Due Diligence and Ongoing Monitoring

This message was posted by a user wishing to remain anonymous

Hello,

Just wanted to get the communities opinion on an NPPI issue:

If a law firm has access to our clients - note, deed, deed of trust, assignment or transfer of lien and release of liens, does that mean they have access to NPPI? I personally think information contain within these documents does not constitute NPPI, but I am not sure.

Also, if it is NPPI, then what level of due diligence do we have to do on a law firm?

Thanks

NPI or NPPI is defined under GLBA. NPI is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available."

The Nonpublic part of the data is that the individual is a client to the Bank. 
when I have this discussion, I typically recommend looking at the FTC definition of NPI; as I think it's well written and helps get over the challenge of what is nonpublic verses what is (PII) Personally Identifiable Information. They are two different things with the implication that need to be handled the same. 

https://www.ftc.gov/business-guidance/resources/how-comply-privacy-consumer-financial-information-rule-gramm-leach-bliley-act

------------------------------
Bradley Martin

------------------------------

This message was posted by a user wishing to remain anonymous

Thank you, Bradley.

The reason I ask this question is that in our TPRM program, if a vendor has access to NPI or NPPI, that vendor is automatically considered at least a moderate risk. 
So, I want to be very careful how we answer this question, since most law firms will not be able to provide many of the documents that we require.

Any input will be greatly appreciated.

You could carve out law firms in policy. They have a different handling and due diligence process.
That's what I do. 
I have them listed under an exemption clause in Policy as "Exempt Professional Services and Agreements."
Procedurally, I have a short form and attestation process that is signed off on by the Legal department. 

I also bucket, in the same exemption clause... 
Interbank Agreements where both entities are governed by a common regulatory body.
Loan Sales to regulated institutions or Government Agencies
Governmental entity or agency, GSEs (i.e. FNMA, Freddie Mac, FHLB, FRB, FDIC, US Postal Service)
Law Firm Retainer Agreements/Engagement Letters
Loan Broker and Escrow services
Broker Services for Bank Treasury

Hope that helps.

------------------------------
Bradley Martin
------------------------------

Original Message:
Sent: 11-04-2022 11:35 AM
From: Anonymous Member
Subject: NPPI

This message was posted by a user wishing to remain anonymous

Thank you, Bradley.

The reason I ask this question is that in our TPRM program, if a vendor has access to NPI or NPPI, that vendor is automatically considered at least a moderate risk. 
So, I want to be very careful how we answer this question, since most law firms will not be able to provide many of the documents that we require.

Any input will be greatly appreciated.

Original Message:
Sent: 11/4/2022 2:41:00 PM
From: Bradley Martin
Subject: RE: NPPI

You could carve out law firms in policy. They have a different handling and due diligence process.
That's what I do. 
I have them listed under an exemption clause in Policy as "Exempt Professional Services and Agreements."
Procedurally, I have a short form and attestation process that is signed off on by the Legal department. 

I also bucket, in the same exemption clause... 
Interbank Agreements where both entities are governed by a common regulatory body.
Loan Sales to regulated institutions or Government Agencies
Governmental entity or agency, GSEs (i.e. FNMA, Freddie Mac, FHLB, FRB, FDIC, US Postal Service)
Law Firm Retainer Agreements/Engagement Letters
Loan Broker and Escrow services
Broker Services for Bank Treasury

Hope that helps.

------------------------------
Bradley Martin
------------------------------

This message was posted by a user wishing to remain anonymous

Hi Bradly,

I am interested in seeing how you have the attestation written. Is this something you can share?

Thank you!

Original Message:
Sent: 11-04-2022 02:40 PM
From: Bradley Martin
Subject: NPPI

You could carve out law firms in policy. They have a different handling and due diligence process.
That's what I do. 
I have them listed under an exemption clause in Policy as "Exempt Professional Services and Agreements."
Procedurally, I have a short form and attestation process that is signed off on by the Legal department. 

I also bucket, in the same exemption clause... 
Interbank Agreements where both entities are governed by a common regulatory body.
Loan Sales to regulated institutions or Government Agencies
Governmental entity or agency, GSEs (i.e. FNMA, Freddie Mac, FHLB, FRB, FDIC, US Postal Service)
Law Firm Retainer Agreements/Engagement Letters
Loan Broker and Escrow services
Broker Services for Bank Treasury

Hope that helps.

------------------------------
Bradley Martin
------------------------------


Original Message:
Sent: 11-04-2022 11:35 AM
From: Anonymous Member
Subject: NPPI

This message was posted by a user wishing to remain anonymous

Thank you, Bradley.

The reason I ask this question is that in our TPRM program, if a vendor has access to NPI or NPPI, that vendor is automatically considered at least a moderate risk. 
So, I want to be very careful how we answer this question, since most law firms will not be able to provide many of the documents that we require.

Any input will be greatly appreciated.