Checklist12 min read

    What to prepare before applying for bureau subscriber codes

    Getting a subscriber code (Equifax, TransUnion, and Innovis call it a "subscriber code" or "member number"; Experian usually calls it a "subscriber code" too) is the gate every new data furnisher has to walk through before a single account shows up on a consumer's file. It is not a sign-up form. Each bureau runs its own underwriting on you: they confirm the business is real, that you have a legitimate, FCRA-defined permissible purpose to both pull and furnish data, and that you can transmit and store credit data safely. The fastest applicants are the ones who have every answer and document ready the day they apply, because the back-and-forth of "can you also send us X" is what stretches a three-week process into a three-month one.

    This checklist is written for the team standing up furnishing for the first time: a lender, a property manager moving into rent reporting, a BNPL or fintech product, a debt buyer, or a SaaS platform reporting on behalf of clients. It assumes you have decided to report and now need to get approved at one or more of the four nationwide bureaus. It does not assume you have picked Metro 2 software yet, because that decision interacts with the application (the bureaus will ask how you intend to format and deliver files).

    Nothing here is a promise about any bureau's decision or timeline. Bureau processes change, vary by industry, and are ultimately theirs to run. Treat this as the preparation that puts you in the best position, not a guarantee of approval. Where it helps, we point to the free Metro 2 reference and tooling on this site so you can validate format-readiness before you ever talk to a bureau.

    Understand what a subscriber code actually authorizes

    A subscriber code is the identity the bureau attaches to everything you send and pull. When you furnish a Metro 2 file, your subscriber/member code travels in the Base Segment and (for header/trailer accounting) in the file's identifying records, so the bureau can attribute each tradeline back to you and route disputes to the right furnisher. If the code is wrong or shared incorrectly, accounts can be misattributed to another furnisher entirely, which is a real and damaging failure mode.

    Most furnishers need codes for two distinct activities, and the bureaus underwrite them separately: furnishing (reporting your accounts) and inquiry/access (pulling reports to make a decision). You may only need furnishing. Be precise on the application about which you want, because requesting access you do not need invites more permissible-purpose scrutiny than necessary.

    Codes are also industry- and product-scoped. The portfolio type you declare (revolving, installment, mortgage, open, or line of credit) and your account types shape what the bureau expects to see. If you will report more than one product line, say so up front rather than discovering later that your code does not cover a segment you need.

    • Decide furnishing-only vs. furnishing + inquiry access before you apply.
    • Map your products to Metro 2 portfolio types and account types so your declared volumes match reality.
    • Expect a separate code (or at least separate review) per bureau — there is no single application for all four.

    Business verification: the documents every bureau will ask for

    The first thing each bureau confirms is that you are a real, legally operating business at a real address. This is where most delays happen, not because the documents are hard to produce, but because applicants submit a thin set and then field follow-up requests one at a time. Assemble the full package before you start so you can respond to any question within a day.

    Have your legal entity details exactly consistent across every document: the legal name, the DBA if you use one, your EIN, the formation state, and the physical street address must match between your application, your business license, and your Secretary of State filing. Bureaus cross-check these, and a mismatch (a suite number on one doc but not another, an old address on a license) reads as a red flag and triggers re-verification.

    If you are furnishing on behalf of other businesses (you are a platform or servicer), be ready to explain that relationship and how you keep each client's data and permissible purpose separate. That is a different review than furnishing your own portfolio.

    • Articles of incorporation / formation and a current Secretary of State good-standing record.
    • EIN confirmation (IRS letter) and any state/business licenses relevant to your industry.
    • A verifiable physical business address — not a PO box, mailbox store, or residential address (more below).
    • A working business phone and domain-based email; bureaus call and email the listed contacts to verify.
    • D-U-N-S number if you have one, plus a business bank reference for some applications.
    • For servicers/platforms: sample client agreements or a description of how furnishing-on-behalf is authorized.

    The physical site inspection: what it is and how to pass it

    Several bureaus require an on-site (or, increasingly, virtual/photo-based) inspection of your business premises before approving access, especially when you are also requesting the ability to pull reports. The point is to confirm you operate from a secured commercial location where consumer data can be handled responsibly. This single requirement is the reason home-based and virtual-office applicants are most likely to stall.

    An inspector (often a third party engaged by the bureau) typically wants to see a permanent commercial space with signage, locked storage for any physical records, screens that are not visible to the public, and reasonable physical access controls. They may photograph the entrance, the suite, and the work area. If you are remote-first, this is the hurdle to solve early: a coworking desk usually does not satisfy it, and a residential address almost never does.

    If a full in-person inspection is not feasible for your setup, ask the bureau (or your Metro 2 software vendor, who has done this before) what alternatives they accept. Some allow a virtual walkthrough or a verification-of-premises packet. Do not assume — confirm the accepted format before you schedule anything.

    • Use a commercial address with verifiable signage and a real, lockable office — not a home or a virtual mailbox.
    • Be ready to show locked storage, private screens, and basic physical access control.
    • Ask up front whether a virtual/photo inspection is accepted for your situation.
    • Schedule the inspection as early as possible; it is often the longest-lead item.

    Permissible purpose and the FCRA basis for furnishing

    The Fair Credit Reporting Act governs both who may receive a consumer report (permissible purpose, FCRA Section 604) and the accuracy and integrity duties of furnishers (FCRA Section 623 and the Furnisher Rule). Your application has to articulate a legitimate basis for the activity you are requesting. For furnishing, the bureau wants to see that you have a genuine creditor/landlord/servicer relationship with the consumers you will report and that you can stand behind the accuracy of what you send.

    If you also request inquiry access, the permissible-purpose review is stricter, because you are asking to pull files. Common bases include a credit transaction initiated by the consumer, account review, or written authorization. State your basis plainly and be ready to show the consent or transactional relationship that supports it.

    Furnishing also carries ongoing obligations the bureau will expect you to understand before they hand you a code: investigating disputes you receive (directly and through the bureau's e-OSCAR / ACDV channel), correcting and updating inaccurate data, and reporting the Date of First Delinquency (DOFD) accurately so that obsolescence and re-aging rules are applied correctly. If you cannot describe how you will handle disputes and DOFD, you are not ready to apply.

    • Document the creditor/landlord/servicer relationship that gives you a basis to furnish.
    • If requesting access, name your FCRA Section 604 permissible purpose and have the supporting consent ready.
    • Be able to describe your dispute-handling process (e-OSCAR / ACDV) before applying.
    • Confirm you understand DOFD reporting and the seven-year obsolescence rule — accuracy duties start day one.

    Expected volumes and reporting cadence

    Bureaus ask how many accounts you expect to report and how often, and they use it to set expectations and sometimes pricing. Give an honest, defensible estimate of your initial portfolio size and your monthly net new and updated accounts. Most furnishers report on a monthly cycle, sending a full snapshot of the portfolio's current status each month rather than only deltas.

    Right-size your estimate. A wildly inflated number invites scrutiny (and possibly a higher tier than you need); a number that is too low can cause friction later when your real volume shows up. If you genuinely do not know yet, say "pilot of N accounts, growing to M over 12 months" and explain the basis.

    Plan your cadence around the metric that actually matters in the file: every account carries a Date of Account Information (the as-of date for that month's status). Reporting on a consistent monthly cadence keeps that field current and keeps statuses, balances, and payment history aligned across the bureaus. You can sanity-check how a sample file's records and dates look in the free in-browser viewer at /metro2/file-viewer before you commit to a cadence.

    • Estimate initial portfolio size and monthly new/updated counts honestly.
    • Assume a monthly full-portfolio reporting cycle unless you have a reason to do otherwise.
    • Frame uncertain volumes as a pilot-with-growth plan rather than guessing.

    Data security and the onboarding questionnaire

    Because you will be handling consumer data and (if you pull) receiving reports, every bureau runs a security and compliance review. Expect a questionnaire covering how you store, transmit, and access data, who has access, and how you would respond to an incident. The more concrete and specific your answers, the smoother this goes — vague "we take security seriously" answers generate follow-ups.

    The biggest single technical readiness item is secure file transfer. Bureaus accept Metro 2 files over SFTP (Secure File Transfer Protocol), and they will want to know how you will connect, authenticate (key-based auth is preferred), and protect files in transit and at rest. If your in-house systems cannot do hardened, automated SFTP to four different endpoints with four different schedules and credential sets, that is a strong argument for using a Metro 2 software vendor that already operates those connections.

    Have your security basics written down before the questionnaire arrives: access controls and least privilege, encryption in transit and at rest, employee background/onboarding practices, vendor management if you use subprocessors, and an incident-response plan. You do not need a SOC 2 report to be approved at most bureaus, but being able to describe equivalent controls clearly helps.

    • Be ready to describe encryption in transit and at rest, access controls, and least-privilege practices.
    • Plan for key-based SFTP to each bureau; know how you will manage credentials and schedules per endpoint.
    • Have an incident-response plan and a clear answer for who can access consumer data and why.
    • Document any subprocessors/vendors that touch the data path.

    Buy Metro 2 software vs. build it in-house

    By the time you apply, you should know how you will produce a valid Metro 2 file, because the bureaus ask. Metro 2 is a strict fixed-width format (the CDIA Credit Reporting Resource Guide, or CRRG, defines it): a Header Record, one Base Segment per account with optional appended segments (J1/J2 for additional consumers, K1-K4, L1, N1), and a Trailer Record with control totals. Every field has an exact position, length, and justification. Getting a status code, a portfolio type, or a DOFD wrong does not just look bad — it gets the file rejected or, worse, reports inaccurate data.

    Building in-house is viable but routinely underestimated. You are signing up to implement and maintain the full field-level spec, keep up with CRRG revisions, generate and reconcile header/trailer control totals, encode money and date fields correctly, run hundreds of validation rules, handle four separate SFTP deliveries, and parse each bureau's response/return file to learn what they accepted or rejected. That is an ongoing engineering commitment, not a one-time build.

    A purpose-built vendor like Metro2 by Switch Labs collapses most of that. It imports CSV/Excel with auto-detected field mapping, runs a 240+ rule validation engine, generates the bureau-ready fixed-width file, and delivers via automated SFTP to Equifax, Experian, TransUnion, and Innovis. It also parses CRA response files, manages disputes, supports both consumer and commercial tradelines, and offers a sandbox/test mode plus a REST API and webhooks. You can validate format-readiness for free first: drop a sample file into the viewer at /metro2/file-viewer, look up any status code at /metro2/status-code, check a specific field's spec at /metro2/field, and decode rejects at /metro2/error. That lets you show a bureau you are format-ready without writing the generator yourself.

    • In-house means owning the full CRRG spec, validation, control totals, four SFTP deliveries, and response-file parsing — forever.
    • A vendor handles mapping, validation (240+ rules), file generation, SFTP delivery, and CRA response parsing for you.
    • Validate readiness with free tools first: /metro2/file-viewer, /metro2/status-code, /metro2/field, /metro2/error.
    • Either way, have a concrete answer for "how will you format and deliver files?" before you apply.

    Realistic timelines and how to compress them

    Plan in weeks-to-months, per bureau, in parallel. A clean application with a commercial address, complete documents, an easy permissible-purpose story, and a scheduled site inspection can move relatively quickly; a home-based applicant requesting full access with thin documentation can stall for a long time. The variance is almost entirely in how prepared you are, not in the bureau being slow.

    Apply to all four bureaus at once rather than sequentially. Equifax, Experian, TransUnion, and Innovis each run their own process, so doing them serially multiplies your total elapsed time for no benefit. Track each as its own workstream with its own contact, requested code type, and inspection status.

    The two requirements that most often gate the timeline are the physical site inspection and the security questionnaire, so start both as early as possible. While the bureaus review you, get format-ready in parallel: produce a sample file, validate it, and resolve any errors so that the moment a code is issued you can send a real (or test-mode) file the same day rather than starting the engineering then.

    • Apply to all four bureaus in parallel; each is a separate process.
    • Front-load the site inspection and security questionnaire — they are the usual long poles.
    • Get format-ready during the review window so day-one furnishing is a non-event.
    • Keep a per-bureau tracker: contact, code type requested, inspection status, questionnaire status.

    Key takeaways

    • A subscriber code is bureau underwriting, not a sign-up — every answer and document ready on day one is what keeps a three-week process from becoming three months.
    • A real commercial address and the physical site inspection are the most common reasons applicants stall; solve them first.
    • You must be able to describe your permissible purpose, your dispute process (e-OSCAR/ACDV), and accurate DOFD reporting before you apply.
    • Secure, key-based SFTP and a clear data-security story are non-negotiable parts of the onboarding questionnaire.
    • Decide build-vs-buy for Metro 2 before applying — bureaus ask how you will format and deliver files; validate readiness free at /metro2/file-viewer.
    • Apply to Equifax, Experian, TransUnion, and Innovis in parallel and get format-ready during the review window.

    FAQ

    Can I get a subscriber code with a home or virtual office address?

    It is the single hardest scenario. Several bureaus require a physical site inspection of a real commercial premises, and home addresses and virtual mailboxes usually do not satisfy it, especially if you also want to pull reports. If you are remote-first, secure a verifiable commercial office and ask each bureau early whether a virtual/photo inspection is acceptable for your case.

    Do I need one application for all four bureaus?

    No. Equifax, Experian, TransUnion, and Innovis each run their own application, underwriting, inspection, and security review. There is no single combined application. Apply to all four in parallel and track each as a separate workstream so you do not multiply your total timeline.

    How long does approval take?

    It varies by bureau, industry, and how prepared you are — plan for weeks to a few months per bureau. The biggest delays come from incomplete business documents, an address that fails the site inspection, and slow responses to the security questionnaire. A complete, consistent application with a commercial address moves fastest, though no timeline is guaranteed.

    Do I have to build my own Metro 2 file generator?

    No. Metro 2 is a strict fixed-width CRRG format with exact field positions, status codes, control totals, and per-bureau SFTP delivery and response parsing. Building it in-house is an ongoing engineering commitment. A purpose-built tool like Metro2 by Switch Labs handles mapping, 240+ validation rules, file generation, SFTP delivery, and CRA response parsing — and you can validate a sample file for free at /metro2/file-viewer before you ever apply.

    What is permissible purpose and do I need it just to furnish?

    Permissible purpose (FCRA Section 604) governs who may receive a consumer report — it is most relevant when you request inquiry/access. To furnish, you mainly need a genuine creditor, landlord, or servicer relationship with the consumers you report, plus the accuracy and dispute-handling duties of FCRA Section 623. If you also want to pull reports, expect stricter permissible-purpose scrutiny and have your consent or transactional basis documented.

    What should I have ready before I even start the application?

    Consistent legal entity documents (formation, EIN, good standing), a verifiable commercial address, a business phone and domain email, your declared products mapped to Metro 2 portfolio and account types, honest volume estimates, a permissible-purpose statement, a data-security summary (encryption, access controls, incident response, SFTP plan), and a decision on how you will format and deliver files.

    Be format-ready before the bureau ever replies

    While your subscriber-code applications are in review, validate a sample Metro 2 file for free in the in-browser viewer, look up any status code or field, and decode rejects — so the day a code is issued, you send a clean file instead of starting the build.

    Go to the Furnisher LaunchpadRequest a first-file review

    Keep reading

    Checklist
    The Metro 2 launch checklist for first-time furnishers
    Playbook
    How a small furnisher fixed its Equifax and Experian rejects