FinCEN Seeks To Expand Reach of the BSA and Modernize Customer Identification Regulations

Skadden Publication

Mark Chorazak Adam J. Cohen Alessio D. Evangelista Eytan J. Fisch Khalil N. Maalouf Alyssa R. Domino Joe Sandman

The U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) has recently taken steps to expand the reach of the Bank Secrecy Act (BSA) and related customer identification regulations. These steps build on FinCEN’s efforts to modernize the anti-money laundering and countering the financing of terrorism (AML/CFT) framework in the United States.

Specifically, FinCEN has issued notices of proposed rulemaking that would require:

  • Securities and Exchange Commission (SEC)-registered investment advisers (RIAs) and exempt reporting advisers (ERAs) to establish, document and maintain written customer identification programs (CIPs).
  • Certain professionals involved in real estate closings and settlements to report information to FinCEN about non-financed transfers of residential real estate to legal entities or trusts.

FinCEN also issued a request for information related to existing requirements for banks under its CIP-related regulation to collect a taxpayer identification number from a customer prior to opening an account.

While the notices of proposed rulemaking show that FinCEN is expanding its regulatory footprint to cover additional institutions not previously subject to BSA regulation, the request for information suggests that FinCEN may take a more pragmatic approach to certain requirements as industries develop and technological capabilities expand.

Proposed New Requirements for Registered Investment Advisers and Exempt Reporting Advisers

On May 13, 2024, FinCEN and the SEC jointly proposed a new rule that would require RIAs and ERAs to establish, document and maintain written CIPs. The proposed rule would complement a separate FinCEN proposal to designate RIAs and ERAs as “financial institutions” under the BSA, which would subject them to comprehensive AML program requirements and suspicious activity report (SAR) filing obligations.

This is not the first time that FinCEN has sought to impose AML requirements on investment advisers. In 2002 and 2003, FinCEN proposed rules covering them, but in 2008, FinCEN withdrew those, reasoning in part that the activities of these industry actors were not entirely outside of the BSA framework because they, and their clients, hold their assets at, and conduct their financial transactions through, financial institutions that are subject to BSA program requirements.

Under the new proposed rule, RIAs and ERAs would be required to implement reasonable procedures to identify and verify the identity of their customers, among other requirements, to form a reasonable belief that they know the true identity of their customers. FinCEN believes that the proposed rule would make it more difficult for criminal, corrupt or illicit actors to establish customer relationships with investment advisers in order to launder money, finance terrorism or engage in other illicit finance activity.

Many RIAs are already subject to AML program requirements, including CIP requirements and SAR filing obligations because they also operate as broker-dealers or other covered financial institutions. However, for RIAs that are not currently subject to these requirements, the proposed rule — along with FinCEN’s separate proposal to designate RIAs and ERAs as “financial institutions” — could create a new burden, including on many small businesses that operate as RIAs. While these developments were long expected, they remain controversial.

The comment period for the proposed rule closes on July 22, 2024. The comment period for FinCEN’s proposal to designate RIAs and ERAs as “financial institutions” closed on April 15, 2024.

Proposed New Requirements for Non-Financed Transfers of Residential Real Estate

On February 7, 2024, FinCEN proposed a new rule that would require certain professionals involved in real estate closings and settlements to report information to FinCEN about non-financed transfers of residential real estate to legal entities or trusts. While the BSA requires “persons involved in real estate closings and settlements” to maintain AML programs, FinCEN has long exempted such persons from comprehensive regulation under the BSA. Instead, FinCEN has employed risk-based measures, such as the “geographic targeting orders” that FinCEN has issued since 2016 focusing on specific U.S. real estate markets. The proposed rule, however, would apply to non-financed transfers of residential real estate nationwide.

Under the proposed rule, certain persons involved in real estate closings and settlements would be required to file, and to maintain a record of, a report with FinCEN that would identify:

  • The reporting person
  • The legal entity or trust to which the residential real property is transferred.
  • The beneficial owners of the transferee entity or transferee trust.
  • The transferor.
  • The property being transferred.
  • Certain transactional information about the transfer.

The proposed rule would designate only one reporting person for any reportable transfer, identified either by way of a “cascading” reporting order or by way of a written agreement between the real estate professionals described in the cascading reporting order. In the absence of a written agreement, the reporting obligation is on the highest business in the cascade, unless there is no such business involved in the transaction, in which case the reporting obligation shifts down one level. The proposed cascade is:

  1. The real estate professionals providing certain settlement services (i.e., a closing or settlement agent).
  2. The person that underwrites an owner’s title insurance policy for the transferee.
  3. The person that disburses the greatest amount of funds in connection with the reportable transfer.
  4. The person that prepares an evaluation of the title status.
  5. The person who prepares the deed.

For the purposes of this new reporting requirement, FinCEN is relying on its authority to impose SAR filing obligations on financial institutions, which it is choosing to exercise in a “streamlined” manner, without an accompanying AML program requirement. Given that the proposed criteria for the streamlined filing is known by all parties to the transfer, though, including those whose information will be collected and reported to FinCEN, FinCEN proposes to exempt reporting persons from the confidentiality provisions that would ordinarily apply to suspicious activity reporting.

FinCEN received over 600 comments on the proposed rule. The comment period closed on April 16, 2024.

Modernization of the CIP Rule

On March 29, 2024, FinCEN published a request for information and comment seeking information and comments to help it evaluate the risks, benefits and safeguards if banks were permitted to collect a partial social security number (SSN) from a customer and subsequently use reliable third-party sources to obtain the customer’s full SSN prior to account opening. FinCEN cited changes in technology and the financial services industry as some of the reasons that it is seeking comment.

As background, FinCEN issued regulations — collectively known as the CIP Rule — in 2003 to implement Section 326 of the USA PATRIOT Act. Among other requirements, the CIP Rule requires a bank, as part of its AML program, to implement a written CIP that contains identity verification procedures that enable the bank to form a reasonable belief that it knows the true identity of its customers.

Under the rule, banks must collect an identification number from each customer. For U.S. persons, the identification number is a taxpayer identification number, which for individuals is generally an SSN. FinCEN has indicated that banks must generally collect the full nine-digit SSN directly from the customer and emphasized that the CIP Rule generally does not provide for a bank collecting some or all of an individual’s SSN from a person other than the customer (e.g., a reliable third-party service provider).

Since its inception, though, the CIP Rule has not required banks to obtain full SSNs for credit card accounts. Customers opening credit card accounts only need to provide the last four digits of their SSNs, and banks are permitted to obtain the first five digits from a reliable third-party provider. Additionally, beyond credit card accounts, U.S. regulators have allowed institutions to collect from customers only the last four digits of their SSNs in certain situations, such as when the Office of the Comptroller of the Currency granted an exemption to a bank operating subsidiary via an interpretive letter dated November 16, 2020.

At the time the CIP Rule was adopted, customers typically opened bank accounts in person at branch locations, while customers often opened credit card accounts over the phone or at the checkout counter in a retail store, where providing a full SSN could raise privacy and security concerns.

The ways that customers interact with banks — and with financial service providers more generally — have changed considerably since 2003, and additional means of identity verification have become available that offer reliable alternatives to collecting nine-digit SSNs from customers. At the same time, customers have become more attuned to the risks of identity theft and reluctant to provide full SSNs, creating unnecessary friction in online transactions.

This call for comment is both a reminder that FinCEN takes the position that banks must generally collect full SSNs directly from customers to comply with the current CIP Rule and an opportunity for banks and fintech companies to signal to FinCEN that they would welcome a refresh to the rule.

More broadly, though, the request for information and comment signals an openness by FinCEN to reconsidering current requirements under the CIP Rule with respect to the collection of full nine-digit SSNs from customers. An update to the rule would provide helpful relief to fintech companies and others who partner with banks and have developed innovative ways to form a reasonable belief that they know the true identity of their customers.

The comment period closed on May 28, 2024.


FinCEN has become a more active regulator in recent years. FinCEN administers the new reporting requirements under the Corporate Transparency Act and is increasingly regulating entire classes of financial institutions that it had previously exempted under the BSA. See our January 31, 2024, client alert, “The Corporate Transparency Act Is Here and the New York LLC Transparency Act Is Coming.” These changes reflect growing concern within the U.S. government about money laundering and illicit finance, especially the impact of non-U.S. persons laundering the proceeds of crime through the U.S. financial system.

If issued, these proposed rules would impose substantial new compliance obligations on U.S. businesses. However, FinCEN’s apparent willingness to consider modernizing the CIP Rule shows that it is willing to update its rules to keep pace with changes in technology and business models.

This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.