You are facing an interesting situation. However, without knowing the details of the contract, there is a potential detail that raises a red flag. If your organization owns the customer touchpoints, you must access, process, transmit, or store customer PII (Personally Identifiable Information), which the third party needs to provide customer self-service.
The question is, who is providing the customer PII data to the third party? If it is your organization, you must consider them as your third party and perform appropriate TPRM (Third-Party Risk Management) activities, including risk assessment, due diligence, periodic reassessment, and risk monitoring. You should also have a direct contract with the third party that legally obligates them to meet essential requirements such as cybersecurity protections and regulatory compliance, regardless of the third party's relationship with the bank. If customer PII provided by your organization is integral to the service the third party provides, your organization is on the hook from a legal and regulatory standpoint.
If the customer PII is delivered directly through the bank and your organization is not involved in that process, you might have less to worry about. However, it is still strongly recommended that you carefully review all legal agreements with your legal counsel to understand your rights and obligations. I hope that helps, but I would love to hear other members' thoughts.