You should be cross refrencing their application to what is on file on your core. For example, their SS, name, DOB, and other items- they also need to know their account numbers, and security questions if you set that up at the time of account opening. any differences should be investigated before access is granted.