Information Handoff

Information Handoff

AAMVA releases new best practice guide for administering third-party agents

  |    |  

Jurisdictions all across North America partner with third-party agents for a range of reasons and under differing arrangements. A few years ago, AAMVA began hearing from its members about some issues and challenges they were experiencing with third-party agents in part due to the gray areas of those partnerships that had not been contractually defined or for which a remediation process had not been outlined. Guidance was needed.

Advancements in technology, among other factors, have led to an increase in the number of third-party agents providing services, software and/or support to jurisdictions. As these partnerships have flourished, a handful of different models for those partnerships have emerged. To provide best practices on this topic, AAMVA first had to define these different partnership models. Over the course of a year, a working group of jurisdiction representatives from the U.S. and Canada along with a cohort of third-party agents came together to tackle the task.

The inclusion of and input from third-party agents in the development of this best practice was essential, according to Casey Garber, AAMVA manager of Vehicle Programs. “We really wanted to understand their businesses and the way they operate as well so that we could make sure our recommendations weren’t going to cause them problems when everything is implemented.”

In this episode, we speak with Casey Garber, Manager of Vehicle Programs at AAMVA, and Steve Murphy, Director of Registries Administration and Accountability at Service Alberta, about the Third Party Agents best practices document and how AAMVA members can use its recommendations. 

Overview and Goals

AAMVA’s “Best Practices for Administering Third-Party Agents” has three main sections:

  • Operational and legal considerations around administering an existing program, expanding an existing program or establishing a new program
  • Framework under which third parties will operate
  • Courses of action to ensure compliance with program standards, security and service goals

The best practice guide does not endorse any single model for administering a third-party agent program that should be adopted by all jurisdictions. Its purpose is to assist jurisdictions that are seeking to implement or expand agent services, as well as those looking to upgrade existing policy documents and procedures with a goal of improving oversight. Regarding contract or memorandum of understanding (MOU) provisions, the guide’s recommendations aim to bring increased standardization for vendors or agents operating in multiple jurisdictions.

For each partnership model defined, the benefits and concerns of each are also included in the guide. Because of the range of services involved in these partnerships, the different models exist to facilitate those different types of partnerships, which is why there is not a one-size-fits-all recommendation. As an added resource, the guide contains a comprehensive appendix that lists the types of third-party agent services used by each North American jurisdiction and province.

Steve Murphy, Director of Registries Administration and Accountability at Service Alberta and Chair of AAMVA’s Third Party Agents Working Group says, “At the end of the day, we wanted to structure the document so that it would suit everyone’s needs—a jurisdiction looking to expand a third party partnership, or one looking to bolster their auditing or performance management, or a jurisdiction starting from scratch.”

Discoveries and Insights

From the outset, the working group sought to answer the recurring questions from the community: “What happens when someone isn’t doing what they’re supposed to do? What authority do jurisdictions have, and what actions can be taken?”

“We had to work our way backward into that challenge,” Garber says. “How do you resolve the issue they’re facing? We had to reverse it all the way back to what you need to start with.”

This reverse engineering approach to answering those questions yielded the following general guidance:

  1. Build a business case, and decide what kind of program is needed.
  2. Evaluate the different partnership models to determine the one best suited for the program.
  3. Write a contract or an MOU that sets out all the general requirements.
  4. Develop standards of performance with specific details for the third-party agent(s).
  5. Outline oversight procedures for quality assurance and auditing as well as remediation steps for noncompliance.

“Spell everything out in writing, so all parties understand what has to happen in order for the business relationship to be successful,” Garber says. “We want service agents to be successful because that’s what makes jurisdictions successful.”

And to drive home the importance of that success, Garber notes that citizens see these agents as an arm of the jurisdiction, not as a separate entity, in most cases. Thus, it is mutually beneficial for everyone to operate at a top level of performance.

Benefits for All Involved

From a holistic perspective, AAMVA’s recommendations in this guide are like a cascading waterfall, according to Garber. Each part flows from another, like water coursing down a stepped terrain. “Without the contract and the standards of performance, you’re not able to do the program compliance and the audit pieces to make sure everyone is doing what they need to do,” she says.

“We highlight the most important areas jurisdictions need to consider,” Murphy says, “and also explain why. We hope when a jurisdiction reads the document, they say, ‘OK, I understand why I should give this area some thought.’”

“If you’re not using a third party, but a third party might help you serve your citizens, give the document a read,” Garber says. “If you want to expand your third-party program, here are some things to consider.

“You might just have an ah-ha moment and say to yourself, ‘Oh, I had not thought about that.’”

Managing Data Privacy and External Access

Third-party agents are often given access to citizens’ personal data. It is imperative that provisions for data security are written into a third-party agent contract. A separate AAMVA working group developed best practices for managing data privacy in parallel with the third-party agents working group, and that best practice, “Managing Data Privacy and External Access,” is a necessary companion to the “Best Practices for Administering Third-Party Agents.”

“We have provided some models in the [data privacy] best practice for data governance as well as risk management frameworks that jurisdictions can follow,” says Julie Knittle, AAMVA Director, Member Services, Regions 3 & 4. “But we recognize each jurisdiction may be set up differently or have different resources available, so we also recommended the key components for customization and incremental implementation in jurisdictions if they’re not ready to implement 100% right out of the gate.”

In this episode, we speak with Julie Knittle, AAMVA Director, Member Services, Regions 3 & 4 and Minty Patel, Manager, Driver and Vehicle Information Services at the Pennsylvania Department of Transportation about the soon-to-be published best practices document for managing data privacy and how AAMVA members can best use this new resource.

Minty Patel of the Pennsylvania Department of Transportation and Chair of AAMVA’s Managing Data Privacy and External Access Working Group recommends jurisdictions start with a focus on record management, compliance and auditing.

“Even if jurisdictions are in the early stages of establishing a data governance structure … the best practice will help make jurisdictions’ data privacy program strong,” Patel says. “COVID-19 has added an extra layer to the importance of data security because there are so many people now working remotely,” says Casey Garber, AAMVA manager of Vehicle Programs.

While all the lessons learned from the pandemic are not yet fully realized, those jurisdictions with established third-party agent partnerships and mature data governance processes pre-pandemic likely will be found to have fared better than those without, especially where online transactional systems and infrastructure for supporting a remote workforce are involved.

With the technological changes driving greater convenience through online services, data security and privacy is paramount. Managing that security across multiple networks, systems, vendors and third-party agents is a big task. AAMVA is up to the challenge and working hard to provide clear guidance and best practices on these topics and more.

AAMVA published a Managing Data Privacy Best Practice meant to accompany the recently released Managing Third-Party Relationships Best Practice. Visit to access these documents.

Related Articles

Deep Fakes

Phony licenses have become big business for counterfeiters. Here’s what DMVs can do to secure licenses and owners’ true identities 

Suspended Future

Linking non-highway safety offenses to license suspension burdens government agencies and, in particular, young drivers

Clearing a Safe Path

Highway safety professionals are continuously trying to improve practices for Traffic Incident Management