If they can change the customer's address, they need a program.
But if they share the program elements with you, that's a new risk (they shouldn't), as exposing what their controls are opens the possibility that bad guys will find a way around them.
However, they can provide an attestation that they have a program and that it's audited at least annually.
And you can make certain you have a contract clause that describes both that they have a program and what steps will be taken in the event a security breach exposes your clients, customers, or consumers to potential identity theft.
------------------------------
Bradley Martin
bradleymartin.net
------------------------------
Original Message:
Sent: 08-23-2022 06:53 PM
From: Anonymous Member
Subject: Identity Theft and Red Flags
This message was posted by a user wishing to remain anonymous
Hello,
I want to know how everybody handles Identity Theft and Red Flag due diligence. Do you ask all your vendors who have access to NPPI, or only vendors who are considered a Financial Institution or creditor? (BTW, we are a bank.)
For example, Ellie Mae informed us that they are not required to have a written identity theft program.
How about a payroll processing vendor?
Employee benefits? Couriers? Document shredding?
Thank you in advance for all the assistance.