RSK.IQ Question of the Week 11/25/13

Bank has determined, on the basis of “red flags” contained in the consumer report and elsewhere, that a person who completed a loan application was committing identity theft.  It has followed all proper reporting requirements, but should it also send the person who completed the application an adverse action notice?

Regulation B requires a bank to provide an adverse action notice to an applicant when it declines to grant the credit requested. 12 CFR 1002.9(a)(2). It does not address fraudulent applications as such. The definition of “applicant” is so broad—“any person who requests an extension of credit”—that it could conceivably embrace someone who was appropriating the identity of someone else to apply for credit. For that reason, some commentators have suggested that an adverse action notice should be sent in such a case, with the reason disclosed on the adverse action notice for the action taken being something like “unable to verify information.”


Under the present circumstances, however, the better practice and the one required by the regulation, is not to send an adverse action notice at all.

Regulation B provides that the term “adverse action” does not include a refusal to extend credit because applicable law prohibits the creditor from extending the credit requested. 12 CFR 1002.2(c)(2)(iv). In this case, the facts of the matter indicate that the individual applying for credit was engaging in identity theft. Under the rules implementing the Fair and Accurate Credit Transactions Act (“FACT Act”), the bank must have a policy and procedures which enable it to form a reasonable belief that it knows the identity of a customer. 12 CFR 41.82(c). To that end, it must have an Identity Theft Prevention Program intended to address the risk of identity theft to its customers and the safety and soundness of the bank. The program must have reasonable procedures to prevent and mitigate identity theft in the opening of accounts, including not opening a new account when a bank cannot verify the identity of the applicant. 12 CFR 41.90(d)(2)(iv)(E). Under the FACT Act, a “new account” includes an extension of credit. 12 CFR 41.90(b)(1)(i).

Since the Bank is precluded by the FACT Act from opening a new account for a person whose identity it cannot verify, and since the term “account” includes an extension of credit, its refusal to grant the credit requested is not an adverse action under Regulation B, when the term “adverse action” does not include a refusal to extend credit because of applicable law. Thus, the Bank would not be required to send an adverse action notice.


The same rule would apply whenever credit is applied for that a bank, as a matter of law, cannot grant. From a safety and soundness standpoint, for example, there would be a question about entering into a contractual relationship with an applicant who does not exist. In this particular case, the very circumstances which raised a red flag also precluded the need to send an adverse action notice.

This entry was posted on Monday, November 25th, 2013 at 2:23 pm.

Leave a Reply

Your email address will not be published. Required fields are marked *