On February 7, 2025, Acting Chairman Travis Hill sent a letter to FinCEN supporting more flexibility in certain Customer Identification Program requirements for bank-fintech partnerships. The important point is what the letter was and what it was not: it was a policy signal about modern onboarding, not a final rule change that banks could treat as a free pass to relax identity controls.
That distinction matters because CIP questions tend to get over-simplified very quickly. If a page reads like the agency already changed the law, it becomes outdated the moment a reader compares it to the actual supervisory framework. This version should stay focused on what banks can do now to prepare for a possible shift while still preserving a risk-based identity program.
What the signal actually said
The FDIC’s message was that the current CIP framework can be too rigid for the way many banks now onboard customers through digital channels and fintech partners. One concrete example was the suggestion that banks should be able to collect the last four digits of a Social Security number, rather than the full nine digits, in some onboarding contexts, similar to the approach already permitted for credit card customers. That does not eliminate verification. It simply points toward a more modern way to collect the information needed to satisfy risk-based identity controls.
As of the post date, the practical takeaway was straightforward: banks should prepare for a possible shift in supervisory expectations, but they should not assume the rulebook had already changed. This is the kind of topic where timing matters, because a page that reads as though a final exemption already exists will be misleading the moment it is published.
Where flexibility would matter most
The biggest benefit would likely show up in digital-first account opening, embedded finance, and partnerships where the bank is not collecting identity information in a traditional branch workflow. In those environments, a lighter data-collection burden can reduce friction for customers without eliminating the need for robust identity assurance. The key is to understand which checks are truly necessary at the front end and which can be performed through later verification steps.
That matters for small-dollar products, remote accounts, and fintech-branded experiences where a clunky onboarding form can drive abandonment. A bank that wants to compete in those channels has to know whether it can simplify collection without weakening the controls that prove it still knows who the customer is.
Practical implications for banks and fintech partners
The most immediate impact is on onboarding design. A bank that works with fintech partners needs to know which identity checks are being performed, who owns the verification step, what happens when verification fails, and how exceptions are documented. If the bank cannot explain its workflow end to end, the company is not ready to benefit from more flexible CIP standards, even if regulators eventually make them available.
This is also a vendor-management issue. Many institutions rely on outside platforms to collect identity data, but the bank still owns the compliance outcome. That means the bank should review contracts, audit trails, escalation paths, and fraud controls before it changes the way it gathers or stores customer data. A lighter touch on data collection only works if the risk controls around it are stronger, not weaker.
- Map the current CIP workflow from first click to account opening.
- Identify which steps are manual, which are automated, and which are controlled by vendors.
- Document when the bank steps up to additional verification for higher-risk customers.
- Make sure fraud, BSA/AML, and operations teams share the same exception log.
- Review customer-facing disclosures so the onboarding experience matches the bank’s actual process.
What a defensible implementation would still require
Even if regulators later bless more flexibility, the bank still needs a strong paper trail. That means policy language that explains the rationale for each data field, testing that shows the onboarding flow works under real conditions, and escalation steps for mismatches, fraud hits, or incomplete identity results. The compliance question is not whether the bank collected the maximum possible amount of data. It is whether it had a reasonable and documented basis for believing it knew the customer.
Legal and risk teams should also think about account type. A consumer checking product, a higher-risk commercial relationship, and a low-dollar fintech deposit product may not deserve the same level of collection friction. A good CIP framework distinguishes between those use cases instead of forcing one rigid process on every applicant.
Why this page is not a brokered-deposits page
This memo is about customer onboarding and identity verification. It is not about deposit-funding classification or channel strategy. That distinction matters because a lot of FDIC coverage gets lumped together too quickly. Here, the useful question is whether a bank can modernize identity collection without compromising CIP, BSA/AML, fraud detection, or auditability.
In other words, the page should help readers understand how policy flexibility could affect product design, fintech partnerships, and account-opening friction. It should not wander into deposit-broker debates or bank-funding strategy, because those are separate issues with different legal tests and different business consequences.
What not to assume yet
Do not assume the February 7 letter changed the law by itself. Do not assume a bank can stop collecting identifying information that its risk profile still requires. And do not assume a fintech onboarding flow can be simplified without updating the controls that sit behind it. The smarter reading is that regulators were signaling openness to modernization, but they were still expecting institutions to prove that their procedures form a reasonable belief about customer identity.
For counsel, that means the right response is to prepare. Review the bank’s CIP policy, test how the current onboarding stack handles edge cases, and confirm that the institution can explain why each field is collected and how the resulting risk is managed. That preparation makes it easier to move quickly if the agencies later codify a more flexible rule.
How banks and fintechs should prepare now
The most useful next step is not a policy rewrite. It is a controlled gap assessment. Product, compliance, operations, and vendor-management teams should compare the current workflow against the kinds of flexibility regulators appear to be considering and identify where the bank could simplify without weakening assurance. If the answer is unclear, the bank should leave the process in place until the control design is ready.
That kind of prep work also gives management a clean story for examiners: the institution is not relaxing controls casually; it is studying which parts of the onboarding journey are actually necessary, which are duplicative, and which can be modernized without sacrificing the ability to know the customer.
Share your details and we’ll follow up shortly.
Frequently Asked Questions
What date should readers remember?
February 7, 2025, when Acting Chairman Travis Hill sent the FinCEN letter.
Did the FDIC change the CIP rule that day?
No. The letter was a policy signal and a request for greater flexibility, not a final exemption or rule amendment.
What is the operational takeaway?
Bank-fintech onboarding should be documented, risk-based, and ready for a more modern identity-collection standard if regulators adopt one.
How is this different from a brokered-deposits article?
This page is about CIP, identity verification, and onboarding controls, not funding-channel classification or deposit-broker rules.
What should a bank test before changing its workflow?
It should test exception handling, fraud review, vendor handoffs, escalation paths, and whether the new process still supports a reasonable belief about customer identity.
