VENDOR MANAGEMENT Presented By:

Transcription

1 VENDOR MANAGEMENT EXAMINER EXPECTATIONS FOR ASSESSING & MANAGING 3RD PARTY RISK Presented By: Tom Hinkel, VP of Compliance Services Safe Systems, Inc.

2 Agenda Blurred Lines: Defini/on of vendor Recent regulatory expecta/ons for vendor management Due diligence (pre- contract) Contracts 6 vendor management steps to take NOW

3 Tradi/onal defini/on: Vendor vs. Service Provider Vendor anyone with whom you have a contractual rela/onship Service Provider Vendor that provides a bank- related service (BSCA). check and deposit sor/ng and pos/ng, computa/on and pos/ng of interest and other credits and charges, prepara/on and mailing of checks, statements, no/ces, and similar items, or any other clerical, bookkeeping, accoun/ng, sta/s/cal, or similar func/ons performed for a depository ins/tu/on.

4 Current defini/on: Vendor vs. Service Provider Term "service providers" is broadly defined to include all en//es* that have entered into a contractual rela/onship with a financial ins/tu/on to provide business func/ons or ac/vi/es. Federal Reserve * En//es may be a bank or nonbank, affiliated or non- affiliated, regulated or non- regulated, or domes/c or foreign. A third- party rela/onship is any business arrangement between a bank and another en/ty, by contract or otherwise.* - OCC * Third- party rela/onships include ac/vi/es that involve outsourced products and services, use of independent consultants Third- party rela/onships generally do not include customer rela/onships.

5 FFIEC Financial ins/tu/ons increasingly rely on service providers, soxware vendors, and other third par/es. Financial ins/tu/ons are responsible for risks associated with the ac/vi/es of third- party service providers with which they contract. An effec/ve outsourcing oversight program should provide the framework for management to understand, monitor, measure, and control the risks associated with outsourcing.

6 Vendor Management What s New? Increased vendor selec/on & pre- contract due diligence Strategic goals (decision to outsource) Concentra/on risk Cri/cality of service (highly cri/cal vendors may need to be assigned to a senior officer for oversight - OCC) Vendor use of sub- contractors BCP review (opera/onal risk) Expanded Risk Assessments (not just NPI) Cri/cality Complexity Reputa/onal risk

7 Vendor Management What s New? (cont.) Increased on- going oversight Contracts Third- party report (audits) - SAS- 70 vs. SOC 1, 2, 3 Regulatory examina/on reports BOD repor/ng Assess ALL vendors

8 Due Diligence 1. During the product selec/on process, prior to contrac/ng for the product or service Reputa/on, strategic fit, etc. 2. AXer the vendor has been selected, and prior to implementa/on RFP s vs. contracts 3. Post implementa/on, and ongoing as long as the rela/onship exists Tradi/onal vendor management program

9 Due Diligence Pre- Contract Product / Service is in alignment with strategic plan? Outsourcing is best op/on? RFP/RFI U/lized? Product / Service Cloud Based? Vendor Business Con/nuity RTO's Reviewed?

10 Due Diligence Checklist

11 Due Diligence Checklist

12 Due Diligence Checklist

13 Controls Controls Trust but Verify Financial Statements Contracts & Service Level Agreements (SLA s) Incident Response Plans (include actual incidents) DR/BCP Plans (RTO s aligned?) Regulatory Examina/on Reports Third- party audit reviews (SAS 70 phased out)

14 Controls According to the FFIEC Handbook on Outsourcing Technology Services The is the single most important control in the outsourcing process. A. Ini/al due diligence process B. Review of third- party audit reports C. Contract D. Risk Assessment E. Vendor s financial stability

15 Controls The contract is the legally binding document that defines all aspects of the servicing rela/onship. A wrijen contract should be present in all servicing rela/onships. This includes instances where the service provider is affiliated with the ins/tu/on. The contract is the single most important control in the outsourcing process.

16 Contracts

17 Contracts

18 Contracts

19 Contracts

20 Regulatory Examination Reports The Agencies conduct IT- related examina/ons of financial ins/tu/ons and their TSPs based on the guidelines contained in the IT Handbooks. Uses URSIT (Uniform Ra/ng System for Informa/on Technology) ra/ngs Each TSP examined for IT is assigned a summary or composite ra/ng based on the overall results of the evalua/on.

21 Regulatory Examination Reports The financial ins/tu/on must inquire from their primary federal regulator (PFR) whether or not they have completed an examina/on of the vendor (or TSP). If the PFR indicates they have, the ins/tu/on may request a summary of the exam (called a Report of Examina/on, or ROE), which will not contain the actual score. Instead the ROE contains an Open Sec/on, which contains all significant examina/on findings and conclusions. The excep/on to this is if the TSP scores a 4 or lower (i.e. 4 or 5), in which case the regulator will proac/vely provide a summary of the exam to each ins/tu/on serviced by the TSP.

22 Next Steps? 6 Changes to Make to your Vendor Management Program Now ü Remove references to SAS 70, replace with Third- party Review ü Rank Vendors Use Tiered Approach (H, M, L, or Tier I, Tier II, Tier III) ü Add Vendor Management responsibili/es to IT Steering Commijee (or equivalent). High risk vendors may require senior management sponsor. ü Manage contract expira/on dates and auto- renewal clauses ü Review SOC reports ü Request examina/on reports

23 Questions? Tom Hinkel CISA, CRISC, CCSA, CRMA VP of Compliance Services Safe Systems, Inc. The Compliance and Technology Partner for Financial Ins8tu8ons