I recently completed a permissible purpose review by sampling credit reports ordered and trying to tie them back to an application for credit (renewal or extension of credit is all my bank should be using credit reports for). I ended up with a few where the employee responsible for pulling the report could not provide me with an application or with an existing loan that was subject to renewal. When reporting to management, I was given screen prints of DDA information for the consumer the credit report was obtained on and it was argued that it would not be a violation since the person was an existing customer. I understand their argument; however, I feel as though there should be something giving a reason for them pulling credit correct? Just because they have an account with us does not automatically give us the right to pull credit does it? Any ideas on how I can argue my point on this and, in your opinion, should this be a noted exception?

FWIW, I agree with your skepticism. If a FI is going to pull credit reports on deposit customers, it should have guidelines as to the circumstances in which the report will be obtained and used. To me it seems that management is back-pedaling in their response. If they are pulling the report for a legit purpose, such as an account that is OD, that would be OK, but if they are pulling reports for cross-selling purposes, then that needs to be addressed immediately. Personally, I would ask for documentation such as policies and procedures for their practice. If they seem hastily written, or you get an electronic file that shows as created or modified after you presented your finding, it would definitely raise my concerns.