Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP"

Transcription

1 Outsourced Third Party Relationship Management/ Vendor Management TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP 1

2 Risk Management Guidance 2

3 3

4 Appendix J: 4 - Key Elements Third Party Management Third Party Capacity Testing with Third Party TSPs Cyber Resilience

5 Risk Management Program 5

6 Life Cycle 6

7 Risk management process through out the life cycle of relationship includes: Plan outlining bank s strategy, inherent risks; how select, assess, and oversee 3rd parties. Proper selection due diligence Contracts outlining roles and responsibilities Ongoing monitoring of activities and performance Termination contingency plans Roles/responsibilities for overseeing the relationship and risk management process Documentation and reporting - oversight, accountability, monitoring, risk management Management reviews to ensure alignment with strategic goals and objectives of the bank 7

8 More comprehensive and rigorous oversight and management of relationships that involve critical activities such as: Significant bank functions (payments, clearing, settlements) Significant shared services (information technology) Activities that create significant risk if 3rd party fails to meet expectations, Could have significant customer impact Require significant investment in resources to implement and manage the 3rd party Could have major impact on operations if have to find alternate 3rd party or bring in-house 8

9 Oversight and Accountability Board Senior Management Employees managing relationships 9

10 Board and Sr. Mgmt Board Establish and approve policies governing use. Establish risk management program Senior Mgmt Ensure policies execution Oversee development and implementation of program Report to Board 10

11 A bank s board of directors is required to remain vigilant to the hazards posed by outsourcing functions to third parties, or else risk significant financial and reputational harm to its institution. - OCC and CFPB 11

12 FDIC FIL : An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships and identifying and controlling the risks arising from such relationships to the same extent as if the activity were handled within the institution. 12

13 Committee Not a regulatory requirement but a good practice. 13

14 Committee End user management Compliance officer Risk officer Technology officer Audit - liaison Legal - liaison 14

15 Planning Discuss inherent risks Outline strategic purposes Assess complexity Cost vs. benefit Affect on strategic initiative Impact to dual employees Customer interaction Security Contingency plans Laws and regulations Selection aligns with bank policies and practices Detail selection, assessment, and oversight of compliance with contract Presented and approved by BOD 15

16 Strategic Planning Integration with overall strategic objectives Identify the role of the relationship in conjunction with the business strategy and objectives Identify Need/purpose Benefits Costs Legal issues 16

17 Risk Assessment Identify all third party relationships Identify the risk Identify risk mitigations strategies Risk rate and rank 17

18 HR/ Payroll processor Operations (wires, ACH, ATM Core) IT Trust Cash Management Enterprise-wide Law Firms Marketing Accounting Lending Facilities/ Security Company 18

19 Classification Factors Mission critical Access to NPI Information controlled by the third party Volume of transactions Concentration of $ New activity New relationship Market products or services High risk activities Cloud computing Subcontracting/Foreign based contractors Foreign based company 19

20 Types of Risk Reputation - risk arising from negative publicity or public opinion. Strategic - risk arising from adverse business decisions or failure to implement appropriate business decisions or to make invalid assumptions. Transactional - risk arising from problems with service or product delivery 20

21 Types of Risk Operation - risk from inadequate or failed internal processes, people, systems, or an external event. Credit - risk that those necessary to the relationship are unable to meet the terms of the contractual arrangement or perform as agreed financially. 21

22 Types of Risk Compliance/legal - risk arising from violations of law, rules, regulations or noncompliance with internal policies and procedures. Concentration - arises when outsourced services or products are provided by a limited number of providers or are concentrated in limited geographic locations. 22

23 Potential Risk Interest rate Liquidity Market Foreign currency translation Country risk Pricing 23

24 Foreign Based Background Country risk/ability to prosecute Compliance risk US Laws Embargo Sanctions OFAC 24

25 Specific Risk with Technology Reliability Security Scalability Compatibility 25

26 Failure to Manage/Mitigate Regulatory action Financial loss Reputation issues Legal actions Impact ability to establish new or continue current customer relationships 26

27 Written Program Elements Overview of program Responsibilities Risk management process Needs assessment Due diligence and selection Contracting Oversight and Monitoring How monitor/manage problems with 3rd party How monitor performance with SLA Termination Contingency Approval process 27

28 Needs Assessment Function/activity Purpose/need served Alignment with strategic plan Budgeted amount Minimum standards/ expectations Minimum acceptable characteristics Security/control Oversight reports BCP Conversion/Training Contract requirements 28

29 Due Diligence/Selection Conduct on all potential 3rd parties prior to selection Don t rely solely on prior knowledge or experience Should be commensurate with level of risk and complexity of relationship onsite visits may be useful for full understanding of operations and capacity Broaden scope as necessary 29

30 Due Diligence/Selection Financial status Strategies and goals References Legal/regulatory compliance issues Resilience: BCP/Pandemic preparedness/incident Response Risk management/information security Qualifications, background, reputation of principals Employee background checks Insurance coverage Experience and reputation 30

31 Due Diligence/Selection Internal controls Facilities management Training Security of systems Privacy/confidentiality Maintenance and retention of records Use of subcontractors Physical security Systems development Technology/system specs Service support/delivery Resource management Fee Structure Conflicting contract arrangement with others 31

32 Business Resiliency Ensure third party service provider has a third party risk management program Third Party Service Provider s ability: To provide critical services to all its clients Meet stated RTOs and RPOs 32

33 Lack of resilience/failure of TSP Financial Institution clients take over operations Convert New TSP takes over existing operations Bring in-house 33

34 Financial Performance and Condition Most recent financials Sustainability FI relationship on SP financial condition SP commitment to contracted services SP review of financial condition of any subcontractor Other current issues SP may be facing that may affect future financial performance Insurance coverage 34

35 Contract Elements Scope of service Performance Standards/ Benchmarks Security/Confidentiality GLBA/Confidentiality Compliance with Laws, Regulation, Guidance Security/Controls Change management Incident response BCP/DR Right to Audit and Remediation MIS Oversight reports 35

36 Contracts Responsibilities for providing, receiving, retaining information Cost and compensation Ownership and license Indemnification Dispute Resolution Limits on liability Default and termination Subcontracting Foreign based 3rd parties Duration Assignment of contract 36

37 OCC Contracts: Stipulate performance of activities by external parties subject to OCC examination oversight including access to all work papers, drafts, and other materials. OCC generally has authority to examine and regulate functions/operations provided by 3rd parties to same extent as bank. 37

38 Service Level Agreement Identify significant elements of service Processing error rates System uptime/downtime Speed Performance Availability/timeliness of service Confidentiality/integrity of data Change control Help desk 38

39 Ongoing Monitoring Compliance with legal and regulatory requirements Insurance coverage Key personnel knowledge Ability to effectively manage risk Confidentiality/integrity of systems/ information Adequacy of training Process for adjusting policies, procedures, controls in response to change threats/vulnerabilities/breaches Information technology used/ management of information systems Business continuity/dr Subcontracting Consumer complaints and remediation 39

40 Ongoing Monitoring Ensure customer base is segregated from other clients (especially cloud provider) Internal controls Assess adequacy of control environment SSAE 16, SOC 2 FFIEC Examination Security incidents Onsite visits as needed/ Escalation of oversight activities when fail to meet: Performance Compliance Control Viability expectations 40

41 Ongoing Monitoring Types of reports Financial Patch management Pen testing Security assessments Audits Incident response BCP/pandemic 41

42 SSAE 16 SOC 1 - Internal controls over financial reporting (ICFR) SOC 2 - Specifically designed for data centers, MSSPs, SAS vendors, cloud computing and technology providers 42

43 SOC 2 Trusted Service Principles Security of systems Availability of systems Processing integrity Confidentiality of information Privacy of information 43

44 Independent Review Senior management should ensure periodic independent reviews are conducted on 3rd party risk management processes, especially critical activities. Internal audit or independent audit Report to Board 44

45 FRB - BCP Ensure DR/BCP exists Assess adequacy and effectiveness of the plan and alignment to bank s plan Test SP s BCP on periodic basis Maintain an exit strategy in event that SP is unable to perform Document roles and responsibilities for maintaining and testing the SP s plan 45

46 Appendix J: Business Resiliency Ensure DR/BCP exists Assess adequacy and effectiveness of the plan and alignment to bank s plan Test SP s BCP on periodic basis Maintain an exit strategy in event that SP is unable to perform Document roles and responsibilities for maintaining and testing the SP s plan 46

47 Termination Contingency Plan Management should ensure relationships terminate in an efficient manner. Have a plan to bring service in-house if no alternate 3rd parties 47

48 Appendix D: MSSP 2012 update to FFIEC Outsourcing Technology Service Handbook Reliance increases risk 39

49 MSSP Services Network boundary protection IDS/IPS Event log management/ alerting AV and Web content filtering services hosting Patch management Security software management Incident response management DLP Information security consulting services 40

50 MSSP Management Regular risk management program plus Contract with SLA Strategies for transparency/accountability Communications Review of MSSP processes, infrastructure, control environment 41

51 MSSP Management Risk Assessment: Due Diligence, Ongoing Risk Elements Business Processes Info Security Infrastructure Access Management and Control Data handling BCP/DRP Incident Response Awareness and Training Application Development/ Systems Integration Malware protection 51

52 MSSP Management Education/Awareness Training content/frequency Financial institution understanding of reports, audits, security testing 42

53 Cyber Security Risk Assessment Tool Domain 4 - External Dependency Management Connections Relationship Management

54 Document and Report Current inventory/risk assessment Approved plans to use 3rd party Due diligence results Analysis of costs Regular reports to Board on internal control testing and monitoring Audits, security reviews, compliance with SLA Regular reports to Board on overall risk management process Executed contract Regular risk management and performance reports from 3rd party 54

55 Bank Service Company Act FDIC supervised institutions Section 7(c)(2) Notification of Performance of Bank Services New servicing relationships by 3rd parties 45

56 Technology Outsourcing: Informational Tools for Community Bankers Effective Practices for Selecting a Service Provider Tools to Manage Technology Providers Performance Risk: Service Level Agreements Techniques for Managing Multiple Service Providers FDIC 30

57 Effective Practices for Selecting a Service Provider Resource in addressing specific challenges Not an exam procedure or official guidance Informational tool 31

58 Effective Practices Objectives in the Selection Process Evaluation and Selection Negotiating the Contract 32

59 Contracts Exit clause that allows FI to cancel for reasons such as failure to perform SLA should be stated Clear understanding of current and anticipated future requirements of service Obtain list of all key personnel and any subcontractors, consultants or third parties on which service delivery depends 33

60 Technology service providers encompass a broad range of entities including but not limited to affiliated entities, nonaffiliated entities, and alliances of companies providing products and services. This may include but is not limited to: core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers. Other terms used to describe Service Providers include vendors, subcontractors, external service provider (ESPs) and outsourcers. 34

61 Tools to Manage Risk: SLA SLA key component in structuring successful outsourcing contract Service category (system availability or response time) Acceptable range of service quality Definition of what is being measured Formula for calculating the measure Credit/penal,es for achieving/ failing performance targets Frequency and interval of measurement 35

62 Measure service activity results against defined service levels Examine measured results to identify problems or determine causes Take appropriate action to correct failed activities, functions, or processes Continuously guide service providers through feedback sessions based on objectively measured performance metrics 36

63 Successful SLA Identify performance and risk factors that are most crucial Make sure metrics measure what you want Focus on your goals Be specific, ensure everyone understands the terms and that terms are clear measured Measure performance provided to you not aggregate to all clients 37

64 Techniques for Managing Multiple SPs Use a lead contractor who is responsible for establishing subcontracts with other providers and managing their performance Use Inter-provider Operating Agreements 38

65 Thank You Susan Orr

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Vendor Management: An Enterprise-wide Focus Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Why Focus on Vendor Management Increased financial regulatory scrutiny GLBA and Identity Theft Red

More information

Outsourcing Technology Services A Management Decision

Outsourcing Technology Services A Management Decision Outsourcing Technology Services A Management Decision A Telephone Seminar for National Banks Tuesday, July 20, 2004 And again on Wednesday, July 21, 2004 Agenda Outsourcing activities and relationships

More information

Any business relationship between a bank and another entity, by contract or otherwise

Any business relationship between a bank and another entity, by contract or otherwise An Overview for Bank Directors Managing the Third Party Relationship Patrick Neuman Boardman & Clark LLP Madison, Wisconsin Any business relationship between a bank and another entity, by contract or otherwise

More information

Vendor Management Compliance Top 10 Things Regulators Expect

Vendor Management Compliance Top 10 Things Regulators Expect Vendor Management Compliance Top 10 Things Regulators Expect Paul M. Phillips, CFA Attorney, Adams and Reese Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay 2014 EastPay.

More information

Risk Management of Outsourced Technology Services. November 28, 2000

Risk Management of Outsourced Technology Services. November 28, 2000 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the

More information

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel AL 2000 12 O OCC ADVISORY LETTER Comptroller of the Currency Administrator of National Banks Subject: Risk Management of Outsourcing Technology Services TO: Chief Executive Officers of National Banks,

More information

Vendor Management. Outsourcing Technology Services

Vendor Management. Outsourcing Technology Services Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring

More information

Vendor Management Compliance Top 10 Things Regulators Expect

Vendor Management Compliance Top 10 Things Regulators Expect Vendor Management Compliance Top 10 Things Regulators Expect Peter Davey, AAP VP & Director, Enterprise Payments, CapitalOne Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay

More information

Vendor Management Best Practices

Vendor Management Best Practices 23 rd Annual and One Day Seminar Vendor Management Best Practices Catherine Bruder CPA, CITP, CISA, CISM, CTGA Michigan Texas Florida Insight. Oversight. Foresight. SM Doeren Mayhew Bruder 1 $100 billion

More information

Technology Outsourcing. Tools to Manage Technology Providers Performance Risk: Service Level Agreements

Technology Outsourcing. Tools to Manage Technology Providers Performance Risk: Service Level Agreements Technology Outsourcing Tools to Manage Technology Providers Performance Risk: Service Level Agreements Technology Outsourcing Tools to Manage Technology Providers Performance Risk: Service Level Agreements

More information

9/13/2013. 20/20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

9/13/2013. 20/20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99 20/20 Vision for Vendor Management & Oversight 2013 WBA Technology Conference September 17, 2013 Ken M. Shaurette, CISSP, CISA, CISM, CRISC, IAM Director IT Services Disclaimer The views set forth are

More information

Identifying and Managing Third Party Data Security Risk

Identifying and Managing Third Party Data Security Risk Identifying and Managing Third Party Data Security Risk Legal Counsel to the Financial Services Industry Digital Commerce & Payments Series Webinar April 29, 2015 1 Introduction & Overview Today s discussion:

More information

Credit Union Liability with Third-Party Processors

Credit Union Liability with Third-Party Processors World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with

More information

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium

VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management

More information

White Paper on Financial Institution Vendor Management

White Paper on Financial Institution Vendor Management White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety

More information

GUIDANCE FOR MANAGING THIRD-PARTY RISK

GUIDANCE FOR MANAGING THIRD-PARTY RISK GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,

More information

Appendix J: Strengthening the Resilience of Outsourced Technology Services

Appendix J: Strengthening the Resilience of Outsourced Technology Services Appendix J: Strengthening the Resilience of Outsourced Technology Services Background and Purpose Many financial institutions depend on third-party service providers to perform or support critical operations.

More information

To: Our Clients and Friends March 25, 2014

To: Our Clients and Friends March 25, 2014 Financial Services Group To: Our Clients and Friends March 25, 2014 A Significant Change Is Occurring Regarding Regulatory Oversight of Banks and Their Third Party Relationships. Both Banks and their Vendors

More information

Vendor Risk Management in the New Regulatory Environment. kpmg.com

Vendor Risk Management in the New Regulatory Environment. kpmg.com Vendor Risk Management in the New Regulatory Environment kpmg.com Vendor Risk Management in the New Regulatory Environment 2 Vendor Risk Management in the New Regulatory Environment Background Regulators

More information

Vendor Management Best Practices

Vendor Management Best Practices Vendor Management Best Practices Presented by: Raji Sathappan, MBA, CRCM, CISA, CAMS FMS East Coast Regional Conference September 2015 Certified Public Accountants Consultants Wealth Management Technology

More information

FinTech Webinar Series: Vendor Management Principles

FinTech Webinar Series: Vendor Management Principles FinTech Webinar Series: Vendor Management Principles Evolving Best Practices of Bank Service Providers February 14, 2013 Speakers Russell Bruemmer Partner Eric Mogilnicki Partner Jeffrey Hydrick Special

More information

Technology Outsourcing. Effective Practices for Selecting a Service Provider

Technology Outsourcing. Effective Practices for Selecting a Service Provider Technology Outsourcing Effective Practices for Selecting a Service Provider Technology Outsourcing Effective Practices for Selecting a Service Provider Federal Deposit Insurance Corporation 550 17th Street

More information

<[Z[hWb <_dwdy_wb?dij_jkj_edi ;nwc_dwj_ed 9ekdY_b

<[Z[hWb <_dwdy_wb?dij_jkj_edi ;nwc_dwj_ed 9ekdY_b FFIEC Table of Contents Introduction 1 Board and Management Responsibilities 2 Risk Management 3 Risk Assessment and Requirements 4 Quantity of Risk Considerations 5 Requirements Definition 6 Service Provider

More information

VENDORINSIGHTU P D A T E

VENDORINSIGHTU P D A T E VENDORINSIGHTU P D A T E November 12, 2013 COMPLIANCE VendorINSIGHT is the industry-leading solution for financial institutions offering the most features and capabilities for vendor risk monitoring. Ask

More information

Outsourcing Technology Services OT

Outsourcing Technology Services OT Federal Financial Institutions Examination Council FFIEC Outsourcing Technology Services OT JUNE 2004 IT EXAMINATION H ANDBOOK TABLE OF CONTENTS INTRODUCTION... 1 BOARD AND MANAGEMENT RESPONSIBILITIES...

More information

<[Z[hWb <_dwdy_wb?dij_jkj_edi ;nwc_dwj_ed 9ekdY_b

<[Z[hWb <_dwdy_wb?dij_jkj_edi ;nwc_dwj_ed 9ekdY_b FFIEC TABLE OF CONTENTS INTRODUCTION 1 BOARD AND MANAGEMENT RESPONSIBILITIES 2 RISK MANAGEMENT 3 Risk Assessment and Requirements 4 Quantity of Risk Considerations 4 Requirements Definition 5 Service Provider

More information

Are your business partners watching your back when you are watching your front?

Are your business partners watching your back when you are watching your front? Are your business partners watching your back when you are watching your front? Danny Shaw SE Practice Leader IT Risk Advisory Services Experis Thursday, October 4, 2012 1 Objectives: Organizations frequently

More information

SECURITY AND EXTERNAL SERVICE PROVIDERS

SECURITY AND EXTERNAL SERVICE PROVIDERS SECURITY AND EXTERNAL SERVICE PROVIDERS How to ensure regulatory compliance and manage risks with Service Organization Control (SOC) Reports Jorge Rey, CISA, CISM, CGEIT Director, Information Security

More information

Technology Outsourcing. Techniques for Managing Multiple Service Providers

Technology Outsourcing. Techniques for Managing Multiple Service Providers Technology Outsourcing Techniques for Managing Multiple Service Providers Technology Outsourcing Techniques for Managing Multiple Service Providers Federal Deposit Insurance Corporation 550 17th Street

More information

Preparing for the Outsourcing Challenge: Legal Due Diligence to Ensure a Winning Service Provider Relationship

Preparing for the Outsourcing Challenge: Legal Due Diligence to Ensure a Winning Service Provider Relationship THE 4 TH NATIONAL CONFERENCE ON OUTSOURCING IN FINANCIAL SERVICES NEGOTIATING, MANAGING & TERMINATING OUTSOURCING RELATIONSHIPS WHILE ENSURING REGULATORY COMPLIANCE Renaissance Mayflower, Washington, DC

More information

30-SECOND SUMMARY The Federal Reserve and the Office of the Comptroller of the Currency (OCC)

30-SECOND SUMMARY The Federal Reserve and the Office of the Comptroller of the Currency (OCC) 30-SECOND SUMMARY The Federal Reserve and the Office of the Comptroller of the Currency (OCC) have issued extensive new guidance to financial institutions about the use of third parties to perform functions

More information

Assessment and Compliance with Federal Financial Institutions Examination Council (FFIEC) Requirements

Assessment and Compliance with Federal Financial Institutions Examination Council (FFIEC) Requirements isl Assessment and Compliance with Federal Financial Institutions Examination Council (FFIEC) Requirements DataGuardZ White Paper Forti5 BNP Paribas [Pick the date] What is the history behind FFIEC compliance?

More information

The rise of third party relationships means rise in risk and regulation. Non-compliance is risky business for financial institutions

The rise of third party relationships means rise in risk and regulation. Non-compliance is risky business for financial institutions The rise of third party relationships means rise in risk and regulation Non-compliance is risky business for financial institutions Increasing dependency on third parties by banks has resulted in mandatory

More information

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers Morgan Stanley Policy for the Management of Third Party Residential Mortgage Servicing Providers Title Policy for the Management of Third Party Residential Mortgage Servicing Providers Effective Date Owner

More information

VII 4.1. VII. Unfair and Deceptive Practices Third Party Risk. Third Party Risk. Introduction. Background

VII 4.1. VII. Unfair and Deceptive Practices Third Party Risk. Third Party Risk. Introduction. Background Third Party Risk Introduction The board of directors and senior management of an insured depository institution (institution) are ultimately responsible for managing activities conducted through third-party

More information

Third Party Relationships

Third Party Relationships 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 A B D INTRODUCTION AND PURPOSE Background Yes/No Comments 1. Does the credit union maintain a list of the third party

More information

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes

More information

Statement of Guidance: Outsourcing All Regulated Entities

Statement of Guidance: Outsourcing All Regulated Entities Statement of Guidance: Outsourcing All Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1. 1.2. 1.3. 1.4. This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on

More information

Managing Outsourcing Arrangements

Managing Outsourcing Arrangements Guidance Note GGN 221.1 Managing Outsourcing Arrangements 1. This Guidance Note provides further detail on the requirements for managing material outsourcing arrangements (refer Prudential Standard GPS

More information

CAYMAN ISLANDS. Supplement No. 5 published with Gazette No. 19 dated 14 September, STATEMENT OF GUIDANCE: OUTSOURCING REGULATED ENTITIES

CAYMAN ISLANDS. Supplement No. 5 published with Gazette No. 19 dated 14 September, STATEMENT OF GUIDANCE: OUTSOURCING REGULATED ENTITIES CAYMAN ISLANDS Supplement No. 5 published with Gazette No. 19 dated 14 September, 2015. STATEMENT OF GUIDANCE: OUTSOURCING REGULATED ENTITIES Statement of Guidance: Outsourcing Regulated Entities 1. STATEMENT

More information

Third-Party Risk Management: Busting Myths and Telling Truths

Third-Party Risk Management: Busting Myths and Telling Truths Third-Party Risk Management: Busting Myths and Telling Truths Richik Sarkar, Esq. McDonald Hopkins LLC 600 Superior Avenue, East, Suite 2100 Cleveland, OH 44114 (216) 430-2009 rsarkar@mcdonaldhopkins.com

More information

Presenters: Pam Bishop, Mutual of Omaha Insurance Companies Kurt Swan, Connecticut Insurance Department Cynthia Wood, Risk & Regulatory Consulting,

Presenters: Pam Bishop, Mutual of Omaha Insurance Companies Kurt Swan, Connecticut Insurance Department Cynthia Wood, Risk & Regulatory Consulting, Presenters: Pam Bishop, Mutual of Omaha Insurance Companies Kurt Swan, Connecticut Insurance Department Cynthia Wood, Risk & Regulatory Consulting, LLC Moderator: Barry L Wells, Risk & Regulatory Consulting,

More information

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015

By: Tracy Hall. Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level. June 9, 2015 Community Bank Auditors Group Taking Your Business Continuity Plan To The Next Level June 9, 2015 By: Tracy Hall MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company,

More information

www.pwc.com Third Party Risk Management 12 April 2012

www.pwc.com Third Party Risk Management 12 April 2012 www.pwc.com Third Party Risk Management 12 April 2012 Agenda 1. Introductions 2. Drivers of Increased Focus on Third Parties 3. Governance 4. Third Party Risks and Scope 5. Third Party Risk Profiling 6.

More information

Enterprise Risk Management Process Improvement. Secure Banking Solutions, LLC

Enterprise Risk Management Process Improvement. Secure Banking Solutions, LLC Enterprise Risk Management Process Improvement 2 Contact Information Contact Information Chad Knutson Senior Information Security Consultant CISSP, CISA, CRISC Phone: 605-480-3366 chad.knutson@protectmybank.com

More information

Who s Regulating Whom & What are the Requirements: Banks As Payment Services Providers

Who s Regulating Whom & What are the Requirements: Banks As Payment Services Providers Who s Regulating Whom & What are the Requirements: Banks As Payment Services Providers Tony DaSilva, AAP, CISA S&R Senior Technical Expert Federal Reserve Bank of Atlanta Disclaimer The opinions expressed

More information

Identifying Key Risk Indicator

Identifying Key Risk Indicator PUERTO RICO PAYMENTS SYMPOSIUM Identifying Key Risk Indicator EPOCPR Services Agenda for Today Background History Regulators & Risk Management Let s have fun Regulators & Risk Assessment ACH Risks Categories

More information

Get in the Groove with the Regulatory Jazz: Cyber Security and Vendor Management Examinations from the Regulators and Auditors Perspective

Get in the Groove with the Regulatory Jazz: Cyber Security and Vendor Management Examinations from the Regulators and Auditors Perspective Get in the Groove with the Regulatory Jazz: Cyber Security and Vendor Management Examinations from the Regulators and Auditors Perspective Rory Guenther, CISA Senior Examiner, Operational Risk Specialist,

More information

Outsourcing has become a critical component of financial institutions management

Outsourcing has become a critical component of financial institutions management Skadden Skadden, Arps, Slate, Meagher & Flom LLP & Affiliates If you have any questions regarding the matters discussed in this memorandum, please contact the following attorneys or call your regular Skadden

More information

Instructions for Completing the Information Technology Officer s Questionnaire

Instructions for Completing the Information Technology Officer s Questionnaire Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine

More information

Information Technology

Information Technology Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level

More information

VENDOR MANAGEMENT. General Overview

VENDOR MANAGEMENT. General Overview VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor

More information

Anatomy of an IT Outsourcing Deal. Bruce Laco Deloitte John Pickett IT World Canada Barry Sookman McCarthy Tetrault

Anatomy of an IT Outsourcing Deal. Bruce Laco Deloitte John Pickett IT World Canada Barry Sookman McCarthy Tetrault Anatomy of an IT Outsourcing Deal Bruce Laco Deloitte John Pickett IT World Canada Barry Sookman McCarthy Tetrault 3656867 Agenda Key Considerations for IT Outsourcing Decision Anatomy of an Outsourcing

More information

3 rd Party Vendor Risk Management

3 rd Party Vendor Risk Management 3 rd Party Vendor Risk Management Session 402 Tuesday, June 9, 2015 (11 to 12pm) Session Objectives The need for enhanced reporting on vendor risk management Current outsourcing environment Key risks faced

More information

Goldman Sachs Residential Mortgage Servicing Vendor Management Policy Addendum U.S.-Based Program

Goldman Sachs Residential Mortgage Servicing Vendor Management Policy Addendum U.S.-Based Program Goldman Sachs Residential Mortgage Servicing Vendor Management Policy Addendum U.S.-Based Program Effective Date: January 27, 2014 Vendor Management Policy Addendum TABLE OF CONTENTS 1. INTRODUCTION...

More information

Navigating Vendor Management Issues in Today s Regulatory Environment

Navigating Vendor Management Issues in Today s Regulatory Environment Navigating Vendor Management Issues in Today s Regulatory Environment May 6, 2015 Elizabeth E. McGinn, Partner Moorari K. Shah, Counsel 1 Disclaimer The information contained herein is for informational

More information

Forensic Services. Third Party Risks. March 2013

Forensic Services. Third Party Risks. March 2013 Forensic Services Third Party Risks Landscape of third party risk Focus on third parties that: perform functions on behalf of the company provide products and services that the company does not originate

More information

ICBA Summary of FFIEC Cybersecurity Assessment Tool

ICBA Summary of FFIEC Cybersecurity Assessment Tool ICBA Summary of FFIEC Cybersecurity Assessment Tool July 2015 Contact: Jeremy Dalpiaz Assistant Vice President Cyber Security and Data Security Policy Jeremy.Dalpiaz@icba.org www.icba.org ICBA Summary

More information

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015

By: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015 Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity

More information

T31: Before, During and After Outsourcing David Fong, BlackRock

T31: Before, During and After Outsourcing David Fong, BlackRock T31: Before, During and After Outsourcing David Fong, BlackRock Before, During and After Outsourcing David Fong, CISA, CPA Objective o Explore reasons why some organizations choose to outsource o Understanding

More information

Office of Inspector General

Office of Inspector General Audit Report OIG-14-034 Not Sufficiently Documented April 21, 2014 Office of Inspector General Department of the Treasury Contents Audit Report Background... 2 Results of Audit... 4 OCC Has Updated Guidance

More information

Vendor Compliance Management Series: Performing an Effective Risk Assessment

Vendor Compliance Management Series: Performing an Effective Risk Assessment Vendor Compliance Management Series: Performing an Effective Risk Assessment Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must

More information

Risk Management of Remote Deposit Capture

Risk Management of Remote Deposit Capture Federal Financial Institutions Examination Council 3501 FAIRFAX DRIVE ROOM 3086 ARLINGTON, VA 22226-3550 (703) 516-5487 http://www.ffiec.gov Background and Purpose Risk Management of Remote Deposit Capture

More information

CFPB Readiness Series: Compliant Vendor Management Overview

CFPB Readiness Series: Compliant Vendor Management Overview CFPB Readiness Series: Compliant Vendor Management Overview Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the

More information

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World

Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World July 30, 2015 Sutherland Webinar Michael Steinig 202.383.0804 Michael.Steinig@sutherland.com

More information

Proposed Principles to be addressed in APES GN 20 Outsourced Accounting Services

Proposed Principles to be addressed in APES GN 20 Outsourced Accounting Services Proposed Principles to be addressed in APES GN 20 Outsourced Accounting Services Roles and Responsibilities The proposed Guidance Note 20 Outsourced Accounting Services (GN 20) will set out the various

More information

360 of Vendor Management

360 of Vendor Management 360 of Vendor Management Jay Brietz, CPA and CIA Shareholder Elliott Davis Decosimo, LLC Elliott Davis Decosimo, PLLC Disclaimer This material was used by Elliott Davis Decosimo during an oral presentation;

More information

FFIEC Cybersecurity Assessment Tool

FFIEC Cybersecurity Assessment Tool Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,

More information

Logging In: Auditing Cybersecurity in an Unsecure World

Logging In: Auditing Cybersecurity in an Unsecure World About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that

More information

Validating Third Party Software Erica M. Torres, CRCM

Validating Third Party Software Erica M. Torres, CRCM Validating Third Party Software Erica M. Torres, CRCM Michigan Bankers Association Risk Management & Compliance Institute September 29, 2014 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT

More information

Vendor Risk Management Financial Organizations

Vendor Risk Management Financial Organizations Webinar Series Vendor Risk Management Financial Organizations Bob Justus Chief Security Officer Allgress Randy Potts Managing Consultant FishNet Security Bob Justus Chief Security Officer, Allgress Current

More information

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World

Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Web Hull Privacy, Data Protection, & Compliance Advisor Society

More information

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS

SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS An overview of how the Shared Assessments Program SIG 2014

More information

VII 5.1. VII. Abusive Practices Third Party Procedures. Third Party Risk. Introduction. Background

VII 5.1. VII. Abusive Practices Third Party Procedures. Third Party Risk. Introduction. Background Third Party Risk Introduction The board of directors and senior management of an insured depository institution (institution) are ultimately responsible for managing activities conducted through third-party

More information

Board Responsibility. A bank can outsource a task, but it cannot outsource the responsibility.

Board Responsibility. A bank can outsource a task, but it cannot outsource the responsibility. Third-Party Risk Board Responsibility The Board of Directors and senior management are ultimately responsible for managing activities conducted through third-party relationships as if the activity were

More information

Cybersecurity: What CFO s Need to Know

Cybersecurity: What CFO s Need to Know Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction

More information

OCC BULLETIN OCC 2001-47

OCC BULLETIN OCC 2001-47 OCC BULLETIN Comptroller of the Currency Administrator of National Banks Subject: Third-Party Relationships Description: Risk Management Principles TO: Chief Executive Officers of National Banks, Federal

More information

Bank of Papua New Guinea Prudential Standard BPS252: Outsourcing of Business Activities, Functions and Processes

Bank of Papua New Guinea Prudential Standard BPS252: Outsourcing of Business Activities, Functions and Processes Bank of Papua New Guinea Prudential Standard BPS252: Outsourcing of Business Activities, Functions and Processes Issued under Section 27 of the Banks and Financial Institutions Act 2000 Overview and Key

More information

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-07 OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS. Purpose

FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-07 OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS. Purpose FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-07 OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS Purpose This advisory bulletin communicates the Federal Housing Finance Agency s (FHFA)

More information

Outsourcing Risk Guidance Note for Banks

Outsourcing Risk Guidance Note for Banks Outsourcing Risk Guidance Note for Banks Part 1: Definitions Guideline 1 For the purposes of these guidelines, the following is meant by: a) outsourcing: an authorised entity s use of a third party (the

More information

Objective and key requirements of this Prudential Standard

Objective and key requirements of this Prudential Standard Prudential Standard CPS 231 Outsourcing Objective and key requirements of this Prudential Standard This Prudential Standard requires that all outsourcing arrangements involving material business activities

More information

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee

More information

Information Security Handbook

Information Security Handbook Information Security Handbook Adopted 6/4/14 Page 0 Page 1 1. Introduction... 5 1.1. Executive Summary... 5 1.2. Governance... 5 1.3. Scope and Application... 5 1.4. Biennial Review... 5 2. Definitions...

More information

A Crisis Response, Information Sharing View of FFIEC Appendix J?

A Crisis Response, Information Sharing View of FFIEC Appendix J? A Crisis Response, Information Sharing View of FFIEC Appendix J? Susan Rogers (MBCP, MBCI) Financial Services Information Sharing and Analysis Center FS-ISAC, Business Resiliency Director srogers@fsisac.us;

More information

The New Third-Party Oversight Framework: Trust but Verify kpmg.com

The New Third-Party Oversight Framework: Trust but Verify kpmg.com Financial Services Regulatory Point of View The New Third-Party Oversight Framework: Trust but Verify kpmg.com The New Third-Party Oversight Framework: Trust but Verify 1 Financial services regulatory

More information

THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS

THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS Data Law Group, P.C. Kari Kelly Deborah Shinbein YOU CAN T OUTSOURCE COMPLIANCE! Various statutes and regulations govern

More information

Putting the Management Back in Vendor Management February 20, 2014

Putting the Management Back in Vendor Management February 20, 2014 Putting the Management Back in Vendor Management February 20, 2014 Moderator: Brian O Reilly The Collingwood Group, LLC Panelists: Calvin Hagins, CFPB Ken Markison, MBA Jonathan McKernan, Wilmer Hale Dan

More information

Cloud Computing: Legal Risks and Best Practices

Cloud Computing: Legal Risks and Best Practices Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent

More information

Ed McMurray, CISA, CISSP, CTGA CoNetrix

Ed McMurray, CISA, CISSP, CTGA CoNetrix Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats

More information

Refresher on cloud computing

Refresher on cloud computing Refresher on cloud computing Cloud computing is a form of outsourcing where the organization outsources data processing to computers owned by the vendor. Outsourcing may also include utilizing the vendor

More information

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

Part A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES... Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation

More information

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management

White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.

More information

WHITE PAPER THIRD PARTY MANAGEMENT: FUNDAMENTALS

WHITE PAPER THIRD PARTY MANAGEMENT: FUNDAMENTALS THIRD PARTY MANAGEMENT: FUNDAMENTALS by Linda Tuck Chapman Sponsored by Third Party Management Fundamentals Third Party Management isn t new, but its importance is growing in every industry and the financial

More information

Outsourcing in the Financial Services Industry: Finding Opportunities and Managing Risk. New York. OCC and FRB Guidance on Managing Third-Party Risk

Outsourcing in the Financial Services Industry: Finding Opportunities and Managing Risk. New York. OCC and FRB Guidance on Managing Third-Party Risk March 24, 2014 If you have any questions regarding the matters discussed in this memorandum, please contact the following attorneys or your regular Skadden contact. Stuart D. Levi New York / 212.735.2750

More information

Servicing Issues Update

Servicing Issues Update September 2014 Servicing Issues Update Regulatory Developments 1. Future Rulemaking. CFPB has indicated that it is reviewing its mortgage servicing regulations and may issue additional amendments and clarifications.

More information

Managing Sub-Servicing Partnerships

Managing Sub-Servicing Partnerships Managing Sub-Servicing Partnerships 2 Managing Sub-Servicing Partnerships WHY IT IS IMPORTANT TO GINNIE MAE: Ginnie Mae recognizes that there are entities that specialize in the servicing and are better

More information

Managing General Agents (MGAs) Guideline

Managing General Agents (MGAs) Guideline Managing General Agents (MGAs) Guideline JUNE 2013 DRAFT FOR COMMENT BC AUTHORIZED LIFE INSURERS www.fic.gov.bc.ca PURPOSE This draft guideline outlines best practices that the Financial Institutions Commission

More information

CFPB Consumer Laws and Regulations

CFPB Consumer Laws and Regulations General Principles and Introduction Supervised entities within the scope of CFPB s supervision and enforcement authority include both depository institutions and non-depository consumer financial services

More information

Vendor Risk Management (Banks and Financial Institutions)

Vendor Risk Management (Banks and Financial Institutions) Vendor Risk Management (Banks and Financial Institutions) Speaker: Jay Ranade/Ram Engira CIA, CRMA, CRISC, CBCP,CISA,CISSP,CISM,ISSAP,CGEIT Director of Education Risk Management Professionals Intl. New

More information

SUPERVISORY AND REGULATORY GUIDELINES: PU48-0809 GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS

SUPERVISORY AND REGULATORY GUIDELINES: PU48-0809 GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS SUPERVISORY AND REGULATORY GUIDELINES: PU48-0809 ISSUED: 4 th May 2004 REVISED: 27 th August 2009 GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS I. INTRODUCTION The Central Bank

More information