Due Diligence and Ongoing Monitoring

  • 1.  NPPI

    This message was posted by a user wishing to remain anonymous
    Posted 11-01-2022 01:32 PM

    Hello,

    Just wanted to get the community's opinion on an NPPI issue:

    If a law firm has access to our clients' note, deed, deed of trust, assignment or transfer of lien and release of liens, does that mean they have access to NPPI? I personally think information contained within these documents does not constitute NPPI, but I am not sure.

    Also, if it is NPPI, then what level of due diligence do we have to do on a law firm?

    Thanks


  • 2.  RE: NPPI

    Posted 11-04-2022 08:15 AM
    NPI or NPPI is defined under GLBA. NPI is any "personally identifiable financial information" that a financial institution collects about an individual in connection with providing a financial product or service, unless that information is otherwise "publicly available."

    The Nonpublic part of the data is that the individual is a client to the Bank.
    When I have this discussion, I typically recommend looking at the FTC definition of NPI, as I think it's well written and helps get over the challenge of what is nonpublic versus what is Personally Identifiable Information (PII). They are two different things, with the implication that they need to be handled the same.

    https://www.ftc.gov/business-guidance/resources/how-comply-privacy-consumer-financial-information-rule-gramm-leach-bliley-act

    ------------------------------
    Bradley Martin

    ------------------------------



  • 3.  RE: NPPI

    This message was posted by a user wishing to remain anonymous
    Posted 11-04-2022 11:43 AM

    Thank you, Bradley.

    The reason I ask this question is that in our TPRM program, if a vendor has access to NPI or NPPI, that vendor is automatically considered at least a moderate risk. 
    So, I want to be very careful how we answer this question, since most law firms will not be able to provide many of the documents that we require.

    Any input will be greatly appreciated.



  • 4.  RE: NPPI

    Posted 11-04-2022 02:46 PM
    You could carve out law firms in policy. They have a different handling and due diligence process.
    That's what I do. 
    I have them listed under an exemption clause in Policy as "Exempt Professional Services and Agreements."
    Procedurally, I have a short form and attestation process that is signed off on by the Legal department. 

    I also bucket, in the same exemption clause... 
    Interbank Agreements where both entities are governed by a common regulatory body.
    Loan Sales to regulated institutions or Government Agencies
    Governmental entity or agency, GSEs (i.e. FNMA, Freddie Mac, FHLB, FRB, FDIC, US Postal Service)
    Law Firm Retainer Agreements/Engagement Letters
    Loan Broker and Escrow services
    Broker Services for Bank Treasury

    Hope that helps.

    ------------------------------
    Bradley Martin
    ------------------------------



  • 5.  RE: NPPI

    Posted 11-04-2022 04:25 PM

    Bradley Martin:

    Could you share the short form related to the exempt professionals?


  • 6.  RE: NPPI

    This message was posted by a user wishing to remain anonymous
    Posted 11-07-2022 08:31 AM

    Hi Bradley,

    I am interested in seeing how you have the attestation written. Is this something you can share?

    Thank you!