I’m speculating a bit here, but I have a feeling that as the first wave of Red Flag ruleexaminations occurs, one of the potential perceived weak points in your program(s) may be your vendor relationships. Of particular note are collections agencies. Per the guidelines, “Section 114 applies to financial institutions and creditors.” Under the FCRA, the term “creditor” has the same meaning as in section 702 of the Equal Credit Opportunity Act (ECOA), 15 U.S.C. 1691a.15 ECOA defines “creditor” to include a person who arranges for the extension, renewal or continuation of credit, which in some cases could include third-party debt collectors. Therefore, the Agencies are not excluding third-party debt collectors from the scope of the final rules and “a financial institution or creditor is ultimately responsible for complying with the final rules and guidelines even if it outsources an activity to a third-party service provider.”
A general rule of thumb in any examination process is to look closely at activities that are the most difficult for the examinee to control. Third-party relationship managementcertainly falls into this category. So, make sure your written and operational programs have procedures in place to ensure and regularly monitor appropriate Red Flag compliance — even when customer (or potential customer) activities occur outside your walls.