Vendor Management Compliance Top 10 Things Regulators Expect
|
|
- Kristopher Carpenter
- 8 years ago
- Views:
Transcription
1 Vendor Management Compliance Top 10 Things Regulators Expect Paul M. Phillips, CFA Attorney, Adams and Reese Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay 2014 EastPay. All Rights Reserved
2 Disclaimer This presentation and applicable materials are intended for general education purposes and nothing in this presentation should be considered to be legal, accounting or tax advice. You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature. Image source: Thinkstock 2014 EastPay. All Rights Reserved
3 Agenda Key Components of FFIEC IT Examination Handbook on Outsourcing Technology Services Regulator Expectations Common Gaps in Vendor Management Programs 3
4 OCC Bulletin First, the Third-Party Guidance s title itself (replacing the word Principles with Guidance ), closely aligns with the phrase compliance with all applicable Legal Requirements and OCC supervisory guidance - language frequently used in Cease and Desist Orders. Second, the final section of the Third-Party Guidance, entitled Supervisory Reviews of Third-Party Relationships plainly states: A bank s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of thirdparty relationships, and organizational structure of the bank may be an unsafe and unsound banking practice. Third, the Third Party Guidance makes it clear that the OCC has the power to examine third party-vendors, and to charge the financial institution with a special examination or investigation fee for the OCC s examination of a third party for the bank. And finally, for community banks, the Third-Party Guidance makes it clear that regulatory expectations have increased. While OCC Bulletin stated: community banks may be able to adopt this guidance in a less formal and systematic manner, that is not the case with EastPay. All Rights Reserved
5 FFIEC IT EXAMINATION HANDBOOK ON OUTSOURCING TECHNOLOGY SERVICES 5
6 FFIEC IT Examination Handbook on Outsourcing Technology Services Examples of IT operations frequently outsourced: Origination Processing Settlement of Payments and Financial Transactions Information Processing Related to Customer Account Creation and Maintenance Information and Transaction Processing Activities that Support Critical Banking Functions Loan Processing Deposit Processing 6
7 FFIEC IT Examination Handbook on Outsourcing Technology Services Decision to outsource should fit into overall strategic plan and corporate objectives Degree of oversight and review of outsourced activities will depend on criticality of service Outsourced relationships are subject to same risk management, security, privacy, and other policies that would be expected if FI were conducting activities in-house 7
8 Board and Management Responsibilities Oversee outsourced relationships Identify, measure, monitor, and control the risks associated with outsourcing Establish servicing requirements and strategies Select a provider Negotiate the contract Monitoring, changing, and discontinuing outsourced relationships 8
9 Key Factors of Effective Risk Management Senior Management and Board Awareness of risks associated with outsourcing agreements Ensure outsourcing arrangement is prudent from a risk perspective and consistent with business objectives Systematically assessing needs while establishing risk-based requirements 9
10 Key Factors of Effective Risk Management Implementing effective controls to address identified risks Performing ongoing monitoring to identify and evaluate changes in risk from initial assessment Documenting procedures, roles/responsibilities, and reporting mechanisms 10
11 Risk Management Process Incorporates Risk Assessment and requirements definition Due diligence in selecting a service provider Contract negotiation and implementation Ongoing Monitoring 11
12 Risk Assessment and Requirements Assess the risk from outsourcing Involve stakeholders in creating risk-based written requirements to control an outsourcing action Use written requirements to guide and manage the remainder of the outsourcing process 12
13 FFIEC IT Examination Handbook on Outsourcing Technology Services Consider the following factors in evaluating the quantity of risk at inception of outsourcing: Sensitivity of data accessed, protected, or controlled by the service provider Volume of transactions Criticality of FI s business 13
14 Risks Pertaining to the Service Provider Strength of financial condition Turnover of management and employees Ability to maintain business continuity Ability to provider accurate, relevant, and timely Management Information Systems Experience with the function outsourced Reliance on subcontractors Redundancy and reliability of communication lines 14
15 Sound Business Practices for Development of Requirements Stakeholder involvement Integration Documentation 15
16 Ongoing Monitoring Key Service Level Agreements (SLAs) and contract provisions Financial condition of service provider General control environment of service provider through receipt and review of audit reports Potential changes due to external environment 16
17 Financial Condition of Service Provider On-going monitoring Financial viability on an annual basis, review financial statements Report results to Board of Directors Information provided by public media (trade magazines, newspapers, television, etc.) 17
18 General Control Environment of Service Provider Conduct regular, comprehensive audit of service provider relationship Review internal and external audit reports Auditor s level of training and experience Service Providers external auditors training Internal IT audit techniques of service provider 18
19 TOP 10 REGULATOR EXPECTATIONS 19
20 1. Due Diligence Prior to Vendor Selection Review of all available information about a potential third party, focusing on the entity's financial condition, its specific relevant experience, its knowledge of applicable laws and regulations, its reputation, and the scope and effectiveness of its operations and controls 20
21 1. Due Diligence Prior to Vendor Selection(cont d) Evaluation of a third party may include the following items: Audited financial statements, annual reports, SEC filings, and other available financial indicators Significance of the proposed contract on the third party's financial condition Experience and ability in implementing and monitoring proposed activity Business reputation 21
22 1. Due Diligence Prior to Vendor Selection (cont d) Qualifications and experience of the company's principals Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies Existence of any significant complaints or litigation, or regulatory actions against the company Ability to perform the proposed functions using current systems or the need to make additional investment 22
23 1. Due Diligence Prior to Vendor Selection (cont d) Use of other parties or subcontractors by the third party Scope of internal controls, systems and data security, privacy protections, and audit coverage Business resumption strategy and contingency plans Knowledge of relevant consumer protection and civil rights laws and regulations Adequacy of management information systems Insurance coverage 23
24 2. Vendor Selection Audit Requirements Identify regulation requirements of FI Resources and Technology Support System Policies, procedures, and service organization control reports Disaster recovery plan Reputation 24
25 3. Contract Negotiation Audit rights, self assessments, monthly compliance reviews, obtain vendor s annual SOC report on its control compliance Service level agreements and financial penalties 25
26 4. Contract Scope Timeframe covered by the contract Frequency, format, and specifications of the service or product to be provided Other services to be provided by the third party, such as software support and maintenance, training of employees, and customer service 26
27 4. Contract Scope (cont d) Requirement that the third party comply with all applicable laws, regulations, and regulatory guidance Authorization for the institution and the appropriate federal and state regulatory agency to have access to records of the third party as are necessary or appropriate to evaluate compliance with laws, rules, and regulations 27
28 4. Contract Scope (cont d) Identification of which party will be responsible for delivering any required customer disclosures Insurance coverage to be maintained by the third party Terms relating to any use of bank premises, equipment, or employees 28
29 4. Contract Scope (cont d) Permissibility/prohibition of the third party to subcontract or use another party to meet its obligations with respect to the contract, and any notice/approval requirements Authorization for the institution to monitor and periodically review the third party for compliance with its agreement Indemnification 29
30 5. Implementation Access management Review system access reports at least monthly to ensure users of outsourced service are authorized Transaction monitoring Change management FI should approve any changes made by vendor System backup 30
31 6. Monitoring Audits Service Organization Control (SOC) Reports Vendor s compliance with their own policies IT Controls Statement on Standards for Attestation Engagements No. 16 (SSAE 16), formerly known as Statement on Auditing Standards No. 70 (SAS 70) 31
32 7. Ensure Proposed Relationship is consistent with FI s Strategic Plan and Overall Strategy Step one in Risk Assessment Process Management should analyze benefits, costs, legal aspects, and potential risks associated with Third-Party Expanded analysis should be conducted if product or service is new for FI FI personnel conducting analysis should have appropriate knowledge and skills to conduct 32
33 8. Ensure vendor management program risk-ranks vendors based on: Access to other confidential (i.e. proprietary) information? Criticality of the product/service they provide? Complexity of the product/service? 33
34 9. Adherence to Service Level Agreements and Contract Provisions Formal Policy that defines SLA program SLA monitoring process Recourse process for non-performance Escalation process Dispute resolution process Termination process 34
35 10. File Bank Service Company Act when Required Section 7 of Bank Service Company Act (12 U.S.C. 1867) requires insured financial institutions to notify their appropriate federal banking agency in writing of contracts or relationships with third parties that provide certain services to the institution 35
36 10. File Bank Service Company Act when Required (cont d) Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party "shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first." 36
37 10. File Bank Service Company Act when Required (cont d) As defined in Section 3 of the Act, these services include "check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution." 37
38 COMMON GAPS IN VENDOR MANAGEMENT PROGRAM 38
39 Common Gaps in Vendor Management Program Lack of Board Approved Policy Limited Board of Directors involvement Lack of Risk Rating Vendors Inadequate Monitoring of SLAs SLAs have not been defined Limited ongoing monitoring Business continuity 39
40 Useful Vendor Management Forms Vendor Risk Assessment & Rating Matrix New Vendor Due Diligence Report Exit Strategy Questionnaire Early Contract Termination Questionnaire Vendor Monitor Report Reference Check Form 40
41 Useful Vendor Management Forms Financial Review Report SAS-70/SSAE-16 Review Report Information Security Review Report Contract and Legal Review Checklist Ongoing Due Diligence: Annual/High Risk 41
42 Useful Vendor Management Publications CFPB Bulletin any person who provides a material service CFPB Bulletin credit card add-on products FIL Revised guidance for payment processor relationships revising FIL FDIC Guidance for Managing Third-Party Risk (FIL ) OCC Risk Management Principles FFIEC Vendor and Third-Party Management FFIEC Handbook on Retail Payment Systems FFIEC Handbook on Outsourcing Technology Services FFIEC Bank Secrecy Act/Anti-Money Laundering (BSA/AML) 42
43 Steps to Follow Follow these steps to establish a safe and sound vendor management program. Step 1 - Ensure that proper internal risk analysis is performed, proper approval is obtained. Strategic Plan Step 2 - Perform due diligence prior to contracting with a vendor. Step 3 - Ensure contracts are appropriate. Step 4 - Monitor performance of the vendor and vendor s compliance with contractual and regulatory requirements. Perform ongoing due-diligence and appropriate intervals. 43
44 Vendor Management Remember Technology related vendors may not be familiar with regulations applicable to financial institutions Business resumption plans Are they adequate? Retain due diligence documentation in anticipation of examinations 44
45 Contracting with Vendors Remember Any material or significant contract with a third party should prohibit assignment, transfer or subcontracting by the third party of its obligations to another entity, unless and until the financial institution determines that such assignment, transfer, or subcontract would be consistent with the due diligence standards for selection of third parties. All contracts should state that the vendor is subject to regulatory review and allow for the financial institution to monitor the vendor. Periodic reviews and audits Expectations and performance standards help to determine if the vendor is adequately performing services. Termination of contract Who is responsible for what? Appropriate legal counsel should review higher risk contracts prior to execution. 45
46 Questions? 46
47 Paul M. Phillips, CFA Associate, Adams and Reese LLP 101 East Kennedy Boulevard Suite 4000 Tampa, FL Tel: (813) The contents of this presentation are intended for general information purposes only. Application of the information reported herein to particular facts or circumstances should be analyzed by legal counsel. Adams and Reese LLP is a registered limited liability partnership. Neither the firm nor the presenter assume liability for the use or interpretation of information contained herein.
48 Presentation Content THIS PRESENTATION IS DESIGNED TO PROVIDE ACCURATE AND AUTHORITATIVE INFORMATION REGARDING ITS SUBJECT MATTER. IT IS PRESENTED WITH THE UNDERSTANDING THAT THE PRESENTER IS NOT RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF LEGAL ADVICE OR OTHER EXPERT ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. 48
49 Contact The Presenter Pam Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education , ext 305
50 Follow Us on 50
Vendor Management Compliance Top 10 Things Regulators Expect
Vendor Management Compliance Top 10 Things Regulators Expect Peter Davey, AAP VP & Director, Enterprise Payments, CapitalOne Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay
More informationGet in the Groove with the Regulatory Jazz: Cyber Security and Vendor Management Examinations from the Regulators and Auditors Perspective
Get in the Groove with the Regulatory Jazz: Cyber Security and Vendor Management Examinations from the Regulators and Auditors Perspective Rory Guenther, CISA Senior Examiner, Operational Risk Specialist,
More informationAny business relationship between a bank and another entity, by contract or otherwise
An Overview for Bank Directors Managing the Third Party Relationship Patrick Neuman Boardman & Clark LLP Madison, Wisconsin Any business relationship between a bank and another entity, by contract or otherwise
More information9/13/2013. 20/20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99
20/20 Vision for Vendor Management & Oversight 2013 WBA Technology Conference September 17, 2013 Ken M. Shaurette, CISSP, CISA, CISM, CRISC, IAM Director IT Services Disclaimer The views set forth are
More informationGUIDANCE FOR MANAGING THIRD-PARTY RISK
GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,
More informationVendor Risk Management in the New Regulatory Environment. kpmg.com
Vendor Risk Management in the New Regulatory Environment kpmg.com Vendor Risk Management in the New Regulatory Environment 2 Vendor Risk Management in the New Regulatory Environment Background Regulators
More informationOutsourcing Technology Services OT
Federal Financial Institutions Examination Council FFIEC Outsourcing Technology Services OT JUNE 2004 IT EXAMINATION H ANDBOOK TABLE OF CONTENTS INTRODUCTION... 1 BOARD AND MANAGEMENT RESPONSIBILITIES...
More informationRisk Management of Outsourced Technology Services. November 28, 2000
Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the
More informationTo: Our Clients and Friends March 25, 2014
Financial Services Group To: Our Clients and Friends March 25, 2014 A Significant Change Is Occurring Regarding Regulatory Oversight of Banks and Their Third Party Relationships. Both Banks and their Vendors
More informationVendor Management. Outsourcing Technology Services
Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring
More informationOutsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP
Outsourced Third Party Relationship Management/ Vendor Management TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP 1 Risk Management Guidance 2 3 Appendix J: 4 - Key Elements Third Party Management
More informationCredit Union Liability with Third-Party Processors
World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with
More information<[Z[hWb <_dwdy_wb?dij_jkj_edi ;nwc_dwj_ed 9ekdY_b
FFIEC Table of Contents Introduction 1 Board and Management Responsibilities 2 Risk Management 3 Risk Assessment and Requirements 4 Quantity of Risk Considerations 5 Requirements Definition 6 Service Provider
More information<[Z[hWb <_dwdy_wb?dij_jkj_edi ;nwc_dwj_ed 9ekdY_b
FFIEC TABLE OF CONTENTS INTRODUCTION 1 BOARD AND MANAGEMENT RESPONSIBILITIES 2 RISK MANAGEMENT 3 Risk Assessment and Requirements 4 Quantity of Risk Considerations 4 Requirements Definition 5 Service Provider
More informationTO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel
AL 2000 12 O OCC ADVISORY LETTER Comptroller of the Currency Administrator of National Banks Subject: Risk Management of Outsourcing Technology Services TO: Chief Executive Officers of National Banks,
More informationVENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
More information30-SECOND SUMMARY The Federal Reserve and the Office of the Comptroller of the Currency (OCC)
30-SECOND SUMMARY The Federal Reserve and the Office of the Comptroller of the Currency (OCC) have issued extensive new guidance to financial institutions about the use of third parties to perform functions
More informationFinTech Webinar Series: Vendor Management Principles
FinTech Webinar Series: Vendor Management Principles Evolving Best Practices of Bank Service Providers February 14, 2013 Speakers Russell Bruemmer Partner Eric Mogilnicki Partner Jeffrey Hydrick Special
More informationVendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.
Vendor Management: An Enterprise-wide Focus Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Why Focus on Vendor Management Increased financial regulatory scrutiny GLBA and Identity Theft Red
More informationCFPB Readiness Series: Compliant Vendor Management Overview
CFPB Readiness Series: Compliant Vendor Management Overview Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the
More informationNavigating Vendor Management Issues in Today s Regulatory Environment
Navigating Vendor Management Issues in Today s Regulatory Environment May 6, 2015 Elizabeth E. McGinn, Partner Moorari K. Shah, Counsel 1 Disclaimer The information contained herein is for informational
More informationThird-Party Risk Management: Busting Myths and Telling Truths
Third-Party Risk Management: Busting Myths and Telling Truths Richik Sarkar, Esq. McDonald Hopkins LLC 600 Superior Avenue, East, Suite 2100 Cleveland, OH 44114 (216) 430-2009 rsarkar@mcdonaldhopkins.com
More informationVII 4.1. VII. Unfair and Deceptive Practices Third Party Risk. Third Party Risk. Introduction. Background
Third Party Risk Introduction The board of directors and senior management of an insured depository institution (institution) are ultimately responsible for managing activities conducted through third-party
More informationVENDORINSIGHTU P D A T E
VENDORINSIGHTU P D A T E November 12, 2013 COMPLIANCE VendorINSIGHT is the industry-leading solution for financial institutions offering the most features and capabilities for vendor risk monitoring. Ask
More informationOutsourcing Technology Services A Management Decision
Outsourcing Technology Services A Management Decision A Telephone Seminar for National Banks Tuesday, July 20, 2004 And again on Wednesday, July 21, 2004 Agenda Outsourcing activities and relationships
More informationPutting the Management Back in Vendor Management February 20, 2014
Putting the Management Back in Vendor Management February 20, 2014 Moderator: Brian O Reilly The Collingwood Group, LLC Panelists: Calvin Hagins, CFPB Ken Markison, MBA Jonathan McKernan, Wilmer Hale Dan
More informationVendor Management Best Practices
23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion
More informationAIM for Success and Effectively Manage High Risk Originators
AIM for Success and Effectively Manage High Risk Originators Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay Brent Siegel Vice President, Argos Risk Disclaimer This presentation
More informationOCC BULLETIN OCC 2001-47
OCC BULLETIN Comptroller of the Currency Administrator of National Banks Subject: Third-Party Relationships Description: Risk Management Principles TO: Chief Executive Officers of National Banks, Federal
More informationVII 5.1. VII. Abusive Practices Third Party Procedures. Third Party Risk. Introduction. Background
Third Party Risk Introduction The board of directors and senior management of an insured depository institution (institution) are ultimately responsible for managing activities conducted through third-party
More informationPreparing for the Outsourcing Challenge: Legal Due Diligence to Ensure a Winning Service Provider Relationship
THE 4 TH NATIONAL CONFERENCE ON OUTSOURCING IN FINANCIAL SERVICES NEGOTIATING, MANAGING & TERMINATING OUTSOURCING RELATIONSHIPS WHILE ENSURING REGULATORY COMPLIANCE Renaissance Mayflower, Washington, DC
More informationOUTSOURCING DUE DILIGENCE FORM
OUTSOURCING DUE DILIGENCE FORM SERVICE TO BE OUTSOURCED 1. Type of service to be outsourced: Accounting/Finance: Compliance Consulting: Legal Services: Administrative Functions: Information Technology:
More informationVendor Compliance Management Series: Performing an Effective Risk Assessment
Vendor Compliance Management Series: Performing an Effective Risk Assessment Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must
More informationGuidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004
Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes
More informationAre your business partners watching your back when you are watching your front?
Are your business partners watching your back when you are watching your front? Danny Shaw SE Practice Leader IT Risk Advisory Services Experis Thursday, October 4, 2012 1 Objectives: Organizations frequently
More informationCOMPLIANCE MANAGEMENT SYSTEM
COMPLIANCE MANAGEMENT SYSTEM Ensuring Your Bank Meets Regulatory Standards Overview of Compliance Exams Examination Purpose: Assess the quality of an institution s compliance management system (CMS) for
More informationWhite Paper on Financial Institution Vendor Management
White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety
More informationThird Party Relationships
3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 A B D INTRODUCTION AND PURPOSE Background Yes/No Comments 1. Does the credit union maintain a list of the third party
More informationT31: Before, During and After Outsourcing David Fong, BlackRock
T31: Before, During and After Outsourcing David Fong, BlackRock Before, During and After Outsourcing David Fong, CISA, CPA Objective o Explore reasons why some organizations choose to outsource o Understanding
More informationIdentifying Key Risk Indicator
PUERTO RICO PAYMENTS SYMPOSIUM Identifying Key Risk Indicator EPOCPR Services Agenda for Today Background History Regulators & Risk Management Let s have fun Regulators & Risk Assessment ACH Risks Categories
More informationFINANCIAL SERVICES FLASH REPORT
FINANCIAL SERVICES FLASH REPORT OCC Updates Guidance on Third-Party Relationships December 2, 2013 Introduction On November 4, 2013, the Office of the Comptroller of the Currency (OCC) released Bulletin
More informationOutsourcing has become a critical component of financial institutions management
Skadden Skadden, Arps, Slate, Meagher & Flom LLP & Affiliates If you have any questions regarding the matters discussed in this memorandum, please contact the following attorneys or call your regular Skadden
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
More informationBoard of Directors and Senior Management 2. Audit Management 4. Internal IT Audit Staff 5. Operating Management 5. External Auditors 5.
Table of Contents Introduction 1 IT Audit Roles and Responsibilities 2 Board of Directors and Senior Management 2 Audit Management 4 Internal IT Audit Staff 5 Operating Management 5 External Auditors 5
More informationCompliance Management Systems A Blueprint for Success
Compliance Management Systems A Blueprint for Success Date or subtitle May 13, 2015 1 Tim Tedrick, CRCM, CRP Partner 815.626.1277 ttedrick@wipfli.com 2 Page 1 Regulatory FDIC https://www.fdic.gov/regulations/compliance/manual/p
More informationInstructions for Completing the Information Technology Officer s Questionnaire
Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine
More informationFEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-07 OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS. Purpose
FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-07 OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS Purpose This advisory bulletin communicates the Federal Housing Finance Agency s (FHFA)
More informationVendor Management Best Practices
Vendor Management Best Practices Presented by: Raji Sathappan, MBA, CRCM, CISA, CAMS FMS East Coast Regional Conference September 2015 Certified Public Accountants Consultants Wealth Management Technology
More informationPayment Processor Relationships Revised Guidance
Federal Deposit Insurance Corporation 550 17th Street NW, Washington, D.C. 20429-9990 Payment Processor Relationships Revised Guidance Financial Institution Letter FIL-3-2012 January 31, 2012 Summary:
More informationOCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
More informationMorgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers
Morgan Stanley Policy for the Management of Third Party Residential Mortgage Servicing Providers Title Policy for the Management of Third Party Residential Mortgage Servicing Providers Effective Date Owner
More information3 rd Party Vendor Risk Management
3 rd Party Vendor Risk Management Session 402 Tuesday, June 9, 2015 (11 to 12pm) Session Objectives The need for enhanced reporting on vendor risk management Current outsourcing environment Key risks faced
More informationFEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C.
FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C. In the Matter of THE BANCORP BANK WILMINGTON, DELAWARE (INSURED STATE NONMEMBER BANK) CONSENT ORDER AND ORDER TO PAY CIVIL MONEY PENALTY FDIC-11-698b
More informationIdentifying and Managing Third Party Data Security Risk
Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion:
More informationGUIDANCE ON PAYMENT PROCESSOR RELATIONSHIPS (Revised July 2014)
Federal Deposit Insurance Corporation 550 17th Street NW, Washington, D.C. 20429-9990 Financial Institution Letter FIL-127-2008 November 7, 2008 GUIDANCE ON PAYMENT PROCESSOR RELATIONSHIPS (Revised July
More informationManaging Outsourcing Arrangements
Guidance Note GGN 221.1 Managing Outsourcing Arrangements 1. This Guidance Note provides further detail on the requirements for managing material outsourcing arrangements (refer Prudential Standard GPS
More informationSHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS
SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS An overview of how the Shared Assessments Program SIG 2014
More informationFEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C.
FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C. ) ) In the Matter of ) CONSENT ORDER, ) ORDER FOR ACHIEVE FINANCIAL SERVICES, LLC, as an ) RESTITUTION, AND institution-affiliated party of ) ORDER
More informationStatement of Guidance: Outsourcing All Regulated Entities
Statement of Guidance: Outsourcing All Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1. 1.2. 1.3. 1.4. This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on
More informationAre You Ready for the New Foreclosure Processing Regulations?
Are You Ready for the New Foreclosure Processing Regulations? New regulator guidance provides banks servicing residential mortgages with expectations in effectively assessing foreclosure processing. The
More informationInformation Technology
Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationCloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World
Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World July 30, 2015 Sutherland Webinar Michael Steinig 202.383.0804 Michael.Steinig@sutherland.com
More informationGuideline. Outsourcing of Business Activities, Functions and Processes. Category: Sound Business and Financial Practices
Guideline Subject: Category: Sound Business and Financial Practices No: B-10 Date: May 2001 Revised: December 2003 Revised: 1 1. Introduction Financial institutions outsource business activities, functions
More informationGoldman Sachs Residential Mortgage Servicing Vendor Management Policy Addendum U.S.-Based Program
Goldman Sachs Residential Mortgage Servicing Vendor Management Policy Addendum U.S.-Based Program Effective Date: January 27, 2014 Vendor Management Policy Addendum TABLE OF CONTENTS 1. INTRODUCTION...
More informationProposed Principles to be addressed in APES GN 20 Outsourced Accounting Services
Proposed Principles to be addressed in APES GN 20 Outsourced Accounting Services Roles and Responsibilities The proposed Guidance Note 20 Outsourced Accounting Services (GN 20) will set out the various
More informationVendor Management: Your Questions Answered
Vendor Management: Your Questions Answered June 16, 2015 Elizabeth E. McGinn Partner Moorari K. Shah Counsel 1 Disclaimer The information contained herein is for informational purposes only; does not constitute
More informationRetirement Plan Products and Services
Comptroller s Handbook AM-RPPS Asset Management (AM) Retirement Plan Products and Services February 2014 Office of the Comptroller of the Currency Washington, DC 20219 Contents Introduction...1 Types of
More informationRisk Management of Remote Deposit Capture
Federal Financial Institutions Examination Council 3501 FAIRFAX DRIVE ROOM 3086 ARLINGTON, VA 22226-3550 (703) 516-5487 http://www.ffiec.gov Background and Purpose Risk Management of Remote Deposit Capture
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES
More informationGoing All In on Board Reporting
Going All In on Board Reporting February 13, 2014 10:15 A.M to 11:15 A.M. Tony DaSilva, AAP, CISA Senior Examiner, Federal Reserve Bank of Atlanta Rajiv Donde President, Laru Technologies Peter Davey,
More informationwww.pwc.com Third Party Risk Management 12 April 2012
www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.
More informationII. Compliance Examinations - Compliance Management System. Compliance Management System. Introduction. Board of Directors and Management Oversight
Compliance Management System Introduction Financial institutions operate in a dynamic environment influenced by industry consolidation, convergence of financial services, emerging technology, and market
More informationTB 82a Handbooks: Thrift Activities Section: 310 Subject: Oversight by the Board of Directors
Office of Thrift Supervision September 1, 2004 Department of the Treasury Thrift Bulletin TB 82a Handbooks: Thrift Activities Section: 310 Subject: Oversight by the Board of Directors Third Party Arrangements
More informationBlind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.
Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. For anyone familiar with the banking industry, it comes as no surprise that banks are
More informationVendor Risk Management (Banks and Financial Institutions)
Vendor Risk Management (Banks and Financial Institutions) Speaker: Jay Ranade/Ram Engira CIA, CRMA, CRISC, CBCP,CISA,CISSP,CISM,ISSAP,CGEIT Director of Education Risk Management Professionals Intl. New
More informationFDIC Updates Guidance on Payment Processor Relationships
February 2012 FDIC Updates Guidance on Payment Processor Relationships BY KEVIN L. PETRASIC In its recently issued Financial Institution Letter, FIL-3-2012, the Federal Deposit Insurance Corporation (
More informationRescinded OCC Documents
Rescinded OCC Documents OCC 2012-23 Attachment Advisory Letters AL 1995-03 AL 1995-04 OCC Guidance Title Bank Secrecy Act Implications of Payable Through Accounts Bank Merger Competitive Analysis Review
More information-17 2015 OUTSOURCING POLICY
Outsourcing Policy TABLE OF CONTENTS EXECUTIVE SUMMARY... 3 Aim & Introduction... 3 POLICY PARAMETERS... 4 Key Terms... 4 Outsourcing Agreement Requirements... 5 MATERIAL OUTSOURCING AGREEMENTS... 6 Board
More informationHealthcare Payment Processing: Managing Data Security and Privacy Risks
Moderator: Linda A. Malek Chair, Healthcare Moses & Singer LLP Healthcare Payment Processing: Managing Data Security and Privacy Risks Thursday, September 13, 2012 Panelists: Beth L. Rubin Senior Counsel
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationSUPERVISORY AND REGULATORY GUIDELINES: PU48-0809 GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS
SUPERVISORY AND REGULATORY GUIDELINES: PU48-0809 ISSUED: 4 th May 2004 REVISED: 27 th August 2009 GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS I. INTRODUCTION The Central Bank
More informationManaging General Agents (MGAs) Guideline
Managing General Agents (MGAs) Guideline JUNE 2013 DRAFT FOR COMMENT BC AUTHORIZED LIFE INSURERS www.fic.gov.bc.ca PURPOSE This draft guideline outlines best practices that the Financial Institutions Commission
More information¼ããÀ ããè¾ã ¹ãÆãä ã¼ãîãä ã ããõà ãäìããä ã½ã¾ã ºããñ Ã
CIRCULAR CIR/MIRSD/24/2011 December 15, 2011 All intermediaries registered with SEBI Merchant Bankers/Registrars to An issue and Share Transfer Agents/Debenture Trustees/Bankers to An Issue/Underwriters/Credit
More informationGUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS
SUPERVISORY AND REGULATORY GUIDELINES Guidelines Issued: 22 December 2015 GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS 1. INTRODUCTION 1.1 The Central Bank of The Bahamas ( the Central
More informationFederal Regulatory Agencies Administrative Guidelines. Implementation of Interagency Programs for the Supervision of Technology Service Providers
Federal Regulatory Agencies Administrative Guidelines Implementation of Interagency Programs for the Supervision of Technology Service Providers OCTOBER 2012 for the Supervision of Technology Service Providers
More informationSUPERVISION GUIDELINE
G u i d e l i n e s o n O u t s o u r c i n g P a g e 1 SUPERVISION GUIDELINE G10: GUIDELINES ON OUTSOURCING Issued To All Licensed Financial Institutions G u i d e l i n e s o n O u t s o u r c i n g
More informationBank Vendor Management An Aspirin to Prevent a Headache or Just a Headache?
April 2014 Bank Vendor Management An Aspirin to Prevent a Headache or Just a Headache? BY LAWRENCE D. KAPLAN & KEVIN L. PETRASIC A flurry of recent regulatory guidance, pronouncements and enforcement actions
More informationM-Aud. Comptroller of the Currency Administrator of National Banks. Internal and External Audits. Comptroller s Handbook. April 2003.
M-Aud Comptroller of the Currency Administrator of National Banks Internal and External Audits Comptroller s Handbook April 2003 M Management Internal and External Audits Table of Contents Introduction...1
More informationCommunity Banking. Regulators raise the bar on outsourcing relationships. A D V I S O R Fall 2014
Community Banking A D V I S O R Fall 2014 SWOT analysis is solid armor for lenders Uncover risks among your business loan customers 5 tips for a successful succession plan Bank Wire Regulators raise the
More informationFEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C. ) CONSENT ORDER. ) FDIC-13-0450b
FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C. In the Matter of THE BANK OF PRINCETON PRINCETON, NEW JERSEY (INSURED STATE NONMEMBER BANK) ) ) ) ) CONSENT ORDER ) ) ) FDIC-13-0450b ) The Federal
More informationFinancial Services Guidance Note Outsourcing
Financial Services Guidance Note Issued: April 2005 Revised: August 2007 Table of Contents 1. Introduction... 3 1.1 Background... 3 1.2 Definitions... 3 2. Guiding Principles... 5 3. Key Risks of... 14
More informationAsset Management. Comptroller s Handbook. Comptroller of the Currency Administrator of National Banks
AM- Comptroller of the Currency Administrator of National Banks Comptroller s Handbook 20 AM Asset Management Asset Management UOperations and Controls Table of Contents Asset Management Operations and
More informationStatement of the Office of the Comptroller of the Currency. Provided to the Subcommittee on Financial Institutions and Consumer Protection
Statement of the Office of the Comptroller of the Currency Provided to the Subcommittee on Financial Institutions and Consumer Protection Senate Committee on Banking, Housing, and Urban Affairs Shining
More informationGUIDELINES ON OUTSOURCING
Monetary Authority of Singapore GUIDELINES ON OUTSOURCING ISSUED IN OCTOBER 2004 (Last Updated 1 July 2005) Monetary Authority of Singapore TABLE OF CONTENTS 1 INTRODUCTION... 1 2 APPLICATION OF GUIDELINES...
More informationWho s Your Vendor? Secondary Market Compliance and Title Agent Vendor Management
Who s Your Vendor? Secondary Market Compliance and Title Agent Vendor Management 2015 LBA Bank Counsel Conference Marx Sterbcow, Managing Attorney, Sterbcow Law Group The Bureau s Scrutiny of Vendor Management
More informationUNITED STATES OF AMERICA BEFORE THE BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM WASHINGTON, DC.
UNITED STATES OF AMERICA BEFORE THE BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM WASHINGTON, DC. FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C. OFFICER OF COMPTROLLER OF THE CURRENCY WASHINGTON,
More informationINFORMATION TECHNOLOGY OFFICER S QUESTIONNAIRE. Instructions for Completing the Information Technology Examination Officer s Questionnaire
Institution Charter Date of Exam Prepared By INFORMATION TECHLOGY OFFICER S QUESTIONNAIRE Instructions for Completing the Information Technology Examination Officer s Questionnaire The Information Technology
More informationPOV on Draft Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs
POV on Draft Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs April 2015 For private circulation only Draft Guidelines on Managing Risks and Code of Conduct
More information