Due Diligence and Ongoing Monitoring

 View Only

  • 1.  Armored Transportation and Cash Vault

    This message was posted by a user wishing to remain anonymous
    Posted 02-14-2023 05:25 PM
    This message was posted by a user wishing to remain anonymous

    Hello all,

    How do you handle the due diligence for an Armored Transportation and Cash Vault vendor? Example: Brinks.

    They do handle checks and cash. They also make pick-ups at our customers businesses. 

    Any suggestion will be greatly appreciated.



  • 2.  RE: Armored Transportation and Cash Vault

    Posted 02-14-2023 05:44 PM

    I'd be interested in this information too. We are due to review Brinks this year and am looking for guidance on this one.

     

    Thanks

     

    Cheryl Turner, CRVPM II

    Vendor Manager






  • 3.  RE: Armored Transportation and Cash Vault

    Posted 02-14-2023 06:23 PM

    If there is reliance on vendor service and they have access to confidential/sensitive data, or are interacting with your customers then you should definitely be performing due diligence on such vendors to gain assurance that data is protected and that in the event there is a disruption on the vendors side, they are set up with backup etc. to support interruption in service.  In due diligence you would still want to evaluate their BCDR program, InfoSec policy, ensure they have adequate insurance coverage, are financially sound to support such services.  They will have physical access to your facility, so you want to ensure vendor is conducting background checks on their employees etc. If there is customer impact/interaction, then assessing their complaint policies etc. also become important.  Then there is their operational and physical security policies that would provide assurance on what controls are in place for transportation/transit.

    Performance monitoring should also be in place to ensure established SLA's are achieved and issues are tracked and monitored. 




  • 4.  RE: Armored Transportation and Cash Vault

    This message was posted by a user wishing to remain anonymous
    Posted 06-13-2023 02:43 PM
    This message was posted by a user wishing to remain anonymous

    Hello all,

    We are about to start a service with Brinks to pick up deposits from our customers. My question is:

    Does having a deposit slip with the customers cash (with customer Name, account # and address) constitute a NPI.  I personally don't think this is an NPI, but we are having an internal debate.  If having a deposit slip constitutes NPI, then we automatically put this vendor in High-risk category, and our due diligence requirement increases.

    All inputs will be helpful. 


    Original Message


  • 5.  RE: Armored Transportation and Cash Vault

    This message was posted by a user wishing to remain anonymous
    Posted 06-14-2023 07:31 AM
    This message was posted by a user wishing to remain anonymous

    Technically it is NPI.  However, we consider materiality when risk-rating and classifying vendors ... those with significant amounts of NPI vs those with minimal amounts of NPI (e.g., access to our data warehouse vs. maybe an armored car service that picks up 5- 10 customer deposits, or an outside attorney working on a single customer litigation, or an appraiser looking at an individual borrower's property, etc.)   I don't remember exactly, but our Compliance department opined that for operational purposes any vendor or unintended exposure of NPI of, say, less than 250 (or 500?) records would not constitute a significant exposure.  Note that every state may have different or more prescriptive reporting requirements for number of records exposed for regulatory purposes, but for business purposes that is our risk tolerance.


    Original Message


  • 6.  RE: Armored Transportation and Cash Vault

    Posted 06-14-2023 09:31 AM

    Account number and customer name in combination are a common trigger for NPI level scrutiny. It at least opens the door for social engineering/account take over. That address is included adds additional information for the social engineer.

    Does the Deposit slip also contain either the bank name and or routing number?  If so, this also opens a door for ACH fraud -  full routing/account# plus customer name.

    I would place this vendor/service in a tier for Access to NPI. 



    ------------------------------
    Greg Schmeisser
    Dir. Corp. Contracts & Procurement
    First Merchants bank
    ------------------------------

    Original Message


  • 7.  RE: Armored Transportation and Cash Vault

    Posted 06-14-2023 02:20 PM

    Yes. We consider this NPI. We classify our vendors in to 3 groups. Critical, Significant and Non-Essential, then assign a risk level. Brinks is considered Significant, as they do have NPI, however, they are a low risk, as they only service 4 of our branches and there are other carriers available.

     




    Original Message


  • 8.  RE: Armored Transportation and Cash Vault

    Posted 06-15-2023 06:47 PM

    I would echo this as well, as we also use the same criticality level of Critical, Significant and Non-Essential. I wonder if we utilize the same GRC tool, Quantivate, for this purpose. 

    If so, I would love to connect and share best case practices and pain points as my organization is looking to mature our program. Thank you.


    Original Message


  • 9.  RE: Armored Transportation and Cash Vault

    Posted 06-16-2023 09:01 AM

    Hi Neil,

     

    Yes, we use Quantivate. Please email me so we can connect. I'm always looking for people to network with.

     

    [This email address has been removed by the Community Manager for privacy reasons. Please message the member directly within the community or review their contact information by clicking on the member's name, which will redirect to their community member profile.]

     

    Thanks

     




    Original Message