We use a third party vendor that prepares credit reports on our loan applicants. Sometimes the reports show multiple names and addresses associated with the applicant’s social security number under “SSN Validation.” Our customers disclaim any knowledge of these names and addresses, and the other information on their reports appears to be accurate. The report does state that its information cannot be used “in establishing a customer’s eligibility for credit, residence, or employment.” Should we require the customers to contact the credit bureaus or certify in writing that they are unaware of who these people are, or is there other information we should require?

From what you have told us, it appears that you are describing a vendor’s proprietary report and not a credit report issued by a credit bureau. If so, it is possible the additional names and addresses are being provided as part of your vendor’s process for validating an applicant’s social security number (which may be why the report states this information should not be used to establish the applicant’s credit eligibility). We recommend following up with your vendor, who should provide more context to help you interpret these entries.

Depending on what you learn from your vendor, you also may wish to recommend to affected applicants that they submit a dispute to the credit bureaus to remove the incorrect names and addresses. In cases where identity theft appears possible, you also could recommend to applicants that they freeze their credit reports. In appropriate cases, you also might find it prudent to ask applicants to certify in writing that they have no knowledge of these names and addresses. In extreme cases, you may find it necessary to follow your procedures for suspicious activity reporting.

For resources related to our guidance, please see:

  • Regulation V, Appendix J, Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation (Examples of red flags include: “(10) Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor . . . (12) Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer . . . . (14) The SSN provided is the same as that submitted by other persons opening an account or other customers. . . .”)

  • Regulation V, Appendix J, Interagency Guidelines on Identity Theft Detection, Prevention, and Mitigation (Examples of appropriate response to red flags include: “(a) Monitoring a covered account for evidence of identity theft; (b) Contacting the customer; . . . (e) Not opening a new covered account; . . . (h) Notifying law enforcement; or (i) Determining that no response is warranted under the particular circumstances.”)

  • FinCEN Rules, Reports by banks of suspicious transactions, 31 CFR 1020.320(a)(2) (“A transaction requires reporting under the terms of this section if it is conducted or attempted by, at, or through the bank, it involves or aggregates at least $5,000 in funds or other assets, and the bank knows, suspects, or has reason to suspect that: (i) The transaction involves funds derived from illegal activities or is intended or conducted in order to hide or disguise funds or assets derived from illegal activities (including, without limitation, the ownership, nature, source, location, or control of such funds or assets) as part of a plan to violate or evade any Federal law or regulation or to avoid any transaction reporting requirement under Federal law or regulation.”)