Blog post

Navigating eCBSV's Audit Requirements

Jason Kratovil

Published

February 13, 2023

eCBSV Audit Requirements

Incorporating eCBSV into your fraud mitigation workflow means accepting a unique set of regulatory challenges. This includes periodic audits to ensure compliance with the eCBSV User Agreement. As both a past user of the legacy paper-based CBSV system and the longest-tenured user of the eCBSV, SentiLink has an unparalleled deeper understanding of the idiosyncrasies that must be managed in order to meet the requirements necessary to pass an audit.

The following guide is intended to provide insight into the two main components of the audit process for financial institutions accessing eCBSV via API and collecting consent electronically: The transaction audit, and review of policies and procedures. It is accurate as of this writing (February 2023). Compliance teams should evaluate the requirements of the User Agreement independently and, where appropriate, with their eCBSV service provider.

Two notes to begin:

  • SSA has granted very broad latitude to its external audit firm to interpret the eCBSV User Agreement at its own discretion. As a result, many aspects of the eCBSV audit appear subjective and, to a degree, fluid. This ambiguity and uncertainty can be especially challenging for compliance teams at financial institutions used to oversight by prudential regulatory agencies and a different level of certainty.

  • It is critically important to establish a coherent process and set of expectations for sharing information and data (i.e., who is providing what, and how) with your service provider. Maintaining open communication throughout the audit process is the most effective way to minimize the risk of surprises, given the ambiguities discussed above.

 

The eCBSV Transaction Audit

A major component of each eCBSV audit is a review of specific transactions. SSA will select a random sample of several dozen transactions that occurred during the audit period for closer inspection, focused on documenting the digital trail for each. This may also include a selection of duplicate transactions (i.e., where it appears to SSA that the same name/DOB/SSN combination was submitted multiple times, usually within a short time period).

Additionally, SSA will select a small subset of the transactions from the above sample for an even more granular review. In most cases, it will be necessary for your service provider to provide detailed database records to satisfy this portion.

There are four main pieces of data that, in our experience, combine to form the most solid audit trail:

  1. Timestamps. Generally, for each transaction, timestamps reflecting every important moment, in the correct sequence, of that transaction's journey should be logged. This can include the timestamp of consent received from the consumer, to the call to eCBSV, to eCBSV response received, and anything else you or your service provider tracks.

  2. Transaction IDs: Also in coordination with your service provider, it is recommended to provide your unique transaction ID. SSA will provide their UIDs for each transaction, but to help complete the audit trail, evidence of your own transaction ID is important.

  3. The consumer's IP address. Again, it is imperative to link the specific eCBSV request to a specific consumer and their application.

  4. The Specific Purpose. Every eCBSV request must be predicated on a Specific Purpose as they are defined in the federal Fair Credit Reporting Act (FCRA). Every eCBSV transaction must be associated with the exact purpose for which consent was received. The audit trail must show a clear connection between the specific purpose for which consent was received and the transaction.

 

Audit of processes, policies and procedures

In addition to reviewing a selection of transactions, the audit will also examine a variety of relevant documentation and business practices that are directly (or indirectly) related to the use of eCBSV and the processing and retention of eCBSV results. The list of requested items is long, and includes:

  • Data Protection, Retention and Access Management policies. This includes internal data protection policies and procedures that are shared with employees engaged with the eCBSV process. It is advisable to include explicit reference to eCBSV terms of art, including "Written Consents" (which is the broad term that encompasses electronic consent as well as paper) and "SSN Verifications" (which refers to the actual API data returned from the eCBSV).

  • Internal org charts and job descriptions of employees involved with eCBSV operations, and with access to results and written consents.

  • Disaster recovery policy.

  • Any managed service or cloud service provider policy that the partner uses in any way (storage, processing, etc) with eCBSV, if applicable.

 

While the eCBSV presents a unique and challenging set of audit requirements, use of the system has proven an effective step-up strategy to help mitigate synthetic identity fraud and approve more legitimate consumers. Having a clear appreciation for the unique requirements presented by the audit process, and establishing a clear division of labor with your service provider, will help offset these challenges.

Share

Learn how we can help.

Schedule a demo with a fraud expert and evaluate our solutions.