For those of you wondering if you should be looking at this internally, I would suggest you review the Interagency FCRA Examination procedures. The regulatory examiners will be looking, that is for sure:
Institution Procedures. Given the preponderance of electronically available information and the growth of identity theft, financial institutions should manage the risks associated with obtaining and using consumer reports. Financial institutions should employ procedures, controls, or other safeguards to ensure that consumer reports are obtained and used only in situations for which there are permissible purposes. Access to, and storage and destruction of this information is dealt with under an institution’s Information Security Program; however, obtaining consumer reports initially must be done in compliance with the FCRA.
Section 604 Permissible Purposes of Consumer Reports and
4. Evaluate the institution’s procedures to ensure that consumer reports are obtained only for permissible purposes. Confirm that the institution certifies to the consumer reporting agency the purposes for which it will obtain reports. (The certification is usually contained in a financial institution’s contract with the consumer reporting agency.)
5. If procedural weaknesses are noted or other risks requiring further investigation are noted, such as the receipt of several consumer complaints, review a sample of consumer reports obtained from a consumer reporting agency and determine whether the financial institution had permissible purposes to obtain the reports.
• For example, obtain a copy of a billing statement or other list of consumer reports obtained by the financial institution from the consumer reporting agency for a period of time.
• Compare this list, or a sample from this list to the institution’s records to ensure that there is a permissible purpose for the report(s) obtained. This could include any permissible purpose, such as the consumer applied for credit, insurance, or employment, etc. The financial institution may also obtain a report in connection with the review of an existing account.
The opinions expressed here should not be construed to be those of my employer: PPDocs.com