Q: Do the Red Flags Rules require financial institutions or creditors to oversee all service provider arrangements or only those service providers that offer fraud detection services?
A: The obligation to oversee service provider arrangements is not limited to service providers that offer fraud detection services. The oversight requirement applies when the financial institution or creditor engages a service provider to perform an activity in connection with opening or accessing one or more covered accounts. The oversight obligation is intended to ensure that the financial institution or creditor is responsible for complying with the Red Flags Rules, even if it outsources one or more of its account opening or access activities to a third-party service provider.
For example, a service provider that provides an online banking platform permitting account opening or access, performs call center services that permit account access, or collects debts on delinquent accounts, would be providing services related to covered accounts to the financial institution or creditor. In such cases, the financial institution or creditor should take steps to ensure that the activities of such service providers are conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft in accordance with the Red Flags Rules. The oversight requirement does not require a service provider to have the same Program as the financial institution or creditor. The Red Flags Guidelines enable flexible business arrangements so that financial institutions and creditors may use service providers that have developed their own Programs, as long as the service provider’s Program is sufficient to meet the financial institution’s or creditor’s obligations under the Red Flags Rules. However, a financial institution or creditor must still maintain its own Program that meets the requirements of the Red Flags Rules, including the oversight requirement.