A New Way to Know Your Customer: Inside the FinCEN TIN Collection Exemption

If you’ve ever tried to open a bank account online, you know the moment – the one where you’re asked to type in your full Social Security number and you pause, wondering how many strangers might end up seeing your most sensitive information. That hesitation is exactly what a new regulatory tweak is designed to address.

In June 2025, with the concurrence of FinCEN (Financial Crimes Enforcement Network), federal banking regulators provided clarity to financial institutions about options that explicitly permit them to collect your taxpayer identification number (TIN) from a trusted third-party source instead of directly from you. It’s not a free pass for institutions, which still must meet the rigorous identity verification requirements of the Customer Identification Program (CIP) Rule. It is, however, a subtle shift with significant implications for digital onboarding, fraud prevention, and customer trust.

Regulatory Context: CIP Rule & Improved Clarity

To understand why this exemption matters, you have to know the rules it’s bending. The CIP Rule was born out of the USA PATRIOT Act’s Section 326—a post-9/11 mandate requiring financial institutions to have a greater understanding of who walks through their virtual and physical doors.

At its core, the CIP Rule requires institutions to collect four critical pieces of information before users may open an account: the user’s name, date of birth, address, and a TIN.

For more than two decades, that TIN—whether a Social Security number, EIN, or ITIN—has typically only come straight from the customer. No shortcuts, no proxies. Why? Because the TIN is a cornerstone for verifying someone’s identity and running the necessary anti-money laundering (AML) and counter-terrorist financing (CTF) checks.

That said, the rule hasn’t been entirely inflexible. There have been notable carve-outs when it comes to obtaining a TIN:

  • Credit card accounts have long enjoyed an exception that allows certain customer information—including the TIN—to be sourced from a third party.
  • In 2020, regulators granted a premium finance exemption for property and casualty insurance loans, acknowledging that the low-risk profile and unique business model made the traditional CIP approach unnecessarily rigid.

These exceptions share a common theme: they’re not about lowering the bar on identity verification—they’re about adjusting the process to fit the risk profile and realities of specific account types. This new 2025 TIN exemption follows this same logic, but applies it to a far broader swath of accounts and onboarding scenarios.

The June 2025 TIN Collection Exemption

On June 27, 2025, the OCC, FDIC, and NCUA—armed with FinCEN’s blessing—quietly dropped an order that gave financial institutions something they’ve never officially had across the board: the option to collect a customer’s TIN from a trusted third-party source instead of directly from the customer.

It’s an option, not a mandate. If you love your current process of asking customers to type in their nine digits while silently holding your breath, you can keep doing it. But now, if your institution can reliably pull that number from a validated source—think government databases, credit bureaus, or other vetted partners—you can integrate it into your CIP process without waiting for the customer to cough it up.

The exemption applies to all accounts under the regulators’ jurisdictions, not just niche products. That’s a big deal. For years, exceptions were reserved only for specific, low-risk offerings (like credit cards or premium finance loans). Now, the door is open for broader application—so long as the institution’s written, risk-based CIP procedures are updated to reflect this new sourcing method.

Why the change? Regulators aren’t getting soft on AML or CTF compliance. The order is explicit: you must still form a reasonable belief that you know your customer’s true identity, and all other CIP requirements still apply. What’s changing is the acknowledgment that in a digital-first, fraud-heavy environment, forcing customers to hand over sensitive identifiers directly—often in less-than-secure ways—can create its own risks.

In other words: expect the same verification rigor, but with more flexibility in how you get there.

Operational & Compliance Considerations

This exemption may read like a single-line tweak in the Federal Register, but in practice, it’s a process shift that could ripple through your onboarding, compliance, and fraud prevention workflows.

First, the obvious: when creating new accounts, it's not enough to just plug in a third-party TIN feed. Regulatory guidance dictates that this change must be fully integrated into your existing, risk-based CIP procedures. This means you need to map out precisely when and how you'll pull the TIN, which data sources are considered "trusted," and how you'll handle discrepancies. A significant opportunity for innovation in new account creation lies in combining these trusted data sources with a phone possession check. By verifying that the person presenting the TIN actually possesses the phone associated with it, this check adds a robust layer of identity assurance for both the data and the individual presenting it. This integrated approach, which blends static data verification with a dynamic, real-time check, offers a more secure and efficient pathway for account onboarding.

Second, this isn’t a “set it and forget it” arrangement. Third-party reliance is only as strong as the vendor’s controls, so you’ll need ongoing due diligence, data quality monitoring, and vendor management practices that can withstand examiner scrutiny. If a bad record slips in and enables a fraudulent account, the excuse of, “but the vendor gave it to us” won’t cut it as a defense.

Third, remember that this rule is still about identity verification, not data collection. Pulling a TIN from a third party doesn’t absolve you from confirming that the number matches the actual customer in front of you (or behind the keyboard). Regulators expect you to form the same reasonable belief of identity as if the customer had typed it in themselves—only now you have the chance to pre-populate that field and let the customer review and confirm it.

From a strategic standpoint, the benefits are obvious:

  • Lower friction in onboarding, especially in digital channels.
  • Reduced exposure of sensitive identifiers in transit and storage.
  • Potential boost in conversion rates by removing a high-abandonment step.

Despite these benefits, there are trade-offs, including integration costs, the complexity of aligning multiple systems, and the heightened responsibility of validating your data sources. The institutions that will succeed here are those that view this as an enhancement to their identity assurance process, rather than merely a means to expedite account openings.

Audience Relevance

For fraud and identity verification experts, this exemption is more than a compliance footnote—it’s a new lever you can pull in the fight against account opening fraud and onboarding friction.

Why it matters for fraud teams:

Being able to source TINs from trusted third parties means fewer chances for fraudsters to feed you synthetic or stolen identifiers. When that data comes from multiple data sources rather than a typed-in form field, you achieve more accurate results and cut off one of the easiest injection points for false information. And if you pair this with other data signals—device intelligence, behavioral biometrics, telecom data—you’re building a layered defense without adding friction.

Why it matters for identity verification architects:

Digital onboarding has always been a balancing act between speed and certainty. This exemption nudges the balance toward speed without undermining certainty—provided your CIP procedures are airtight. It opens the door for creative orchestration, such as pre-populating TIN fields, allowing customers to confirm, and then running simultaneous verification checks in the background.

Why it matters for compliance leaders:

The optional nature of the exemption means you can adopt it strategically. High-trust segments or low-risk products might benefit immediately, while higher-risk profiles can remain on the traditional direct-collection path. Regulators will still expect you to document why you made these choices and how they fit into your risk-based program.

Bottom line: This isn’t about doing less work to verify identity. It’s about doing the same work in a smarter, more user-friendly way. For those in fraud, identity, and compliance roles, it’s a chance to re-engineer the customer journey without loosening your grip on risk.

Comparative Snapshot

Sometimes the easiest way to see the impact of a rule change is to put the old way and the new way side by side. Here’s how the traditional CIP process for TIN collection compares to the method allowed by the June 2025 exemption:

[Figure: Evolution of CIP process for TIN collection]

In short, the exemption doesn’t loosen the guardrails. Rather, it just gives institutions a wider, smoother lane to drive in. For those willing to invest in the infrastructure and governance to support the switch, the payoff could be a faster, safer, and more customer-friendly onboarding process.

Reframing Your Approach to Identity Verification

The June 2025 TIN collection exemption serves as a reminder that compliance isn’t static—it evolves to meet the realities of modern fraud risk, customer expectations, and digital onboarding. For institutions willing to integrate third-party data sources into their CIP workflows, the potential upside is significant: fewer abandoned applications, stronger fraud defenses, and a smoother path to “yes” for legitimate customers.

But success here depends on execution. You’ll need:

  • Trusted, high-quality data sources that meet regulatory standards.
  • Integration capabilities that let you pre-populate and confirm identifiers without slowing down onboarding.
  • Fraud intelligence that goes beyond the TIN to assess risk holistically.

Prove’s identity solutions are built to power secure, low-friction onboarding by combining authoritative data sources, mobile intelligence, and advanced fraud detection—making it easier to adopt new regulatory flexibilities like the CIP TIN exemption without introducing new risk.

Whether you’re exploring how to operationalize third-party TIN collection, strengthen multi-factor verification, or redesign your onboarding flow for both compliance and conversion, Prove can help you turn this rule change into a competitive advantage.

👉 Learn more at prove.com and see how your institution can meet CIP requirements while delivering a seamless, fraud-resistant customer experience.
