I would disagree that "most CIP policies require two types of I.D.". Most that I review require only 1. As Shemp pointed out, CIP requires you to create a policy that is risk-based. CIP requires you to verify enough info so that you are reasonably satisfied they are who they say they are."
You might want to review Q&A's 1-4 of the "31 C.F.R. § 103.121(b)(2)(ii) -- Customer verification" section of the new/revised
CIP Q&A's. Also, review Q&A #2 of the section entitled "31 C.F.R. § 103.121(b)(3)(ii) – Retention of records".