This message was posted by a user wishing to remain anonymous
Hello! I work for a community bank and we onboard quite a few valuation vendors for commercial loans (these are not AMCs). These vendors will assess the value of the business and its assets, but have no access to PII, only commercial data. The issue I'm coming across is that they end up being moderate risk because of a question within the IRA - they provide information to the Bank that we use to make credit decisions, but they are extremely small companies that have no SIG or SOC reports or any policies and procedures they can really provide to suffice the due diligence that is required of a moderate risk vendor. I'm just wondering if any others have come across this issue and how it's been handled at your company, or if anyone has any advice to offer. I don't really want to get in the business of having different IRAs for different scenarios, but was considering creating an alternate work flow for these vendors or maybe just having the line of business risk accept them. Any advice or best practices you could share would be extremely appreciated!