Navigating the New CIP Requirements Exemption

Jacob M. Rivkin
| 7/15/2025
Two business professionals discuss customer onboarding while reviewing a tablet at a table, focusing on compliance insights.

A new exemption to CIP requirements allows for streamlined onboarding, but compliance and risk management remain critical.

The Office of the Comptroller of the Currency (OCC) has issued an update that could significantly reshape how financial services organizations approach customer onboarding. On June 27, Acting Comptroller Rodney Hood announced a new exemption to the Customer Identification Program (CIP) requirements, a move that reflects the OCC’s intention to align regulatory expectations with technological advancement and practical realities in financial services.

Financial services organizations can take steps now to assess the implications of the exemption and remain compliant while taking advantage of new flexibility.

Keep informed
Sign up to receive the latest insights on strengthening your financial crime program.

Understanding the new CIP requirements exemption

The CIP rule, originally established under the USA PATRIOT Act and codified in the Bank Secrecy Act (BSA), requires financial services organizations to implement reasonable procedures to verify the identity of individuals opening accounts. Traditionally, this verification process has included collecting specific information, such as name, date of birth, address, and identification number, at the time of account opening.

The OCC’s recent exemption introduces an alternative from this rigid framework. It allows organizations to adopt alternative customer identification methods under certain conditions, particularly when traditional methods are deemed impractical, ineffective, or potentially burdensome. This adjustment is especially relevant in digital-first contexts, remote banking environments, and scenarios involving underserved populations that might lack conventional identity documents.

While the exemption supports innovation, it does not eliminate the requirement to maintain robust anti-money laundering (AML) and countering the financing of terrorism (CFT) controls. Instead, the focus shifts from how identification is confirmed to whether the method used effectively mitigates AML and CFT risks.

Key implications for financial services organizations

This evolving regulatory landscape provides financial services organizations with opportunities to modernize their customer identification processes, strengthen innovation and efficiency, and reinforce the necessity of rigorous risk management and compliance practices. Organizations should consider the following key areas as they adapt to increased flexibility in customer onboarding.

Enhanced flexibility in customer onboarding. Financial services organizations might now have more flexibility to rely on a broader spectrum of identity verification tools. Such tools could include:

  • Biometric verification technologies, including facial recognition and fingerprint scanning
  • Digital identity wallets and decentralized ID systems
  • Third-party identity verification providers with advanced analytics
  • Government-authenticated digital IDs or secure document uploads

This flexibility can reduce friction in the onboarding process, enabling faster customer acquisition, improved user experience, and greater accessibility, especially for remote or international clients.

Reassessing risk management protocols. With greater freedom comes increased responsibility. The exemption places the burden on organizations to demonstrate that alternative verification methods are equally effective in detecting and deterring money laundering and terrorist financing. Organizations must therefore revisit their risk assessment frameworks, incorporating the following elements:

  • Evaluation of risk profiles associated with alternative verification tools
  • Documentation of the controls and processes ensuring reliability and security
  • Analysis of geographic, customer-type, and transaction-risk variables

Risk-based approaches must remain dynamic and responsive to the organization’s evolving customer base and technological environment.

Operational and policy adjustments. The new CIP requirements exemption necessitates a formal update of internal policies, including:

  • CIP documentation
  • AML and CFT compliance manuals
  • Employee training programs
  • Independent audit and quality control frameworks

Additionally, team members should be trained not only on the technical use of new identity verification tools but also on the regulatory rationale and risk implications behind them.

Continued emphasis on regulatory compliance. Despite the innovation in method, the core expectations of the BSA remain intact. Organizations must retain comprehensive records of their identification processes and provide evidence of due diligence during regulatory examinations. Key recordkeeping obligations include:

  • Methods of identity verification
  • Results of the verification process
  • Any follow-up measures taken in the event of discrepancies
  • Clear justification for choosing alternative methods

Failing to comply with these obligations might result in penalties, reputational harm, or even enforcement actions, particularly if lapses lead to illegal activities slipping through compliance nets.

Strategic recommendations for implementation

To realize the benefits of the new CIP requirements exemption while minimizing downside risk, organizations should adopt a strategic and methodical approach. Following are four key recommendations.

Conducting comprehensive risk assessments. Start by performing a review of the risk landscape associated with the use of alternative identification methods. This review includes:

  • Identifying specific use cases such as international customers or fintech partnerships 
  • Measuring inherent risk versus residual risk after controls are applied
  • Aligning identification methods with customer risk tiers

Organizations should consider developing a CIP exception matrix and documenting when and why alternative methods are permitted and under what conditions.

Proactively engaging with regulatory authorities. Proactive communication with regulators, such as the OCC, the Federal Deposit Insurance Corp., the Federal Reserve Board, and the National Credit Union Administration, will be critical to successful implementation. Financial services organizations could:

  • Request informal feedback on proposed verification methods
  • Participate in industry working groups or OCC-sponsored forums
  • Stay abreast of emerging guidance documents and FAQ

Establishing a transparent, two-way dialogue helps to reduce misalignment and builds trust with supervisory agencies.

Using technology investments thoughtfully. Technology is central to this exemption, but organizations must vet vendors and platforms rigorously. Organizations should prioritize:

  • Solutions that align with AML and CFT requirements and offer audit trails
  • Vendors with a track record of compliance readiness
  • Systems that are interoperable with existing know your customer (KYC) and AML stacks

Additionally, organizations can consider investing in AI-powered transaction monitoring, which complements identity verification by detecting suspicious behaviors after onboarding.

Establishing robust monitoring and review mechanisms. The exemption is not a one-time implementation. It’s an ongoing compliance obligation. Organizations should consider:

  • Implementing continuous monitoring tools to detect anomalies
  • Reviewing performance metrics, such as false positives and failed verifications
  • Conducting periodic internal audits and compliance testing

Feedback loops should inform regular updates to policies and procedures to support adaptability in the face of new threats or changes in the regulatory landscape.

Broader industry impact and opportunities

The OCC’s move is consistent with a broader regulatory shift toward innovation and digital enablement in financial services. It is in line with similar international trends, such as:

  • The most recent pre-legislative version of the UK’s digital identity and attributes trust framework
  • Updates for the European Union’s electronic identification and trust services (eIDAS) regulation
  • Ongoing discussions at the Financial Action Task Force on digital KYC efforts

This harmonization offers opportunities for cross-border onboarding and global identity solutions, reducing barriers for underbanked populations and promoting financial inclusion. It also might give U.S. organizations a competitive edge in global fintech partnerships and embedded finance ecosystems.

However, this progress must not come at the cost of vigilance. Cyber fraud, synthetic identities, and deepfake technologies are rising threats that make robust implementation and ethical technology use more essential than ever.

A balancing act

The new CIP requirements exemption warrants that organizations thoughtfully balance regulatory rigor and operational agility. By embracing innovation while staying anchored to strong compliance principles, financial services organizations can improve customer experience, expand access, and fortify trust.

As this regulatory landscape evolves, the organizations that succeed will be those that approach the exemption not as a loophole but as an opportunity to build a more resilient, risk-aware, and inclusive financial ecosystem.

Fight financial crime with a team that understands the stakes

With more than 40 years of experience working with financial services companies, our financial crime specialists know how to help you address risks in ways that make sense for your organization.