Oversight of Service Provider Arrangements
The Red Flags Rule requires that you conduct oversight of service provider arrangements; you should ensure that your vendors or service providers act “in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft.”
As an example, the Rule says you could require your vendors by contract to have “policies and procedures designed to detect relevant Red Flags that may arise in the performance of the service provider’s activities, and either report the Red Flags to [your company] or take appropriate steps to prevent or mitigate identity theft.”
What if your service provider does not have an identity theft prevention program? Your options are:
- Find a different vendor or service provider
- Delay using the service provider until they can meet the requirement
- Go without the service
- See if the service provider has other controls that could be used instead of a Red Flags Program.
The Red Flags Rule allows you to incorporate other controls you may have already established as part of your Red Flags Program. So if you have compliance activity related to, for example, Sarbanes-Oxley or HIPAA, you can and should incorporate the relevant parts of that activity into your Program.
It is likely that many vendors who do not yet have Red Flags Programs in place will have other compliance programs. You can request a copy of whatever programs they have and verify that they intend to implement a Red Flags Program. For example, an application service provider should be able to provide you with a copy of their SAS70. Or they should be able to provide a document of some sort that tells you how they handle security.
For example, here is one from Amazon Web Services (amazon.com provides application hosting services in addition to their online store).
