With the Safeguards Rule in effect, financial institutions are shifting into full-compliance mode. The Federal Trade Commission’s (FTC) Safeguards Rule requires that financial institutions contractually bind their service providers to implement and maintain certain controls under the Safeguards Rule.
You might be wondering if every relationship a financial institution has with a third party is considered a “service provider” relationship for purposes of the Safeguards Rule.
This is a brief refresher on the Safeguards Rule’s “service provider” definition to determine whether a third party with which you have a relationship might be considered a service provider under the Safeguards Rule.
What is a “service provider?”
The Safeguards Rule defines the term “service provider” to mean a person or entity that receives, maintains, processes, or is otherwise permitted to access customer information through its provision of services directly to a financial institution.
Breaking the “service provider” definition apart, there are two pieces:
- A service provider accesses customer information of the financial institution; and
- A service provider provides services to the financial institution relative to the customer information.
Do you provide “customer information?”
To answer this question, you must know what constitutes “customer information.”
This part can be a bit tricky.
“Customer information” means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the financial institution or its affiliates.
In layman’s terms, “customer information” can include:
- Information that a consumer provides to a financial institution on an application to obtain credit;
- Payment history;
- Account balance information;
- The fact that an individual is or has been a customer of, or has obtained a financial product or service from, a financial institution;
- Any information that a consumer provides to a financial institution or that the financial institution or its agent otherwise obtains in connection with collecting on or servicing a credit account;
- Any information in connection with a financing transaction that a financial institution collects through an Internet “cookie”; and
- Information from a consumer report.
“Customer information” also includes a list, description or grouping of customers derived using information points like those listed above.
The FTC’s website published a frequently asked questions list regarding its Privacy Rule and dealers. Although these FAQs are directed toward Privacy Rule compliance, they can be particularly helpful when analyzing whether the information is specifically “customer information” from a Safeguards Rule perspective (remember, the Privacy Rule and the Safeguards Rule are both issued under the larger Gramm-Leach-Bliley Act).
The FTC’s response to Question 6 says in part: “A list of all your customers—without reference to whether they financed their (RV) or paid for it outright—falls outside the Privacy Rule, as long as the list wasn’t derived from information about how they obtained their (RV).”
The FTC’s response to Question 15 also helps determine whether the information is “customer information”: “(I)nformation like name, address, vehicle make and model, and vehicle identification number may be disclosed because these categories are not related to whether or how the car was financed. However, any personal information you obtain in the course of financing or leasing is covered by the Privacy Rule.”
From these responses, we can gather that, for information to be “customer information,” it must tie back to, or have been derived from, how the vehicle was financed or paid for. A full customer list, irrespective of financing or purchase means, would not be considered “customer information.”
What is the third party providing?
To meet the “service provider” definition, the third party must be providing services to the financial institution. Of course, the term “services” is not defined under the Safeguards Rule, and the FTC expressly declined to revise the “service provider” definition with its most recent amendments. Instead, the FTC stated simply “entities subject to this requirement under the Final Rule will remain the same as under the existing Rule and may include consumer reporting agencies.”
Thus, we must look outside the Safeguards Rule text to guidance provided by the FTC and other facts about the relationship to determine whether “services” are being provided.
Looking back to the FAQs, the FTC seems to distinguish “service providers” from other third parties a financial institution may work with, such as a “third-party lender.” The “third-party lender” purchasing a retail installment contract (see the responses to Questions 8 and 9) may be subject to the Safeguards Rule as a financial institution “Service providers” are distinguished from manufacturers requiring a dealer to complete a retail delivery report on every sale of a manufacturer’s vehicle without reference to or based on financing or leasing information (see the response to Question 15)
In reference to “service providers,” the FTC specifically points to common relationships such as a marketing company sending marketing materials on a financial institution’s behalf (see the responses to Questions 6 and 7)
The FTC published a guidance resource, “How to Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act ” The document indicates a service provider may engage in activities such as mailing account statements or performing “other administrative activities for a consumer’s account ”
Turning now to your relationship with the third party, it is often helpful to inspect your contract(s) with the third party In the obvious case, your contract may indicate the third party is a “service provider ” Alternatively, your contract may only reference the duties of each party
In this case, you may need to spend time analyzing your relationship and the information you provide to the third party during the relationship The fact you do not have a contract saying the third party is a “service provider,” even concerning the GLBA Privacy Rule, does not mean the third party avoids “service provider” obligations under the Safeguards Rule.
It may be helpful to talk internally about what the third party does for you. Sometimes contracts do not capture the full picture of how a third party is helping to facilitate your business, and you will want to ask other questions.
Thus, to get the full picture, discussions internally should flesh out all the products and services that a financial institution leverages from a third party and whether they are provided to you. For example, manufacturers may provide marketing services to dealers, but they may perform services on their behalf. For consistency, you should review your privacy notice and leverage additional facts you used to create your privacy notice—in particular, how you categorized the third party in your Privacy Rule compliance program.
Regardless of how you classify the third party, ensuring sensitive consumer information is protected by you and the third party is important. Be sure you and the third parties with which you do business are on the same page concerning how information will be secured in transit and at rest.
Megan C. Nicholls is a partner in the Texas office of Hudson Cook, LLP. She can be reached at 682-350-9151 or by email at [email protected]. Webb McArthur is a partner in the Washington, D.C., office of Hudson Cook, LLP. He can be reached at 202-715-2012 or by email at [email protected].
