AARGH! I have been searching for half an hour now and can't find what I'm looking for. Perhaps someone can kick the cobwebs from my brain.

I remember years ago when rules about identifying customers and protecting identities came out, there was a specific ruling about not using SSNs as primary identifiers in electronic transactions, internet banking logins, etc.

I also know of banks who have been written up for this with internet banking and voice response systems.

Trouble is, I can't find the ruling or regulation and I'm trying to educate an internet banking vendor. Does anyone recall? Was it Reg E, FFIEC, CIP...?

I think it is limited to specific States, like California for one, where it is strictly prohibited. Otherwise, it is just considered a bad practice.

Aaahh... the last bank I worked with on this was a Massachusetts bank and Massachusetts tends to be very consumer friendly. Maybe that's why I can't find it. THanks.

I found this, which helps me for the time being. I'm posting it here in case anyone else is having the same issue and looks here in hopes of an answer.

http://www.mesirowfinancial.com/insurance/publications/updates/update_0906.pdf