Collecting a social security number (SSN) from customers
Product: Do I need to collect the full 9 digits of SSN from the customer or can I just collect the last 4 digits?
Legal: Yes
Many B2C fintechs ask this question for an obvious reason: Fintechs compete for the customer, and getting a customer is all about reducing friction for onboarding.
Asking for the full nine digits of a person’s social security number over the internet is not exactly a one-click solution.
First, a little background…
Your Customer Identification Program or CIP
If you offer a B2C deposit or credit product, you are likely working with a bank partner.
On behalf of the bank, you need to implement a KYC, or Know Your Customer, program. See here for an introduction to your broader KYC requirements.
The most narrow of your KYC requirements, and one your product team probably knows well, is your CIP. The CIP requirement comes from the Patriot Act (circa 2001), which was an amendment to the Bank Secrecy Act.
The Patriot Act CIP requirement has two steps:
Step 1: Collect from the customer the following 4 pieces of information:
Name
Date of Birth
Social security number or Taxpayer identification number (usually issued to non-U.S. citizens)
Street address that is not a P.O. Box
And then…
Step 2: Verify enough of the four pieces of information so that you have a reasonable basis to know the identity of your customer.
For step 2, you can use two methods of verification: documentary or non-documentary.
Documentary means verifying through a physical document, like a photo I.D.
Non-documentary means verifying through a third party database.
How does verification work?
Most fintechs will rely on non-documentary verification, since it can be done on the back end without going back to the customer. This typically involves integrating with a database, like a CRA (credit reporting agency), or using a tool like Alloy that is integrated with other databases.
But, what does “verification” mean? Let’s use an example:
Have we verified our customer?
It depends.
It is possible Johnny spells his name differently, used to live in New Jersey but now moved to sunny Denver, and while it is possible for Johnny to be 140 years old, it is more likely he mistyped the “8” when he meant a “9” on his date of birth.
So how many matches on the customer’s information do you need to pass someone through your CIP?
Your CIP can have some flexibility on what you consider a “match” and how many matches you need to verify someone — but you should have clear internal rules for this and make sure you are aligned with your bank partner if you work with one.
With these many mismatches, we probably have not yet verified Johnny Soprano.
So now we can:
- Ask our customer to resubmit his information and try non-documentary verification again;
- Use documentary verification to obtain, say, a driver’s license and compare the information he provided to what is in the license;
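As an added example (not code from the original post), here is a minimal non-documentary CIP check that compares what the customer submitted against a record returned by a third-party database, counts field matches with a little tolerance for spelling, and decides whether to pass the customer, ask for a resubmission, or fall back to documentary verification. The match thresholds, the "last four digits must match" rule, the 120-year plausibility cut-off and the Johnny Soprano records are all constructed assumptions for illustration, not a regulatory standard; your own rules should be written down and agreed with your bank partner.

```python
"""Illustrative CIP match-scoring logic (constructed example, not a compliance standard)."""
from dataclasses import dataclass
from datetime import date
import re


@dataclass(frozen=True)
class Identity:
    """The four CIP data points; the SSN is reduced to its last four digits here."""
    name: str
    dob: date
    ssn_last4: str
    street_address: str


def _tokens(text: str) -> list[str]:
    """Lowercase, drop punctuation, split on whitespace so 'St.' and 'st' compare equal."""
    return re.sub(r"[^a-z0-9 ]", "", text.lower()).split()


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to tolerate a one-character spelling difference."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def names_match(submitted: str, on_file: str) -> bool:
    """Same number of name parts, each within one edit of its counterpart ('Jonny' vs 'Johnny')."""
    a, b = _tokens(submitted), _tokens(on_file)
    return len(a) == len(b) and all(_edit_distance(x, y) <= 1 for x, y in zip(a, b))


def address_match(submitted: str, on_file: str) -> bool:
    """Addresses must match token for token after normalisation (a move is a real mismatch)."""
    return _tokens(submitted) == _tokens(on_file)


def dob_looks_like_typo(dob: date, as_of: date) -> bool:
    """Assumption: an implied age over 120 is more likely a mistyped digit than a real customer."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return age > 120


def evaluate_cip(submitted: Identity, on_file: Identity, as_of: date) -> dict:
    """Count matches and map them to a decision.

    Assumed internal rule: the last four SSN digits must match or we go documentary;
    with the SSN matching, three or more matching fields verifies the customer and
    anything less asks the customer to resubmit and retries non-documentary verification.
    """
    matches = {
        "name": names_match(submitted.name, on_file.name),
        "dob": submitted.dob == on_file.dob,
        "ssn_last4": submitted.ssn_last4 == on_file.ssn_last4,
        "address": address_match(submitted.street_address, on_file.street_address),
    }
    flags = []
    if dob_looks_like_typo(submitted.dob, as_of):
        flags.append("dob_implausible")  # surface the likely typo to the resubmission flow
    if not matches["ssn_last4"]:
        decision = "documentary"
    elif sum(matches.values()) >= 3:
        decision = "verified"
    else:
        decision = "resubmit"
    return {"decision": decision, "matches": matches, "flags": flags}


# Constructed sample: what Johnny typed versus what the database returned.
AS_OF = date(2024, 1, 1)
SUBMITTED = Identity("Jonny Soprano", date(1884, 5, 12), "1234", "100 Main St, Denver, CO")
ON_FILE = Identity("Johnny Soprano", date(1984, 5, 12), "1234", "12 Elm St., Newark, NJ")

if __name__ == "__main__":
    print(evaluate_cip(SUBMITTED, ON_FILE, AS_OF))
```

Run against the sample, the name passes under the one-edit tolerance and the SSN digits match, but the date of birth and address do not, so the customer is sent back to resubmit with the implausible date of birth flagged rather than being passed or pushed straight to documentary verification.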
Collecting an SSN or a TIN:
The verification part is straightforward because, generally, we shouldn’t need the customer to be involved (unless we move to documentary verification).
So what about the friction-inducing requirement that gives product teams the most heartburn?
For step 1, the Patriot Act requires financial institutions to collect the full 9 digits from the customer.
That settles it, right? The law here is fairly clear.
But, a last minute amendment to the Patriot Act allowed an exception for credit card companies collecting application information over the phone.
(You can imagine the lawmakers thinking through some practicalities for once: who would want to give a stranger their full nine-digit SSN over the phone?)
The exception allowed credit card companies to collect only the last 4 digits from the customer and use that information to collect the full 9 digits from a third party database like the credit reporting bureaus.
Legislative Intent
Over time, the fintech industry took the position that, based on the legislative intent, the same exception should apply to today’s products.
In other words:
yesterday’s credit card application over the phone =
today’s fintech application over the internet.
This trend started with a few pioneers in the industry.
Remember BillMeLater?
We can “credit” them for being one of the very first to start this practice. Later, companies like Affirm and Bread adopted this practice as well, and it expanded into the broader BNPL industry.
So just the last 4, right?
Sadly, the answer is still unclear. Despite industry precedent, we’re seeing a gradual push back from regulators against using the exception provided to credit card companies.
The final answer is that the CIP is ultimately owned by the bank sponsor. (See here on who owns the KYC program. Hint: it’s the bank sponsor, but a fintech, as an extension of the bank, is responsible for implementing the bank’s requirements.)
So, whether you can collect the last four digits of the SSN and use that information to go to the bureaus to collect the full nine will depend on the risk appetite of your bank sponsor.
Or, if you’re an MSB or a fintech directly regulated by FinCEN, you’ll need the help of a savvy lawyer to draft a memo stating your position. (If the regulators ever come knocking on your door, you want to show that you did your homework and took a reasonable position.)
Our opinion at Fintech Law and Compliance 101?
While we don’t normally give opinions here (see disclaimer below, pls), we believe there is a strong precedent for fintechs to only have to collect the last 4 digits of SSN from the customer.
We understand that regulatory pressure on fintechs and bank sponsors is at a peak right now — but there’s no long term reason why the very explicit exception in the Patriot Act shouldn’t also apply to digital, over-the-internet financial products.
It also points to a broader issue in fintech.
How do you take regulations that were meant for the paper and brick-and-mortar industry and apply them to a digital product where you have the customer’s attention for mere seconds?
Unless we’re willing to change a bunch of laws in short order (good luck to us), we’ll need to rely on some out-of-box thinking from our regulators who are enforcing the existing laws.
*************
While we hope you found this post helpful, please note that the information in this post is not intended to be legal, regulatory, or relationship advice.