Over the last several months, my team’s research into online fraud ecosystems has revealed just how far criminals are willing to go to outpace financial
institutions. On Telegram, sellers advertise “fullz” — complete identity kits including Social Security numbers, driver’s licenses, and even school transcripts. On Facebook, fraudsters openly promote packages engineered to pass KYC checks. And in automated
bot-run shops, buyers can order stolen identities like they would shoes or groceries.
These aren’t random one-off sales. They are sophisticated bundles designed for one purpose: to beat the minimum requirements of banks’ and fintechs’ Customer
Identification Programs (CIP).
For compliance professionals, that should raise alarms. CIP is a cornerstone of the USA PATRIOT Act and financial institutions’ Bank Secrecy Act (BSA)/AML
programs. If criminals can reliably pass through it, the consequences aren’t just fraud losses — they’re regulatory, reputational and systemic.
CIP as a regulatory obligation, and a weak point
The regulation is straightforward. At account opening, institutions must collect and verify four identifiers — name, date of birth, address and an identification
number — through documentary or non-documentary means. They must check those identifiers against government watchlists, record results, and keep their CIP program board-approved and risk-based.
But here’s the problem: fraudsters already know these requirements. Identity kits are built specifically to satisfy them. Vendors advertise “young adult
SSNs” because they’re more likely to be accepted as new-to-credit consumers. Tutorials warn buyers which mismatches will fail and which ones institutions typically let through. Some even simulate step-up processes so fraudsters can rehearse their responses.
The result is that CIP, when applied mechanically, functions less as a barrier and more as a roadmap.
What this means for compliance officers
Compliance professionals are accountable for ensuring that CIP isn’t just “technically compliant” but effective in preventing fraud and money laundering.
Regulators expect programs to be risk-based, adaptable, and integrated with broader BSA/AML efforts.
From what we’re seeing in the field, three upgrades are critical:
-
Move from static data checks to pattern recognition.
Verifying that an SSN “exists” or that a driver’s license “looks real” isn’t enough. Compliance programs should evaluate whether the identity coheres across multiple sources, not just the standard ones everyone uses.
The breakthrough comes from combining the tried-and-true (credit header data, for example), knowledge gained from authoritative sources like eCBSV, and large volumes of historic application data spanning billions of PII records. These lessons are vital, because
real consumers leave consistent, longitudinal trails over time. Identity criminals don’t. A risk-based CIP program should therefore elevate verification from the level of isolated data points to the broader coherence of data patterns, including the populations
traditional sources struggle with like ITIN holders and thin-file consumers. In other words, the provenance, richness and accuracy of data matters more now than ever for compliance professionals. -
Break down the silos between fraud detection and compliance screening.
Too often, CIP matching and OFAC/watchlist screening run in separate workflows, which themselves can be business units distinct from front-line fraud teams. That slows onboarding, increases false positives, and leaves
compliance staff reconciling contradictory results. Criminals take advantage of these inconsistencies. More fundamentally, treating fraud prevention and compliance as separate problems misses the opportunity to build a unified defense. The institutions gaining
ground today are those linking fraud intelligence with compliance functions and expertise. This more consistent line of defense leads to better-informed outcomes, lower compliance risk, and a better experience for legitimate applicants. -
Adapt as fast as the fraud economy.
Fraud markets are constantly evolving. If your CIP program is updated annually, you’re already behind. Regulators expect continuous monitoring and risk-based adjustments.
Compliance teams need tools with built-in feedback loops that can keep pace with the rapidly changing reality of the fraud ecosystem and incorporate human expertise when automated systems
alone aren’t enough. Having a “ground truth” informed by both data and experienced investigators allows controls to improve over time and adapt as threats change. It’s not just about having more data sources; it’s about
what you do with them.
Why proactive CIP matters
For compliance officers, the downsides of weak CIP don’t stop at account fraud. When criminals pass through onboarding, the consequences go far beyond
a single fraudulent account. Rudimentary CIP controls increase the likelihood of money laundering, magnify operational inefficiencies by driving up manual review costs, and expose institutions to regulatory findings. Conversely, when CIP functions as a dynamic,
intelligence-driven program, compliance teams achieve both stronger fraud prevention and smoother onboarding for legitimate customers. Institutions that succeed in this area approve good applicants more quickly, reject fraud kits before they take root, and
are able to demonstrate to regulators that their programs are not only compliant but also effective in practice.
What this all points to is a simple but urgent reality: criminals are treating CIP like an obstacle course. They test it, train for it, and share playbooks
for defeating it.
Compliance professionals must respond by reimagining CIP as more than a checklist. The regulation already allows this flexibility. In fact, it demands
it. What matters now is whether institutions are willing to treat CIP as a configurable, intelligence-powered system that learns and adapts as quickly as the fraud economy it is meant to defend against.
