Federal: Comment Letter on Request for Information- Customer Identification Program Rule Taxpayer Identification Number Collection Requirement

The Honorable Andrea Gacki

Director

Financial Crimes Enforcement Network

2070 Chain Bridge Rd.

Vienna, VA 22182

‍

Re: Request for Information: Customer Identification Program Rule Taxpayer Identification Number Collection Requirement—FINCEN-2024-0009

Dear Director Gacki,

On behalf of The American Fintech Council (AFC)¹, I am submitting this comment letter in response to the Financial Crimes Enforcement Network (FinCEN or the Agency) Request for Information on the Customer Identification Program Rule regarding Taxpayer Identification Number Collection Requirements (RFI).

AFC is the premier trade association representing the largest financial technology (Fintech) companies and innovative BaaS banks. Our mission is to promote a transparent, inclusive, and customer-centric financial system by supporting responsible innovation in financial services and encouraging sound public policy. AFC members foster competition in consumer finance and pioneer products to better serve underserved consumer segments and geographies. Our members are lowering the cost of financial transactions, allowing them to help meet demand for high-quality, affordable products.

AFC has publicly advocated for standards or clear and consistent regulatory frameworks for innovative financial services and products that are appropriate for the size, activity, and risk posed by the entity providing the service. Also, AFC has advocated for a unified regulatory environment for product and service offerings that are provided to consumers for a similar purpose or in a similar manner. Specifically related to the issues discussed in the RFI, AFC has strongly advocated for reforms to occur within the regulatory requirements and supervisory expectations related to the CIP Rule’s Tax Identification Numbers (TIN) collection requirements.²

‍

I. Current CIP Rule Requirements Regarding TINs are Incongruous with Congressional Intent, Industry Best Practices, and Administration Goals

As AFC noted in its previous advocacy letter, the text of the CIP Rule requires banks to implement a written CIP program that includes risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable.³ The Rule identifies the pieces of information that are to be collected from a customer as part of a bank’s CIP program: the customer's name, address, the customer’s TIN, as well as a requirement that the bank’s CIP procedures verify a customer’s identity through other documentary and non-documentary methods. In addition to the language in the Rule itself, the legislative history of section 326 of the US Patriot Act makes Congress’s intent clear that the “the regulations should not impose requirements that are burdensome, prohibitively expensive, or impractical.”⁴

Further, both FinCEN and the Office of the Comptroller of the Currency (OCC) have adopted policy views which lessened the CIP Rule requirements for entities operating in an online capacity. When FinCEN adopted the CIP Rule, the Agency recognized how processes enabled by the credit card, such as providing a consumer’s Social Security Number (SSN) in a retail store, could put the privacy and security of the consumer at risk.⁵ This intent to mitigate privacy and security risks, as detailed further below, is germane to the issues presented in the RFI in an online context and fits under the “impractical” standard set forth under the US Patriot Act.

In addition, federal regulators who hold FinCEN’s delegated authority to implement the CIP Rule have taken different approaches to their interpretations of how regulated entities may implement the CIP Rule. Specifically, AFC has identified differences in the supervisory expectations afforded to entities under the jurisdiction of the Federal Deposit Insurance Corporation (FDIC) and the OCC.

For example, in December of 2020 the OCC recognized the potential issues with requiring a consumer to enter a full TIN when it released its Interpretive Letter 1175.⁶ Specifically, in the Interpretive Letter, OCC authorized a similar approach for a national bank's subsidiary to onboard customers by collecting customers' partial SSNs and then using a reputable third-party service to obtain the full nine-digit SSN. While the Interpretive Letter was provided to an online payments provider, the principles underlying the OCC's legal conclusion are equally applicable to banks and all financial institutions. In fact, after notifying FinCEN and considering FinCEN's comments, the OCC determined that the national bank's subsidiary's proposed method for collecting customer SSNs "does not present any additional risk for money laundering activity or terrorist financing than those present for the complete collection of the [SSNs]."⁷ Concurrently, FDIC has not taken such an approach towards regulating CIP Rule Requirements.

Further, within an industry context, at least one credit reporting agency already adheres to similar partial collection of consumer SSNs for their credit freeze service. TransUnion does not request full SSNs from consumers within its own account opening application, which permits consumers to place extended fraud alerts and credit freezes on their credit reports. Instead, they collect only partial SSNs, as well as the consumer’s name, date of birth, email, phone, and address.⁸ This practice is akin to the practices advocated for by AFC in the context of the RFI.

Lastly, the Biden Administration identified a policy objective to harmonize and modernize federal regulations across the spectrum.⁹ This policy objective aligns with AFC’s perspectives generally and specifically relates to the CIP Rule at hand. Finding areas where regulatory modernization is needed is crucial to ensuring that the U.S. financial services industry operates effectively and efficiently in the 21st century. It is with this in mind that AFC believes that modernizing the CIP Rule to apply the aforementioned OCC guidance and existing credit card exemption to similarly situated financial products and services offered in an online capacity would greatly assist in the Administration’s efforts to accomplish its policy objective.

‍

II. CIP Rule Reform as Identified in the RFI Would Create a Safer and More Secure Consumer Experience and Bring Parity for Similarly Situated Financial Products

Permitting financial institutions and their fintech partners to collect partial TINs or SSNs from consumers while collecting full TINs from a third party, and verifying the provided numbers through the bank’s risk-based identity verification procedures could provide significant benefits to consumers presents significant benefits for the data security and user experience of the consumer. Further, pursuing such a reform would not increase the money laundering risks that the CIP Rule were established to protect against.

‍

Current CIP Rule Environment

Within the current regulatory framework, financial institutions and fintech companies offering lending products online are required to collect the full SSN for each customer before opening an account with the financial institution or fintech company. The process covered under the CIP Rule was established when banking activities were primarily conducted in an in-person manner. Thus, the process for determining the customer’s identity was fairly straightforward and not impractical for financial institutions.

In the years since the CIP Rule was established, many of the in-person activities conducted at banks have moved to online platforms. For example, lending applications that were previously conducted in-person, with a loan officer, are now more frequently completed using an online application that the consumer submits to the financial institution, often without ever engaging directly with staff at the institution. Further, innovative banking models, such as banking-as-a-service models, which partner banks with innovative financial technology companies to offer products nationally have increased the amount of online banking activities that fall under the existing CIP Rule. To this end, the once practical requirements, including the collection of the full customer SSN has become impractical and burdensome for financial institutions engaging in online activities and innovative business models. Further, due to the online nature of the financial institutions’ engagements with consumers, the current CIP Rule collection requirements are incongruent with more recently established data collection best practices, which were established to improve the safety and security of consumers’ data.

For entities operating in an online environment, the current CIP Rule requirements related to the direct collection of consumers’ TINs imposes a burden to financial services providers that is impractical given the current best practices for data collection and the technological advancements in verifying a consumer’s identity that have occurred since the CIP Rule was originally introduced. While AFC members continue to comply with the data collection requirements, the use of innovative technology has allowed these companies to reasonably verify a consumer’s identity without creating any additional risks to either the consumer or the financial services industry. The use of this technology to verify consumer identities is in accordance with the spirit of the Bank Secrecy Act’s provisions.

In general, AFC agrees with the FinCEN’s recognition in the RFI that “there are, and will be, more available customer identifying attributes that banks may collect (e.g., email address, geolocation, and internet protocol (IP) address location), some of which vary in accuracy and authenticity, but which could be used holistically as part of a banks’ risk-based verification procedures under the CIP Rule.”¹⁰ If financial institutions and their fintech partners were able to obtain partial consumer SSNs and verify them through a reputable third-party source, such as a credit reporting agency, the financial institution would leverage the aforementioned data points to improve their ability to reasonably determine the customer’s identity.

As noted above, FinCEN previously recognized the consumer privacy and data security issues associated with full collection of SSNs directly from consumers operating in an online environment. Specifically, FinCEN issued a credit card exemption, which allows credit card issuers to obtain a customer’s TIN information, among other information, from a third-party source instead of directly from the customer. This exemption allows credit card issuers to streamline application processes and grant access to credit more efficiently and protect consumers from data breach issues that could come from direct collection of this data during the application process. Further, as FinCEN correctly noted in the RFI, FinCEN considered that “allowing banks to obtain a customer’s identifying information from a third-party source, such as a credit bureau, prior to an extension of credit… to be an efficient and effective means of extending credit with little risk that the lender did not know the identity of the borrower.”¹¹ As a result, credit card companies have held a competitive advantage over other online lenders operating in a similar manner.

All lenders operating in an online environment are negatively impacted by the differing regulatory requirements related to SSN collection. As noted above, the exemption offered to credit cards, which are similarly situated to online lending products in the consumer market, hold a competitive advantage due to the exemption.

In practice, the current CIP Rule requirements create significant opportunities for regulatory arbitrage. While the original CIP Rule created an exception for credit cards, the OCC’s 2020 Interpretive Letter effectively expanded this exception to non-credit card products offered by national banks. This leaves state-chartered banks and credit unions at a competitive disadvantage, requiring more information from consumers than their national counterparts when offering functionally similar products. This arbitrage negatively impacts the customers who are most in need of the products being offered by state-chartered banks and their partners to gain access to affordable and responsible credit.

Further, Buy-Now-Pay-Later (BNPL) loans represent one of the primary examples of a digital offering that is negatively impacted by differing regulatory requirements related to SSN collection between credit cards and other online financial products and services. In an effort to operate in full compliance with existing regulations and adhere to contract requirements in their partnerships with financial institutions, BNPL lenders and their financial institution partners have interpreted the CIP Rule requirements to preclude the BNPL lenders from operating under the credit card exemption.

However, in further recognition of the product similarities between credit cards and BNPL loans, in May 2024, the Consumer Financial Protection Bureau (CFPB) released its Interpretive Rule, which categorized BNPL loans as “credit” and designated providers as “creditors card issuers” subject to relevant provision within subpart B of Regulation Z. Through this Interpretive Rule, CFPB explicitly states that “[d]igital user accounts that consumers use to access BNPL credit mimic conventional credit cards. They meet the regulatory definition of “credit cards” as defined at 12 CFR 1026.2(a)(15)(i).”¹² Unfortunately, without similar regulatory clarity from FinCEN, BNPL lenders will likely need to continue to comply with the existing CIP Rule requirements, instead of the more limited requirements under the credit card exemption. To that end, BNPL lenders face a unique competitive disadvantage due to the existing CIP Rule requirements. Therefore, AFC recommends that FinCEN pursue additional guidance to clarify how the existing credit card exemption to the CIP Rule applies to BNPL lenders.

‍

III. AFC Recommends that FinCEN consider Formal Rulemaking on CIP Rule Reforms to Improve Consumers’ Privacy and Security, Experience, and Optionality

The information sought by FinCEN through the RFI represents a beneficial first step in the prudent reform of the CIP Rule requirements regarding TIN collection by financial institutions. Pursuing a reform which would allow financial institutions and their fintech partners to collect partial TINs or SSNs from consumers while collecting full TINs from a third party, and verifying the provided numbers through the bank’s risk-based identity verification procedures could provide significant benefits to consumers and the financial services industry without increasing the risks that the CIP Rule seeks to address. Specifically, as will be discussed further below, consumers and financial institutions could experience improved privacy and security, user experience on the online platforms, and optionality in the industry without facing a significant cost burden when implementing the reforms. Therefore, AFC recommends FinCEN consider building on the effort of the RFI by pursuing formal rulemaking that would address the issues discussed in this comment letter.

‍

Improved Privacy and Security

AFC recognizes that direct collection of a consumer’s SSN functions as a deterrent to potential fraudsters. However, the process established in the current CIP Rule is ill-fitted to the digital banking environment. Personally Identifiable Information (PII), such as consumers’ SSNs, is especially sought after by fraudsters and other nefarious actors who work tirelessly to breach the data collected by financial institutions and third parties that hold PII data in an online environment. The requirement that a consumer enter their full SSN in an online environment introduces an unnecessary risk to the consumer and the financial institution.

Customers are worried about providing their full SSNs, particularly in a digital environment. Requiring input of the full SSNs for every credit application increases the number of third parties that must retain and protect this information from nefarious actors. Identity theft stemming from data breaches in the public and private sectors is devastating to consumers and their financial health. Requiring customers to provide full SSNs compounds these problems. On this issue, leaders ranging from a former director of the Cybersecurity and Infrastructure Security Agency to members of Congress have suggested moving away from reliance on nine-digit SSNs for identification purposes.¹³ Since at least 2017, expert government officials have recognized the need to amend the CIP Rule to improve the privacy and security of consumer data. Specifically, a top government cybersecurity official said the Social Security number has “outlived its usefulness,” noting “every time we use the Social Security number, we put it at risk.”¹⁴ Therefore, AFC believes that FinCEN should update the CIP Rule to provide financial institutions with the flexibility to use these innovative and reliable tools in their CIP programs, as banks have been able to do for more than two decades for credit card accounts.

Collecting partial TINs or SSNs from consumers while collecting full TINs or SSNs from a third party, and verifying the provided numbers through the bank’s risk-based identity verification procedures minimizes risks to consumers and adheres to established best practices for data minimization.¹⁵ Leveraging trusted third-party sources to provide the remaining five SSNs digits also helps to mitigate the risk of incorrect manual entry errors by the consumer, which result in time-consuming and sometimes costly error resolution procedures, by limiting the manual entry requirements and allowing the preexisting verified data to improve the efficiency and efficacy of the process. Further, collection of only partial SSNs lowers the risks to the financial institutions and third parties holding this data because they have fewer data points of value to hackers who seek to breach their data protection schemes. To help improve the privacy and security for consumers engaging in online financial services, AFC recommends that FinCEN reform the CIP Rule as identified in the RFI.

Improved Consumer Experience

AFC members work tirelessly to provide the best user experience possible for consumers. At a time when trust in financial services is still low, fintech companies serve an important role in ensuring that consumers gain access to financial services while also improving their trust in the offerings provided through bank-fintech partnerships. However, the current CIP Rule Requirements of requesting the full SSN during the account setup process can be quite cumbersome for users and result in consumers avoiding a specific product or service offering due to concerns related to data breaches. As noted above, collecting partial TINs or SSNs from consumers while collecting full TINs or SSNs from a third party, and verifying the provided numbers through the bank’s risk-based identity verification procedures streamlines the onboarding process and helps ensure that consumers concerned with data breaches are not forced to input their data in a manner that would evoke this concern.

Requiring banks to collect full nine-digit SSNs from customers during the initial application process pushes potential borrowers out of the market for credit lending products offered by AFC members. As noted above, many consumers are understandably wary of providing their full SSNs, and when required to do so, they may reconsider opening an account or finishing the application. According to research conducted by AFC member companies, the CIP Rule Requirements for collection of the full consumer SSN during the initial application process resulted in 10 percent of the applicants abandoning the application process.16 As a result of consumers abandoning the application process, at least 2.8 million consumers totaling approximately 3.7 billion dollars in loans are not provided to consumers. Given the fact that many of AFC’s members focus their efforts on bringing access to financial services to historically underserved communities and these individuals have exhibited the lowest amount of trust in the financial services industry, it is likely that this demographic is disproportionately impacted by the application abandonment and subsequent loss of credit. To help ensure that the modern financial system is the most inclusive possible, AFC believes that it is critical for FinCEN to reform the CIP Rule as identified in the RFI.

‍

No additional costs to Industry or Consumers

AFC recognizes the importance of weighing the costs and benefits when regulators determine if they will pursue a given rulemaking. In the case of the issues under the RFI, a rulemaking allowing for financial institutions and fintech companies operating online to collect only partial consumer SSNs and then verifying them with a trusted third-party source would pose no real cost to the institutions affected by the amended CIP Rule Requirements. Further, based on our discussions with members, the institutions would be able to easily implement the change in a fully compliant manner and would not require significant changes to their overarching due diligence processes.

If FinCEN allowed financial institutions to partial TINs or SSNs from consumers while collecting full TINs or SSNs from a third party, and verifying the provided numbers through the bank’s risk-based identity verification procedures, the financial institutions and fintech partners could continue to collect relevant data to ensure that money laundering risks do not increase, while not requiring the input of sensitive data that turns customers away from using the financial service. This is due to the fact that regardless of the full or partial collection of consumers SSNs, AFC members already leverage various data points beyond consumers SSNs to reasonably determine a customer’s identity during their due diligence process. As part of this data collection and retention process, AFC members strictly comply with data privacy best practices, to the extent allowed under the current regulatory requirements, and the relevant provisions of the Gramm-Leach-Bliley Act. Therefore, many of the due diligence practices and processes, including record retention practices, would not be significantly impacted by the allowance to collect partial consumer SSNs and verify them through a trusted third-party.

‍

Consumer and Industry Optionality

Further, the current CIP Rule creates significant opportunities for regulatory arbitrage. While the original CIP rule created an exception for credit cards, the OCC’s 2020 Interpretive Letter effectively expanded this exception to payment/non-credit card products offered by national banks. This leaves state-chartered banks and credit unions at a disadvantage, requiring more information from consumers than their national counterparts when offering the same products. This arbitrage negatively impacts the customers who are most in need of the products being offered by state-chartered banks and their partners to gain access to affordable and responsible credit.

As we have noted previously, regulators should pursue a unified regulatory environment for product and service offerings that are provided to consumers for a similar purpose or in a similar manner. As the RFI recognizes, amendments to the CIP Rule Requirements should strike the right balance between ensuring consumer safety and improving the user experience. AFC believes that allowing financial institutions and their fintech partners to operate in a similar capacity as those operating under the existing credit card exemption would still provide appropriate guardrails to limit fraudsters and would allow for more consumers to access financial services in an easier manner. As the financial services industry continues to evolve, institutions will continue to seek opportunities to improve consumer experience without increasing potential harms to consumers. By affording these institutions the same exemption already provided to credit card companies, FinCEN can encourage additional innovations and creative solutions to improve consumer safety and satisfaction the products and services they receive.

‍

* * *

‍

AFC appreciates the opportunity to comment on FinCEN’s Request for Information on the Customer Identification Program Rule regarding Taxpayer Identification Number Collection Requirements. Ultimately, AFC believes that the prudent next step is for the Agency to pursue formal rulemaking on this matter. By pursuing formal rulemaking, FinCEN will ensure proper alignment of supervisory expectations between federal regulators who carry out the Agency’s policy aims and parity between similarly situated products and services within the market. Further, as noted above, consumers will experience an improved and more secure user experience as they engage in online lending services. Should FinCEN pursue a formal rulemaking on the issues presented within this RFI, AFC believes that both FinCEN and its fellow regulators should ensure that the relevant examination manuals are adequately amended, and examiners are properly trained on the parameters of the new requirements. We thank you for your consideration of our comments.

‍

Sincerely,

‍

Ian P. Moloney

SVP, Head of Policy and Regulatory Affairs

American Fintech Council

‍

¹ AFC’s membership spans technology platforms, non-bank lenders, banks, payments providers, loan servicers, credit bureaus, and personal financial management companies.

² See, American Fintech Council, Comments Regarding Regulatory Clarity, CIP Rules, and Consumer Products, (Apr. 3, 2023), available at https://www.fintechcouncil.org/advocacy/afc-letter-to-the-financial-crimes-enforcement-network-fincen-requesting-needed-clarity-and-modernization-of-the-customer-information-program-rules. For the purposes of this comment letter, Tax Identification Number (TIN) and Social Security Number (SSN) are used interchangeably.

³ 31 C.F.R. section 1020.220(a)(2).

⁴ H.R. Rep. No. 107-250, pt. 1, at 62 (2001).

⁵ Customer Identification Programs for Banks, Savings Associations, Credit Unions and Certain Non-Federally Regulated Banks Joint Final Rule, Federal Register, 68 FR 25089, available at https://www.federalregister.gov/documents/2003/05/09/03-11019/customer-identification-programs-for-banks-savings-associations-credit-unions-and-certain.

⁶ OCC Interpretive letter 1175, published Nov. 16, 2020, Washington, DC, available at https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2020/int1175.pdf

⁷Ibid at 10.

⁸ TransUnion, Be in the Know with TransUnion – See Your Credit Score and Start Credit Monitoring Now, available at, https://membership.tui.transunion.com/tucm/orderStep1_form.page (last visited May 6, 2024).

⁹ U.S. Department of the Treasury, Report to the White House Competition Council, Assessing the Impact of New Entrant Non-Bank Firms on Competition in Consumer Finance Markets (Nov. 16, 2022), available athttps://home.treasury.gov/news/press-releases/jy1105 (last visited May 23, 2024).

¹⁰ See, Financial Crimes Enforcement Network (FinCEN), Request for Information and Comment on Customer Identification Program Rule Taxpayer Identification Number Collection Requirement at 7.

¹¹ Ibid at 5.

¹² See, Consumer Financial Protection Bureau, Truth in Lending (Regulation Z); Use of Digital User Accounts to Access Buy Now, Pay Later Loans, Interpretive Rule; Request for Comment, (May 22, 2024) at 3.

¹³ See Mariam Baksh, CISA Director Pushes to Discontinue Social Security Numbers as Identification, NEXTGOV (Feb. 26, 2020), https://www.nextgov.com/cybersecurity/2020/02/cisa-director-pushes-discontinue-social-security-numbers-identification/163340/; see also Letter from Rep. Maxine Waters, Ranking Member, U.S. House Comm. on Fin. Servs., to Janet Yellen, Secretary, U.S. Departmentt of the Treasury, et al. (Sep. 6, 2023), https://democrats-financialservices.house.gov/uploadedfiles/09.06.2023_cip_prog.pdf.

¹⁴ See Yuka Hayashi, End of the Social Security Number? A White House Official Thinks So, WALL STREET JOURNAL, (Oct. 3, 2017), https://www.wsj.com/articles/end-of-the-social-security-number-a-white-house-official-thinks-so-1507069469?mod=article_inline (last visited May 14, 2024).

¹⁵ See, National Institute of Standards and Technology, NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, Version 1.0, (Jan. 16, 2020), available athttps://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf.