I’ve recently been asked whether a financial institution has Breach Notification responsibility in the case where the institution refers customers to vendors such as financial service providers where the institution merely vetted several vendors as a convenience for its customers, has no contract with the vendors, passes no PII/NPPI to the vendor, receives no referral fees and the customer is the sole decision maker as to whether they wish to do business with the vendor. The answer is YES according to the FDIC who points to FDIC Part 364B. In vetting vendors and providing a referral, the institution represents that it has a relationship with the vendor and if the vendor has a breach, the institution must provide notification to customers whether or not they are aware of who has been effected.