The Office of the Comptroller of the Currency (OCC) has issued an update that could significantly reshape how financial services organizations approach customer onboarding. On June 27, Acting Comptroller Rodney Hood announced a new exemption to the Customer Identification Program (CIP) requirements, a move that reflects the OCC’s intention to align regulatory expectations with technological advancement and practical realities in financial services.
Financial services organizations can take steps now to assess the implications of the exemption and remain compliant while taking advantage of new flexibility.
The CIP rule, originally established under the USA PATRIOT Act and codified in the Bank Secrecy Act (BSA), requires financial services organizations to implement reasonable procedures to verify the identity of individuals opening accounts. Traditionally, this verification process has included collecting specific information, such as name, date of birth, address, and identification number, at the time of account opening.
The OCC’s recent exemption introduces an alternative from this rigid framework. It allows organizations to adopt alternative customer identification methods under certain conditions, particularly when traditional methods are deemed impractical, ineffective, or potentially burdensome. This adjustment is especially relevant in digital-first contexts, remote banking environments, and scenarios involving underserved populations that might lack conventional identity documents.
While the exemption supports innovation, it does not eliminate the requirement to maintain robust anti-money laundering (AML) and countering the financing of terrorism (CFT) controls. Instead, the focus shifts from how identification is confirmed to whether the method used effectively mitigates AML and CFT risks.
This evolving regulatory landscape provides financial services organizations with opportunities to modernize their customer identification processes, strengthen innovation and efficiency, and reinforce the necessity of rigorous risk management and compliance practices. Organizations should consider the following key areas as they adapt to increased flexibility in customer onboarding.
Enhanced flexibility in customer onboarding. Financial services organizations might now have more flexibility to rely on a broader spectrum of identity verification tools. Such tools could include:
This flexibility can reduce friction in the onboarding process, enabling faster customer acquisition, improved user experience, and greater accessibility, especially for remote or international clients.
Reassessing risk management protocols. With greater freedom comes increased responsibility. The exemption places the burden on organizations to demonstrate that alternative verification methods are equally effective in detecting and deterring money laundering and terrorist financing. Organizations must therefore revisit their risk assessment frameworks, incorporating the following elements:
Risk-based approaches must remain dynamic and responsive to the organization’s evolving customer base and technological environment.
Operational and policy adjustments. The new CIP requirements exemption necessitates a formal update of internal policies, including:
Additionally, team members should be trained not only on the technical use of new identity verification tools but also on the regulatory rationale and risk implications behind them.
Continued emphasis on regulatory compliance. Despite the innovation in method, the core expectations of the BSA remain intact. Organizations must retain comprehensive records of their identification processes and provide evidence of due diligence during regulatory examinations. Key recordkeeping obligations include:
Failing to comply with these obligations might result in penalties, reputational harm, or even enforcement actions, particularly if lapses lead to illegal activities slipping through compliance nets.
To realize the benefits of the new CIP requirements exemption while minimizing downside risk, organizations should adopt a strategic and methodical approach. Following are four key recommendations.
Conducting comprehensive risk assessments. Start by performing a review of the risk landscape associated with the use of alternative identification methods. This review includes:
Organizations should consider developing a CIP exception matrix and documenting when and why alternative methods are permitted and under what conditions.
Proactively engaging with regulatory authorities. Proactive communication with regulators, such as the OCC, the Federal Deposit Insurance Corp., the Federal Reserve Board, and the National Credit Union Administration, will be critical to successful implementation. Financial services organizations could:
Establishing a transparent, two-way dialogue helps to reduce misalignment and builds trust with supervisory agencies.
Using technology investments thoughtfully. Technology is central to this exemption, but organizations must vet vendors and platforms rigorously. Organizations should prioritize:
Additionally, organizations can consider investing in AI-powered transaction monitoring, which complements identity verification by detecting suspicious behaviors after onboarding.
Establishing robust monitoring and review mechanisms. The exemption is not a one-time implementation. It’s an ongoing compliance obligation. Organizations should consider:
Feedback loops should inform regular updates to policies and procedures to support adaptability in the face of new threats or changes in the regulatory landscape.
The OCC’s move is consistent with a broader regulatory shift toward innovation and digital enablement in financial services. It is in line with similar international trends, such as:
This harmonization offers opportunities for cross-border onboarding and global identity solutions, reducing barriers for underbanked populations and promoting financial inclusion. It also might give U.S. organizations a competitive edge in global fintech partnerships and embedded finance ecosystems.
However, this progress must not come at the cost of vigilance. Cyber fraud, synthetic identities, and deepfake technologies are rising threats that make robust implementation and ethical technology use more essential than ever.
The new CIP requirements exemption warrants that organizations thoughtfully balance regulatory rigor and operational agility. By embracing innovation while staying anchored to strong compliance principles, financial services organizations can improve customer experience, expand access, and fortify trust.
As this regulatory landscape evolves, the organizations that succeed will be those that approach the exemption not as a loophole but as an opportunity to build a more resilient, risk-aware, and inclusive financial ecosystem.