Service Provider Management
Our solution allows you to retain and track all relevant documentation and information needed to prove service providers’ compliance with the rule and allows you to quickly compile this information into the required annual report needed to comply with the rule.
What is a Service Provider?
A Service Provider is any person or entity that receives, uses, processes, stores, or has access to your customers’ information through their providing services to your dealership. Service Providers include:
third party IT support
Even your janitorial service could be considered a Service Provider, but whether or not your service providers must comply with the Safeguards Rule depends on whether they have access to customer data.
One way to create a list of your dealership’s service providers is to review your dealership’s accounts payable list. If you use a service provider, you generally have to pay them.
Look down the list and ask yourself, does this company have access to customer NPI in the course of its duties on behalf of the dealership? If the answer is yes, it is a service provider.
Not all service providers are obvious. For example, does your after-hours cleaning service have access to unlocked file cabinets containing customer NPI? How about your offsite storage vendor? Or your third-party IT consultant or forms programmer?
How do I manage my Service Providers?
Once you have identified your dealership’s service providers, the Rule requires that they be “overseen.” What does that mean? The Rule states two specific requirements.
First, a dealership must take reasonable steps to select and retain service providers who are capable of protecting customer NPI.
The second specific requirement is to require by contract that the service provider protect your customers’ NPI.
To reasonably oversee your dealership’s service providers, you should review each lender agreement to determine if it contains a promise to implement and maintain safeguards. You should do the same with your dealership’s contracts with F&I product providers and other service providers.
How do I document and track my service provider’s compliance with the Safeguards Rule?
Once you’ve confirmed each contract contains a promise to implement and maintain safeguards, make a copy of each lender agreement and put it with your Safeguards Program records.
Mosaic provides a software solution for managing service provider compliance with the Safeguards Rule. This solution allows you to retain and track all relevant documentation and information needed to prove service providers’ compliance with the rule and allows you to quickly compile this information into the required annual report needed to comply with the rule.
Service provider management is an important part of the Revised FTC Safeguards Rule, but it can feel daunting to approach. If you need help getting started, Mosaic and our partners have resources to help. If you would like to learn more contact us for a demo today or get started now by filling out our Network Status Questionnaire.