Third-Party Risk: The Examiners are Coming!

Transcription

1 Third-Party Risk: The Examiners are Coming! Brad Keller, Sr. Director, 3rd Party Strategy Prevalent Inc. Hosted by Compliance Week s assistant director of events & programs, Tsvetelina Gabin. 1

2 Agenda for Today s Webcast This webcast will last for 60 minutes 2:00 p.m. Introduction 2:05 p.m. Presentation Tsvetelina Gabin Compliance Week Speakers: Brad Keller Prevalent 2:45 p.m. Q&A 3:00 p.m. Closing Spon sored by 2

3 Introduction The Series, Schedule and Instructions Instructions Use the Ask A Question function (left side of your screen). All questions will be anonymous Polling This webcast features polling. CPE To download today s presentation, click on Event Resources dropdown menu on the left-hand side of your screen Please disable your pop-up blockers to access the automatic CPE exam presented at the webcast conclusion Upcoming Webcasts Visit our website for future webcast dates and topics Spon sored by 3

4 Speaker Brad Keller, JD, CTPRP has developed and implemented vendor and business risk management programs at several financial institutions that have substantially improved risk management while also passing federal regulatory scrutiny for 25 years. Today Brad is the Senior Director of Third-Party Strategy at Prevalent, where he focuses on the delivery of Prevalent s third party risk management and assessment solutions, and the consulting to support those solutions. Prior to joining Prevalent, he was a Senior Vice President with The Santa Fe Group focusing on the management of the Shared Assessments Program. Brad graduated with honors from the University of Missouri with a B.S. degree in Finance and received his J.D. with honors from St. Louis University School of Law. Spon sored by 4

5 Setting the bar Establishing the need to proactively manage third parties across the entire risk management life cycle (OCC ) Establishing evaluation criteria Supplemental Examination Procedures for Third Party Relationships (OCC ) Providing guidance on current best practices to comply with Third Party Risk Assessment Best Practice Recommendations (OCC )

6 A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships A bank should ensure comprehensive risk management and oversight of third-party relationships involving critical activities An effective risk management process throughout the life cycle of the relationship includes: Plans that outline the bank s strategy, identify the inherent risks of the activity, and detail how the bank selects, assesses, and oversees the third party. Proper due diligence in selecting a third party. Written contracts that outline the rights and responsibilities of all parties. Ongoing monitoring of the third party s activities and performance. Contingency plans for terminating the relationship in an effective manner. Clear roles and responsibilities for overseeing and managing the relationship and risk management process. Documentation and reporting that facilitates oversight, accountability, monitoring, and risk management. Independent reviews that allow bank management to determine that the bank s process aligns with its strategy and effectively manages risks.

7 Planning Banks need to develop and implement processes to identify and address risks across the entire vendor lifecycle, bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships Documentation Banks should thoroughly document: The governance, controls and processes used to assess vendors. Proper documentation is essential ensure comprehensive risk management and oversight of third-party relationships involving critical activities A current inventory of all third party relationships, including the type of data and systems accessed Risk assessment and performance reports, including regular reporting to the board and senior management Due Diligence and Third Party Selection Due diligence prior to contracting that is tied to the level of risk and complexity of the service Contract Negotiation Identification of required contract provisions Compliance with applicable regulations Right to audit and require remediation Subcontracting Ongoing monitoring Independent Reviews Periodic reviews of the third party risk management process by either internal or external resources. Board of Directors and Senior Management Specifically required to be proactively involved in the development and oversight of the third party risk management program

8 Please indicate which answer best describes your institution s response to OCC Examination Procedures like OCC : A. My institution treats Examination Procedures the same way as any other Guidance or Regulation which requires the bank s compliance. B. My institution uses them as an indicator of what we need to have in place to prepare for examinations. C. My institution treats them as informational only as they dictate Examiner activity, rather than bank compliance requirements.

9 OCC provides guidance to Examiners on what to look for when examining a bank s third party risk management program. In so doing, it sets forth the practices that banks are expected to have in place: Methodologies for assigning a risk ranking to all third-party relationships Ongoing monitoring that addresses certain specified minimum risk factors Processes for holding applicable bank employees personally accountable for identified material weaknesses in third party oversight Ongoing reviews of online activity, publicity, public reports and social media for adverse events involving third parties or their subcontractors* *OCC Bulletin , at 10-17

10 While Guidance is well written and comprehensive, many questions still exist: How should a Third Party Risk Management (TPRM) Program be structured? What to do when third parties don t cooperate? How can banks manage the costs of compliance? What exactly is ongoing monitoring?

11 What structure best complies with OCC s expectation that banks TPRM programs will align with the risk presented by their third party relationships? OCC recognizes that bank structure comes in many shapes and sizes*: Dispersed accountability for third party relationships Centralized management of risk and compliance Structure of the program is not the compelling issue: Having the appropriate stakeholders involved in managing third party risk Having a program that addresses third party risk issues across the entire risk life cycle Appropriate levels of board oversight Adequate board and senior management reporting *OCC Bulletin , Section 3

12 Despite best efforts, third parties don t always provide all of the necessary information in a timely manner, if at all. The OCC has acknowledged this situation and provides the following recommendations: Develop appropriate alternative ways to analyze these critical third party service providers. Establish risk-mitigating controls. Be prepared to address interruptions in delivery (for example, use multiple payment systems, generators for power, and multiple telecommunications lines in and out of critical sites). Make risk-based decisions that these critical third-party service providers are the best service providers available to the bank despite the fact that the bank cannot acquire all the information it wants. Retain appropriate documentation of all efforts to obtain information and related decisions. Ensure that the contract meets the bank s needs. *OCC Bulletin , Section 1

13 OCC provides several recommendations for improving TPRM efficiency: Collaborate on assessment due diligence and ongoing monitoring Establish user groups of shared third party service providers Utilize standard questionnaires for gathering assessment due diligence *OCC Bulletin , Sections 2, 4 & 6

14 Please indicate which answer best describes your institution s response to the third party risk recommendations for collaboration outlined in OCC : A. My institution is actively engaged in collaboration with other banks with whom we share common third party service providers. B. My institution fully understands the benefits of a more collaborative approach and is investigating how to leverage them in our TPRM program. C. My institution is unsure how to utilize/execute a collaborative approach in our TPRM program. D. My institution is unsure of the actual benefits from a collaborative approach.

15 Collaboration is essential to meet the requirements of * Leverages resources across institutions Promotes knowledge sharing to better understand changing risk environment Use common third party questionnaires Use of common tools for the collection of third party due diligence, ongoing monitoring, and risk control evaluation results in greater efficiency and lower costs Creation of user groups who use similar third parties Promotes innovation Proactive approach to risk identification and management *OCC , Section 4

16 Collaboration is an essential and useful tool but banks are still responsible for making decisions about risk. Bank s must continue to make their own decisions about: Specific risk control requirements Appropriate levels of risk acceptance Acceptable alternative mitigating controls Matters requiring remediation Nature and timing of remediation efforts *OCC , Sections 4 & 5

17 Reliance on static scheduled assessments is no longer sufficient to monitor the rapidly changing third party risk environment Ongoing monitoring looks beyond compliance with contract requirements Current information on third party's threat environment Incidents and events Legal activity Regulatory actions Financial viability Operational issues Mergers/acquisition Senior leadership changes Brand and reputational issues Allows you to be proactive rather than reactive *OCC Bulletin , Section 1

18 Brad Keller, JD, CTPRP Phone: (908)

19 Question & Answer Session Speakers Brad Keller, Sr. Director, 3rd Party Strategy Prevalent Inc. Moderator Tsvetelina Gabin, Assistant Director, Events and Programs Compliance Week You can submit questions using the Ask a Question button on the left side of y our screen.

20 Thank you for joining us CPE Credit information The CPE test will appear in a separate window at the conclusion of the webcast. If you have trouble accessing the test, please us at info@complianceweek.com. CPE certificates will be ed to you separately following completion of the exam. *Please note that a passing score of 80% or higher is needed to receive CPE credit. Be sure to disable your pop-up blockers to access the automatic CPE exam presented at the conclusion of the webcast. Please send feedback to: info@complianceweek.com. Y ou can submit questions using the Ask a Question button on the left side of y our screen. Spon sored by 20