Q&A: Here’s a question that a Wisconsin credit union recently asked The League’s Legal Affairs team, along with our answer. Do you have a compliance question? Contact The League’s Compliance Hotline at (800) 242-0833 or email.
Q. While reviewing The League’s ii Release No. B041 regarding adverse actions, I noticed that there doesn’t seem to be any information about handling cases where the application is deemed fraudulent. Could you please provide some clarification or guidance on what steps we should take in such situations?
A. Unfortunately, there is no definitive answer in either Reg. B (the Equal Credit Opportunity Act rules) or in any available reference material.
Reg. B § 1002.9 requires an adverse action notice (AAN) when a creditor takes “adverse action” concerning a “completed application” submitted by an “applicant” in accordance with the creditor’s procedures.
The definitions of those terms (from Reg. B in § 1002.2 and its commentary) are all important:
- Adverse action means “a refusal to grant credit in substantially the amount or on substantially the terms requested in an application …” “If the applicant applied in accordance with the creditor’s procedures, a refusal to refinance or extend the term of a business or other loan is adverse action.”
- “Applicant means any person who requests or who has received an extension of credit from a creditor, and includes any person who is or may become contractually liable regarding an extension of credit.”
- “Application means an oral or written request for an extension of credit that is made in accordance with procedures used by a creditor for the type of credit requested. The term application does not include the use of an account or line of credit to obtain an amount of credit that is within a previously established credit limit.”
- “A completed application means an application in connection with which a creditor has received all the information that the creditor regularly obtains and considers in evaluating applications for the amount and type of credit requested (including, but not limited to, credit reports, any additional information requested from the applicant, and any approvals or reports by governmental agencies or other persons that are necessary to guarantee, insure, or provide security for the credit or collateral).”
None of these definitions or commentary include outright exceptions for fraudulent applications. So, the safest course would be to send AANs, even when the credit union believes that the application is the result of fraud or identity theft. (In such cases, a Suspicious Activity Report is also probably needed, depending on the amount involved).
On the other hand, there are some arguments to be made that an AAN shouldn’t be required. For example, the credit union might take the position that there was no legitimate “applicant,” since the fraudster or bot that submitted the online application wasn’t the real individual purported to be asking for a loan. You might also argue that your procedures require eligibility for membership before the credit union will even consider a loan application, and so it’s not an “application” at all when the online form shows on its face that the “applicant” doesn’t meet membership eligibility criteria. I can’t predict how successful those arguments might be if the credit union were ever challenged (by examiners or by legitimate consumers) for failing to send AANs as required under Reg. B.
Please also note that the Fair Credit Reporting Act and Reg. V require a different AAN to be sent if you take adverse action on a credit application based, even in part, on information from a credit reporting agency.
In this article, the author (an attorney) takes the position that no AAN is required under the FCRA when you deny an application based on suspected identity theft:
The FCRA implicitly assumes that the consumers addressed under the Act are the consumers they purport to be and is intended to provide consumers with the information they need to improve their eligibility for credit. In addition, the application of the FCRA to identity verification and fraud prevention services would allow fraudsters to troubleshoot and improve their schemes, by providing them with actionable information about how their frauds were detected.
And this is conceptually consistent with the CIP Rules and the FTC’s Red Flag Rule, which essentially require a financial institution to reject an applicant for credit if the identity of the applicant cannot be sufficiently determined.
America’s Credit Unions also recently addressed this topic in their Adverse Actions: A Couple of Frequently Asked Questions:
AQ 2: Does Regulation B require that we send an adverse action notice if we’re denying a loan for suspicion of fraud?
This is a tricky one and we always advise credit unions to consult with their legal counsel when these types of issues arise, as we are unable to provide legal advice. However, while fraud does not appear to be a reason to not send an adverse action notice pursuant to Regulation B, if the fraud is due to a case of identity theft, sending an adverse action notice to a consumer who did not actually apply for an extension of credit also does not appear consistent with the regulation. However, section 1002.2(c)(2) discusses what is not considered “adverse action”, and there is no explicit mention of an exception for fraud.
Another point to think about is what if the credit union is wrong about its suspicion of fraud? In that case, the credit union would be in a position in which it failed to send the adverse action notice as required by the regulation. Ultimately, a credit union may need to decide which approach is best given its own risk tolerance (likely after consulting with its legal counsel). *Note: whether an adverse action notice would be required under the FCRA in such circumstances will also be an issue to discuss with your legal counsel.