Reg P vs. Guidelines for Information Security

Question: 
Please help me understand the difference between service providers referred to in 40.13 of Reg P and providers used to effect, administer or enforce a transaction in 40.14 of Reg P. For example, where would Deluxe, Clarke American, etc. fall? It seems logical that checks ordered would fall into 40.14, but I have been told that confidentiality clauses are needed with check vendors. Examples of each category would be appreciated. Thanks. By the way, am I the only one having trouble with this?
Answer: 

I think some of the confusion is stemming from two separate regulatory issuances on the topic of service providers. From the standpoint of Regulation P, I think that your check vendors would fall under the section .14 exceptions. As such, Reg P does not require contractual language regarding privacy in order to effect the exception. The confusion begins, however, with the issuance of the Guidelines for Information Security, which seem to suggest that it would be appropriate to include information security requirements in all of your third-party vendor contracts. So as it stands right now, if you don't put information security and privacy clauses into your contracts with check vendors, you'll be fine with Reg P, but potentially in violation of the Info Security Guidelines.

First published on BankersOnline.com 6/4/01
