Reported by FinCEN
(Summary version featured below. To read entire order, go to: https://www.fincen.gov/sites/default/files/2025-06/CIP-TIN-Exemption-Order-final508.pdf)
1. A New Era for TIN Collection in CIP
On June 27, 2025, the OCC, FDIC, and NCUA—with FinCEN’s concurrence—issued a joint Order that broadens the existing CIP Rule exception on Taxpayer Identification Number (TIN) collection. Under this Order, covered banks may now obtain TINs from reliable third-party sources rather than directly from customers when opening any type of account, provided they maintain robust, written, risk-based CIP procedures to form a reasonable belief in each customer’s true identity prior to account opening.
2. Building on the Bank Secrecy Act and PATRIOT Act
Since the enactment of the Bank Secrecy Act and section 326 of the USA PATRIOT Act, financial institutions have been required to collect basic identifying information—name, date of birth, address, and an identification number (for U.S. persons, a TIN)—to verify customer identity before account opening. The 2003 CIP Rule implemented these standards and included an exception allowing third-party collection of identifying data only for credit-card accounts. This new Order extends that exception to all deposit, loan, and other account types, reflecting regulatory acknowledgement of modern verification capabilities.
3. Adapting to Digital-First Banking
Regulators recognized two key drivers behind this change: (1) the surge in digital account openings, where customers are reluctant to share sensitive TIN data directly due to privacy and breach concerns; and (2) the maturity of identity-verification technologies that can reliably source TINs. A March 2024 Request for Information solicited extensive public feedback—from banks, fintechs, trade groups, and community organizations—confirming that third-party TIN retrieval, when integrated into sound CIP practices, does not increase money-laundering or terrorist-financing risks.
4. Assessing Risk and Ensuring Compliance
A comprehensive review of BSA reports, industry comments, and credit-card CIP practices revealed no uptick in illicit-finance activity under the existing exception. The Agencies concluded that the expanded exemption is consistent with the BSA’s anti-money-laundering objectives and safe, sound banking standards. Institutions choosing this path must still:
- Obtain the customer’s TIN (via third party) before account opening;
- Tailor the retrieval method to the assessed risk level; and
- Combine TIN sourcing with other documentary or non-documentary verification measures to form a reasonable belief in the customer’s identity.
5. Voluntary Adoption and Regulatory Oversight
Implementation of the exemption is entirely voluntary. Banks may continue direct customer TIN collection if preferred. Those opting in must document their approach within their risk-based CIP procedures and uphold all other BSA requirements. The OCC, FDIC, and NCUA reserve the right to rescind the exemption for any institution that fails to demonstrate consistent compliance with the CIP Rule’s identity-verification standards.