Skip to content
 

Red Flag Program -- Service Provider Arrangements

by Russ Horn, CISA, CISSP, CoNetrix

Question: Under the Red Flag rules, I am required to "exercise appropriate and effective oversight of service provider arrangements", but what does that mean, and what is the definition of a service provider?

Answer: The term "service provider" used in the final ruling was based upon the definition of "service provider" in the Information Security Standards: "service provider means a person that provides a service directly to the financial institution or creditor."

The greatest risk is associated with service providers that perform activities in connection with one or more of your institutions covered accounts. For example, a service provider that is opening loan or lending accounts on your behalf. Many financial institutions are simply managing the service providers through contractual requirements; however, some financial institutions are going so far as to audit the service providers to ensure Identity Theft is monitored and customer data is protected.

First published on BankersOnline.com 9/01/08

First published on 09/01/2008

Filed under: 
Compliance
Security
Filed under security as: 
Audit
Identity Theft
GLBA
Service Provider
IT
Policies
Training
Information Security Guidelines
Red Flags

Report a problem with this page

Search Topics