FinCEN Order Anyone?

July 28, 2025
Melanie Fletcher, CRCM, CAMS, CCBIA, AAP, CCBP

FinCEN Order Anyone?

Raise your hand if you remember the last time a multitude of agencies granted a regulatory exemption?  Anyone?  Anyone?  I don’t see any hands – because it so rarely happens!  But perhaps you’ve heard about the exemption order issued by FinCEN at the end of June allowing financial institutions under the jurisdiction of the OCC, FDIC, and NCUA to obtain a Taxpayer Identification Number (TIN) from a third-party rather than directly from the customer for all accounts, not just credit cards as was the lone previous exemption.  The exemption order is pretty short and sweet, but as an auditor, of course I was hoping for some FAQs.  FinCEN is attempting to adjust requirements to catch up with the times, so that’s a win in my book.  

Here is what we know about the exemption:

  • There is no requirement to utilize it – if your institution isn’t currently using a third-party partner to assist in identity verification (IDV), there is no requirement to start
  • You will still need to obtain/maintain the entire TIN
  • There is no waiver of compliance with CIP

This last point – no waiver of CIP compliance – is critical.  The exemption order states the financial institution can collect the TIN from a third-party before the account is opened, provided they otherwise comply with the CIP Rule, which requires written procedures that: (1) enable the bank to obtain TIN information prior to opening an account; (2) are based on the bank’s assessment of the relevant risks; and (3) are risk-based for the purpose of verifying the identity of each customer to the extent reasonable and practicable, enabling the institution to form a reasonable belief that it knows the true identity of each customer.  

If you are going to utilize this exemption, make sure you complete appropriate due diligence on the vendor that provides the IDV product, plus you will want to ensure the IDV product you are using is performing some sort of evaluation of the Tax ID number (most do), and that any identified discrepancies are cleared and appropriately documented.  Of course, this also means you’ll need to update your policies, procedures and risk assessment, and don’t forget to include and document employee training on any changes you make to your CIP program.  Obtain board approval as needed.  

See the link below for the full Order that also discusses some of the reasoning behind the agency’s decision.  

https://www.fincen.gov/sites/default/files/2025-06/CIP-TIN-Exemption-Order-final508.pdf

 

Neovera SV (formerly 10-D Security) is an independent firm specializing in IT security and compliance for financial institutions. We help clients mitigate risk and comply with GLBA requirements, offering tailored services and expertise to strengthen cybersecurity programs.

We can help, connect with the SV Team