Reported by Caroline E. Brown, Nicole Sayegh Succar, Carlton Greene, and Anand Sithian

On March 29, 2024, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”), issued a “notice and request for information and comment” (“RFI”) seeking comments on the Bank Secrecy Act’s (“BSA”) customer identification program (“CIP”) rule.  The CIP rule requires U.S. banks to collect a taxpayer identification number (“TIN”) from a U.S. person before opening a new account for that person.  For individuals, this TIN will be a Social Security number (“SSN”).

In particular, the RFI seeks comments on the possibility of allowing banks to collect only part of an SSN (e.g., the last four digits) directly from their customers, and then using “reputable third-party sources,” such as credit bureaus, to obtain the full SSN before account opening. 

FinCEN, which administers the BSA, issued the RFI in consultation with the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Board of Governors of the Federal Reserve System (collectively, the “Agencies”).

Comments on the RFI are due by May 28, 2024.

Why FinCEN Is Asking for Comments

The CIP rule generally requires banks to obtain certain personal identifying information (name, date of birth, address, and TIN or foreign equivalent) “from each customer” before a bank opens an account for that person.  In its RFI, FinCEN notes that, when it promulgated the CIP rule in 2003, it excused banks from collecting TIN and the other required elements directly from customers opening credit card accounts, instead allowing banks to collect this information from third-party sources.  FinCEN explains that this was done based on: (1) concerns from industry that credit card account customers had security and privacy concerns about providing these details, especially over the phone; and (2) legislative history indicating that Congress expected the CIP rule to be “appropriately tailored for accounts opened in situations where the account holder was not physically present at the financial institution” when the account was opened, and that Treasury should not impose requirements that were “burdensome, prohibitively expensive, or impractical.” 

FinCEN acknowledges that, since it first issued the CIP rule in 2003, there has been significant innovation in the financial services offered by banks and how they collect and verify customer identifying information.  FinCEN cites buy-now-pay-later (“BNPL”) loans, which extend credit to customers at point-of-sale, as one example of such new services. 

The RFI requests comments about the potential risks, benefits, and safeguards related to partial collection of SSNs directly from customers and the use of third-party sources to collect customers’ full SSNs, among other questions.  The RFI also recognizes that there has been significant “public interest by banks, trade associations, and Congress” about the idea of allowing partial SSN collection from customers. FinCEN also recognizes that certain non-bank entities may be providing financial services without being required to obtain a TIN from customers, and that this might result in regulatory arbitrage or allow illicit finance activity risk in the U.S. financial system to go undetected.

At the same time, FinCEN identifies potential risks from allowing partial collection of SSNs, suggesting that partial SSN collection might “increase the ease and speed of identity theft, including synthetic identity fraud that can result in accounts opened without appropriate safeguards.”

The RFI Makes Clear That the Current CIP Rule Requires Collection of Full SSNs Directly from Customers

The RFI also repeatedly emphasizes FinCEN’s and the Agencies’ view that, under the current CIP rule, banks are required to collect all nine digits of SSNs directly from customers.  Indeed, FinCEN suggests that the same is true with respect to the collection by banks of the other required customer identifying information (name, date of birth, and address).  It also warns banks about relying on third-party service providers that fail to collect required customer identifying information directly from the customer.

Representative Questions for Which FinCEN Seeks Comments

Although the RFI seems aimed primarily at the question of whether banks should be allowed to collect partial SSNs, the full list of questions on which FinCEN seeks comment is substantially broader, and asks, among other things:

1. Whether banks should be allowed to collect other required customer identifying information from third-party sources;
2. What diligence banks would conduct on third-party providers used to provide complete SSNs;
3. How banks would verify the accuracy of SSNs received from third-party providers;
4. About the impact on banks and customers of banks having to collect full SSN directly from customers as opposed to partial SSN plus the use of a third-party provider to obtain the remainder of the SSN.
5. Non-banks’ views of using a third-party source for SSN collection, and the diligence and monitoring such non-banks conduct on these third parties.
6. About the competitive advantages between banks which must collect a customer’s full SSN from a customer and non-banks that collect a partial SSN from the customer, and the remainder of the SSN from a third-party source.
7. What other means bank and non-bank financial institutions use to collect and verify customer identifying information apart from the processes relating to SSN collection and verification.
8. For public studies or data points that assess the impact on financial crime when a customer is not required to provide a full SSN.

The current CIP rule allows the appropriate banking regulator, with the concurrence of the Department of the Treasury, to establish exemptions to the CIP rule.  The RFI suggests that FinCEN and the Agencies may be considering changes to the CIP rule, at least with respect to the collection of SSNs from customers.

Read full report: https://www.crowell.com/en/insights/client-alerts/fincen-requests-comments-regarding-possible-relaxation-of-banks-customer-identification-program-requirements