You may have heard some squeaking lately, investigated a little further, and determined that all the noise is about the Federal Trade Commission’s Safeguards Rule. It may have been a while since you last looked at your Safeguards program, or maybe you regularly polish it up. Regardless, if you are a financial institution, now is the perfect time to inspect how your program handles service providers.
Auto dealers that offer financing to consumers, as well as finance companies, are financial institutions under the Safeguards Rule. Financial institutions use service providers to, for example, help manage inventory, prepare documents, process payments, and provide services to customers. In many cases these service providers make financial institutions’ lives easier by taking something off the never-ending to-do list. However, federal regulatory requirements mandate that financial institutions not forget about service providers as soon as the contracts between them are signed. Financial institutions are responsible for actions performed (or not performed) by their service providers, and, thus, financial institutions must oversee those service providers.
This article breaks down the definition of a service provider under the Safeguards Rule and outlines the level of oversight required under the rule.
What is a “service provider”?
The Safeguards Rule defines the term “service provider” to mean a person or entity that receives, maintains, processes, or is otherwise permitted to access customer information through its provision of services directly to a financial institution. So, what constitutes “customer information”? This part can be a bit tricky: “Customer information” means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of you or your affiliates. In layman’s terms, “customer information” can include:
• information that a consumer provides to you on an application to obtain credit;
• payment history;
• account balance information;
• the fact that an individual is or has been one of your customers or has obtained a financial product or service from you;
• any information that a consumer provides to you or that you or your agent otherwise obtain in connection with collecting on or servicing a credit account;
• any information in connection with a financing transaction that you collect through an Internet “cookie”; and
• information from a consumer report.
“Customer information” also includes a list, description, or grouping of customers that is derived using information points like those listed above.
What does the Safeguards Rule require you to do to oversee service providers?
The Safeguards Rule requires financial institutions to oversee the relationship with service providers in three ways:
• Onboarding Due Diligence. The Safeguards Rule requires financial institutions to take reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards. Therefore, financial institutions must conduct due diligence when choosing a service provider to determine whether the service provider adequately protects customer information.
• Contracting. Financial institutions must specifically require service providers, by contract, to implement and maintain appropriate safeguards. Contracts with service providers should require service providers to safeguard customer information specifically in compliance with the Safeguards Rule.
• Ongoing Monitoring. The Safeguards Rule requires financial institutions to periodically assess service providers based on the risk they present and the continued adequacy of the safeguards used to protect customer information. Therefore, financial institutions should periodically refresh due diligence and routinely assess safeguards used by service providers. If the safeguards used by service providers are not up to par, financial institutions must be prepared to take remedial measures up to and including termination of the relationship.
What should you do now?
To prepare for the December 9th effective date of the revisions to the Safeguards Rule, you should take the following steps:
• Examine your service provider relationships to make sure you are engaging in appropriate oversight;
• Review your files to check whether you verified that the service provider adequately safeguards customer information. If not, ask the service provider to complete a questionnaire addressing its information security practices;
• Review your service provider onboarding process for future engagements to determine whether information security practices are addressed as part of a larger service provider oversight program. If not, update those materials to ensure that information security practices are evaluated during the service provider selection phase and on an ongoing basis;
• Review any contracts with existing service providers to verify that they include provisions requiring the service provider to implement and maintain adequate safeguards, including listing the specific safeguards you expect the service provider to employ. If your contracts do not include these types of provisions, work with compliance counsel to develop a contractual amendment addressing the Safeguards Rule as well as contractual language to include in future contracts with service providers; and
• Review your service provider oversight program to make sure that you have a plan in place to periodically check whether your vendors are adequately safeguarding your customer information. This review includes determining whether you have a method of assessing compliance (such as a follow-up information security questionnaire), implementing a schedule for evaluating service providers based on the level of risk they present to the safety and integrity of your customer information, and verifying whether you have a corrective action plan in place for dealing with noncompliant service providers.