Disposal of Credit Report Information
One of the FACT Act's new requirements is that creditors dispose of information obtained in a credit report in a timely fashion. As written into the law, the concept is to minimize the chances of information straying into the wrong place or being accessible to a thief.
The concept is a reasonable one. The less information that is lying about, the less chance of problems related to misuse of that information. It seems simple.
The challenge is that managing information is not easy. Information about a customer has many appropriate and necessary uses within a financial institution. This means that information from one or another source may travel to a number of locations in the process of providing service to the customer. An application for credit is reviewed often by more than one person. The request to open a deposit account may occur at the customer service desk, but the papers and information supporting the account will go to a variety of locations.
So far the new rule takes a fairly simplistic approach. It has the effect of making the rule look simple and straightforward. Unfortunately, we must deal with all the details, and that is where the difficulties are. When we map out this process, the new requirement is anything but simple and straightforward.
As with most compliance, the challenge is not the general concept, but the specifics of how to comply. When dealing with information, compliance discipline is not a comfortable fit. Bankers rely on information. It is a key part of underwriting and the decision to extend credit. Information is increasingly important in making the decision to open an account. Information about customers is something that financial institutions use actively. In fact, we couldn't do our job without it.
Because of its importance to the decisions about and management of products, it is easy to forget limitations and protections that should be in place. It is likely to be even more difficult to comply with the limitations.
The recent adventures with Y2K, privacy and information security have raised our sensitivities about information and information systems. In this context, the FACT Act rules are simply another step. And now we have to take it.
Let's look at some basic - and complicated - steps you should take.
- Map where and how information from credit reports resides and moves within your organization. Start with all individuals or business units with authority to obtain a credit report.
- Now map where, when and how that credit report moves. The credit report itself is subject to these disposal requirements. But note that it is also subject to record retention requirement of other laws such as ECOA and BSA.
- Next, look for all the ways that information from credit reports is picked up and used. Remember that the disposal requirement applies not only to the credit report itself, but also to information contained in the report. This means that you should look at loan work sheets, loan memos, and underwriting documents. And don't forget to look at loan officer notes. When a loan officer writes down a credit score, that is information from the credit report.
- Now look for some less obvious places that information from credit reports could be placed. For example, account opening documents, such as signature cards, may contain information that was obtained for purposes of CIP. Add these locations to your map.
- Now that you know where the information is, you should deal with the security question. For each location, evaluate the information security procedures.
- Now look at record retention requirement of other laws. This includes BSA, RESPA, and ECOA together with any state laws. Any records destruction program must consider the record keeping requirements of other regulations. Otherwise, you'll have violations.
- Establish a protocol for keeping essential information and disposing of non-essential information (without violating any record retention requirements.)
Copyright © 2004 Compliance Action. Originally appeared in Compliance Action, Vol. 9, No. 11, 10/04
First published on 10/01/2004