I agree with the comments above ^^ and would add a few things. You might consider asking the vendor to provide a statement on how they comply with the rules. It might simply be that they don't want to sign a document you prepared, but they'd be willing to provide a statement on what they're doing.
On the other hand, they may not be subject to the rules. Our core processor came back with a statement that, following their corporate legal review of the red flags rules, they determined that they are not required to have a written red flags program. However, they can assist us in meeting our red flags requirements.
With regard to the SSAE16 report, this is a useful source of information for the red flags program. For example, our Bill Pay vendor provides access to our covered accounts. They don't have a written red flags program and aren't required to have one under the regulation. However, in their SSAE16 report, there is a ton of information on their fraud-monitoring processes, which would help detect potential identity theft and/or unauthorized account access.