FWIW, I agree with your skepticism. If a FI is going to pull credit reports on deposit customers, it should have guidelines as to the circumstances in which the report will be obtained and used. To me it seems that management is back-pedaling in their response. If they are pulling the report for a legit purpose, such as an account that is OD, that would be OK, but if they are pulling reports for cross-selling purposes, then that needs to be addressed immediately. Personally, I would ask for documentation such as policies and procedures for their practice. If they seem hastily written, or you get an electronic file that shows as created or modified after you presented your finding, it would definitely raise my concerns.
I've just writed a wrong.