Aug 7, 2025

How FinCEN’s 2025 exemption order is redefining identity workflows — for the first time in 20 years

Gabrielle Bier
Marketing

This post is for informational purposes only and does not constitute legal, tax, or compliance advice. For guidance specific to your organization, please consult a qualified professional.

On June 27, 2025, the U.S. Treasury’s Financial Crimes Enforcement Network (FinCEN), in coordination with the Office of the Comptroller of the Currency (OCC), the Federal Deposit Insurance Corporation (FDIC), and the National Credit Union Administration (NCUA), issued a groundbreaking exemption to the Customer Identification Program (CIP) rule. The exemption allows banks under these regulators’ jurisdictions to verify Tax Identification Numbers (TINs) using third-party sources, rather than collecting the full TIN directly from customers.

That initial shift marked the first meaningful change to the CIP rule since it was introduced in 2003. But just a few weeks later, on July 31, the Federal Reserve Board issued a companion order with FinCEN’s concurrence, extending this exemption to all banks and subsidiaries under the Fed’s jurisdiction.

Together, these updates have kicked off a major transformation in how financial institutions handle identity, not just at onboarding, but across the full customer lifecycle.

For the first time, regulated banks can use secure third-party services to retrieve and verify a customer’s full TIN. Customers may only need to enter the last four digits, while the bank completes verification behind the scenes — unlocking faster flows, lower drop-off, and smarter identity checks.

Understanding the shift 

Traditionally, CIP compliance required banks to collect and verify four data points before onboarding: full name, date of birth, address, and full TIN (e.g., Social Security Number or EIN). 

Previously, only credit card issuers had limited flexibility to use third-party data for TIN verification. This began to shift in December 2020, when the OCC issued a letter in response to an RFI (Request for Information) that catalyzed broader regulatory reconsideration. That letter granted a group of banks known as OpSub a limited exemption from CIP rules—allowing them to collect just the last four digits of a customer’s TIN, then verify the full number via a trusted third-party provider.

Now, under the updated guidance from FinCEN and the federal regulators, this model applies more broadly across deposit, digital, and business banking accounts.

Under the new framework, institutions can:

  • Use a trusted third-party source to collect a customer’s full TIN, instead of requesting it directly
  • Alternatively, collect just the last four digits from the customer and match them against the third-party source
  • Proceed with account opening, assuming all other CIP requirements are met

This approach is designed to reduce friction, protect sensitive information, and modernize compliance practices for a digital-first world.

What it means for banks

For traditional banks and credit unions, the exemption creates an opportunity to modernize not just onboarding flows, but also ongoing identity verification and customer servicing. To adopt the new approach, institutions will need to update internal CIP documentation and risk-based procedures, vet and integrate with third-party TIN verification vendors, and demonstrate to examiners how they achieve a “reasonable belief” in customer identity — even without collecting the full TIN directly.

The impact doesn’t stop at onboarding. Banks can also apply this model during periodic reviews, account updates, or when triggering downstream compliance checks — such as ownership changes.

Importantly, this exemption is optional. Banks may continue collecting full TINs directly if they prefer. The new framework simply offers flexibility — especially for institutions looking to reduce drop-off, meet digital privacy expectations, or streamline non-face-to-face onboarding.

It’s also worth noting that this exemption does not apply to Ultimate Beneficial Owners (UBOs) tied to business accounts. Full TINs must still be collected directly from individuals with significant ownership stakes.

There’s also an open question: can banks use their own historical customer databases instead of a third-party lookup? The order specifies reliance on a “third-party,” but it's unclear whether a financial institution’s previously verified records would qualify. Legal teams and examiners will likely seek further clarification on this point in future guidance.

What it means for fintechs and BaaS platforms

For fintechs that partner with banks to power onboarding and identity workflows, the exemption has immediate downstream implications. If a partner bank adopts a last-four-plus-third-party verification model, the fintech can prompt users for just the last four digits, match them via the bank’s systems, and streamline the entire identity flow.

And the benefits go beyond initial onboarding — the same approach could support periodic reverification, fast reactivation of returning customers, or silent fraud checks when risk signals change.

That said, fintechs can’t adopt this model unilaterally. They’ll need to confirm whether their bank partner has implemented the exemption, coordinate fallback logic, revisit compliance and data-sharing contracts, and ensure they’re not storing or reusing TIN data in a way that violates policy or licensing agreements.

This shift is also prompting teams to rethink identity verification itself — moving away from static, one-size-fits-all flows toward smarter, adaptive experiences.

A new model for identity verification

The exemption opens the door for adaptive, intelligent verification — where identity checks evolve with context. A sample onboarding or re-verification flow could look like this:

  • User inputs business name and address
  • Backend lookup attempts to match full TIN using a third-party database
  • If a match is found: continue the flow without prompting for full TIN
  • If no match is found: prompt the user to enter the full TIN manually
  • Optional: escalate to enhanced due diligence such as ID scans or document uploads

This approach is already gaining traction among product and risk teams aiming to reduce friction without compromising trust. It shifts the burden away from static input fields and toward identity workflows that adapt in real time — based on what’s already known, verified, or high-confidence.

Balancing flexibility with compliance

Even with greater flexibility, the core obligation remains: financial institutions must know who they’re doing business with. This exemption does not alter AML requirements, and fallback mechanisms must still be in place for data gaps or elevated-risk profiles.

Teams will need to build tiered, risk-based workflows, document verification logic for audits, and ensure proper controls when working with sole proprietors or SSN-based identities. Harder-to-verify segments will still require careful layering of authoritative sources, contextual signals, and integration safeguards.

There’s also the question of how data is sourced and reused. If verification relies on third-party databases, what are the boundaries around prefill, confidence scoring, or fallback prompts? These are questions for compliance, legal, and product leaders to navigate together — with transparency and precision.

What's ahead

This exemption is likely to spark a wave of product experimentation. Expect to see increased adoption across onboarding and servicing flows, regulator input on internal vs. third-party data sources, and broader use of contextual signals — such as registration changes or behavioral shifts — to trigger verification.

Some teams are already exploring how to combine TIN data with other risk indicators to silently verify legitimate businesses. Done right, this approach could reduce friction, lower fraud risk, and accelerate time-to-yes — all while maintaining compliance rigor.
