Having a Customer Identification Program (CIP) is a requirement of the USA PATRIOT Act for financial institutions. Additionally, businesses facilitating payments of any kind should take appropriate steps within their processes to embed and manage an effective Know Your Customer (KYC) framework that can verify the identities of individuals conducting financial transactions on their platform to mitigate fraud.
While the original mandate of the USA PATRIOT Act in 2001 was for “Uniting and Strengthening America by Providing Appropriate Tools to Restrict, Intercept and Obstruct Terrorism,” we have seen its application extend further beyond the prevention and funding of terrorism. This act expanded the requirements for all financial institutions and information sharing between them and the government.
In addition to explaining what CIP is, I’ll explain the importance of CIP verification, provide a few best practices for establishing a CIP program and share why knowing your customer is an important part of preventing fraud.
Understanding Risk Management
Before we begin, I should preface the information that follows with a story.
I have only ever owned two vehicles in my life and in each instance I made sure to inform myself about the sales representative helping me, along with his or her sales manager, the dealership and their customer service—including vehicle care. This is a lot of information to track down just for buying a vehicle, but ask yourself a question: why not? You would essentially be writing a several thousand dollar check and handing it to someone you barely know, right?
Knowing those involved in a transaction, be it for buying a vehicle or funding an investment, continues to be of major importance since the USA PATRIOT Act was passed into law. In addition to an expansion of information sharing between governments and financial institutions, the expansion affects non-traditional financial services providers working with those financial institutions, like Dwolla.
One area of expanded information sharing is the requirement that institutions implement a Customer Identification Program (“CIP”) appropriate for the size and risk of each institution. Also known more broadly as “KYC” or “Know Your Customer,” the purpose of having a CIP program and performing this due diligence is to verify the identity of individuals wishing to open an account to conduct financial transactions, while also giving a reasonable understanding of the type of activity in which each customer will engage.
Knowing the “make up” of your company is incredibly important when it comes to a business effectively managing risk. The premise is that knowing your customers—by performing identity verification, reviewing their financial activities and assessing their risk factors—can keep money laundering, terrorism financing and other types of illicit financial activities in check. When considering a payments integration, aligning your business and team to the increased standards of an effective Customer Identity Program (CIP) and its underlying Know Your Customer (KYC) processes is very important.
While I will not advise you on how to build your CIP/KYC framework, I can leave you with best practices to effectively understand and manage the risks of your organization—along with other risks that come with the movement of funds.
When considering a payments integration, CIP verification requirements and processes can be overlooked but are an important part of the payments puzzle. If the last decade has taught us anything, it’s that a person’s identity isn’t always what it appears to be online. A 2009 report by the United Nations Office on Drugs and Crime (UNODC) estimated that criminal proceeds amounted to 3.6 percent of global GDP, with 2.7 percent ($1.6 trillion) being laundered.
On top of that, corporate losses from fraudulent online transactions are expected to reach $25.6 billion in 2020, according to Juniper Research.
Dwolla has established several best practices around CIP requirements for customer verification that support a variety of businesses and various payment use cases on the platform. Best practice for any business facilitating payments is that within any transaction, one party (end-user) must be verified according to YOUR specific CIP & KYC procedures.
In a transaction between two parties, customer types can be arranged in a variety of ways, for example:
- If your business is doing payouts from a business bank account to a user’s bank account, then the business as the sender will need to undergo verification following your CIP procedures. The receiver of funds will have a simple onboarding experience.
- If a platform is facilitating payments as a rental marketplace, for example, from tenant to landlord, the landlord will need to undergo verification (assuming the tenant has no need to send more than $5,000 per week)
- If a platform is offering services for crowdfunding investments, for example, then all involved parties within the platform will need to undergo full CIP verification.
Once a user successfully completes the requirements for identity or business verification, the user is considered a successfully onboarded customer and they can now add a funding source to their account. On the Dwolla Platform, fully verified customers are able to effectively initiate a transfer, hold a balance and have higher transaction limits.
As a reminder, Dwolla does not carry out CIP verification on behalf of our clients. Our AML framework is Dwolla-specific and intended to meet Dwolla’s own obligations. Dwolla has partnered with third-party services which can support Dwolla’s clients in improving their due diligence processes.
Customer verification is important because with electronic payments, your business is operating in a heavily regulated financial space and collecting the right information from the appropriate parties is imperative to mitigating risk. When a ‘natural person’ (meaning human being) is going through identity verification, he or she will need to provide the following Personally Identifiable Information (PII):
- First name
- Last name
- Email address
- Physical address
- Date of birth
- SSN or ITIN
If a ‘Legal Person’ (such as a business entity) needs to undergo verification, the business will need to provide the following information:
- Business name
- Business EIN
- Physical business address
- Controller and/or authorized representative(s) information
- First name, last name
- Email address
- Date of birth
- SSN or ITIN
But let’s remember that simply carrying out one-time CIP verification is not enough to protect your business. KYC begins when an account is created (either in person or online) and risks such as transactional fraud (friendly or otherwise), identity theft or even spamming can be injected into your platform even if your CIP verification process is air-tight.
You must (and this is the refined compliance geek in me talking) have a program in place with underlying processes to monitor your customers and their activity on a continuing basis. Doing so allows your business to not only know more about your customers and better support them, but also ensure that you are actively monitoring and tuning your system(s) to account for both your overall organization and user risk (depending on how granular you want to go). Best practices for a CIP program and ongoing monitoring include:
- Active (not passive) oversight of your platform
- Monitor for any material changes in
- Transactions (Amounts, Volumes, etc)
- Account level Information changes (Address, phone or email changes, etc.)
- ACH return rates
- Effectively tune customer risk profiles when appropriate
- Refreshing due diligence on customer information
- Monitor login footprint to protect your users from risks like account takeovers
- Monitor for any material changes in
Partnering With Third Party Experts
Remember, when integrating any payment transfer API—such as the Dwolla API—your platform is or will be operating in a heavily regulated financial space, which is why collecting and monitoring the right information is essential. As a way of helping our customers do this, we created the Dwolla Partner Ecosystem and have partnered with companies that offer services to help control and mitigate external risk. Whether that’s for identity verification or detecting user behavior , our partners provide dedicated software services to help businesses like yours mitigate risk.
Just like when I was purchasing my vehicle, being informed and having the right information in front of you is key to finding the right solution and payment integration that will support you and your customers.
When it comes to compliance related requirements such as managing Customer Identification Programs including Know Your Customer frameworks, taking ownership and being confident in the processes your team has established is key to mitigating risk, whether you are a small business, a start-up or a ‘mature’ business. Understanding risk mitigation starts with knowing your customers and verifying they are who they say they are.
Learn more about the risks and considerations with ACH Payments in our recent webinar.