1 AL O OCC ADVISORY LETTER Comptroller of the Currency Administrator of National Banks Subject: Risk Management of Outsourcing Technology Services TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel The Federal Financial Institutions Examination Council (FFIEC) has released the attached guidance, "Risk Management of Outsourced Technology Services." The guidance outlines the processes banks should use to manage the risks associated with outsourcing technology services and discusses four key elements of such processes risk assessment, selection of service providers, contract reviews, and monitoring the service provider relationship. This guidance supplements previous interagency statements and Office of the Comptroller of the Currency (OCC) guidance. The guidance states that a financial institution s board of directors and management are responsible for ensuring that adequate risk mitigation practices are in place for effective oversight and management of outsourcing relationships. Financial institutions should incorporate an outsourcing risk management process that includes a risk assessment to identify the institution s needs and requirements; proper due diligence to identify and select a provider; written contracts that clearly outline duties, obligations, and responsibilities of the parties involved; and ongoing oversight of outsourced technology services. The guidance encourages management to consider additional risk-management controls when services involve the use of the Internet. The Internet, with its broad geographic reach, ease of access and anonymity, requires extra attention to maintaining secure systems, detecting intrusions, developing reporting systems, and verifying and authenticating customers. Institutions considering operating subsidiaries and minority investments in conjunction with outsourcing arrangements should refer to OCC regulations 12 CFR 5.34 and 5.36 regarding the permissibility of the activities to be conducted. In addition, management should consider whether the appropriate duties, responsibilities, and performance criteria are understood during the due diligence and contract negotiations. The institutions risk assessment phase and contract provisions should take into consideration investment criteria and exit strategies that may be needed depending on the success and continued permissibility of the activities. OCC encourages national banks to use technology in a safe and sound manner to enhance service and product offerings. Regardless of whether technology solutions are managed internally or Date: November 28, 2000 Page 1 of 2
2 outsourced, the board of directors and management need to understand the inherent risks to the institution and implement appropriate controls. For further information on Internet banking and technology risk management guidance, see the OCC s Internet site at or contact Clifford Wilke, director, Bank Technology, at (202) Emory W. Rushton Senior Deputy Comptroller Bank Supervision Policy Attachment Date: November 28, 2000 Page 2 of 2
3 Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the risks associated with outsourcing technology services. 1 Financial institutions should consider the guidance outlined in this statement and the attached appendix in managing arrangements with their technology service providers. 2 While this guidance covers a broad range of issues that financial institutions should address, each financial institution should apply those elements based on the scope and importance of the outsourced services as well as the risk to the institution from the services. Financial institutions increasingly rely on services provided by other entities to support an array of technology-related functions. While outsourcing to affiliated or nonaffiliated entities can help financial institutions manage costs, obtain necessary expertise, expand customer product offerings, and improve services, it also introduces risks that financial institutions should address. This guidance covers four elements of a risk management process: risk assessment, selection of service providers, contract review, and monitoring of service providers. 3 Risk Assessment The board of directors and senior management are responsible for understanding the risks associated with outsourcing arrangements for technology services and ensuring that effective risk management practices are in place. As part of this responsibility, the board and management should assess how the outsourcing arrangement will support the institution s objectives and strategic plans and how the service provider s relationship will be managed. Without an effective risk assessment phase, outsourcing technology services may be inconsistent with the institution s strategic plans, too costly, or introduce unforeseen risks. 1 The FFIEC Information Systems Examination Handbook is a reference source that contains further discussion and explanation of a number of concepts addressed in this FFIEC guidance. 2 Technology service providers encompass a broad range of entities including but not limited to affiliated entities, nonaffiliated entities, and alliances of companies providing products and services. This may include but is not limited to: core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet related services; security monitoring; systems development and maintenance; aggregation services; digital certification services, and call centers. 3 The federal banking agencies have authority to regulate and examine services provided to insured depository institutions under 12 U.S.C. 1867(c), 12 U.S.C. 1786(a), and 12 U.S.C. 1464(d)(7).
4 Page 2 of 3 Outsourcing of information and transaction processing and settlement activities involves risks that are similar to the risks that arise when these functions are performed internally. Risks include threats to security, availability and integrity of systems and resources, confidentiality of information, and regulatory compliance. In addition, the nature of the service provided, such as bill payment, funds transfer, or emerging electronic services, may result in entities performing transactions on behalf of the institution, such as collection or disbursement of funds, that can increase the levels of credit, liquidity, transaction, and reputation risks. 4 Management should consider additional risk management controls when services involve the use of the Internet. The broad geographic reach, ease of access, and anonymity of the Internet require close attention to maintaining secure systems, intrusion detection and reporting systems, and customer authentication, verification, and authorization. Institutions should also understand that the potential risks introduced are a function of a system s structure, design and controls and not necessarily the volume of activity. An outsourcing risk assessment should consider the following: Strategic goals, objectives, and business needs of the financial institution. Ability to evaluate and oversee outsourcing relationships. Importance and criticality of the services to the financial institution. Defined requirements for the outsourced activity. Necessary controls and reporting processes. Contractual obligations and requirements for the service provider. Contingency plans, including availability of alternative service providers, costs and resources required to switch service providers. Ongoing assessment of outsourcing arrangements to evaluate consistency with strategic objectives and service provider performance. Regulatory requirements and guidance for the business lines affected and technologies used. Due Diligence in Selecting a Service Provider Once the institution has completed the risk assessment, management should evaluate service providers to determine their ability, both operationally and financially, to meet the institution s needs. Management should convey the institution s needs, objectives, and necessary controls to the potential service provider. Management also should discuss provisions that the contract should contain. The appendix to this statement contains some specific factors for management to consider in selecting a service provider. Contract Issues Contracts between the institution and service provider should take into account business requirements and key risk factors identified during the risk assessment and due diligence phases. Contracts should be clearly written and sufficiently detailed to provide assurances for performance, reliability, security, confidentiality, and reporting. Management should consider 4 For example, emerging electronic services may include aggregation. Aggregation is a service that gathers on-line account information from many web sites and presents that information in a consolidated format to the customer.
5 whether the contract is flexible enough to allow for changes in technology and the financial institution's operations. Appropriate legal counsel should review contracts prior to signing. Page 3 of 3 Institutions may encounter situations where service providers cannot or will not agree to terms that the institution requests to manage the risk effectively. Under these circumstances, institutions should either not contract with that provider or supplement the service provider s commitments with additional risk mitigation controls. The appendix to this statement contains some specific considerations for management in contracting with a service provider. Service Provider Oversight Institutions should implement an oversight program to monitor each service provider s controls, condition, and performance. Responsibility for the administration of the service provider relationship should be assigned to personnel with appropriate expertise to monitor and manage the relationship. The number of personnel, functional responsibilities, and the amount of time devoted to oversight activities will depend, in part, on the scope and complexity of the services outsourced. Institutions should document the administration of the service provider relationship. Documenting the process is important for contract negotiations, termination issues, and contingency planning. The appendix to this statement contains some specific factors to consider regarding oversight of the service provider. Summary The board of directors and management are responsible for ensuring adequate risk mitigation practices are in place for effective oversight and management of outsourcing relationships. Financial institutions should incorporate an outsourcing risk management process that includes a risk assessment to identify the institution s needs and requirements; proper due diligence to identify and select a provider; written contracts that clearly outline duties, obligations and responsibilities of the parties involved; and ongoing oversight of outsourcing technology services.
6 Page A - 1 APPENDIX Risk Management of Outsourced Technology Services Due Diligence in Selecting a Service Provider Some of the factors that institutions should consider when performing due diligence in selecting a service provider are categorized and listed below. Institutions should review the service provider s due diligence process for any of its significant supporting agents (i.e., subcontractors, support vendors, and other parties). Depending on the services being outsourced and the level of in-house expertise, institutions should consider whether to hire or consult with qualified independent sources. These sources include consultants, user groups, and trade associations that are familiar with products and services offered by third parties. Ultimately, the depth of due diligence will vary depending on the scope and importance of the outsourced services as well as the risk to the institution from these services. Technical and Industry Expertise Assess the service provider s experience and ability to provide the necessary services and supporting technology for current and anticipated needs. Identify areas where the institution would have to supplement the service provider s expertise to fully manage risk. Evaluate the service provider s use of third parties or partners that would be used to support the outsourced operations. Evaluate the experience of the service provider in providing services in the anticipated operating environment. Consider whether additional systems, data conversions, and work are necessary. Evaluate the service provider s ability to respond to service disruptions. Contact references and user groups to learn about the service provider s reputation and performance. Evaluate key service provider personnel that would be assigned to support the institution. Perform on-site visits, where necessary, to better understand how the service provider operates and supports its services. Operations and Controls Determine adequacy of the service provider s standards, policies and procedures relating to internal controls, facilities management (e.g., access requirements, sharing of facilities, etc.), security (e.g., systems, data, equipment, etc.), privacy protections, maintenance of records, business resumption contingency planning, systems development and maintenance, and employee background checks. Determine if the service provider provides sufficient security precautions, including, when appropriate, firewalls, encryption, and customer identity authentication, to protect institution resources as well as detect and respond to intrusions. Review audit reports of the service provider to determine whether the audit scope, internal controls, and security safeguards are adequate.
7 Page A - 2 Evaluate whether the institution will have complete and timely access to its information maintained by the provider. Evaluate the service provider s knowledge of regulations that are relevant to the services they are providing. (e.g., Regulation E, privacy and other consumer protection regulations, Bank Secrecy Act, etc.). Assess the adequacy of the service provider s insurance coverage including fidelity, fire, liability, data losses from errors and omissions, and protection of documents in transit. Financial Condition Analyze the service provider s most recent audited financial statements and annual report as well as other indicators (e.g., publicly traded bond ratings), if available. Consider factors such as how long the service provider has been in business and the service provider s market share for a given service and how it has fluctuated. Consider the significance of the institution s proposed contract on the service provider s financial condition. Evaluate technological expenditures. Is the service provider s level of investment in technology consistent with supporting the institution s activities? Does the service provider have the financial resources to invest in and support the required technology? Contract Issues Some considerations for contracting with service providers are discussed below. This listing is not all-inclusive and the institution may need to evaluate other considerations based on its unique circumstances. The level of detail and relative importance of contract provisions varies with the scope and risks of the services outsourced. Scope of Service The contract should clearly describe the rights and responsibilities of parties to the contract. Considerations include: Timeframes and activities for implementation and assignment of responsibility. Implementation provisions should take into consideration other existing systems or interrelated systems to be developed by different service providers (e.g., an Internet banking system being integrated with existing core applications or systems customization). Services to be performed by the service provider including duties such as software support and maintenance, training of employees or customer service. Obligations of the financial institution. The contracting parties rights in modifying existing services performed under the contract. Guidelines for adding new or different services and for contract re-negotiation. Performance Standards Institutions should generally include performance standards defining minimum service level requirements and remedies for failure to meet standards in the contract. For example, common service level metrics include percent system uptime, deadlines for completing batch processing, or number of processing errors. Industry standards for service levels may provide a reference point. The institution should periodically review overall performance standards to ensure consistency with its goals and objectives.
8 Page A - 3 Security and Confidentiality The contract should address the service provider s responsibility for security and confidentiality of the institution s resources (e.g., information, hardware). The agreement should prohibit the service provider and its agents from using or disclosing the institution s information, except as necessary to or consistent with providing the contracted services, to protect against unauthorized use (e.g., disclosure of information to institution competitors). If the service provider receives nonpublic personal information regarding the institution s customers, the institution should notify the service provider to assess the applicability of the privacy regulations. Institutions should require the service provider to fully disclose breaches in security resulting in unauthorized intrusions into the service provider that may materially affect the institution or its customers. The service provider should report to the institution when material intrusions occur, the effect on the institution, and corrective action to respond to the intrusion. Controls Consideration should be given to contract provisions addressing control over operations such as: Internal controls to be maintained by the service provider. Compliance with applicable regulatory requirements. Records to be maintained by the service provider. Access to the records by the institution. Notification by the service provider to the institution and the institution s approval rights regarding material changes to services, systems, controls, key project personnel allocated to the institution, and new service locations. Setting and monitoring of parameters relating to any financial functions, such as payments processing and any extensions of credit on behalf of the institution. Insurance coverage to be maintained by the service provider. Audit The institution should generally include in the contract the types of audit reports the institution is entitled to receive (e.g., financial, internal control and security reviews). The contract can specify audit frequency, cost to the institution associated with the audits if any, as well as the rights of the institution and its agencies to obtain the results of the audits in a timely manner. The contract may also specify rights to obtain documentation regarding the resolution of audit disclosed deficiencies and inspect the processing facilities and operating practices of the service provider. Management should consider, based upon the risk assessment phase, the degree to which independent internal audits completed by service provider audit staff can be used and the need for external audits and reviews (e.g., SAS 70 Type I and II reviews). 5 For services involving access to open networks, such as Internet-related services, special attention should be paid to security. The institution may wish to include contract terms requiring periodic audits to be performed by an independent party with sufficient expertise. These audits may include penetration testing, intrusion detection, and firewall configuration. The institution should receive sufficiently detailed reports on the findings of these ongoing audits to adequately assess security without compromising the service provider s security. It can be beneficial to both the service provider and the institution to contract for such ongoing tests on a coordinated basis 5 AICPA Statement of Auditing Standards 70 Reports of Processing of Transactions by Service Organizations, known as SAS 70 Reports, are one commonly used form of external review. Type I SAS 70 reports review the service provider s policies and procedures. Type II SAS 70 reports provide tests of actual controls against policies and procedures.
9 Page A - 4 given the number of institutions that may contract with the service provider and the importance of the test results to the institution. Reports Contractual terms should discuss the frequency and type of reports the institution will receive (e.g., performance reports, control audits, financial statements, security, and business resumption testing reports). Guidelines and fees for obtaining custom reports should also be discussed. Business Resumption and Contingency Plans The contract should address the service provider s responsibility for backup and record protection, including equipment, program and data files, and maintenance of disaster recovery and contingency plans. Responsibilities should include testing of the plans and providing results to the institution. The institution should consider interdependencies among service providers when determining business resumption testing requirements. The service provider should provide the institution with operating procedures the service provider and institution are to implement in the event business resumption contingency plans are implemented. Contracts should include specific provisions for business recovery timeframes that meet the institution s business requirements. The institution should ensure that the contract does not contain any provisions that would excuse the service provider from implementing its contingency plans. Sub-contracting and Multiple Service Provider Relationships Some service providers may contract with third-parties in providing services to the financial institution. To provide accountability, it may be beneficial for the financial institution to seek an agreement with and designate a primary contracting service provider. The institution may want to consider including a provision specifying that the contracting service provider is responsible for the service provided to the institution regardless of which entity is actually conducting the operations. The institution may also want to consider including notification and approval requirements regarding changes to the service provider s significant subcontractors. Cost The contract should fully describe fees and calculations for base services, including any development, conversion, and recurring services, as well as any charges based upon volume of activity and for special requests. Cost and responsibility for purchase and maintenance of hardware and software may also need to be addressed. Any conditions under which the cost structure may be changed should be addressed in detail including limits on any cost increases. Ownership and License The contract should address ownership and allowable use by the service provider of the institution s data, equipment/hardware, system documentation, system and application software, and other intellectual property rights. Other intellectual property rights may include the institution s name and logo; its trademark or copyrighted material; domain names; web sites designs; and other work products developed by the service provider for the institution. The contract should not contain unnecessary limitations on the return of items owned by the institution. Institutions that purchase software should consider establishing escrow agreements. These escrow agreements may provide for the following: institution access to source programs under certain conditions (e.g., insolvency of the vendor), documentation of programming and systems, and verification of updated source code.
10 Page A - 5 Duration Institutions should consider the type of technology and current state of the industry when negotiating the appropriate length of the contract and its renewal periods. While there can be benefits to long-term technology contracts, certain technologies may be subject to rapid change and a shorter-term contract may prove beneficial. Similarly, institutions should consider the appropriate length of time required to notify the service provider of the institutions intent not to renew the contract prior to expiration. Institutions should consider coordinating the expiration dates of contracts for inter-related services (e.g., web site, telecommunications, programming, network support) so that they coincide, where practical. Such coordination can minimize the risk of terminating a contract early and incurring penalties as a result of necessary termination of another related service contract. Dispute Resolution The institution should consider including in the contract a provision for a dispute resolution process that attempts to resolve problems in an expeditious manner as well as provide for continuation of services during the dispute resolution period. Indemnification Indemnification provisions generally require the financial institution to hold the service provider harmless from liability for the negligence of the institution, and vice versa. These provisions should be reviewed to reduce the likelihood of potential situations in which the institution may be liable for claims arising as a result of the negligence of the service provider. Limitation of Liability Some service provider standard contracts may contain clauses limiting the amount of liability that can be incurred by the service provider. If the institution is considering such a contract, consideration should be given to whether the damage limitation bears an adequate relationship to the amount of loss the financial institution might reasonably experience as a result of the service provider s failure to perform its obligations. Termination The extent and flexibility of termination rights sought can vary depending upon the service. Contracts for technologies subject to rapid change, for example, may benefit from greater flexibility in termination rights. Termination rights may be sought for a variety of conditions including change in control (e.g., acquisitions and mergers), convenience, substantial increase in cost, repeated failure to meet service levels, failure to provide critical services, bankruptcy, company closure, and insolvency. Institution management should consider whether or not the contract permits the institution to terminate the contract in a timely manner and without prohibitive expense (e.g., reasonableness of cost or penalty provisions). The contract should state termination and notification requirements with time frames to allow the orderly conversion to another provider. The contract must provide for return of the institution s data, as well as other institution resources, in a timely manner and in machine readable format. Any costs associated with transition assistance should be clearly stated. Assignment The institution should consider contract provisions that prohibit assignment of the contract to a third party without the institution s consent, including changes to subcontractors.
11 Page A - 6 Oversight of Service Provider Some of the oversight activities management should consider in administering the service provider relationship are categorized and listed below. The degree of oversight activities will vary depending upon the nature of the services outsourced. Institutions should consider the extent to which the service provider conducts similar oversight activities for any of its significant supporting agents (i.e., subcontractors, support vendors, and other parties) and the extent to which the institution may need to perform oversight activities on the service provider s significant supporting agents. Monitor Financial Condition and Operations Evaluate the service provider s financial condition periodically. Ensure that the service provider s financial obligations to subcontractors are being met in a timely manner. Review audit reports (e.g., SAS 70 reviews, security reviews) as well as regulatory examination reports if available, and evaluate the adequacy of the service providers systems and controls including resource availability, security, integrity, and confidentiality. 6 Follow up on any deficiencies noted in the audits and reviews of the service provider. Periodically review the service provider s policies relating to internal controls, security, systems development and maintenance, and back up and contingency planning to ensure they meet the institution s minimum guidelines, contract requirements, and are consistent with the current market and technological environment. Review access control reports for suspicious activity. Monitor changes in key service provider project personnel allocated to the institution. Review and monitor the service provider s insurance policies for effective coverage. Perform on-site inspections in conjunction with some of the reviews performed above, where practicable and necessary. Sponsor coordinated audits and reviews with other client institutions. Assess Quality of Service and Support Regularly review reports documenting the service provider s performance. Determine if the reports are accurate and allow for a meaningful assessment of the service provider s performance. Document and follow up on any problem in service in a timely manner. Assess service provider plans to enhance service levels. Review system update procedures to ensure appropriate change controls are in effect, and ensure authorization is established for significant system changes. Evaluate the provider s ability to support and enhance the institution s strategic direction including anticipated business development goals and objectives, service delivery requirements, and technology initiatives. Determine adequacy of training provided to financial institution employees. Review customer complaints on the products and services provided by the service provider. Periodically meet with contract parties to discuss performance and operational issues. 6 Some services provided to insured depository institutions by service providers are examined by the FFIEC member agencies. Regulatory examination reports, which are only available to clients/customers of the service provider, may contain information regarding a service provider s operations. However, regulatory reports are not a substitute for a financial institution s due diligence in oversight of the service provider.
12 Page A - 7 Participate in user groups and other forums. Monitor Contract Compliance and Revision Needs Review invoices to assure proper charges for services rendered, the appropriateness of rate changes and new service charges. Periodically, review the service provider s performance relative to service level agreements, determine whether other contractual terms and conditions are being met, and whether any revisions to service level expectations or other terms are needed given changes in the institution s needs and technological developments. Maintain documents and records regarding contract compliance, revision and dispute resolution. Maintain Business Resumption Contingency Plans Review the service provider s business resumption contingency plans to ensure that any services considered mission critical for the institution can be restored within an acceptable timeframe. Review the service provider s program for contingency plan testing. For many critical services, annual or more frequent tests of the contingency plan are typical. Ensure service provider interdependencies are considered for mission critical services and applications.
Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the
GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,
Outsourcing Technology Services A Management Decision A Telephone Seminar for National Banks Tuesday, July 20, 2004 And again on Wednesday, July 21, 2004 Agenda Outsourcing activities and relationships
Federal Financial Institutions Examination Council FFIEC Outsourcing Technology Services OT JUNE 2004 IT EXAMINATION H ANDBOOK TABLE OF CONTENTS INTRODUCTION... 1 BOARD AND MANAGEMENT RESPONSIBILITIES...
Office of Thrift Supervision September 1, 2004 Department of the Treasury Thrift Bulletin TB 82a Handbooks: Thrift Activities Section: 310 Subject: Oversight by the Board of Directors Third Party Arrangements
Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
OCC BULLETIN Comptroller of the Currency Administrator of National Banks Subject: Third-Party Relationships Description: Risk Management Principles TO: Chief Executive Officers of National Banks, Federal
VENDOR MANAGEMENT: Responsibilities and Risk Mitigation Saltmarsh Compliance Funnel Patricia M. Hernandez September 22, 2016 TODAY S OBJECTIVES Review vendor management guidance issued by the FED, OCC,
World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with
Financial Services Group To: Our Clients and Friends March 25, 2014 A Significant Change Is Occurring Regarding Regulatory Oversight of Banks and Their Third Party Relationships. Both Banks and their Vendors
An Overview for Bank Directors Managing the Third Party Relationship Patrick Neuman Boardman & Clark LLP Madison, Wisconsin Any business relationship between a bank and another entity, by contract or otherwise
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
Statement of Guidance: Outsourcing All Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1. 1.2. 1.3. 1.4. This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on
White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety
Outsourced Third Party Relationship Management/ Vendor Management TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP 1 Risk Management Guidance 2 3 Appendix J: 4 - Key Elements Third Party Management
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
Vendor Risk Management in the New Regulatory Environment kpmg.com Vendor Risk Management in the New Regulatory Environment 2 Vendor Risk Management in the New Regulatory Environment Background Regulators
Federal Deposit Insurance Corporation National Credit Union Administration Office of Thrift Supervision Office of the Comptroller of the Currency April 23, 2003 WEBLINKING: IDENTIFYING RISKS AND RISK MANAGEMENT
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
Morgan Stanley Policy for the Management of Third Party Residential Mortgage Servicing Providers Title Policy for the Management of Third Party Residential Mortgage Servicing Providers Effective Date Owner
Sample Information Security Policies Sample Information Security Policies May 31, 2011 1 13740 Research Blvd Suite 2, Building T Austin, TX 78750 512.351.3700 www.aboundresources.com Boston Austin Atlanta
DEALERSHIP IDENTITY THEFT RED FLAGS AND NOTICES OF ADDRESS DISCREPANCY POLICY This Plan we adopted by member, partner, etc.) on Our Program Coordinator (date). (Board of Directors, owner, We have appointed
OUTSOURCING GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2008 BANK OF TANZANIA PART I PRELIMINARY 1 These guidelines may be cited as the Outsourcing Guidelines for Banks and Financial Institutions,
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES A CONSULTATION REPORT OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS STANDING COMMITTEE 3 ON MARKET INTERMEDIARIES
APES GN 30 Outsourced Services Prepared and issued by Accounting Professional & Ethical Standards Board Limited ISSUED: March 2013 Copyright 2013 Accounting Professional & Ethical Standards Board Limited
Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine
Guidance Note GGN 221.1 Managing Outsourcing Arrangements 1. This Guidance Note provides further detail on the requirements for managing material outsourcing arrangements (refer Prudential Standard GPS
GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987 CONTENTS Page 1. Introduction 3-4 2. The Commission s Policy 5 3. Outsourcing
30-SECOND SUMMARY The Federal Reserve and the Office of the Comptroller of the Currency (OCC) have issued extensive new guidance to financial institutions about the use of third parties to perform functions
TRUE TITLE BEST PRACTICES Mission Statement The American Land Title Association (ALTA) seeks to guide its membership on best practices to protect consumers, promote quality service, provide for ongoing
Third Party Risk Introduction The board of directors and senior management of an insured depository institution (institution) are ultimately responsible for managing activities conducted through third-party
Technology Outsourcing Techniques for Managing Multiple Service Providers Technology Outsourcing Techniques for Managing Multiple Service Providers Federal Deposit Insurance Corporation 550 17th Street
VENDORINSIGHTU P D A T E November 12, 2013 COMPLIANCE VendorINSIGHT is the industry-leading solution for financial institutions offering the most features and capabilities for vendor risk monitoring. Ask
SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS An overview of how the Shared Assessments Program SIG 2014
Skadden Skadden, Arps, Slate, Meagher & Flom LLP & Affiliates If you have any questions regarding the matters discussed in this memorandum, please contact the following attorneys or call your regular Skadden
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
SUPERVISORY AND REGULATORY GUIDELINES: PU48-0809 ISSUED: 4 th May 2004 REVISED: 27 th August 2009 GUIDELINES ON MINIMUM STANDARDS FOR THE OUTSOURCING OF MATERIAL FUNCTIONS I. INTRODUCTION The Central Bank
GREAT AMERICAN TITLE OF HOUSTON, LLC D/B/A GREAT AMERICAN TITLE COMPANY EXAMINATION REPORT NOVEMBER 24, 2015 INDEPENDENT ACCOUNTANTS' REPORT To the Board of Directors of Great American Title of Houston,
A How-To Guide for Updating HIPAA Policies & Procedures to Align with ARRA Health Care Provider Edition Version 1 Policy and Procedure Templates Reflects modifications published in the Federal Register
POV on Draft Guidelines on Managing Risks and Code of Conduct in Outsourcing of Financial Services by NBFCs April 2015 For private circulation only Draft Guidelines on Managing Risks and Code of Conduct
Vermont Information Technology Leaders HIPAA COMPLIANCE POLICIES AND PROCEDURES Policy Number: InfoSec 1 Policy Title: Information Privacy and Security Management Process IDENT INFOSEC1 Type of Document:
Technology Outsourcing Effective Practices for Selecting a Service Provider Technology Outsourcing Effective Practices for Selecting a Service Provider Federal Deposit Insurance Corporation 550 17th Street
This Data Protection Addendum ( Addendum ) is an add-on to the Purchasing Terms and Conditions found at http://www.procurement.virginia.edu/pagepterms. It is applicable only in those situations where the
Institution Charter Date of Exam Prepared By INFORMATION TECHLOGY OFFICER S QUESTIONNAIRE Instructions for Completing the Information Technology Examination Officer s Questionnaire The Information Technology
Mobile Deposit Policy Mobile Deposit, a deposit transaction delivery system, allows the Credit Union to receive digital information from deposit documents captured at remote locations (i.e., the Credit
ALTA Title Insurance & Settlement Company Best Practices N e w C a s t l e T i t l e 7 5 0 N o r t h 3 r d S t r e e t, S u i t e B ( 6 0 8 ) 7 8 3-9 2 6 5 ( 6 0 8 ) 7 8 3-9 2 6 6 5 / 2 2 / 2 0 1 5 0 5/22/15
November 8, 2010 To All Insurers Draft Guidelines on Outsourcing of activities by Insurance Companies Reference: 1. INV/CIR/031/2004-05 dated 27 th July, 2004 2. INV/CIR/058/2004-05 dated 28 th December,
OFHEO Director's Advisory Policy Guidance Issuance Date: December 19, 2001 Doc. #: PG-01-002 Subject: Safety and Soundness Standards for Information To: Chief Executive Officers of Fannie Mae and Freddie
Certification Scheme Y03 Compliance Management Systems ISO 19600 ONR 192050 Issue V2.1:2015-01-08 Austrian Standards plus GmbH Dr. Peter Jonas Heinestraße 38 A-1020 Vienna, Austria E-Mail: email@example.com
Subject: Technology Risk Management: PC Banking Description: Guidance for Bankers and Examiners To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal
Bank of Papua New Guinea Prudential Standard BPS252: Outsourcing of Business Activities, Functions and Processes Issued under Section 27 of the Banks and Financial Institutions Act 2000 Overview and Key
Agreement Digital Testing System (Annex 4 to the RFP Digital Testing System) Annex 1 - Data Processing Agreement ANNEX 1 DATA PROCESSING AGREEMENT RELATING TO THE AGREEMENT DIGITAL TESTING SYSTEM BETWEEN
CLOUD COMPUTING FOR SMALL- AND MEDIUM-SIZED ENTERPRISES: Privacy Responsibilities and Considerations Cloud computing is the delivery of computing services over the Internet, and it offers many potential
PLC Intellectual Property & Technology An intellectual property (IP) and information technology (IT) due diligence request list for use in connection with an M&A transaction. This request list is designed
FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-07 OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS Purpose This advisory bulletin communicates the Federal Housing Finance Agency s (FHFA)
Prudential Practice Guide PPG 231 Outsourcing October 2006 www.apra.gov.au Australian Prudential Regulation Authority Disclaimer and copyright This prudential practice guide is not legal advice and users
THE 4 TH NATIONAL CONFERENCE ON OUTSOURCING IN FINANCIAL SERVICES NEGOTIATING, MANAGING & TERMINATING OUTSOURCING RELATIONSHIPS WHILE ENSURING REGULATORY COMPLIANCE Renaissance Mayflower, Washington, DC
Caveat Emptor: What is Vendor Management & Why is it Important to You? Session 4: Vendor Management insidearm LLC Legal Disclaimer This information is not intended to be legal advice and may not be used
NCP 2016 Exam Cycle Core Training Series Session 11 National Check Payments Certification Fraud, Risk, and Risk Mitigation Part II Copyright 2015 by the Electronic Check Clearing House Organization NOTICES
Interagency Guidelines Establishing Information Security Standards Small-Entity Compliance Guide I. INTRODUCTION Purpose and Scope of the Guide This Small-Entity Compliance Guide (footnote 1) is intended
CONSULTATION PAPER P019-2014 SEPTEMBER 2014 GUIDELINES ON OUTSOURCING PREFACE 1 MAS first issued the Guidelines on Outsourcing ( the Guidelines ) in 2004 1 to promote sound risk management practices for
GUIDELINE ON THE APPLICATION OF THE OUTSOURCING REQUIREMENTS UNDER THE FSA RULES IMPLEMENTING MIFID AND THE CRD IN THE UK This Guideline does not purport to be a definitive guide, but is instead a non-exhaustive
Service Schedule for CLOUD SERVICES This Service Schedule is effective for Cloud Services provided on or after 1 September 2013. Terms and Conditions applicable to Cloud Services provided prior to this
SUPERVISORY AND REGULATORY GUIDELINES Guidelines Issued: 22 December 2015 GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS 1. INTRODUCTION 1.1 The Central Bank of The Bahamas ( the Central
isl Assessment and Compliance with Federal Financial Institutions Examination Council (FFIEC) Requirements DataGuardZ White Paper Forti5 BNP Paribas [Pick the date] What is the history behind FFIEC compliance?
Compliance Management System Introduction Financial institutions operate in a dynamic environment influenced by industry consolidation, convergence of financial services, emerging technology, and market
PM-36: Attachment 4 Business Associate Contract Addendum On this day of, 20, the undersigned, [Name of Covered Entity] ("Covered Entity") and [Name of Business Associate] ("Business Associate") have entered
CONSULTATION PAPER P018-2014 SEPTEMBER 2014 NOTICE ON OUTSOURCING PREFACE 1 MAS first issued the Guidelines on Outsourcing in 2004 1 ( Guidelines ) to promote sound risk management practices for the outsourcing
Proposed Principles to be addressed in APES GN 20 Outsourced Accounting Services Roles and Responsibilities The proposed Guidance Note 20 Outsourced Accounting Services (GN 20) will set out the various
The PNC Financial Services Group, Inc. Business Continuity Program subsidiaries) 1 Content Overview A. Introduction Page 3 B. Governance Model Page 4 C. Program Components Page 4 Business Impact Analysis
Are your business partners watching your back when you are watching your front? Danny Shaw SE Practice Leader IT Risk Advisory Services Experis Thursday, October 4, 2012 1 Objectives: Organizations frequently
Outsourcing Risk Guidance Note for Banks Part 1: Definitions Guideline 1 For the purposes of these guidelines, the following is meant by: a) outsourcing: an authorised entity s use of a third party (the
General HIPAA Implementation FAQ What is HIPAA? Signed into law in August 1996, the Health Insurance Portability and Accountability Act ( HIPAA ) was created to provide better access to health insurance,
March 24, 2014 If you have any questions regarding the matters discussed in this memorandum, please contact the following attorneys or your regular Skadden contact. Stuart D. Levi New York / 212.735.2750
Federal Financial Institutions Examination Council 3501 FAIRFAX DRIVE ROOM 3086 ARLINGTON, VA 22226-3550 (703) 516-5487 http://www.ffiec.gov Background and Purpose Risk Management of Remote Deposit Capture
FAYETTEVILLE SCHOOL DISTRICT REQUEST FOR PROPOSAL FOR: Investment Management Services 1.0 INTRODUCTION 1.1 This is a Request for Proposal (RFP) for the Fayetteville School District, Fayetteville, Arkansas.
Due Diligencing Investment Advisers and Outsourced Service Providers By Shane B. Hansen, Partner Warner Norcross & Judd LLP April 30, 2015 Introduction The selection of investment advisers, including subadvisers,
Compliance and Ethics at the Federal Reserve Bank of New York Operational Risk and Internal Audit Course Marina Adams, Compliance Officer and AVP David K. Clune, Compliance and Ethics Officer Kevin White,
Tool QQ Early Childhood Iowa CONTRACTING FOR SERVICES This tool provides an overview of the components of a contract. If your ECI area board currently uses contracts to purchase services, use this tool
BUSINESS ASSOCIATE AGREEMENT This Business Associate Agreement (the Agreement ), is made effective as of the sign up date on the login information page of the CarePICS.com website, by and between CarePICS,
Third Party Risk Introduction The board of directors and senior management of an insured depository institution (institution) are ultimately responsible for managing activities conducted through third-party