Due Diligence and Ongoing Monitoring


Vendors with relationships with your customers through referral

  • 1.  Vendors with relationships with your customers through referral

    This message was posted by a user wishing to remain anonymous
    Posted 11-29-2021 01:59 PM

    How do you monitor/manage vendors that maintain direct relationships with your customers through a REFERRAL by your institution, where the vendor is not collecting NPI directly from your institution but may store, process or have access to customer information because of your referral? How is that information captured in your risk assessments/questionnaires?


  • 2.  RE: Vendors with relationships with your customers through referral

    Posted 12-08-2021 10:58 AM

    Hi there,
    While this may seem confusing, it can be simple to apply the questions to every potential vendor, including referrals.

    1. Does the vendor access, process, transmit or store customer data? This question covers every type of vendor relationship, including referrals. An excellent example of where a vendor has customer data that didn't originate from your organization would be credit reporting agencies. They have your customer data, and they didn't get it from you. However, that data is used within the context of the direct relationship.
    2. You must consider the duty of care when making such a referral. That means that your organization is confident that the referred organization can safely manage your customer's data and privacy before you refer them. So conducting appropriate due diligence based on the vendor's access to data is essential.

    In my opinion, it is not necessary to alter your questionnaires to identify referrals. However, the question remains what or if you will monitor the vendor's risk profile and if any performance monitoring will occur. Depending on the type of service they are offering, you may have different requirements. Check with your legal counsel to understand your organization's liability and risk to your reputation if the referral vendor should have a breach or other issue.

    Again, there are probably different ways to handle the situation, and I would love to hear other members' ideas.