This sounds very similar to our "partner" program. Prior to the creation of our TPRM team, there was no governance around these relationships. But now, we perform the actions Hilary called out: we have a direct contract with the partner, we perform risk assessments, due diligence, periodic reassessment and risk monitoring. In some instances, the partner is integrated directly with us and we are passing client PII data to this partner. At other times, the client provides the information directly to the partner. We have contract language that addresses each of these scenarios.