Latest Discussions

  • Are any credit unions currently using push notifications for marketing purposes within their mobile apps? If so, could you share how you distinguish between marketing and transactional/service-related messages, including how consent is obtained and managed ...

  • Good afternoon, There are several factors to consider in this instance. While the specific requirements may vary depending on your risk methodology, based on the description provided, and assuming the service provider will have access to Non-Public Information ...

  • We are onboarding our first Brokered Deposits vendor since before the 2024 SVB, et al collapse. What due diligence do you gather from these types of vendors? Our last onboarding was a very long time ago and the previous vendor program manager treated them ...

  • Since the ridiculous expansion in the 2023 guidance ("any business arrangement", which places Subway in scope for bringing lunch to a meeting), we (FDIC examined) have an ever-growing section in the TPRM policy & Standard governance documentation that ...

  • RE: Escrow and Title companies Due Diligence

    This message was posted by a user wishing to remain anonymous. We include Escrow and Title Companies in our "in scope vendors". For ongoing due diligence we typically collect insurance only.

  • RE: Escrow and Title companies Due Diligence

    This message was posted by a user wishing to remain anonymous. Did you not recognize the title companies at all within your program? Maybe that was the issue that was trying to be addressed? We were trying at one point to maintain a file for each title ...

  • RE: Escrow and Title companies Due Diligence

    This message was posted by a user wishing to remain anonymous. You can take a risk-based approach and make the decision to scope Title companies out of your program and document your rationale. We have been on the fence about scoping them out and are ...

  • RE: Escrow and Title companies Due Diligence

    This message was posted by a user wishing to remain anonymous. Hello, We include our third parties like title companies in our vendor management due diligence. Based on our risk category and due diligence questions we will determine at what level ...

  • RE: Escrow and Title companies Due Diligence

    This message was posted by a user wishing to remain anonymous. Hello, Our third-party business partners like title companies are included in our vendor management due diligence and reviewed on an annual basis. Our vendor management team determines ...

  • RE: Escrow and Title companies Due Diligence

    This message was posted by a user wishing to remain anonymous. You can decide who to include and exclude from the vetting process and then spell it out in your policy. The issue might be that you haven't specifically addressed these types of vendors? ...

  • Due Diligence Confidentiality

    This message was posted by a user wishing to remain anonymous. As part of our TPRM process, vendors provide due diligence documentation that is typically designated as confidential and not to be shared externally. If we store this information in ...

    2 people like this.
  • Escrow and Title companies Due Diligence

    This message was posted by a user wishing to remain anonymous. Recently we had an external auditor write up a finding in regard to Escrow and Title companies Due Diligence. They said that because of Regulatory guidance from 2023, we should include ...

    2 people like this.
  • Job Description

    Hi all – As a Vendor Management function led by a department of one, I'm working to better define roles and responsibilities as the program continues to mature. If anyone is open to sharing sample job descriptions for vendor management or third-party ...

    2 people like this.
  • We define a Critical vendor as a vendor that provides services that are critical to the Bank or is a SOX vendor. Critical services may have a significant client impact that could cause material harm if the vendor fails to meet expectations or could have ...

  • Our third‑party questionnaires have been updated to incorporate new AI‑focused questions, including inquiries about AI usage and any use of our data in model training. We've also identified several third‑party vendors we plan to onboard whose offerings ...

    1 person likes this.
  • RE: Vendor Criticality & Assessment Frequency

    This message was posted by a user wishing to remain anonymous. This is how we determine our Critical Vendors. Tiers 1-3 are reviewed annually (Critical, GLBA & Infrastructure) Vendors providing services considered 'critical' to the Credit Union's daily ...

  • Hi, For us critical is defined as a vendor that is critical to our daily business and/or one that has a large amount of private information. If we cannot function without them they are critical. All critical get reviewed at least ...

  • Vendor Criticality & Assessment Frequency

    This message was posted by a user wishing to remain anonymous. Hi all, I'm interested in how peer organizations are approaching two areas within their third-party risk programs: Critical Vendor Definition: How does your organization define ...

  • Critical Vendor Definition & Reassessment Frequency

    This message was posted by a user wishing to remain anonymous. Hi all, I'm interested in how peer organizations are approaching two areas within their third-party risk programs: Critical Vendor Definition: How does your organization define ...

  • Third Party Data Risk

    This message was posted by a user wishing to remain anonymous. Hi Everyone, at my company (large global insurance company) we are looking into broadening processes and controls around data sent to third parties. I'm wondering if anyone has any processes ...

    1 person likes this.