You are asking the right question. When handling non-public information, always remember that it is high risk. As such, this is more of a disclosure issue about what information you might know about any websites the customer will apply to, or through, for down payment assistance, whether directly with a federal, state, or local program or through your institution. Now, the controls needed to address the inherent risk need to be focused on:
- Security of the portal used to transmit or share the information. That would include obtaining information about that portal as part of the due diligence process for that entity (federal, state, or local).
- Security of the FI's own internal systems. That would include a complete information security program, including data security items such as firewalls, encryption, patch management, etc.
- Privacy policy and procedures that are in place and effective. That would include accurate disclosures and only sharing information as agreed upon and as permitted by Regulation P (12 CFR 1016).
- Consent from the borrower to share the information.
Please make sure you have a clear disclosure for the customer or consumer addressing these risks.