Prefilling Customer Data May Not be Permissible, What to Do Instead

Customer Information Programs (CIP) were mandated by the USA PATRIOT Act in legislation passed by the federal government just after 9/11/2001. Section 326 of the Act requires financial institutions to have a “reasonable belief” the person they are doing business with is who they say they are. It requires, at a minimum, the collection of the name, physical address, date of birth and identification number from the consumer and then a mechanism for verifying those data elements. This could be accomplished through either documentary evidence presented at a branch of the financial institution or through non-documentary sources such as name, SSN and DOB.

In the 21 years since the introduction of that bill, little has changed about CIP requirements. However, following the Covid pandemic, financial services shifted to a much more digital approach, and digital onboarding took center stage. Yet, even after this shift and the subsequent breaches of millions of identities, nothing changed to improve CIP and how it is used.

Prefill Generates Regulatory Commentary

Financial services companies, and especially fintechs and challenger banks, are taking advantage of this digital transformation to make it easier to attract and onboard customers. In an effort to reduce friction and abandonment, shortcuts changed and reduced the data input by consumers in application form fields. Solutions evolved to pull data based on a single consumer PII element such as a phone number. Some sectors have adopted these practices as a standard, while some are using a document to pull data into an application.

Standard regulatory exam practice is clear for financial institutions – data must be taken directly from the consumer. Most banks follow this standard, but with technology, this standard has started to shift to simplify the process for their users. While they have the ability to prefill customer applications, is that a practice they should pursue? And if they do, what are the repercussions of doing so?

Recently, as many banks have gone through their regulatory examination, there is a recurring theme that this practice may not be acceptable. Regulators repeatedly give banks direction that using any prefill methods is an unacceptable practice. However, there are three trends that signal a potential change in direction from the regulators:

1. Third-party services that leverage a single input such as a phone number, a name and last four digits of the social security number (SSN) or any other service that pre-populates consumer data. This activity does not meet the requirements of consumer-supplied consent. Some organizations have tried to bypass this with specific consumer consent or confirmation, but according to regulators, this does not make the practice acceptable. This practice instead makes it easier for fraudsters to steal information and create fraudulent accounts.
2. Consumer credentials extracted from a document via barcode or MRZ are a second category that has been called out as unacceptable. This was a surprising call-out as it has long been considered an acceptable practice to use documents to verify identity. This new trend does not disallow the use of documents but instead still requires consumer information to be entered by the customer with comparison to the documents as verification.
3. Internal database prefill. In a surprising addition, regulators also called out prefilling existing customer information from internal records. That means a current customer that is adding an additional account relationship would need to input all their personal information as opposed to data being prefilled from previous records.

Even though the recent regulatory comments were directed to banks, these banks are the backbone behind fintech and other expanded financial services providers. The role of banking is, and likely always will be, a critical part of the fintech and technology providers, since bank charters are necessary to accept deposits and provide financial services to consumers in the US.

Regulatory Action is On the Horizon

Currently FinCEN is considering policy changes for financial crime detection. A big part of their focus has centered around identity verification and the pervasiveness of digital and stolen identities. Let’s hope the focus of the new policy includes processes and safeguards that make it more difficult for identity thieves and money launderers to get into these financial systems.

As we move forward and await changes, these initial directional changes indicate that more regulatory action is on the horizon. One thing is clear, there will be more rigor applied to CIP programs in the coming months and years and “prefill” appears to not be the onboarding shortcut many hoped it would be.

Despite prefill tactics coming under greater regulatory scrutiny, you can still achieve seamless onboarding of good customers while meeting regulatory requirements.

How to Enable Safe, Seamless Digital Onboarding

Socure’s KYC solution can automate your KYC/CIP program, enabling you to auto-approve up to 98% of customers while satisfying compliance requirements. Socure KYC is powered by the industry-leading ID graph and uses advanced AI/ML and search analytics to achieve the highest match accuracy in the industry including Gen Z and underserved consumers. This means you capture more of the customers you need to grow your business, while meeting regulatory scrutiny.

To learn more about how Socure can help your organization achieve compliance while reducing consumer friction at onboarding, request a demo today.