- Collection agency data sharing procedure
- Information service data sharing procedure
Section VI, part C, of the guidelines provides that, whenever a service provider is engaged to perform an activity in connection with one or more covered accounts, the institution should take steps to ensure the activity of the service provider is conducted in accordance with reasonable policies and procedures designed to detect, prevent, and mitigate the risk of identity theft. Thus, the guidelines make clear that a service provider that provides services to multiple financial institutions and creditors may do so in accordance with its own program to prevent identity theft, as long as the program meets the requirements of the regulations. The guidelines also provide an example of how a covered entity may comply with this provision. The guidelines state that a financial institution or creditor could require the service provider, by contract, to have policies and procedures to detect relevant red flags that may arise in the performance of the service provider's activities and either report the red flags to the financial institution or creditor or take appropriate steps to prevent or mitigate identity theft.