Are your employees following permissible purpose compliance rules? The answer might surprise you.

Consumer credit reports play a central role in many bank activities. First, your bank uses them to help determine eligibility for loans. You likely also use them in the course of servicing these loans to extend additional lines, for collection purposes and even for employment purposes when hiring.

There are various requirements and rules surrounding the use of these reports, including those laid out in the FCRA, FACT Act, ECOA, any applicable state laws or other provisions stipulated by your credit agency agreements. Because of those demands, your bank has strict written policies and procedures in place to ensure there are no compliance issues that might result from violating those regulations.

In many cases, written policies and procedures are not followed by each employee, and are only the first step in mitigating the risk involved in managing the access, use, storage and destruction of consumer credit reports. You also need to enact prudent processes and controls that support the bank’s written policies and procedures and assure that personnel in all departments, branches and remote locations adhere to company policies and procedures.

Assuring that all users of credit reports accessed in the bank’s name are strictly following the bank’s policy and procedures is critical. Check to make sure that:

• Everyone within your institution understands the limitations on pulling credit reports and does not deviate from your procedures.
• The permissible purpose for pulling a credit report is apparent from your documentation.
• To guard against fraud or violations of FCRA, compare the list of credit reports you are billed for with those that you know were requested.

Field Protection

For many banks, ensuring credit report compliance is a daunting task. Access to credit reports may not be centralized and might be spread out within the organization. Access may exist at the branch level in multiple states or even at the individual user level. This is especially true within many mortgage-lending departments where loan officers have access to credit reports "in the field."

If your bank allows access to credit data by its loan officers while they are away from the office, you can implement an additional security layer by having security questions built into the loan origination system (LOS) used to access credit reports and make sure loan officers answer them before granting access to credit data. These questions can focus on information that only the consumer would be prepared to answer, and that would not be generally available except through the direct questioning of the specific consumer whose credit file is being accessed.

LOS Additions

If your bank accepts phone applications and allows access to a consumer credit file without a signed application, the security question process can be combined in the LOS with "screen shot" data obtained from the consumer, which can be stored as proof of permissible purpose and consumer authorization to access their credit file. This can come in quite handy if your bank is audited and you are asked to prove you had a permissible purpose for accessing a consumer’s credit file or if a consumer disputes that they gave your bank authorization to access their credit file.

It is also important to ensure confidential data is not released improperly. Once the credit file is accessed, the loan officer uses the data in the credit file to confirm the consumers’ identity before discussing or releasing credit data over the phone. Having processes and controls in place to assure that your institution does not release or discuss credit data with the wrong person is critical to your operation.

These developments and LOS additions can guarantee that all of your bank’s employees strictly adhere to the bank’s policy and procedures, whether you have one or 1,000 employees with access to credit data in your bank’s name.

Larry Avery is director of sales and marketing at Birchwood Credit Services, North Conway, N.H.  Email: avery.bcsrep@comcast.net