Situation: We have had a relationship with flood determination vendor for years and have never entered into a contractual relationship with them. Here is my writeup that I need some help with...
Scope:
FEMA Flood Insurance Guidelines allow lenders to obtain assistance in completing the SFHD. The guidelines also state that a contract may be instituted between the two parties to establish responsibility. The review consisted of determining if such a relationship and/or contract exists. It was determined during the review that "our bank" utilizes "flood vendor" services for asistance in completion of the SFHD, however, no contractual relationship has been established.
Recommendation:
Without a contractual agreement in place between "our bank" and "flood vendor" .... {finish this sentence. I am looking for the "what ifs" or the liabilities the bank could face by not having this type of agreement binding.}

In reply to:

---

Without a contractual agreement in place between "our bank" and "flood vendor" ....

---

...there are no provisions for recourse in the event of erroneous determinations. Without a contract the bank will bear the full liability for such failures, including potential civil liability to customers as well as potential administrative liability to regulators.

Gosh you are good. Want my job?

Additionally, "vendor" is receiving nonpublic personal information and a specific privacy/confidentiality clause is needed to protect the bank and customer information.

Jim, wow-that was good. I will have to check with you when I get stumped on my next audit report!! I'm glad to know I am not the only one who gets stumped with how to word this stuff.

Now I addressed loan ops about this exact issue back when we were determining what third parties we were providing confidential consumer information to and they said the only information submitted to the flood vendor was the customers name and the property address, both which are "public" information. They argued on the basis that you could get the customers name from the phone book and the address from court records. Thoughts? I already battled them about this.

No joke. After you have worked on it, wrote it, read it...somehow you find yourself saying the same redundant things over and over and over or you just blank out. (thats me! ) Thank goodness for all of my audit friends out there who have MANY years more experience than myself! Thank you, Thank you, Thank you.

Okay, now that one makes me feel even BETTER!! Yeah, you write and re-write and delete and add back the same paragraph and agonize over the wording while laying awake in bed at night-and then no one even blinks when they read the final audit report. Gotta love our jobs!!

I disagree and am cautious. What if your customer applying for the refi says he's suddenly getting calls to sell him flood insurance? Where might those come from? I believe this fits into vendor management and a confidentiality clause is warranted. Certainly it isn't as vital as with your Internet Banking provider, but important still the same.

Andy, I do not disagree with you. I am a proponent for CYA in any situation especially in regard to privacy and information security. I guess I was not able to make a strong enough case for them to deem it necessary. This is why we talk amongst ourselves here. Hopefully through my writeup I can actually communicate the importance.

I want to say that my last exam request letter even asked who received any customer information and for copies of agreements such as this.

I thought a confidentiality clause was required for ALL third party vendors.

It wouldn't have to be in an agreement with all, the paper supplies we get, periodicals or software, but anytime customer information is used, it should be.

(Side bar - Actually it may become an issue on some software beyond the mainframe now. There are some who have read the new Microsoft EULAs and MS says you grant them access to the computer memory files. Those obviously may have NPPI on them and raises privacy issues.)

I was trying to find my notes on Vendor Management from an OCC conference but I can't. I don't work with that much but I want to say there are some guidelines published on this.

Many flood zone determination vendors now include Life of Loan (LOL) coverage at basically no additional cost.

This requires a contract since it is backed by the vendor's Errors and Omissions insurance.

On the other hand, try to avoid a long term exclusive contract. The technology is changing quickly. Vendors are integrating from the front end, the loan origination system, to assorted services such as appraisal, title search, flood insurance, ad infinitum.

Andy,
I am not trying to be difficult, just that knowing my loan ops people I already can anticipate their responses in advance so help me out here. You used the example that "what if" our customers began receiving phone calls from the vendor to solicit insurance (for example), and again all the information provided is considered public information, couldn't we say that they could have just as easily have picked up a phone book and made the same solicitation?

I'm pretty sure I remember that, per G-L-B, you would have to have actual knowledge that the information was in a phone book before you could use it. (Sorry to step in here - Andy certainly doesn't need me to answer for him, especially if I'm wrong!)

The customer's name would also be on the filed mortgage, so we could exclude the phone book example. (Can't you imagine why the examiners are weary to walk into my office? )

I receive a ton of junk mail based on the information on file with the county recorder. I can always tell because it is addressed to my name as trustee, and will sometimes reference a loan that was paid off a few years ago.

I'm just glad I don't have a library card from the city of Huntington Beach.....

From the Interagency Guidelines on SCI.

A service provider is a person or entity that maintains, processes, or otherwise is permitted
access to customer information through its provisions of services directly to the bank.
Institutions must exercise due diligence in selecting service providers, including reviewing the
service provider’s information security program or measures used by the service provider to
protect the institution’s customer information. In addition, contracts entered into after March 5,
2001 must require that the service provider implement appropriate measures designed to meet the
objectives of the Guidelines. By July 1, 2003, all contracts are subject to this requirement.

It is one thing to say the info is available to the public. But it is another to profess that this is John, this is a house John owns, John is getting a loan, John's house is in a flood zone, John needs insurance.