Be Careful: That Unusual Request for a Credit App may be Legitimate

Have you ever had a request by your provider of credit reports to produce a copy of a signed credit application to justify your request for the report? If so, you probably thought it was bogus. You may have thought it was a scam artist, or an identity thief, or even the customer’s brother in law. However, it might have been legitimate.21610405

We have received information that the Consumer Financial Protection Bureau is auditing credit reporting services and their contractors to determine whether credit reports supplied to retailers were legitimately requested under the Fair Credit Reporting Act. The service from whom you requested the credit report may contact you to obtain the information necessary to show that authorization.

However, should you be responding to a phone call? We suggest not. When you get a phone call, you do not know who is calling. Most credit reporting agencies and their contractors have an agreement with retailers allowing them to check records. However, any attempt by a provider to audit authorizations should come in a form that allows you to verify that it is a legitimate request. Here are some things to keep in mind.

  • As we have written repeatedly, always have a customer sign an authorization for a credit report. A signed authorization is not required under the law – only a business purpose in connection with the extension of credit. However, how do you prove that? The signature of a consumer on an authorization for a credit report is the best way. We are regularly asked about phone calls, fax inquiries and other credit related requests from consumers who are not in the showroom. Those should go through your secure internet portal. These days, anyone who can afford to buy a car probably has internet access. Have the person verify the request through a secure internet portal.
  • Keep all authorizations for five years. That means you must keep not only authorizations on deals you deliver (you will probably keep those in your deal files anyway), but you must keep them on deals not completed. The statute of limitations for a violation of the Fair Credit Reporting Act is two years from the discovery of wrongdoing up to five years. So keep authorizations, whether for delivered deals or dead deals, for five years.
  • From time to time compare your authorizations to your credit bureau bill to make sure you are getting authorizations for every report for which you are billed. If you cannot match up credit reports for which you are billed with authorizations, find out why and fix any problems.
  • If you get a request for a signed authorization from someone who claims to be from a credit reporting agency or from a contractor for the provider with whom you do business, verify it. The best way to do that is to demand the request in writing identifying:
    • The identity of the person seeking the information
    • The authority by which the person claims to have access to the information
    • The purpose for the request.
    • Identification of the person whose report was accessed, by full name, social security number, and date of access.
  • If you get requests for authorizations, consider whether you have a problem. Audit your own processes to make sure that reports are only run based upon written authorization of a customer.