When Members Won't Talk: Obtaining A Physical Address
I recently responded to a question in our Compliance Inbox that made me think for a while. How often are credit union members uncooperative? Here’s the story: a credit union member called in and changed their address to a P.O. Box, but when asked to provide a current physical address, pursuant to the credit union’s Know Your Customer (KYC) BSA policy, the member was like:
So, the credit union wrote in to the Compliance Team, asking whether they could use other means to search for the member’s physical address, such as skip tracing or doing a ChexSystems review (i.e., pulling a credit report). This question brought up multiple issues, which I thought would be useful for others, as well.
In general, section 1020.220(a)(2)(i)(A)(3) of FinCEN’s regulations requires a physical address in order to open an account. The FFIEC’s BSA/AML Exam Manual notes that there are some exceptions – for example, use of an Army Post Office (APO), Fleet Post Office (FPO), or residential or business street address of next of kin or another contact individual are allowed (footnote 14). This information is required to be retained by the credit union for five years after the date the account is closed, even if the address subsequently changes. This is for account-opening customer/member identification program (CIP/MIP) purposes. A credit union may need to review its BSA Policy to determine if subsequent address changes are covered as part of its ongoing customer due diligence, and what the credit union requires the member to provide, as well as what to do in cases where a member is unwilling to do so.
Regarding using a credit report to obtain a physical address, the FCRA’s permissible purposes do not appear to include the necessity of obtaining an address to comply with BSA regulations. Section 604 outlines the permissible purposes that do exist for obtaining a consumer report, and those are the only permissible purposes that may be utilized, which include (among others):
(a) In general. Subject to subsection (c), any consumer reporting agency may furnish a consumer report under the following circumstances and no other:
(1) In response to a court order.
(2) In accordance with the written instructions of the consumer to whom it relates.
(3) To a person which it has reason to believe
(A) intends to use the information in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the extension of credit to, or review or collection of an account of, the consumer; or
(B) intends to use the information for employment purposes; or
(C) intends to use the information in connection with the underwriting of insurance involving the consumer; or
(D) intends to use the information in connection with a determination of the consumer’s eligibility for a license or other benefit granted by a governmental instrumentality required by law to consider an applicant’s financial responsibility or status; or
(E) intends to use the information, as a potential investor or servicer, or current insurer, in connection with a valuation of, or an assessment of the credit or prepayment risks associated with, an existing credit obligation; or
(F) otherwise has a legitimate business need for the information
(i) in connection with a business transaction that is initiated by the consumer; or
(ii) to review an account to determine whether the consumer continues to meet the terms of the account.
(G) executive departments and agencies in connection with the issuance of government-sponsored individually-billed travel charge cards.
(Emphasis added.)
Unfortunately, I do not have the space to include the full list of permissible purposes, however, suffice to say, it does not appear that the circumstances described would fall under any of the Section 604 permissible purposes. The closest option may be section (a)(3)(F)(ii), but that addresses continued eligibility for a credit account, and not obtaining information from the report to satisfy another regulatory requirement.
On the other hand, federal laws and regulations do not explicitly prohibit a credit union from using other means of determining a member’s physical address, such as skip tracing. Although, Article XVI, Section 7 of NCUA’s current Model Bylaws states that “members must keep the credit union informed of their current mailing address or, if the member has elected to receive electronic communications, their current email address.” (Emphasis added.) The bylaws only mention a mailing address and do not require a physical street address. In this case, the P.O. Box appears to be the member’s preferred current mailing address, in which case, this bylaw requirement may be satisfied.
We have previously blogged about address change considerations, including potential identity theft, privacy, and BSA concerns. Per the blog, “NCUA has provided guidance on identity theft in Letter to Credit Unions 01-CU-09, which includes steps credit unions should take to prevent fraud when processing address changes. This guidance indicates that credit unions should verify information prior to processing an address change, and send a confirmation of the address change to the member. . . To prevent fraudulent address changes, credit unions should verify member information before executing an address change and send a confirmation of the address change to both the new address and the address of record.” In the privacy realm, the blog notes that credit unions “may want to consult with local counsel to determine if there are any privacy concerns when updating address information automatically across all accounts.” This NAFCU Q&A also addresses change of address procedures, from a FACT Act perspective, which echoes the identity theft guidance provided in the blog.