How to Analyze Whether a Third Party May Be a Service Provider Under the Safeguards Rule
With the Safeguards Rule in effect, financial institutions are shifting into full-compliance gear. The Safeguards Rule requires that financial institutions contractually bind their service providers to implement and maintain certain controls under the Safeguards Rule, which we have generally discussed in previous Spot articles. You might be wondering if every relationship that a financial institution has with a third party is considered a “service provider” relationship for purposes of the Safeguards Rule.
Below is a brief refresher on the Safeguards Rule’s definition of “service provider,” followed by a list of questions you can ask to help determine if a third party with which you have a relationship might be considered a service provider under the Safeguards Rule.
What is a “service provider”?
The Safeguards Rule defines the term “service provider” to mean a person or entity that receives, maintains, processes, or is otherwise permitted to access customer information through its provision of services directly to a financial institution. Breaking the definition of “service provider” apart, there are two pieces: (1) a service provider accesses customer information of the financial institution; and (2) a service provider provides services to the financial institution relative to the customer information.
Do you provide “customer information” to the third party?
In order to answer this question, you need to know what constitutes “customer information.” This part can be a bit tricky. “Customer information” means any record containing nonpublic personal information about a customer of a financial institution, whether in paper, electronic, or other form, that is handled or maintained by or on behalf of the financial institution or its affiliates. In layman’s terms, “customer information” can include:
“Customer information” also includes a list, description, or grouping of customers that is derived using information points like those listed above.
The Federal Trade Commission published on its website a list of frequently asked questions regarding its Privacy Rule and auto dealers. While this set of FAQs is directed toward Privacy Rule compliance, it can also be particularly helpful when analyzing whether information is specifically “customer information” from a Safeguards Rule perspective (remember that the Privacy Rule and the Safeguards Rule are both issued under the larger Gramm-Leach-Bliley Act). The FTC’s response to Question 6 includes the following: “A list of all your customers—without reference to whether they financed their car or paid for it outright—falls outside the Privacy Rule, as long as the list wasn’t derived from information about how they obtained their car.”
The FTC’s response to Question 15 is also helpful in determining whether information is “customer information”: “information like name, address, vehicle make and model, and vehicle identification number may be disclosed because these categories are not related to whether or how the car was financed. However, any personal information you obtain in the course of financing or leasing is covered by the Privacy Rule. This includes the fact that a car has been financed or leased or any other information derived from the financing or leasing.”
From these responses, we can gather that, for information to be “customer information,” it has to tie back to, or have been derived from, how the vehicle was financed or paid for. A list of all your customers, irrespective of financing or purchase means, would not be considered “customer information.”
What is the third party providing to you?
In order to meet the definition of a “service provider,” the third party must be providing services to the financial institution. Of course, the term “services” is not defined under the Safeguards Rule, and the FTC expressly declined to revise the definition of “service provider” via its most recent amendments to provide more clarity, simply stating that “entities subject to this requirement under the Final Rule will remain the same as under the existing Rule and may include consumer reporting agencies.”
Thus, we must look outside the text of the Safeguards Rule to guidance provided by the FTC and to other facts about the relationship to determine whether “services” are being provided.
Looking back to the FAQs, the FTC seems to distinguish “service providers” from other third parties that a financial institution may work with, such as a “third party lender” that is purchasing a retail installment contract (see the responses to Questions 8 and 9), which may be subject to the Safeguards Rule as a financial institution, or car manufacturers that require a dealer to complete a retail delivery report on every sale of a manufacturer’s vehicle without reference to or based on financing or leasing information (see the response to Question 15). In reference to “service providers,” the FTC specifically points to common relationships such as a marketing company sending marketing materials on a financial institution’s behalf (see the responses to Questions 6 and 7). The FTC has also published a guidance resource, “How to Comply with the Privacy of Consumer Financial Information Rule of the Gramm-Leach-Bliley Act,” which indicates that a service provider may engage in activities such as mailing account statements or performing “other administrative activities for a consumer’s account.”
Turning now to your relationship with the third party, it is often helpful to inspect your contract(s) with the third party. In the obvious case, your contract may indicate that the third party is a “service provider.” Alternatively, your contract may only reference the duties of each party. In this case, you may need to spend time analyzing your relationship and the information you provide to the third party during the course of the relationship. The fact that you don’t have a contract that says the third party is a “service provider,” even with respect to the GLBA Privacy Rule, doesn’t mean that the third party is not a “service provider” under the Safeguards Rule.
It may also be helpful to talk internally about what the third party does for you. Sometimes contracts do not capture the full picture of how a third party is helping to facilitate your business, and you will want to ask other questions. Thus, to get the full picture, internal discussions should flesh out all the products and services that the financial institution leverages from a third party and whether those services are provided to you (as opposed to on the third party's own behalf). For example, auto manufacturers may provide marketing services to dealers, but they may also perform services on their own behalf. And, for consistency, you should review your privacy notice and leverage the additional facts that you used to create your privacy notice, in particular how you categorized the third party in your Privacy Rule compliance program.
Regardless of how you classify the third party, it is important to ensure that sensitive consumer information is protected by you and the third party. Thus, it is always a good idea to ensure that you and the third parties with which you do business are on the same page with respect to how information will be secured in transit and at rest.
Megan C. Nicholls is a partner in the Texas office of Hudson Cook, LLP. Webb McArthur is a partner in the Washington, D.C., office of Hudson Cook, LLP.
© CounselorLibrary.com 2020, all rights reserved. Based on an article from Spot Delivery. Single print publication rights only to Used Car News.