By an exemption order dated June 27, 2025, federal prudential regulators have given banks and credit unions some welcomed flexibility when collecting an individual’s or entity’s taxpayer identification number (TIN) during account opening. Specifically, the order permits depository institutions regulated by the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency, and the National Credit Union Administration to collect TIN information from a third-party source rather than directly from the customer during account opening. For individuals, TIN information includes a social security number.
This small change to the rigid Customer Identification Program (CIP) rule gives depository institutions and their fintech partners more flexibility when designing their customer experiences for new and former customers. However, with more flexibility comes more considerations. Depository institutions will have to evaluate whether using an alternative method to collect TIN information is appropriate for a particular product and whether the source of the TIN information is reliable.
What has changed and what hasn’t
The June exemption order affects a narrow portion of the CIP rule—the requirement to collect TIN information directly from customers. All other portions of the CIP rule remain unaffected, including the requirements to collect other minimum information directly from a customer, to verify a person’s identity, and maintain records for these activities. Overall, the CIP rule continues to mandate that depository institutions form a reasonable belief that they know the true identity of each customer when opening an account for the customer.
Moreover, the exemption order emphasizes that the decision to use an alternative method to collect a customer’s TIN information from a third party should be risk-based and consistent with safety and soundness principles. The federal prudential regulators did not prescribe specific alternative processes that could be used. Depository institutions may choose an alternative method to collect TIN information for a customer but should conduct a risk assessment before using the method.
The order makes it clear that using an alternative method to collect TIN information is not required. Depository institutions could continue to collect TIN information directly from customers in the near or long term.
Next steps
Before taking advantage of the exemption order, depository institutions should evaluate whether relying on a third-party source for TIN information is appropriate for its various product offerings and which third-party source should be used for the information. Under the CIP rule, credit card issuers have long been able to use third-party sources to collect TIN information. While some lessons could be learned from credit card issuers, depository institutions should consider whether the approach used for credit cards is appropriate for other credit or non-credit bank products that are subject to the CIP rule. Another wildcard here may be how a depository institution’s examiner views relying on a third-party source for TIN information when offering a particular product.
CIP rule requirements are typically engrained into a depository institution’s policies, procedures, user experiences, and service provider agreements. Implementing a more flexible TIN information collection method may require document revisions, bank approvals, and technology builds. Once a depository institution has decided to use an alternative collection method, there could be a longer-than-anticipated timeline to implement the flexible collection requirement.
Contact us
If you have questions about the exemption order or would like to discuss the CIP rule more generally, please contact Susan Seaman, Luis Hidalgo, or your Husch Blackwell attorney.