On March 28, 2024, the Financial Crimes Enforcement Network (FinCEN), in consultation with the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Board of Governors of the Federal Reserve System, issued a request for information (RFI).
The RFI seeks information and comment regarding the Customer Identification Program (CIP) Rule requirement that banks collect a full Social Security number (SSN) prior to account opening from a customer who is an individual and a U.S. person (SSN collection requirement). Specifically, in a press release announcing the RFI, FinCEN stated that it intends to use any information gathered “to evaluate the risks, benefits, and safeguards” if banks were allowed to collect partial SSN information from the customer and use a third-party source to obtain the full SSN.
In issuing the RFI, FinCEN recognizes the significant advances in customer identifying information collection and verification tools available to banks and other financial institutions since the adoption of the CIP Rule. FinCEN also recognizes that current technology has identified more customer identifying attributes – including email addresses, geolocation, and internet protocol (IP) address locations – that banks may collect that could be used as part of a bank’s risk-based customer verification procedures.
Even with these advancements, however, FinCEN remains concerned that permitting partial SSN collection could result in increased fraud. By way of example, it notes that failing to obtain full SSNs could result in increased identity theft. And additional risks – including impeding law enforcement investigative efforts in obtaining accurate customer identifying information – may arise if third-party sources obtain inaccurate SSNs.
For these reasons, FinCEN is seeking information and comment in order to determine the potential risks and benefits of more closely aligning data collection components of the CIP Rule to advancements in the modern digital banking environment. To that end, FinCEN includes in the RFI a host of suggested topics for commenters, including:
- Should banks be permitted to collect part or all of a customer’s SSN and/or other customer identifying information required by the CIP Rule from a third-party source prior to account opening?
- What would be the risks and benefits of permitting partial SSN collection and what safeguards would need to be in place?
- What due diligence would a bank conduct before contracting with a third-party source for SSN collection, and what ongoing due diligence and monitoring of the third-party would it conduct?
- Does the current SSN collection requirement impact a customer’s ability to access financial products and services?
- What type of changes to the SSN collection requirement would improve the risk-based nature of a financial institution’s AML program?
- What factors and consideration may be necessary to identify, assess, and mitigate any risks associated with new technologies or innovative approaches to the SSN collection requirement?
- Do financial institutions use a combination of documentary and non-documentary methods to verify the identity of its customers, or do financial institutions rely solely on one of the two methods?
- Describe the processes and technologies used by financial institutions when obtaining and verifying partial and/or full customer identifying information as it pertains to various delivery channels (such as telephonic, mobile, and point-of-sale).
- What are the competitive advantages and disadvantages between banks that are required to collect the full SSN from the customer and those non-banks that collect a partial SSN from the customer and then use a third-party source to obtain the customer’s full SSN?
FinCEN strongly encourages all interested parties to submit written comments as it “explore[s] ways to modernize the U.S. anti-money laundering/countering the financing of terrorism regime.” Comments must be received on or before May 28, 2024.