
4. Explain the bureau's strong caution against the acceptance of a bribe, and obtain employee's agreement to report fully on any bribery attempt.

5. Before final employment, have employee complete and sign an agreement as to confidentiality of records, understanding of Company policies and FCRA penalties.

6. During first four weeks of employment administer further training covering FCRA and award employee certificate of compliance with FCRA requirements.

7. New employee completes the form that requires information not found on application (place of birth, color of eyes and color of hair).

8. Agreement to take a polygraph test regarding the security of confidential information. (Optional)

9. Employee is photographed and fingerprinted. (Optional)

C. Photo-identification badge (Optional)

1. A badge, bearing employee's photograph, typed and signed name, and badge number is prepared and issued.

2. Office security requires the wearing of the badge at all times while on company premises.

3. If terminated, employee must surrender badge.

4. In a metropolitan bureau, consider periodic recall and reissue of badges. Consider also color codes on badges to indicate access to computer room.

5. Maintain a system of badges issued to visitors and record so visitors are logged in and out.

6. Consider a separate type of badge to be issued to vendors and technicians while doing work on premises. (Badges can be coded by number if desired.)

IV. Security of Employee Records

A. Consider maintaining employee's credit file in a separate secure place, accessible only to manager and certain designated supervisory personnel. (In an automated environment, if it is not feasible to file employee's credit files


*Required


b. In reporting operations not only should a base code number be assigned but also a security code suffix. This allows the base code number to remain assigned to a given subscriber permanently and yet allows for changes in the security code periodically or as required when security has been breached in some manner. An example would be, XYZ Department Store's base code number is 100. The security code this month might be 50. In order to validate the code and receive credit reports, the subscriber, XYZ Department Store, must give the complete Code Number 100-50.

c. Security codes of users should be changed when necessary, at least annually. If there is any question concerning reports given to a subscriber, or when a creditor's employee who had access to the complete code leaves, the security code should be changed.

d. In a computerized bureau the security code prints out in only one area, the Member Master Roster. This roster should be limited to as few copies as possible as it becomes critical to security of the files. The Sales or Membership Department should keep its copy under lock and normally another copy should be secured in the Accounting Department.

2. Screening Prospective Members

a. All prospective members for credit services must meet the requirement of the Fair Credit Reporting Act on permissible purposes, and any requirements imposed by the particular bureau itself. The FCRA permits use of reports for the following purposes: (Section 604)


Extension of credit.

Employment purposes.

Review or collection of accounts.
Legitimate business needs.

b. Additionally the bureau may have additional requirements set by its Board of Directors. Some examples are:

(1) Member must have a business phone listing.

(2) Member must have bona fide place of business.

(3) Deposit requirements by type of business. (Optional)

(4) Local applications for membership should be verified by a bureau representative at the member's place of business, partly to determine that such an address and business actually exist and to see the operation of the prospective subscriber. Non-local applications should be verified through logical outside sources. The application must be signed by either an officer in the case of a corporation, or by a principal in a partnership or proprietorship.

c. Applications of prospective users not well known to management must be screened through:

(1) Local reputable commercial reporting agency.

(2) Direct check of references (especially bank references and major suppliers)

(3) Credit bureau...

(4) City and/or county licensing agency.

(5) Local Better Business Bureau.

(6) Consider use of a check-off form which outlines each requirement in the setting up of a new bureau subscriber. The form should show whether or not each step has been met, or is not applicable. Only when all requirements have been met should the application be approved.

d. (1) When the contract is finalized, the bureau must review with the new user the portions of the contract that stipulate the permissible purposes for which reports will be requested. Also consider reviewing the user agreement to specifically notify the bureau when the user is requesting a credit report for employment purposes.

(2) Get user's agreement to restrict distribution of his security code number to those employees who need it. He should also notify the bureau whenever he feels an employee who is leaving his employment may constitute a security hazard.

(3) The final step, after the applicant has been accepted, is to assign the code number and security code and file all documents pertaining to this investigation in the member file folder in the manager's office or whatever security area is designated.

3. Monitoring Member/User Compliance

a. Members

(1) The Sales or Membership Department must see that members abide by the FCRA and other contract requirements and cancel those who do not. The operating division of the bureau will supply most of the documentation where a member:

(a) Did not know his or her code number or used another subscriber's code number

(b) Used a report for other than a permissible purpose

(c) Submitted false information to the bureau

(d) Committed other questionable acts.

b. Non-Members

(1) Occasionally non-members attempt to gain access to a code number and/or attempt to add or delete a credit record or some part of it for criminal purposes. Security codes must be changed and the person as well as the methods used must be investigated and turned over to authorities.


Several areas of internal processing require close control in order to preserve file integrity. Each area will be covered in detail in the sub-sections which follow.

A. File Maintenance


k. Deletion of record of inquiries. Depending upon its particular situation, a given bureau may add to these basic prohibitions.

2. In addition to listing the actions that may not be taken without cause, it is necessary to establish a system of authorization which requires that such cases be screened by a supervisor, department manager or manager before such actions may be performed when done legitimately. The authorization should include a listing by the supervisor of the approved item(s), so that subsequent audits will highlight entries which have been made without authorization.

3. In manual operations, the checking of work for improper actions will be to the extent determined by bureau management but should, as a minimum, involve a spot check of records with recent activity to determine if any unauthorized changes were made in the record.

4. In automated operations, the monitoring of records to detect any unauthorized activity should be constant and should cover all prohibited actions. The specific method of computer monitoring will be determined by the companies involved but, as a minimum, will involve monitoring the above actions.

**Any subscribers who telephone requesting deletion of information such as adverse ledger experience should be referred to a supervisor, and confirmation in writing within 10 days should be required if supervisory approval is given for the deletion.

B. Inter-Bureau Reports

1. Inter-bureau reports are a particularly vulnerable area with regard to security and should be handled carefully. Credit reporting agencies should adopt a policy of not sending reports to another credit bureau without a specific request from that bureau.

2. If a voluntary report is received, with or without a request for payment, the reporting bureau should be telephoned to determine whether or not the bureau actually sent the

3. A "password", assigned periodically by ACB, Inc., will be issued to all credit bureaus and must be used in conjunction with the ACB assigned bureau identification number before a telephone inquiry can be considered a valid request from another ACB bureau.

4. Each bureau will be responsible for assigning its own code numbers and passwords to reputable non-member bureaus with which it has contracts. It must promptly and completely inform such non-member bureaus of such code numbers and passwords.

5. Reports must not be issued without the bureau identification code and the password.

C. Additions of New Records

New records added manually to the file each day should be:

1. Entered by certain designated operators only or filed by certain designated operators in a manual operation.

2. A new record must consist of at least a Last Name, First Name, Complete Address, Employment and a trade item or inquiry, or both, to be considered for entry into the file.

3. Any new item, including a public record item, must not be entered without complete identification, including residence address.

D. Screening of Revision Requests


contained is authentic.

2. Any trend or pattern that is suspect will be reported to the supervisor such as:

a. One particular subscriber causing a number of new records to be created.

b. Discovering a file with similar identification that proves, after investigation, to be the same person with an adverse record.

c. The same address or employment frequently given on new records.

d. The same references given frequently on new files by one member.

e. A subscriber trying to telephone favorable voluntary credit experience to be placed in a record containing little or no information after revision.

f. All the accounts in a new file are recorded as having been paid out as agreed but are dated several years prior to the current date.

g. Cases in which all references, when checked, report a "No record" and the record left in file consists only of identifying information and an inquiry.
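The trend checks in items a, c, f and g above can be run mechanically over a day's new records before they reach the supervisor. The following is an added example, not part of the original guidelines; the record field names, the thresholds and the sample records are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import date

def norm(text):
    # Collapse case and spacing so trivially varied entries still match.
    return " ".join(text.lower().split())

def flag_suspect(records, today, max_per_subscriber=2, max_per_address=2, stale_years=3):
    """Return sorted (pattern_letter, subject) pairs for supervisor review.
    Thresholds are assumed values; a bureau would set its own."""
    flags = set()
    per_sub = Counter(r["subscriber"] for r in records)
    per_addr = Counter(norm(r["address"]) for r in records)
    for r in records:
        # a. One subscriber causing a number of new records to be created.
        if per_sub[r["subscriber"]] > max_per_subscriber:
            flags.add(("a", r["subscriber"]))
        # c. The same address frequently given on new records.
        if per_addr[norm(r["address"])] > max_per_address:
            flags.add(("c", norm(r["address"])))
        # f. Every account paid as agreed but dated years before today.
        accts = r["accounts"]
        if accts and all(
            status == "paid as agreed" and (today - dated).days > stale_years * 365
            for status, dated in accts
        ):
            flags.add(("f", r["name"]))
        # g. Approximation: every reference checked reported "No record".
        refs = r["reference_results"]
        if refs and all(norm(x) == "no record" for x in refs):
            flags.add(("g", r["name"]))
    return sorted(flags)

# Constructed sample input (not real data).
TODAY = date(1975, 6, 1)
SAMPLE = [
    {"subscriber": "100", "name": "DOE, JOHN", "address": "12 Elm St",
     "accounts": [("paid as agreed", date(1969, 3, 1))], "reference_results": ["No record"]},
    {"subscriber": "100", "name": "ROE, JANE", "address": "12  ELM ST",
     "accounts": [("paid as agreed", date(1974, 11, 1))], "reference_results": ["Verified"]},
    {"subscriber": "100", "name": "POE, ANN", "address": "12 elm st",
     "accounts": [], "reference_results": ["No record", "No record"]},
    {"subscriber": "205", "name": "LEE, SAM", "address": "9 Oak Ave",
     "accounts": [("current", date(1975, 1, 1))], "reference_results": ["Verified"]},
]

if __name__ == "__main__":
    for letter, subject in flag_suspect(SAMPLE, TODAY):
        print(letter, subject)
```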


action. Voluntary items which would create a new file should be screened closely.

2. Voluntaries received from companies suspected of improper reporting of credit information will be destroyed no matter what the balance or rating is. A listing of such firms should be provided to the security group or manager. Consider terminating user if there is reasonable proof of misuse of access to bureau.

3. Careful attention must be given to voluntaries which may possibly be fraudulent. Any voluntaries which are suspect should be forwarded to the security group or manager for action. This includes items sent in plain envelopes; items from more than one company in the same envelope; items from firms on an "uncertain" list; items that are suspect and characterized by a certain handwriting or typewriter print known to come from companies that are suspect.

4. Use a special trade slip to make spot checks in order to verify a voluntary item which would add favorable data to a questionable record, create a new record, or delete adverse data from a record. (In smaller bureaus, these spot checks may be made by telephone.) The credit granter should be asked to furnish the account number of the consumer if it is missing.

5. Some offices may find it practical to number voluntary report forms sequentially, so that a number range can be associated with a given subscriber. This permits an element of control not present when un-numbered voluntary data forms are made available to any member who requests them.

VII. Automated Systems
A. Tape Suppliers

1. Computerized credit bureaus or computer service companies which regularly obtain accounts receivable tapes from credit granters for the purpose of updating subject records in the system must take special care in the handling and processing of supplier tapes.

2. It is important that, first, a reliable delivery service be used to transport tapes from the supplier to the service company location. Secondly, the tapes should be delivered directly to a data control area responsible for receiving, logging and controlling such tapes from the time of receipt until returned to the suppliers.

3. Third, the service company must, depending upon its particular organization, insure that tapes in process are not tampered with in any way or that information loaded into the system is not changed in any way to reflect other than what the credit granter wishes to be reported.

4. The tapes being returned to the supplier must be closely controlled so as not to fall into unauthorized hands. In some cases, the credit bureau and/or the service company erases all data from the tapes before returning them to the supplier. This practice should be followed where practical or authorized.

B. Audit Trails

1. (a) Do not permit a credit granter to make file maintenance changes to a credit record through a remote or member terminal.

(b) Stringently restrict the authorized number of bureau terminal operators who may make such changes in another bureau's data base.

2. (a) Any internal activity performed under administrative codes should be logged so as to leave a clear audit trail.

(b) Such administrative-purposes inquiries must not be deleted.

C. Microfiche/Printouts/Obsolete Manual Records

All such documents containing confidential credit information should be kept under lock and key while not in use. One individual should be responsible for this security. When disposing of any of these materials they should be shredded or burned.
