US-FinCEN KYC

Section 326 CIP: What It Requires and Who It Applies To

Applies to: banks
Jurisdictions: US

Section 326 of the USA PATRIOT Act requires banks, credit unions, broker-dealers, and other FinCEN-regulated financial institutions to implement a written Customer Identification Program (CIP) verifying the identity of each new account holder. FinCEN and the federal functional regulators issued the final implementing rule in May 2003, with compliance required by October 1, 2003; the bank rule is now codified at 31 CFR 1020.220.

What is Section 326 CIP?

Section 326 of the USA PATRIOT Act (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 2001) is the US federal statute that turned Know Your Customer (KYC) from a best practice into a hard legal obligation. Enacted on October 26, 2001, it directed the Secretary of the Treasury, jointly with the federal functional regulators, to issue implementing rules. Those rules required compliance by October 1, 2003, and are codified at 31 CFR 1020.220 for banks, 31 CFR 1023.220 for broker-dealers, 31 CFR 1024.220 for mutual funds, and 31 CFR 1026.220 for futures commission merchants and introducing brokers.

The policy logic behind the rule is direct: a financial institution can't detect or report suspicious activity if it doesn't know who it's dealing with. Before 2001, identity verification practices varied widely. Post-9/11 intelligence reviews found that several of the hijackers had opened US bank accounts with minimal scrutiny. Section 326 was a legislative response to that gap.

Section 326 sits inside the broader Bank Secrecy Act (BSA) framework. The BSA dates from 1970, and the AML program requirement at 31 U.S.C. § 5318(h) rests on four pillars (internal controls, independent testing, a designated BSA officer, and training), with customer due diligence added as a fifth in 2018. CIP is not one of those pillars; Section 326 added it as a separate, mandatory component that the AML program must contain, and examiners evaluate CIP alongside the pillars when assessing whether a bank's overall BSA/AML program is adequate.

FinCEN administers the CIP rules and retains enforcement authority, but examination is delegated: the OCC examines national banks and federal savings associations, the FDIC state non-member banks, the Federal Reserve state member banks, and the NCUA credit unions. Non-bank institutions are examined by their functional regulators (the SEC and FINRA for broker-dealers, the SEC for mutual funds, the CFTC and NFA for futures commission merchants), and institutions without a federal functional regulator are examined by the IRS on FinCEN's behalf.

Who does Section 326 CIP apply to?

The rule covers every institution that falls under FinCEN's BSA jurisdiction and opens accounts for customers. In practice, that includes:

  • Commercial banks and savings associations regulated by the OCC, FDIC, or Federal Reserve, regardless of asset size
  • Credit unions supervised by the NCUA
  • Broker-dealers registered with the SEC and subject to FINRA Rule 3310
  • Mutual funds registered under the Investment Company Act of 1940
  • Futures commission merchants and introducing brokers registered with the CFTC
  • US branches of foreign banks, which are covered to the same extent as domestic institutions

There is no asset-size exemption. A community bank with $50 million in assets faces the same CIP obligations as JPMorgan Chase. The rule applies at account opening, and "account" is defined as a formal banking relationship established to provide or engage in services, dealings, or other financial transactions: deposit accounts, transaction or asset accounts, credit accounts and other extensions of credit, and safe deposit box rentals. It excludes products where no formal relationship is established (check cashing, wire transfers, the sale of a check or money order), accounts acquired through a merger or purchase of assets, and accounts opened for an ERISA employee benefit plan. "Customer" likewise excludes parties whose identity is already a matter of regulatory record, such as financial institutions regulated by a federal functional regulator, banks regulated by a state bank regulator, government agencies, and companies whose common stock is listed on a major US exchange, as well as existing customers the bank has previously verified and reasonably believes it knows.

The rule also permits reliance arrangements, but only on another financial institution that is itself subject to an AML program rule under 31 U.S.C. § 5318(h) and regulated by a federal functional regulator (an introducing broker, for example), not on an arbitrary vendor. Reliance must be reasonable under the circumstances, and the other institution must sign a contract requiring it to certify annually that it has implemented its AML program and will perform the specified parts of the relying bank's CIP. If those conditions are met, the relying bank is not held responsible for the other institution's failure to perform; if they are not, or if the bank merely uses an agent or an identity verification vendor to do the work, the bank remains fully responsible for every CIP requirement.

International equivalents exist for non-US institutions. FATF Recommendation 10 on customer due diligence establishes the same identity verification obligations for financial institutions globally. US banks with foreign correspondent relationships also need to map their CIP procedures against FATF Recommendation 13 on correspondent banking, since CIP gaps in correspondent relationships are a recurring exam finding.

What does Section 326 CIP require?

The CIP rule establishes five core obligations, and FinCEN's separate CDD rule adds a sixth (beneficial ownership) that examiners review together with CIP. Institutions may exceed these minimums, and most do based on their risk assessments.

  1. Collect minimum identity information before the account is opened. For individuals: name, date of birth, a residential or business street address (a P.O. box alone does not qualify; an APO or FPO box, or the street address of next of kin, is accepted for persons who have no street address), and an identification number. For US persons that is a Taxpayer Identification Number, which for an individual is the Social Security Number. For non-US persons it is one or more of a TIN, a passport number with country of issuance, an alien identification card number, or the number and country of issuance of another government-issued document that evidences nationality or residence and bears a photograph or similar safeguard. For legal entities: name, the address of the principal place of business, local office or other physical location, and a TIN (for most US entities, the Employer Identification Number).

  2. Verify identity within a reasonable time after the account is opened. Identifying information must be collected before opening, but the rule allows verification to finish within a reasonable time afterwards, and the written CIP must say what happens meanwhile: when an account may not be opened, the limits under which a customer may use the account while verification is pending, when the account must be closed if verification fails, and when a SAR should be filed. Verification can be documentary (an unexpired government-issued ID bearing a photograph, such as a passport or driver's license; for entities, formation documents or a government-issued business license) or non-documentary (contacting the customer, checking references with other financial institutions, consumer reporting agencies or public databases, or obtaining a financial statement). The rule doesn't mandate a specific method, but the CIP must document which methods are used and why they are appropriate for the institution's customer base, and must address what to do when a document cannot be verified or the customer is not physically present. A bank serving domestic retail consumers can rely heavily on documentary verification. One onboarding international corporate clients can't.

  3. Identify beneficial owners of legal entity customers. This requirement comes from FinCEN's CDD rule at 31 CFR 1010.230, applicable since May 11, 2018, rather than from the CIP rule itself, but examiners review it alongside CIP. At account opening the institution must identify each individual who directly or indirectly owns 25% or more of the equity of a legal entity customer, plus one individual with significant responsibility to control, manage or direct it (a CEO, CFO or managing member, for example), obtain a certification from the person opening the account, and verify each beneficial owner's identity using procedures at least as rigorous as its CIP's. The rule exempts certain customers, such as regulated financial institutions and companies listed on a US exchange.

  4. Compare against government lists. The CIP rule requires procedures to check new customers against any list of known or suspected terrorists or terrorist organizations issued by a federal agency and designated for this purpose by Treasury in consultation with the functional regulators, within a reasonable time after account opening or earlier if the directive accompanying the list requires it. To date no list has been designated under this provision, so the procedure exists on paper and the practical examination focus is OFAC screening, which is a separate obligation under OFAC's sanctions regulations rather than part of CIP. Institutions must screen customers against the Specially Designated Nationals (SDN) list and OFAC's other lists, and most do so at onboarding in real time and again whenever the lists change.

  5. Retain records for five years. The identifying information collected (name, date of birth, address, identification number) must be kept for five years after the account is closed. The verification record, meaning a description of any document relied on (type, number, place and date of issuance, expiration date), the non-documentary methods used and their results, and how any substantive discrepancy was resolved, must be kept for five years after the record is made. The rule does not require photocopying identity documents. This aligns with FATF Recommendation 11 on record-keeping obligations.

  6. Provide customer notice. Before or at account opening, institutions must give customers adequate notice that the bank is requesting information to verify their identity. The rule supplies sample language, headed "Important information about procedures for opening a new account", which explains that federal law requires the bank to obtain, verify and record identifying information and that the customer may be asked for a driver's license or other identifying documents. The notice can appear on branch counters, websites, or in account opening documents.

The written CIP must cover all six elements and must be approved in writing by the board of directors or an equivalent senior governing body.

What evidence do regulators expect?

Examiners arrive expecting to see specific documentation. A general statement that "we do CIP" is not sufficient. The FFIEC BSA/AML Examination Manual spells out exactly what examiners look for:

  • Written CIP policy with an effective date, board approval signature, and a version history showing how it's been updated as regulations changed. An undated or unsigned policy is an immediate red flag.
  • Risk assessment documentation showing why the institution chose its specific verification methods. Examiners want to see the reasoning, not just the method.
  • Account opening records for a sample of recently opened accounts. These need to show the exact data collected, which verification method was used, who performed verification, and when.
  • OFAC screening logs documenting the date, outcome, and disposition of each screening. False positives need written resolution notes. Institutions that can't produce screening logs for new accounts are routinely cited.
  • Training records for all customer-facing and compliance staff. Training is a statutory pillar of the AML program and must be ongoing; most institutions run a CIP-specific module at least annually. Examiners want attendance records, training content, and evidence of competency testing.
  • Board and BSA committee minutes showing periodic review of the CIP, including any changes made in response to regulatory updates.
  • Independent testing results. Independent testing is itself a statutory pillar of the AML program, performed by internal audit or a qualified third party. Examiners expect it to cover CIP effectiveness, including sample testing of account records against written procedures.
  • Vendor due diligence files for any third-party identity verification providers, covering contracts, due diligence records, and performance reviews.

Examiners will also cross-reference CIP records against suspicious activity report filings to check whether identity gaps are driving SAR narratives.

Common failure modes

Most CIP enforcement actions share a short list of recurring problems:

  • Missing or stale beneficial ownership data. Since May 2018, banks must identify and verify the beneficial owners of legal entity customers under 31 CFR 1010.230. Banks that treat CIP as a consumer-only process fail to update their procedures for business accounts, and the gap shows up as soon as examiners sample newly opened business accounts.

  • Accounts left uncontrolled while verification is pending. The rule lets a bank finish verification within a reasonable time after opening, but only if its CIP defines the terms under which the customer may use the account in the meantime and when the account must be closed if verification fails. Online account opening flows that grant full functionality before verification finishes, with no limits, no deadline and no closure procedure, are treated by examiners as a systemic control failure rather than an isolated lapse.

  • OFAC screening completed but not documented. If the log doesn't exist, the examiner treats the screening as if it didn't happen. This is one of the most common deficiency findings in BSA exams.

  • Reliance arrangements without written certifications. Institutions relying on introducing brokers or third parties for CIP without an annual written certification are out of compliance, even if the third party's program is excellent.

  • Written program not board-approved or not updated. A CIP policy last reviewed in 2015 that hasn't incorporated the 2018 beneficial ownership rule fails on its face.

  • Training records gap. Staff can't locate the CIP-specific training they received, or training was generic BSA awareness content rather than procedure-specific instruction.
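As a worked illustration of the six obligations listed earlier and of the two onboarding failure modes above (accounts left uncontrolled while verification is pending, and screening that was performed but never logged), here is a small account-opening gate in Python. It is an added example, not code from the original page or from FluxForce, and it assumes an institution whose written CIP sets a 30-day verification window and a restricted interim status; those choices, the field names, the status labels and the sample applicants are all constructed for illustration.

```python
"""CIP account-opening gate. Added example, not FluxForce or FinCEN code.
Encodes checks drawn from 31 CFR 1020.220 (identity information, verification
timing, list comparison) and 31 CFR 1010.230 (beneficial ownership). Field
names, the 30-day "reasonable time" window and the status labels are
assumptions; the rule leaves those to each institution's written CIP."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import date, timedelta

# A P.O. box alone is not a street address (APO/FPO addresses do not match).
PO_BOX = re.compile(r"\b(?:p\.?\s*o\.?\s*box|post\s*office\s*box)\b", re.IGNORECASE)
VERIFICATION_WINDOW = timedelta(days=30)  # assumed institution-defined limit
SAMPLE_TODAY = date(2026, 1, 15)          # fixed clock for the constructed samples

@dataclass
class Owner:
    name: str
    percent: float          # equity ownership, 0-100
    controls: bool = False  # control prong: an individual who manages the entity
    verified: bool = False  # identity verified under the CIP procedures

@dataclass
class Applicant:
    kind: str                      # "individual" or "entity"
    name: str
    street_address: str            # residential or business street address
    id_number: str                 # TIN for US persons; passport etc. otherwise
    us_person: bool = True
    date_of_birth: date | None = None
    id_country: str | None = None  # required with a non-US document number
    owners: list[Owner] = field(default_factory=list)

@dataclass
class CipRecord:
    applicant: Applicant
    opened_on: date
    verified: bool | None = None     # None = pending, False = could not verify
    screened_on: date | None = None  # list-comparison log entry; None = no log

def identity_problems(a: Applicant) -> list[str]:
    """Minimum information the rule requires before the account is opened."""
    p = []
    if not a.name.strip():
        p.append("name missing")
    if not a.street_address.strip():
        p.append("street address missing")
    elif PO_BOX.search(a.street_address):
        p.append("P.O. box is not a street address")
    if a.kind == "individual" and a.date_of_birth is None:
        p.append("date of birth missing")
    if not a.id_number.strip():
        p.append("identification number missing")
    elif not a.us_person and not a.id_country:
        p.append("country of issuance missing for non-US document")
    return p

def ownership_problems(a: Applicant) -> list[str]:
    """Every 25%+ owner identified and verified, plus one verified control person."""
    if a.kind != "entity":
        return []
    p = [f"25%+ owner {o.name} not verified" for o in a.owners
         if o.percent >= 25 and not o.verified]
    if not any(o.controls and o.verified for o in a.owners):
        p.append("no verified control person")
    return p

def account_decision(rec: CipRecord, today: date) -> tuple[str, list[str]]:
    """reject = not opened; close = could not verify (the CIP also says when to
    file a SAR); restricted = open under interim limits while verification is
    pending; escalate = pending past the window or no screening log; open."""
    problems = identity_problems(rec.applicant) + ownership_problems(rec.applicant)
    if problems:
        return "reject", problems
    if rec.verified is False:
        return "close", ["identity could not be verified"]
    if rec.screened_on is None:  # an unlogged screening is treated as not done
        return "escalate", ["no list-comparison log entry"]
    if rec.verified is None and today - rec.opened_on > VERIFICATION_WINDOW:
        return "escalate", ["verification pending beyond window"]
    if rec.verified is None:
        return "restricted", ["verification pending"]
    return "open", []

def sample_records() -> dict[str, CipRecord]:
    """Constructed sample applicants (not real customers), one per decision path."""
    ago = lambda days: SAMPLE_TODAY - timedelta(days=days)
    jane = Applicant("individual", "Jane Doe", "12 Oak St, Springfield, IL 62701",
                     "123-45-6789", date_of_birth=date(1980, 5, 1))
    acme = Applicant("entity", "Acme Holdings LLC", "P.O. Box 991, Dover, DE 19901", "12-3456789",
                     owners=[Owner("A. Smith", 60.0), Owner("B. Jones", 40.0, True, True)])
    birch = Applicant("entity", "Birch Logistics Inc", "400 Market St, Philadelphia, PA 19106",
                      "98-7654321", owners=[Owner("C. Lee", 30.0, True, True), Owner("D. Kim", 20.0)])
    return {"retail_pending": CipRecord(jane, ago(3), None, ago(3)),
            "stale_pending": CipRecord(jane, ago(45), None, ago(45)),
            "po_box_entity": CipRecord(acme, ago(0), True, ago(0)),
            "unlogged": CipRecord(birch, ago(0), True, None),
            "clean": CipRecord(birch, ago(0), True, ago(0))}
```

Calling `account_decision` on each record from `sample_records()` with `SAMPLE_TODAY` yields restricted for the three-day-old pending retail account, escalate both for the 45-day-old pending account and for the entity whose OFAC screening has no log entry, reject for the entity applying with a P.O. box and an unverified 60% owner, and open for the fully verified entity. The design point is that the decision is driven by recorded evidence (a screening date, a verification outcome, a verified owner) rather than by a checkbox, which is exactly what an examiner sampling account records will ask to see.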

Penalties for non-compliance

FinCEN can impose civil money penalties under 31 U.S.C. § 5321. For a willful violation, the statutory penalty is the greater of $25,000 or the amount involved in the transaction, capped at $100,000 per violation, and for AML program failures each day the violation continues, at each office or branch where it continues, counts as a separate violation. Negligent violations carry penalties of up to $500 each, with an additional penalty of up to $50,000 for a pattern of negligent violations. These statutory amounts are adjusted for inflation under 31 CFR 1010.821, so the figures actually assessed are higher. Criminal penalties under 31 U.S.C. § 5322 include fines up to $250,000 and imprisonment up to five years, rising to $500,000 and ten years when the violation is committed while violating another federal law or as part of a pattern of illegal activity involving more than $100,000 in a 12-month period.

Three enforcement actions illustrate the stakes:

  • Capital One (2021): FinCEN assessed a $390 million civil money penalty against Capital One, N.A. for willful and negligent BSA violations in its Check Cashing Group, a commercial banking business line: failing to implement an effective AML program for those customers and failing to file thousands of SARs and CTRs on their transactions. The OCC had already issued a $100 million penalty in 2018 over the same deficiencies, which the bank had been cited for in examinations for years. (FinCEN press release, January 2021)

  • Shinhan Bank America (2023): FinCEN assessed a $15 million civil money penalty, coordinated with parallel actions by the FDIC and the New York Department of Financial Services, for willful failures to maintain an adequate AML program and to report suspicious activity in a timely manner, after earlier regulatory findings had gone unremediated. (FinCEN enforcement actions index)

  • US Bancorp (2018): FinCEN assessed a $185 million civil money penalty against U.S. Bank, the OCC a further $75 million, and the Department of Justice resolved a parallel criminal case through a deferred prosecution agreement with a $453 million forfeiture, after finding that the bank had deliberately capped the number of alerts its transaction monitoring system could generate and failed to file SARs on thousands of suspicious transactions. (FinCEN press release, February 2018)

Repeated or escalating violations can also result in cease-and-desist orders, removal of BSA compliance officers, and in extreme cases, referral for charter revocation.

Related regulations and frameworks

Section 326 doesn't stand alone. It's one component of an integrated US AML framework, and it maps directly to several international and domestic counterparts.

FATF Recommendation 10 is the global equivalent, requiring all financial institutions to identify and verify customers as part of a full Customer Due Diligence (CDD) program. FATF standards aren't directly binding in the US, but FinCEN explicitly aligns CIP requirements with FATF standards and treats FATF compliance as evidence of a sound program.

The FinCEN CDD Final Rule (31 CFR 1010.230, applicability date May 11, 2018) did not amend the CIP rule; it added a parallel requirement to identify and verify the beneficial owners of legal entity customers, with an ownership prong at 25% and a control prong of one individual. The Corporate Transparency Act (reporting from January 1, 2024) created a separate obligation for certain companies to report beneficial ownership to FinCEN directly, but compliance with the CTA doesn't satisfy the CDD or CIP requirements: they're separate obligations with separate definitions.

Section 314(a) of the PATRIOT Act works alongside CIP: it lets law enforcement query financial institutions for accounts tied to suspected money laundering or terrorism. CIP records are typically the first reference point for those queries.

AMLA 2020 directed FinCEN to modernize the entire BSA regulatory framework, including CIP, and to push toward a more risk-based approach consistent with updated FATF standards. Revised CIP rules incorporating AMLA 2020's direction are still in progress as of 2026.

For broker-dealers specifically, FINRA Rule 3310 requires a written AML program that incorporates CIP, making Section 326 compliance a FINRA examination item as well as a FinCEN one.

How FluxForce supports Section 326 CIP compliance

FluxForce's KYC and AML automation agents handle the document collection, identity verification, and watchlist screening that Section 326 mandates. Nova Sentinel screens each new customer against OFAC and other government lists in real time, attaching full decision evidence to every record. Aiden Flux manages the onboarding workflow and flags incomplete data before accounts go live. The platform generates audit-ready CIP records mapped to what examiners expect on exam day. Request a demo to see how it works.
