COMMENT CALL: FinCEN, in consultation with the NCUA and other regulators, recently issued a request for information (RFI) asking whether credit unions and other financial institutions should be allowed to collect just partial Social Security numbers (e.g., the last four digits of an individual’s SSN), before opening accounts for U.S. persons for CIP purposes.
In a press release announcing the RFI, FinCEN said that it will use information it gathers “to evaluate the risks, benefits, and safeguards” if banks and credit unions can collect partial SSN information from a customer/member and then use a third-party source to obtain the full SSN.
As explained in The League’s ii Release No. 0159, FinCEN rules currently require credit unions to have CIP procedures that set out the identifying information they will obtain from a member/customer. The information must include, at a minimum, the name, date of birth (for an individual), address, and an identification number. For U.S. persons, (i.e., an individual who is a U.S. citizen, or an entity established or organized under the laws of a state or the United States), the identification number is a taxpayer identification number, meaning a Social Security number, individual taxpayer identification number or employer identification number for an organization.
FinCEN said that it recognizes the significant advances in customer identifying information collection and verification tools available to credit unions and other financial institutions since the adoption of the CIP Rule. FinCEN also recognizes that current technology has identified more customer identifying attributes – including email addresses, geolocation, and internet protocol (IP) address locations – that financial institutions may collect that could be used as part of a risk-based customer verification procedures.
Even with these advances, however, FinCEN said that it is still concerned that partial SSN collection could lead to increased fraud. For example, it notes that failing to obtain full SSNs could result in increased identity theft. And other risks – including impeding law enforcement investigations – may arise if third-party sources obtain inaccurate SSNs.
The RFI asks commenters to consider a long list of questions, including these:
- Should banks be permitted to collect part or all of a customer’s SSN and/or other customer identifying information required by the CIP Rule from a third-party source prior to account opening?
- What would be the risks and benefits of permitting partial SSN collection and what safeguards would need to be in place?
- What due diligence would a bank conduct before contracting with a third-party source for SSN collection, and what ongoing due diligence and monitoring of the third-party would it conduct?
- Does the current SSN collection requirement impact a customer’s ability to access financial products and services?
- What type of changes to the SSN collection requirement would improve the risk-based nature of a financial institution’s AML program?
- What factors and considerations may be necessary to identify, assess, and mitigate any risks associated with new technologies or innovative approaches to the SSN collection requirement?
- Do financial institutions use a combination of documentary and non-documentary methods to verify the identity of their customers, or do financial institutions rely solely on one of the two methods?
- Describe the processes and technologies used by financial institutions when obtaining and verifying partial and/or full customer identifying information as it pertains to various delivery channels (such as telephonic, mobile, and point-of-sale).
- What are the competitive advantages and disadvantages between banks that are required to collect the full SSN from the customer and those non-banks that collect a partial SSN from the customer and then use a third-party source to obtain the customer’s full SSN?
FinCEN asks that “commenters identify issues in as much detail as possible and provide specific examples where appropriate. … FinCEN requests that commenters note their highest priorities in their response, along with an explanation of how or why certain suggestions have been prioritized, when possible.”
Make your voice heard
The League plans to comment in on FinCEN’s RFI, but we need information from our member credit unions. What do you think about collecting just a partial SSN for CIP purposes? Please share your thoughts with Paul Guttormsson by May 21, so that our letter to FinCEN (which is due May 28) can reflect our credit unions’ ideas.