Today, Congresswoman Maxine Waters (D-CA), the top Democrat on the House Financial Services Committee, sent a letter to financial regulators, including the U.S. Treasury Department, National Credit Union Association, Federal Deposit Insurance Corporation, Financial Crimes Enforcement Network (FinCEN), the Office of the Comptroller of the Currency, and the Federal Reserve. In the letter, Congresswoman Waters urges regulators to modernize the Customer Identification Program (CIP) rules to better reflect advancements in technology and address data privacy concerns. CIP rules were created in 2003 for financial institutions to protect against fraud and other criminal activity by collecting verifying information surrounding the identity of customers prior to doing business.

This letter follows the March 29, 2024, Request For Information (RFI) issued by the Financial Crimes Enforcement Network and other regulatory bodies to gather public feedback on modernizing CIP mandates. As Congresswoman Waters emphasizes, the RFI, which received 153 comments, underscores the need for updated regulations that align with modern banking practices and technologies. Currently, CIP rules require banks to collect a customer’s full nine-digit Social Security Number (SSN) for identity verification. However, financial institutions have access to advanced tools that can verify a customer’s identity using only partial SSNs combined with other data points.

“In light of these data breaches, cybersecurity and data privacy experts have urged companies and policymakers to prioritize data minimization to ensure businesses are only collecting the data they need to provide a product or service. Moreover, as the RFI notes, the current CIP rules already allow flexibility for credit card companies to collect only four digits of a customer’s SSN when the company uses third-party identification tools, and it seems prudent to consider formally expanding that flexibility to applications for other financial services and products,” wrote Congresswoman Waters. “Accordingly, I ask that your Agencies consider issuing a new Frequently Asked Questions (“FAQs”), a change to the Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act/Anti-Money Laundering Manual, and/or other administrative improvements to reflect these modern technologies and concerns. Specifically, I request that your Agencies allow banks the option to comply with CIP Rules by the collection of a customer’s partial SSN directly from the applicant when the banks use other appropriate tools to ensure proper identification.”

See the full letter here and below.

Dear Secretary Yellen, Director Gacki, Chairman Gruenberg, Chairman Harper, Acting Comptroller Hsu, and Chairman Powell: 

I write today in response to the March 29, 2024, Request for Information (“RFI”) and Comment on Customer Identification Program Rule Taxpayer Identification Number Collection Requirement, issued by the Financial Crimes Enforcement Network (FinCEN), in consultation with the Office of the Comptroller of the Currency, the Federal Deposit Insurance Corporation, the National Credit Union Administration, and the Board of Governors of the Federal Reserve System. I was pleased to see this solicitation of perspectives from the public, including industry and consumer advocates, on the potential modernization of Customer Identification Program (“CIP”) mandates related to the rule’s requirements for complying financial institutions (“banks”). In light of changes to both the business of banking and the technologies and analytic capabilities available to banks that have been developed since the 2003 issuance of 31 CFR 1020.220 (“CIP Rule”)^[1] and given concern about the security of consumers’ personal data,^[2] this RFI is timely and needed.  The 153 comments that the RFI received are demonstrative of that need.

As discussed in the RFI, per statute and designed to protect our nation’s security,^[3] under the CIP Rule, banks are required to implement a CIP that includes risk-based verification procedures that enable the bank to form a reasonable belief that it knows the true identity of its customers. These procedures must specify what identifying information the bank will collect from each customer, prior to establishing an account. The minimum information under CIP includes a customer’s name, date of birth, address, and identification number (for U.S. persons, typically, a social security number [“SSN”]). The CIP procedures must also contain risk-based procedures for verifying the identity of the customer through documentary or nondocumentary methods.

In order to accomplish this, the rule currently requires that:

[t]he bank must obtain, at a minimum, the following information from the customer prior to opening an account:

(1)  Name;

(2)  Date of birth, for an individual;

(3)  Address, which shall be:

(i)         For an individual, a residential or business street address;

(ii)       For an individual who does not have a residential or business street address, an Army Post Office (APO) or Fleet Post Office (FPO) box number, or the residential or business street address of next of kin or of another contact individual; or

(iii)     For a person other than an individual (such as a corporation, partnership, or trust), a principal place of business, local office, or other physical location; and

(4)  Identification number, which shall be:

(i)         For a U.S. person, a taxpayer identification number; or

(ii)       For a non-U.S. person, one or more of the following: A taxpayer identification number; passport number and country of issuance; alien identification card number; or number and country of issuance of any other government-issued document evidencing nationality or residence and bearing a photograph or similar safeguard.^[4]

The RFI addresses the CIP rule’s requirement to collect a taxpayer identification number, most often the SSN for U.S. persons. Currently, examiners interpret the rule to mean that the full nine-digit number must be collected from the customer; banks report that this is increasingly an issue raised related to their exams. This was reasonable when the CIP rule was issued 20 years ago, but today, using advanced identification tools, financial institutions have other means of leveraging minimally collected information to enhance their reasonable belief of the customer’s true identity. For example, a bank might collect only the last four digits of a customer’s SSN as part of an online application, and using address, date of birth, and other publicly available information, it can obtain the first five digits through third-party identification tools. Such tools can also allow for cross-referencing of customer information to analyze email addresses, phone numbers, and internet protocol (“IP”) address location to discern and verify a customer’s identity. Banks may use multifactor authentication (e.g., emailing a code to a provided email address) to support this process, as well. With the advent of online banking and online applications for credit and accounts, these tools may be an important and useful part of a bank’s CIP. 

Further, while new technology is available to help banks, it is also available to help those who would target institutions to steal customers’ personally identifiable information. This includes the SSNs of customers, collected to fulfill the CIP rule requirements. Banks report a growing reluctance of consumers to offer their full nine-digit SSN due to the risks associated with identity theft and data breaches in order to obtain credit and other banking services.^[5] For example, in 2017, Equifax experienced one of the largest data breaches, exposing SSN and other sensitive personal data of 147 million individuals.^[6] In 2021, more than 100 companies, including Morgan Stanley and Flagstar Bank, were hacked and had customer SSN and other sensitive data stolen.^[7] In 2022, Flagstar Bank was hacked again and had 1.5 million customer SSN data stolen.^[8] 

In light of these data breaches, cybersecurity and data privacy experts have urged companies and policymakers to prioritize data minimization to ensure businesses are only collecting the data they need to provide a product or service.⁹ Moreover, as the RFI notes, the current CIP rules already allow flexibility for credit card companies to collect only four digits of a customer’s SSN when the company uses third-party identification tools, and it seems prudent to consider formally expanding that flexibility to applications for other financial services and products. 

Accordingly, I ask that your Agencies consider issuing a new Frequently Asked Questions (“FAQs”), a change to the Federal Financial Institutions Examination Council (FFIEC) Bank Secrecy Act/Anti-Money Laundering Manual, and/or other administrative improvements to reflect these modern technologies and concerns. Specifically, I request that your Agencies allow banks the option to comply with CIP Rules by the collection of a customer’s partial SSN directly from the applicant when the banks use other appropriate tools to ensure proper identification.

Sincerely,

MAXINE WATERS

Ranking Member

Committee on Financial Services

###