What the assessment covers
The full CTS framework, end to end.
The CTS framework spans multiple risk and control domains tailored to the operational realities of creditor industry vendors — including consumer information risk, AI-related security, vendor operations, physical security, information security, and privacy and regulatory compliance. Convergent's assessment delivers the complete questionnaire scope in one engagement.
Domain 01
Consumer Information Risk
How your firm handles Consumer Non-Public Information (NPI) and confidential data across the vendor relationship. Storage, processing, transmission, and monitored versus unmonitored consumer interaction — the program's central scoping lens for assessing vendor risk to creditor clients.
- Access management and identity
- Encryption at rest and in transit
- Network and endpoint security
- Vulnerability management
- Logging and monitoring
- Physical Security
Domain 02
AI-Related Security& Compliance
Regulatory alignment with FDCPA, GLBA, and state privacy laws. Vendor management. Consumer-facing privacy practices and the documented evidence to defend them.
- Privacy notice and consent
- Data classification and handling
- Vendor risk management
- Regulatory compliance mapping
- Breach notification readiness
Domain 03
Vendor Operations
Operational controls and oversight specific to creditor industry vendors. Day-to-day practices for managing vendor operations, change management, business continuity, incident response, and audit readiness — the operational discipline that determines whether a vendor can deliver under regulatory and creditor-client expectations.
- Business continuity planning
- Disaster recovery testing
- Incident response procedures
- Tabletop exercise cadence
- Recovery time objectives