Latest Discussions

  • I wanted to reach out to get your perspective on how others are addressing third-party service provider referral processes and whether you have a similar framework in place. We are working through an issue involving a department within a financial ...

  • How are your teams managing vendors with AI capabilities? I work at a financial institution regulated by the OCC, for context. We have a GenAI review group and a somewhat half-baked process for approving AI capabilities. It works reasonably well for ...

    1 person likes this.
  • RE: Law Firms

    We assess law firms annually based on risk using the volume of records and the annual spend from the previous year.

  • RE: Law Firms

    Yes, Law Firms should be assessed. We have several Default Law firms, and our investors, FNMA and FHLMC, have clear directions in their servicing guide on firm management that we have used as a guideline.
    ------------------------------
    Rachel Kenyon ...

  • There was another post on this back in 2021 with no feedback, so I'm hoping this can get some traction. We have a CDC that we use for SBA loan packaging. Over the past few years, it's been a struggle to get their due diligence and what we do get shows ...

  • Hello - I'm wondering if anyone has rules around required documents being tardy and having to keep asking for them? Do you wait 1 week, 2 weeks, any penalties? How do you escalate?

  • It's a risk-based decision for us. The easiest and most common categories that are out of scope are memberships, dues, sponsorships, conferences, professional associations. Our exempt providers are on a case-by-case basis, whereas the out-of-scope categories ...

  • TPRM Process SLA

    This message was posted by a user wishing to remain anonymous. Our company is composed of multiple divisions and organizations that utilize the same vendors. TPRM usually takes time, and since we handle multiple engagement assessments, there are several ...

  • Marketing Firms

    This message was posted by a user wishing to remain anonymous. What insurance are you all asking of your marketing firms that are posting on social media for your FI?

  • RE: Title Companies & Appraisers in TPRM Programs

    This message was posted by a user wishing to remain anonymous. We are currently FDIC regulated but going through the process to become OCC Chartered.

  • RE: Title Companies & Appraisers in TPRM Programs

    This message was posted by a user wishing to remain anonymous. May I please ask who your regulator is?

  • RE: Title Companies & Appraisers in TPRM Programs

    This message was posted by a user wishing to remain anonymous. Both Title companies and Appraisers are excluded from Third Party Risk inventory. This is how we document our reasoning in policy. • Title Companies. The customer and the seller (if ...

    3 people like this.
  • RE: Title Companies & Appraisers in TPRM Programs

    This message was posted by a user wishing to remain anonymous. Title Company & Appraisers are included in our VM program. 1) We do complete an initial due diligence review and onboarding and they are also part of our ongoing due diligence review. ...

    1 person likes this.
  • Title Companies & Appraisers in TPRM Programs

    This message was posted by a user wishing to remain anonymous. Hi everyone 😊 We're evaluating whether Title Companies and Appraisers should be included in our vendor management program, and I'd appreciate hearing how other banks are ...

  • Good morning, I am seeking information from other financial institutions regarding the provision of performance feedback to title companies involved in loan origination. Our internal efforts include a Lean Six Sigma Green Belt in Title Defect ...

  • This message was posted by a user wishing to remain anonymous. We're currently working to refine our Exempt / Out-of-Scope vendor definition and governance framework and want to ensure clarity and consistency. I'm specifically looking for credit ...

  • Posted in: Exams or Audits

    @Alesha Briley - wonderful use of the 3LOD and its breakdown. Agree with conclusion (practical approaches). While 3LOD is "replaced" with continuous risk management, it was the universal awareness of everyone's role related to risk, accuracy, completeness, ...

  • Posted in: Exams or Audits

    Hi Dora! I have worked at two small banks and one mid-to-large non-depository mortgage lender in compliance and fair lending, so I am using those institution experiences for my answer. 3 Lines Structure At each institution: Second ...

    2 people like this.
  • That usually comes to a Third Party Risk Assessment in place. Regularly imposing a TPRA on your third parties should help here.

  • Hi, This should be addressed using a risk-based approach. The initial request for a SOC 2 report is typically driven by the inherent risk posed by the vendor, based on scoping factors such as data access, system access, regulatory impact, and the criticality ...

    2 people like this.