Thursday, May 9, 2024

Online Data Collection Challenge


Most of our business is from originating mortgages. Recently, we started originating Buy-Now-Pay-Later loans. I know you specialize in mortgage banking. And these are not mortgage loans. However, they are available online just like we offer our mortgages online. 

Our attorney told us that getting a customer's social security number for online Buy-Now-Pay-Later loans poses consumer privacy and information security risks. She says we could collect partial SSN information directly from the customer and then use a third party source to obtain the full SSN before opening the account. 

This is not a practical solution. As the sales manager, I am trying to find some kind of workaround. We need the SSN when the loan comes in online. Processing begins immediately and includes our CIP filters. However, if we use a third party to handle the BSA requirement, there could be a processing delay. 

Hopefully, you can shed some light on how to resolve this situation. Our attorney reads your articles and often sends them to us. So, I'm sure she will read your view on getting online SSN information. 

Can you explain why our attorney is concerned about our online CIP data collection involving Buy-Now-Pay-Later loans? 




Since 2006, Lenders Compliance Group has offered mortgage banking compliance. We do not provide compliance guidance for Buy-Now-Pay-Later (BNPL) loans. The BNPL loan is an installment loan that typically allows a customer to purchase something immediately with little or no initial payment and pay off the balance over four or fewer payments.[i] 

I will answer your question because you have an online origination platform that is used to originate mortgage loan products, where you have now introduced the origination of BNPL loans. 

You do not state if your company is contemplating partnering with a nonbank third party service provider to facilitate BNPL loan originations. 

Read on to find out why that information is a critical compliance element. 

I think there are more reasons for your attorney's directive than are described in your question. Given that you are marketing mortgage and non-mortgage products online, the online platform should be evaluated for its overall compliance with CIP requirements, among other things. Depending on the online consumer disclosures, product and service array, origination technology, and other factors, I think her concern is warranted. 

Please ask your attorney to contact me here. We'll discuss and resolve the situation. 

Your question comes as FinCEN is evaluating, via a Request for Information (RFI), existing requirements for banks under the Customer Identification Program Rule ("CIP Rule") to collect a taxpayer identification number (TIN) from a customer before opening an account. I'll provide a bird's-eye view of the anticipated plans, which may be responsive to your attorney's concerns. 

Generally, banks and nonbanks ("financial institution(s)" or "institution(s)") must collect a full Social Security Number (SSN) from a customer who is an individual and a U.S. person. The RFI, mentioned above, is being issued in consultation with staff at the OCC, FDIC, NCUA, and the Federal Reserve System (collectively, the "Agencies"). 

FinCEN is looking for feedback to understand the potential risks, benefits, and safeguards that could be established if financial institutions were permitted to collect partial SSN information directly from the customer for U.S. individuals and subsequently use reputable third party sources to obtain the full SSN before account opening. So, FinCEN's inquiry seems to align with your attorney's suggestion. Agencies usually issue an RFI because they want certain information to evaluate practices and, in this case, a better understanding of current industry practices and perspectives related to the CIP Rule's TIN collection requirement. So, their inquiry is based on wanting to assess the potential risks and benefits associated with a change to that requirement. 

From the start of anti-money laundering compliance, financial institutions have collected identifying information from a customer before opening an account. FinCEN, in consultation with staff at the Agencies, seeks information and comments from interested parties regarding the CIP Rule requirement for financial institutions to collect a taxpayer identification number (TIN) and other information from a customer who is a U.S. person before opening an account. 

There are minimum standards[ii] for such information collection, including, among other things, reasonable procedures[iii] for 

(1) verifying the identity of any person seeking to open an account to the extent reasonable and practicable; and 

(2) maintaining records of the information used to verify a person's identity, including name, address, and other identifying information.  

It is, therefore, a given that, to satisfy the CIP Rule's TIN collection requirement for a U.S. individual, a financial institution must collect the full SSN from the customer before opening an account. While an institution's procedures for verifying a customer's identity may be risk-based and may vary among institutions, the CIP Rule makes clear that the collection of certain identifying information is a minimum requirement, and such information must be collected directly from the customer before opening an account, except concerning credit card accounts. 

That said, the CIP Rule generally does not allow a financial institution to collect an individual's SSN from a person other than the customer (i.e., a third party service provider). 

When the CIP Rule was adopted, institutions were exempted from the requirement for credit card accounts to collect identifying information directly from the customer, including an identification number. Rather, financial institutions may collect the customer's identifying information, such as the SSN, for credit card accounts, from a third party source before extending credit to the customer. The agency saw at that time that without this exception, the CIP Rule would change an institution's business practices by mandating information beyond what was already obtained directly from a customer who opened a credit card account at the point of sale or by phone. 

Concerns were raised during the proposed CIP Rule's comment period that, for instance, a person applying for a credit card account would be hesitant to provide their SSN, especially through non-face-to-face means, because of consumer privacy and security concerns. 

It seems clear that FinCEN saw that requiring a bank to collect a customer's identifying information from the customer in every case, including over the phone, would likely alter how banks do business. Consequently, credit card accounts were exempted from the CIP Rule's information collection requirements, allowing banks and nonbanks to obtain, for these purposes, a customer's identifying information from a third party source, such as a credit bureau, before an extension of credit. In its issuances, FinCEN considered this practice an efficient and effective means of extending credit with little risk that an institution did not know the borrower's identity. 

Since the CIP Rule was adopted in 2003, FinCEN has become aware that there has been significant innovation in how customers interact with financial institutions and receive financial services, and in CIP data collection and verification tools available to financial institutions. 

So, here's the crux of the matter: some banks partner with nonbank third party service providers to facilitate new financial products and services. A provider of Buy-Now-Pay-Later loans is an example of a nonbank financial institution, acting as a third party service provider, that enables such financial products and services by extending credit to customers at the point of sale. 

These products and services operate in a similar manner to credit cards but may be offered by nonbank financial institutions that may or may not be subject to the Bank Secrecy Act (BSA) and its implementing regulations or other comparable regulatory requirements.[iv] Even so, institutions that do not comply with the CIP Rule may face supervisory action, particularly if a nonbank with which a bank has partnered does not collect the customer's identifying information directly from the customer, as required by the CIP Rule. 

The RFI[v] will presumably inform FinCEN's understanding in this area and help the agency evaluate the risks, benefits, and potential safeguards related to certain CIP Rule requirements applicable to financial institutions. Specifically, FinCEN is seeking input from institutions and other interested parties regarding the Rule's SSN collection requirement. The results may allow financial institutions to collect partial SSN information from the customer and use a third party source to collect the full SSN. Partial SSN collection is when a bank collects a certain part of the SSN from individuals who are customers (i.e., the last four digits of an individual's SSN) and then obtains the full SSN from a reputable third party service provider. 

Jonathan Foxx, Ph.D., MBA
Chairman & Managing Director 
Lenders Compliance Group

[i] What is a Buy Now, Pay Later (BNPL) Loan?, Consumer Financial Protection Bureau, Issuance (Last Reviewed: December 2, 2021).

[ii] Section 326 of the USA Patriot Act amended the BSA to require, inter alia, the Secretary to prescribe regulations "setting forth the minimum standards for financial institutions and their customers regarding the identity of the customer that shall apply in connection with the opening of an account at a financial institution." 

[iii] 13 CFR Part 103, Financial Crimes Enforcement Network; Customer Identification Programs for Certain Banks (Credit Unions, Private Banks and Trust Companies) That Do Not Have a Federal Functional Regulator, Department of the Treasury.

[iv] An example of a nonbank financial institution that is a third-party service provider used to facilitate new financial products and services would be one that provides BNPL loans that extend credit at the point of sale to customers.

[v] The RFI supports FinCEN's ongoing efforts to implement Section 6216 of the Anti-Money Laundering Act of 2020, which requires the agency to, inter alia, identify regulations and guidance that may be outdated, redundant, or otherwise do not promote risk-based AML requirements for CFT, the acronym for combating the financing of terrorism.