Topic: Third Party Risk
-
In a third party vendor contract, we want to require the vendor to notify us of data breaches within 24 hours. However, the vendor told us that there is no regulation or regulatory guidance that requires a 24-hour turnaround time for reporting incidents. Do you know of any regulatory guidance that imposes a specific time frame for a vendor to report data breach incidents to us? If so, what verbiage is required?
—
No, we are not aware of any guidance that imposes a specific time frame for a vendor to report a data breach to your financial institution. The Interagency Guidance regarding unauthorized access to customer information requires third party service providers to notify a financial institution “as soon as possible” after a data breach. However, the…
-
We are hiring a third party vendor to print mailing labels for a bank event flyer. Can we provide the list of names and addresses to the vendor for producing the labels without violating our customers’ privacy? Our privacy policy states that we share customer information “for our marketing purposes — to offer our products and services to you.”
—
Yes, you may share a list of customer names and addresses with your printer, provided that you enter into a written contract with the printer preventing it from misusing or losing your customers’ information. Regulation P permits a bank to share nonpublic personal information with a third party if the sharing is reflected in its…
-
We are purchasing a portfolio of indirect auto loans from another bank, which permitted discretionary dealer markups for the loans’ interest rates. What due diligence do you recommend from a fair lending perspective? Could we be held liable for fair lending issues from the purchased loans? Should we perform statistical analysis on the loans before purchasing?
—
We believe it would be prudent to perform a statistical analysis as part of your institution’s decision to purchase the auto loan portfolio to help assess the potential legal and reputational risks involved. Purchased auto loans could pose fair lending risks to your institution, even though your institution did not originate the loans. The Equal…
-
We are entering into a marketing agreement with a social media website, which will target advertising to our customers (based on a customer list that we will provide). The agreement requires the company to comply with all federal privacy laws. Is that sufficient for Illinois privacy law purposes? Any other possible concerns?
—
Yes, that should be sufficient for Illinois privacy law purposes, provided that your agreement with the social media company complies with the federal law’s requirements in Regulation P. As explained in an Illinois Department of Financial and Professional Regulation (IDFPR) letter, the financial privacy requirements in the Illinois Banking Act incorporate all of the exceptions…
-
Do we need to provide a “click through” disclaimer for links on our website that leave our website and lead to our online mortgage application platform, which is run by a third-party service provider?
—
No, we do not recommend using a click-through disclaimer when linking to a third-party service provider’s website that is providing a service on behalf of the bank. The interagency guidance on web linking recommends using a disclaimer when linking to third-party websites that are “not under direct control of the financial institution.” However, the…
-
We are considering an arrangement in which a local business would solicit business in some of our branches, and in return, bank employees will hand out marketing materials promoting our institution at the business. What federal and state regulations should we consider?
—
We are not aware of any federal or state laws or rules that would directly apply in this case. However, your arrangement should be structured to comply with Illinois and federal financial privacy laws, and we recommend that your employees be properly trained and aware of the privacy rules with respect to the arrangement. Particularly…
-
We outsource our credit card program. Although the cards have our bank logo on them and we provide the credit card applications, the applications are submitted directly to the vendor, and we have no access to account information. If a blocked person opens a credit card, are we liable for the OFAC violation? Are we liable for transactions that are processed through the credit cards?
—
We do not believe that you would be held responsible for OFAC violations related to the credit card accounts issued by or transactions conducted through your third party credit card vendor, but it would be advisable to confirm this practice with your primary regulator. Of course, the scope of transactions covered by OFAC regulations is…