Due Diligence and Ongoing Monitoring

  • 1.  Attorney Due Diligence

    Posted 11-15-2022 12:52 PM

    As part of a recent discussion, post exam, it was recommended that we classify our Attorneys as significant. Our Attorney inventory has been classified as Non-Essential and I am curious what others are doing with attorneys in regards to requesting Due Diligence documentation and the overall classifications for TPRM, outside of the items recommended for DD/RA.

  • 2.  RE: Attorney Due Diligence

    Posted 11-15-2022 01:11 PM
    Hi Jeremy,
    I don't have the answer for you, sorry.  But the topic is interesting. I never heard about that.  Do you mind sharing the rationale behind that: an attorney being rated a Significant vendor?
    I am wondering about other people's comments. :)
    Thank you!

  • 3.  RE: Attorney Due Diligence

    Posted 11-16-2022 09:18 AM
    Hi Jeremy,
    Our CU has an Other category for Attorneys, Auditors, Maintenance, Indirect Dealerships, etc. We tickle for Business/Attorney Licenses/Certificates and COIs, and also run a BBB check annually. We haven't had an examiner recommend any changes to our classification of these types of vendors.

    I would also like to know if the examiner provided any insight as to why a classification of Significant was recommended.  

  • 4.  RE: Attorney Due Diligence

    This message was posted by a user wishing to remain anonymous
    Posted 11-16-2022 02:56 PM

    We have the same classification for attorneys, CPAs, etc. Our justification is that these are professionals that are regulated and have their own privacy requirements. In addition, they only have access to customer NPI for the specific deals they are assigned, not access to our whole database or significant amounts of NPI.

  • 5.  RE: Attorney Due Diligence

    Posted 11-16-2022 02:56 PM
    Our General Counsel team screens all law firms, which includes a specialized (very short) data security questionnaire.  The process requires completion and re-attestation at least every 3 years.  The questionnaire is reviewed by our InfoSec team, just like the SOC reviews etc., for gap identification and remediation.

    TPRM has oversight (scheduling, review coordination, etc.) of the law firm data security review process, but otherwise the law firms are exempt. 

    We have a few similar exempt carve-outs for Line 1 managed qualification processes (panel real-estate appraisers, etc.).