Latest Discussions

Catch Up on the Latest Discussions
Network. Collaborate. Connect. 

This community provides a space where professionals in the industry can access third-party risk management resources and, more importantly, interact with each other through discussion boards. You can network, share stories, ask questions, and receive feedback from others to help overcome your own challenges.

  • Posted in: Contract Management

    Hi Cathy, You are correct that the SSAE 18 supersedes the SSAE 16. I keep a collection of provisions that I use as examples and should update that in my file. We often review contracts prior to the 2017 change and even see some older that refer to ...

  • Posted in: Contract Management

    Rather than insert our "Right to Audit" clause, I am going to second Heather's, just because it says the right things. It asks for due diligence documentation up front. This is important for supplier performance measures. The updated certifications ...

  • Posted in: Contract Management

    Thanks ever so much for sharing your "Right to Audit" clause. In my examination of the clause against our subcontract I noted that SSAE 16 (with which I was unfamiliar) says online it has been superseded by SSAE No. 18 and as of 5/1/2017 the report ...

  • Posted in: Contract Management

    Hi Paul, Here is an example of a clause you may find helpful. Vendor Management: (a) To meet the mandates associated with third party vendors, the Client may request annually from the Company the following information: Annual Financial Statements; ...

  • Posted in: Risk Assessments

    Hi David, Can you give us a bit more definition around your definition of "independent agent"? What does the agency relationship with these folks look like? Thanks, Gordon Rudd

  • Posted in: Contract Management

    Yes. The Right to Audit clause should be an essential part of any vendor contract.

  • Posted in: Risk Assessments

    Hello, As we are developing our TPRM program we are looking to get security assessments to our independent agents, who we list as third-parties. We are not going to give them our usual assessment that we give to the rest of our critical/high-risk vendors, ...

  • Posted in: Contract Management

    Excellent. Thank you!

  • Posted in: Contract Management

    This is a list of contract terms legal is looking for in our critical ranked vendor contracts. Required Contract Terms for Critical Vendors (Legal Department discretion as to relevance to vendor) Privacy-provision surrounding how personally ...

  • Posted in: Contract Management

    Hi, Does anyone have examples you could share of contract checklists? Basically, I'm looking for examples of checklists one uses when reviewing vendor contracts to ensure that significant clauses are included. Joe

  • Posted in: Risk Assessments

    Great question! If the vendor has access to NPI, it's a high-risk vendor. Then can drill down to exactly what information would a repo agent, collection company, and skip tracer be given from any lender. While a collection agency and a skip tracer ...

  • Our position is that all Personal Information is handled as confidential information and gets the strictest due diligence for governance. Personal Information has many forms and has many layers. If you have the data controller's opt-in, you can gather ...

  • Hi Matt, I know everyone is asking for ya! But I'd like to know more as well!

  • Hi Matt, I would be interested in learning more about your extensive review.

  • I have seen this question discussed multiple times in many outlets out there. Name, address and phone numbers are not always considered confidential or private if they are already in the public domain. Third Party Management offices struggle with ...

  • This is an area we are also working on laying out. We are attempting to define minimum insurance requirements by engagement type, with the knowledge each engagement will need to be reviewed on its own and minimums adjusted up if required. Matt, I would ...

  • Posted in: Risk Assessments

    We also request these items via a Vendor Risk program doing a Due Diligence and Annual Audit based on a vendor risk score or if applicable during contract negotiations if it is a vendor we need to ensure is protecting data or networks appropriately. ...

  • Posted in: Risk Assessments

    The ISO 27001 cert is good for a 3-year period though applicability should be reviewed annually. It is part of our checklist. "Is it still valid? Do we think the supplier can meet the requirements?" Reputable auditor - KPMG, Deloitte, Coalfire, etc. ...


  • Vendor's Access to NPI

    Posted in: Risk Assessments

    This message was posted by a user wishing to remain anonymous. I am wondering how others are categorizing vendors with access to NPI. Do you count special, case-by-case access (i.e. Repo Agents or special collection vendor) or full on, uninhibited access ...

  • Posted in: Risk Assessments

    Does anyone have a questionnaire that you would be willing to share with me? I am new at this Vendor stuff and it needs a lot of TLC. I would greatly appreciate it. Please and thanks, Marlene