Skip to content
BOL Conferences
Thread Options
#82780 - 05/27/03 04:16 PM Who is considered a Service Provider?
Patsy Cline Offline
Diamond Poster
Patsy Cline
Joined: Sep 2002
Posts: 1,117
On the road...
I have read all the other threads but really did not get a good answer to my question. The Interagency Guidelines Establishing Standards for Safeguarding Customer Information (guidelines) indicates that a financial institution must require its service providers by contract to implement approriate measures designed to meet the objectives of the guidelines.

Service providers is defined as any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provisions of services directly to the financial institution.

Customer information is defined as any record containing nonpublic personal information ...

I believe that this excludes service providers such as title companies, appraisers, surveyors, surveyors, etc. Am I correct? We do not provide any nonpublic personal information to those service providers.

What about attorneys? To what extent is everyone going to to get "contracts"?

Last edited by MRG; 05/27/03 04:28 PM.
_________________________
Michelle CRCM

"What would you attempt to do if you knew you could not fail?" ~ unknown


Return to Top
Security - PUBLIC
#82781 - 05/27/03 06:28 PM Re: Who is considered a Service Provider?
waldensouth Offline
Power Poster
waldensouth
Joined: Nov 2001
Posts: 7,983
FINALLY ABOVE the gnat line
I just received a response(verbal) from the FDIC on that very issue. YES, attorneys are considered service providers for customer information security purposes and must sign a contract/agreement that indicates they will have systems and procedures in place to protect customer information.
_________________________
"Once you learn to read, you will be forever free."

- Frederick Douglass




My Opinion Only.

Return to Top
#82782 - 05/27/03 06:48 PM Re: Who is considered a Service Provider?
Patti Offline
New Poster
Patti
Joined: Feb 2003
Posts: 5
Kansas
This is my first post and I've been researching this issue also. So I'm glad to have an answer. Originally, my thought has been that since attorneys and CPAs, etc. are bound by a certain ethical standard for their occupation(such as: attorney/client privilege) I had thought we wouldn't need a confidentiality agreement. But since FDIC is saying that we should, I would assume then we also need confidentiality agreements with CPAs and other firms that conduct external audits.

Thanks for the info!

Return to Top
#82783 - 05/27/03 08:00 PM Re: Who is considered a Service Provider?
Anonymous
Unregistered

The posts above are correct. Go HERE for a confirmation that attorney's are included (Fed Reg pages 8618 and 8619) under I.C.2.e Service Providers.

Return to Top
#82784 - 05/28/03 03:43 PM Re: Who is considered a Service Provider?
Anonymous
Unregistered

Quote:

Originally, my thought has been that since attorneys and CPAs, etc. are bound by a certain ethical standard for their occupation(such as: attorney/client privilege) I had thought we wouldn't need a confidentiality agreement. But since FDIC is saying that we should, I would assume then we also need confidentiality agreements with CPAs and other firms that conduct external audits.





The fact that attorneys and CPAs are bound by a code of ethics does not affect whether or not they are required to execute, under the InfoSec Guidelines, a written agreement that says they agree to implement and maintain an information security program designed to achieve the objectives of the guidelines. They must do so. If the attorney, CPA, or other service provider has access to customer NPI in the course of providing a service to you, that written agreement must be signed.

Where the issue of the code of ethics DOES come into play is in your determination of whether you must actually go beyond getting the agreement referenced above and actually monitor the service provider's information security program. Whether you must monitor or not will depend upon the level of sensitivity of information the service provider has access to and the degree to which the service provider is either already bound directly by the guidelines (such as is the case with a correspondent bank, for example), or is operating under a code of ethics.

You can use this InfoSec SERVICE PROVIDER Assessment Matrix to help you determine which service providers you will need to monitor.
InfoSec Service Provider Assessment Matrix




Return to Top
#82785 - 05/28/03 04:26 PM Re: Who is considered a Service Provider?
kathy dominguez Offline
Junior Member
Joined: May 2003
Posts: 25
This is my first post, but so glad I came across the service provider question. I was wondering if credit reporting agencies should have privacy policies?

Return to Top
#82786 - 05/28/03 04:58 PM Re: Who is considered a Service Provider?
Retired DQ Offline
10K Club
Retired DQ
Joined: Dec 2002
Posts: 40,766
Turnpike Exit 10
I just recently read our Credit Bureau contracts and there are sections that address privacy and the confidentiality
of consumer data. My guess is that that would have been the standard for a while.
Oh, and Kathy: Welcome!
_________________________
Get your facts first, then you can distort them as you please. - Mark Twain

Return to Top
#82787 - 05/29/03 06:25 AM Re: Who is considered a Service Provider?
Princess Romeo Offline

Power Poster
Princess Romeo
Joined: Jun 2001
Posts: 8,272
Where the heart is
With respect to Credit Bureaus, they are NOT considered "Service Providers" for purposes of GLBA. I have that information straight from FDIC in Washington D.C. And yes, I saved the voice mail message!
_________________________
CRCM,CAMS
Regulations are a poor substitute for ethics.
Just sayin'

Return to Top
#82788 - 05/29/03 12:23 PM Re: Who is considered a Service Provider?
SkyDiver Offline
Gold Star
SkyDiver
Joined: Jul 2002
Posts: 274
Northeast
I wonder why not. Did they give the logic for the opinion?

Return to Top
#82789 - 05/29/03 02:28 PM Re: Who is considered a Service Provider?
Anonymous
Unregistered

I think the argument can be made either way. Some CB's provide other services like marketing and lead generation where the service offering and information security requirement is vastly different from providing credit info. The Federal Trade Commission has asserted and it has held through appeal that CB's fall under the definition of a "financial institution" as defined by the GLBA. As such they are subject to the same InfoSec / privacy/etc. requirements as your bank.

Article:
http://www.ftc.gov/opa/2002/07/tuglbappeal.htm

Return to Top
#82790 - 05/29/03 03:47 PM Re: Who is considered a Service Provider?
Anonymous
Unregistered

Also -- it is the FTC that regulates CBs, not the FDIC. One credit bureau took a very different stance on the data security reqs we wanted to impose about 10 days after the appeal decision came out!

Return to Top
#82791 - 05/30/03 05:44 AM Re: Who is considered a Service Provider?
Princess Romeo Offline

Power Poster
Princess Romeo
Joined: Jun 2001
Posts: 8,272
Where the heart is
Quote:

I wonder why not. Did they give the logic for the opinion?




The answer I received was that a credit bureau is not considered a service provider that provides services to the bank. The answer was relayed by the FDIC in San Francisco who received the answer from the FDIC in Washington.

They did not explain exactly WHY a credit bureau is not considered a service provider. All I can think of is "Man - we need to hire whoever their lobbyists are!"

Yes - I saved the phone message on my voice mail. I really need to transcribe the conversation as our phone system will be changing soon, and my current voice mail will be going "bye-bye."

You should have seen the suprised look on the field examiner from the FDIC. He initially asked to see our Experian contracts, and so I played the voice mail for him. He later confirmed the opinion. I believe that part of the logic is that credit bureaus are under very strict operating standards under the FTC, and the regulators felt an addition to our contract would not accomplish any greater protection. Part of the reason for the contract requirement is to stress to ALL of our service providers that the information they receive must be well guarded and protected.
_________________________
CRCM,CAMS
Regulations are a poor substitute for ethics.
Just sayin'

Return to Top
#82792 - 05/30/03 03:27 PM Re: Who is considered a Service Provider?
golffan Offline
Junior Member
Joined: May 2003
Posts: 32
So what about Title companies,,they claim the information they have can be found in court house records..

Return to Top
#82793 - 05/30/03 04:42 PM Re: Who is considered a Service Provider?
1111 Offline
Platinum Poster
1111
Joined: Jan 2003
Posts: 580
Quote:

So what about Title companies,,they claim the information they have can be found in court house records..




Actually, each financial institution decides who their service providers are, except for those specifically noted within the regs or formal interpretations of the regs. For example, a correspondent bank is mentioned as a service provider, but the fact that a correspondent bank is also subject to the same regs eliminates them from the list of providers. Title companies are not mentioned, but they are service providers - but limited to transactions that are approved by specific customers - they do not have access to customer lists, etc., so logically they would not make the cut as a service provider that requires monitoring. Securing a privacy statement from any entity that provides services to the bank, specifically relating to customers, is probably a good idea.

Return to Top
#82794 - 05/30/03 07:14 PM Re: Who is considered a Service Provider?
golffan Offline
Junior Member
Joined: May 2003
Posts: 32
Thank you,, I agree it is the most conservative approach. Can you provide me with the link to the definitions that you are refering to... thanks again..

Return to Top
#82795 - 05/30/03 08:17 PM Re: Who is considered a Service Provider?
1111 Offline
Platinum Poster
1111
Joined: Jan 2003
Posts: 580
HERE is a general interpretation overview - key in "service provider" to find the specific section. I look at it this way, some providers clearly need to furnish a specific statement assuring the privacy of records while others are simply handling transactions for specific customers that have specifically requested the product or service, so you may simply want to know how those entities, e.g. title companies, escrow companies plan to use the information, other than for the purpose of transacting customer business.

Keep in mind that the customer is virtually giving out what we keep as confidential information all day long, e.g. name, address, account number, etc. as they issue checks. We just need to assure that the information does not come directly from the bank unless it is in response to something that the customer set in motion.

Return to Top

Moderator:  Andy_Z