EI3PA Certification and Compliance
As a consumer reporting agency (CRA) reseller, you gather requests and retrieve data from companies like Experian. The data that companies like Experian provide is often highly sensitive and considered to be a consumer report. Any security compromise of consumer reports could have adverse consequences for your company. In addition to being responsible for maintaining the security of sensitive consumer data, you are liable as a CRA reseller for the management and handling of consumer reports under the Fair Credit Reporting Act (FCRA) and other consumer financial protection laws.
As part of a continuous effort to protect sensitive consumer information, Experian released its Experian Independent Third Party Assessment (EI3PA) in 2009. As a CRA reseller of Experian data, you must receive an EI3PA compliance certification annually in order to continue working with Experian. There are different levels of EI3PA certification; however, if you receive, store or maintain any Experian data on your own systems, you are considered a Level 1 reseller and cannot self-assess. As a Level 1 reseller, your EI3PA certification must be performed by a Qualified Security Assessor (QSA) in good standing with the PCI-SSC.
Aprio has a team of experienced QSAs on staff who can perform EI3PA certifications and help you meet your organization’s EI3PA compliance requirements. Unlike the reports of other EI3PA certification providers, Aprio’s EI3PA report is unique in that it includes:
- An assessment for compliance with relevant consumer financial protection laws
- A comprehensive approach for mapping your company’s data flow to address underlying risks in your company’s business model
- A combination of these reporting elements with Experian’s base EI3PA requirements to create a SOC 2 report, which is a widely recognized reporting framework and is also approved by Experian
The result of this unique approach is a comprehensive hybrid report that not only fulfills your requirements to continue working with Experian, but also provides you with valuable information concerning your business’ security risks and compliance with consumer financial protection laws. Many CRAs and technology service providers find SOC 2 to be a pragmatic approach to assurance reporting, since many CRAs provide services to other stakeholders (e.g., banks or other clients) that also require assurance reporting. Aprio’s team can help you craft a unified or singular set of controls and an assurance reporting approach that meets all your assurance needs as a CRA.