Who is considered a Service Provider?

Posted By: Patsy Cline

Who is considered a Service Provider? - 05/27/03 04:16 PM

I have read all the other threads but really did not get a good answer to my question. The Interagency Guidelines Establishing Standards for Safeguarding Customer Information (guidelines) indicate that a financial institution must require its service providers by contract to implement appropriate measures designed to meet the objectives of the guidelines.

Service provider is defined as any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the financial institution.

Customer information is defined as any record containing nonpublic personal information ...

I believe that this excludes service providers such as title companies, appraisers, surveyors, etc. Am I correct? We do not provide any nonpublic personal information to those service providers.

What about attorneys? To what extent is everyone going to get "contracts"?

Posted By: waldensouth

Re: Who is considered a Service Provider? - 05/27/03 06:28 PM

I just received a response (verbal) from the FDIC on that very issue. YES, attorneys are considered service providers for customer information security purposes and must sign a contract/agreement that indicates they will have systems and procedures in place to protect customer information.

Posted By: Patti

Re: Who is considered a Service Provider? - 05/27/03 06:48 PM

This is my first post and I've been researching this issue also. So I'm glad to have an answer. Originally, my thought has been that since attorneys and CPAs, etc. are bound by a certain ethical standard for their occupation (such as: attorney/client privilege) I had thought we wouldn't need a confidentiality agreement. But since FDIC is saying that we should, I would assume then we also need confidentiality agreements with CPAs and other firms that conduct external audits.

Thanks for the info!

Posted By: Anonymous

Re: Who is considered a Service Provider? - 05/27/03 08:00 PM

The posts above are correct. Go HERE for a confirmation that attorneys are included (Fed Reg pages 8618 and 8619) under I.C.2.e Service Providers.

Posted By: Anonymous

Re: Who is considered a Service Provider? - 05/28/03 03:43 PM

Quote:

Originally, my thought has been that since attorneys and CPAs, etc. are bound by a certain ethical standard for their occupation (such as: attorney/client privilege) I had thought we wouldn't need a confidentiality agreement. But since FDIC is saying that we should, I would assume then we also need confidentiality agreements with CPAs and other firms that conduct external audits.

The fact that attorneys and CPAs are bound by a code of ethics does not affect whether or not they are required to execute, under the InfoSec Guidelines, a written agreement that says they agree to implement and maintain an information security program designed to achieve the objectives of the guidelines. They must do so. If the attorney, CPA, or other service provider has access to customer NPI in the course of providing a service to you, that written agreement must be signed.

Where the issue of the code of ethics DOES come into play is in your determination of whether you must actually go beyond getting the agreement referenced above and actually monitor the service provider's information security program. Whether you must monitor or not will depend upon the level of sensitivity of information the service provider has access to and the degree to which the service provider is either already bound directly by the guidelines (such as is the case with a correspondent bank, for example), or is operating under a code of ethics.

You can use this InfoSec SERVICE PROVIDER Assessment Matrix to help you determine which service providers you will need to monitor.

Posted By: kathy dominguez

Re: Who is considered a Service Provider? - 05/28/03 04:26 PM

This is my first post, but so glad I came across the service provider question. I was wondering if credit reporting agencies should have privacy policies?

Posted By: Retired DQ

Re: Who is considered a Service Provider? - 05/28/03 04:58 PM

I just recently read our Credit Bureau contracts and there are sections that address privacy and the confidentiality of consumer data. My guess is that that would have been the standard for a while.
Oh, and Kathy: Welcome!

Posted By: Princess Romeo

Re: Who is considered a Service Provider? - 05/29/03 06:25 AM

With respect to Credit Bureaus, they are NOT considered "Service Providers" for purposes of GLBA. I have that information straight from FDIC in Washington D.C. And yes, I saved the voice mail message!

Posted By: SkyDiver

Re: Who is considered a Service Provider? - 05/29/03 12:23 PM

I wonder why not. Did they give the logic for the opinion?

Posted By: Anonymous

Re: Who is considered a Service Provider? - 05/29/03 02:28 PM

I think the argument can be made either way. Some CB's provide other services like marketing and lead generation where the service offering and information security requirement is vastly different from providing credit info. The Federal Trade Commission has asserted and it has held through appeal that CB's fall under the definition of a "financial institution" as defined by the GLBA. As such they are subject to the same InfoSec / privacy/etc. requirements as your bank.

Article:
http://www.ftc.gov/opa/2002/07/tuglbappeal.htm

Posted By: Anonymous

Re: Who is considered a Service Provider? - 05/29/03 03:47 PM

Also -- it is the FTC that regulates CBs, not the FDIC. One credit bureau took a very different stance on the data security reqs we wanted to impose about 10 days after the appeal decision came out!

Posted By: Princess Romeo

Re: Who is considered a Service Provider? - 05/30/03 05:44 AM

Quote:

I wonder why not. Did they give the logic for the opinion?

The answer I received was that a credit bureau is not considered a service provider that provides services to the bank. The answer was relayed by the FDIC in San Francisco who received the answer from the FDIC in Washington.

They did not explain exactly WHY a credit bureau is not considered a service provider. All I can think of is "Man - we need to hire whoever their lobbyists are!"

Yes - I saved the phone message on my voice mail. I really need to transcribe the conversation as our phone system will be changing soon, and my current voice mail will be going "bye-bye."

You should have seen the surprised look on the field examiner from the FDIC. He initially asked to see our Experian contracts, and so I played the voice mail for him. He later confirmed the opinion. I believe that part of the logic is that credit bureaus are under very strict operating standards under the FTC, and the regulators felt an addition to our contract would not accomplish any greater protection. Part of the reason for the contract requirement is to stress to ALL of our service providers that the information they receive must be well guarded and protected.

Posted By: golffan

Re: Who is considered a Service Provider? - 05/30/03 03:27 PM

So what about Title companies? They claim the information they have can be found in courthouse records.

Posted By: 1111

Re: Who is considered a Service Provider? - 05/30/03 04:42 PM

Quote:

So what about Title companies? They claim the information they have can be found in courthouse records.

Actually, each financial institution decides who their service providers are, except for those specifically noted within the regs or formal interpretations of the regs. For example, a correspondent bank is mentioned as a service provider, but the fact that a correspondent bank is also subject to the same regs eliminates them from the list of providers. Title companies are not mentioned, but they are service providers - but limited to transactions that are approved by specific customers - they do not have access to customer lists, etc., so logically they would not make the cut as a service provider that requires monitoring. Securing a privacy statement from any entity that provides services to the bank, specifically relating to customers, is probably a good idea.

Posted By: golffan

Re: Who is considered a Service Provider? - 05/30/03 07:14 PM

Thank you, I agree it is the most conservative approach. Can you provide me with the link to the definitions that you are referring to... thanks again.

Posted By: 1111

Re: Who is considered a Service Provider? - 05/30/03 08:17 PM

HERE is a general interpretation overview - key in "service provider" to find the specific section. I look at it this way, some providers clearly need to furnish a specific statement assuring the privacy of records while others are simply handling transactions for specific customers that have specifically requested the product or service, so you may simply want to know how those entities, e.g. title companies, escrow companies plan to use the information, other than for the purpose of transacting customer business.

Keep in mind that the customer is virtually giving out what we keep as confidential information all day long, e.g. name, address, account number, etc. as they issue checks. We just need to assure that the information does not come directly from the bank unless it is in response to something that the customer set in motion.