How do we include vendors in our Cyber Incident Response Plan? We don’t know their Plan.
Our lending operations department (not credit card) would like to initiate an EFT through our third party vendor to debit our customer's deposit account to exercise our right to offset for amounts owed on our customer's loan. Our deposit account terms and conditions discloses our right to offset any amounts owed to the bank. We know that generally Reg E, Section 205.3 (c)(5) would allow the bank to electronically transfer funds between a customer's accounts without the customer's specific request under certain circumstances and that the official commentary provides that this exception to Reg E includes the right to initiate "electronic debits or credits to consumer accounts for check charges, stop-payment charges, NSF charges, overdraft charges, provisional credits, error adjustments and similar items that are initiated automatically on the occurrence of certain events." In order to exercise our right to offset electronically, the transaction will need to be processed through our third party vendor. Do we have any Reg E or other regulatory concerns in doing so?