Latest Discussions

This message was posted by a user wishing to remain anonymous Hello Community! Have any other firms explored categorizing or assigning labels/groupings to types of remediation plans? Today we leverage (Control, Policy, and Management Action) and are ...

Thanks David. This is very helpful. I agree that reporting should be within compliance. This gives me some good information to take back to the team to discuss on streamlining our process internally.

Yes, Bank Service Company Act! Thank you, this is very helpful!

Information Classification: ll General The relevant FDIC guidance (although it and the illustrative examples are now quite dated) is FIL-49-99 and it speaks to the Bank Service Company Act (BSCA - 12 U.S.C. 1867) NOT the BSA. See ...

Hi, It is not the Bank Secrecy Act, it is the Bank Service Company Act they are referring to. You can find the FIL here : https://www.fdic.gov/news/financial-institution-letters/1999/fil9949.html Basically what we do, is that at the end of our ...

Our bank is FDIC regulated, but even if you are not I would recommend taking a look at the FDIC Guidance for Managing Third-Party Risk. Section 3 of that guidance goes into great detail concerning contracting recommendations. We initially used this ...

This message was posted by a user wishing to remain anonymous For FDIC guidance on the notification requirement in the Bank Secrecy Act see FIL-49-99

We currently also use LexisNexis as an additional tool to supplement research we may need to conduct in certain circumstances. I do not view this vendor as critical to our every day business functions, however, I am absolutely placing sensitive and at ...

I have a couple of thoughts- First is that a critical vendor shouldn't be something that you're adding to the Vendor stable on a regular basis. Critical is defined by your vendor policy, of course, but to borrow from my understanding, ...

This message was posted by a user wishing to remain anonymous I have posted before and have received valuable data and insights and hoping someone can assist re this challenge. Does anyone have contract, industry type, provisions that you can share ...

To my community bankers, how is your organization handling the above requirement internally? We are still having some healthy debates internally on which category of vendors fall into this requirement. The requirement states, " significant computer-security ...

We are currently undergoing an exam with the regulators and one of the questions that has come up is notification to regulators on new critical service providers. What guidance are all of you following and what new "critical providers" are you notifying ...

This message was posted by a user wishing to remain anonymous What are your businesses controls for Vendor Control Environment's? and by this question I mean What controls do you have put in place for vendors that you implement in the contract. For example...... ...

This message was posted by a user wishing to remain anonymous We use LexisNexis as an additional tool for customer due diligence (e.g., address verification, derogatory media, TIN status, company formation information). As a data aggregator, the vendor ...

Hello, Proper vendor and product setup is a common topic we discuss with our clients, so please know that your questions are in great company! Jackson's recommendation is one way you could handle your predicament, however, we would love to explore ...

Greetings! I work for a CU that also uses JHA. When you say that you want each product to be its own individual file, are you thinking along the lines of each product has it's own separate Vendor page? If so, the only thing I could think of would ...

Our VM Software system has a field for "Parent Company" When we have separate products/owners/documents, etc. We would load them as a separate vendor in their own right, and then list the parent company. I haven't used that feature yet, as I'm still ...

CPRA becomes effective 1/1/23, while CCPA has been effective since 1/1/20. This website has some easier to understand information on CPRA: https://www.caprivacy.org/ For service providers or contractors that store or process (nearly all actions fall ...

This message was posted by a user wishing to remain anonymous My credit union uses a popular critical vendor known as Jack Henry. Under Jack Henry we have 53 products we use with them. Each product has its own vendor owner and each product risk rating. ...

This message was posted by a user wishing to remain anonymous Thank you Heather. I would be interested to see what those Non-Banking Mortgage Lenders are doing in this aspect (those not regulated by the below mentioned government entities).