Due Diligence and Ongoing Monitoring

  • 1.  NPPI, PII

    This message was posted by a user wishing to remain anonymous
    Posted 10-21-2022 11:08 AM

    Hello everybody,

    I am fairly new to TPRM, so forgive me for asking this question.
    What does it mean when they ask whether the vendor does any of the following:

    Process, Store, Manage, View/Add/Modify, Transport, Dispose of, or Transmit NPPI?

    I understand that many of our vendors have access to, or we share with them, our clients' NPPI.
    What I am confused about is, for example, whether a vendor that is a Web-Based Cloud File Transfer System provider falls under any of the above categories. Our TPRM program lists our accounting software, LexisNexis, even Refinitiv (Thomson Reuters) and our ALLL software provider as having access to NPPI.

    Any guidance will be greatly appreciated.


  • 2.  RE: NPPI, PII

    Posted 10-21-2022 12:38 PM
    Hello,

    I am also fairly new, however for our program we restrict our definition of NPI to only consumer or client information.
    The information should also, as the name implies, be nonpublic, but a list of consumers for your organization could qualify as NPI, so I would be a bit cautious.

    As far as labeling every software product as having access to NPI, I would caution against that approach, due to the specific reporting requirements that apply when sensitive client or consumer information is accessed without authorization.

    A File Transfer System for client or consumer information I would classify as NPI, but an employee record I would not classify as holding NPI.

    I hope that helps.


  • 3.  RE: NPPI, PII

    This message was posted by a user wishing to remain anonymous
    Posted 10-21-2022 12:39 PM

    Good Morning.

    All businesses have a multitude of vendors that they typically do business with. Some of these vendors would typically fall into the Third-Party Service Provider designation. Depending on what line of business you are in, there may be an emphasis on how the TPSP is defined. In the financial sector, for example, a TPSP is basically anyone that is outsourced to perform a function in the consumer transaction (high level/broadly speaking). These are typically your higher-risk vendors, as the extension of your company is always on you, and these vendors would be seen no differently than direct employees of your organization. You cannot outsource the risk for outsourced arrangements. This would include the full scope of services that they are providing, such as Web-Based Cloud File Transfer Systems. Your Due Diligence and Risk Assessment should cover all of these elements, and the documentation should be thorough enough to demonstrate to your Federal Auditors that the vendor is in compliance with Federal Regulatory Governance. It would be concerning if your company does not have strong Policies & Procedures to manage this, as well as train staff on the importance of Third-Party Risk Management.