Key Takeaways
- FinCEN’s Order provides an exemption to the CIP Rule that increases operational flexibility by permitting banks to use an alternative collection method for obtaining TIN information rather than directly from the customer.
- For example, banks are now permitted to collect only the last four digits of a TIN from the customer and verify the full nine-digit TIN through a third-party source for all accounts, not just credit card accounts.
Introduction
On June 27, 2025, the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN) issued an order (Order) allowing banks,[1] and their subsidiaries, subject to the jurisdiction of the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA) (collectively the “Agencies”) to collect Tax Identification Number (TIN) information from a third party rather than directly from the bank’s customer at account opening. This is an exemption to the existing Customer Identification Program (CIP) Rule requirement under the Bank Secrecy Act (BSA) and became effective immediately upon issuance of the Order on June 27, 2025.
Background
The BSA, which was passed by Congress to prevent the laundering of money and the financing of terrorism, imposes various anti-money laundering obligations on certain types of defined categories of financial institutions, including establishing reasonably designed, risk-based programs to combat such risks. Under the BSA, as amended by Section 326 of the USA PATRIOT Act, the Secretary of the Treasury is required to create minimum standards for financial institutions regarding the identification of their customers for account openings, in order to combat illicit financial activity. Such standards include reasonable procedures for: (1) verifying the identity of any person seeking to open an account to the extent reasonable and practicable; and (2) maintaining records of the information used to verify a person’s identity, including name, address, and other identifying information. To implement Section 326’s requirement, FinCEN and the Agencies issued the CIP Rule in 2003.
The CIP Rule requires each bank to have written procedures used to form a reasonable belief that it knows the identity of each customer. At a minimum, banks must collect each customer’s name, date of birth, address, and identification number, which is typically a TIN. Since 2003, the CIP Rule has mandated that banks obtain complete TINs, usually a Social Security Number (SSN) or an employer identification number (EIN), directly from customers for account openings.
However, since 2003, credit card accounts have been exempt from the CIP Rule’s identification number requirement and banks may satisfy their CIP requirements by obtaining the full TIN from a third-party source (e.g., credit reporting agencies) prior to issuing a credit card to a customer. In the Order, FinCEN notes that it has not identified heightened money laundering/terrorist financing (ML/TF) risks that were related solely to obtaining the full TIN from a third-party source, and the Agencies consider such alternative collection methods for TIN information consistent with safe and sound banking.
FinCEN and the Agencies issued a Request for Information (RFI) in March 2024 requesting comments on the CIP TIN collection requirement. In that RFI, FinCEN emphasized that banks must continue to comply with the then-current CIP Rule requirement and collect all nine digits of a customer’s TIN.
The New Carveout
With this Order, instead of having to collect the full nine-digit TIN directly from the customer, banks subject to the CIP Rule are now permitted to collect TIN information from a third-party source rather than directly from the customer when opening a new account. The exemption provides an alternate and optional path to the existing one, whereby banks collect full TIN information directly from the customer. The order makes clear that banks are not required to use this alternative collection method, mitigating concerns expressed by certain banks with respect to having limited resources available for such third-party identity verification services.
FinCEN emphasizes in the Order that all other regulatory requirements remain in effect, meaning banks pursuing this alternate method must still demonstrate their ability to form a reasonable belief they know the true identity of each customer.
Notably, the Order does not appear to apply this exemption to the TIN collection requirements under the CIP Rule to ultimate beneficial owners (UBOs). Thus, until there is further regulatory clarity, banks should continue to collect the full TIN for UBOs at account opening.
The Bigger Picture: MSBs and Fintechs
Although the Order notes that customers are obtaining financial services using non-bank financial institutions at a significant rate, the Order only exempts banks that are subject to the CIP Rule. It does not explicitly address such an exemption for non-bank financial institutions such as Money Services Businesses (MSBs). Nonetheless, this exemption may still impact MSBs and fintechs engaged in bank-fintech partnerships. For instance, when the non-bank fintech party in a banking-as-a-service arrangement requests CIP information in connection with opening an account issued by the bank, it may have previously been contractually required by the bank to obtain the full TIN directly from the customer at onboarding. Going forward, the bank could instead, for example, permit the fintech to collect the last four digits of the customer’s TIN and obtain the full TIN from a third-party identification service provider.
Improvements to Identity Verification
With the high rate of customers engaging in online banking services rather than in-person, customers have been required to provide their full TIN via mobile application or website as part of the account opening process. However, as the Order notes, customers have reported reluctance when asked to provide this sensitive information online due to the heightened risk of identity theft and data breaches associated with non-face-to-face means of collection. The alternative collection methods under the Order may provide customers with increased comfort as banks begin to ask for no TIN information from the customer or only the last four digits and collect the rest from a third-party source.
Additionally, there are various enhancements in technologies available to banks for customer verification purposes, for example, biometric verification. While prior to the Order, banks were required to directly obtain full TIN information from customers at non-credit card account opening, banks also have increasingly used fingerprints, facial recognition, and other forms of biometric verification as part of meeting their compliance obligations under the CIP Rule. As banks rely on third parties to provide the customer’s full TIN at account opening with this new exemption, banks will likely maintain an interest in leveraging the various advancements in identity verification methods to help mitigate their compliance risk and data security risk.
[1] The Order specified that the term “bank” has the same definition in regulations implementing the BSA, 31 C.F.R. § 1010.100(d), and includes each agent, agency, branch, or office within the United States of banks, savings associations, credit unions, and foreign banks.
[View source.]
