Incorporating eCBSV into your fraud mitigation workflow means accepting a unique set of regulatory challenges. This includes periodic audits to ensure compliance with the eCBSV User Agreement. As both a past user of the legacy paper-based CBSV system and the longest-tenured user of the eCBSV, SentiLink has an unparalleled understanding of the idiosyncrasies that must be managed in order to meet the requirements necessary to pass an audit.
The following guide is intended to provide insight into the two main components of the audit process for financial institutions accessing eCBSV via API and collecting consent electronically: the transaction audit, and the review of policies and procedures. It is accurate as of this writing (February 2023). Compliance teams should evaluate the requirements of the User Agreement independently and, where appropriate, with their eCBSV service provider.
Two notes to begin:
The eCBSV Transaction Audit
A major component of each eCBSV audit is a review of specific transactions. SSA will select a random sample of several dozen transactions that occurred during the audit period for closer inspection, focused on documenting the digital trail for each. This may also include a selection of duplicate transactions (i.e., where it appears to SSA that the same name/DOB/SSN combination was submitted multiple times, usually within a short time period).
Additionally, SSA will select a small subset of the transactions from the above sample for an even more granular review. In most cases, it will be necessary for your service provider to provide detailed database records to satisfy this portion.
There are four main pieces of data that, in our experience, combine to form the most solid audit trail:
Timestamps. Generally, for each transaction, timestamps reflecting every important moment of that transaction's journey should be logged, in the correct sequence. This can include timestamps for consent received from the consumer, the call to eCBSV, the eCBSV response received, and anything else you or your service provider tracks.
Transaction IDs. Also in coordination with your service provider, it is recommended to provide your unique transaction ID. SSA will provide their UIDs for each transaction, but to help complete the audit trail, evidence of your own transaction ID is important.
The consumer's IP address. Again, it is imperative to link the specific eCBSV request to a specific consumer and their application.
The Specific Purpose. Every eCBSV request must be predicated on a Specific Purpose as defined in the federal Fair Credit Reporting Act (FCRA). Every eCBSV transaction must be associated with the exact purpose for which consent was received. The audit trail must show a clear connection between the specific purpose for which consent was received and the transaction.
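The four data points above, together with the duplicate submissions SSA may sample, can be checked ahead of an audit with a short self-check over your own transaction log. This is an added example, not SentiLink's or SSA's code; the field names, the `identity_key` (an opaque stand-in for the name/DOB/SSN combination), the five-minute duplicate window and the sample records are all assumptions.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address

# Field names are hypothetical; the guide names the data points, not a schema.
STAGES = ("consent_at", "request_at", "response_at")  # expected order
FIELDS = ("our_txn_id", "ssa_uid", "consumer_ip", "consent_purpose", "request_purpose")

def audit_gaps(rec):
    """Return the audit-trail gaps found in one transaction record."""
    gaps = [f"missing {f}" for f in FIELDS + STAGES if not rec.get(f)]
    try:
        times = [datetime.fromisoformat(rec[s]) for s in STAGES if rec.get(s)]
        if len(times) == len(STAGES) and times != sorted(times):
            gaps.append("timestamps out of sequence")
    except (ValueError, TypeError):
        gaps.append("unparseable or mixed-timezone timestamp")
    if rec.get("consumer_ip"):
        try:
            ip_address(rec["consumer_ip"])
        except ValueError:
            gaps.append("consumer_ip is not a valid address")
    if rec.get("consent_purpose") != rec.get("request_purpose"):
        gaps.append("request purpose differs from consented purpose")
    return gaps

def duplicate_pairs(records, window=timedelta(minutes=5)):
    """Pair requests for the same identity made within `window` (assumed size)."""
    last, pairs = {}, []
    for rec in sorted(records, key=lambda r: datetime.fromisoformat(r["request_at"])):
        t = datetime.fromisoformat(rec["request_at"])
        prev = last.get(rec["identity_key"])
        if prev and t - prev[0] <= window:
            pairs.append((prev[1], rec["our_txn_id"]))
        last[rec["identity_key"]] = (t, rec["our_txn_id"])
    return pairs

def _rec(txn, key, ip, consented, requested, consent_s, request_s, response_s):
    ts = lambda s: f"2023-02-01T10:{s // 60:02d}:{s % 60:02d}+00:00"
    return {"our_txn_id": txn, "ssa_uid": "ssa-" + txn, "identity_key": key,
            "consumer_ip": ip, "consent_purpose": consented, "request_purpose": requested,
            "consent_at": ts(consent_s), "request_at": ts(request_s), "response_at": ts(response_s)}
# Constructed sample records (placeholder IDs, purposes and documentation-range IPs).
SAMPLE = [
    _rec("t1", "id-1", "203.0.113.7", "PURPOSE_A", "PURPOSE_A", 0, 2, 3),
    _rec("t2", "id-1", "203.0.113.7", "PURPOSE_A", "PURPOSE_B", 95, 92, 93),  # consent after call
    _rec("t3", "id-2", "", "PURPOSE_A", "PURPOSE_A", 600, 601, 602),
]
if __name__ == "__main__":
    print([audit_gaps(r) for r in SAMPLE], duplicate_pairs(SAMPLE))
```

Records that return an empty list carry all four data points in a consistent order; anything else is worth resolving with your service provider before SSA draws its sample.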
In addition to reviewing a selection of transactions, the audit will also examine a variety of relevant documentation and business practices that are directly (or indirectly) related to the use of eCBSV and the processing and retention of eCBSV results. The list of requested items is long, and includes:
Data Protection, Retention and Access Management policies. This includes internal data protection policies and procedures that are shared with employees engaged with the eCBSV process. It is advisable to include explicit reference to eCBSV terms of art, including "Written Consents" (which is the broad term that encompasses electronic consent as well as paper) and "SSN Verifications" (which refers to the actual API data returned from the eCBSV).
Internal org charts and job descriptions of employees involved with eCBSV operations, and with access to results and written consents.
Disaster recovery policy.
Any managed service or cloud service provider policy that the partner uses in any way (storage, processing, etc.) with eCBSV, if applicable.
While the eCBSV presents a unique and challenging set of audit requirements, use of the system has proven an effective step-up strategy to help mitigate synthetic identity fraud and approve more legitimate consumers. Having a clear appreciation for the unique requirements presented by the audit process, and establishing a clear division of labor with your service provider, will help offset these challenges.