CIP rule should not be amended to allow for partial SSN collection
America’s Credit Unions opposes a change to the Customer Identification Program (CIP) rule to allow the partial collection of a social security number (SSN) for identity verification purposes. Credit union concerns are outlined in a comment letter to the Financial Crimes Enforcement Network (FinCEN) sent Tuesday, in response to FinCEN’s request for comments related to the Taxpayer Identification Number (TIN) collection requirement under the CIP rule.
At issue is the potential access to consumers’ full SSN by a third party. The existing rule requires financial institutions to implement a written CIP that includes identity verification procedures, and financial institutions must currently collect a full SSN from a customer to fulfill the TIN requirement. FinCEN seeks input on the rule’s SSN collection requirement, including potentially allowing financial institutions to collect a partial SSN from the customer and then using a third-party to collect the full SSN.
“[W]e are concerned that modifying the current process to allow for collection of the full SSN from a third-party may present certain risks, without clear benefits,” the letter reads. “While we typically encourage regulatory changes that increase flexibility, we are also mindful that some changes could bring about increased risk, including in the area of consumer fraud, such as identity theft, as noted by FinCEN.”
When it does not involve SSN collection, America’s Credit Unions recognizes the potential efficiencies in utilizing third parties under the CIP rule. The letter asks FinCEN to consider allowing greater use of third parties under the CIP Rule, which “can decrease the amount of processing time required, while still complying with the regulatory requirements of the CIP Rule.”
“Based on member feedback, [outside the TIN collection requirement,] we ask FinCEN to evaluate the appropriateness of expanding financial institutions’ ability to rely on third parties (e.g., fintechs) to collect and verify consumer data,” the letter reads. “Under such an approach, the financial institution would continue to be responsible for ensuring compliance with the customer verification requirements, as well as relevant data protection requirements.”