I'm trying to establish a process for clearing extended fraud alerts on online loan applications when a phone number is not included in the alert. My understanding of FIL-22-2006 leads me to believe the application cannot be declined without first taking reasonable steps to identify the applicant so there's not a Reg. B violation.

I'd like to confirm that my interpretation is correct and if so, what I should consider reasonable steps when I can't utilize any of the information contained on the application because it could be fraudulent.