US-FinCEN KYC

Section 326 CIP: What It Requires and Who It Applies To

Applies to: banks
Jurisdictions: US

Section 326 of the USA PATRIOT Act requires U.S. banks and other federally regulated financial institutions to establish a written Customer Identification Program as part of their Bank Secrecy Act compliance. Implemented by FinCEN and the federal banking regulators, the rule took effect October 1, 2003, and mandates identity verification for every person opening an account.

What is Section 326 CIP?

Section 326 of the USA PATRIOT Act is a federal statute requiring U.S. financial institutions to implement a Customer Identification Program (CIP) as a mandatory component of their Bank Secrecy Act compliance framework. FinCEN, together with the OCC, Federal Reserve, FDIC, and OTS, issued the implementing rule on May 9, 2003, codified at 31 CFR 1020.220 for banks. Compliance was required by October 1, 2003.

Congress added Section 326 in direct response to September 11. Post-attack investigations found that several hijackers had opened U.S. bank accounts using fictitious names and fraudulent documents. The legislative intent was straightforward: a bank can't file a meaningful suspicious activity report or run effective ongoing monitoring if it doesn't actually know who opened the account.

Section 326 is the identity verification foundation of the U.S. AML framework. It's distinct from the FinCEN CDD Rule, which came later in 2016 and added beneficial ownership requirements for legal entity customers. Section 326 addresses the natural persons opening accounts; the CDD Rule addresses the entities those persons represent. Together they form the statutory basis for what FATF calls customer due diligence.

The rule is administered jointly by FinCEN and the federal functional regulators. The FFIEC BSA/AML Examination Manual serves as the primary guide for how examiners assess compliance in practice.

Who does Section 326 CIP apply to?

The rule applies to "banks" as defined in 31 CFR 1010.100(d) and to other financial institutions whose federal regulators have issued parallel CIP rules. Covered entities include:

  • Commercial banks and savings associations, regardless of charter or asset size, supervised by the OCC, Federal Reserve, FDIC, or state regulators
  • Credit unions, regulated by the NCUA
  • Broker-dealers registered with the SEC, subject to a parallel CIP rule issued jointly by the SEC and FINRA
  • Mutual funds registered under the Investment Company Act
  • Futures commission merchants and introducing brokers under CFTC jurisdiction
  • Insurance companies offering certain products, such as permanent life insurance policies with cash value

There are no asset-size thresholds. A $400 million community bank faces the same CIP requirements as a trillion-dollar institution. The risk-based latitude in the rule concerns how to verify identity, not whether to verify it.

Foreign branches of U.S. banks operating on U.S. soil are covered. Offshore operations are not directly subject to Section 326, though they face equivalent obligations under host-country law. Most FATF member countries have implemented CDD standards based on FATF Recommendation 10, which the FATF identifies as the foundation of any functional AML/CFT program (FATF Recommendations, fatf-gafi.org).

Shell companies and legal entities opening accounts are subject to CIP for the natural persons acting on their behalf. Entity-level beneficial ownership verification falls under the CDD Rule, not Section 326.

What does Section 326 CIP require?

The rule specifies four minimum program elements. Every written CIP must address all four.

1. Identity information collection

Before opening an account, the institution must collect the customer's full legal name, date of birth (for individuals), address (residential for individuals; principal place of business for legal entities), and an identification number. For U.S. persons, that's a Social Security Number or Individual Taxpayer Identification Number. For non-U.S. persons, it's a passport number, alien identification number, or another government-issued document number.

2. Identity verification

The institution must verify the collected information within a reasonable time after account opening. Two approaches are permitted: documentary (a government-issued photo ID) and non-documentary (credit bureau queries, public records databases, knowledge-based authentication). The rule doesn't mandate a specific method. Examiners do expect the chosen approach to be risk-based, documented, and consistently applied across similar customer segments.

3. Government list screening

Every CIP must include procedures to check new customers against government-provided lists of known or suspected terrorists. In practice, this means checking the OFAC SDN list at account opening. FinCEN's Section 314(a) requests, transmitted when law enforcement is seeking account information, are a separate but related obligation that CIP procedures should address.

4. Customer notice

Institutions must inform customers that information is being collected to verify their identity under federal law. A brief printed disclosure, posted branch signage, or an onboarding screen statement satisfies this. Customer consent isn't required.

Record retention. Identifying information collected at opening must be kept for five years after the account is closed. Verification method records must be kept for five years after the record is made, per 31 CFR 1020.220(a)(4).

What evidence do regulators expect?

On a BSA/AML examination, federal and state examiners follow the FFIEC BSA/AML Examination Manual (bsaamlexams.ffiec.gov). For CIP, they want operational evidence, not a policy binder. The standard checklist:

  • Written CIP policy and procedures, board- or senior committee-approved, with a version history confirming at least annual review
  • Risk-based methodology documentation explaining why specific verification methods were chosen for particular customer segments or products (for example, why non-documentary methods are used for online account openings)
  • Training records: annual documentation showing that customer-facing and operations staff understand CIP requirements and escalation procedures
  • System logs or audit trails from identity verification platforms, showing date, method, result, and responsible party for each verification event
  • OFAC and 314(a) screening records at account opening, with dates, list versions checked, and outcomes documented
  • Customer notice evidence: a copy of the disclosure and proof of delivery, whether screenshots of an onboarding flow, branch signage photos, or copies of mailed notices
  • Exception logs for accounts where verification was completed after opening, including the risk rationale and the date verification was ultimately finished
  • Third-party vendor oversight records if any CIP function is outsourced. The institution stays responsible; examiners expect active vendor management, not just a signed contract.
  • Independent testing results covering CIP, with findings, management responses, and remediation tracking

The BSA examination manual is publicly available and is the most useful single document for exam preparation. Institutions that can't produce testing evidence on examination day consistently receive more intrusive findings, regardless of whether their underlying procedures are sound.

Common failure modes

Most CIP enforcement actions don't target institutions that ignored the rule. They target institutions whose CIP policies exist on paper but aren't being executed consistently. We've seen this pattern repeat across institutions of every size. The recurring failure modes:

  • Expired documents accepted without secondary verification. Examiners routinely find driver's licenses or passports that were expired at account opening, with no alternative check performed and no exception documented.
  • Thin procedures for non-U.S. persons. Many CIP programs are thorough for U.S. citizens but vague for foreign nationals, students on visas, and non-resident account openers. Those customers are often higher-risk, so the gap is structural on both counts: weaker procedures applied to the population that needs the strongest ones.
  • "Reasonable time" treated as indefinite. The rule permits completing verification after opening in certain circumstances. Some institutions interpret this as a permanent grace period. Examiners don't.
  • OFAC screening in place, 314(a) procedure missing. OFAC screening is typically integrated into onboarding systems. FinCEN's 314(a) request procedure is sometimes in a separate policy that front-line staff haven't seen.
  • CIP data siloed from customer due diligence workflows. When the two programs live in separate systems, customers can pass CIP without triggering a CDD review. Examiners treat this as a structural gap, not a minor coordination issue.
  • No vendor oversight documentation. When banks outsource identity verification to third-party fintechs or data providers, examiners expect contract provisions, SLA monitoring, and periodic audits. Outsourcing doesn't transfer the compliance obligation.

The OCC Enforcement Actions database (occ.gov enforcement actions) provides full consent order text for OCC-supervised institutions. FinCEN publishes its enforcement actions at fincen.gov/news/enforcement-actions.

Penalties for non-compliance

FinCEN can impose civil money penalties up to $25,000 per day per violation, or up to $1 million per violation for willful or knowing violations, under 31 U.S.C. § 5321. Federal banking regulators can add parallel penalties under their own supervisory authority, and the two often act in coordination.

Named enforcement cases illustrate the range:

  • TD Bank (October 2024). DOJ and FinCEN assessed a combined $3 billion penalty, partly for systemic CIP and AML failures that allowed three drug-trafficking networks to launder hundreds of millions of dollars through accounts that should have been flagged at onboarding. FinCEN's full consent order is available at fincen.gov/news/enforcement-actions.
  • USAA Federal Savings Bank (March 2022). FinCEN assessed $140 million for willful BSA violations, including inadequate CIP controls on a significant share of newly opened accounts and failures to file timely SARs.
  • US Bank (February 2018). DOJ and FinCEN assessed $613 million for systemic AML failures, including CIP execution failures across high-risk product lines.

Beyond fines, regulators can impose cease-and-desist orders with specific remediation milestones, formal agreements restricting new account opening in affected lines, and deferred prosecution agreements with ongoing monitorship. Personal liability for the BSA compliance officer is also on the table under 31 U.S.C. § 5322, with criminal penalties up to $250,000 and imprisonment up to five years for willful violations.

The AMLA 2020 expanded FinCEN's penalty authority and added a whistleblower award program. That means internal CIP failures are more likely to surface externally before an institution finds and fixes them on its own.

Related regulations and frameworks

Section 326 CIP is one element of the U.S. BSA/AML framework. It can't be read in isolation.

At the federal level, the core dependencies are:

  • The Bank Secrecy Act, which is the foundational statute. Section 326 amends the BSA rather than creating separate law.
  • The FinCEN CDD Rule (effective May 2018), which extends identity verification obligations to the beneficial owners of legal entity customers. Section 326 covers the individual opening the account; the CDD Rule covers the entity being represented. Together they form the Know Your Customer and Know Your Business framework that U.S. examiners assess as a unified program.
  • The Corporate Transparency Act beneficial ownership reporting requirements (effective January 2024), which created a FinCEN registry. Institutions can reference this registry in their CDD processes, but it doesn't replace CIP obligations.
  • Section 314(a) and Section 314(b) information-sharing mechanisms, both of which depend on accurate customer identification to function as intended.
  • AMLA 2020, which directed FinCEN to modernize the BSA framework and improve how CIP data integrates into risk-based AML programs.

Internationally, Section 326 implements FATF Recommendation 10 (Customer Due Diligence). FATF's guidance makes clear that CDD is the starting point of any functional AML/CFT program (FATF Recommendations). The EU equivalent sits in Article 13 of the Sixth Anti-Money Laundering Directive and the forthcoming EU Anti-Money Laundering Regulation, which will harmonize CDD standards across member states.

For OCC-supervised banks, 12 CFR Part 21 provides implementing guidance. Broker-dealers operating in parallel are subject to equivalent CIP requirements under FINRA Rule 3310.

How FluxForce supports Section 326 CIP compliance

CIP compliance hinges on consistent execution across thousands of account openings, not documented procedures alone. FluxForce's identity verification agents automate the four minimum CIP elements at account opening: collecting required identity fields, running documentary and non-documentary verification, screening against OFAC and FinCEN lists, and logging each step with tamper-proof audit records. Nova Sentinel routes incomplete verifications to compliance staff before accounts become operational. The platform produces the evidence examiners expect, including screening logs, decision rationale, and vendor oversight records, without manual assembly. To see it in a live environment, request a demo.


FluxForce AI agents automate evidence capture, monitor transactions against Section 326 CIP obligations in real time, and generate audit-ready reports with full decision trails.
