It’s almost impossible to execute all of your processes without using a third party vendor. From sending letters to bankruptcy scrubs, you have to share consumer data with third party vendors in order to do business. But, of course, working with vendors comes with increasing risk and new layers of responsibility, too. So, what do you need to know about your vendors before you sign a contract? And what do you need to review with vendors you’ve been working with for a long time?
Here are six issues you absolutely must broach with all your existing and potential vendors.
1. Basic Data Security
The level of security you require of your vendors depends on what your clients require of you. At minimum, you should be asking about:
- SOC2 compliance
- Whether your data is stored offshore
- Whether your data can be accessed from an offshore location
This is standard external audit stuff, and the risk will vary depending on what kind of data you share with the vendor. Review this at least yearly for most vendors, especially those receiving PII.
2. Data Retention & Destruction
Data retention policies can vary depending on the state/jurisdiction and your clients’ requirements. Not only are you subject to data retention policies, but your vendors are, too. You need to find out how long they are storing your data, and how long you are storing theirs. Also along these lines, you need to know their data destruction method. Are they masking your data, or deleting it? If they’re deleting it, are they using the National Institute of Standards and Technology wiping algorithm, or something else?
Again, review this at least yearly, and as necessary based on changes in policies.
3. Permissible Use
Data is the lifeblood of strategy and the driving force behind technology. Do you have a clearly defined permissible use policy in place with your vendors? Are you appropriately restricting your vendors from updating data outside of that permissible use? Make sure you have a good understanding of how your vendor will use the data you send them. If they’re not asking already, your clients certainly will be soon.
You’ll have to outline this at the beginning of your relationship with a vendor, and certainly update it as needed based on changes in expectations and client requirements.
4. Sending the Minimum Amount of Data
On the same subject as permissible use: do you have a clearly defined idea of what you are trying to accomplish with your vendor, and what data is needed to accomplish it? You should only be sending the minimum data necessary for your vendor to execute on their task. Don’t send large amounts of data and expect your vendors to parse out what they need. Mitigate your risk by defining and sending only the data points they need.
This should also be reviewed at a regular cadence, in case the scope of your project has changed, and with it, the data required to complete it.
5. File Formats
Will you need to create a custom file layout to work with the vendor? Is it possible to reuse a file layout that already exists? How complex is their file layout? Are they using APIs? It might seem obvious, but it’s important to understand how their layouts work before signing an agreement.
This one should absolutely be defined at the beginning of your relationship. Regular checks on file formats should be completed, possibly by an internal audit team.
6. 4th Party Concerns
Are you vendors using vendors? If they are, does any of the data you share go to them? It’s possible that your clients will apply the same security standards to your third party vendors, as well as any fourth party vendors. For example, if your client requires a specific level of background checks on employees, it’s possible that requirement might extend to your fourth party vendors.
Set the expectation in your agreement that your vendors must notify you if any data you send to them gets sent to a fourth party. Again, this should be reviewed thoroughly on at least a yearly basis.
This list is by no means exhaustive, and we encourage you to work with your clients and your counsel to determine what you need to include in your vendor agreements and what to look for when you’re auditing your vendors. Clients are only going to get more creative and ask more questions, especially as data becomes more crucial than ever to day to day operations.
This article was created with insight from the iA Innovation Council’s Data Stewardship Working Group, including Michael Meyer, Chief Risk and Innovation Officer at MRS BPO, Drew Marston, Leader of Digital Transformation and Marketing, Resurgent, Eric Biederman, VP of Infrastructure and Security, MRS BPO, John Kelan, Sr. Director of Operational Strategies, Hunter Warfield, and Adip Dsouza, Director of Information Technology, PFC USA.
Erin Kerr is the Director of Content for Collections & Recovery - a digital resource for collections strategy executives - and the Executive Director of the iA Innovation Council. She is a seasoned receivables management professional, with recent experience in digital strategy and a passion for crafting digital solutions for a better customer experience.
Every Thursday, Collections & Recovery sends out an exclusive email packed with analysis on the newest trends in collections strategy, the shift to digital collections, best practices for vendor management, and deep-dives into regulatory and compliance issues that matter to you. The only way to get it is to subcribe.