Hi Ashley,
On a per loan processor basis, do you collect proof of cybersecurity, phishing and other types of awareness training for each loan processor on an annual basis as part of your due diligence?
I realize this is an older question, but have found the definition of "third party" vendor management is evolving at the state level during examinations and see multiple states, including NY (NY DFS), expanding the due diligence required to the individuals at the vendor that come in contact (i.e., processing) with the nonpublic information.
For instance, if your firm uses a known third party for cybersecurity training, phishing awareness, HIPAA training (not related to mortgages, but affects other financial services firms like insurance) that provides certifications for your employees, this can help when loan processors act independently and don't provide you with evidence of a bona fide cybersecurity program and training certifications.
For instance, you can see if your training vendor can give you an option to have your external loan processors take that course and provide you with the certification after completed annual training. Companies like KnowBe4 and others have programs where you can arrange to have a third party participant complete and submit cybersecurity training certification PRIOR to access to your nonpublic information and information systems to protect the consumer information's integrity, confidentiality, privacy, security, etc.
In related area, as an example, I know it is a common practice for anti-harassment training -- if someone misses a company training window, they are required to complete online training at New York City's site (https://www1.nyc.gov/site/cchr/law/sexual-harassment-training.page) or similar venues.
Best regards (Happy New Year)
Original Message:
Sent: 02-19-2021 09:51 AM
From: Ashley McGhee
Subject: Third Party Loan Processing
I'm interested in seeing what type of due diligence and monitoring do other banks do for third party residential loan processing.
Thanks.