Due Diligence and Ongoing Monitoring

My financial institution is considering entering into a relationship where we would refer our customers to a student loan organization website (linked from our corporate website) and the customer would enter their own confidential information into that 3rd party site and engage in a lending relationship with the student loan organization.  Our financial institution would not be sharing any information directly.   

For third parties where we share a customer's confidential information, we typically look at assessing the vendor's information security (SOC audit, policies, questionnaire), their financial condition as well as their compliance to things such as UDAAP and ID Theft red flags.  However, in this case, we are referring the customer to an outside organization where they (the customer) enters into an agreement with that organization.  My question is what type of due diligence should we require from the student loan organization in this type of relationship?

Will you have a contract with that 3rd party site as a referral partner?   If yes, then I would treat them as you do any other critical vendor.  Although they would not be considered a critical vendor for you, they would be for the customers you are referring to them and I would think you would be more comfortable having checked them out on a high level.  If you will not have a contract with them, it may be a little hard to get what you need to do a proper assessment on them.  

My financial institution is considering entering into a relationship where we would refer our customers to a student loan organization website (linked from our corporate website) and the customer would enter their own confidential information into that 3rd party site and engage in a lending relationship with the student loan organization.  Our financial institution would not be sharing any information directly.   

For third parties where we share a customer's confidential information, we typically look at assessing the vendor's information security (SOC audit, policies, questionnaire), their financial condition as well as their compliance to things such as UDAAP and ID Theft red flags.  However, in this case, we are referring the customer to an outside organization where they (the customer) enters into an agreement with that organization.  My question is what type of due diligence should we require from the student loan organization in this type of relationship?

My financial institution is considering entering into a relationship where we would refer our customers to a student loan organization website (linked from our corporate website) and the customer would enter their own confidential information into that 3rd party site and engage in a lending relationship with the student loan organization.  Our financial institution would not be sharing any information directly.   

For third parties where we share a customer's confidential information, we typically look at assessing the vendor's information security (SOC audit, policies, questionnaire), their financial condition as well as their compliance to things such as UDAAP and ID Theft red flags.  However, in this case, we are referring the customer to an outside organization where they (the customer) enters into an agreement with that organization.  My question is what type of due diligence should we require from the student loan organization in this type of relationship?