Due Diligence and Ongoing Monitoring

This message was posted by a user wishing to remain anonymous

As many are aware, the FTC is implementing changes to the Safeguards Rule and I had a question for the community regarding contracting with service providers.  The FTC states that you must require your service providers to safeguard consumer information in various means but it must also be a requirement in your contracts with the service provider.

What is the communities thoughts and practice around Closing/Title Agents that you may send consumer information as part of the loan process.  Are they your service provider, even though the customer chooses whom to use?  Financial Institutions require the consumer to use a Closing/Title agent to receive a loan from them, so are they your service provider?

If the FTC would consider that they are a service provider of the financial  institution, are you getting a contract or other agreement with the Closing/Title agent that requires them to meet the FTC Safeguards rule as stated by the FTC?

Good morning,

The Safeguards Rule applies to financial institutions subject to the FTC's jurisdiction and that aren't subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805.

For Financial Institutes, (banks, credit unions) this rule would not apply as they are regulated by the OCC, FDIC or NCUA for national credit unions, and state regulators for smaller credit unions.

While there is nothing specific to contracts, there is this requirement: Require the service provider or affiliate to maintain an information security program that protects you in accordance with the requirements of this part.  Without specific requirements as to the contract, the FI can execute the requirements as they see fit, to meet the requirement.

Based on interpretation of this regulation, having a standard data security agreement to use in these instances, would likely be sufficient.

I hope this is helpful and would love to get input from other members of the community on this subject.

This message was posted by a user wishing to remain anonymous

Thank you Heather.  I would be interested to see what those Non-Banking Mortgage Lenders are doing in this aspect (those not regulated by the below mentioned government entities).
Original Message:
Sent: 06-29-2022 11:01 AM
From: heather garnett
Subject: FTC - Service Providers and Contracting

Good morning,

The Safeguards Rule applies to financial institutions subject to the FTC's jurisdiction and that aren't subject to the enforcement authority of another regulator under section 505 of the Gramm-Leach-Bliley Act, 15 U.S.C. § 6805.

For Financial Institutes, (banks, credit unions) this rule would not apply as they are regulated by the OCC, FDIC or NCUA for national credit unions, and state regulators for smaller credit unions.

While there is nothing specific to contracts, there is this requirement: Require the service provider or affiliate to maintain an information security program that protects you in accordance with the requirements of this part.  Without specific requirements as to the contract, the FI can execute the requirements as they see fit, to meet the requirement.

Based on interpretation of this regulation, having a standard data security agreement to use in these instances, would likely be sufficient.

I hope this is helpful and would love to get input from other members of the community on this subject.