Financial regulators are rolling out changes that make it easier for banks and credit unions to open accounts while complying with know-your-customer and anti-money laundering rules. The latest announcement clarifies, for example, that banks can use pre-filled information online to verify identities.
Another change from the Treasury Department’s Financial Crimes Enforcement Network lets banks and credit unions collect taxpayer identification numbers (TINs), such as social security or employer identification numbers, from third parties rather than by directly asking customers when they open accounts. The change is expected to benefit banks that partner with fintechs, who’ve argued potential customers can abandon loan applications after being hesitant to provide such sensitive information online.
The average bank and credit union, however, may decide the benefits of adopting the TIN exemption aren’t worth the costs yet. Some may decide to stick with the tried-and-true method of collecting TINs directly from customers, rather than changing their onboarding processes.
“I’m not sure there’ll be a rush into this,” says Barry Hester, a lawyer at Alston & Bird, since some banks may feel it “may not be worth urgently working” on the issue unless there’s a clear business case to do so.
If they do adopt the exemption, financial institutions would have to run assessments gauging whether the change will lead to elevated risk of money laundering. The answer is likely to be “no,” given the blessing FinCEN gave to the change.
But it’s a process banks would have to undertake nonetheless, using up time and resources that may be better spent elsewhere.
“It’s an exercise that might not be worthwhile for smaller local or community banks,” says Marc-Alain Galeazzi, bank regulatory and anti-money laundering partner at Morrison Foerster.
The TIN requirement has been in place since 2003, part of the post-9/11 bolstering of protections against money laundering and terrorism financing. But much has changed in the two decades since, regulators say, including the development of innovative new tools to verify customers’ identity.
“This order reduces burden by providing banks with greater flexibility in determining how to fulfill their existing regulatory obligations without presenting a heightened risk,” Andrea Gacki, the FinCEN director, said in a news release. In their order allowing for the exemption, regulators said “reliable alternatives exist for verification today that did not exist or were not as prevalent” 20 years ago. But regulators “are not prescribing specific alternative processes for banks,” they said.
The Federal Reserve signed off on the change on July 31, joining the two other federal bank regulators along with the National Credit Union Administration.
Fintech Friendly
The change is a positive for banking-as-a-service arrangements, where some banks partner with fintechs on deposit products, loans and other financial tools.
“It’s a great example of a small policy issue resulting in a significant consumer benefit,” says Ian P. Moloney, head of policy and regulatory affairs at the American Fintech Council.
Fintechs, prodded by their bank partners, tend to ask customers for all nine digits of the social security numbers to satisfy bank regulatory requirements. But consumers, many of whom now conduct financial services online, can hesitate when asked to type in their socials online.
Some 10% of loan seekers abandoned their applications with American Fintech Council- member companies when asked to type in their full numbers, the group wrote in a comment letter to FinCEN last year. That amounted to at least 2.8 million customers and $3.7 billion in lost loans.
Others may have typed in their socials incorrectly but don’t respond to follow-ups from lenders clarifying the issue, says Carlin McCrory, a lawyer at Troutman Pepper Locke.
“If it’s truly me, and I’ve just muddled up my own Social Security Number, I may not bother when they reach out to me,” McCrory says.
Risk Mitigation
Easing the TIN requirement could potentially raise fraud risks — at a time when the banking industry grapples with rising fraud levels. But banks and fintechs can adopt steps to guard against fraud, she says, such as asking customers for the last four digits of their social security numbers only or taking more innovative approaches to identity verification.
There are “plenty of other ways to mitigate the doubt that someone is actually who they say they are,” McCrory says, noting IP address data or user selfies as two options.
And consumers are ultimately safer by not typing in their socials online, Moloney argues, since hackers can target them through key-logging hacks or other methods.
“It lessens the risk of that Social Security Number being obtained by a nefarious actor,” Moloney says.
It is one reason why credit cards were exempt from the original 2003 rules — customers were wary about giving their full SSNs when applying by phone or at retailers for in-store cards.
If they do adopt the exemption, banks will still need to ensure they run an effective Customer Identification Program, lawyers and regulators say.
Regulators cautioned that the exemption doesn’t change the purpose of the CIP rule — that a bank has procedures in place so it can “form a reasonable belief that it knows the true identity of each customer.”
Tax Trickiness
Banks should proceed with caution so they don’t open themselves up to questions from the Internal Revenue Service, says Jessalyn Dean, managing director at Dune Consultants and a specialist in tax reporting.
While banks can now collect socials through a third party for customer identification, the IRS may take a different view for interest payments that trigger tax reporting requirements.
Shortcomings in processes could mean banks “would be on the hook” for customers’ tax liabilities, she says.
“For the ones that do decide to implement it, they need a very robust reconciliation procedure,” says Dean, a former PwC tax reporting advisor, so banks can track whether they got SSNs directly from customers or through a third party.
Previous