THIRD-PARTY RISK MANAGEMENT


THIRD-PARTY RISK MANAGEMENT: Beyond a Regulatory Requirement
April 28, 2017
Ken Glascock, CPA, CAMS, CIA, CFSA, CRCM, Director, kglascock@bkd.com

AGENDA
- Let's Break It Down: What Is Third-Party Risk Management?
- It's Just for Big Institutions, Right? Why You Need a Third-Party Risk Management Program
- Regulatory Requirements
- Are the Right People Involved? It's Not Just an IT Responsibility
- Common Pitfalls in Third-Party Risk Management Programs
- Best Practices

LET'S BREAK IT DOWN: What Is Third-Party Risk Management?

LET'S BREAK IT DOWN: What Is a Third Party?
- More than just IT service providers
- More than just critical vendors
- Formal definition: any outside party the institution relies on to deliver a product, service or activity, regardless of whether a contract or payment is involved
- How to identify all third parties: start from accounts payable, contracts on file and the business owners, not only from the IT vendor list

LET'S BREAK IT DOWN: What Is Risk Management?
The continuous process of assessing, measuring, monitoring and controlling risk.

IT'S JUST FOR BIG INSTITUTIONS, RIGHT? Why You Need a Third-Party Risk Management Program

IT'S JUST FOR BIG INSTITUTIONS, RIGHT?
- There is no size threshold
- It applies to every institution that uses third parties
- It applies to every third-party arrangement, not only to IT or critical vendors

WHY YOU NEED A THIRD-PARTY RISK MANAGEMENT PROGRAM
- Outsourcing means you no longer control the process directly, which increases risk
- It is a regulatory requirement
- To evaluate whether capital is sufficient to support the risk exposures the arrangement creates (think AIG in the Great Recession)
- To evaluate whether the third party is actually doing the job it was engaged to do

OUTSOURCING CASE STUDY: Unirush, LLC and MasterCard International

CFPB ORDERS MASTERCARD AND UNIRUSH, LLC TO PAY $13 MILLION
- RushCard breakdowns cut off consumers' access to their funds
- Preventable failures left tens of thousands of economically vulnerable consumers unable to pay for necessities
- Many customers could not use their RushCard to receive their paychecks and other direct deposits, take out cash, make purchases, pay bills or get accurate balance information

Regulatory Requirements

POTENTIAL REGULATORS: NCUA, OCC, FDIC, Federal Reserve, FFIEC, CFPB

NCUA SUPERVISORY LETTER NO. 07-01 (10/2007), Evaluating Third Party Relationships
"Ultimately, credit unions are responsible for safeguarding member assets and ensuring sound operations irrespective of whether or not a third party is involved. Risks may be mitigated, transferred, avoided, or accepted; however, they are rarely eliminated."

NCUA SUPERVISORY LETTER (CONT.)
Exposure to the full range of risks: credit, interest rate, liquidity, transaction, compliance, strategic and reputation.

NCUA SUPERVISORY LETTER (CONT.)
"Credit unions must complete the due diligence necessary to ensure the risks undertaken in a third party relationship are acceptable in relation to their risk profile and safety and soundness requirements."

NCUA SUPERVISORY LETTER (CONT.): Risk Assessment
"Credit unions should complete a risk assessment prior to engaging in a third party relationship to assess what internal changes, if any, will be required to safely and soundly participate."

NCUA SUPERVISORY LETTER (CONT.): Risk Assessment
Consider all seven risk areas and specifically:
- Expectations for outsourced functions
- Staff expertise
- Criticality
- Risk-reward or cost-benefit relationship
- Insurance
- Impact on membership
- Exit strategy

NCUA SUPERVISORY LETTER (CONT.): Due Diligence
- Background check
- Business model
- Cash flows
- Financial and operational control review
- Contract issues and legal review
- Accounting considerations

AUDIT REPORTS: SAS 70, SSAE 16, SSAE 18; SOC 1, SOC 2 and SOC 3; Type 1 and Type 2
SOC 1 reports on the service organization's controls that are relevant to user entities' financial reporting; SOC 2 reports on controls against the Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy); SOC 3 is a general-use summary of a SOC 2. A Type 1 report covers the design of controls at a point in time; a Type 2 report covers operating effectiveness over a stated period. For ongoing monitoring of a critical vendor, what matters is a current Type 2 report whose scope actually covers the service you buy, the subservice organizations it carves out, and the complementary user entity controls (CUECs) you are expected to implement on your side.

AUDIT REPORTS (CONT.)
- Effective May 1, 2017: SOC reports are issued under SSAE 18 (SOC 1 under AT-C Section 320; SOC 2 and SOC 3 examinations under AT-C Sections 105 and 205)
- SSAE 18 replaces SSAE 10-14, 16 and 17
- SSAE 18 covers all attestation engagements
- Refer to reports by their individual names (i.e., SOC 1, SOC 2 and SOC 3), not as "SSAE 18 reports"

SSAE 18: IMPACT TO SERVICE ORGANIZATIONS AND USER ENTITIES
- Monitoring the effectiveness of internal controls at subservice organizations: service organizations must implement sufficient controls to monitor the relevant controls at their subservice organizations
- Assessing the risk of material misstatement and performing procedures in response to those risks, i.e., performing a risk assessment: under SSAE 18, service auditors are instructed to better identify potential areas of risk, specifically with regard to material misstatement

SSAE 18: IMPACT TO SERVICE ORGANIZATIONS AND USER ENTITIES (CONT.)
- Complementary subservice organization controls and modifications to management's assertion: SSAE 18 adds a requirement to include complementary subservice organization controls in SOC reports
- Evaluating the reliability of evidence produced by the service organization: SSAE 18 clarifies the requirements to ensure that evidence provided by service organizations is complete, accurate and sufficiently detailed
- The management assertion must be signed by management of the service organization

NCUA SUPERVISORY LETTER (CONT.): Contract Issues
- Scope of the arrangement, services offered and activities authorized
- Responsibilities of all parties
- Service level agreements
- Performance reports
- Penalties for lack of performance
- Ownership, control, maintenance and access
- Ownership of servicing rights
- Audit rights and requirements
- Data security and member confidentiality
- Business resumption or contingency planning
- Insurance
- Member complaints and member service
- Compliance with regulatory requirements
- Dispute resolution
- Default, termination and escape clauses

NCUA SUPERVISORY LETTER (CONT.)
"Since credit unions may ultimately be responsible for consumer compliance violations committed by their agents, credit unions should be familiar with the third party's internal controls for ensuring regulatory compliance and adherence to agreed upon practices."

NCUA SUPERVISORY LETTER (CONT.): Risk Measurement, Monitoring and Control of Third Party Relationships
- Policies and procedures
- Risk measurement and monitoring
- Control systems and reporting

"The CFPB expects supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships." (CFPB Bulletin 2012-03)

"To limit the potential for statutory or regulatory violations and related consumer harm, supervised banks and nonbanks should take steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers." (CFPB Bulletin 2012-03)

CFPB & CREDIT UNIONS
CFPB Orders Navy Federal Credit Union to Pay $28.5 Million for Improper Debt Collection Actions: "Credit Union Used False Threats to Collect Debts and Placed Unfair Restrictions on Account Access" (October 11, 2016)

FFIEC IT Examination Handbook booklets: Outsourcing Technology Services; Supervision of Technology Service Providers

OCC Comptroller's Handbook booklets that address third parties: Asset Management; Other Real Estate Owned; Internal and External Audits; Merchant Processing; Retail Nondeposit Investment Sales; etc.

"A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships." (OCC Bulletin 2013-29, Third-Party Relationships)

"The OCC expects more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities: significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology)." (OCC Bulletin 2013-29, Third-Party Relationships)

"Appropriately managed third-party relationships can enhance competitiveness, provide diversification, and ultimately strengthen the safety and soundness of insured institutions. Third-party arrangements can also help institutions attain key strategic objectives." (FDIC, Summer 2011 Supervisory Insights)

"A third-party relationship should be considered significant if the institution's relationship with the third party is a new relationship or involves implementing new bank activities." (FDIC Financial Institution Letter 44-2008, Guidance for Managing Third-Party Risk)

"A community banking organization may have critical activities being outsourced, but the number may be few and to highly reputable service providers. Therefore, the risk management program may be simpler and use less elements and considerations." (Federal Reserve SR 13-19, Guidance on Managing Outsourcing Risk)

"As the service provider represents the institution by selling products or services on its behalf, the institution should consider whether the incentives provided might encourage the service provider to take imprudent risks." (Federal Reserve SR 13-19, Guidance on Managing Outsourcing Risk)

ARE THE RIGHT PEOPLE INVOLVED? It's Not Just an IT Responsibility

ARE THE RIGHT PEOPLE INVOLVED?
You must know the components of a proper third-party risk management program before you can know who should be involved in each of them.

ARE THE RIGHT PEOPLE INVOLVED? Five-Phase Approach
1. Planning and risk assessment
2. Due diligence and third-party selection
3. Contracts
4. Ongoing monitoring
5. Termination

ARE THE RIGHT PEOPLE INVOLVED? Phase I: Planning and Risk Assessment (board of directors, management, line personnel)
- Is it a need or a want?
- Will it help accomplish the strategy?
- What is the opportunity cost?

ARE THE RIGHT PEOPLE INVOLVED? Phase II: Due Diligence and Third-Party Selection
The people involved should be those who can properly evaluate:
- Whether the vendor will perform the task(s) assigned (the direct users)
- The cost/benefit (CFO, executive management, board)

ARE THE RIGHT PEOPLE INVOLVED? Phase III: Contracts
Legal, CEO, CFO

ARE THE RIGHT PEOPLE INVOLVED? Phase IV: Ongoing Monitoring
- Performance (direct users and IT)
- Financial stability (CFO, credit analysts)
- Business continuity (IT)
- Cybersecurity (IT security)

BANKS FAIL TO ENFORCE CYBERSECURITY STANDARDS ON THIRD-PARTY PROVIDERS: FDIC WATCHDOG
WASHINGTON: Banks are woefully unprepared to face potential cybersecurity threats stemming from third-party technology providers, according to a report issued Wednesday by the Federal Deposit Insurance Corp.'s independent watchdog. The FDIC's Office of Inspector General found that financial institutions failed to include important cybersecurity provisions in their contracts with the third-party firms. "Typically, financial institution contracts with technology service providers did not clearly address TSP responsibilities and lacked specific contract provisions to protect FI interests or preserve FI rights," the report said.

ARE THE RIGHT PEOPLE INVOLVED? Phase V: Termination
Legal, IT, project management, business owner, accounts payable (AP)

Common Pitfalls in Third-Party Risk Management Programs

COMMON PITFALLS
1. Assuming IT can or should take on the responsibility alone
2. Performing the program only to appease examiners (checking the box)
3. Not including [*****] third parties
4. The board of directors not taking responsibility for oversight: what do they see, and when do they see it?
5. Obtaining documentation (SOC reports, financials, insurance certificates) but doing nothing more with it
6. Not anticipating exit/transition costs during contract negotiations
7. Not having the vendor management (VM) program reviewed or audited on a recurring basis

COMMON PITFALLS (CONT.)
8. Insufficient reference checks, or not actually calling the references
9. No risk ratings, or outdated ratings
10. Not reviewing the third party's promotional (advertising) materials, which represent your institution, and not contractually limiting the use of your name and logo
11. Inadequate staff training and organizational communication
12. Being out of sync with regulatory issuances and expectations
13. Not understanding the business case for having a VM program

COMMON PITFALLS (CONT.)
14. Decentralized contracts: where are they?
15. Accepting automatically renewable clauses in contracts
16. Allowing contracts to renew automatically and unintentionally because nobody tracked the non-renewal notice deadline
17. A decentralized purchase/acquisition process, so vendors are engaged before the VM program ever sees them
18. Relying on the wrong SOC report (for example, accepting a SOC 1 or a Type 1 report when the service you rely on calls for a current SOC 2 Type 2 whose scope covers that service)

BEST PRACTICES: New Vendor Form
AP will not set up a new vendor until:
- The business owner signs off
- The business owner's superior signs off
- The vendor management team signs off

BEST PRACTICES (CONT.): Vendor Monitoring / Performance Review Form (annual process)
- Dated?
- Business owner sign-off?
- Meeting service level agreements?
- Site visit performed?
- Customer complaints reviewed?

BEST PRACTICES (CONT.): Annual Summary Sheet
- Vendor manager sign-off
- Risk rating affirmed or changed
- Financial analysis complete?
- Risk trend noted
- Is annual monitoring sufficient for this vendor's risk rating?
- Implementation and testing of user considerations (the CUECs in the vendor's SOC report) complete?
- IT security involved?

BEST PRACTICES: Software
- Can we outsource vendor management? If so, who monitors the vendor that manages your vendors?
- Software vendor functionality to look for:
  - Repository of documents
  - Risk assessment / risk rating functionality
  - Tickler email alerts for contract renewals and notice deadlines
  - Financial analysis
  - The software vendor's own security, and whether it is audited (it will hold your contracts and vendor due diligence)

BEST PRACTICES (CONT.): Vendor Manager Qualifications / Experience
- People person and detail oriented
- Audit/exam administration
- Project management
- Contract administration
- Compliance
- Risk assessment
- Appreciates the value of documentation
- IT background
- Financial statement analysis

VENDOR CRITICALITY: Risk Considerations
- Possession of, or access to, member data (physical or logical)
- Direct contact with members
- Provides IT infrastructure or critical application(s)
- Loan underwriting
- Compliance services

VENDOR CRITICALITY (CONT.): Other Issues
- What's a manageable number of critical vendors versus total vendors tracked?
- How many risk rating levels?
- Can I safely ignore non-critical vendors? (No: a low-risk vendor can still have network access or hold member data; the rating should drive the depth and frequency of monitoring, not whether it happens.)

WHAT'S IN YOUR AUDIT PROGRAM? Vendor Management Program Review
- Policies and procedures
- Risk assessment / risk ranking methodology
- Sample high-risk (critical) vendors:
  - Assess the due diligence performed
  - Review contracts
  - Assess annual monitoring
  - Financial statement analysis
  - SOC report obtained and client (user entity) considerations implemented
- Sample terminated critical vendors
- Top 30 payees: are they tracked in the VM program?
- Board / supervisory committee reporting: adequacy and frequency
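The audit program above, together with pitfalls 5, 9, 14 through 16 and 18, amounts to a handful of checks that can be run mechanically against the vendor inventory and the accounts payable ledger. The following Python is an added example written for this page, not code from the presenter or from any vendor management product, and all vendor names, amounts and dates in it are constructed sample data: it reconciles the top payees against the VM inventory (normalizing names so "Acme Data Services, LLC" and "ACME DATA SERVICES" match), flags critical vendors whose risk rating is older than the annual cycle, computes the non-renewal notice deadline for auto-renewing contracts and flags those due or already missed, and flags critical vendors whose latest SOC Type 2 period ended long enough ago that a bridge letter or new report is needed. The one-year thresholds and the 90-day lookahead are assumptions to tune to your own policy.

```python
# Added example (not from the presentation): audit checks over a vendor
# inventory and an AP payee list. All names, dates and amounts are constructed.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import re

_SUFFIXES = {"inc", "llc", "corp", "corporation", "co", "ltd", "company", "the"}


def normalize_name(name: str) -> str:
    """Normalize a payee/vendor name so AP and VM spellings reconcile."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in _SUFFIXES)


@dataclass
class Vendor:
    name: str
    critical: bool                  # per the criticality considerations above
    rating_date: Optional[date]     # when the risk rating was last affirmed
    contract_end: date
    auto_renew: bool
    notice_days: int                # days before contract_end that non-renewal notice is due
    soc_period_end: Optional[date]  # end of the period covered by the latest SOC Type 2 report


def untracked_top_payees(ap_payees, vendors, top_n=30):
    """Top-N AP payees by annual spend that do not appear in the VM inventory."""
    tracked = {normalize_name(v.name) for v in vendors}
    ranked = sorted(ap_payees, key=lambda p: p[1], reverse=True)[:top_n]
    return [name for name, _ in ranked if normalize_name(name) not in tracked]


def stale_ratings(vendors, as_of, max_age_days=365):
    """Critical vendors with no risk rating, or one older than the review cycle."""
    cutoff = as_of - timedelta(days=max_age_days)
    return [v.name for v in vendors
            if v.critical and (v.rating_date is None or v.rating_date < cutoff)]


def renewal_notices_due(vendors, as_of, lookahead_days=90):
    """Auto-renewing contracts whose non-renewal notice deadline falls inside the
    lookahead window or has already passed. Returns (name, deadline, days_left),
    most urgent first; a negative days_left means the deadline was missed."""
    out = []
    for v in vendors:
        if not v.auto_renew:
            continue
        deadline = v.contract_end - timedelta(days=v.notice_days)
        days_left = (deadline - as_of).days
        if days_left <= lookahead_days:
            out.append((v.name, deadline, days_left))
    return sorted(out, key=lambda r: r[2])


def soc_coverage_gaps(vendors, as_of, max_gap_days=365):
    """Critical vendors with no SOC report on file, or whose report period ended
    so long ago that a bridge letter or a new report is required."""
    return [v.name for v in vendors
            if v.critical and (v.soc_period_end is None
                               or (as_of - v.soc_period_end).days > max_gap_days)]


# Constructed sample data: (payee name, annual spend) and the VM inventory.
AS_OF = date(2017, 4, 28)
AP_PAYEES = [("Acme Data Services, LLC", 410_000.0), ("Metro Shred Co.", 18_500.0),
             ("Northwind Core Processing Inc", 1_250_000.0), ("Blue Sky Marketing", 95_000.0)]
VENDORS = [
    Vendor("ACME DATA SERVICES", True, date(2016, 2, 1), date(2017, 8, 31), True, 90, date(2016, 3, 31)),
    Vendor("Northwind Core Processing", True, date(2017, 1, 15), date(2017, 7, 31), True, 120, date(2016, 12, 31)),
    Vendor("Metro Shred", False, None, date(2017, 8, 1), False, 0, None),
]

if __name__ == "__main__":
    print("Top payees not in VM inventory:", untracked_top_payees(AP_PAYEES, VENDORS))
    print("Critical vendors with stale ratings:", stale_ratings(VENDORS, AS_OF))
    print("Renewal notices due or missed:", renewal_notices_due(VENDORS, AS_OF))
    print("SOC coverage gaps:", soc_coverage_gaps(VENDORS, AS_OF))
```

On the sample data, Blue Sky Marketing is paid but never entered the VM program (pitfalls 3, 14 and 17), Acme's rating and SOC coverage are both out of date, and Northwind's non-renewal notice deadline passed on April 2, so that contract will renew unintentionally (pitfall 16). The name normalization is deliberately simple; in practice, reconcile on tax ID or vendor number where AP has one and fall back to names only for the remainder.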

PULLING IT ALL TOGETHER: Internal Stakeholders
Board and supervisory committee, CFO, insurance, procurement, credit analysis, accounts payable, legal, compliance, internal audit, contract administration, ERM, BCP, IT security, project management and the business owners, plus the vendor manager and the VM software that ties it together.

Ken Glascock 303-837-3598 kglascock@bkd.com