Address Discrepancy Procedures

The address discrepancy procedures requirement in 17 CFR § 248.202 means you must have written, implemented procedures to handle credit bureau “notice of address discrepancy” flags by (1) forming a reasonable belief the consumer report matches the right person and (2) if you open/maintain a continuing relationship, confirming and furnishing the consumer’s address back to the bureau. ¹

Key takeaways:

• You need a workflow that detects address discrepancy notices and routes them to identity verification before account opening or credit decisions. ¹
• “Reasonable belief” must be operationalized through defined verification steps, decision criteria, and documentation. ¹
• If you establish a continuing relationship, you must be able to confirm the address and furnish it to the consumer reporting agency under your procedure. ¹

Address discrepancy notices are a narrow but high-impact edge case: your team requested a consumer report, and the consumer reporting agency flags that the address you provided “differs substantially” from what it has on file. Regulation S‑ID requires you to be ready for that moment with reasonable policies and procedures, not ad hoc judgment. ¹

For a CCO or GRC lead, the practical objective is twofold. First, prevent mis-association: you must form a reasonable belief that the consumer report you received is for the same consumer you intended to check. Second, if your firm establishes a continuing relationship with that consumer, your procedure must cover confirming the address and furnishing it back to the consumer reporting agency. ¹

This page gives you requirement-level implementation guidance: who must comply, how to build the workflow, what evidence to retain, and what exam teams usually probe. It is written for operators who need a fast path from regulatory text to ticketable controls, training, and audit-ready artifacts.

Regulatory text

Requirement (operator paraphrase): You must develop and implement reasonable policies and procedures to respond to a consumer reporting agency’s notice of address discrepancy. Your procedures must support forming a reasonable belief that the consumer report relates to the consumer you asked about. ¹

Continuation requirement (operational trigger): If you establish a continuing relationship with the consumer, your procedures must also address confirming the consumer’s address and furnishing the confirmed address to the consumer reporting agency. ¹

Plain-English interpretation

An address discrepancy flag is a “stop and verify” signal. Your firm can’t treat the consumer report as reliable until you have a documented basis to believe it belongs to the right person. If you proceed to open or maintain an ongoing relationship, you must have a path to validate the address and, under your procedure, send the confirmed address back to the bureau. ¹

Who it applies to

Covered entities

• Financial institutions, including broker-dealers, subject to Regulation S‑ID. ¹

Operational contexts where it shows up

You’ll see address discrepancy notices anywhere a consumer report is requested, such as:

• New account onboarding where you request a consumer report as part of identity verification or eligibility.
• Credit decisions or margin/loan-related processes that involve consumer reports.
• Periodic account reviews where a consumer report is pulled for an existing customer.

The rule is not limited to one channel. It needs to work for branch/manual workflows and digital/automated decisioning.

What you actually need to do (step-by-step)

Below is an implementation pattern that exam teams can follow end-to-end.

Step 1: Define the triggering event and detection method

1. Inventory all integrations and processes that request consumer reports (onboarding platforms, LOS systems, manual pulls by operations, third-party processors).
2. Confirm how the notice arrives (API field/response code, file-based indicator, portal flag, or a message from your consumer reporting agency).
3. Create a single internal “Address Discrepancy” event type in your case tool or ticketing system so you can evidence volume, handling, and outcomes.

Control objective: No address discrepancy notice is ignored, dropped, or handled outside a controlled workflow. ¹

Step 2: Stop the line and route to verification

1. Block auto-approval or auto-progression when the discrepancy indicator is present.
2. Route to a trained reviewer (operations/KYC team) or a rules-based step-up process if you have strong automated identity proofing.
3. Define permissible actions while pending (for example: “collect additional documentation,” “request consumer confirmation,” “decline pending verification”). Keep this consistent across channels.

What “reasonable” looks like in practice: A clear decision point: proceed only after you can articulate why the report matches the consumer. ¹

Step 3: Form a “reasonable belief” the report relates to the correct consumer

Create a written standard that lists acceptable methods to establish reasonable belief. Common building blocks:

• Match on multiple identifiers already in your possession (for example, name, DOB, SSN/ITIN if collected, phone, email) and reconcile mismatches.
• Address validation steps such as consumer confirmation plus independent corroboration (document review or trusted database match), based on your risk appetite.
• Escalation criteria when signals conflict (e.g., multiple mismatches, high-risk products, or suspicious patterns).

Operationally, you want a checklist-style decision record:

• What discrepancy was flagged.
• What additional data was obtained.
• What comparisons were performed.
• Why the reviewer concluded it was (or was not) the right consumer.

This is the core of the requirement. Your procedure must be able to defend the “reasonable belief” call. ¹

Step 4: Decide the outcome and document it

Define outcomes that map to system states:

• Verified / proceed (reasonable belief established).
• Unable to verify / do not proceed (close/decline, or require different method).
• Refer / enhanced review (when policy requires a second set of eyes).

Also define who can override and under what circumstances. Overrides should be rare and well-documented.

Step 5: If you establish a continuing relationship, confirm and furnish the address

Your procedures must address what happens next when you establish a continuing relationship:

1. Confirm the address as part of onboarding or early lifecycle. Build this into your “address verified” milestone.
2. Furnish the confirmed address to the consumer reporting agency in the manner your relationship/support model allows (file, portal, API, or processor submission), consistent with your written procedure. ¹

A practical way to operationalize this is to add a control: “continuing relationship cannot be marked active until address discrepancy case is closed with address confirmation and furnishing step completed (or documented as not applicable).”

Step 6: Train, test, and monitor

• Training: Give reviewers examples of acceptable verification combinations and examples that fail the standard.
• QA sampling: Periodically review closed cases for documentation quality and policy adherence.
• Metrics: Track volumes, average resolution time, and override frequency so you can spot process breakage. (Avoid publishing numeric targets unless your program sets them internally.)

Step 7: Align third parties and contracts (where applicable)

If a third party runs parts of your onboarding, identity verification, or consumer report ordering:

• Contractually require them to surface address discrepancy notices to you or process them under procedures you approve.
• Ensure you can retrieve case evidence on demand for audits and exams.

Daydream can help here by keeping a single control narrative, mapped tasks, and evidence requests for third parties in one place, so address discrepancy handling does not disappear inside an outsourced onboarding stack.

Required evidence and artifacts to retain

Keep evidence in a format an examiner can replay:

Policy and procedure artifacts

• Address Discrepancy Procedures document (purpose, scope, triggers, steps, roles, acceptable verification methods, escalation/override rules). ¹
• Process map or runbook covering both manual and automated channels.

Operational records (case-level)

• Copy of the consumer reporting agency notice/flag (screenshot, API payload log excerpt, or bureau response record).
• Verification checklist and supporting documentation references (what was checked and what matched).
• Outcome decision and approver (if escalated/overridden).
• If continuing relationship established: address confirmation record and furnishing confirmation (submission log, confirmation receipt, or processor attestation). ¹

Governance and assurance

• Training completion logs for staff who handle exceptions.
• QA reviews and corrective actions for errors found.
• Evidence that the workflow is implemented in systems (configuration screenshots, rule logic description, test cases).

Common exam/audit questions and hangups

Expect questions like:

• “Show me your written procedures for address discrepancy notices.” ¹
• “How do you ensure a discrepancy stops automated onboarding from proceeding?”
• “What does ‘reasonable belief’ mean at your firm, and who decides?”
• “Provide a sample of cases and walk through the evidence.”
• “If you establish a continuing relationship, how do you confirm and furnish the address to the consumer reporting agency?” ¹
• “How do you oversee third parties that order consumer reports on your behalf?”

Hangups usually occur when the firm has a policy statement but no closed-loop workflow, or when the reviewer notes are too thin to prove the decision.

Frequent implementation mistakes (and how to avoid them)

1. Mistake: Treating the notice as a data quality issue, not an identity risk.
   Fix: Make the discrepancy a mandatory identity verification step with defined acceptable evidence.

2. Mistake: “Reasonable belief” exists only in a person’s head.
   Fix: Require a structured checklist and capture the match logic in the case record.

3. Mistake: Auto-decisioning systems ignore the flag.
   Fix: Add a hard rule that blocks progression until the discrepancy case is resolved.

4. Mistake: No furnishing path for confirmed address after account opening.
   Fix: Build a furnishing task into the “account activated” workflow for discrepancy cases tied to continuing relationships. ¹

5. Mistake: Outsourced onboarding hides the evidence.
   Fix: Contract for transparency, testing rights, and evidence delivery; mirror key events in your own case tool.

Enforcement context and risk implications

No public enforcement cases were provided in the available source catalog for this requirement, so this page does not cite specific actions.

Risk-wise, address discrepancy failures typically manifest as:

• Mis-association risk: acting on the wrong consumer report (wrong person), which can drive improper account decisions and downstream complaints.
• Identity theft facilitation: a mismatch flag can be a signal of synthetic identity or takeover attempts.
• Control design risk: regulators often view missing exception handling as a program gap because it is predictable and detectable.

Treat this as an identity exception control, not a clerical fix.

Practical 30/60/90-day execution plan

Because exam readiness depends on your current maturity, use phases rather than date promises.

First phase (immediate): Make the risk controllable

• Assign an owner (KYC/operations) and a policy owner (Compliance).
• Identify all consumer report request points and confirm you can detect the discrepancy flag.
• Implement a manual stopgap: route all discrepancy notices into a case queue with a required verification checklist.
• Draft or update the written procedure and get it approved. ¹

Second phase (near-term): Systemize and reduce variance

• Add system gating to prevent auto-approval when the flag is present.
• Standardize evidence capture (templates, required fields, attachment types).
• Train staff and implement QA sampling with documented findings and fixes.

Third phase (ongoing): Close the loop, including furnishing

• Implement the “continuing relationship” branch: address confirmation milestone plus furnishing confirmation record. ¹
• Extend oversight to third parties with periodic evidence pulls and control testing.
• Add metrics and management reporting so Compliance can see drift before the exam team does.

Frequently Asked Questions

What counts as a “notice of address discrepancy” under Regulation S‑ID?

It’s a notice from a consumer reporting agency indicating the address you provided differs substantially from the address in the agency’s file, triggering your procedure to respond. ¹

Do we need to stop onboarding every time there is an address discrepancy?

You need procedures that form a reasonable belief the report relates to the correct consumer before relying on that report. In practice, that usually means pausing automated progression and doing step-up verification. ¹

What does “reasonable belief” look like for auditors?

Auditors look for consistent criteria and documentation that show how you concluded the report matched the intended consumer, not just a final “approved” note. Your procedure should specify acceptable verification methods. ¹

When do we have to furnish the confirmed address back to the bureau?

Your procedures must address furnishing the confirmed address if you establish a continuing relationship with the consumer. Build this into the post-onboarding steps for discrepancy cases. ¹

Can a third party handle address discrepancy processing for us?

Yes, but you still need reasonable policies and procedures and the ability to evidence compliance. Require the third party to surface discrepancy events, follow your decision criteria, and provide case records on request. ¹

What evidence is most often missing in address discrepancy files?

The missing piece is usually the “why”: what identifiers were matched, what was inconsistent, and why the reviewer concluded the report related to the correct consumer. Make those fields mandatory in the case record. ¹

Footnotes

1. 17 CFR Part 248, Subpart C