I think this situation is a prime example of where a lot of financial institutions were hoping that we'd get some more specifics in the interagency guidance on how to define a third party. Unfortunately, they continue to keep it loosely defined as a "business arrangement."
I also work for a bank, but I'm not aware of any assessments that we do on title companies. We have some companies that do title work, but; however, they provide other services for us and we're the ones sending them the data. We also have contracts with them, so I don't feel like it's an apples to apples comparison. Are you sending data directly to the title company that your customer chooses or does it all come through your customer? Either way, I think you're right to consider it in your program. If the title company has a major breach, the information of every single one of your customers that used them could be at risk, and it's inevitable that it'll fall back on the bank.
Are any of these companies receiving a significant volume of customers? If not, and they are each only getting a few customers a year, then maybe the risk isn't high enough to justify the need for a review. That would depend on your risk appetite and how you look at the risks.
Hopefully, some others have more direct experience with this specific situation and can provide you with some better advice. I'm curious to hear what you're able to get figured out. I feel like this is one of the 90/10 situations where 10% of your population seems to take up 90% of your time, or at least is the cause of 90% of your frustrations.
------------------------------
------------------------------