On June 27, 2025, U.S. federal bank and credit union regulators issued an order, with the concurrence of the Financial Crimes Enforcement Network (FinCEN), granting an exemption from customer identification program (CIP) rules. Under the order, U.S. banks and credit unions are relieved from the requirement to collect taxpayer identification numbers (TINs) (e.g., Social Security numbers (SSNs), employer identification numbers (EINs), and individual taxpayer identification numbers (ITINs)) directly from customers at account opening. News releases by the Office of the Comptroller of the Currency (OCC) and other agencies generally touted the order as a reasonable exercise of regulatory flexibility that addresses customer privacy concerns without increasing fraud, money laundering, or bank safety and soundness risk.
Under CIP rules applicable since 2001, banks have generally been required to collect TINs in addition to names and other identifying information about customers seeking to open accounts.
Significantly, except in the case of credit card accounts, the account-opening institution has been required to obtain this information from the customer. The institution must then apply CIP procedures intended to use this information to verify the customer’s identity, which can include both documentary methods (such as comparison against the customer’s driver’s license or similar government-issued identification) and nondocumentary methods (such as comparison against information obtained from a consumer reporting agency (CRA)).
When the agencies and FinCEN jointly issued final CIP rules in 2003, they acknowledged industry concerns that the requirement to obtain this information from customers directly imposed an undue hardship on institutions in opening credit card accounts. Credit card issuers indicated that new customers were reluctant to provide their TIN information over the telephone and were typically not asked to do so in person. The regulators determined then that allowing banks to continue to rely on third-party sources, such as CRAs, for some of this information would be consistent with existing practices, which had, according to the regulators, “produced an efficient and effective means of extending credit with little risk that the lender does not know the identity of the borrower.”
The USA PATRIOT Act provisions implemented by the CIP rules (statutory authority that is part of what is generally referred to as the Bank Secrecy Act (BSA)) do not prescribe either the minimum information that banks must collect for verifying customer identities or the source of that information. The AML Act of 2020 specifically requires the agencies and FinCEN to review BSA regulations such as the CIP rules for those that may be outdated or that do not otherwise promote risk-based anti-money laundering compliance programs.
In 2024, FinCEN issued a request for information (RFI) soliciting feedback on the potential risks and benefits of permitting banks to obtain TINs from third-party sources instead of from customers as part of their CIP. Within both the RFI and the order, the regulators noted that significant technological changes had occurred within financial services since the CIP rules’ adoption in 2003, both in the ways that customers access such services and in how institutions deliver them. These changes reflect, among other things, innovations in available identity verification methods and tools.
As part of the RFI, the regulators also noted the increasing prevalence of bank partnerships with nonbanks and that these nonbank partners may not be directly subject to CIP or similar compliance requirements. This difference has both compliance and competitive implications for banks. The regulators also acknowledged the need, within the constraints of the existing BSA provisions that the CIP rules implement and other applicable law, to balance CIP requirements intended to prevent and detect fraud, money laundering, and other illegal activity, on the one hand, with bank burdens and customer privacy concerns implicated by account opening processes on the other. At this time FinCEN specifically requested public comment on allowing a bank to obtain partial TIN information from its customer (such as the last four digits of their SSN) and the customer’s full TIN from a third-party service provider.
The Order
The order provides an exemption from the CIP rule requirement for banks subject to the jurisdiction of the agencies (and certain bank subsidiaries) to obtain full TINs directly from the customer prior to opening an account.
The order permits banks, for all account types, to instead use an alternative collection method to obtain TIN information from a third-party source (such as a CRA), provided that the bank otherwise complies with CIP rules, which require written procedures that (1) enable the bank to obtain TIN information before opening an account; (2) are based on the bank’s assessment of the relevant risks; and (3) permit the bank to form a reasonable belief that it knows the true identity of each customer. The agencies stress that reliance on the exemption is optional; banks are not required to begin using an alternative TIN collection method. The order was effective immediately upon its publication, making the exemption it describes available immediately as well.
Basis for the Exemption
In issuing the order, the agencies relied on existing CIP rule authority allowing the bank regulators—with FinCEN’s concurrence—to exempt any entity subject to their supervision or type of account they may open from the rules’ requirements.
Ultimately, the agencies concluded that the risks associated with relaxing the CIP rules to permit banks to obtain TINs from third parties as described in the order did not outweigh the associated benefits. In particular, the agencies relied on (1) evidence of wide availability of alternative TIN collection methods; (2) an increase in electronic and other non-face-to-face account opening; and (3) the success of the existing credit card exemption. They also cited BSA legislative history for the proposition that these rules should not impose requirements that are burdensome, prohibitively expensive, or impractical.
While the agencies acknowledged fraud and identity theft risks associated with non-face-to-face account opening, they concluded that unauthorized TIN information exposure—from data breaches not specifically attributable to account opening or even to banks—has diminished the importance of the specific method of TIN collection used by banks for identity verification purposes. According to the agencies, this exposure has also contributed to consumer hesitancy to provide TINs at account opening. In light of this hesitancy and the increasing availability of alternative identity verification resources (including those using email address, geolocation, and internet protocol (IP) address location information), the agencies determined that the order provided meaningful regulatory relief consistent with safe and sound banking practices.
Risks Related to the Exemption and Other Considerations
The primary risk the agencies focused on within the order is that this exemption may result in weaker account opening processes and therefore increases in identity theft, fraud, and other illegal activity that the CIP rules are intended to prevent. In this regard, the agencies took care to reinforce not only that reliance on the exemption is optional but also that, to take advantage of it, institutions must still support their practices as part of a CIP program that reflects the bank’s assessment of the relevant risks and includes procedures enabling the bank to form a reasonable belief that it knows the true identity of each customer. The agencies asserted that the resulting banking practices will not be contrary to generally accepted standards of prudent banking operation or give rise to abnormal risk of loss or damage to an institution or its shareholders.
Public comments cited by the agencies also raised a concern that smaller institutions may not have the resources to implement third-party TIN collection methods or may be forced to increase fees or take other steps that negatively impact their customers or prospective customers (including the “unbanked”) to do so. The agencies did not specifically address this concern other than by reinforcing that implementation of these alternative methods is optional. Because the order was issued pursuant to existing rules, the agencies did not have to consider these concerns in the same way that they would have had to as part of regulation changes.
The agencies also did not address concerns raised by commenters about the intersection of CIP rule requirements and Internal Revenue Service (IRS) backup withholding requirements. Banks relying on the order to collect TINs from third-party sources may need to align these procedures with procedures used to satisfy these withholding rules. Under these requirements, banks are generally required to implement backup withholding on customer accounts for which the bank is a payer of income (such as interest) for IRS purposes if the customer fails to either furnish accurate TIN information to the bank or fails to certify, under penalties of perjury, that the TIN information furnished to the bank is correct.
Banks frequently satisfy these requirements by collecting a Form W-9 (or substitute W-9 in accordance with IRS rules) from their customers. While backup withholding requirements are distinct considerations and are not implicated by all account types, many banks have streamlined their account opening requirements to satisfy both sets of requirements concurrently (and to streamline future account opening processes, such as a customer’s opening of a non-interest-bearing account and subsequent addition of an interest-bearing account). Similarly, broker-dealers and certain other entities subject to CIP rule requirements are not subject to the order, and institutions deploying joint account opening processes (such as within an affiliate or referral program structure) will need to ensure that reliance on the order does not result in compliance gaps or poor customer experience outcomes.
Banks will also need to consider how reliance on the order could impact sanctions compliance (for example, to the extent that sanctions screening is conducted based on customer-provided information before the completion of CIP identity verification); compliance with other BSA rules (such as legal entity customer beneficial ownership rules or the so-called Travel Rule, under which separate TIN collection requirements apply that are arguably not impacted by the order); and compliance with the federal Fair Credit Reporting Act and similar state laws that may apply to various third-party identity verification services used to do so.
Finally, the order also may compel banks and their program managers or other fintech partners to put a finer point on who is considered the bank’s CIP “customer” for BSA purposes for a particular program or product and what information is required about them under their anti-money laundering programs and partnership terms. As noted in the RFI, CIP standards among these entities may vary, and the order may allow them to better align onboarding practices and deliver a better overall customer experience.