Latest Discussions

  • Labeling or categorizing remediation plans?

    Posted in: Risk Assessments

    This message was posted by a user wishing to remain anonymous. Hello Community! Have any other firms explored categorizing or assigning labels/groupings to types of remediation plans? Today we leverage (Control, Policy, and Management Action) and are ...

  • Posted in: Exams or Audits

    Thanks David. This is very helpful. I agree that reporting should be within compliance. This gives me some good information to take back to the team to discuss on streamlining our process internally.

  • Posted in: Exams or Audits

    Yes, Bank Service Company Act! Thank you, this is very helpful!

  • Posted in: Exams or Audits

    The relevant FDIC guidance (although it and the illustrative examples are now quite dated) is FIL-49-99 and it speaks to the Bank Service Company Act (BSCA - 12 U.S.C. 1867) NOT the BSA. See ...

  • Posted in: Exams or Audits

    Hi, It is not the Bank Secrecy Act, it is the Bank Service Company Act they are referring to. You can find the FIL here: https://www.fdic.gov/news/financial-institution-letters/1999/fil9949.html Basically what we do, is that at the end of our ...

  • Our bank is FDIC regulated, but even if you are not I would recommend taking a look at the FDIC Guidance for Managing Third-Party Risk. Section 3 of that guidance goes into great detail concerning contracting recommendations. We initially used this ...

  • RE: Notification to regulators on critical third parties

    Posted in: Exams or Audits

    This message was posted by a user wishing to remain anonymous. For FDIC guidance on the notification requirement in the Bank Secrecy Act see FIL-49-99

    1 person likes this.
  • We currently also use LexisNexis as an additional tool to supplement research we may need to conduct in certain circumstances. I do not view this vendor as critical to our everyday business functions, however, I am absolutely placing sensitive and at ...

  • Posted in: Exams or Audits

    I have a couple of thoughts. First is that a critical vendor shouldn't be something that you're adding to the Vendor stable on a regular basis. Critical is defined by your vendor policy, of course, but to borrow from my understanding, ...

    1 person likes this.
  • Posted in: Contract Management

    This message was posted by a user wishing to remain anonymous. I have posted before and have received valuable data and insights and am hoping someone can assist re this challenge. Does anyone have contract, industry type, provisions that you can share ...

  • Posted in: Exams or Audits

    To my community bankers, how is your organization handling the above requirement internally? We are still having some healthy debates internally on which category of vendors fall into this requirement. The requirement states, "significant computer-security ...

  • Posted in: Exams or Audits

    We are currently undergoing an exam with the regulators and one of the questions that has come up is notification to regulators on new critical service providers. What guidance are all of you following and what new "critical providers" are you notifying ...

  • Vendor Control Environments

    This message was posted by a user wishing to remain anonymous. What are your business's controls for Vendor Control Environments? By this question I mean: what controls do you have put in place for vendors that you implement in the contract? For example...... ...

  • LexisNexis Risk Assessment

    This message was posted by a user wishing to remain anonymous. We use LexisNexis as an additional tool for customer due diligence (e.g., address verification, derogatory media, TIN status, company formation information). As a data aggregator, the vendor ...

  • Hello, Proper vendor and product setup is a common topic we discuss with our clients, so please know that your questions are in great company! Jackson's recommendation is one way you could handle your predicament, however, we would love to explore ...

  • Greetings! I work for a CU that also uses JHA. When you say that you want each product to be its own individual file, are you thinking along the lines of each product has its own separate Vendor page? If so, the only thing I could think of would ...

    1 person likes this.
  • Our VM Software system has a field for "Parent Company". When we have separate products/owners/documents, etc., we would load them as a separate vendor in their own right, and then list the parent company. I haven't used that feature yet, as I'm still ...

  • Posted in: Regulations

    CPRA becomes effective 1/1/23, while CCPA has been effective since 1/1/20. This website has some easier to understand information on CPRA: https://www.caprivacy.org/ For service providers or contractors that store or process (nearly all actions fall ...

  • Specific Vendor Question

    This message was posted by a user wishing to remain anonymous. My credit union uses a popular critical vendor known as Jack Henry. Under Jack Henry we have 53 products we use with them. Each product has its own vendor owner and each product risk rating. ...

    1 person likes this.
  • RE: FTC - Service Providers and Contracting

    This message was posted by a user wishing to remain anonymous. Thank you Heather. I would be interested to see what those Non-Banking Mortgage Lenders are doing in this aspect (those not regulated by the below mentioned government entities).