FinCEN’s CIP Exception Final Order

By: Heather Williams | Advisor, NEACH Payments Group

📰 The end of last week brought potential changes for BSA/AML programs from FinCEN’s perspective. Friday, FinCEN issued a Final Order providing financial institutions greater flexibility for collecting Tax ID Numbers (TINs) for compliance with CIP practices.


CIP practices were established in 2001 with the passage of the USA PATRIOT Act. A lot has changed within banking since 2001, and FinCEN is attempting to keep up with those changes. “This order reduces burden by providing banks with greater flexibility in determining how to fulfil their existing regulatory obligations without presenting a heightened risk of money laundering, terrorist financing, or other illicit finance activity,” stated FinCEN director Andrea Gacki. FinCEN, in coordination with the OCC, FDIC, and NCUA, issued an order that allows alternative collection methods to obtain a customer’s TIN for CIP purposes. This allows the FIs to comply with CIP requirements if they can form a reasonable belief that they know the true identity of each customer.


This new exception does not replace current CIP practices but allows for more flexibility in the banking space. The FIs must still maintain written procedures, base their practices on their unique assessments of relative risk, and be risk-based for verifying identities. What the exception allows is for financial institutions to utilize third party systems to collect TIN information, provided the remaining CIP requirements are met.


🚧 However, FIs should proceed with caution when determining if this new exception is something they want to pursue. Below are a few precautions you should consider before deciding to move forward with a third-party collection process.


1. While the new CIP exception is a step forward, FIs need to be aware that this exception conflicts with the IRS’s requirement to collect the full TIN directly from the taxpayer. The IRS does not allow the collection of the TIN from a third party. ⚖️


2. Core limitations for a large number of FIs mean that you may be restricted from implementing such an exception. For many FIs, a costly core conversion would be required to even be able to implement such an exception. 💰💵


3. Use of such an exception would require the FI to also have a process in place to reconcile the collection of the TINs to the customer’s TINs. In an age when a lot of FIs struggle to prove that their OFAC vendors are processing OFAC transactions correctly, consider the necessary processes to make sure your customers’ TINs are properly provided. 🕵️


4. Which leads to number 4: confirming the TINs are accurate is one thing, but also consider the Vendor Due Diligence required to make sure that your customer’s private data is protected properly. FIs have obligations to ensure their third parties have strong cybersecurity controls. If your third party has a data breach or failure, your FI could be left helping to hold the bag. 🛡️



FIs should also consider how their customers will feel about the use of such third parties. In the order, FinCEN discusses how consumers may be hesitant to provide their TINs to financial institutions. However, just how comfortable the general public feels about providing the last 4 of their TINs and letting the FI find the rest on its own should be considered. In the comments addressed in the order, some FIs addressed the likelihood of two or more people sharing the last 4 of their SSNs. This is a genuine concern given that there are only 10,000 unique combinations for the last 4 digits of a TIN. What happens when the third party gets the TIN wrong?


Such exceptions present a potentially exciting opportunity to allow technology to help us work more efficiently. However, until a full risk assessment on such uses is performed, and the limitations of the banking systems currently in place are fully understood, FIs should tread cautiously before jumping in with both feet! 👣


The Final Rule can be read here: FinCEN Order - Customer Identification Program

RE-OCCURRING FINDING: RTP Disclosures
By: Caitlyn Mullins-Smith, AAP, APRP, NCP | V.P. & Director, NEACH Payments Group