On March 28, 2024, the US Department of the Treasury's Financial Crimes Enforcement Network ("FinCEN"), in consultation with the staffs of the federal banking agencies, issued a request for information and comment (the "RFI") regarding industry practices and perspectives with respect to banks' requirement, under the Customer Identification Program ("CIP") Rule, to collect a taxpayer identification number ("TIN") from a customer prior to opening an account. Specifically, the RFI seeks information and comment regarding a proposal to allow banks to collect a partial Social Security number ("SSN") from a customer that is both an individual and a US person, and then to use a reputable third-party source to obtain the full SSN prior to opening an account for the customer. In addition to a request for information and comment, FinCEN (and, in a separate release, the Federal Deposit Insurance Corporation ("FDIC")) indicated that the agencies view the existing CIP Rule as requiring banks to collect the full, nine-digit SSN from a US individual.[1]

FinCEN will accept comments on the RFI until May 28, 2024.

BACKGROUND

Under the CIP Rule, banks (along with certain other categories of financial institutions, such as broker-dealers) are required to collect, prior to opening an account, a minimum of four pieces of information from an individual customer: the customer's name, date of birth, address and identification number.[2] For a US individual, the identification number is the individual's TIN, which is generally an SSN. Originally promulgated in 2003, the CIP Rule contained a limited exception for banks offering credit card accounts to obtain some information from the customer directly, while obtaining the remaining information from third-party sources. In the preamble to the final CIP Rule, FinCEN and the federal banking agencies acknowledged that imposing the general collection requirement would have likely altered the way banks offered credit card products, and alluded to the legislative history of the relevant requirement, which provided that the regulations should be appropriately tailored for situations where the accountholder was not physically present at the financial institution, and should avoid imposing requirements that are burdensome, prohibitively expensive, or impractical.[3] Aside from this exception—and the related discussion in the preamble to the final CIP Rule—FinCEN had not, to date, provided any guidance as to whether banks were required to collect the full, nine-digit SSN directly from the customer, as opposed to only a portion of the SSN, with the rest collected through reliable third-party sources.

This requirement—and the ambiguity as to its scope—has been a major friction point for fintechs, as there has been pressure from bank partners to collect the full nine digits of a customer's SSN during the onboarding process. This contrasts with practice outside the banking industry, where collecting only the last four digits of the SSN and supplementing the rest using trusted third-party sources is commonplace. Bank partners, looking to the "from the customer" requirement in the CIP Rule, have increasingly been applying a strict requirement for their fintech partners to collect the full, nine-digit SSN directly from the customer at onboarding. From the perspective of the fintech, this additional requirement can lead to friction in the onboarding process and, given customers' reluctance to provide a full SSN in an online context, an increase in abandonment of the onboarding process. This friction had not gone unnoticed, and a variety of stakeholders, including financial institutions, trade associations and members of Congress, had called attention to the reluctance of customers to provide full SSNs and the failure of the existing CIP requirements to acknowledge that such collection was unnecessary to achieve the objectives of the CIP Rule.

TAKEAWAYS

The RFI seeks perspectives from both bank and non-bank financial institutions and stakeholders, and presents an opportunity for banks, fintechs, and other interested parties to suggest changes to the current CIP requirements—or put differently, FinCEN's current interpretation of those requirements—and to provide pertinent information to FinCEN and the federal banking agencies. Banks, as well as fintechs that rely on bank partners to provide services, should take notice and consider commenting on the RFI, as a rule that explicitly establishes a requirement to collect a full, nine-digit SSN from customers for banks (and bank-offered products and services) could result in different sets of requirements between bank-offered products and services and those offered by fintech and other financial institutions operating under their own license authority. Given the reluctance of customers to provide a full SSN, these differences could lead to higher abandonment rates for customers onboarded to bank-offered products and services. Fintechs and their bank partners are uniquely positioned to offer perspectives on why existing solutions—commonly employed by non-banks and others—could allow a bank to form a reasonable belief that it knows the true identity of its customer, without requiring collection of the full, nine-digit SSN from the customer.

Footnotes

1. See FDIC, FIL-25-2024, Collecting Identifying Information Required Under the Customer Identification Program (CIP) Rule (Mar. 28, 2024).

2. See 31 C.F.R. § 1020.220(a)(2)(i)(A) (rule for banks).

3. See Customer Identification Programs for Banks, Savings Associations, Credit Unions and Certain Non-Federally Regulated Banks, 68 Fed. Reg. 25,090, 25,097 (June 9, 2003).


© Copyright 2024. The Mayer Brown Practices. All rights reserved.
