Policy, Program and Procedures

 View Only

  • 1.  4th party or Nth party?

    Posted 09-30-2024 01:03 PM

    I am not sure where to post this question so appreciate additional guidance and/or redirection if needed. 

    I work within a financial institution and we have come across instances where an external entity (mortgage investor and SBA respectively) have sent us box.com links to upload files that contain NPI.  The SBA or mortgage investor in turn get the files from there.  In our program, mortgage investors and the SBA are not a traditional vendor and are carved out for most vendor oversight/monitoring functions. Box.com is not our vendor and we do not have an agreement with them so we have no information on them or their security measures and yet we are uploading NPI to them via the direction of these external parties.  Would this be an Nth party, a 4th party or something else to us?  Is there some level of inquiry with the SBA or the mortgage investor regarding their vendor monitoring expected in this scenario?  Curious if anyone else encountered this and how you handle it within your program.

    Thank you in advance for your time and insight on this line of inquiry.

    Kind regards, Karmin Thompson



  • 2.  RE: 4th party or Nth party?

    Posted 09-30-2024 03:25 PM

    Hi Karmin

    My understanding is that you are selling these loans to mortgage investors, is that correct?  Is your organization/institution still servicing these loans?  If you are servicing the loans, i can see why this would be a risk to monitor but if you have sold these loans and its off the books, why would you want to monitor the risk? 




  • 3.  RE: 4th party or Nth party?

    Posted 10-01-2024 06:08 AM

    Hi,

    If your vendors are using BOX, they should have a contractual relationship with BOX.  Therefore, BOX would be a 3rd party from your vendors' perspectives, and they are responsible for ensuring that BOX has the requisite security and privacy controls.  If your vendors are obligated to provide you their SOC 2 reports, these reports should include narratives as to their vendor oversight programs; if the SOC 2 reports do not identify BOX as their 3rd party vendor, I suggest that a follow-up is necessary to ensure that BOX is included. 

     

    The BOX web site includes a "Trust Center" that has information on how BOX achieves compliance and security.  This section of the web also has BOX's SOC3 report, which is public. 


    Sensitivity: Company-Internal

    ====================
    This email/fax message is for the sole use of the intended
    recipient(s) and may contain confidential and privileged information.
    Any unauthorized review, use, disclosure or distribution of this
    email/fax is prohibited. If you are not the intended recipient, please
    destroy all paper and electronic copies of the original message.





  • 4.  RE: 4th party or Nth party?

    Posted 10-01-2024 06:32 AM

    Agree with Howard. J

     




    Original Message