Ms. Ann Misback
Secretary
Board of Governors of the Federal Reserve System
20th Street and Constitution Avenue NW
Washington, DC 20551
Mr. James P. Sheesley
Assistant Executive Secretary
Legal ESS
Federal Deposit Insurance Corporation
550 17th Street NW
Washington, DC 20429
Chief Counsel’s Office
Attention: Comment Processing
Office of the Comptroller of the Currency
400 7th Street SW
Suite 3E-218
Washington, DC 20219
Re: Request for Comment: Regulatory Publication and Review Under the Economic Growth and Regulatory Paperwork Reduction Act of 1996—Docket ID OCC–2023–0016; Docket No. OP–1828; RIN 3064–ZA39
To whom it may concern,
On behalf of The American Fintech Council (AFC) , I am submitting this comment letter in response to the joint Request for Comment on the Publication and Review Under the Economic Growth and Regulatory Paperwork Reduction Act of 1996 (Request for Comment) by the Board of Governors of the Federal Reserve (FRB or Federal Reserve), Federal Deposit Insurance Corporation (FDIC), and the Office of the Comptroller of the Currency (OCC) collectively referred to as the “Joint Agencies”.
AFC is the premier trade association representing the largest financial technology (Fintech) companies and innovative BaaS banks. Our mission is to promote a transparent, inclusive, and customer-centric financial system by supporting responsible innovation in financial services and encouraging sound public policy. AFC members foster competition in consumer finance and pioneer products to better serve underserved consumer segments and geographies. Our members are lowering the cost of financial transactions, allowing them to help meet demand for high-quality, affordable products.
AFC recognizes and appreciates the importance of periodically reviewing agency regulations to identify and reform outdated or otherwise unnecessary regulatory requirements. The Joint Agencies’ statutory mandate to pursue this endeavor is a pragmatic requirement that is necessary for ensuring responsible innovation can flourish in the modern banking system.
To assist with the Joint Agencies’ efforts to modernize the regulatory framework to match the modern banking system, AFC has publicly advocated for standards or clear and consistent regulatory frameworks for innovative financial services and products that are appropriate for the size, activity, and risk posed by the entity providing the service. Also, AFC has advocated for a unified regulatory environment for product and service offerings that are provided to consumers for a similar purpose or in a similar manner.
Specifically related to the issues discussed in the Request for Comment, as will be evidenced further below, AFC believes that the Joint Agencies should critically review and reform existing compliance requirements related to the Customer Information Program (CIP) Rule’s Tax Identification Numbers (TIN) collection requirements. By reforming the existing CIP Rule’s collection requirements within the Joint Agencies’ examination manuals in a manner that would provide parity for online lenders with similarly situated products and services, the Joint Agencies would be able to meet the intent of the statutorily required review and reform of outdated or otherwise unnecessary regulatory requirements in a manner that would positively impact both consumers and industry participants.
I. Current Compliance Requirements Implementing CIP Rule Requirements Regarding TINs are Incongruous with Congressional Intent and Industry Best Practices
As part of the Joint Agencies’ safety and soundness examinations, regulated entities are assessed against existing requirements in the CIP program. This assessment includes determining the regulated entity’s adherence to the CIP Rule’s TIN collection requirements. As written, the compliance requirements with which examiners assess are overly prescriptive and do not adhere to the legislative intent of the CIP program, nor are they befitting of moder banking system. AFC noted in its previous advocacy that the text of the CIP Rule requires banks to implement a written CIP program that includes risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. The Rule identifies the pieces of information that are to be collected from a customer as part of a bank’s CIP program: the customer's name, address, the customer’s TIN, as well as a requirement that the bank’s CIP procedures verify a customer’s identity through other documentary and non-documentary methods. In addition to the language in the Rule itself, the legislative history of section 326 of the US Patriot Act makes Congress’s intent clear that the “the regulations should not impose requirements that are burdensome, prohibitively expensive, or impractical.”
Further, both FinCEN and the Office of the Comptroller of the Currency (OCC) have adopted policy views which lessened the CIP Rule requirements for entities operating in an online capacity. When FinCEN adopted the CIP Rule, the Agency recognized how processes enabled by the credit card, such as providing a consumer’s Social Security Number (SSN) in a retail store, could put the privacy and security of the consumer at risk. This intent to mitigate privacy and security risks by reforming an outdated regulatory requirement, as detailed further below, is germane to the legislative intent underpinning the Request for Comment and demonstrates an opportunity for the Joint Agencies to pursue a reform that meets with their mandate.
In addition, the Joint Agencies are showing increasing interest in reforming the specific requirements related to the CIP Rule’s TIN collection requirements that enumerated in their compliance manuals in order to ensure they reflect the needs and operations of the modern banking system. Recently, Acting FDIC Chairman Travis Hill issued a letter to FinCEN Director Andrea Gacki directly calling for reforms to the compliance requirements related to the CIP Rule’s TIN collection requirements for online lenders engaged in bank-fintech partnerships. Also, in December of 2020 the OCC recognized the potential issues with requiring a consumer to enter a full TIN when it released its Interpretive Letter 1175. Specifically, in the Interpretive Letter, OCC authorized a similar approach for a national bank's subsidiary to onboard customers by collecting customers' partial SSNs and then using a reputable third-party service to obtain the full nine-digit SSN. While the Interpretive Letter was provided to an online payments provider, the principles underlying the OCC's legal conclusion are equally applicable to banks and all financial institutions. In fact, after notifying FinCEN and considering FinCEN's comments, the OCC determined that the national bank's subsidiary's proposed method for collecting customer SSNs "does not present any additional risk for money laundering activity or terrorist financing than those present for the complete collection of the [SSNs]."
Further, within an industry context, at least one credit reporting agency already adheres to similar partial collection of consumer SSNs for their credit freeze service. TransUnion does not request full SSNs from consumers within its own account opening application, which permits consumers to place extended fraud alerts and credit freezes on their credit reports. Instead, they collect only partial SSNs, as well as the consumer’s name, date of birth, email, phone, and address. This practice is akin to the practices advocated for by AFC.
II. Reforming Compliance Requirements Regarding CIP Rules Would Create a Safer and More Secure Consumer Experience and Bring Parity for Similarly Situated Financial Products
Within the current regulatory framework, financial institutions and fintech companies offering lending products online are required to collect the full SSN for each customer before opening an account with the financial institution or fintech company. The process covered under the CIP Rule was established when banking activities were primarily conducted in an in-person manner. Thus, the process for determining the customer’s identity was fairly straightforward and not impractical for financial institutions.
In the years since the CIP Rule was established, many of the in-person activities conducted at banks have moved to online platforms. For example, lending applications that were previously conducted in-person, with a loan officer, are now more frequently completed using an online application that the consumer submits to the financial institution, often without ever engaging directly with staff at the institution. Further, innovative banking models, such as banking-as-a-service models, which partner banks with innovative financial technology companies to offer products nationally have increased the amount of online banking activities that fall under the existing CIP Rule. To this end, the once practical requirements, including the collection of the full customer SSN has become impractical and burdensome for financial institutions engaging in online activities and innovative business models. Further, due to the online nature of the financial institutions’ engagements with consumers, the current CIP Rule collection requirements are incongruent with more recently established data collection best practices, which were established to improve the safety and security of consumers’ data.
For entities operating in an online environment, the current CIP Rule requirements related to the direct collection of consumers’ TINs imposes a burden on financial services providers that is impractical given the current best practices for data collection and the technological advancements in verifying a consumer’s identity that have occurred since the CIP Rule was originally introduced. While AFC members continue to comply with the data collection requirements, the use of innovative technology has allowed these companies to reasonably verify a consumer’s identity without creating any additional risks to either the consumer or the financial services industry. The use of this technology to verify consumer identities is in accordance with the spirit of the Bank Secrecy Act’s provisions. Specifically, if financial institutions and their fintech partners were able to obtain partial consumer SSNs and verify them through a reputable third-party source, such as a credit reporting agency, the financial institution would leverage the aforementioned data points to improve their ability to reasonably determine the customer’s identity. Unfortunately, this practice is not currently allowed due to existing compliance requirements.
As noted above, FinCEN previously recognized the consumer privacy and data security issues associated with full collection of SSNs directly from consumers operating in an online environment. Specifically, FinCEN issued a credit card exemption, which allows credit card issuers to obtain a customer’s TIN information, among other information, from a third-party source instead of directly from the customer. This exemption allows credit card issuers to streamline application processes and grant access to credit more efficiently and protect consumers from data breach issues that could come from direct collection of this data during the application process.
In contrast, all lenders operating in an online environment are negatively impacted by the existing compliance requirements regarding the CIP rule’s TIN collection requirements. As noted above, the exemption offered to credit cards, which are similarly situated to online lending products in the consumer market, hold a competitive advantage due to the exemption. Without pragmatic reforms to the requirements enumerated in the Joint Agencies’ compliance manuals, online lenders will continue to face an unnecessary, regulation-driven competitive disadvantage against credit card companies.
Given the above discussion, AFC believes the Joint Agencies should reform the existing CIP Rule’s collection requirements within the Joint Agencies’ examination manuals to permit financial institutions and their fintech partners to collect partial TINs or SSNs from consumers while collecting full TINs from a third party, and verifying the provided numbers through the bank’s risk-based identity verification procedures.
III. AFC Recommends that the Joint Agencies consider Reforming the Existing CIP Rule Requirements within their Examination Manuals to Improve Consumers’ Privacy and Security, Experience, and Optionality
Reforming existing CIP Rule’s collection requirements within the Joint Agencies’ examination manuals to permit financial institutions and their fintech partners to collect partial TINs or SSNs from consumers while collecting full TINs from a third party, and verify the provided numbers through the bank’s risk-based identity verification procedures could provide significant benefits to consumers and the financial services industry without increasing the risks that the CIP Rule seeks to address. Specifically, as will be discussed further below, consumers and financial institutions could experience improved privacy and security, as well as the user experience on the online platforms.
Improved Privacy and Security
AFC recognizes that direct collection of a consumer’s SSN functions as a deterrent to potential fraudsters. However, the process established in the current CIP Rule is ill-fitted to the digital banking environment. Personally Identifiable Information (PII), such as consumers’ SSNs, is especially sought after by fraudsters and other nefarious actors who work tirelessly to breach the data collected by financial institutions and third parties that hold PII data in an online environment. The requirement that a consumer enter their full SSN in an online environment introduces an unnecessary risk to the consumer and the financial institution.
Customers are worried about providing their full SSNs, particularly in a digital environment. Requiring input of the full SSNs for every credit application increases the number of third parties that must retain and protect this information from nefarious actors. Identity theft stemming from data breaches in the public and private sectors is devastating to consumers and their financial health. Requiring customers to provide full SSNs compounds these problems. On this issue, leaders ranging from a former director of the Cybersecurity and Infrastructure Security Agency to members of Congress have suggested moving away from reliance on nine-digit SSNs for identification purposes. Since at least 2017, expert government officials have recognized the need to amend the CIP Rule to improve the privacy and security of consumer data. Specifically, a top government cybersecurity official said the Social Security number has “outlived its usefulness,” noting “every time we use the Social Security number, we put it at risk.” Therefore, AFC believes that FinCEN should update the CIP Rule to provide financial institutions with the flexibility to use these innovative and reliable tools in their CIP programs, as banks have been able to do for more than two decades for credit card accounts.
Collecting partial TINs or SSNs from consumers while collecting full TINs or SSNs from a third party, and verifying the provided numbers through the bank’s risk-based identity verification procedures minimizes risks to consumers and adheres to established best practices for data minimization. Leveraging trusted third-party sources to provide the remaining five SSNs digits also helps to mitigate the risk of incorrect manual entry errors by the consumer, which result in time-consuming and sometimes costly error resolution procedures, by limiting the manual entry requirements and allowing the preexisting verified data to improve the efficiency and efficacy of the process. Further, collection of only partial SSNs lowers the risks to the financial institutions and third parties holding this data because they have fewer data points of value to hackers who seek to breach their data protection schemes. To help improve the privacy and security for consumers engaging in online financial services, AFC recommends that the Joint Agencies consider reforming existing CIP Rule requirements within their examination manuals.
Improved Consumer Experience
AFC members work tirelessly to provide the best user experience possible for consumers. At a time when trust in financial services is still low, fintech companies serve an important role in ensuring that consumers gain access to financial services while also improving their trust in the offerings provided through bank-fintech partnerships. However, the current CIP Rule Requirements of requesting the full SSN during the account setup process can be quite cumbersome for users and result in consumers avoiding a specific product or service offering due to concerns related to data breaches. As noted above, collecting partial TINs or SSNs from consumers while collecting full TINs or SSNs from a third party, and verifying the provided numbers through the bank’s risk-based identity verification procedures streamlines the onboarding process and helps ensure that consumers concerned with data breaches are not forced to input their data in a manner that would evoke this concern.
As previously noted, existing compliance requirements in the Joint Agencies’ examination manuals require banks to collect full nine-digit SSNs from customers during the initial application process pushes potential borrowers out of the market for credit lending products offered by AFC members. As noted above, many consumers are understandably wary of providing their full SSNs, and when required to do so, they may reconsider opening an account or finishing the application. According to research conducted by AFC member companies, the CIP Rule Requirements for collection of the full consumer SSN during the initial application process resulted in 10 percent of the applicants abandoning the application process. As a result of consumers abandoning the application process, at least 2.8 million consumers totaling approximately 3.7 billion dollars in loans are not provided to consumers. Given the fact that many of AFC’s members focus their efforts on bringing access to financial services to historically underserved communities and these individuals have exhibited the lowest amount of trust in the financial services industry, it is likely that this demographic is disproportionately impacted by the application abandonment and subsequent loss of credit. To help ensure that the modern financial system is the most inclusive possible, AFC believes the Joint Agencies consider reforming existing CIP Rule requirements within their examination manuals.
* * *
AFC appreciates the opportunity to respond to the Joint Agencies’ Request for Comment. AFC believes that the Joint Agencies should reform the existing CIP Rule’s collection requirements within their examination manuals in a manner that would provide parity for online lenders with similarly situated products and services. We thank you for your consideration of our comments.
Sincerely,
Ian P. Moloney
SVP, Head of Policy and Regulatory Affairs
American Fintech Council
[1] AFC’s membership spans technology platforms, non-bank lenders, banks, payments providers, loan servicers, credit bureaus, and personal financial management companies.
[2] Office of the Comptroller of the Currency,Treasury; Board of Governors of the Federal Reserve System; and Federal Deposit Insurance Corporation, “Publication and Review Under the Economic Growth andRegulatory Paperwork Reduction Act of 1996”, Fed. Reg. 89, no. 238 (Dec. 11,2024): 99751.
[3] AFC’s membership spans technology platforms, non-bank lenders, banks, payments providers, loan servicers, credit bureaus, and personal financial management companies.[1] Office of the Comptroller of the Currency, Treasury; Board of Governors of the Federal Reserve System; and Federal Deposit Insurance Corporation, “Publication and Review Under the Economic Growth and Regulatory Paperwork Reduction Act of 1996”, Fed. Reg. 89, no. 238 (Dec. 11,2024): 99751.
[4] 31 C.F.R. section 1020.220(a)(2).
[5] H.R. Rep. No. 107-250, pt. 1, at 62(2001).
[6] Department of the Treasury; Office of the Comptroller of the Currency, Treasury; Office of Thrift Supervision, Treasury; Board of Governors of the Federal Reserve System; National Credit Union Administration; and Federal Deposit Insurance Corporation “Customer Identification Programs for Banks, Savings Associations, Credit Unions and Certain Non-Federally Regulated Banks”, Fed. Reg. 68, no. 90 (May 9, 2003): 25089.
[7] FDIC Acting Chairman Travis Hill to FinCEN Director Andrea Gacki, Feb. 7, 2025, available at https://www.fdic.gov/letter-acting-chairman-hill-fincen-2-7-25#:~:text=Dear%20Ms.,constructive%20collaboration%20on%20this%20issue.
[8] OCC Interpretive letter 1175,published Nov. 16, 2020, Washington, DC, available at https://www.occ.gov/topics/charters-and-licensing/interpretations-and-actions/2020/int1175.pdf.
[9] Ibid at 10
[10] TransUnion,Be in the Know with TransUnion – See YourCredit Score and Start Credit Monitoring Now, available at, https://membership.tui.transunion.com/tucm/orderStep1_form.page (last visited May 6, 2024).
[11] Ibid, Fed. Reg. 68, no. 90 (May 9, 2003):25089.
[12] See Mariam Baksh, CISADirector Pushes to Discontinue Social Security Numbers as Identification, NextGov (Feb. 26, 2020), https://www.nextgov.com/cybersecurity/2020/02/cisa-director-pushes-discontinue-social-security-numbers-identification/163340/; see also Letterfrom Rep. Maxine Waters, Ranking Member, U.S. House Comm. on Fin. Servs., toJanet Yellen, Secretary, U.S. Departmentt of the Treasury, et al. (Sep. 6,2023), https://democrats-financialservices.house.gov/uploadedfiles/09.06.2023_cip_prog.pdf.
[31] See Yuka Hayashi, End ofthe Social Security Number? A White House Official Thinks So, Wall Street Journal, (Oct. 3, 2017), https://www.wsj.com/articles/end-of-the-social-security-number-a-white-house-official-thinks-so-1507069469?mod=article_inline (last visited May 14, 2024).
[14] See, National Institute of Standards andTechnology, NIST Privacy Framework: A Tool for Improving Privacy ThroughEnterprise Risk Management, Version 1.0, (Jan. 16, 2020), available athttps://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.01162020.pdf.
[15] Research findings are based on internal,proprietary, A/B testing on a stochastic sample of consumers. While results arenot publicly available, AFC recognizes the sound methodology used by themembers to conduct the research, and affirms the findings based on thatmethodology.
.svg)
.svg)
About the American Fintech Council: The mission of the American Fintech Council is to promote an innovative, responsible, inclusive, customer-centric financial system. You can learn more at www.fintechcouncil.org.
.webp)