
Identity Protection Is Consumer Protection

John Leitner, General Counsel (Product & Regulatory)

Published

June 23, 2025


SentiLink provides identity verification and fraud prevention services that our financial institution partners use to answer a seemingly simple but critical question about an application: “Who are you?” Our partners answer this question as a first step prior to answering subsequent questions, such as “Is this applicant creditworthy?” or “Is this applicant eligible for the financial product?” 

Verifying an identity as the first step of application review is supported by the intuitive principle that you can’t determine a person’s creditworthiness if you don’t know who they are. It is also deeply rooted in legal authority: the Fair Credit Reporting Act (FCRA) regulates when a “permissible purpose” exists to pull a credit report on a consumer, including “[i]n accordance with the written instructions of the consumer,” “in connection with a credit transaction involving the consumer,” or “[i]n connection with a business transaction that the consumer initiates.” Pulling a credit report is therefore not a decision to take lightly.

Further, the decision to pull a credit report should not be taken when an institution is not yet confident that the person applying is the same person who is described in the application, a point emphasized by the Consumer Financial Protection Bureau. Skipping identity verification raises the real possibility that the financial institution will pull credit without a permissible purpose. Because the application identity is not a real person, is not the correct identity, or is the identity of an identity theft victim, there is no legitimate consumer present to provide the permissible purpose. Underscoring the seriousness of this issue, litigation on alleged violation of consumers’ FCRA rights has frequently centered on alleged access and use of consumer reports without a permissible purpose.

Making matters worse, the institution may ultimately underwrite and approve a fraudulent application. Of course, no institution wants to open an account that is infected with identity fraud. The law doesn’t countenance it either. The Gramm-Leach-Bliley Act (GLBA) “red flags rule” requires banks to prevent and mitigate identity theft by using an adequate set of processes to detect “red flags”: the suspicious indicators that suggest an application or account is an instance of identity theft. 

Some of these red flags will expose the criminal activities of an identity thief who has opened or otherwise controls an account in the victim’s identity. Mitigating the harm by taking action on a fraudulent account is of course better than nothing. Better still is when the bank has well-tailored red flag detection systems at the point of application. 

To be effective, these detection steps must be applied before the bank moves to the “FCRA” portion of the application review process, where the financial institution determines the eligibility of an applicant. By that stage, the identity thief is well on their way to completing the crime. The thief can even manipulate and misuse FCRA’s consumer rights provisions to inflict more harm on the victim. For example, a thief who has successfully cleared identity verification but is denied at the eligibility stage will receive a “notice of adverse action” under the FCRA. While still impersonating the victim, the thief can seek to have credit report information removed or changed to improve the thief’s chances of defrauding the victim in future applications.

Sometimes an institution will ask SentiLink, “At what point do we need to start applying consumer protection rights to an application?” This question needs a bit of reframing: “When is a SentiLink partner protecting consumers through ‘red flags’ detection and other vital identity verification, and when is a partner protecting consumers by applying the requirements of the FCRA?” 

The answer: SentiLink helps its partners keep consumer protection at the center of identity verification by applying powerful fraud detection tools (such as SentiLink’s ID theft and synthetic scores, Facets, and other services). Our partners thereby impose a sturdy barrier to thwart identity criminals while efficiently verifying the identities of honest consumers. After verifying an application identity, the partner further protects consumers by proceeding to a separate eligibility review using non-SentiLink information governed by the FCRA. 

The end result is the optimal one: the institution verifies as many legitimate application identities as possible, and then is able to approve as many applications as possible that meet its eligibility requirements. And in the process, the financial institution satisfies the GLBA red flags rule and scrupulously follows the FCRA when it applies (but refrains from misapplying it when it does not).
