A New Rule Embraces Modernity in the Customer Identification Process
Wednesday, July 9, 2025

Financial institutions across the United States have grappled with compliance requirements under the Customer Identification Program (CIP) Rule for more than two decades. A new exemption, approved in June 2025, promises flexibility for banks and fintech companies. The exemption allows certain financial institutions to collect a taxpayer identification number (TIN) from a reliable third-party source rather than obtaining it directly from the individual customer before an account is opened, provided other regulatory safeguards remain in place. Although still grounded in the Bank Secrecy Act (BSA) and USA PATRIOT Act mandates, this new approach marks a significant step forward in modernizing anti-money laundering (AML) compliance.

The Foundation: The Original CIP Rule

Enacted in response to growing concerns around money laundering and terrorist financing, the CIP Rule was introduced in 2003 as part of a broader anti-money laundering framework. Banks and other financial institutions were required to adopt written policies advocating a risk-based system for verifying the identity of anyone seeking to open an account. Under the old regime, a core data element was the customer’s TIN — for U.S. persons, typically a Social Security number. Generally, institutions had to collect the TIN directly from customers before allowing the account relationship to proceed, except in certain narrowly defined scenarios (most notably credit card applications).

Over the years, the CIP Rule significantly reduced anonymity in financial transactions, ensuring financial institutions could develop a “reasonable belief” of a customer’s identity. Still, the rule’s direct TIN collection requirement has proven challenging in an era of remote applications and evolving consumer habits. Generally, customers have grown increasingly wary of sharing full Social Security numbers through online platforms, even as they demand convenience and speed in opening new accounts.

Why the Amendment Matters Now

Technological innovation has made it more convenient than ever to open accounts online or via mobile devices, often without any in-person meeting. Banks and fintechs frequently rely on advanced verification methods, such as digital identity solutions or alternative data sources, to confirm a user’s identity. At the same time, consumer data breaches and identity theft scenarios have made individuals extremely cautious about sharing sensitive personally identifiable information.

In response to these tensions, financial regulatory bodies recognized that strict, direct-from-customer TIN collection was not always the most secure or efficient arrangement. Although banks still need to confirm customer identity with the highest level of rigor, they now have access to powerful third-party tools, such as trusted consumer reporting agencies, public databases, or other identity verification vendors, that can validate a potential customer’s TIN and other personal data without the customer manually providing all nine digits. By granting an exemption so that banks can rely on these reputable third-party sources, regulators have fused established risk-based principles with modern technological realities.

Key Elements of the New Exemption

The new exemption offers crucial flexibility to banks subject to federal jurisdiction under the FDIC, the Office of the Comptroller of the Currency (OCC), and the National Credit Union Administration (NCUA). Although the exemption relieves them of having to obtain the TIN directly from the customer, three major conditions still apply:

  • TIN Must Be Obtained Before Opening an Account
    Even under the exemption, the TIN still must be on file before the account is officially opened. The difference here is that banks can now source that TIN from a trusted third party — whether that’s a credit bureau, identity verification service, or some other vetted entity.
  • Risk-Based Written Procedures
    Banks cannot simply stop collecting essential data. They must supplement this exemption with written procedures reflecting a thoughtful, risk-based approach to account opening. In other words, the bank’s CIP must hold up under scrutiny, demonstrating that the institution can form a reasonable belief of each customer’s identity. This extends to addressing relevant risks associated with the types of accounts offered, the bank’s specific operational structure, and the various methods of opening accounts.
  • Consistency with Other CIP Requirements
    The new exemption does not diminish overarching CIP obligations. The institution is still required to verify identities through robust, documented procedures — whether those are documentary (e.g., matching driver’s license information) or non-documentary (e.g., cross-referencing a customer’s personal data with a known database). Banks must therefore integrate their new sourcing practices for TIN collection into broader CIP controls.

Impacts on Banks and Fintech Providers

  • Reduced Onboarding Friction – By no longer demanding that customers manually divulge all nine digits of their TIN, institutions can streamline account set-up and reduce drop-off during the application process. This can translate into improved customer satisfaction, which is critical in the increasingly competitive digital banking environment.
  • Enhanced Data Security – Data breaches centered on Social Security numbers remain an acute threat. The new exemption allows banks to rely on specialized third-party data security practices for TIN retrieval. When effectively managed, this may reduce direct exposure to full TIN data, lowering institutional risk.
  • Risk Management Emphasis – With more latitude comes the need for more vigilant risk management. Banks must demonstrate that alternative TIN-collection processes do not compromise identity verification. They should expect heightened scrutiny from regulators to ensure robust CIP policies remain intact.
  • Opportunity for Deeper Collaboration – The exemption can further open doors for fintechs partnering with banks to onboard customers. Fintech companies, known for innovative identity verification tools, can offer their platforms as third-party solutions for TIN retrieval and verification. This synergy can speed up new account openings and provide a smoother user experience.
  • Competitive Advantage – Those fintech solutions that employ cutting-edge identity verification techniques are poised to become indispensable partners. This may help fintechs scale their services faster and foster stronger relationships with banks looking for highly efficient and secure paths to onboard new customers.

How to Capitalize on the New Exemption

This new approach underscores that banking compliance no longer relies solely on rigid, one-size-fits-all data collection. Instead, institutions can tailor a risk-based approach, adopting advanced digital verification tools that meet or exceed older, more manual processes. In effect, the CIP Rule’s foundation remains intact, but it is updated to incorporate the reality of high-tech, remote-driven financial interactions. Institutions that thoughtfully embrace the exemption will be at a competitive advantage, but they must consider the following:

  • Reevaluate Existing CIP Procedures – Institutions should conduct a thorough internal assessment of their current CIP framework to identify how third-party TIN collection can efficiently slot into existing protocols. The updated procedures should remain risk-based, thoroughly documented, and reserved for account relationships where it makes sense.
  • Partner with Trusted Verification Providers – Identify reputable vendors or technology solutions capable of securely retrieving, storing, and verifying TIN data. Banks should ensure these third parties maintain rigorous security standards to mitigate potential data breaches.
  • Enhance Staff Training – Both compliance and customer-facing teams must understand the changes to CIP obligations. Employees need to be conversant with new processes to ensure consistent and compliant implementation.
  • Monitor and Audit Regularly – Just like before, regulators will expect periodic testing and auditing to ensure a bank can confidently say it “knows its customer.” A shift in the manner of TIN collection does not diminish the importance of continuous oversight.
  • Stay Engaged with Regulators – Open lines of communication with the FDIC, OCC, or NCUA (as applicable) may reveal best practices or early signals that an institution’s approach to the exemption requires adjustment.

Conclusion

The new CIP exemption acknowledges that strong consumer protections and thorough identity verification remain critical, particularly in an environment marked by sophisticated cyber threats. Yet at the same time, regulators are encouraging banks to harness all available technologies — many of which have matured significantly in recent years — to streamline data-sharing processes and keep customers’ most sensitive details secure. Financial institutions that are positioned to take advantage of third-party CIP screening while maintaining a risk-based BSA/AML program to the satisfaction of their regulators will reduce administrative friction and stand out in a crowded market.
