In a significant move, on June 27, 2025 the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an order granting banks and their subsidiaries an exemption from the Customer Identification Program (CIP) Rule of the U.S.A. PATRIOT Act. Under the order, these entities are now permitted to collect taxpayer identification number (TIN) information from third-party sources in addition to obtaining that information directly from the customer.
The order comes more than a year after the collective governing agencies [Federal Deposit Insurance Corporation (FDIC), Office of the Comptroller of the Currency (OCC), and National Credit Union Administration (NCUA)] issued a request for information in March 2024. The agencies sought public comment on the potential risks, benefits, safeguards, and concerns surrounding the potential for banks to obtain all or part of a customer’s TIN information from a third-party source rather than from the customer directly prior to opening an account. In issuing the order, FinCEN and the agencies acknowledged the significant digital evolution in how consumers obtain and access financial services. They further acknowledged that consumers are often reluctant to provide their full TIN due to identity theft and data breach concerns.
Prior to the order, banks were required to obtain TIN information directly from the customer before opening an account, with the exception of credit card accounts, where the bank was permitted to obtain some customer information from a third-party source.
Banks are still required to comply with the Customer Identification Program (CIP) requirements, which implement Section 326 of the U.S.A. PATRIOT Act. As such, a bank must still have written CIP procedures that:
- enable the bank to obtain TIN information prior to opening an account;
- are based on the bank’s assessment of the relevant risks; and
- are risk-based for the purpose of verifying the identity of each customer to the extent reasonable and practicable, enabling the bank to form a reasonable belief that it knows the true identity of each customer.
This change is particularly impactful and allows banks, and bank service providers, to integrate automated methods to obtain TIN information, which in turn leads to a smoother customer onboarding process. Notably, FinCEN stated that it had not identified heightened money laundering, terrorist financing, or other illicit finance risks associated specifically with alternative collection methods when appropriately managed under the existing exception for credit card accounts.
FinCEN and the agencies also acknowledge that banks have access to reliable alternative processes for verification, allowing them to form a reasonable belief that they know the identity of each customer. Utilization of alternative processes for verification would need to be part of a bank’s risk assessment and factored into a risk-based program. However, if for any reason a bank chooses to continue obtaining full TIN information directly from the customer, it may continue to do so.
Banks and their partners should be aware of the flexibility the order provides when complying with CIP obligations.