Let’s set the scene: Your platform needs to transfer funds between your users’ bank accounts within the United States. You’re interested in Dwolla. You’re looking at our API documentation and your account executive keeps mentioning CIP verification.
What is CIP verification? Why is CIP verification important? Will Dwolla do CIP verification for me?
When considering a payments integration, devoting time and resources to verifying your customers and the information they share reduces the chances of a return, reversal or failed transaction. Knowing your customers allows you to act quickly when suspicious activity occurs on your platform. Adding any payments capability to your platform brings risks. You are best equipped to know your own customers and determine your risk tolerance.
CIP verification refers to a Customer Identification Program, which every financial institution is required by U.S. law to implement. CIP includes collecting and validating information about the identity of customers opening accounts.
You may be familiar with the USA PATRIOT Act that became law in 2001 with the objective of criminalizing the financing of terrorism. The USA PATRIOT Act expanded requirements on all financial institutions and broadened information sharing between the government and financial institutions, resulting in the establishment of CIP verification.
CIP verification requires financial institutions to verify the identity of individuals who want to conduct financial transactions. Related, there are what are commonly referred to as Know Your Customer (KYC) obligations, which require a financial institution to have a reasonable understanding of the type of activity in which its customer will engage.
Verified Customer Records & CIP
Dwolla is a white-label payments API that powers account-to-account transfers for businesses.
Through our API, you gather the required personal information (and banking information) from your users within your branded interface. You then pass the information to Dwolla through the API to fulfill our requirements for identity verification.
When a user successfully completes CIP verification and adds a funding source, that user is created as a Verified Customer Record. (Learn more about the types of customers you can create.) CIP verification requires providing specific information about the user or the user’s entity, and verifying that information.
Verified Customer Records (VCR) have the most functionality of any Dwolla customer type — they can do things like hold a balance (stored value) and enjoy increased transaction limits. In every transaction using Dwolla, at least one party must be a Verified Customer Record, and in some cases both ends of a transaction may require this type of record.
When you think of a transaction between two parties, your customer types can be arranged in a variety of ways, for example:
- If your business is using Dwolla to send payments to your users’ bank accounts, your business is the Verified Customer.
- If your rental management application facilitates payments from tenant to landlord, the tenant or the landlord will need to be a Verified Customer. (If payments exceed standard transaction limits for Unverified Customers, you may need both the tenant and the landlord to be Verified Customers. Learn more about the risk associated with Unverified Customer Records.)
When integrating payments into your application, the more information you gather about your customers, the more comfort you can have that you’re not an easy target for high risk behaviors (or fraudsters!) You could choose to verify the identity of every user you create using Dwolla.
Required Information for Verified Customers
To create an individual as a Verified Customer, you will need to collect:
- First name, Last name
- Email Address
- Physical Address
- Date of Birth
- Last Four Digits of SSN
To create a business entity as a Verified Customer, Dwolla must collect the following:
- Business Name
- Business EIN
- Authorized Representatives
- First Name, Last Name
- Email Address
- Date of Birth
- Last Four Digits of SSN
In addition to the collection of the information listed, the business will need to provide information to verify the identities of its ultimate beneficial owners, which means any natural person who owns 25% or more of the business, and an individual who has responsibility for controlling, managing or directing that business.
Keep in mind, CIP verification simply verifies that the information submitted by the end user is that of a real individual, but does not verify the information submitted was by that particular person.
Let’s dive in a bit more.
The Importance of CIP & KYC
When integrating a payments API, you begin operating in a heavily regulated financial space; because of this, collecting the right information from the appropriate parties is imperative. Your business needs to be aware of your own legal and/or regulatory requirements for owning a CIP. It’s important to be aware of the industry you are operating in and the risk incurred when offering certain types of transfers.
Dwolla’s CIP is for the benefit of our financial institution partners and cannot be relied upon by our customers to meet your requirements. If you have determined that your business is directly required to establish a CIP, you will still need to do so even if you have integrated with Dwolla.
Even if you are not legally required to establish a CIP, when adding payments capabilities to your application it’s just good business to deeply understand the payments taking place and the people transacting on your application.
Working with payments always involves risk, and truly knowing your customers helps you reduce some of that risk. As you establish your business, investing in quality CIP and KYC processes can improve the safety of your operations.
Consider this: What would happen if an end user initiated a transfer that resulted in an ACH return and left you with a negative balance? By ensuring you know your customer, you should be able to contact them and recoup the funds.
Cyber crime is still a significant concern. The FBI reports that internet crime schemes steal millions of dollars each year from victims. Data breaches involving large companies like Target, Home Depot and Experian have made headlines in recent years, alerting the public that many consumers had personal information exposed. Malicious users can use personal data to set up an account on a platform and transfer funds without the account holder’s authorization.
Expanding on Risk Mitigation
To succeed in payments, confidence is key. You want your customers to feel confident using your application to initiate or receive payments. So, what are some steps your business can take to further mitigate risk?
- Build out your own robust CIP/KYC. Onboarding with additional information from your end users can help you understand who they are and what they’re trying to do. Asking for additional documentation such as bank statements and photo IDs can help ensure the person who signed up on your platform is who they say they are.
- Understand your business’ risk tolerance and how to control against unwanted risk. Consider a tiered onboarding approach where an end user establishes a positive transfer history before reviewing for increased limits and/or faster transfer speeds.
- Implement required email verification for end users. Having an end user provide an email address, sending an email to the address provided and having the end user click a link in an email to verify receipt and establish services can protect your business against automated attacks.
- Require name match verification and balance checks on your end users to help ensure the user is an authorized signer on the account and reduce the potential for returns.
- Ensure your business is aware of any legal and/or regulatory obligations based on your industry. Having an understanding of your business’ requirements will help you achieve compliance.
- Consider the types of insurance that can help protect your business against potential loss as it relates to malicious use.
- Utilize Bank Account Fingerprinting and talk to your account manager about SSN fingerprinting to prevent multiple users from using the same funding source or SSN.
- Monitor excessive returns by end users on your platform.
- Deactivate or suspend accounts that display unusual or suspicious activity until resolved.
- Monitor IP address usage. If an end user typically signs in from one IP address, then you start seeing activity from a different IP address, that could be a sign of fraud.
At Dwolla, we know what it takes to be compliant and productive in this space. We understand that security and compliance are ever-evolving. We take these concepts seriously at Dwolla and are committed to staying on top of the industry standard to help your business do the same.