
New CIP exemption: Weighing the opportunities and challenges

What does the new CIP exemption mean for financial institutions?

The new order may sound technical on the surface, but it has big implications for banks and the future of digital onboarding.

On June 27, 2025, the Federal Deposit Insurance Corporation (FDIC), the Office of the Comptroller of the Currency (OCC), and the National Credit Union Administration (NCUA) jointly announced a Customer Identification Program (CIP) exemption to the Patriot Act that allows banks to obtain customers’ Taxpayer Identification Numbers (TINs) from third-party sources, instead of requiring applicants to provide them directly during account opening.

The announcement followed an RFI issued by the agencies in March 2024 on the risks and benefits of permitting banks to obtain part or all of a customer’s TIN information from a third-party source prior to opening an account rather than from the customer. This new flexibility potentially enables more pragmatic, secure, and customer-friendly verification practices.

What changed with the new CIP exemption, and why it matters

Previously, banks were required to collect TINs (typically Social Security Numbers for individuals) directly from customers prior to account opening, as part of their CIP procedures. While essential for verifying identity, this requirement introduced friction into the onboarding process—especially in digital channels—often forcing applicants to manually type in one of their most sensitive identifiers. 

A longstanding exemption had previously excluded credit card accounts from this requirement, permitting banks to obtain customer identification information from a third-party source prior to extending credit to the customer. Now, with this new exemption, all banks subject to the jurisdiction of the FDIC, OCC, or NCUA have the option to collect TINs from verified third-party sources for all accounts, not just credit card accounts, as long as they continue to meet all other CIP requirements and ensure the accuracy of the data. 

The potential impact? A reduction in friction for customers, minimizing the exposure of sensitive information, and supporting the industry’s shift toward safer, faster, and digital-first account opening processes.

Potential opportunities for banks following the new CIP exemption

This move has benefits for consumers and banks alike. It enables banks to:

  • Streamline onboarding by eliminating the need for customers to enter TINs manually and reducing opportunities for data entry errors.
     
  • Protect privacy by limiting the direct handling of sensitive personally identifiable information (PII), particularly during commercial onboarding, where businesses must apply using the SSNs of multiple Ultimate Business Owners (UBOs).

Potential challenges for banks following the new CIP exemption

While the opportunities are exciting, banks are likely to face some challenges following this exemption.

  • Customer trust concerns may arise about data storage and management. If a customer sees their SSN pre-filled into the application without having typed it in themselves, they may question how their data is stored and worry that anyone could open an account under their name with their PII auto-populated.
     
  • Fraudsters could exploit pre-filled applications using stolen devices. While this new exemption streamlines onboarding for legitimate customers, it also means that fraudsters can open accounts without having to enter this information. This challenge poses a greater threat to banks if the fraudster has access to a stolen device belonging to a legitimate person. 

To make this exemption work in practice, banks need trusted partners who can efficiently and compliantly orchestrate and verify this data. That’s where Alloy comes in.

The role of data orchestration in seamless identity verification

At Alloy, we’ve long believed that smarter identity decisions start with better data orchestration. Our platform already connects to over 250 partner solutions to verify identity, assess risk, and meet compliance requirements.

With this new exemption, we can help banks seamlessly locate and verify TINs using reliable third-party solutions, layered on top of their existing workflows. That means no extra friction for applicants and no additional manual review for compliance teams.

What this unlocks:

  • Pre-built integrations: Banks that previously relied on manual TIN collection can now tap into leading partner solutions with pre-fill capabilities.
     
  • Customized compliance workflows: Alloy makes it easy for banks to tailor workflows to risk tolerance and regulatory strategy by blending third-party data and customer-provided information. 
     
  • A multi-layered approach: Third-party vendors with TIN pre-fill capabilities can work in tandem with other leading identity verification and fraud prevention data solutions to keep bad actors out of your organization.
     
  • Scalable, secure onboarding: With built-in fraud prevention and automated decisioning, banks can reduce operational burden while growing confidently.

The bottom line

This exemption marks a meaningful evolution in how identity can be verified in modern banking. It signals a degree of comfort from regulators in the effectiveness of third-party data and a deeper recognition of digital identity infrastructure as a critical component of the financial system.

For banks, it’s a chance to rethink legacy onboarding practices in favor of more efficient, customer-centric approaches. 
