To be sure, requests for information and due diligence from the credit bureaus are not new, but the frequency and level of documentation requested are increasing.
I have in front of me a request to a CRA from one of the major bureaus. It is in spreadsheet form, with numerous “discussion topics.” The column next to these discussion topics is a column titled “documented evidence.” Among the documented evidence requirements are:
- Information security policy
- Portable media policy
- Encryption policy/procedure
- Password policy/procedure
- Data retention policy/procedure
- Customer registration/credentialing
- Subscriber agreement
- Dispute handling policy/procedure
- Backup policy and procedures
- Physical security policy and procedures
- Visitor logging
- Employee background check procedures
- Employee security awareness policies/procedures
With credit bureau audits, increasing litigation and government action regarding CRAs, it is clear that documentation is becoming the name of the game.
Documentation is great, but it takes time and doesn’t bring money through the door. As such, it makes sense to be efficient in the process. And to that end, take note: all of the above documentation from the credit bureau is also required documentation with NAPBS Accreditation. The above is by no means all of the documentation required for NAPBS Accreditation, and there are a few credit-specific items not covered by NAPBS Accreditation, but there is much that is common to both.
There are reasons enough to get accredited that stand on their own. The time is approaching when accreditation will not be “nice to have,” but instead, “must have.” Prospects, plaintiff attorneys, state agencies and yes, maybe credit bureaus will be interested in whether you are accredited.
But another reason to consider accreditation is that in the accreditation process, you will produce much of the documentation that credit bureau audits require, and that will allow you to “plug in and play” with credit bureau documentation/audit procedures. Creating compliant policies and procedures, and then documenting them, is a chore, but an increasingly necessary one. If you have to do it, you might as well kill two birds with one stone.
This is a guest post by Derek Hinton. Derek is President of CRAzoom (www.crazoom.com), a company providing complete accreditation assistance to CRAs.