Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP
Risk Management Guidance

Appendix J: Key Elements
- Third Party Management
- Third Party Capacity
- Testing with Third Party TSPs
- Cyber Resilience

Risk Management Program

Life Cycle
The risk management process throughout the life cycle of the relationship includes:
- A plan outlining the bank's strategy and inherent risks, and how it will select, assess, and oversee 3rd parties
- Proper selection due diligence
- Contracts outlining roles and responsibilities
- Ongoing monitoring of activities and performance
- Termination contingency plans
- Roles/responsibilities for overseeing the relationship and the risk management process
- Documentation and reporting: oversight, accountability, monitoring, risk management
- Management reviews to ensure alignment with the strategic goals and objectives of the bank

More comprehensive and rigorous oversight and management is expected for relationships that involve critical activities, such as:
- Significant bank functions (payments, clearing, settlements)
- Significant shared services (information technology)
- Activities that create significant risk if the 3rd party fails to meet expectations
- Activities that could have a significant customer impact
- Activities that require significant investment in resources to implement and manage the 3rd party
- Activities that could have a major impact on operations if the bank has to find an alternate 3rd party or bring the activity in-house

Oversight and Accountability
- Board
- Senior Management
- Employees managing relationships

Board and Sr. Mgmt
Board:
- Establish and approve policies governing use of 3rd parties
- Establish the risk management program
Senior Mgmt:
- Ensure execution of the policies
- Oversee development and implementation of the program
- Report to the Board
"A bank's board of directors is required to remain vigilant to the hazards posed by outsourcing functions to third parties, or else risk significant financial and reputational harm to its institution." - OCC and CFPB

FDIC FIL: "An institution's board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships and identifying and controlling the risks arising from such relationships to the same extent as if the activity were handled within the institution."
Committee
Not a regulatory requirement, but a good practice. Suggested members:
- End user management
- Compliance officer
- Risk officer
- Technology officer
- Audit (liaison)
- Legal (liaison)

Planning
Discuss:
- Inherent risks
- Strategic purposes
- Complexity
- Cost vs. benefit
- Effect on strategic initiatives
- Impact to dual employees
- Customer interaction
- Security
- Contingency plans
- Laws and regulations
- Whether the selection aligns with bank policies and practices
Detail the selection, assessment, and oversight of compliance with the contract; the plan is presented to and approved by the BOD.

Strategic Planning
- Integration with overall strategic objectives
- Identify the role of the relationship in conjunction with the business strategy and objectives
- Identify: need/purpose, benefits, costs, legal issues

Risk Assessment
- Identify all third party relationships
- Identify the risks
- Identify risk mitigation strategies
- Risk rate and rank

Enterprise-wide: third party relationships exist across the institution, for example:
- HR/Payroll processor
- Operations (wires, ACH, ATM, Core)
- IT
- Trust
- Cash Management
- Law Firms
- Marketing
- Accounting
- Lending
- Facilities/Security Company

Classification Factors
- Mission critical
- Access to NPI
- Information controlled by the third party
- Volume of transactions
- Concentration of $
- New activity
- New relationship
- Market products or services
- High risk activities
- Cloud computing
- Subcontracting/Foreign based contractors
- Foreign based company
Types of Risk
- Reputation: risk arising from negative publicity or public opinion.
- Strategic: risk arising from adverse business decisions, failure to implement appropriate business decisions, or invalid assumptions.
- Transactional: risk arising from problems with service or product delivery.
- Operational: risk from inadequate or failed internal processes, people, or systems, or from an external event.
- Credit: risk that those necessary to the relationship are unable to meet the terms of the contractual arrangement or perform as agreed financially.
- Compliance/legal: risk arising from violations of laws, rules, or regulations, or noncompliance with internal policies and procedures.
- Concentration: arises when outsourced services or products are provided by a limited number of providers or are concentrated in limited geographic locations.

Potential Risk
- Interest rate
- Liquidity
- Market
- Foreign currency translation
- Country risk
- Pricing

Foreign Based
- Background
- Country risk/ability to prosecute
- Compliance risk: US laws, embargoes, sanctions, OFAC

Specific Risk with Technology
- Reliability
- Security
- Scalability
- Compatibility

Failure to Manage/Mitigate
- Regulatory action
- Financial loss
- Reputation issues
- Legal actions
- Impact on the ability to establish new or continue current customer relationships
Written Program Elements
- Overview of program
- Responsibilities
- Risk management process
- Needs assessment
- Due diligence and selection
- Contracting
- Oversight and monitoring: how to monitor/manage problems with the 3rd party; how to monitor performance against the SLA
- Termination
- Contingency
- Approval process

Needs Assessment
- Function/activity
- Purpose/need served
- Alignment with strategic plan
- Budgeted amount
- Minimum standards/expectations
- Minimum acceptable characteristics
- Security/control
- Oversight reports
- BCP
- Conversion/Training
- Contract requirements

Due Diligence/Selection
- Conduct on all potential 3rd parties prior to selection
- Don't rely solely on prior knowledge or experience
- Should be commensurate with the level of risk and complexity of the relationship; onsite visits may be useful for a full understanding of operations and capacity
- Broaden scope as necessary

Due Diligence/Selection: areas to review
- Financial status
- Strategies and goals
- References
- Legal/regulatory compliance issues
- Resilience: BCP/Pandemic preparedness/Incident Response
- Risk management/information security
- Qualifications, background, reputation of principals
- Employee background checks
- Insurance coverage
- Experience and reputation
- Internal controls
- Facilities management
- Training
- Security of systems
- Privacy/confidentiality
- Maintenance and retention of records
- Use of subcontractors
- Physical security
- Systems development
- Technology/system specs
- Service support/delivery
- Resource management
- Fee structure
- Conflicting contract arrangements with others
Business Resiliency
- Ensure the third party service provider has its own third party risk management program
- Third Party Service Provider's ability to provide critical services to all its clients and to meet stated RTOs and RPOs

Lack of resilience/failure of TSP: options
- Financial Institution clients take over operations
- Convert: a new TSP takes over existing operations
- Bring in-house

Financial Performance and Condition
- Most recent financials
- Sustainability
- Effect of the FI relationship on the SP's financial condition
- SP commitment to contracted services
- SP review of the financial condition of any subcontractor
- Other current issues the SP may be facing that may affect future financial performance
- Insurance coverage

Contract Elements
- Scope of service
- Performance standards/benchmarks
- Security/Confidentiality (GLBA)
- Compliance with laws, regulations, guidance
- Security/Controls
- Change management
- Incident response
- BCP/DR
- Right to audit and remediation
- MIS/oversight reports
- Responsibilities for providing, receiving, and retaining information
- Cost and compensation
- Ownership and license
- Indemnification
- Dispute resolution
- Limits on liability
- Default and termination
- Subcontracting
- Foreign based 3rd parties
- Duration
- Assignment of contract

OCC on Contracts: stipulate that performance of activities by external parties is subject to OCC examination oversight, including access to all work papers, drafts, and other materials. The OCC generally has authority to examine and regulate functions/operations provided by 3rd parties to the same extent as those of the bank.

Service Level Agreement
Identify the significant elements of service:
- Processing error rates
- System uptime/downtime
- Speed
- Performance
- Availability/timeliness of service
- Confidentiality/integrity of data
- Change control
- Help desk
Ongoing Monitoring
- Compliance with legal and regulatory requirements
- Insurance coverage
- Key personnel knowledge
- Ability to effectively manage risk
- Confidentiality/integrity of systems/information
- Adequacy of training
- Process for adjusting policies, procedures, and controls in response to changing threats/vulnerabilities/breaches
- Information technology used/management of information systems
- Business continuity/DR
- Subcontracting
- Consumer complaints and remediation
- Ensure the bank's customer base is segregated from the provider's other clients (especially with a cloud provider)
- Internal controls: assess adequacy of the control environment (SSAE 16, SOC 2, FFIEC examination)
- Security incidents
- Onsite visits as needed
- Escalation of oversight activities when the 3rd party fails to meet performance, compliance, control, or viability expectations

Ongoing Monitoring: types of reports
- Financial
- Patch management
- Pen testing
- Security assessments
- Audits
- Incident response
- BCP/pandemic

SSAE 16
- SOC 1: internal controls over financial reporting (ICFR)
- SOC 2: specifically designed for data centers, MSSPs, SaaS vendors, cloud computing and technology providers

SOC 2 Trust Services Principles
- Security of systems
- Availability of systems
- Processing integrity
- Confidentiality of information
- Privacy of information

Independent Review
Senior management should ensure periodic independent reviews are conducted of the 3rd party risk management process, especially for critical activities.
- Internal audit or independent audit
- Report to the Board
FRB - BCP and Appendix J: Business Resiliency
- Ensure a DR/BCP exists
- Assess the adequacy and effectiveness of the plan and its alignment with the bank's plan
- Test the SP's BCP on a periodic basis
- Maintain an exit strategy in the event that the SP is unable to perform
- Document roles and responsibilities for maintaining and testing the SP's plan

Termination Contingency Plan
Management should ensure relationships terminate in an efficient manner. Have a plan to bring the service in-house if there are no alternate 3rd parties.
Appendix D: MSSP
2012 update to the FFIEC Outsourcing Technology Services Handbook. Reliance on an MSSP increases risk.

MSSP Services
- Network boundary protection
- IDS/IPS
- Event log management/alerting
- AV and Web content filtering services
- Hosting
- Patch management
- Security software management
- Incident response management
- DLP
- Information security consulting services

MSSP Management
The regular risk management program, plus:
- Contract with SLA
- Strategies for transparency/accountability
- Communications
- Review of MSSP processes, infrastructure, and control environment

MSSP Management: Risk Assessment (due diligence and ongoing)
Risk elements:
- Business processes
- Info security infrastructure
- Access management and control
- Data handling
- BCP/DRP
- Incident response
- Awareness and training
- Application development/systems integration
- Malware protection

MSSP Management: Education/Awareness
- Training content/frequency
- Financial institution understanding of reports, audits, and security testing

Cyber Security Risk Assessment Tool
Domain 4 - External Dependency Management:
- Connections
- Relationship Management

Document and Report
- Current inventory/risk assessment
- Approved plans to use 3rd parties
- Due diligence results
- Analysis of costs
- Regular reports to the Board on internal control testing and monitoring (audits, security reviews, compliance with SLA)
- Regular reports to the Board on the overall risk management process
- Executed contract
- Regular risk management and performance reports from the 3rd party

Bank Service Company Act
- FDIC supervised institutions
- Section 7(c)(2): Notification of Performance of Bank Services
- New servicing relationships by 3rd parties
Technology Outsourcing: Informational Tools for Community Bankers (FDIC)
- Effective Practices for Selecting a Service Provider
- Tools to Manage Technology Providers' Performance Risk: Service Level Agreements
- Techniques for Managing Multiple Service Providers

Effective Practices for Selecting a Service Provider
- A resource for addressing specific challenges
- Not an exam procedure or official guidance
- Informational tool

Effective Practices
- Objectives in the selection process
- Evaluation and selection
- Negotiating the contract

Contracts
- Exit clause that allows the FI to cancel for reasons such as failure to perform
- SLA should be stated
- Clear understanding of current and anticipated future requirements of the service
- Obtain a list of all key personnel and any subcontractors, consultants, or third parties on which service delivery depends

Technology service providers encompass a broad range of entities including, but not limited to, affiliated entities, nonaffiliated entities, and alliances of companies providing products and services. This may include, but is not limited to: core processing; information and transaction processing and settlement activities that support banking functions such as lending, deposit-taking, funds transfer, fiduciary, or trading activities; Internet-related services; security monitoring; systems development and maintenance; aggregation services; digital certification services; and call centers. Other terms used to describe service providers include vendors, subcontractors, external service providers (ESPs), and outsourcers.

Tools to Manage Risk: SLA
The SLA is a key component in structuring a successful outsourcing contract. It should define:
- Service category (e.g., system availability or response time)
- Acceptable range of service quality
- Definition of what is being measured
- Formula for calculating the measure
- Credits/penalties for achieving/failing performance targets
- Frequency and interval of measurement

Managing against the SLA
- Measure service activity results against defined service levels
- Examine measured results to identify problems or determine causes
- Take appropriate action to correct failed activities, functions, or processes
- Continuously guide service providers through feedback sessions based on objectively measured performance metrics

Successful SLA
- Identify the performance and risk factors that are most crucial
- Make sure metrics measure what you want
- Focus on your goals
- Be specific: ensure everyone understands the terms and that the terms are clearly measured
- Measure the performance provided to you, not the aggregate across all clients

Techniques for Managing Multiple SPs
- Use a lead contractor who is responsible for establishing subcontracts with other providers and managing their performance
- Use inter-provider operating agreements

Thank You
Susan Orr
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationOCC BULLETIN OCC 2001-47
OCC BULLETIN Comptroller of the Currency Administrator of National Banks Subject: Third-Party Relationships Description: Risk Management Principles TO: Chief Executive Officers of National Banks, Federal
More informationTHE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS
THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS Data Law Group, P.C. Kari Kelly Deborah Shinbein YOU CAN T OUTSOURCE COMPLIANCE! Various statutes and regulations govern
More informationLogging In: Auditing Cybersecurity in an Unsecure World
About This Course Logging In: Auditing Cybersecurity in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that
More informationFFIEC Cybersecurity Assessment Tool
Overview In light of the increasing volume and sophistication of cyber threats, the Federal Financial Institutions Examination Council 1 (FFIEC) developed the Cybersecurity Tool (), on behalf of its members,
More informationCFPB Readiness Series: Compliant Vendor Management Overview
CFPB Readiness Series: Compliant Vendor Management Overview Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the
More informationSHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS
SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS An overview of how the Shared Assessments Program SIG 2014
More informationCybersecurity: What CFO s Need to Know
Cybersecurity: What CFO s Need to Know William J. Nowik, CISA, CISSP, QSA PCIP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2014 Wolf & Company, P.C. Today s Agenda Introduction
More informationThe New Third-Party Oversight Framework: Trust but Verify kpmg.com
Financial Services Regulatory Point of View The New Third-Party Oversight Framework: Trust but Verify kpmg.com The New Third-Party Oversight Framework: Trust but Verify 1 Financial services regulatory
More informationProposed Principles to be addressed in APES GN 20 Outsourced Accounting Services
Proposed Principles to be addressed in APES GN 20 Outsourced Accounting Services Roles and Responsibilities The proposed Guidance Note 20 Outsourced Accounting Services (GN 20) will set out the various
More informationCloud Computing: Legal Risks and Best Practices
Cloud Computing: Legal Risks and Best Practices A Bennett Jones Presentation Toronto, Ontario Lisa Abe-Oldenburg, Partner Bennett Jones LLP November 7, 2012 Introduction Security and Data Privacy Recent
More informationOffice of Inspector General
Audit Report OIG-14-034 Not Sufficiently Documented April 21, 2014 Office of Inspector General Department of the Treasury Contents Audit Report Background... 2 Results of Audit... 4 OCC Has Updated Guidance
More informationPart A OVERVIEW...1. 1. Introduction...1. 2. Applicability...2. 3. Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...
Part A OVERVIEW...1 1. Introduction...1 2. Applicability...2 3. Legal Provision...2 Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...3 4. Guiding Principles...3 Part C IMPLEMENTATION...13 5. Implementation
More informationFEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-07 OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS. Purpose
FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-07 OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS Purpose This advisory bulletin communicates the Federal Housing Finance Agency s (FHFA)
More informationA Crisis Response, Information Sharing View of FFIEC Appendix J?
A Crisis Response, Information Sharing View of FFIEC Appendix J? Susan Rogers (MBCP, MBCI) Financial Services Information Sharing and Analysis Center FS-ISAC, Business Resiliency Director srogers@fsisac.us;
More informationEd McMurray, CISA, CISSP, CTGA CoNetrix
Ed McMurray, CISA, CISSP, CTGA CoNetrix AGENDA Introduction Cybersecurity Recent News Regulatory Statements NIST Cybersecurity Framework FFIEC Cybersecurity Assessment Questions Information Security Stats
More informationObjective and key requirements of this Prudential Standard
Prudential Standard CPS 231 Outsourcing Objective and key requirements of this Prudential Standard This Prudential Standard requires that all outsourcing arrangements involving material business activities
More informationOutsourcing Risk Guidance Note for Banks
Outsourcing Risk Guidance Note for Banks Part 1: Definitions Guideline 1 For the purposes of these guidelines, the following is meant by: a) outsourcing: an authorised entity s use of a third party (the
More informationPutting the Management Back in Vendor Management February 20, 2014
Putting the Management Back in Vendor Management February 20, 2014 Moderator: Brian O Reilly The Collingwood Group, LLC Panelists: Calvin Hagins, CFPB Ken Markison, MBA Jonathan McKernan, Wilmer Hale Dan
More informationPRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES
PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES TECHNICAL COMMITTEE OF THE INTERNATIONAL ORGANIZATION OF SECURITIES COMMISSIONS FEBRUARY 2005 Preamble The IOSCO Technical Committee
More informationManaging General Agents (MGAs) Guideline
Managing General Agents (MGAs) Guideline JUNE 2013 DRAFT FOR COMMENT BC AUTHORIZED LIFE INSURERS www.fic.gov.bc.ca PURPOSE This draft guideline outlines best practices that the Financial Institutions Commission
More information2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level. Tracy L. Hall, MBCP
2015 CEO & Board University Taking Your Business Continuity Plan To The Next Level Tracy L. Hall, MBCP MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C.
More informationVendor Risk Management (Banks and Financial Institutions)
Vendor Risk Management (Banks and Financial Institutions) Speaker: Jay Ranade/Ram Engira CIA, CRMA, CRISC, CBCP,CISA,CISSP,CISM,ISSAP,CGEIT Director of Education Risk Management Professionals Intl. New
More informationWhite Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management
White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.
More informationBoard Responsibility. A bank can outsource a task, but it cannot outsource the responsibility.
Third-Party Risk Board Responsibility The Board of Directors and senior management are ultimately responsible for managing activities conducted through third-party relationships as if the activity were
More informationOCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
More informationKey Considerations of Regulatory Compliance in the Public Cloud
Key Considerations of Regulatory Compliance in the Public Cloud W. Noel Haskins-Hafer CRMA, CISA, CISM, CFE, CGEIT, CRISC 10 April, 2013 w_haskins-hafer@intuit.com Disclaimer Unless otherwise specified,
More informationWHITE PAPER THIRD PARTY MANAGEMENT: FUNDAMENTALS
THIRD PARTY MANAGEMENT: FUNDAMENTALS by Linda Tuck Chapman Sponsored by Third Party Management Fundamentals Third Party Management isn t new, but its importance is growing in every industry and the financial
More informationOutsourcing in the Financial Services Industry: Finding Opportunities and Managing Risk. New York. OCC and FRB Guidance on Managing Third-Party Risk
March 24, 2014 If you have any questions regarding the matters discussed in this memorandum, please contact the following attorneys or your regular Skadden contact. Stuart D. Levi New York / 212.735.2750
More informationRefresher on cloud computing
Refresher on cloud computing Cloud computing is a form of outsourcing where the organization outsources data processing to computers owned by the vendor. Outsourcing may also include utilizing the vendor
More informationVENDOR MANAGEMENT Presented By:
VENDOR MANAGEMENT EXAMINER EXPECTATIONS FOR ASSESSING & MANAGING 3RD PARTY RISK Presented By: Tom Hinkel, VP of Compliance Services Safe Systems, Inc. Agenda Blurred Lines: Defini/on of vendor Recent regulatory
More informationNegotiating Contracts That Will Keep our Clouds Afloat: You re going to put THAT in a cloud? Meteorologist: Daniel T. Graham
Negotiating Contracts That Will Keep our Clouds Afloat: You re going to put THAT in a cloud? Meteorologist: Daniel T. Graham The dynamic provisioning of IT capabilities, whether hardware, software, or
More informationTESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY. Before the
For Release Upon Delivery 10:00 a.m., December 10, 2014 TESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY Before the COMMITTEE ON BANKING, HOUSING,
More informationWhat Directors need to know about Cybersecurity?
What Directors need to know about Cybersecurity? W HAT I S C YBERSECURITY? PRESENTED BY: UTAH BANKERS ASSOCIATION AND JON WALDMAN PARTNER, SENIOR IS CONSULTANT - SBS 1 Contact Information Jon Waldman Partner,
More information