Due Diligence and Ongoing Monitoring

  • 1.  Investment Banking/Securities Broker/Dealer

    This message was posted by a user wishing to remain anonymous
    Posted 12-21-2023 01:17 PM

    We have a department wanting to onboard an investment firm/financial advisor. This is the response I received from them regarding my statement that they have access to NPPI/PII even if we aren't sharing it with them.

    In their interactions with us, there is no NPI, and there is no consumer data exchanged.  They act only as an investment firm and financial advisor to the actual bank and holding company. 

    My question is, what would you request in due diligence documentation?  They are wanting them rated as Low risk since our bank won't be sharing NPPI.  



  • 2.  RE: Investment Banking/Securities Broker/Dealer

    Posted 01-04-2024 04:25 PM

    Hello,

    This relationship may be low risk without NPI, but they should still go through your Inherent Risk Assessment to validate that objectively. In terms of due diligence, I recommend you review the SEC rule linked here, specifically page 130: https://www.sec.gov/files/rules/proposed/2022/ia-6176.pdf

    What you should be reviewing are controls for:

    • sub-contracting (fourth-party oversight / TPRM)
    • "record-keeping" (i.e., data privacy)
    • "competence, capacity, and resources necessary to perform the covered function in a timely and effective manner" (i.e., operational resilience and availability)
    • intent to comply with Federal securities laws (e.g., staff licensing and security registrations)

    I hope this helps. What are other members' thoughts on this topic?