To keep it simple, I recommend utilizing your standard inherent risk assessment to determine which risks are present and to inform the level of due diligence and monitoring required for this relationship. The beauty of using your inherent risk assessment is that it will help you objectively identify the risks and have the necessary record to support your decisions. Since they will be interacting with your customers on some level, at least some risk needs to be addressed.
I hope that is helpful, but welcome thoughts and suggestions from other members as well.
Original Message:
Sent: 09-08-2023 07:57 AM
From: MaKayla Watson
Subject: How are remarketers rated at other banks?
How are other banks rating vendors that they use to either a) pick up our repossessed or off-lease asset, b) sell our repossessed or off-lease asset, or c) store our asset after repossession or off lease? They may at times communicate with the customer directly for pickup, but they do not have any access to the customer's personal information. Once the asset is picked up, all communication is through the bank regarding the sale of the equipment. If more information is needed from the customer or we need to notify them of anything, the bank and/or Orion handles that communication. The bare minimum of information they will have is public information, which includes a VIN or SN#, address, and phone number. These vendors do not have anything to do with storing customer nonpublic information, nor do we do anything with them that would entail having to complete a security assessment.