Q: Do the Red Flags Rules require oversight of service provider arrangements through written contracts?
A: The Red Flags Rules do not specifically require the financial institution’s or creditor’s oversight of the service provider to be maintained through a written contract. However, the Red Flags Guidelines state that a financial institution or creditor is responsible for ensuring the service provider’s compliance with the Red Flags Rules. Financial institutions or creditors may find it helpful to require a service provider, by contract, to have policies and procedures to detect relevant red flags that may arise in the performance of the service provider’s activities and either report the red flags to the financial institution or creditor or take its own appropriate steps to prevent or mitigate identity theft. See Section VI(c) of the Guidelines.