Recently, Treasury’s Financial Crimes Enforcement Network (“FinCEN”) released a request for information regarding the collection of a customer’s full social security number (SSN) at account opening. The RFI asks for feedback on the risks, benefits, and potential safeguards of permitting only partial collection of the SSN and allowing a bank to access the remainder from a third-party source. Notably, accompanying this release was a reminder from both FinCEN and the Federal Deposit Insurance Corporation (“FDIC”) that the requirement to collect the whole SSN from a customer “exist[s] regardless of whether the bank establishes this relationship directly with the customer or through an intermediary.”
This notice has caused substantial discussion in the fintech industry. That’s because, for the first time, banking regulators expressly stated their expectations for the collection of SSNs in the context of bank-fintech partnerships, despite previously accepting the risk-based last four collection practice in certain instances. As FinCEN acknowledges, there have been substantial innovations in bank-fintech partnerships, but there has also been a lack of clarity and consistency regarding requirements around collecting the full nine digits of an SSN directly from the customer versus only collecting the last four and using a reputable third-party source for the rest. FinCEN and the FDIC’s releases endeavor to address this but ultimately provide guidance that contradicts the legal direction some entities have received.
In an age when data security concerns are paramount, manually collecting the whole SSN from a consumer versus the last four digits (and leveraging a third party to obtain the rest) introduces risk, friction into the account verification process, and can act as a potential deterrent to people accessing technology-driven financial services. More broadly, this debate reveals how out-of-date the U.S. identity system is and demonstrates how technology can move the needle and increase financial inclusion. Instead of relying on analog ID attributes like the SSN, a better path forward would be to create a regulatory framework for identity verification that allows for the broad use of technology. Embracing technology-driven identification methods would also protect consumers, given the common but unfortunate reality that Americans’ SSNs are routinely compromised.
Dive In: The History of the Customer Identification Program Rule
First, it’s important to acknowledge the history of this requirement. Section 326 of the USA PATRIOT Act requires the Treasury Secretary to promulgate regulations to establish “minimum standards” for financial institutions to identify a customer at account opening. The statute notably states that these regulations, for entities engaged in financial activities covered by Section 4(k) of the Bank Holding Company Act, “shall be prescribed jointly” with the relevant federal regulator. Provisions were also included in the statute to facilitate exemptions from any rule.
In 2003, the customer identification program (CIP) rule was released and applied to banks, broker-dealers, credit unions, and other entities. When it was finalized, the rule was based on the practice, at the time, of customers physically going into a bank to open an account, except for credit card accounts where third-party sources could be used to obtain identifying information. That logic does not reflect the reality today, when nearly nine in ten Americans use a fintech app, and most people expect to manage their finances online.
Notably, money service businesses and certain other BSA-covered entities are not directly covered by the rule, though they are generally required to identify and verify their customers under their own AML regulations. Traditionally, these firms have taken more digitally forward approaches, notably collecting the last four digits of an SSN from a customer and using a third party to obtain the remainder, which can reduce data security risks.
Over the years, the banking agencies have issued exemptions to the CIP rule – most recently relating to premium finance lending and allowing one undisclosed institution, in particular circumstances, to collect the last four digits of an SSN and obtain the rest from a third-party source. In its September 2020 advanced notice of proposed rulemaking, FinCEN also stated that one of the many recommendations from the Bank Secrecy Act Advisory Group’s AML Effectiveness Working Group was to consider “steps that financial institutions could take to better use responsible innovation in meeting CIP requirements—such as third-party software and service providers.”
Perhaps most notably, in drafting the Corporate Transparency Act, Congress refrained from requiring the provision of SSNs as identifying information for beneficial owners but instead specified the collection of “unique identifying numbers,” among other things.
What’s Next: Evolving Rules for the Digital Landscape
As financial services migrate to a digital-centric approach, our rules need to evolve accordingly. While FinCEN’s RFI is a good first step, more can be done to align customer identification requirements with the illicit finance risks stemming from innovative products and services, as well as the technological advances in identity verification.
- First, we need to migrate customer identification and verification requirements to a more flexible, principles-based framework that is less prescriptive and leaves room for technological innovations that can reduce customer friction while enhancing privacy.
- Second, to provide the clarity needed for banks and credit unions that partner with fintechs, at least five different regulators will have to agree. Federal regulators must make any changes jointly, and they also need to be durable to meet the challenges of the evolving technology-driven customer identification and verification landscape.
Financial technology has unlocked countless benefits for the U.S. economy, putting affordable, transparent, and easy-to-use tools in the hands of American consumers and businesses. However, industry now has the ability to lead the way in creating a vision for the future of customer identification that leverages the latest technologies while also carving a path for enhanced financial inclusion.
Angelena Bradfield leads policy and government relations at the Financial Technology Association, a trade association representing fintech industry leaders.