The CIP Rule Is Coming—And Deepfakes Are Why RIAs Can’t Afford to Wait
A finance employee in Hong Kong joined what seemed like a routine video call with her CFO and colleagues. The meeting looked normal. Everyone sounded right.
She authorized $25 million in transfers.
Weeks later, the truth came out: every single person on that call was an AI-generated deepfake. Not one of them was real.
Welcome to 2025, where “knowing your customer” has become exponentially harder—and exponentially more important.
The Customer Identification Program (CIP) rule for investment advisors is pending. And while regulatory timelines shift, the fraud landscape driving this rule forward isn’t waiting for anyone.
What Is the Customer Identification Program (CIP) Rule?
The Customer Identification Program rule, jointly proposed by the SEC and FinCEN in May 2024, would require Registered Investment Advisors (RIAs) to establish written programs to verify customer identities.
The proposed rule requires:
- Risk-based procedures to verify each customer’s identity before or after account opening
- Collection of name, date of birth, address, and identification number
- Recordkeeping for at least five years
- Protocols for when identity verification fails or suspicious activity is detected
The CIP rule is currently proposed and the effective date is still pending.
In July 2025, FinCEN announced that it intends to revisit the proposed rule for investment advisers.
Why Now: The Explosion of AI-Powered Fraud
The CIP rule isn’t regulatory busy work. It’s a response to criminals exploiting investment advisors to launder money and move illicit funds through the U.S. financial system.
But here’s what makes 2025 different: artificial intelligence has supercharged fraud.
Deepfakes: According to identity verification platform Sumsub, deepfake attacks increased by a staggering 704% in 2023. One attack occurs every five minutes. Generative AI fraud in the U.S. is expected to hit $40 billion by 2027. The cryptocurrency sector accounts for 88% of detected deepfake fraud, and 92% of companies have experienced financial loss due to deepfakes.
Voice Cloning: Scammers harvest voice samples from social media or YouTube, then use AI to generate convincing audio. Deepfake fraud losses reached $200 million in Q1 2025 alone. A three-second voice clip is all it takes to clone someone’s voice.
Phone Number Spoofing: Imposter scams were the leading fraud method in 2023, with financial services being the most impersonated industry. Call spoofing lets scammers falsify caller ID to make calls seem legitimate. Financial data breaches increased 67% year-over-year, creating higher risk for spoofing attacks.
What This Means for RIAs
Traditional methods of “knowing your customer” are failing.
A video call? Could be a deepfake.
A voice verification? Could be cloned.
Caller ID showing your firm’s number? Could be spoofed.
The Customer Identification Program rule addresses this by requiring robust, risk-based identity verification. But even if the rule gets delayed, the fraud threat isn’t going anywhere.
How to Prepare for CIP Compliance Now
Proactive RIAs aren’t waiting. Here’s how to prepare:
Conduct a Risk Assessment
Identify your highest-risk clients, vulnerabilities, and whether current verification methods are sufficient. The proposed rule requires risk-based CIP tailored to your firm’s profile, customers, and services.
Document Current Procedures
Can you prove how you verify customer identities? Document what information you collect during onboarding, how you verify it, what triggers additional due diligence, and how you maintain records.
Implement Multi-Layered Verification
Single-point verification isn’t enough. Layer your approach:
- Document verification (government IDs, utility bills)
- Database checks (credit bureaus, sanctions lists)
- Knowledge-based authentication
- Biometric verification (with awareness of deepfake limitations)
- Behavioral analytics
If one method is compromised, others provide backup.
Establish Clear Escalation Protocols
Create a decision tree: What happens if verification fails? Who decides whether to proceed? When do you escalate to compliance or file a Suspicious Activity Report?
Train Your Team on Red Flags
Your staff needs to recognize:
- Clients who resist providing standard identification
- Inconsistencies between provided information and public records
- Unusually urgent requests
- Communications that don’t match typical patterns
- Reluctance to meet in person or via verified video
Develop Secure Communication Protocols
For high-risk communications, establish:
- Pre-arranged code words known only to you and the client
- Out-of-band verification (call back at pre-verified numbers)
- Multi-party authorization for large transactions
- Written confirmations following verbal authorizations
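The controls in this list, together with the decision tree from the escalation step above, can be written down as a release gate for transfer requests. The following is an added sketch, not part of the original article; the dollar threshold, the field names and the three outcomes (release, hold, escalate) are assumptions to replace with your firm's own policy.

```python
from dataclasses import dataclass, field
from typing import Optional

DUAL_AUTH_THRESHOLD = 50_000  # assumed policy value, not from the proposed rule

@dataclass
class TransferRequest:
    amount: float
    inbound_caller_id: str                 # displayed number; spoofable, never trusted
    callback_dialed: Optional[str] = None  # number staff dialed back themselves
    code_word_ok: bool = False             # pre-arranged code word given on the callback
    approvers: set = field(default_factory=set)
    written_confirmation: bool = False

def digits(number: str) -> str:
    """Strip formatting so '+1 (555) 010-0100' and '15550100100' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())

def evaluate(req: TransferRequest, phone_on_file: str, requested_by: str):
    """Return (decision, reasons); decision is 'release', 'hold' or 'escalate'."""
    # A callback to any number other than the one verified at onboarding is a
    # red flag in itself: someone supplied a replacement contact channel.
    if req.callback_dialed and digits(req.callback_dialed) != digits(phone_on_file):
        return "escalate", ["callback placed to a number not on file"]
    if req.callback_dialed and not req.code_word_ok:
        return "escalate", ["code word failed on verified callback"]

    missing = []
    if not req.callback_dialed:
        # A matching inbound caller ID earns no credit here.
        missing.append("out-of-band callback not performed")
    # The staff member who took the request cannot approve it.
    independent = req.approvers - {requested_by}
    needed = 2 if req.amount >= DUAL_AUTH_THRESHOLD else 1
    if len(independent) < needed:
        missing.append(f"{needed} independent approver(s) required")
    if not req.written_confirmation:
        missing.append("written confirmation not received")
    return ("hold", missing) if missing else ("release", [])

# Constructed sample data; the numbers use the reserved 555-01xx range.
ON_FILE = "+1 (555) 010-0100"
spoofed = TransferRequest(250_000, inbound_caller_id=ON_FILE, approvers={"alice"})
redirected = TransferRequest(250_000, "+15550100199", callback_dialed="+15550100199")
complete = TransferRequest(250_000, ON_FILE, "15550100100", True, {"bob", "carol"}, True)
```

The `spoofed` request shows why caller ID is ignored: the displayed number matches the one on file, yet the request is held until staff place their own callback and independent approvers sign off.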
Stay Updated on Technology
The fraud prevention industry is racing to keep pace. Stay informed about deepfake detection software, liveness detection for video verification, and voice biometric authentication—but remember that technology must be paired with strong procedures and human judgment.
The Role of Compliance Support
Implementing a comprehensive Customer Identification Program while staying ahead of evolving fraud threats is a massive undertaking.
This is why many RIAs turn to our outsourced compliance services. Compliance professionals can:
- Draft CIP policies tailored to your firm’s risk profile
- Conduct ongoing risk assessments
- Train staff on identity verification and red flags
- Monitor regulatory developments
- Provide legal guidance on complex scenarios
- Defend procedures during examinations
It takes time to design and implement a robust program, onboard technology, train staff, and fine-tune procedures. Starting now prevents last-minute scrambling.
With a securities lawyer and compliance team in your corner, you’re building a defensible program that actually protects your firm and clients.
RIA Compliance University offers training on customer identification best practices, recognizing synthetic identity fraud, anti-money laundering obligations, and maintaining compliant records.
Final Thoughts: Don’t Wait for the Rule—Prepare for the Reality
Yes, the Customer Identification Program rule has not been finalized. Yes, it may be revised.
But the fraud threat? That’s here now.
Deepfakes are increasing 900% annually. AI voice cloning costs as little as $20 on the dark web. Phone spoofing is trivial. Generative AI fraud could reach $40 billion by 2027.
Every day you wait to strengthen client identity verification is a day you’re vulnerable—to fraud, regulatory scrutiny, and reputational damage.
The firms that thrive won’t be the ones who scramble when the final rule drops. They’ll be the ones who acted proactively.
At My RIA Lawyer, we help investment advisors navigate the complex intersection of regulatory compliance and modern fraud prevention. From developing comprehensive customer identification programs to training your team on emerging threats, we ensure you’re prepared for regulations and reality.
Ready to get ahead of the curve? Contact us today to learn how our outsourced compliance services can help you build a CIP that works in the age of deepfakes and AI fraud.
Because knowing your customer has never been more important—or more complicated.
