Key Points
- On June 27, 2025, the Federal Deposit Insurance Corporation (FDIC), the Office of Comptroller of the Currency (OCC) and the National Credit Union Administration (NCUA) exempted supervised banks and credit unions from the Customer Identification Program (CIP) Rule requiring them to collect full taxpayer identification numbers (TINs) directly from customers prior to opening an account.
- This mirrors an existing exemption for credit cards and will allow institutions to streamline their onboarding experience for customers establishing accounts online or through fintech partnerships, where the requirement to collect full TINs had created customer acquisition problems.
- Institutions using this exemption must still comply with procedures under the existing CIP Rule, including implementing risk-based written procedures to ensure they have a reasonable belief about a customer’s identity.
Background: Responding to a Digital Reality
Since 2003, the CIP Rule has required banks to collect specific identifying information from customers opening new accounts. This included collecting a customer’s full, nine-digit Social Security number (SSN) directly from the customer. Importantly, an exception for customers opening a credit card account allowed the collection of only the last four digits of their SSN, which the bank would then use to confirm the remaining five digits with a trusted third party, such as a credit bureau. The CIP Rule included this exception in recognition of the fact that, at the time the CIP Rule was adopted in 2003, while most transaction accounts were opened in person at bank branches, credit card accounts were commonly opened over the phone or at a checkout counters in a retail store, where providing a full SSN could raise privacy and security concerns.
Customers now interact with banks — and with financial service providers more generally — much differently than they did in 2003. Remote onboarding through a bank’s own digital channels or at a digital or physical point of sale is the norm, not the exception, and additional means of identity verification that offer reliable alternatives to collecting nine-digit SSNs from customers are readily available and commonly used. Cybersecurity risks have also increased, making it riskier to provide a full SSN due to the potential for identity theft and data breaches. Customers, correspondingly, have become more attuned to that risk, creating friction in online transactions that require the provision of a full SSN.
Leading policymakers, including the ranking member of the House Financial Services Committee, Rep. Maxine Waters, and trade associations, have urged federal regulators to respond by granting an exception to the CIP Rule to allow banks to use the same process for general account onboarding as they use for credit card accounts. Advocates argued that collecting partial SSNs can be more secure and practical for both banks and customers. The new exemption effectively grants that request for banks and credit unions primarily supervised by the FDIC, OCC or NCUA. The U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN) concurred in the exemption.
What the Exemption Does
The new exemption authorizes banks and credit unions supervised by the FDIC, OCC or NCUA to use alternative collection methods for TINs, provided they meet three key conditions:
- TINs must still be collected before account opening. Institutions must obtain the full TIN from a reliable third-party source before opening a customer account.
- Procedures must be written and risk-based. Institutions must incorporate the alternative collection method into their written CIP policies. These procedures must be based on the institution’s assessment of relevant risks, including the method of account opening (e.g., online, in person), the types of accounts offered and the demographics of the institution’s customer base.
- Identity must still be verified to a reasonable degree. Institutions must form a reasonable belief that they know the true identity of the customer. The exemption does not relax this standard. Rather, it gives institutions more flexibility in how they meet it.
Importantly, the exemption applies broadly to all types of accounts and is not limited to credit products or specific channels. However, it is only available to institutions primarily supervised at the federal level by the OCC, FDIC or NCUA. State member banks supervised by the Federal Reserve remain subject to a formal requirement to collect all nine digits of a customer’s SSN directly from the customer.
Why Does the Exemption Matter? Streamlining and Strengthening Customer Identification Programs Going Forward
Banks should view this regulatory development as a strategic catalyst, not just as a compliance tweak. By embracing third-party TIN collection:
- Institutions can modernize customer onboarding and better align with digital user expectations and remove historic barriers to opening new accounts.
- Fintechs can reduce onboarding friction and extend access to underserved markets, boosting competitiveness and reach.
- Banks of all sizes can reduce cybersecurity exposure related to the direct collection and storage of sensitive customer information.
Moreover, the exemption signals a broader openness to innovation on the part of bank regulators. It demonstrates that agencies are willing to rethink legacy frameworks when warranted by technological and behavioral change.
What’s Next? Modernizing BSA/AML Compliance
Most federally supervised institutions now have a formal, flexible path to collect TINs through trusted third-party sources while maintaining compliance with the CIP Rule. Banks that adopt this exemption thoughtfully and strategically will be well-positioned to enhance customer service, strengthen data security and remain competitive in an increasingly digital market.
Banks and financial technology firms should continue to closely monitor regulatory efforts in this area, proactively assess their internal readiness to capitalize on opportunities offered by a more modern AML/CFT framework, and engage with key stakeholders and advisers.
This memorandum is provided by Skadden, Arps, Slate, Meagher & Flom LLP and its affiliates for educational and informational purposes only and is not intended and should not be construed as legal advice. This memorandum is considered advertising under applicable state laws.