How to Ensure Your Policies and Workflow are up to the Challenge
The digital transformation of the banking sector has led to significant changes in how financial institutions operate and interact with their customers. Yet, it has taken more than 20 years for the Customer Identification Program (CIP) rule, established in 2003 under the USA PATRIOT Act, to finally adapt.
On June 27, 2025, FinCEN and other agencies announced a new exemption. Banks can now source taxpayer identification numbers (TINs), such as a Social Security number or employer identification number, from trusted third parties not just directly from customers.
Why this change matters
Customers are increasingly reluctant to share sensitive information like a TIN digitally due to concern over identity theft and data breaches. With 77% of new accounts opened online or via mobile, the exemption reduces onboarding friction and abandonment rates by allowing banks to collect TINs (in full or in part) from credit bureaus or other providers while maintaining compliance.
Crucially, the exemption to the CIP rule does not change what is required; it simply offers flexibility regarding who can provide the information – the customer or a third-party.
Although the exemption is a welcome development, it can be a double-edged sword. On one hand, it enables banks to improve customer experience, which is a key competitive advantage in a digital-first marketplace. But it also introduces new vectors for operational risk and potential regulatory scrutiny. The bank’s internal policies and procedures need to be updated to account for a host of new scenarios and workflow issues while maintaining compliance.
Practical considerations
Banks that choose to take advantage of the flexibility the CIP rule exemption provides should look at the onboarding process in its entirety. This includes determining if the process should differ for in-person versus online applicants and whether additional forms of identification (e.g., driver’s license, passport) should be routinely collected to supplement the verification process and third-party TIN data. Additionally, banks should establish a risk-based approach built around the following key elements:
- Strong controls for data sourcing and vendor management: Evaluate the risks associated with third-party TIN sourcing, including data accuracy, provider reliability, security, and potential for identity fraud.
- Enhanced due diligence to strengthen identity verification: Collect additional data points, such as the last four digits of the Social Security number or a copy of a government-issued ID, to strengthen identity verification and improve match rates. The more comprehensive the dataset, the higher the likelihood of accurate verification.
- Clear decision, escalation and exception-handling procedures: Document the decision process, identify when and how third-party TIN data will be used, update existing protocols, and revise workflow to address new scenarios.
- Ongoing staff training: Educate front-line personnel and compliance teams on the updated policies and procedures, potential red flags, and workflow changes to ensure consistent decisions and prevent gaps in compliance.
- Continuous monitoring and reporting: Implement metrics to track the impact of the CIP rule exemption on account opening, verification, and incident rates, including false positives and manual reviews. Adjust procedures as necessary based on findings and changes to policies and emerging threats.
Although the CIP rule exemption provides flexibility, it does not relieve a bank of its fundamental responsibilities under the Bank Secrecy Act (BSA) and anti-money laundering (AML) regulations. Ultimate accountability for customer identity verification remains with the institution, regardless of who provides the TIN.
Moving forward
The June 2025 CIP rule exemption marks a significant evolution in the regulatory landscape for U.S. banks, reflecting the realities of digital transformation and the need for flexible, customer-centric solutions. By allowing third-party sourcing of TINs, regulators have provided banks with new tools to streamline onboarding, reduce application abandonment, and enhance operational efficiency.
However, with greater flexibility comes greater responsibility. Banks must carefully update their policies, procedures, and technology to address the new risks and workflow challenges, ensuring that their compliance programs remain effective and resilient. The exemption is not a relaxation of standards, but a pragmatic adaptation that reflects the realities of a changing landscape and that requires continued commitment to the core principles of customer due diligence and financial crime prevention.
Digital banks and similar financial providers that are further along the technology curve are poised to move quickly to take advantage of the CIP rule exemption. Large, traditional banks will likely need more time to adapt as they must update policies and procedures tied to complicated workflows and an older technology infrastructure. Small local banks and credit unions may be among the last to jump on the CIP rule exemption bandwagon.
Regardless of size or where a financial provider sits on the digital spectrum embracing the opportunities presented by the CIP rule exemption must be done with transparency and a proactive approach to risk management. By striking the right balance, banks can meet compliance obligations and drive additional revenue while delivering a secure, seamless customer experience.
Contact us to learn how our advanced technology and award-winning data can help you improve identity verification, streamline onboarding, prevent fraud, and ensure compliance.