- When the bank will close an account after attempts to verify fail
- When to file a SAR
The LPL action turned on this piece. Examiners pulled accounts where verification had failed and asked: what did your procedures say to do, and did you do it? The answer for thousands of accounts was no.
The LPL $18M Action — What Went Wrong
On January 17, 2025, the SEC charged LPL Financial — one of the largest independent broker-dealers in the U.S. — with AML and CIP violations covering at least May 2019 through December 2023. LPL paid $18 million.
The findings, from the SEC order:
- LPL failed to timely close accounts where it had not verified the customer’s identity
- LPL failed to close or restrict thousands of high-risk accounts — including cannabis-related and foreign accounts — that LPL’s own AML policies prohibited
- LPL’s CIP procedures did not match what the firm actually did
The translation for any practitioner: a CIP that says accounts will be closed within 30 days of failed verification, and a system that lets accounts stay open for years without verification, is a CIP failure even before it becomes an AML failure. Examiners read your procedures, then ask for the data showing you executed them.
The same pattern showed up in the October 2025 OCC enforcement roundup: a bank cited for unsafe and unsound BSA practices, including a CDD program “deficient in collecting and analyzing customer information, resulting in inaccurate risk profiles.” That’s a CIP-CDD handoff failure.
CIP for Fintechs and BaaS Partnerships
If you’re a fintech, you likely operate under a sponsor bank’s BSA program. The bank owns the CIP. You operationalize it. That sounds clean until something breaks.
Where Fintech CIP Operations Fail
| Failure mode | What it looks like | What it costs |
|---|---|---|
| KYC vendor mismatch | Fintech uses Vendor A’s identity stack; bank’s CIP names Vendor B; reconciliation gaps emerge in audit | Bank receives MRA, fintech contract terms tighten |
| “Verification in progress” purgatory | Customer onboards, account funded, verification result never resolved or never reviewed | LPL pattern — accounts open without verified identity |
| Inadequate third-party reliance documentation | No annual certification, no contract language matching 31 CFR 1020.220(a)(6) requirements | Reliance defense fails on exam; bank’s CIP deemed deficient |
| TIN-from-third-party with no risk assessment | Using June 2025 exemption without written procedures or source-risk analysis | Examiner finds exemption invoked without supporting documentation |
| Legal entity beneficial ownership (CDD rule) gap | CIP captures the entity, but beneficial ownership not collected or verified to FinCEN’s CDD rule | Separate finding — but always shows up alongside CIP findings |
The Synapse-Evolve disaster is the cautionary tale at scale. When Synapse collapsed in April 2024, part of what fell apart was reconciliation between fintech-side records and bank-held funds — and underneath that, identity records that lived in the middleware rather than at the bank. When the middleware blew up, banks discovered they didn’t have clean CIP documentation for thousands of end users. The FDIC’s proposed Synapse rule is partly a response to that.
If you’re a sponsor bank: your CIP must contemplate end-customer onboarding through fintech partners. Spell out who collects what, who verifies, where the records live, who has the contractual right to audit, and what happens to records if the fintech goes under.
If you’re a fintech: your operational procedures should be a mirror of the bank’s CIP. Same data points. Same verification standards. Same exception handling. If it isn’t a mirror, it’s an operational risk you’re carrying for the bank.
CIP Template: The 12 Sections That Need to Be in the Document
A defensible CIP policy contains, at minimum:
- Purpose and scope — applicable lines of business, customer types covered (individuals, legal entities, accounts opened in person vs. remotely)
- Customer definition and exclusions — federal banks, beneficiaries of trust accounts not directly opening, etc., per the rule’s defined terms
- Required identifying information — by customer type, with the exact fields collected
- Verification procedures — documentary and non-documentary methods, by product and risk level
- Reliance provisions — if applicable, the contractual structure, certifications, and oversight
- Government list checking — current process, system integration, escalation
- Recordkeeping — what’s retained, where, for how long, retrieval SLAs for examiner requests
- Customer notice — language used, where it appears in the account-opening flow
- Resolution procedures — failed verification handling, account opening with limitations, account closure timelines, SAR filing triggers
- Roles and responsibilities — first line (front office), second line (BSA officer, compliance), third line (internal audit), board oversight
- Training — annual CIP training, role-specific modules, recordkeeping of completion
- Independent testing — frequency, scope, deficiency tracking
Don’t forget the board approval requirement and the link to your AML program. The CIP is part of the broader BSA/AML program, not a standalone document.
A 30/60/90 Plan for Tightening CIP
If you’re inheriting a CIP that hasn’t kept up — either as a new BSA officer, a fintech onboarding to a new sponsor bank, or a bank cleaning up before exam — here’s the sequence:
Days 1–30: Diagnose
- Pull a sample of 50 accounts opened in the last 90 days across product lines. Reconstruct the CIP record from scratch using only what’s retained. What’s missing?
- Pull all accounts with “verification pending” or equivalent status more than 30 days old. How many? How old? What does the policy say should have happened?
- Check your reliance documentation against 31 CFR 1020.220(a)(6) — contract, annual certification, audit rights.
- For BaaS: map your KYC vendor stack to what the sponsor bank’s CIP names. Identify gaps.
Days 31–60: Fix the Document
- Rewrite verification procedures with explicit “if X, then Y” decision trees for failed verification, conflicting data, and document fraud flags.
- Add the June 2025 TIN exemption procedures if you’re using that flexibility — written procedures, third-party risk assessment, reasonable belief documentation.
- Tighten resolution procedures: maximum days from account opening to verification, automatic restrictions or closures, SAR filing escalation.
- Update training materials to reflect what changed.
Days 61–90: Remediate the Backlog
- Resolve the verification-pending population. Verify, restrict, or close. Do not let this drift.
- Run the full CIP independent test. Not the routine annual one — a focused look at the 12 sections above with sample testing on each.
- Document a remediation memo for the board. This is what an examiner asks for if they catch the backlog before you do.
So What — Why CIP Failures Are Career Events
The technical fine on LPL was $18M — manageable for a firm of that size. The reputational hit and the consultant-imposed remediation are bigger. But the practitioner-level lesson is sharper: CIP failures are extremely visible on exam because they’re easy to test. Examiners pull a sample, reconstruct what should have happened, see what did happen, find the gap. There’s no judgment call to debate.
If you own this work, the question to ask yourself is: if an examiner pulled 50 random accounts opened in the last six months and asked you to walk through CIP for each one, could you? Including the ones where verification didn’t go cleanly the first time? If yes, you’re in good shape. If no, you have a 30-day project starting today.
Build It Faster
The full template — 12-section policy document, account-opening checklist, exception handling decision tree, and BaaS reliance contract language — is part of the Compliance Essentials bundle. For sponsor banks managing fintech partner onboarding, pair it with the Third-Party Risk Management (TPRM) Kit — same operational backbone, different angle.
For broader BSA program reform context, see our walkthroughs on the FinCEN AML/CFT proposed rule and the GENIUS Act stablecoin AML obligations. For the broker-dealer angle, the Canaccord Genuity record penalty is the precedent that put SEC AML enforcement on every broker-dealer’s radar.
Related Template
Compliance Essentials
Multi-domain compliance coverage: data privacy, incident response, BCP/DR, and SOC 2 — 43% off.
Rebecca Leung
Rebecca Leung has 8+ years of risk and compliance experience across first and second line roles at commercial banks, asset managers, and fintechs. Former management consultant advising financial institutions on risk strategy. Founder of RiskTemplates.