Customer Screening: CIP and KYC
Quick Answer
Customer onboarding uses two separate regimes. The Customer Identification Program (CIP) under the USA PATRIOT Act verifies identity at account opening using four data points: name, date of birth, physical address, and taxpayer ID. FINRA Rule 2090 (Know Your Customer) requires reasonable diligence to know the essential facts about every customer and the authority of anyone acting on their behalf.
Before a Series 6 representative can open an account, the broker-dealer (BD) must answer two different questions: "Is this person who they claim to be?" and "What do we need to know about this customer to service the account properly?" The first question is answered by the Customer Identification Program (CIP) under the USA PATRIOT Act. The second is answered by FINRA Rule 2090 (Know Your Customer, KYC).
What does the Customer Identification Program (CIP) require?
Legal basis:
- Section 326 of the USA PATRIOT Act (2001), implemented for broker-dealers at 31 CFR 1023.220
- Part of the firm's overall anti-money laundering (AML) program
When it applies: At account opening. The firm must form a reasonable belief that it knows the true identity of each customer before opening the account.
Required Information
The firm must collect four pieces of identifying information from every new customer before opening the account:
| Item | Details |
|---|---|
| Name | Legal name of the customer |
| Date of birth | For individuals only (not entities) |
| Physical address | Residential or business address; no P.O. boxes for individuals (APO/FPO is allowed) |
| Taxpayer Identification Number (TIN) | SSN or EIN for U.S. persons; passport number and country, alien ID card, or other government-issued photo ID for non-U.S. persons |
Identity Verification
After collecting the four items, the firm must verify the customer's identity within a reasonable time using one or both of:
- Documentary methods: driver's license, passport, birth certificate, government-issued ID
- Non-documentary methods: credit bureau reports, public records, consumer reporting agency checks, contacting the customer
The firm picks the method that fits the customer's situation, including when the customer cannot appear in person.
Government List Check
- The firm must check every new customer against government lists of known or suspected terrorists (most commonly the Office of Foreign Assets Control (OFAC) Specially Designated Nationals (SDN) list)
- A customer on the SDN list cannot be onboarded, and the firm must follow OFAC procedures (which can include blocking assets and reporting)
Customer Notice
- The firm must give the customer adequate notice that information is being collected to verify identity
- Notice is adequate if it generally describes the identification requirements and reaches the customer before the account opens (posted in the branch, included in the account agreement, on the firm's website)
Recordkeeping
| Record | Retention |
|---|---|
| Customer's identifying information | 5 years after the account is closed |
| Verification records (ID copies, non-documentary check results) | 5 years after the record is made |
Exam Tip: Gotchas
- CIP retention runs after the account is closed, not after the account was opened. A 30-year-old account closed last year still has 5 more years of CIP retention ahead of it.
What does FINRA Rule 2090 (Know Your Customer) require?
Standard: The firm must use reasonable diligence, in regard to the opening and maintenance of every account, to know the essential facts concerning every customer and the authority of each person acting on the customer's behalf.
What Counts as "Essential Facts"
Essential facts are the facts required to:
- Effectively service the customer's account
- Act in accordance with any special handling instructions on the account
- Understand the authority of each person acting on behalf of the customer (Power of Attorney (POA) holder, trustee, corporate officer, etc.)
- Comply with applicable laws, regulations, and rules
When Rule 2090 Applies
- At the beginning of the broker-customer relationship (account opening)
- On an ongoing basis throughout the relationship
- Triggered regardless of whether the firm makes a recommendation
KYC vs. Suitability
| Feature | FINRA Rule 2090 (KYC) | FINRA Rule 2111 (Suitability) |
|---|---|---|
| Trigger | Opening and maintaining any account | Firm makes a recommendation |
| Focus | Essential facts and authority of persons acting for the customer | Whether a specific recommendation is suitable |
| Applies to a self-directed account? | Yes | No (no recommendation is made) |
| Ongoing? | Yes | Per recommendation |
Exam Tip: Gotchas
- Rule 2090 does NOT require a recommendation. A customer who opens a self-directed account still triggers KYC obligations. Rule 2111 (Suitability) is the rule that is triggered only when the firm makes a recommendation.
- CIP and KYC are distinct. CIP (USA PATRIOT Act) is about verifying identity with documentary or non-documentary evidence at account opening. KYC (Rule 2090) is about understanding the customer's essential facts and authority on an ongoing basis. A question that asks about verifying a government-issued ID is testing CIP. A question about knowing who can trade in a corporate account is testing KYC.
Think of it this way: CIP is the bouncer at the door checking your ID against a list. KYC is the host who keeps track of who you came with, what you ordered, and whether the kid at your table is actually allowed to order a drink. CIP happens once, at the door. KYC never stops.
What are the most commonly tested CIP and KYC distinctions?
Exam Tip: Gotchas
- "No P.O. boxes" for individual CIP: APO/FPO is fine, but a P.O. box is not a physical address.
- CIP record retention runs from account close, not account open.
- KYC applies without a recommendation. Suitability does not.
- Government list check = OFAC SDN list, confirmed within a reasonable time after account opening (or sooner if required).