A Quarterly Publication from Wayne Barnett Software
Volume 99, 4th Quarter 2025
The BSA Examiner is a quarterly newsletter published by Wayne Barnett Software. If you have a question to ask or a story to tell (we promise anonymity), please call us at 469-464-1902.
Case #1—FinCEN Alternative Collection Method to Obtain TIN
The Case:
A long-time customer of a Midwestern community bank walked into a branch shortly after her husband passed away unexpectedly. She needed to open an account in her own name to receive survivor benefits and begin managing household finances on her own.
She was shaken, overwhelmed, and missing paperwork — including her Social Security card. Under older interpretations of Customer Identification Program (CIP) requirements, the conversation might have ended quickly: “Please come back when you have your documents.”
Instead, the banker took a different approach.
Because the bank already had a long-standing relationship with the customer, the banker was able to:
- Access existing verified customer records
- Confirm identity through internal systems
- Use trusted third-party verification tools
- Walk the customer through reviewing and confirming pre-filled information
The account was opened the same day. No shortcuts were taken. No rules were broken. But the process was human.
Later, the customer wrote a handwritten note thanking the bank — not for speed or convenience, but because “you treated me like a person when I needed it most.”
Why this matters now:
In 2025, FinCEN issued an order granting an exemption allowing banks to use alternative collection methods to obtain Taxpayer Identification Number (TIN) information from third parties rather than directly from the customer, provided the bank otherwise complies with the CIP Rule under section 326 of the USA PATRIOT Act. Banks must still:
- Obtain TIN information prior to account opening
- Base procedures on assessed risk
- Form a reasonable belief they know the true identity of each customer
In addition, the FDIC issued FIL-39-2025, clarifying that pre-populated customer information may be treated as information “from the customer” if:
- The customer can review, correct, update, and confirm the information, and
- The bank’s process allows it to form a reasonable belief as to the customer’s identity based on risk
Stories like this are why the 2025 FinCEN and FDIC guidance matters. These updates do not weaken identity requirements — they recognize that banks can meet them in ways that reflect modern banking relationships, technology, and real customer needs.
For additional regulatory detail, see the FDIC Financial Institution Letters page.
Case #2—A Cautionary Bank Tale
At Smarter Faster Payments Remote Connect 2025, William Mills, VP of Deposit and ACH Operations at Premier Banks, shared a real-world story that illustrates why the new NACHA rules matter.
A branch manager flagged a suspicious ACH transaction: a $40,000 ACH credit posted to a personal account that previously showed only small debit card activity such as Venmo and PayPal transactions.
Upon review, the account displayed classic “kiting” indicators — small deposits followed by nearly identical small withdrawals repeated many times. This pattern is a well-known red flag for fraud, often associated with mule accounts or unauthorized credits.
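The two red flags in this story, near-identical in-and-out activity and a credit far outside the account's normal profile, can be expressed as a simple screening rule. The sketch below is an added illustration, not code from Premier Banks, NACHA, or any vendor; the sample ledger, function names, and thresholds (5% amount tolerance, two-day window, 20x the median credit) are assumptions chosen for the example.

```python
from statistics import median

# Constructed sample ledger for one personal account: (day, kind, amount).
# All values are invented for illustration.
HISTORY = [
    (1, "credit", 50.00), (1, "debit", 49.50),
    (3, "credit", 75.00), (4, "debit", 75.00),
    (6, "credit", 40.00), (6, "debit", 39.00),
    (9, "credit", 60.00), (10, "debit", 60.00),
    (12, "credit", 55.00), (13, "debit", 54.00),
]

def mirrored_pairs(history, tolerance=0.05, max_gap_days=2):
    """Count credits matched by a near-identical debit shortly afterwards."""
    debits = [(d, a) for d, k, a in history if k == "debit"]
    used, pairs = set(), 0
    for day, kind, amount in history:
        if kind != "credit":
            continue
        for i, (d_day, d_amt) in enumerate(debits):
            if i in used or not (0 <= d_day - day <= max_gap_days):
                continue
            if abs(d_amt - amount) <= tolerance * amount:
                used.add(i)  # each debit can mirror only one credit
                pairs += 1
                break
    return pairs

def review_incoming_credit(history, credit_amount, min_pairs=4, profile_multiple=20):
    """Return the red flags raised by a new incoming ACH credit."""
    flags = []
    credits = [a for _, k, a in history if k == "credit"]
    pairs = mirrored_pairs(history)
    # Indicator 1: most deposits are cycled straight back out.
    if credits and pairs >= min_pairs and pairs / len(credits) >= 0.8:
        flags.append("mirrored_in_out")
    # Indicator 2: the credit dwarfs what the account normally receives.
    if not credits:
        flags.append("no_history")  # nothing to compare against; route to review
    elif credit_amount >= profile_multiple * median(credits):
        flags.append("out_of_profile_credit")
    return flags

if __name__ == "__main__":
    print(review_incoming_credit(HISTORY, 40000.00))
```

A real monitoring program would tune these thresholds to the institution's own risk assessment and account types rather than use fixed values.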
What changed — and why:
These NACHA rule updates respond to a major shift in fraud trends. Instead of traditional debit fraud, criminals increasingly rely on credit-push fraud, where victims are tricked into authorizing payments through:
- Business Email Compromise (BEC)
- Payroll impersonation
- Vendor and invoice scams
Once the credit is sent, funds move quickly and are difficult to recover. This surge in sophisticated fraud led NACHA to strengthen its operating rules.
Key NACHA Rule Updates
- Strengthened Fraud Monitoring (March & June 2026)
  Originators, ODFIs, and third-party service providers must implement risk-based monitoring to detect unauthorized or fraudulently induced ACH entries.
  - Phase 1: March 20, 2026 (high-volume participants)
  - Phase 2: June 22, 2026 (all participants)
- RDFI Credit Monitoring (2026)
  Receiving banks must now proactively monitor incoming ACH credits — a significant shift from historical practice.
- Standardized Company Entry Descriptions (March 20, 2026)
  Entries such as payroll and e-commerce must use standardized descriptions (e.g., “PAYROLL,” “PURCHASE”) to improve detection accuracy.
- Faster Funds Availability (September 18, 2026)
  Standard ACH credits must be available by 9:00 a.m. local time on settlement date, eliminating the old 5:00 p.m. cutoff.
- International ACH Transaction (IAT) Clarifications
  Updates clarify IAT definitions and improve contact registration requirements for cross-border payments.
Why stories like this matter:
This wasn’t an isolated incident. It highlights systemic gaps that fraudsters exploit:
- Unusual patterns go unnoticed
- Monitoring responsibilities are unclear
- Funds move before fraud is detected
NACHA’s updated rules aim to close those gaps by making fraud prevention proactive, documented, and risk-based — not just a best practice.
Barnett Software’s Suspicious Activity Monitor (SAM) continuously analyzes incoming and outgoing ACH activity against historical behavior, modeling what “normal” looks like and flagging deviations — exactly what the updated NACHA rules call for.
If you like the commonsense stories and guidance we share in our newsletters, you’ll love our easy-to-use software. We are Wayne Barnett Software.
We’re not a big company, but our products compare nicely with Verafin, Abrigo, and the others.
You can contact us at rrigdon@barnettsoftware.com or 469-464-1902. Thanks for reading our newsletter.

