Federal law is unambiguous: financial institutions cannot establish new accounts — including credit facilities and extensions of credit — without first verifying customer identity. The USA PATRIOT Act, implemented through Bank Secrecy Act regulations, establishes explicit Customer Identification Program requirements that are mandatory across covered financial institutions. As explored in LASER's overview of AML and KYC requirements for financial institutions, understanding how CIP obligations fit within the broader AML KYC requirements framework is essential for building a compliance program that satisfies regulators at every level.
The governing regulation — 31 CFR § 1020.220 — requires verification before account opening, not after. This sequencing is as important as the verification itself. Synthetic identity fraud makes this timing critical — these fictitious identities are engineered to pass standard document verification at onboarding and build convincing credit histories before executing a bust-out. As detailed in LASER's analysis of how synthetic fraud works, completing rigorous CIP verification before account establishment is the primary structural defense against this attack pattern.
The required information collection is specific: full legal name, date of birth, address, and identification number — verified through documentary, non-documentary, or combined methods. FCRA compliance intersects directly when non-documentary verification involves pulling consumer credit data, triggering permissible purpose, accuracy, and adverse action obligations that must be documented alongside the CIP record. GLBA compliance governs how the personal financial information collected during CIP must be protected and safeguarded — making the verification workflow simultaneously a data governance obligation that extends well beyond onboarding. Third-party vendor relationships add further complexity. As explored in LASER's analysis of what lenders need to know about third-party risk, FCRA compliance and GLBA compliance obligations do not transfer to vendors — they remain with the institution regardless of where in the ecosystem a failure occurs.
Institutions that treat CIP as a post-onboarding administrative task are carrying live regulatory exposure on every account they open. Examination findings related to CIP deficiencies trigger mandatory remediation, potential enforcement action, and reputational consequences that compound over time.
LASER's COMPLY pillar operationalizes these requirements — automating pre-account identity verification, documentation workflows, and CIP recordkeeping within a seamless 100% Salesforce-native environment so every credit relationship begins with verified identity, documented AML KYC requirements compliance, and the audit trail regulators require.