Due Diligence and Ongoing Monitoring

 View Only
  • 1.  Identity Theft and Red Flags

    This message was posted by a user wishing to remain anonymous
    Posted 08-23-2022 07:31 PM
    This message was posted by a user wishing to remain anonymous

    Hello,

    I want to know how everybody handles Identity Theft and Red flag due diligence. Do you ask all your vendors who have access to NPPI, or only vendors who are considered Financial Institution or creditor. (BTW, we are a Bank)

    For example Ellie Mae informed us that they are not required to have a written identity theft program.

    How about Payroll processing vendor?
    Employee Benefits? Couriers? document shredding?

    Thank you in advance for all the assistance.


  • 2.  RE: Identity Theft and Red Flags

    Posted 08-23-2022 07:39 PM
    If they can change the customers Address; they need a program. 
    But if they share the program elements with you, that's a new risk (they shouldn't) As exposing what their controls are, opens the possibility that bad guys will find a way around them. 

    However, they can provide an attestation they have a program and it's audited at least annually.
    And you can make certain you have a contract clause that describes both that they have a program; and what steps will be taken in the event a security breach exposes your clients, customers, consumers to potential Identity Theft. 


    ------------------------------
    Bradley Martin
    bradleymartin.net
    ------------------------------