What You Need to Know

  • Key takeaway #1
    The current CIP rule remains in effect, and requires banks to collect all nine digits of SSNs directly from U.S. individual customers before opening an account for them, except in the case of credit card accounts.
  • Key takeaway #2
    Banks that rely on third-party service providers to collect SSNs for the opening of accounts should make sure that these providers are collecting all nine digits directly from customers to avoid a potential CIP compliance issue. Conversely, FinTechs and banking-as-a-service providers should assess whether they collect full SSNs from prospective customers in connection with services offered through banks, and should prepare for diligence requests from their bank partners on this issue.
  • Key takeaway #3
    FinCEN has requested comments on the current CIP requirement to collect SSNs and other key personal identifiers from customers, including potentially allowing banks to collect partial SSN information from the customer and using a third-party source to collect the full SSN. These comments are due to FinCEN by May 28, 2024.

On March 29, 2024, the U.S. Department of the Treasury's Financial Crimes Enforcement Network ("FinCEN") issued a "notice and request for information and comment" ("RFI") seeking comments on the Bank Secrecy Act's ("BSA") customer identification program ("CIP") rule. The CIP rule requires U.S. banks to collect a taxpayer identification number ("TIN") from a U.S. person before opening a new account for that person. For individuals, this TIN will be a Social Security number ("SSN").

In particular, the RFI seeks comments on the possibility of allowing banks to collect only part of an SSN (e.g., the last four digits) directly from their customers, and then using "reputable third-party sources," such as credit bureaus, to obtain the full SSN before account opening.

FinCEN, which administers the BSA, issued the RFI in consultation with the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Board of Governors of the Federal Reserve System (collectively, the "Agencies").

Comments on the RFI are due by May 28, 2024.

Why FinCEN Is Asking for Comments

The CIP rule generally requires banks to obtain certain personal identifying information (name, date of birth, address, and TIN or foreign equivalent) "from each customer" before a bank opens an account for that person. In its RFI, FinCEN notes that, when it promulgated the CIP rule in 2003, it excused banks from collecting TIN and the other required elements directly from customers opening credit card accounts, instead allowing banks to collect this information from third-party sources. FinCEN explains that this was done based on: (1) concerns from industry that credit card account customers had security and privacy concerns about providing these details, especially over the phone; and (2) legislative history indicating that Congress expected the CIP rule to be "appropriately tailored for accounts opened in situations where the account holder was not physically present at the financial institution" when the account was opened, and that Treasury should not impose requirements that were "burdensome, prohibitively expensive, or impractical."

FinCEN acknowledges that, since it first issued the CIP rule in 2003, there has been significant innovation in the financial services offered by banks and how they collect and verify customer identifying information. FinCEN cites buy-now-pay-later ("BNPL") loans, which extend credit to customers at point-of-sale, as one example of such new services.

The RFI requests comments about the potential risks, benefits, and safeguards related to partial collection of SSNs directly from customers and the use of third-party sources to collect customers' full SSNs, among other questions. The RFI also recognizes that there has been significant "public interest by banks, trade associations, and Congress" about the idea of allowing partial SSN collection from customers. FinCEN also recognizes that certain non-bank entities may be providing financial services without being required to obtain a TIN from customers, and that this might result in regulatory arbitrage or allow illicit finance activity risk in the U.S. financial system to go undetected.

At the same time, FinCEN identifies potential risks from allowing partial collection of SSNs, suggesting that partial SSN collection might "increase the ease and speed of identity theft, including synthetic identity fraud that can result in accounts opened without appropriate safeguards."

The RFI Makes Clear That the Current CIP Rule Requires Collection of Full SSNs Directly from Customers

The RFI also repeatedly emphasizes FinCEN's and the Agencies' view that, under the current CIP rule, banks are required to collect all nine digits of SSNs directly from customers. Indeed, FinCEN suggests that the same is true with respect to the collection by banks of the other required customer identifying information (name, date of birth, and address). It also warns banks about relying on third-party service providers that fail to collect required customer identifying information directly from the customer.

Representative Questions for Which FinCEN Seeks Comments

Although the RFI seems aimed primarily at the question of whether banks should be allowed to collect partial SSNs, the full list of questions on which FinCEN seeks comment is substantially broader, and asks, among other things:

  1. Whether banks should be allowed to collect other required customer identifying information from third-party sources;
  2. What diligence banks would conduct on third-party providers used to provide complete SSNs;
  3. How banks would verify the accuracy of SSNs received from third-party providers;
  4. About the impact on banks and customers of banks having to collect the full SSN directly from customers, as opposed to a partial SSN plus the use of a third-party provider to obtain the remainder of the SSN;
  5. Non-banks' views of using a third-party source for SSN collection, and the diligence and monitoring such non-banks conduct on these third parties;
  6. About the competitive advantages between banks, which must collect a customer's full SSN from the customer, and non-banks that collect a partial SSN from the customer and the remainder of the SSN from a third-party source;
  7. What other means bank and non-bank financial institutions use to collect and verify customer identifying information apart from the processes relating to SSN collection and verification; and
  8. For public studies or data points that assess the impact on financial crime when a customer is not required to provide a full SSN.

The current CIP rule allows the appropriate banking regulator, with the concurrence of the Department of the Treasury, to establish exemptions to the CIP rule. The RFI suggests that FinCEN and the Agencies may be considering changes to the CIP rule, at least with respect to the collection of SSNs from customers.

Key Takeaways

The most immediate takeaways are FinCEN's clarification that: (1) it currently expects banks to collect all digits of TINs directly from customers, rather than collecting partial TINs from customers and using third-party services to obtain full TINs; (2) banks should consider whether third-party service providers assisting banks with CIP are collecting full TINs; and (3) the same requirement to collect data directly from the customer applies to the other required elements of CIP (name, date of birth, and address). Banks should consider their current CIP practices against this guidance and make any necessary adjustments, while anticipating that, as a result of the RFI, FinCEN or one or more of the Agencies may change these requirements in the future. This includes monitoring any third-party service providers that banks use to collect SSNs or other required identifying information from customers for compliance with the guidance.

Conversely, FinTechs and banking-as-a-service ("BaaS") providers that collect SSNs for bank partners should consider whether their practices comply with the guidance, and anticipate possible questions from their bank partners.

Retaining experienced counsel knowledgeable in these issues can help banks and FinTechs understand their risks and the best options for making any needed changes and addressing any historical risk.

The banking industry has changed substantially from where it was 20 years ago, including in particular with respect to how much banking is done online or by phone as opposed to in person. The RFI represents an important opportunity for banks, FinTechs, and other service providers to comment on the preferability of not requiring customers to communicate sensitive information such as TINs online, which may carry fraud or cybersecurity risks for both customers and their financial institutions.
