Latest Discussions

Hi Cathy, You are correct that the SSAE 18 supersedes the SSAE 16. I keep a collection of provisions that I use as examples and should update that in my file. We often review contracts prior to the 2017 change and even see some older that refer to ...

Rather than insert our "Right to Audit" clause. I am going to second Heather's. Just because it says the right things. It asks for due diligence documentation up front. This is important for supplier performance measures. The updated certifications ...

Thanks ever so much for sharing your "Right to Audit" clause. In my examination of the clause against our subcontract I noted that SSAE 16 (with which I was unfamiliar) says online it has been superseded by SSAE No. 18 and as of 5/1/2017 the report ...

Hi Paul, Here is an example of a clause you may find helpful. Vendor Management: (a) To meet the mandates associated with third party vendors, the Client may request annually from the Company the following information: Annual Financial Statements; ...

Hi David, Can you give us a bit more definition around your definition of "independent agent"? What does the agency relationship with these folks look like? Thanks, Gordon Rudd

Yes. The Right to Audit clause should be an essential part of any vendor contact.

Hello, As we are developing our TPRM program we are looking to get security assessments to our independent agents, who we list as third-parties. We are not going to give them our usual assessment that we give to the rest of our critical/high-risk vendors, ...

Excellent. Thank you!

This is a list of contract terms legal is looking for in our critical ranked vendor contracts. Required Contract Terms for Critical Vendors (Legal Department discretion as to relevance to vendor) Privacy-provision surrounding how personally ...

Hi, Does anyone have examples you could share of contract checklists? Basically, I'm looking for examples of checklists one uses when reviewing vendor contracts to ensure that significant clauses are included. Joe

Great question! If the vendor has access to NPI, it's a high-risk vendor. Then can drill down to exactly what information would a repo agent, collection company, and skip tracer be given from any lender. While a collection agency and a skip tracer ...

Our position is that all Personal Information is handled as confidential information and gets the strictest due diligence for governance. Personal Information has many forms and has many layers. If you have the data controller's opt-in, you can gather ...

Hi Matt, I know everyone is asking for ya! But i'd like to know more as well!

Hi Matt, I would be interested in learning more about your extensive review.

I have seen this question discussed multiple times in many outlets out there. Name, address and phone numbers are not always considered confidential or private if they are already in the public domain. Third Party Management offices struggle with ...

This is an area we are also working on laying out. We are attempting to define minimum insurance requirements by engagement type, with the knowledge each engagement will need to be reviewed on its own and minimums adjusted up if required. Matt, I would ...

We also request these items via a Vendor Risk program doing a Due Diligence and Annual Audit based on a vendor risk score or if applicable during contract negotiations if it is a vendor we need to ensure is protecting data or networks appropriately. ...

The ISO 27001 cert is good for a 3-year period though applicability should be reviewed annually. It is part of our checklist. "Is it still valid? Do we think the supplier can meet the requirements?" Reputable auditor - KPMG, Deloitte, Coalfire, etc. ...

This message was posted by a user wishing to remain anonymous I am wondering how others are categorizing vendors with access to NPI. Do you count special, case-by-case access (i.e. Repo Agents or special collection vendor) or full on, uninhibited access ...

​Does anyone have a questionnaire that you would be willing to share with me. I am new at this Vendor stuff and it needs a lot of TLC.I would greatly appreciate it. Please and thanks, Marlene