Request for Information and Comment on Customer Identification Program Rule Taxpayer Identification Number Collection Requirement, 22231-22234 [2024-06763]

Agencies

• DEPARTMENT OF THE TREASURY
• Financial Crimes Enforcement Network

[Federal Register Volume 89, Number 62 (Friday, March 29, 2024)]
[Notices]
[Pages 22231-22234]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-06763]



[[Page 22231]]

-----------------------------------------------------------------------

DEPARTMENT OF THE TREASURY

Financial Crimes Enforcement Network


Request for Information and Comment on Customer Identification 
Program Rule Taxpayer Identification Number Collection Requirement

AGENCY: Financial Crimes Enforcement Network (FinCEN), Treasury.

ACTION: Notice and request for information and comment.

-----------------------------------------------------------------------

SUMMARY: FinCEN, in consultation with staff at the Office of the 
Comptroller of the Currency (OCC), the Federal Deposit Insurance 
Corporation (FDIC), the National Credit Union Administration (NCUA), 
and the Board of Governors of the Federal Reserve System (Board) 
(collectively, the ``Agencies''), seeks information and comment from 
interested parties regarding the Customer Identification Program (CIP) 
Rule requirement for banks to collect a taxpayer identification number 
(TIN), among other information, from a customer who is a U.S. person, 
prior to opening an account (the ``TIN collection requirement''). 
Generally, for a customer who is an individual and a U.S. person 
(``U.S. individual''), the TIN is a Social Security number (SSN). In 
this request for information (RFI), FinCEN specifically seeks 
information to understand the potential risks and benefits, as well as 
safeguards that could be established, if banks were permitted to 
collect partial SSN information directly from the customer for U.S. 
individuals and subsequently use reputable third-party sources to 
obtain the full SSN prior to account opening. FinCEN seeks this 
information to evaluate and enhance its understanding of current 
industry practices and perspectives related to the CIP Rule's TIN 
collection requirement, and to assess the potential risks and benefits 
associated with a change to that requirement. This notice also serves 
as a reminder from FinCEN, and staff at the Agencies, that banks must 
continue to comply with the current CIP Rule requirement to collect a 
full SSN for U.S. individuals from the customer prior to opening an 
account (``SSN collection requirement''). This RFI also supports 
FinCEN's ongoing efforts to implement section 6216 of the Anti-Money 
Laundering Act of 2020, which requires FinCEN to, among other things, 
identify regulations and guidance that may be outdated, redundant, or 
otherwise do not promote a risk-based anti-money laundering/countering 
the financing of terrorism (AML/CFT) regime.

DATES: Written comments on this RFI are welcome and must be received on 
or before May 28, 2024.

ADDRESSES: Comments may be submitted by any of the following methods:
     Federal eRulemaking Portal: https://www.regulations.gov. 
Follow the instructions for submitting comments. Refer to Docket Number 
FINCEN-2024-0009.
     Mail: Policy Division, Financial Crimes Enforcement 
Network, P.O. Box 39, Vienna, VA 22183. Refer to Docket Number FINCEN-
2024-0009.
    Please submit comments by one method only.

FOR FURTHER INFORMATION CONTACT: FinCEN's Regulatory Support Section at 
1-800-767-2825 or electronically at [email protected].

SUPPLEMENTARY INFORMATION: 

I. Background

A. Bank Secrecy Act

    The legislative framework generally referred to as the Bank Secrecy 
Act (BSA),\1\ which consists of the Currency and Financial Transactions 
Reporting Act of 1970 and other legislation, is designed to combat 
money laundering, the financing of terrorism, and other illicit finance 
activity. To fulfill the purposes of the BSA, Congress authorized the 
Secretary of the Treasury (Secretary) to administer the BSA and require 
financial institutions to keep records and file reports that, among 
other purposes, ``are highly useful in criminal, tax, or regulatory 
investigations, risk assessments, or proceedings,'' or in the conduct 
of ``intelligence or counterintelligence activities, including 
analysis, to protect against terrorism.'' \2\ The Secretary has 
delegated the authority to implement, administer, and enforce 
compliance with the BSA and its implementing regulations to the 
Director of FinCEN.\3\
---------------------------------------------------------------------------

    \1\ Certain parts of the Currency and Foreign Transactions 
Reporting Act of 1970, its amendments, and the other statutes 
relating to the subject matter of that Act, have come to be referred 
to as the Bank Secrecy Act (BSA). These statutes are codified at 12 
U.S.C. 1829b, 1951-1960, and 31 U.S.C. 5311-5314, 5316-5336 and 
includes other authorities in notes thereto. Regulations 
implementing the BSA appear at 31 CFR chapter X.
    \2\ 31 U.S.C. 5311(1).
    \3\ Treasury Order 180-01 (Jan. 14, 2020), Paragraph 3(a), 
available at https://home.treasury.gov/about/general-information/orders-and-directives/treasury-order-180-01.
---------------------------------------------------------------------------

    Section 326 of the Uniting and Strengthening America by Providing 
Appropriate Tools Required to Intercept and Obstruct Terrorism Act of 
2001 (USA PATRIOT Act) \4\ amended the BSA to require, among other 
things, the Secretary to prescribe regulations ``setting forth the 
minimum standards for financial institutions and their customers 
regarding the identity of the customer that shall apply in connection 
with the opening of an account at a financial institution.'' \5\ These 
minimum standards include, among other things, reasonable procedures 
for: (1) ``verifying the identity of any person seeking to open an 
account to the extent reasonable and practicable''; and (2) 
``maintaining records of the information used to verify a person's 
identity, including name, address, and other identifying information.'' 
\6\
---------------------------------------------------------------------------

    \4\ USA PATRIOT Act, Public Law 107-56.
    \5\ 31 U.S.C. 5318(l).
    \6\ Id., at 5318(l)(2)(A)-(B).
---------------------------------------------------------------------------

B. The CIP Rule: Certain Minimum Information Collection Requirements 
and Risk-Based Identity Verification Procedures

    In 2003, FinCEN and the Agencies issued regulations implementing 
section 326 of the USA PATRIOT Act for banks.\7\ Among other 
requirements, the CIP Rule requires a bank to, as part of its AML 
program, implement a written CIP that contains identity verification 
procedures that enable the bank to form a reasonable belief that it 
knows the true identity of its customers, including by verifying the 
identity of its customers to the extent reasonable and practicable. 
These procedures must specify the customer identifying information that 
a bank is to collect from each customer, including, at a minimum, the 
customer's name, date of birth (for an individual), address, and 
identification number. For U.S. persons, the identification number is a 
TIN.\8\ Generally, to fulfill the CIP

[[Page 22232]]

Rule's TIN collection requirement for a U.S. individual, a bank must 
collect from the customer prior to opening an account the full SSN. 
While a bank's procedures for verifying a customer's identity may be 
risk-based and may vary from bank to bank, the CIP Rule makes clear 
that the collection of certain identifying information is a minimum 
requirement and such information must be collected directly from the 
customer prior to opening an account, except with respect to credit 
card accounts. The CIP Rule generally does not provide for a bank 
collecting an individual's SSN from a person other than the customer 
(e.g., from a third-party service provider).
---------------------------------------------------------------------------

    \7\ See, e.g., Board, FDIC, OCC, FinCEN, Office of Thrift 
Supervision, and NCUA, Joint Final Rule--Customer Identification 
Programs for Banks, Savings Associations, Credit Unions and Certain 
Non-Federally Regulated Banks, 68 FR 25103 (May 9, 2003) (codified 
at 31 CFR 1020.220(a)(4)), available at https://www.federalregister.gov/citation/68-FR-25103. These regulations are 
codified under 12 CFR 208.63(b)(2), 12 CFR 211.5(m)(2), and 12 CFR 
326.8(b)(2) (FDIC); 12 CFR 211.24(j)(2) (Board); 31 CFR 1020.220 
(FinCEN); 12 CFR 748.2(b)(2) (NCUA); and 12 CFR 21.21(c)(2) (OCC) 
(collectively, the ``CIP Rule''). Additionally, in 2020, FinCEN 
issued a final rule implementing the CIP Rule for banks that lack a 
Federal functional regulator. See FinCEN, Customer Identification 
Programs, Anti-Money Laundering Programs, and Beneficial Ownership 
Requirements for Banks Lacking a Federal Functional Regulator, 85 FR 
57129 (Nov. 16, 2020) (codified at 31 CFR 1010 and 31 CFR 1020).
    \8\ See 31 CFR 1020.220(a)(2)(i)(A)(4); see also 31 CFR 
1010.100(yy). A TIN is defined by section 6109 of the Internal 
Revenue Code of 1986 (26 U.S.C. 6109) and the Internal Revenue 
Service regulations implementing that section (e.g., SSN or employer 
identification number). In instances in which a U.S. person has not 
yet received a TIN, the CIP Rule provide an exception for persons 
applying for a TIN. In such cases, instead of obtaining a TIN from a 
customer prior to opening an account, the bank's CIP may include 
procedures for opening an account for a customer (including an 
individual) that has applied for, but has not received, a TIN. See 
31 CFR 1020.220(a)(2)(i)(B).
---------------------------------------------------------------------------

    When the CIP Rule was adopted, banks were exempted from the 
requirement with respect to credit card accounts to collect identifying 
information, including an identification number, directly from the 
customer. Instead, for credit card accounts, a bank may obtain the 
customer's identifying information, such as the SSN, from a third-party 
source prior to extending credit to the customer. FinCEN recognized at 
that time that without this exception, the CIP Rule would alter a 
bank's business practices by requiring additional information beyond 
what was already obtained directly from a customer who opened a credit 
card account at the point of sale or by telephone.\9\ Concerns were 
raised during the proposed CIP Rule's comment period that an individual 
applying for a credit card account would be reluctant to give out their 
SSN, especially through non-face-to-face means, due to consumer privacy 
and security concerns.\10\ FinCEN observed that requiring a bank to 
collect a customer's identifying information from the customer in every 
case, including over the phone, would likely alter the manner in which 
they do business.\11\ FinCEN was also mindful of the legislative 
history of section 326, which indicated that Congress expected 
implementing regulations be appropriately tailored for accounts opened 
in situations where the account holder was not physically present at 
the financial institution and would not impose requirements that were 
burdensome, prohibitively expensive, or impractical.\12\ Therefore, 
credit card accounts were exempted from the CIP Rule's information 
collection requirements, allowing banks to obtain a customer's 
identifying information from a third-party source, such as a credit 
bureau, prior to an extension of credit. FinCEN considered this 
practice to be an efficient and effective means of extending credit 
with little risk that the lender did not know the identity of the 
borrower.\13\
---------------------------------------------------------------------------

    \9\ 68 FR 25103, at p.103 (May 9, 2003) (codified at 31 CFR 
1020.220(a)(4)), available at https://www.federalregister.gov/citation/68-FR-25103.
    \10\ Id. at p.113.
    \11\ Id. at p.116.
    \12\ Id. at p. 103. See also H.R. Rep. No. 107-250, pt. 1, at 63 
(2001).
    \13\ Id. at p. 105.
---------------------------------------------------------------------------

    Since the CIP Rule was adopted in 2003, FinCEN is cognizant that 
there has been significant innovation in the way that customers 
interact with financial institutions and receive financial services, as 
well as significant innovation in the customer identifying information 
collection and verification tools available to financial 
institutions.\14\ Many banks now partner with non-bank financial 
institutions (e.g., third-party service providers) to facilitate new 
financial products and services, such as buy-now-pay-later (BNPL) loans 
that extend credit at point of sale to customers. These products and 
services operate in a similar manner to credit cards but may be offered 
by non-bank financial institutions that may or may not be subject to 
the BSA and its implementing regulations, or other similar regulatory 
requirements. Nonetheless, banks that do not comply with the CIP Rule 
may face supervisory action, particularly if the non-bank financial 
institution the bank has partnered with does not collect the customer's 
identifying information directly from the customer, as required by the 
CIP Rule.
---------------------------------------------------------------------------

    \14\ FinCEN and the Agencies have previously issued interagency 
guidance on the applicability of the CIP Rule to prepaid cards. The 
guidance clarifies that certain prepaid cards issued by a bank 
should be subject to the bank's CIP, including when a bank issues 
prepaid cards under arrangements with third-party program managers 
that sell, distribute, promote, or market the prepaid cards issued 
by the bank. See Interagency Guidance to Issuing Banks on Applying 
Customer Identification Program (Mar. 21, 2016), available at 
https://fincen.gov/sites/default/files/shared/InterAgencyGuidance20160318.pdf.
---------------------------------------------------------------------------

    This RFI will inform FinCEN's understanding in this area and assist 
FinCEN in evaluating the risks, benefits, and potential safeguards 
related to certain CIP Rule requirements applicable to banks. 
Specifically, FinCEN is seeking input from banks and other interested 
parties regarding the CIP Rule's SSN collection requirement, including 
potentially allowing banks to collect partial SSN information from the 
customer and using a third-party source to collect the full SSN. 
Partial SSN collection refers to the practice where a bank may collect 
a certain part of the SSN from individuals who are the customers (e.g., 
last four digits of an individual's SSN), and then obtain the full SSN 
from a reputable third-party service provider.

II. Request for Information Overview

    FinCEN is aware of public interest by banks, trade associations, 
and Congress about the SSN collection requirement.\15\ In particular, 
there has been expressed interest in permitting banks to collect a 
partial SSN while also permitting the use of reputable third-party 
sources to obtain the full SSN prior to account opening. FinCEN is 
interested in comments from the public on whether permitting partial 
SSN collection by a bank prior to account opening may promote, with 
appropriate safeguards, increased accessibility to financial services 
for a broader population of individuals. As noted earlier, this 
practice is currently not permissible under the CIP Rule, except for 
the previously described exception for credit card accounts.\16\
---------------------------------------------------------------------------

    \15\ See Ranking Member Congresswoman Maxine Waters of the U.S. 
House Committee on Financial Services letter to FinCEN and the 
Agencies (Sept. 7, 2023), available at https://democrats-financialservices.house.gov/news/documentsingle.aspx?DocumentID=410778; see also House Subcommittee 
on National Security, Illicit Finance, and International Financial 
Institutions Hearing Entitled: ``Oversight of the Financial Crimes 
Enforcement Network (FinCEN) and the Office of Terrorism and 
Financial Intelligence (TFI)'' (Apr. 27, 2023), available at https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=408719 (which entered into the 
Congressional Record a letter from the American FinTech Council to 
H. Das, Acting Director of FinCEN titled ``Comments Regarding 
Regulatory Clarity, CIP Rules, and Consumer Products'' (Apr. 3, 
2023), available at https://fintechcouncil.org/fincen-bnpl); and 
House Subcommittee on National Security, Illicit Finance, and 
International Financial Institutions Hearing Entitled: ``Oversight 
of the Financial Crimes Enforcement Network (FinCEN) and then Office 
of Terrorism and Financial Intelligence (TFI)'' (Feb. 14, 2024), 
available at https://financialservices.house.gov/calendar/eventsingle.aspx?EventID=409139 (which had questions regarding TIN 
collection entered into the record).
    \16\ See 31 CFR 1020.220(a)(2)(i).
---------------------------------------------------------------------------

    FinCEN recognizes the expansion of additional tools, sources, and 
methods available to banks since the initial adoption of the CIP Rule 
in 2003 to collect and verify customer identifying information, for 
example the emergence of new identity sources such as state mobile 
driver's licenses.\17\ FinCEN also

[[Page 22233]]

recognizes there are, and will be, more available customer identifying 
attributes that banks may collect (e.g., email address, geolocation, 
and internet protocol (IP) address location), some of which vary in 
accuracy and authenticity, but which could be used holistically as part 
of a banks' risk-based verification procedures under the CIP Rule.
---------------------------------------------------------------------------

    \17\ See Department of Homeland Security, Minimum Standards for 
Driver's Licenses and Identification Cards Acceptable by Federal 
Agencies for Official Purposes; Waiver for Mobile Driver's Licenses, 
88 FR 60056 (Aug. 30, 2023), available at https://www.federalregister.gov/d/2023-18582.
---------------------------------------------------------------------------

    Notwithstanding these advancements, FinCEN is aware of consumer 
fraud and protection concerns around permitting a bank to obtain the 
full SSN from a third-party service provider. For instance, by 
permitting a bank to collect only the last four digits of an SSN from a 
customer who is an individual, a bank may increase the ease and speed 
of identity theft, including synthetic identity fraud that can result 
in accounts opened without appropriate safeguards.\18\ Additional risks 
may arise if there is inaccuracy when using a third-party source to 
obtain an individual's full SSN, which may lead to potential 
impediments to law enforcement investigative efforts in obtaining 
accurate customer identifying information. FinCEN also recognizes 
differing regulatory requirements for customer information required 
between banks and other entity types, which may not subject to the BSA 
and FinCEN's implementing regulations, may result in regulatory 
arbitrage and even allow for illicit finance activity risk to remain 
undetected in the U.S. financial system, particularly by entities not 
subject to suspicious activity reporting requirements pursuant to the 
BSA.\19\
---------------------------------------------------------------------------

    \18\ See FinCEN, Financial Trends Analysis: Identity-Related 
Suspicious Activity: 2021 Threats and Trends (Jan. 2024), available 
at https://www.fincen.gov/sites/files/shared/FTA_Identity_Final508.pdf (which highlights the use of ``synthetic 
identity,'' a combination of real and fake customer identifying 
information, to exploit a financial institution's identity 
verification processes).
    \19\ See 31 CFR 1022.210(d)(1)(i)(A). Money services businesses, 
for example, have an AML Program requirement to verify customer 
identification, but are not subject to the CIP Rule.
---------------------------------------------------------------------------

    This RFI seeks information and comment on the potential risks, 
benefits, and safeguards around banks collecting partial SSNs for U.S. 
individuals directly from the customer and subsequently using reputable 
third-party sources to obtain a full SSN prior to account opening. 
FinCEN is also gathering information about current industry practices 
regarding SSN collection. This RFI also seeks responses to specific 
questions below.

III. Suggested Topics for Commenters

    To allow FinCEN to evaluate comments more effectively, FinCEN 
requests that, where possible, comments include any suggested use of 
FinCEN authorities, or changes to FinCEN regulations or guidance, 
including the nature of the requested change and supporting data or 
other information on impacts, costs, and benefits.
    The following questions are intended to assist in the formulation 
of comments and are not intended to restrict what may be addressed by 
the public. Commenters may also address matters that do not appear in 
the questions below related to the CIP Rule's SSN collection 
requirement. FinCEN requests that, in addressing these questions, 
commenters identify issues in as much detail as possible and provide 
specific examples where appropriate. Commenters are requested to 
comment on some or all of the questions below and are encouraged to 
indicate in which area the comments are focused. FinCEN requests that 
commenters note their highest priorities in their response, along with 
an explanation of how or why certain suggestions have been prioritized, 
when possible.
    1. Should banks be permitted to collect part or all of a customer's 
SSN for a U.S. individual from a third-party source prior to account 
opening? Should banks be permitted to collect other customer 
identifying information required by the CIP Rule from a third-party 
source?
    2. If banks were permitted to collect partial SSN information from 
a customer in the case of a U.S. individual and subsequently use a 
reputable third-party source to obtain the full SSN prior to account 
opening:
    a. What would be the risks and benefits of permitting this partial 
SSN collection practice for banks?
    b. What safeguards would need to be in place? What impact would 
there be on a bank's policies, practices, and procedures?
    c. What practices and procedures would banks use to obtain a 
customer's full SSN when a partial SSN is collected from the customer?
    d. How would the collection of a partial SSN from the customer 
impact how a bank forms a reasonable belief of the customer's identity?
    e. How would the reliance on third-party sources for SSN collection 
impact the adherence to CIP recordkeeping requirements, if at all?
    f. What minimum due diligence processes would a bank typically 
conduct, or expect to conduct, before contracting with a third-party 
source for SSN collection? How do banks review and assess the 
capability, quality, and performance of the third-party source, 
including the accuracy and reliability of the full SSN collected by the 
third-party source?
    g. What ongoing due diligence and monitoring would be conducted on 
the third-party source? How frequently would ongoing due diligence be 
conducted?
    h. What measures could banks have in place to verify the accuracy 
of a full SSN retrieved from a third-party source?
    i. How would existing third-party monitoring and due diligence 
processes be modified to ensure the privacy and security of customer 
data?
    j. What would be the impact of allowing partial SSN collection with 
third-party validation in terms of identity theft-related safeguards 
for customers?
    3. Regarding the current CIP Rule SSN collection requirement for 
banks to collect the full SSN for a U.S. individual directly from the 
customer prior to account opening:
    a. What is the impact of the current requirement on banks and their 
customers to collect the full SSN directly from the customer?
    b. Does the current SSN collection requirement impact a customer's 
ability to access financial products and services?
    c. How does the current SSN collection requirement impact a bank's 
AML program? What type of changes to the SSN collection requirement 
would improve the risk-based nature of a financial institution's AML 
program?
    d. What are the risks and benefits of collecting a full SSN 
directly from the customer? What safeguards are in place to protect SSN 
information?
    e. Is there any impact on the SSN collection requirement from the 
method used by the customer to access a bank's products and services 
(e.g., mobile application, third-party website, face-to-face)?
    f. What factors and consideration may be necessary to identify, 
assess, and mitigate any risks associated with new technologies or 
innovative approaches to the SSN collection requirement?
    g. Is there any impact on the SSN collection requirement related to 
geography? For example, how should the location of the customer be 
considered in terms of the SSN collection requirement?
    h. Do certain financial products and services pose higher or lower 
levels of risk in terms of the SSN collection requirement? Are there 
certain products or services that are better placed for either full or 
partial SSN collection?
    i. For banks registered to use an authoritative, government-
affiliated source for verification, such as the Social Security 
Administration's

[[Page 22234]]

electronic Consent Based SSN Verification (eCBSV) program, which 
typically requires customer consent prior to accessing this program, 
how would banks be able to use the eCBSV program if banks no longer 
obtained the full SSN from the customer?
    4. Regarding current practices by parties not subject to the CIP 
Rule's SSN collection requirement (i.e., non-banks) when using third-
party sources for SSN collection:
    a. What are the risks and benefits of using a third-party source 
for SSN collection?
    b. What minimum due diligence processes does a non-bank typically 
conduct before contracting with a third-party source for SSN 
collection? How do non-banks review and assess the capability, quality, 
and performance of the third-party source, including the accuracy and 
reliability of the full SSN collected by the third-party source?
    c. What ongoing due diligence and monitoring do non-banks conduct 
on the third-party source? How frequently is ongoing due diligence 
conducted?
    d. What measures do non-banks have in place to verify the accuracy 
of a full SSN retrieved from a third-party source?
    e. How do non-banks ensure the privacy and security of customer 
data when using a third-party source for SSN collection?
    f. What authoritative or private sector third-party sources are 
generally used for obtaining SSNs?
    g. What, if any, limitations and/or shortcomings have been 
identified in third-party sources used to obtain SSN information?
    h. What is the typical timeframe from when a customer enters their 
partial TIN to the non-bank receiving the full SSN from the third-party 
source?
    i. What types of processes or strategies may be employed by third-
party sources to manage high volume and/or time-sensitive SSN 
collection requests?
    j. How frequently do customers fail the third-party SSN collection? 
What process(es) can be applied in such instances?
    k. Have there been expected or observed differences in the rate of 
fraud or suspicious activity when non-banks using a partial SSN 
collection process versus full SSN collection directly from a customer?
    l. How frequently does the partial SSN provided by a customer match 
to more than one individual when submitted to a third-party source? 
What additional steps are taken in such a case?
    m. When the customer provides a partial SSN, is the customer 
notified that the remaining digits of their SSN will be obtained from a 
third-party source? Are there instances when non-banks may display a 
full SSN to a customer who provided a partial SSN? How would non-banks 
address and mitigate identity theft-related risks in those instances?
    5. Provide any publicly available studies or data points that 
demonstrate:
    a. Customer behavior in seeking or avoiding access to financial 
products or services based on risks associated with a customer 
providing a full SSN, whether perceived or actual.
    b. Accuracy and reliability of third-party sources from which SSN 
information could be acquired.
    c. Impact on financial crime or other illicit finance activity 
risks when a customer is not required to provide a full SSN.
    d. The benefits and risks for non-banks (e.g., employers, 
retailers, financial service providers, and government agencies) and 
third-party service providers in obtaining a partial SSN from the 
customer and then using a third-party source to obtain the customer's 
full SSN.
    6. Regarding current CIP practices of all financial institutions, 
both banks and non-banks:
    a. What risks have been identified with the SSN collection 
requirement, and how have those risks been mitigated?
    b. Do financial institutions use a combination of documentary and 
non-documentary methods to verify the identity of its customers, or do 
financial institutions rely solely on one of the two methods?
    i. For financial institutions that do not rely on a combination of 
both methods, what is the rationale?
    ii. For financial institutions that rely solely on non-documentary 
methods, what is the rationale and what information is collected to 
form a reasonable belief that it knows the true identity of the 
customer?
    c. What are the variations to TIN collection and verification 
practices used by financial institutions?
    d. Other than processes related to TIN collection and verification, 
what other means are used by financial institutions to collect and 
verify customer identifying information?
    e. Describe the processes and technologies used by financial 
institutions when obtaining and verifying partial and/or full customer 
identifying information as it pertains to various delivery channels 
(such as telephonic, mobile, and point-of-sale).
    f. Describe similarities and differences in the collection and 
verification practices by financial institutions between individuals 
who provide SSNs and legal entities that provide Employer 
Identification Numbers.
    7. What are the competitive advantages and disadvantages between 
banks that are required to collect the full SSN from the customer and 
those non-banks that collect a partial SSN from the customer and then 
use a third-party source to obtain the customer's full SSN?
    8. What types of products/services are impacted by differing 
regulatory requirements related to SSN collection?

Andrea M. Gacki,
Director, Financial Crimes Enforcement Network.
[FR Doc. 2024-06763 Filed 3-28-24; 8:45 am]
BILLING CODE 4810-02-P