ADMINISTERING YOUR PROGRAM
Program’s implementation, reviewing staff reports about how your
organization is complying with the Rule, and approving important
changes to your Program.
The Rule requires that you train relevant staff only as “necessary” –
for example, staff that has received anti-fraud prevention training
may not need to be re-trained. Remember though, that employees at
many levels of your organization can play a key role in identity theft
deterrence and detection.
In administering your Program, monitor the activities of your service
providers. If they’re conducting activities covered by the Rule – for
example, opening or managing accounts, billing customers, providing
customer service, or collecting debts – they must apply the same
standards you would if you were performing the tasks yourself. One
way to make sure your service providers are taking reasonable steps
is to add a provision to your contracts that they have procedures in
place to detect red flags and either report them to you or respond
appropriately to prevent or mitigate the crime themselves. Other
ways to monitor them include giving them a copy of your Program,
reviewing their red flags policies, or requiring periodic reports about
red flags they have detected and their response.
It’s likely that service providers offer the same services to a number of
client companies. As a result, the Guidelines are flexible about using
service providers that have their own Programs as long as they meet
the requirements of the Rule.
The person responsible for your Program should report at least annually
to the board of directors or a designated senior manager. The report
should evaluate how effective your Program has been in addressing
the risk of identity theft; how you’re monitoring the practices of your
service providers; significant incidents of identity theft and your
response; and recommendations for major changes to the Program.