On July 31, 2025, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an exemptive order in coordination with the Board of Governors of the Federal Reserve System (the “Fed”) that allows banks under the Board’s jurisdiction to collection Tax Identification Number (TIN) information from third parties, instead of requiring that such information only be obtained directly from their customers. This order follows a similar order issued by FinCEN on June 27, 2025, in coordination with the Office of the Comptroller of the Currency (OCC), Federal Deposit Insurance Corporation (FDIC), and National Credit Union Administration (NCUA).1
As is the case with all banks subject to the supervision of the above-referenced regulators, the Fed’s release notes that the change “is optional, and banks are not required to use alternative collection methods.”
Background
Since 2003, the Customer Identification Program (CIP) Rule has required banks to collect specific identifying information (Social Security numbers or TINs) from customers opening new accounts. Banks must have written procedures that: (1) enable the bank to obtain TIN information prior to opening an account; (2) are based on the bank’s assessment of the relevant risks; and (3) are risk-based for the purpose of verifying the identity of each customer to the extent reasonable and practicable, enabling the bank to form a reasonable belief that it knows the true identity of each customer. This new exemptive relief eases the previous requirement that financial institutions receive TIN information directly from customers and enables them to obtain information from certain third parties, such as consumer reporting agencies, when opening a new account.
Easing this collection requirement signals a change in the way financial institutions interact with their customers. TIN collection has been a topic of discussion amongst regulators and the industry for the last few years. Customers interact with banks in diverse ways today, including through various digital channels and remote applications. Additional means of identity verification that offer reliable alternatives to collecting nine-digit TINs directly from customers are currently available. These alternative means can help mitigate the risks associated with data breaches and identity theft.
Analysis
Banks that choose to take advantage of the exemption will want to update their policies, procedures, and controls on TIN collection and their broader CIP. Such updates may allow banks to streamline the customer onboarding process through partnerships with trusted third parties.
While this is a significant development in modernizing anti-money laundering (AML) compliance, it is important to note that:
- TINs are still an element of the required identity verification process. Therefore, TINs must be obtained from trusted third party sources, such as credit bureaus or reputable identity verification services;
- CIP procedures must still be written and reflect a risk-based approach to account opening; and
- CIP obligations are not relaxed, i.e., banks and other financial institutions subject to the supervision of the above-referenced regulators are still required to verify the identities of their customers through robust procedures (whether those are documentary, e.g., matching driver’s license information, or non-documentary, e.g., cross-referencing a customer’s personal data with a known database).
These recent changes are particularly beneficial to Fintech companies partnering with banks to onboard customers, even though the exemptive order does not extend to non-bank financial institutions, such as money service businesses, for purposes of complying with their own CIP obligations (to the extent required). Nonetheless, this exemption may still affect bank-Fintech partnerships by allowing such Fintechs to provide TIN retrieval and verification services as third-party service providers to their bank customers during the account opening process.
Conclusion
Treasury and FinCEN have undertaken a number of reviews over the years seeking to modernize AML compliance obligations to balance risk with efficiency.2 These efforts, which have crossed administrations in the past, are expected to continue in light of the current Administration’s deregulatory agenda. King & Spalding will continue to monitor developments in this space and is well equipped to advise clients subject to these requirements on compliance with their AML obligations.
