Red Flag Program -- Service Provider Arrangements
by Russ Horn, CISA, CISSP, CoNetrix
Question: Under the Red Flag rules, I am required to "exercise appropriate and effective oversight of service provider arrangements", but what does that mean, and what is the definition of a service provider?
Answer: The term "service provider" used in the final ruling was based upon the definition of "service provider" in the Information Security Standards: "service provider means a person that provides a service directly to the financial institution or creditor."
The greatest risk is associated with service providers that perform activities in connection with one or more of your institution's covered accounts, for example a service provider that opens loan or lending accounts on your behalf. Many financial institutions simply manage their service providers through contractual requirements; however, some go so far as to audit the service providers to ensure that identity theft is monitored and customer data is protected.
First published on BankersOnline.com 9/01/08