Conventional wisdom among lenders is that you shouldn’t decline an application for credit based on an identity suspected as being fraudulent, because it would create an obligation under the Fair Credit Reporting Act (FCRA) to provide an adverse action notice (AAN).
As a consequence, many lenders feel obligated to continue the process of reviewing an application through a seemingly endless cycle of verification before eventually abandoning the application as incomplete, even when the applicant is strongly suspected of being fraudulent.
I believe this is unnecessary, and we support our partners’ right to reject an application immediately based on unresolved identity defects without issuing an adverse action notice.
Going into the legal analysis is not going to endear me to readers - suffice to say there have been several cases on this issue. The most relevant is Kidd v Thompson Reuters Corp. (925 F.3d 99 (2d Cir. 2019)), in which identity information provided by Thompson Reuters CLEAR and factored into a decision to reject an application was regarded as being outside the scope of the FCRA, and did not require an AAN. The other case, Cortez v TransUnion (617 F.3d 688, 703-05 (3d Cir. 2010)) determined that identity information provided by TransUnion (a consumer reporting agency) in conjunction with a credit report was subject to the FCRA. SentiLink is not a consumer reporting agency and does not provide information on creditworthiness, and so the Cortez case is not relevant to the scenario experienced by SentiLink partners.
When you think about it, this is completely logical. Identity determination and eligibility are conceptually discrete and indeed sequential. How can you determine someone’s creditworthiness if you don’t know who they are? There are also strong policy arguments in favor of this approach. The FCRA implicitly assumes that the consumers addressed under the Act are the consumers they purport to be, and is intended to provide consumers with the information they need to improve their eligibility for credit. In addition, the application of the FCRA to identity verification and fraud prevention services would allow fraudsters to troubleshoot and improve their schemes, by providing them with actionable information about how their frauds were detected.
And this is conceptually consistent with the CIP Rules and the FTC’s Red Flag Rule, which essentially require a financial institution to reject an applicant for credit if the identity of the applicant cannot be sufficiently determined.
As is often the case, a diagram can assist with understanding this process.
It’s worth noting that while the process of subjecting a suspected fraudster to additional identity checks is optional, it is often desirable for two reasons: (1) because it allows false positives to verify their legitimacy, providing incremental customer acquisition opportunities, and (2) it supports and substantiates the fact that the decision to reject the application is being taken purely on the basis of defects in identity, and without regard to eligibility considerations. The eCBSV solution offered by the Social Security Administration provides a useful secondary identity check, as does the verification of a government-issued identity.
Every business transacting online wants to optimize the efficiency of its processes, and regulatory optimization is an overlooked tactic. Being able to reject fraudulent applicants without issuing AANs will reduce fraud and relieve banks and lenders from the effort of evaluating known fraudulent applications for creditworthiness.
James Cook is General Counsel of SentiLink, where he has been leading the legal function since 2019. James has served as General Counsel for hyper-growth B2B SaaS start-ups since 2008, including 5 years supporting identity verification and fraud technology providers.