Vendor Management ComplianceTop 10 Things Regulators Expect
Peter Davey, AAPVP & Director, Enterprise Payments, CapitalOne
Pamela T. Rodriguez, AAP, CIA, CISAEVP, Risk Management & Education, EastPay
© 2014 EastPay. All Rights Reserved
Respect
Team
work
Passion
Integrity
Trust
EASTPAY Not-for-profit Regional Payments Association Educational Programs Member benefits
– Voice & Representation in National Rule Making and Regulatory Process
– Toll free operational assistance and – Discounts on seminars, publications, conferences
Online purchasing and registration 9 ACH Accredited Professionals (AAP) on staff
© 2014 EastPay. All Rights Reserved
Disclaimer This presentation and applicable materials are
intended for general education purposes and nothing in this presentation should be considered to be legal, accounting or tax advice.
You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.
Image source: Thinkstock
© 2014 EastPay. All Rights Reserved
Agenda
Key Components of FFIEC IT Examination Handbook on Outsourcing Technology Services
Regulator Expectations Common Gaps in Vendor Management
Programs
© 2014 EastPay. All Rights Reserved 4
OCC Bulletin 2013-29
First, the Third-Party Guidance’s title itself (replacing the word “Principles” with “Guidance”), closely aligns with the phrase “compliance with all applicable Legal Requirements and OCC supervisory guidance” - language frequently used in Cease and Desist Orders.
Second, the final section of the Third-Party Guidance, entitled Supervisory Reviews of Third-Party Relationships plainly states: “A bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.”
Third, the Third Party Guidance makes it clear that the OCC has the power to examine third party-vendors, and to charge the financial institution with a special examination or investigation fee for the OCC’s examination of a third party for the bank.
And finally, for community banks, the Third-Party Guidance makes it clear that regulatory expectations have increased. While OCC Bulletin 2001-47 stated: “community banks may be able to adopt this guidance in a less formal and systematic manner…”, that is not the case with 2013-29.
© 2014 EastPay. All Rights Reserved 5
FFIEC IT EXAMINATION HANDBOOK ON OUTSOURCING TECHNOLOGY
SERVICES
6© 2014 EastPay. All Rights Reserved
FFIEC IT Examination Handbook on Outsourcing Technology Services
Examples of IT operations frequently outsourced:– Origination– Processing– Settlement of Payments and Financial Transactions– Information Processing Related to Customer Account
Creation and Maintenance– Information and Transaction Processing Activities that
Support Critical Banking Functions• Loan Processing• Deposit Processing
© 2014 EastPay. All Rights Reserved 7
FFIEC IT Examination Handbook on Outsourcing Technology Services
Decision to outsource should fit into overall strategic plan and corporate objectives
Degree of oversight and review of outsourced activities will depend on criticality of service
Outsourced relationships are subject to same risk management, security, privacy, and other policies that would be expected if FI were conducting activities in-house
© 2014 EastPay. All Rights Reserved 8
Board and Management Responsibilities
Oversee outsourced relationships Identify, measure, monitor, and control the risks
associated with outsourcing Establish servicing requirements and strategies Select a provider Negotiate the contract Monitoring, changing, and discontinuing
outsourced relationships
© 2014 EastPay. All Rights Reserved 9
Key Factors of Effective Risk Management
Senior Management and Board Awareness of risks associated with outsourcing agreements
Ensure outsourcing arrangement is prudent from a risk perspective and consistent with business objectives
Systematically assessing needs while establishing risk-based requirements
© 2014 EastPay. All Rights Reserved 10
Key Factors of Effective Risk Management
Implementing effective controls to address identified risks
Performing ongoing monitoring to identify and evaluate changes in risk from initial assessment
Documenting procedures, roles/responsibilities, and reporting mechanisms
© 2014 EastPay. All Rights Reserved 11
Risk Management Process Incorporates
Risk Assessment and requirements definition Due diligence in selecting a service provider Contract negotiation and implementation Ongoing Monitoring
© 2014 EastPay. All Rights Reserved 12
Risk Assessment and Requirements
Assess the risk from outsourcing Involve stakeholders in creating risk-based
written requirements to control an outsourcing action
Use written requirements to guide and manage the remainder of the outsourcing process
© 2014 EastPay. All Rights Reserved 13
FFIEC IT Examination Handbook on Outsourcing Technology Services
Consider the following factors in evaluating the quantity of risk at inception of outsourcing:– Sensitivity of data accessed, protected, or controlled
by the service provider– Volume of transactions– Criticality of FI’s business
© 2014 EastPay. All Rights Reserved 14
Risks Pertaining to the Service Provider
Strength of financial condition Turnover of management and employees Ability to maintain business continuity Ability to provider accurate, relevant, and timely
Management Information Systems Experience with the function outsourced Reliance on subcontractors Redundancy and reliability of communication
lines
15© 2014 EastPay. All Rights Reserved
Sound Business Practices for Development of Requirements
Stakeholder involvement Integration Documentation
16© 2014 EastPay. All Rights Reserved
Ongoing Monitoring
Key Service Level Agreements (SLAs) and contract provisions
Financial condition of service provider General control environment of service provider
through receipt and review of audit reports Potential changes due to external environment
17© 2014 EastPay. All Rights Reserved
Financial Condition of Service Provider
On-going monitoring Financial viability on an annual basis, review
financial statements Report results to Board of Directors Information provided by public media (trade
magazines, newspapers, television, etc.)
18© 2014 EastPay. All Rights Reserved
General Control Environment of Service Provider
Conduct regular, comprehensive audit of service provider relationship
Review internal and external audit reports Auditor’s level of training and experience Service Providers external auditors’ training Internal IT audit techniques of service provider
19© 2014 EastPay. All Rights Reserved
1. Due Diligence Prior to Vendor Selection
Review of all available information about a potential third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls
21© 2014 EastPay. All Rights Reserved
1. Due Diligence Prior to Vendor Selection(cont’d)
Evaluation of a third party may include the following items:– Audited financial statements, annual reports, SEC
filings, and other available financial indicators– Significance of the proposed contract on the third
party's financial condition– Experience and ability in implementing and
monitoring proposed activity– Business reputation
22© 2014 EastPay. All Rights Reserved
1. Due Diligence Prior to Vendor Selection (cont’d)
Qualifications and experience of the company's principals
Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies
Existence of any significant complaints or litigation, or regulatory actions against the company
Ability to perform the proposed functions using current systems or the need to make additional investment
23© 2014 EastPay. All Rights Reserved
1. Due Diligence Prior to Vendor Selection (cont’d)
Use of other parties or subcontractors by the third party
Scope of internal controls, systems and data security, privacy protections, and audit coverage
Business resumption strategy and contingency plans
Knowledge of relevant consumer protection and civil rights laws and regulations
Adequacy of management information systems Insurance coverage
24© 2014 EastPay. All Rights Reserved
2. Vendor Selection
Audit Requirements – Identify regulation requirements of FI
Resources and Technology Support System Policies, procedures, and service organization
control reports Disaster recovery plan Reputation
25© 2014 EastPay. All Rights Reserved
3. Contract Negotiation
Audit rights, self assessments, monthly compliance reviews, obtain vendor’s annual SOC report on its control compliance
Service level agreements and financial penalties
© 2014 EastPay. All Rights Reserved 26
4. Contract Scope
Timeframe covered by the contract Frequency, format, and specifications of the
service or product to be provided Other services to be provided by the third party,
such as software support and maintenance, training of employees, and customer service
© 2014 EastPay. All Rights Reserved 27
4. Contract Scope (cont’d)
Requirement that the third party comply with all applicable laws, regulations, and regulatory guidance
Authorization for the institution and the appropriate federal and state regulatory agency to have access to records of the third party as are necessary or appropriate to evaluate compliance with laws, rules, and regulations
© 2014 EastPay. All Rights Reserved 28
4. Contract Scope (cont’d)
Identification of which party will be responsible for delivering any required customer disclosures
Insurance coverage to be maintained by the third party
Terms relating to any use of bank premises, equipment, or employees
© 2014 EastPay. All Rights Reserved 29
4. Contract Scope (cont’d)
Permissibility/prohibition of the third party to subcontract or use another party to meet its obligations with respect to the contract, and any notice/approval requirements
Authorization for the institution to monitor and periodically review the third party for compliance with its agreement
Indemnification
© 2014 EastPay. All Rights Reserved 30
5. Implementation
Access management – Review system access reports at least monthly to
ensure users of outsourced service are authorized
Transaction monitoring Change management
– FI should approve any changes made by vendor
System backup
31© 2014 EastPay. All Rights Reserved
6. Monitoring
Audits Service Organization Control (SOC) Reports –
Vendor’s compliance with their own policies IT Controls Statement on Standards for Attestation
Engagements No. 16 (SSAE 16), formerly known as Statement on Auditing Standards No. 70 (SAS 70)
© 2014 EastPay. All Rights Reserved 32
7. Ensure Proposed Relationship is consistent with FI’s Strategic Plan
and Overall Strategy Step one in Risk Assessment Process Management should analyze benefits, costs,
legal aspects, and potential risks associated with Third-Party
Expanded analysis should be conducted if product or service is new for FI– FI personnel conducting analysis should have
appropriate knowledge and skills to conduct
33© 2014 EastPay. All Rights Reserved
8. Ensure vendor management program risk-ranks vendors based on:
Access to other confidential (i.e. proprietary) information?
Criticality of the product/service they provide? Complexity of the product/service?
34© 2014 EastPay. All Rights Reserved
9. Adherence to Service Level Agreements and Contract Provisions
Formal Policy that defines SLA program SLA monitoring process Recourse process for non-performance Escalation process Dispute resolution process Termination process
© 2014 EastPay. All Rights Reserved 35
10. File Bank Service Company Act when Required
Section 7 of Bank Service Company Act (12 U.S.C. 1867) requires insured financial institutions to notify their appropriate federal banking agency in writing of contracts or relationships with third parties that provide certain services to the institution
36© 2014 EastPay. All Rights Reserved
10. File Bank Service Company Act when Required (cont’d)
Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party "shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first."
© 2014 EastPay. All Rights Reserved 37
10. File Bank Service Company Act when Required (cont’d)
As defined in Section 3 of the Act, these services include "check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution."
38© 2014 EastPay. All Rights Reserved
Common Gaps in Vendor Management Program
Lack of Board Approved Policy Limited Board of Directors involvement Lack of Risk Rating Vendors Inadequate Monitoring of SLAs SLAs have not been defined Limited ongoing monitoring Business continuity
© 2014 EastPay. All Rights Reserved 40
Useful Vendor Management Forms
Vendor Risk Assessment & Rating Matrix New Vendor Due Diligence Report Exit Strategy Questionnaire Early Contract Termination Questionnaire Vendor Monitor Report Reference Check Form
© 2014 EastPay. All Rights Reserved 41
Useful Vendor Management Forms
Financial Review Report SAS-70/SSAE-16 Review Report Information Security Review Report Contract and Legal Review Checklist Ongoing Due Diligence: Annual/High Risk
© 2014 EastPay. All Rights Reserved 42
Useful Vendor Management Publications
CFPB Bulletin 2013-03 – “any person who provides a material service”– http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf
CFPB Bulletin 2012-06 – credit card add-on products FIL-3-2012 – Revised guidance for payment processor relationships revising
FIL 127-2008 FDIC Guidance for Managing Third-Party Risk (FIL 44-2008) OCC 2013-29– Risk Management Principles
– http://occ.treas.gov/news-issuances/bulletins/2013/bulletin-2013-29.html FFIEC Vendor and Third-Party Management
– http://ithandbook.ffiec.gov/it-booklets/retail-payment-systems/retail-payment-systems-risk-management/operational-risk/vendor-and-third-party-management.aspx
FFIEC Handbook on Retail Payment Systems FFIEC Handbook on Outsourcing Technology Services FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML)
43© 2014 EastPay. All Rights Reserved
Steps to Follow
Follow these steps to establish a safe and sound vendor management program. – Step 1 - Ensure that proper internal risk analysis is
performed, proper approval is obtained.• Strategic Plan
– Step 2 - Perform due diligence prior to contracting with a vendor.
– Step 3 - Ensure contracts are appropriate.– Step 4 - Monitor performance of the vendor and vendor’s
compliance with contractual and regulatory requirements.
• Perform ongoing due-diligence and “appropriate intervals”.
44© 2014 EastPay. All Rights Reserved
Vendor Management
Remember– Technology related vendors may not be familiar with
regulations applicable to financial institutions– Business resumption plans
• Are they adequate?
– Retain due diligence documentation in anticipation of examinations
45© 2014 EastPay. All Rights Reserved
Contracting with Vendors
Remember – Any material or significant contract with a third party should prohibit
assignment, transfer or subcontracting by the third party of its obligations to another entity, unless and until the financial institution determines that such assignment, transfer, or subcontract would be consistent with the due diligence standards for selection of third parties.
– All contracts should state that the vendor is subject to regulatory review and allow for the financial institution to monitor the vendor.
• Periodic reviews and audits– Expectations and performance standards help to determine if the
vendor is adequately performing services. • Termination of contract
– Who is responsible for what?– Appropriate legal counsel should review higher risk contracts prior
to execution.
46© 2014 EastPay. All Rights Reserved
Contact The Presenter
Peter Davey, AAPVP & Director, Enterprise [email protected]
Pam Rodriguez, AAP, CIA, CISAEVP, Risk Management & [email protected], ext 305
© 2013 EastPay. All Rights Reserved