Putting the Management Back in Vendor Management February 20, 2014

Transcription

1 Putting the Management Back in Vendor Management February 20, 2014 Moderator: Brian O Reilly The Collingwood Group, LLC Panelists: Calvin Hagins, CFPB Ken Markison, MBA Jonathan McKernan, Wilmer Hale Dan Mugge, CoreLogic

2 The New Landscape: Increasing Regulatory Scrutiny Vendor management practices have recently been subject to increased regulatory scrutiny. Banking regulators issued new guidance in 2012 and Recent enforcement actions have targeted vendor management deficiencies. Possible drivers of increased scrutiny Shift in supervisory focus to operational risks: operational risks increase when a vendor is involved in bank operations. Evolving nature of outsourcing relationships: increased reliance on cloud computing and other technology service providers that present greater operational risks. Some areas of focus: Data security Consumer protection compliance 2

3 Regulatory Guidance OCC OCC Bulletin : Third-Party Relationships OCC Bulletin : Foreign-Based Third-Party Service Providers FDIC FIL : Guidance for Managing Third-Party Risk FIL : Bank Technology Bulletin: Technology Outsourcing Information Documents Federal Reserve SR 13-19: Guidance on Managing Outsourcing Risk SR 00-4 (SUP): Outsourcing of Information Technology and Transaction Processing CFPB CFPB Bulletin : Service Providers 3

4 Regulatory Guidance (cont.) FFIEC IT Examination Booklet on the Supervision of Technology Service Providers (Oct. 2012) Guidance for examiners and banks on supervising TSPs. Uniform Rating System for Information Technology (URSIT). Exam Booklet on Outsourcing Technology Services Risk (Jun. 2004) Risk Management of Outsourced Technology Services (Nov. 2000) Administrative Guidelines Implementation of Interagency Programs for the Supervision of Technology Service Providers (Oct. 2012) 4

5 Enforcement Activity Several consent orders targeted alleged telemarketing sales tactics and/or billing issues by vendors involved in credit card add-ons. Amex: $16.2 million in penalties, $59.9 million in customer redress JPMorgan: $60 million in penalties, $309 million in customer redress. Discover: $14 million in penalties, $200 million in customer redress. Capital One: $60 million in penalties, $150 million in customer redress. Amex 2012 consent orders targeted alleged deceptive and other unlawful credit card practices arising out of oversight of affiliated service providers. $27.5 million in penalties and $85 million in customer redress. First Bank of Delaware consent order targeted alleged AML violations arising out of inadequate oversight of vendor payment processors. $15 million in civil money penalties, $500,000 in customer redress, and loss of charter. Mortgage foreclosure orders 5

6 Mortgage Foreclosure Orders Consent orders with servicers targeted unsafe and unsound practices related to servicing and foreclosure processing. Many of the deficiencies in foreclosure processing were by vendors acting on behalf of the banks, in particular by foreclosure attorneys. Among other things, vendor management deficiencies included: Insufficient policies and procedures governing the selection, management and termination of the law firms facilitating foreclosures; Absence of formal contracts with the law firms; Inadequate oversight of law firms; and Failures to retain originals or copies of documents maintained by foreclosure attorneys. Regulators even took enforcement action directly against vendors LPS and MERS under the Bank Service Company Act. 6

7 General Regulatory Expectations Banking regulators generally expect that a bank will ensure that each vendor: does not present a safety and soundness risk; and complies with applicable law when acting on behalf of the bank. Vendor management is risk-based: a bank should take appropriate risk management steps to identify, assess, monitor and control vendor risks. Risk management steps include: (i) a risk assessment; (ii) due diligence; (iii) an appropriate vendor contract; (iv) monitoring of vendor s performance and financial condition; and (v) contingency planning. OCC also identifies several additional phases of the continuous life cycle that include oversight and accountability, documentation and reporting and independent reviews. No one size fits all approach: tailored to a vendor s risk profile. Expectations apply not just to vendors, but to all third-party relationships. Includes other business arrangements where the bank has an ongoing relationship, e.g. joint ventures and affiliate relationships. OCC Bulletin. 7

8 CFPB Requirements CFPB Bulletin requires Due diligence to verify service provider understands and is capable of complying with Federal consumer financial law; Requesting and reviewing service provider s policies, procedures, internal controls, and training materials to ensure service provider conducts appropriate training and oversight of employees or agents having consumer contact or compliance responsibilities; Including in contract with service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices; Establishing internal controls and on-going monitoring to determine whether service provider is complying with Federal consumer financial law; and Taking prompt action to address fully any problems identified through monitoring process, including terminating relationship where appropriate. 8

9 The Paradigm Has Shifted CFPB regulated entities are expected to carry out consumer protection responsibilities including vendor management. 9

10 Industry Challenges Important consumer protection objectives of policy are understood but there are legitimate concerns. For all regulated entities challenges include: 1. Uncertainty about expectations Which service providers are covered? Some are obvious? Independent entities? 2. Managing risks How much is enough? How much is too much? 3. Managing costs Due diligence, changes to practices, establishing controls, monitoring, etc. all have costs. 4. For independent mortgage bankers and many servicers requirements for vendor management on this scale are new. 10

11 Industry Costs Are Ultimately Consumers Retail Production Expenses ($ per Loan) 11

12 Direct Cost to Service ($/loan) Prime Servicers Specialty Servicers Source: MBA s Servicing Operations Study * Excludes corporate administration costs, unreimbursed FC and REO costs, and compensatory fees. Fully loaded servicing operations costs were $312 per loan for prime servicers and $687 per loan for specialty servicers. 12

13 Managing Challenges Regulatory concerns beyond vendor management requirements make vendor control imperative Servicing imperatives RESPA tolerances and RESPA TILA integration Data security issues Affiliations are one way to manage but QM points and fees calculation has made these difficult at least for third party charges Path- Policies and procedures that guide due diligence Compliance Essentials New agreements Monitoring and scrutiny 13

14 Vendor Risk Management Presented by: Dan Mugge Vice President, Technology Solutions Asset Management & Processing Solutions

15 Compliance Reputational Operational Financial Stability Information Security Business Continuity Others Vendor Risk Management Framework First it should be part of larger Enterprise Governance Risk and Compliance Program Second it should consider numerous risk types Governance Strategy Third, it should be based on five main pillars: 1. Due Diligence & Vendor Selection 2. Risk Assessment 3. Contract Management 4. Monitoring and Oversight 5. Exit Plan Risk Compliance Ultimately the lender is responsible for compliance but remember that one size does not fit all 15

16 Enterprise Governance, Risk & Compliance (GRC) Framework Corporate Strategy, Goals, Objectives Examples of Artifacts Risk Appetite Statement Enterprise Laws, Regs, Policies, Standards, Contracts Governance Purpose Establishes corporate oversight and organizational strategy, goals, objectives, risk appetite, and compliance expectations Enterprise Risk Assessment ERM Process Risk Scan Form and Process Risk Action Plans Enterprise Risk Management (ERM) Identifies and assesses risks that, should they occur, may affect the ability of the organization to achieve its goals and objectives Annual Compliance Plan & Assessment Compliance Process Legal and Regulatory Inventory Compliance reports Compliance Management Ensures organization operates in accordance with laws, regulations, industry standards, internal policies and processes, contracts and other commitments Issue Identification Form Issues Management Process Issues Reporting Issues Management Provides formal mechanism for tracking, escalating, reporting and resolving all organizational issues (e.g., non-compliance, complaints, IT gaps, etc. You must have your house in order 16

17 Vendor Risk Management Program Vendor Risk Management 1. Due Diligence & Vendor Selection 2. Contract Management 3. Risk Assessment 4. Monitoring and Oversight 5. Exit Plan Old World Order Price Performance Expertise Performance Penalties Operational Information Security Business Resiliency Spend Transactional Performance Loosely follow exit terms New World Order Consumer Impact GRC Maturity Policies & Procedures Fiscal Health Business Model Lawsuits/Complaints Training Programs Compliance Expectations Enforceable Consequences Consumer Risk Compliance Risk Financial Risk Reputational Risk Critical Quality Indicators Key Risk Indicators Key Performance Indicators Corrective Action Plans Documented for critical vendors Transfer phase identified Third parties can provide staffing, services and expertise but do not assume ultimate responsibility for compliance 17

18 Pitfalls Inadequate understanding internally and externally of expectations Broader range of risks not considered Lack of expertise within the institution on what the vendor actually does Approaching without a continuous improvement mindset Accountability not clearly defined Lack of investment in mock or internal audits Training and communication not funded Information to support the program and survive an audit was not considered and/or defined A holistic and sustainable approach can help identify and manage risk 18

19 Be Prepared: Check and Check Twice STRATEGY What is your supplier adoption strategy? Is there alignment to corporate strategies? GOVERNANCE Do you have VRM policies and procedures? Are your contractual terms aligned to risks? Do you have exit strategies? RISK Can you determine your vendor risk? Does your vendor have operational policies and procedures? Does your vendor have VRM policies and procedures? COMPLIANCE What measurements are possible, practicable and meaningful? Are you effectively communicating expectations? 19