Ensure Your Third-party Service Providers Follow Policies to Protect Consumer Funds, NPI
September 2, 2014
While title and settlement companies are encouraged to maintain policies to protect non-public personal information (NPI), they should also ensure that the third-party service providers they use comply with an information security program. Title and settlement companies should take reasonable steps to select and retain service providers that are capable of appropriately safeguarding NPI. Vendors that may have electronic or digital access to NPI through information systems and associated resources include:
Additionally, companies should consider the vendors that may have access to NPI in paper-based files, including:
To help ensure a title or settlement company is protected if NPI is stolen from a service provider, vendors and vendor personnel should be provided with a copy of the company’s information security policy annually. The vendor should sign the policy, acknowledging that it understands the policy and agrees to follow it. Banks frequently require, at a minimum, that their vendors maintain a current service auditor’s report using the Statement on Standards for Attestation Engagements No. 16 (SSAE 16), the replacement for the SAS 70 Auditing Standard. Title and settlement companies may want to consider including this in their due diligence with service providers.