Also something to consider is any regulatory implications of these referrals. Not sure what your business line is, but in the mortgage world, that could be a TILA/RESPA violation.
Sent: 3/15/2023 10:32:00 AM
From: Jen Wheeler
Subject: RE: Referral relationships
Will you have a contract with that 3rd party site as a referral partner? If yes, then I would treat them as you do any other critical vendor. Although they would not be considered a critical vendor for you, they would be for the customers you are referring to them and I would think you would be more comfortable having checked them out on a high level. If you will not have a contract with them, it may be a little hard to get what you need to do a proper assessment on them.
Sent: 03-15-2023 09:47 AM
From: Sean Kiley
Subject: Referral relationships
My financial institution is considering entering into a relationship where we would refer our customers to a student loan organization website (linked from our corporate website) and the customer would enter their own confidential information into that 3rd party site and engage in a lending relationship with the student loan organization. Our financial institution would not be sharing any information directly.
For third parties where we share a customer's confidential information, we typically look at assessing the vendor's information security (SOC audit, policies, questionnaire), their financial condition, as well as their compliance with things such as UDAAP and ID Theft red flags. However, in this case, we are referring the customer to an outside organization where they (the customer) enter into an agreement with that organization. My question is what type of due diligence should we require from the student loan organization in this type of relationship?