How Many Digits? FinCEN Seeks Comment on Bank Customer Identification Requirements
On March 28, 2024, the US Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”), in consultation with the staffs of the federal banking agencies, issued a request for information and comment (the “RFI”) regarding industry practices and perspectives with respect to banks’ requirement, under the Customer Identification Program (“CIP”) Rule, to collect a taxpayer identification number (“TIN”) from a customer prior to opening an account. Specifically, the RFI seeks information and comment regarding a proposal to allow banks to collect a partial Social Security number (“SSN”) from a customer that is both an individual and a US person, and then to use a reputable third-party source to obtain the full SSN prior to opening an account for the customer. In addition to a request for information and comment, FinCEN (and, in a separate release, the Federal Deposit Insurance Corporation (“FDIC”)) indicated that the agencies view the existing CIP Rule as requiring banks to collect the full, nine-digit SSN from a US individual.1
FinCEN will accept comments on the RFI until May 28, 2024.
Background
Under the CIP Rule, banks (along with certain other categories of financial institutions, such as broker-dealers) are required to collect, prior to opening an account, a minimum of four pieces of information from an individual customer: the customer’s name, date of birth, address and identification number.2 For a US individual, the identification number is the individual’s TIN, which is generally a SSN. Originally promulgated in 2003, the CIP Rule contained a limited exception for banks offering credit card accounts to obtain some information from the customer directly, while obtaining the remaining information from third-party sources. In the preamble to the final CIP Rule, FinCEN and the federal banking agencies acknowledged that imposing the general collection requirement would have likely altered the way banks offered credit card products, and alluded to the legislative history of the relevant requirement, which provided that the regulations should be appropriately tailored for situations where the accountholder was not physically present at the financial institution, and should avoid imposing requirements that are burdensome, prohibitively expensive, or impractical.3 Aside from this exception—and the related discussion in the preamble to the final CIP Rule—FinCEN had not, to date, provided any guidance as to whether banks were required to collect the full, nine-digit SSN directly from the customer, as opposed to only a portion of the SSN, with the rest collected through reliable third-party sources.
This requirement—and the ambiguity as to its scope—has been a major friction point for fintechs, as there has been pressure from bank partners to collect the full nine digits of a customer’s SSN during the onboarding process. This is in contrast to common practice outside the banking industry, where collection of only the last four digits of the SSN, while supplementing the rest using trusted third-party sources, is commonplace. Bank partners, looking to the “from the customer” requirement in the CIP Rule, have increasingly been applying a strict requirement for their fintech partners to collect the full, nine-digit SSN directly from the customer at onboarding. From the perspective of the fintech, this additional requirement can lead to friction in the onboarding process and, given customers’ reluctance to provide a full SSN in an online context, an increase in abandonment of the onboarding process. This friction had not gone unnoticed, and a variety of stakeholders, including financial institutions, trade associations and members of Congress, had called attention to the reluctance of customers to provide full SSNs and the failure of the existing CIP requirements to acknowledge that such collection was unnecessary to achieve the objectives of the CIP Rule.
Takeaways
The RFI seeks perspectives from both bank and non-bank financial institutions and stakeholders, and presents an opportunity for banks, fintechs, and other interested parties to suggest changes to the current CIP requirements—or put differently, FinCEN’s current interpretation of those requirements—and to provide pertinent information to FinCEN and the federal banking agencies. Banks, as well as fintechs that rely on bank partners to provide services, should take notice and consider commenting on the RFI, as a rule that explicitly establishes a requirement to collect a full, nine-digit SSN from customers for banks (and bank-offered products and services) could result in different sets of requirements between bank-offered products and services and those offered by fintech and other financial institutions operating under their own license authority. Given the reluctance for customers to provide a full SSN, these differences could lead to higher abandonment rates for customers onboarded to bank-offered products and services. Fintechs and their bank partners are uniquely positioned to offer perspectives on why existing solutions—commonly employed by non-banks and others—could allow a bank to form a reasonable belief that it knows the true identity of its customer, without requiring collection of the full, nine-digit SSN from the customer.
1 See FDIC, FIL-25-2024, Collecting Identifying Information Required Under the Customer Identification Program (CIP) Rule (Mar. 28. 2024).
2 See 31 C.F.R. § 1020.220(a)(2)(i)(A) (rule for banks).
3 See Customer Identification Programs for Banks, Savings Associations, Credit Unions and Certain Non-Federally Regulated Banks, 68 Fed. Reg. 25,090, 25,097 (June 9, 2003).
