New CIP requirements: Weighing the opportunities and challenges

What financial institutions need to know about the new TIN exemption and FDIC guidance on pre-filled data

Recent regulatory changes may sound technical on the surface, but they have big implications for banks and the future of digital onboarding.

On June 27, 2025, the Federal Deposit Insurance Corporation (FDIC), the Office of Comptroller of the Currency (OCC), and the National Credit Union Administration (NCUA) jointly announced a Customer Identification Program (CIP) exemption to the Patriot Act that allows banks to obtain customers’ Taxpayer Identification Numbers (TINs) from third-party sources, instead of requiring applicants to provide them directly during account opening. Shortly thereafter, on July 30, 2025, the FDIC issued FIL‑39‑2025 clarifying that FDIC-supervised institutions may leverage other pre-filled information (such as name, address, DOB) to fulfill CIP requirements—so long as customers can review, update, correct, and confirm that data before account opening, and the financial institution’s account opening processes otherwise allow it to form a reasonable belief as to the identity of the customer. 

These developments followed an RFI issued by the banking agencies in March 2024 on the risks and benefits of permitting banks to obtain part or all of a customer’s TIN information from a third-party source prior to opening an account, rather than from the customer. This new flexibility potentially enables more pragmatic, secure, and customer-friendly verification practices.

What changed with the new CIP requirements, and why it matters

Previously, banks were required to collect TINs (typically Social Security Numbers for individuals) directly from customers prior to account opening, as part of their CIP procedures. While essential for verifying identity, this requirement introduced friction into the onboarding process—especially in digital channels—often forcing applicants to manually type in one of their most sensitive identifiers. 

A longstanding exemption had previously excluded credit card accounts from this requirement, permitting banks to obtain customer identification information from a third-party source prior to extending credit to the customer. Now, with the new exemption for TINs and the FDIC’s announcement of a new supervisory approach for other CIP information, banks may have compliant alternatives available to them for the collection of TINs and other CIP information from verified third-party sources for all accounts, as long as they continue to meet all other CIP requirements and ensure the accuracy of the data. 

The potential impact? A reduction in friction for customers, minimizing the exposure of sensitive information, and supporting the industry’s shift toward safer, faster, and digital-first account opening processes.

Potential opportunities for banks following the new CIP requirements

This move has benefits for consumers and banks alike. It enables banks to:

• Streamline onboarding by eliminating the need for customers to enter information manually and reducing opportunities for data entry errors.
   
• Protect privacy by limiting the direct handling of sensitive personally identifiable information (PII), particularly during commercial onboarding, where businesses must apply using the SSNs of multiple Ultimate Business Owners (UBOs).

Potential challenges for banks following the new CIP requirements

While the opportunities are exciting, banks are likely to face some challenges following this exemption.

• Customer trust concerns may arise about data storage and management. If a customer sees their information pre-filled into the application without having to type it in themselves, they may have concerns about data storage and worry that anyone could open an account under their name with their PII auto-populated.
   
• Fraudsters could exploit pre-filled applications using stolen devices. While this new exemption streamlines onboarding for legitimate customers, it also means that fraudsters can open accounts without having to enter this information. This challenge poses a greater threat to banks if the fraudster has access to a stolen device belonging to a legitimate person. 

To make these requirements work in practice, banks need trusted partners who can efficiently and compliantly orchestrate and verify this data. That’s where Alloy comes in.

The role of data orchestration in seamless identity verification

At Alloy, we’ve long believed that smarter identity decisions start with better data orchestration. Our platform already connects to over 250 partner solutions to verify identity, assess risk, and meet compliance requirements.

With these new regulatory changes, we can help banks seamlessly locate and verify TINs and other CIP information using reliable third-party solutions, layered on top of their existing workflows. That means no extra friction for applicants and no additional manual review for compliance teams.

What this unlocks:

• Pre-built integrations: Banks that previously relied on manual data collection can now tap into leading partner solutions with pre-fill capabilities.
   
• Customized compliance workflows: Alloy makes it easy for banks to tailor workflows to risk tolerance and regulatory strategy by blending third-party data and customer-provided information. 
   
• A multi-layered approach: Third-party vendors with pre-fill capabilities can work in tandem with other leading identity verification and fraud prevention data solutions to keep bad actors out of your organization.
   
• Scalable, secure onboarding: With built-in fraud prevention and automated decisioning, banks can reduce operational burden while growing confidently.

The bottom line

The June 2025 TIN exemption and subsequent FDIC announcement mark a meaningful evolution in how identity can be verified in modern banking. It signals a degree of comfort from regulators in the effectiveness of third-party data and a deeper recognition of digital identity infrastructure as a critical component of the financial system.

For banks, it’s a chance to rethink legacy onboarding practices in favor of more efficient, customer-centric approaches.