We use the following questions in our risk review to determine which reports are needed, if any:
Does the third party process/store/manage/view/modify/transmit/destroy the bank's NPPI or bank sensitive data?
If yes, the next question is:
Will the third party process or store NPPI or other sensitive bank data at their own location offsite?
If yes, we require a SOC 2 report.
Will the third party process financial transactions on behalf of our company?
If yes, we require a SOC 1 report.
If both questions are true, we require both reports, and there are few instances where they are not available at that point.