THIRD-PARTY RISK MANAGEMENT Beyond a Regulatory Requirement April 28, 2017 Ken Glascock, CPA, CAMS, CIA, CFSA, CRCM Director kglascock@bkd.com
AGENDA Let s Break It Down What Is Third-Party Risk Management? It s Just for Big Institutions, Right? Why You Need a Third-Party Risk Management Program Regulatory Requirements Are the Right People Involved? It s Not Just an IT Responsibility Common Pitfalls in Third-Party Risk Management Programs Best Practices
What Is Third-Party Risk Management? Let s Break It Down
LET S BREAK IT DOWN What Is a Third Party? More than just IT services More than just critical vendors Formal Definition How to Identify All Third Parties
LET S BREAK IT DOWN What Is Risk Management? Process of Assessing Measuring Monitoring Controlling
Why You Need a Third-Party Risk Management Program It s Just for Big Institutions, Right?
IT S JUST FOR BIG INSTITUTIONS, RIGHT? No size threshold For all institutions using third parties Applicable to all third-party arrangements
WHY YOU NEED A THIRD-PARTY RISK MANAGEMENT PROGRAM
WHY YOU NEED A THIRD-PARTY RISK MANAGEMENT PROGRAM Lack of control of process (increased risk) Regulatory requirement Evaluate whether capital is sufficient to support risk exposures think AIG in the great recession Evaluate whether third party is doing its job properly
OUTSOURCING CASE STUDY Unirush, LLC and MasterCard International
CFPB ORDERS MASTERCARD AND UNIRUSH, LLC TO PAY $13 MILLION RushCard breakdowns cut off consumers access to funds Preventable failures left tens of thousands of economically vulnerable consumers unable to pay for necessitates Many customers could not use their RushCard to get their paychecks and other direct deposits, take out cash, make purchases, pay bills or get accurate balance information
Regulatory Requirements
POTENTIAL REGULATORS NCUA OCC FDIC Federal Reserve FFIEC CFPB
NCUA SUPERVISORY LETTER NO.: 07-01, 10/2007 Evaluating Third Party Relationships Ultimately, credit unions are responsible for safeguarding member assets and ensuring sound operations irrespective of whether or not a third party is involved. Risks may be mitigated, transferred, avoided, or accepted; however, they are rarely eliminated.
NCUA SUPERVISORY LETTER (CONT.) Exposure to full range of risks: Credit Interest rate Liquidity Transaction Compliance Strategic Reputation
NCUA SUPERVISORY LETTER (CONT.) Credit unions must complete the due diligence necessary to ensure the risks undertaken in a third party relationship are acceptable in relation to their risk profile and safety and soundness requirements.
NCUA SUPERVISORY LETTER (CONT.) Risk Assessment Credit unions should complete a risk assessment prior to engaging in a third party relationship to assess what internal changes, if any, will be required to safely and soundly participate.
NCUA SUPERVISORY LETTER (CONT.) Risk Assessment consider all seven risk areas and specifically: Expectations for Outsourced Functions Staff Expertise Criticality Risk-Reward or Cost-Benefit Relationship Insurance Impact on Membership Exit Strategy
NCUA SUPERVISORY LETTER (CONT.) Due Diligence Background Check Business Model Cash Flows Financial and Operational Control Review Contract Issues and Legal Review Accounting Considerations
AUDIT REPORTS SAS70 SSAE16 SSAE18 SOC I-III Type I-II
AUDIT REPORTS (CONT.) Effective May 1, 2017: SOC Reports will now be issued under SSAE 18 (AT-C Section 320) SSAE 18 replaces SSAE 10-14, 16 & 17 SSAE 18 covers all attestation engagements Refer to reports by their individual names (i.e., SOC1, SOC2 and SOC3), and not SSAE 18
SSAE 18 - IMPACT TO SERVICE ORGANIZATIONS AND USER ENTITIES Monitoring the effectiveness of internal controls at subservice organizations Service organizations must implement sufficient controls to monitor the relevant controls at their subservice organizations Assess the risk of material misstatement and perform procedures in response to those risks, i.e., perform a risk assessment Under SSAE 18, service auditors are instructed to better identify potential areas of risk specifically in regards to material misstatement
SSAE 18 - IMPACT TO SERVICE ORGANIZATIONS AND USER ENTITIES (CONT.) Complimentary subservice organization controls and modifications to management s assertion SSAE 18 introduces an additional requirement to include complementary subservice organization controls in SOC reports Evaluating the reliability of evidence produced by the service organization SSAE 18 clarifies the requirements to ensure that evidence provided by service organizations is complete, accurate and sufficiently detailed. The management assertion must be signed by management of the company.
NCUA SUP. LETTER (CONT.) CONTRACT ISSUES Scope of arrangement, services offered and activities authorized Responsibilities of all parties Service level agreements Performance reports Penalties for lack of performance Ownership, control, maintenance and access Ownership of servicing rights Audit rights and requirements Data security and member confidentiality Business resumption or contingency planning Insurance Member complaints and member service Compliance with regulatory requirements Dispute resolution Default, termination and escape clauses
NCUA SUPERVISORY LETTER (CONT.) Since credit unions may ultimately be responsible for consumer compliance violations committed by their agents, credit unions should be familiar with the third party s internal controls for ensuring regulatory compliance and adherence to agreed upon practices.
NCUA SUPERVISORY LETTER (CONT.) Risk Measurement, Monitoring and Control of Third Party Relationships Policies and Procedures Risk Measurement and Monitoring Control Systems and Reporting
The CFPB expects supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships CFPB Bulletin 2012-03
To limit the potential for statutory or regulatory violations and related consumer harm, supervised banks and nonbanks should take steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers CFPB Bulletin 2012-03
CFPB & CREDIT UNIONS CFPB Orders Navy Federal Credit Union to Pay $28.5 Million for Improper Debt Collection Actions Credit Union Used False Threats to Collect Debts and Placed Unfair Restrictions on Account Access - OCT 11, 2016
FFIEC Outsourcing Technology Services Supervision of Technology Service Providers
OCC Comptroller s Handbooks Asset Management Other Real Estate Owned Internal and External Audits Merchant Processing Retail Nondeposit Investment Sales Etc.
A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships OCC Bulletin 2013-29, Third-Party Relationships
the OCC expects more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology) OCC Bulletin 2013-29, Third-Party Relationships
Appropriately managed third-party relationships can enhance competitiveness, provide diversification, and ultimately strengthen the safety and soundness of insured institutions. Third-party arrangements can also help institutions attain key strategic objectives FDIC s Summer 2011 Supervisory Insights
A third-party relationship should be considered significant if the institution s relationship with the third party is a new relationship or involves implementing new bank activities FDIC Financial Institution Letter 44-2008, Guidance for Managing Third-Party Risk
A community banking organization may have critical activities being outsourced, but the number may be few and to highly reputable service providers. Therefore, the risk management program may be simpler and use less elements and considerations Federal Reserve SR 13-19, Guidance on Managing Outsourcing Risk
As the service provider represents the institution by selling products or services on its behalf, the institution should consider whether the incentives provided might encourage the service provider to take imprudent risks Federal Reserve SR 13-19, Guidance on Managing Outsourcing Risk
It s Not Just an IT Responsibility Are the Right People Involved?
ARE THE RIGHT PEOPLE INVOLVED? Must know aspects of proper third-party risk management program to know who should be involved
ARE THE RIGHT PEOPLE INVOLVED? Five Phase Approach 1. Planning & risk assessment 2. Due diligence & third-party selection 3. Contracts 4. Ongoing monitoring 5. Termination
ARE THE RIGHT PEOPLE INVOLVED? Phase I - Planning & Risk Assessment (board of directors, management, line personnel) Is it a need or a want? Will it help accomplish strategy? Opportunity cost?
ARE THE RIGHT PEOPLE INVOLVED? Phase II - Due Diligence & Third-Party Selection Persons involved should be those who can properly evaluate Whether vendor will perform task(s) assigned (direct users) Cost/benefit (CFO, executive management, board)
ARE THE RIGHT PEOPLE INVOLVED? Phase III Contracts Legal CEO CFO
ARE THE RIGHT PEOPLE INVOLVED? Phase IV - Ongoing Monitoring Performance (direct users & IT) Financial stability (CFO, credit analysts) Business continuity (IT) Cybersecurity (IT)
BANKS FAIL TO ENFORCE CYBERSECURITY STANDARDS ON THIRD-PARTY PROVIDERS: FDIC WATCHDOG WASHINGTON Banks are woefully unprepared to face potential cybersecurity threats stemming from third-party technology providers, according to a report issued Wednesday by the Federal Deposit Insurance Corp. s independent watchdog. The FDIC's Office of Inspector General found that financial institutions failed to include important cybersecurity provisions in their contracts with the thirdparty firms. Typically, financial institution contracts with technology service providers did not clearly address TSP responsibilities and lacked specific contract provisions to protect FI interests or preserve FI rights, the report said.
ARE THE RIGHT PEOPLE INVOLVED? Phase V - Termination Legal IT Project management Business owner AP
Common Pitfalls in Third-Party Risk Management Programs
COMMON PITFALLS 1. Assuming IT can/should take on the responsibility alone 2. Performing only to appease examiners (checking the box) 3. Not including [*****] third parties 4. Board of directors not taking responsibility for oversight What do they see and when do they see it? 5. Obtaining documentation but doing nothing more 6. Not anticipating exit/transition costs in contract negotiations 7. Not having the VM Program reviewed/audited on a recurring basis
COMMON PITFALLS (CONT.) 8. Insufficient reference checks &/or not calling references 9. No risk ratings and/or outdated ratings 10. Not reviewing third party promotional (advertising) materials, as it represents your institution and/or contractually limiting use of your name / logo 11. Inadequate staff training & organizational communication 12. Out of synch with regulatory issuances and expectations 13. Not understanding business case for having a VM program
COMMON PITFALLS (CONT.) 14. Decentralization of contracts where are they? 15. Accepting automatically renewable clauses in contracts 16. Allowing contracts to renew automatically and unintentionally 17. Decentralized purchase / acquisition process 18. Relying on the wrong SOC report
BEST PRACTICES New Vendor Form AP will not set-up a new vendor until: Business Owner signs off Business Owner s superior signs off Vendor Management team signs off
BEST PRACTICES (CONT.) Vendor Monitoring / Performance Review Form Annual Process Dated? Business Owner Signoff? Meeting Service Level Agreements? Site Visit? Customer Complaints Reviewed?
BEST PRACTICES (CONT.) ANNUAL SUMMARY SHEET Vendor Manager Signoff Risk Rating Affirmed / Changed Financial Analysis Complete? Risk Trend Noted Annual monitoring sufficient? Implementation / Testing of User Considerations Complete IT Security Involved?
BEST PRACTICES SOFTWARE Software / Vendors Can We Outsource Vendor Management? Can the vendor manager-manager monitor itself? Software Vendor / Functionality Repository of documents Risk Assessment / Risk Rating Functionality Tickler Email Alerts / Contract Renewals Financial Analysis Security / Audited
BEST PRACTICES (CONT.) Vendor Manager Qualifications / Experience People person + detail oriented Audit / exam administration Project management Contract administration Compliance Risk assessment Appreciates the value of documentation IT background Financial statement analysis
VENDOR CRITICALITY Risk Considerations Possession of or access to member data (physical or logical) Direct contact with members IT infrastructure / provides critical application(s) Loan underwriting Compliance services
VENDOR CRITICALITY (CONT.) Other Issues What s a manageable number? Critical Total vendors tracked How many risk ratings? Can I safely ignore non-critical vendors?
WHAT S IN YOUR AUDIT PROGRAM? Vendor Management Program Review Policies & Procedures Risk Assessment / Risk Ranking Methodology Sample High Risk (Critical Vendors) Assess due diligence performed Review contracts Assess annual monitoring Financial statement analysis SOC report / Client Considerations implemented Sample Terminated Critical Vendors Top 30 payees? Are they tracked in the VM Program? Board / Supervisory Reporting Adequacy and Frequency
PULLING IT ALL TOGETHER INTERNAL STAKEHOLDERS Board & Supervisory Committee CFO Insurance Procurement Credit Analysis Accounts Payable Legal Compliance Internal Audit Contract Administration ERM + Vendor Manager + Software BCP IT Security Project Management Business Owners
Ken Glascock 303-837-3598 kglascock@bkd.com