NEWS: The NCUA and other federal regulators (the “Agencies”), with the concurrence of the Financial Crimes Enforcement Network (FinCEN), have announced an order granting an exemption from a requirement of the Customer Identification Program (CIP) Rule implementing Section 326 of the USA PATRIOT Act. The CIP Rule requires a bank (or credit union) to obtain taxpayer identification number (TIN) information from its customer (member) before opening an account. The exemption now permits a bank to use an alternative collection method to obtain TIN information from a third-party rather than from the customer.
Background
In 2003, FinCEN and the Agencies jointly issued regulations implementing Section 326 of the USA Patriot Act that requires banks to have a CIP. The CIP rule establishes minimum standards for identifying and verifying the identity of customers who open new accounts. We describe the requirements in The League’s ii Release No. 0159. The bank’s procedures must specify the customer identifying information that the bank will obtain from each customer prior to opening an account, including, the customer’s name, date of birth for an individual, address and identification number, which is a TIN for U.S. persons. Since the CIP rule was issued in 2003, the Agencies observed other ways that consumers access financial services, along with consumers reluctance to provide their full TIN due, in part, to data breaches and identity theft concerns. In addition, it is now a common practice for banks and other financial institutions to offer products and services through non-face-to-face means (e.g., mobile app or website). FinCEN states “Reliable alternative processes for verification — which allow the bank to form a reasonable belief that it knows the true identity of each customer — are more prevalent today than when the CIP Rule was issued, meaning there could be circumstances in which such processes produce an equivalent or more reliable outcome when banks are permitted the flexibility to change their method of TIN collection based on the bank’s assessment of the relevant risks.”
Back in March 2024, FinCEN issued a CIP Request for Information (CIP RFI) asking whether credit unions and other financial institutions should be allowed to collect just partial social security numbers before opening accounts for U.S. persons for CIP purposes. FinCEN and the Agencies considered comments received through the CIP RFI, along with other factors, in granting the exemption from one aspect of the CIP TIN collection requirements.
Exemption
The exemption described in this FinCEN Order “permits a bank (or credit union) to use an alternative collection method to obtain TIN information from a third-party rather than from the customer, provided that the bank otherwise complies with the CIP Rule, which requires written procedures that: (1) enable the bank to obtain TIN information prior to opening an account; (2) are based on the bank’s assessment of the relevant risks; and (3) are risk-based for the purpose of verifying the identity of each customer to the extent reasonable and practicable, enabling the bank to form a reasonable belief that it knows the true identity of each customer.
While FinCEN and the Agencies are not prescribing specific alternative processes for banks, such processes should take into consideration the purpose of the CIP Rule — to ensure the bank is able to form a reasonable belief that it knows the true identity of each customer — and the bank’s assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the various types of identifying information available, and the bank’s size, location, product and service offerings, and customer base.
This exemption does not change the overall purpose of the CIP Rule. Credit unions are still required to implement a CIP Program that includes risk-based verification procedures that enable them to form a reasonable belief that they know the true identity of their members. These requirements exist regardless of whether credit unions establish this relationship directly with the member or through an intermediary.
The use of this exemption is optional; banks and credit unions are not required to use an alternative collection method for TIN information. Meaning, credit unions can still choose to collect TIN information directly from members. The Acting Comptroller of the Currency issued this statement supporting the order saying “Importantly, this Order does not impose any new requirements, but instead has the potential to ease regulatory burden by allowing banks the choice to adopt new, innovative methods of CIP compliance, if the bank deems them to be beneficial for its business model.”
Credit Unions taking advantage of this exemption must continue to comply with all other regulatory requirements pursuant to the Bank Secrecy Act (BSA). In addition, if the credit union chooses to use an alternative TIN collection method, it will want to update its written CIP policy and procedures. You can find additional information on the BSA in The League’s ii Release No. 0071 and InfoSight360 – Compliance Topics – Bank Secrecy Act.