BOL Conferences
#1670576 - 02/28/12 04:33 PM Red Flags/Vendor oversight problem
Ucan'tdothat Offline
Member
Joined: Feb 2004
Posts: 92
Miami
For ID theft, we require our service providers with access to our customer information to sign a certification/contract that states they have a red flags program and that they'll report any red flag issue regarding our customers to us. I have one vendor who refuses to sign. They sent me their audit (SSAE16 Type 2 report), which goes over their data security controls, but there is nothing about red flags monitoring/detection or reporting. I see this more as compliance with GLBA than with the red flags rules. However, I'm not sure, as they say other banks seem satisfied with this report.

Have you all had this issue? Do you accept documents such as the audit mentioned above as proof of a red flags program?
#1670634 - 02/28/12 05:23 PM Re: Red Flags/Vendor oversight problem Ucan'tdothat
Wonder Why? Offline
Member
Joined: Jul 2009
Posts: 70
Not all vendors who have access to customer information are required to have a red flags program. For those, we might accept an SSAE16 (if they are subject to that) and/or we would review their contract for confidentiality, data breach, etc.

Sometimes you have to look at the risk rating of the vendor and then see what types of controls that vendor is subject to. Then document why you had to deviate from the norm. We have not been criticized for accepting alternate documentation from vendors as long as we can reasonably document why we did what we did.
#1670789 - 02/28/12 08:11 PM Re: Red Flags/Vendor oversight problem Ucan'tdothat
EmilyAnn Offline
Gold Star
Joined: Jul 2007
Posts: 273
I agree with the comments above and would add a few things. You might consider asking the vendor to provide a statement on how they comply with the rules. It might simply be that they don't want to sign a document you prepared, but they'd be willing to provide a statement on what they're doing.

On the other hand, they may not be subject to the rules. Our core processor came back with a statement that, following their corporate legal review of the red flags rules, they determined that they are not required to have a written red flags program. However, they can assist us in meeting our red flags requirements.

With regard to the SSAE16 report, this is a useful source of information for the red flags program. For example, our bill pay vendor provides access to our covered accounts. They don't have a written red flags program and aren't required to have one under the regulation. However, in their SSAE16 report there is a ton of information on their fraud monitoring processes, which would help detect potential identity theft and/or unauthorized account access.
#1671433 - 02/29/12 08:57 PM Re: Red Flags/Vendor oversight problem Ucan'tdothat
Ucan'tdothat Offline
Member
Joined: Feb 2004
Posts: 92
Miami
Thanks for your responses. However, I guess I am confused as to a third-party service provider who has access to consumer customer info not being subject to our oversight of their red flags program. I know the servicer is not subject to the reg, but the bank is and is required to provide oversight. From the FAQs:

2. Do the Red Flags Rules require oversight of service provider arrangements through written contracts?

The Red Flags Rules do not specifically require the financial institution’s or creditor’s oversight of the service provider to be maintained through a written contract. However, the Red Flags Guidelines state that a financial institution or creditor is responsible for ensuring the service provider’s compliance with the Red Flags Rules. Financial institutions or creditors may find it helpful to require a service provider, by contract, to have policies and procedures to detect relevant red flags that may arise in the performance of the service provider’s activities and either report the red flags to the financial institution or creditor or take its own appropriate steps to prevent or mitigate identity theft. See Section VI(c) of the Guidelines.

So, I take this to mean that they sign the contract or a statement that is similar, or they provide procedures relating to ID theft.

#1671484 - 02/29/12 10:22 PM Re: Red Flags/Vendor oversight problem Ucan'tdothat
EmilyAnn Offline
Gold Star
Joined: Jul 2007
Posts: 273
Originally Posted By: Ucan'tdothat
So, I take this to mean that they sign the contract or a statement that is similar, or they provide procedures relating to ID theft.

Yes, they sign a contract or statement, or provide procedures, or provide evidence that they have controls in place, which the SSAE16 report is likely to evidence, depending on the type of service provider they are.