Compliance Blog

Jul 24, 2023
Categories: BSA

To Destroy or Not to Destroy? That is the Question

Do you ever think about how many places have a copy of your ID stored somewhere in their database? I can’t even begin to count the number of times I have uploaded a copy of my ID and submitted it online. I definitely have never once asked anyone I’ve submitted any form of ID to if and when they will delete it. But you’re a member of NAFCU so your members won’t have to worry about that.

In May 2018 Congress passed the Economic Growth, Regulatory Relief and Consumer Protection Act which was intended to improve and protect consumer access to mortgage credit; provide regulatory relief to financial institutions; and protect veterans, consumers, and homeowners. The act contains a particular provision about keeping copies of IDs when obtained through online activity in section 213 that I want to discuss because I recently got a question on it, and it made sense to provide some clarity to other compliance professionals.

Before we dive in, Congress’ intent in passing this Act was to make it easier for credit unions to open accounts online because some states prohibited the copying or scanning of a member’s ID. Section 213 preempts any directly conflicting state law provision, allowing credit unions to streamline their online account opening process.

It is important to note that section 213 only addresses online activity rather than accounts, services, or products obtained by members in person at a credit union’s branch.

Section 213 allows credit unions to record personal information from a driver's license or identification card as well as make a copy and retain that information in electronic format for any of the purposes described below:

In the same section, there is a provision that explains that financial institutions must permanently destroy the copy/image after using it for one of the above purposes. I know you're probably thinking that isn't possible because you need to retain a copy of IDs for BSA CIP purposes. Well, that is not exactly true, while BSA requirements for a credit union’s CIP may require that a photo ID be obtained, section 1020.220(a)(2)(ii) of FinCEN’s BSA regulation does not appear to require that a copy be made or kept. The BSA rules simply require a description of the documents relied upon to be documented, such as documenting the “type of document, any identification number contained in the document, the place of issuance and, if any, the date of issuance and expiration date.”

Another important thing to note is that it is against federal law to photocopy a US government or military ID. As mentioned above, other limitations on the use of a member’s ID may come from your state law so the credit union may need to consult with local counsel regarding whether or not there are additional limitations to the scanning/copying of a member’s ID when opening an account physically at the branch.

Section 213 expands credit unions’ ability to open accounts through online processes while protecting consumers’ personal information. If credit unions have questions about this topic or any other compliance issue, reach out to NAFCU at

📣 Sessions are open now! Join NAFCU's BSA School On-Demand and/or Risk Management Seminar On-Demand to unlock comprehensive training from anywhere.