Our bank dealer contracts hold the bank harmsless for violations of law by dealers. As long as we've done a risk assessment on the dealers that the bank does business with, can we consider the dealer issue addressed under the FACTA red flag rules? We never see these customers and have to rely on the dealer for ID, etc. as required by law.

Dealers fall under the FTC provisions of these rules and they should have a IDTPP in place, yeah right!

However, from a seminar I attended and reading the requirements I believe they would be considered a service provider and you must ensure that the service provider has appropriate red flag procedure in place to detect, prevent or mitigate ID Theft.

Regardless what your contract says with the dealer, you, the FI or creditor, are the ones ultimately responsible under the law.


(This is just one more reason I am thankful we do not do indirect lending.)

Below is a quote from the "Supplementary Information" section of the final ruling (specifically is a response to commenter’s on the initial draft of the regulation):

This may help clarify the intent . . .

"The Agencies believe it is important to retain a provision in the final rules addressing service providers to remind financial institutions and creditors that they continue to remain responsible for compliance with the final rules, even if they outsource operations to a third party. However, the Agencies have simplified the service provider provision in the final rules and moved the remaining parts of proposed §l.90(d)(4) to the guidelines. Section l.90(e)(4) of the final rules provides that a covered entity must exercise appropriate and effective oversight of service provider arrangements, without further elaboration. This provision provides maximum flexibility to financial institutions and creditors in managing their service provider arrangements, while making clear that a covered entity cannot escape its obligations to comply with the final rules and to include in its Program those guidelines that are appropriate by simply outsourcing an activity.

Section VI(c) of the guidelines provides that, whenever a financial institution or creditor engages a service provider to perform an activity in connection with one or more covered accounts, the financial institution or creditor should take steps to ensure that the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Thus, the guidelines make clear that a service provider that provides services to multiple financial institutions and creditors may do so in accordance with its own program to prevent identity theft, as long as the program meets the requirements of the regulations. The guidelines also provide an example of how a covered entity may comply with this provision. The guidelines state that a financial institution or creditor could require the service provider, by contract, to have policies and procedures to detect relevant Red Flags that may arise in the performance of the service provider’s activities and either report the Red Flags to the financial institution or creditor or take appropriate steps to prevent or mitigate identity theft."

Taken from page 16 of the Identity Theft Red Flags Final Rule

--------------------------------

Russ Horn, CISA, CISSP
CoNetrix
Identity Theft Prevention Program online tool

Has anyone communicated with their dealers yet and if so, what was said in that communication?

What types of steps are you taking to ensure "oversight" of 3rd party service providers?

We have decided to send a letter to all current dealers informing them of their obligations under the regulation...CIP due dilligence mainly and offering a copy of the regulation. In addition all new contracts will contain language specifically for ID theft.