FinCEN and banking agencies allow banks to collect customers’ SSNs from third parties
In a significant step towards modernizing Bank Secrecy Act compliance, FinCEN and certain banking agencies are providing flexibility in “know your customer” requirements for banks.
The Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (collectively, the Agencies), with the concurrence of the Financial Crimes Enforcement Network (FinCEN), issued an order on June 27, 2025, that permits banks subject to the jurisdiction of the Agencies to collect a customer’s tax identification number (TIN) from a third party rather than from the customer, provided the bank otherwise complies with the Customer Identification Program (CIP) Rule (the Order).[1]
The Order was issued after the Agencies and FinCEN considered comments in response to a March 2024 CIP Request for Information, which sought insight from the public on the potential risks and benefits if banks were permitted to obtain part or all of a customer’s TIN information from a third-party source prior to opening an account, as opposed to collecting TIN information directly from a customer.[2]
The Order is an important step towards modernizing compliance with the Bank Secrecy Act (BSA) and its implementing regulations. The CIP Rule, issued in 2003, requires banks to, among other things, collect certain identifying information from customers before account opening. The CIP Rule is one of the core legal requirements underlying “know-your-customer” (KYC) processes maintained by banks and, in turn, banks’ fintech partners, who play a critical role in assisting banks with discharging their KYC obligations under the CIP Rule.
Compliance practices and financial services have evolved substantially since the CIP Rule was issued, and banks and their financial services partners have found the technical compliance requirements under the CIP Rule—in particular the requirement to collect all nine digits of a customer’s Social Security number (SSN) directly from customers prior to account opening—onerous and impractical, especially in light of modern identity verification tools and services. Importantly, the Order will provide significant flexibility for banks that maintain bank-fintech partnerships and/or offer online or mobile banking activities, allowing such banks to leverage digital identity verification services and tools that were not available when the CIP Rule was adopted. According to the OCC, “The Order also promotes financial inclusion, allowing greater access to financial products and services by addressing the legitimate concerns of customers who are unwilling to provide their full TIN in an electronic format, in an online account opening or credit application.”[3] We agree.
What this means is that, moving forward, banks subject to the jurisdiction of the Agencies may, but are not required to, collect a customer’s TIN information (e.g., SSN) from third parties prior to account opening. Banks must still, however, continue to comply with the broader requirements of the CIP Rule, which include maintaining written procedures that: (1) enable the bank to obtain TIN information prior to opening an account; (2) are based on the bank’s assessment of the relevant risks; and (3) are risk-based for the purpose of verifying the identity of each customer to the extent reasonable and practicable, enabling the bank to form a reasonable belief that it knows the true identity of each customer.
Overview of CIP Rule compliance
Pursuant to Section 326 of the USA PATRIOT Act, FinCEN and the Agencies jointly issued the CIP Rule in 2003, which establishes minimum standards for customer identification and verification by requiring banks to implement written CIP procedures that enable a bank to form a reasonable belief that it knows the true identity of its customers. The CIP Rule requires banks to verify the identity of their customers to the extent reasonable and practicable, and CIP procedures must specify the customer identifying information that a bank will obtain from each customer prior to opening an account, which must include, at a minimum:
- the customer’s name,
- date of birth (for an individual),
- address, and
- identification number, which is a TIN for U.S. persons.[4]
Historically, to meet the CIP Rule’s identification number requirement, banks were required to collect a customer’s full SSN prior to account opening, except with respect to credit card accounts.[5] In practice, banks and their financial services partners have found technical compliance with the CIP Rule to be onerous and burdensome, particularly in the context of bank-fintech partnerships where collecting the full SSN can be challenging and regulatory expectations inconsistent. For example, in 2020 the OCC adopted a more flexible stance with respect to CIP Rule compliance, as compared to the other Agencies, such as the FDIC, resulting in inconsistent CIP compliance practices among banks and, in turn, their fintech partners.[6]
The Agencies and FinCEN note that “[s]ince the CIP Rule was issued in 2003, FinCEN and the Agencies have observed a significant expansion in ways that consumers access financial services, along with a rise in reported customer reluctance to provide their full TIN due, in part, to data breaches and identity theft concerns.” Notably, the Order states further that “FinCEN and the Agencies believe that the rationale relating to consumer privacy and security concerns provided for the credit card exception in 2003 as well as concerns about requirements being burdensome, prohibitively expensive, or impractical is applicable to all other types of accounts that are now easily accessible to customers through non-face-to-face means.”
The Agencies and FinCEN recognize that reliable alternative processes for identity verification exist today that were not available when the CIP Rule was issued, and thus the flexibility the Order provides is warranted. Moving forward, banks subject to the jurisdiction of the Agencies may, but are not required to, collect a customer’s TIN information from third parties prior to account opening, providing more flexibility for banks to offer digital banking services in compliance with the CIP Rule and consistent compliance practices across financial institutions.
[1] Note, the Federal Reserve Board did not participate in the Order and thus banks within the Federal Reserve Board’s jurisdiction are not covered by the Order.
[2] Dan Stipano, Davis Polk’s Head of AML/CFT, submitted a comment letter in response to the CIP Request for Information.
[3] News Release 2025-61, Office of the Comptroller of the Currency, Acting Comptroller of the Currency Issues Statement on Order Granting Exemption to Customer Identification Program.
[4] 31 C.F.R. § 1020.220(a)(2)(i).
[5] For credit card accounts, the CIP Rule allows banks to obtain customer identification information from a third-party source prior to extending credit to the customer. 31 C.F.R. § 1020.220(a)(2)(i)(C).
[6] In a 2020 interpretive letter (the OCC Interpretive Letter), the OCC granted an exemption to a national bank operating subsidiary to allow the entity to collect a partial SSN from its customers and subsequently use third-party sources to obtain the full SSN prior to account opening. See OCC Interpretive Letter #1175 (Nov. 16, 2020). The OCC Interpretive Letter noted that the “practice of collecting partial TINs is similar to the existing exemption available to the processing of credit card accounts, and [OpSub]’s modified process should be treated similarly because the OCC finds that the rationale supporting the credit card exemption also applies to the [OpSub] process as described in the request letter.”