Vendor Risk Management (Banks and Financial Institutions)
- Gregory Ross
- 8 years ago
Vendor Risk Management (Banks and Financial Institutions)
Speakers: Jay Ranade / Ram Engira
CIA, CRMA, CRISC, CBCP, CISA, CISSP, CISM, ISSAP, CGEIT
Director of Education, Risk Management Professionals Intl., New York City, USA

Instructor: Jay Ranade, CIA, CRMA, CRISC, CISA, CISSP, CISM, CBCP, CGEIT, ISSAP
Risk Management Professionals Intl., New York City
Instructor Introduction
Jay, a certified CISA, CISM, CISSP, and CBCP, is an internationally renowned expert on computers, communications, disaster recovery, IT security, and IT controls. He has written and published more than 35 IT-related books on subjects ranging from networks, security, operating systems, and languages to systems. He also has an imprint with McGraw-Hill of more than 300 books called the Jay Ranade Series. He has written and published articles for computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal. The New York Times critically acclaimed his book The Best of Byte. He is currently working on a number of books on subjects such as IT audit, IT security, business continuity, and IT risk management. Jay has consulted and worked for global and Fortune 500 companies in the US and abroad, including American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson and Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse. He was a member of ISACA International's Publications Committee. He also teaches graduate-level classes on Information Security Management and Ethical Risk Management at New York University. Jay is also an adjunct professor at St John's University, where he teaches Accounting Information Systems, IT Auditing, Internal Auditing, and Operational Risk Management.

Instructor Introduction
Ram Engira has more than 22 years of experience gathered at some of Wall Street's largest firms. He has fundamental business operations and technology skills, especially around key initiatives in the banking, trading, and investment banking arenas. Ram is currently working as a Senior Vice President / Senior IT Infrastructure Manager for the Retail Bank O&T division at a major financial firm. He works for the business office focused on strategic planning, business and technology alignment, client service delivery management, business realignment, engagement planning, and risk management. He is a subject matter expert in BCP/DR, enterprise and IT risk management, information security, and infrastructure optimization. Ram is involved with BCP/DR, information security, and system auditing from both strategic and tactical points of view. Ram is among the industry leaders in planning and executing data center consolidation programs and infrastructure virtualization leading to IT optimization. Ram is also an adjunct professor at St. John's University and the New York Institute of Technology (NYIT), teaching Master's level courses in business continuity planning, enterprise risk management, IT security and auditing, and database management systems.
Instructor's Information
Contact: jranade@edeltaconsulting.com, JAYRANADE@AOL.COM, ranadej@stjohns.edu, jayranade@nyu.edu
Risk Management Professionals International, USA

What is Risk?

Types of Risks
- 97 types of risks: credit risk, market risk, liquidity risk, IT risk, sovereign risk, political risk, operational risk
- And by the way: vendor risk, which is a subset of operational risk

Organizational Focus
- Mitigate risk to the organization: focus is on controls
- Comply with laws and regulations: focus is on compliance, usually in a regulated industry

Facts about Risk
- It is part of life; it is part of doing business
- You can avoid it, mitigate it, accept it, or transfer it
- Controls are not free: controls slow down business and controls cost money
- Balance controls and benefit

Categories of Vendor Risk Controls
- Directive controls (policy)
- Preventive controls
- Detective controls
- Corrective controls (IRM)
- Compensating controls
- Deterrent controls (SLA penalties)

Types of Vendor Risk Controls
- Controls can be any of the following six: policy, standard, procedure, process, organizational structure, physical entity

Why Use Vendors?

Reasons for Using Vendors
- Reduce cost
- Increase performance
- Access specific expertise lacking in the organization
- Increase product offerings
Common 3rd Party Relationships

Common Vendor Relationships
- 3rd party product providers, e.g. credit card providers, auto dealers, mortgage brokers
- Loan servicing providers, e.g. flood insurance monitoring, debt collection, foreclosure activities
- Disclosure preparers, e.g. related software, 3rd party documentation preparation
- Technology providers, e.g. web development, software vendors
- Outsourced compliance functions, e.g. fair lending reviews, compliance audits, compliance monitoring

Common 3rd Party Risks

Common Vendor Risks
- Compliance risk: laws, regulations, rules
- Reputation risk: law violations, dissatisfied customers
- Operational risk: people, processes, systems, external events
- Transaction risk: service delivery issues
- Credit risk: 3rd party not able to meet contract terms

Vendor Risk Types: Examples
- Deceptive vendor marketing
- Credit discrimination
- Privacy issues (data loss or leakage): GLBA issue
- UDAP (unfair or deceptive acts or practices): UDAP is not always apparent and may be a commonly accepted bank practice
- Solution: oversee vendors as you would a department in your bank
What Practices Increase Vendor Risk?

Bad Practices
- Overreliance on 3rd party vendors: expertise in staffing, vendors, products, and services does not mean expertise in compliance and regulations
- Failure to monitor the vendor: monitoring is about variation in risk; you cannot outsource accountability
- Failure to retain knowledgeable staff: the vendor's staff has the expertise but the organization's staff does not know the vendor's activities; the risk is to the organization
- No clear expectations set: contracts must include consumer protection requirements and other expectations
- GIGO effect: not providing enough information to the vendor to do the job
- Vendor activities in violation: no verification process for whether the vendor is complying with the law/regulation or not

Some Examples of Vendor Risks

Examples of Vendor Risk
- Flood insurance monitoring: a vendor is used to monitor flood insurance; the vendor's error in calculating required coverage leads to civil money penalty (CMP) lawsuits
- HAMP program (home affordable loan modification program): vendor delay in processing; vendor sending duplicate applications
- Credit card administration: vendors market credit card programs (balance transfer); non-disclosure of fees, a UDAP violation; the CFPB had enforcement actions against 3 major credit card issuers in 2013
- Disclosure generation software: vendor software generates consumer disclosures; regulatory changes need software changes/alignment; management depends on the vendor to make the changes
- Revenue enhancement: 3rd party offers for revenue enhancement, for many products and services, with compliance issues not considered
- 3rd party payment processors (TPPP): customers use accounts to process payments for merchant clients; a TPPP issued payments for merchants in high-risk illegal activity; can also result in UDAP risk
What is Vendor Risk?

Bank's Vendor Risk
- Banks use third party vendors to: outsource internal operations; provide products and services to customers that the bank does not provide itself; lend their name for services or activities to others for a fee
- Why use a 3rd party? Resource constraints within the bank; provide additional products and services; provide expertise not available within the bank

Regulator's Concern
- Does outsourcing create more risk? Can the financial institution identify such risk, manage/control this risk, and monitor this risk?
- Two aspects of the regulator's concern: the financial institution's business and solvency; the consumer's protection from harm
- 3rd party vendors are not subject to banking and financial reporting requirements, and 3rd party vendors lack accountability to regulators
- So banks and non-banks are subject to civil and criminal penalties, because they have the accountability

Regulator's New Tools
- Bank Service Company Act (12 USC (c), Sec.): when a 3rd party performs a function for bank operations, regulators treat the 3rd party as subject to the act; the regulator can examine the operations of the 3rd party as if they were performed by the bank
- Dodd-Frank Act: the Consumer Financial Protection Bureau (CFPB) has jurisdiction over any person that provides a material service to a bank (or nonbank) for a consumer financial product or service

VRM Facts
- You outsource responsibility, not accountability; the board and senior management own that
- CFPB: financial institutions are responsible for the actions of companies they CONTRACT, and are expected to manage such risk

So What 7 Things Do You Do?
- Proper vendor governance
- 3rd party due diligence
- Contracting
- RCA
- LCA
- Continuous monitoring (KRIs, KCIs) and oversight
- Proper training for those who monitor
- Tracking consumer complaints

Cause vs. Effect in VR
- Cause -> Event -> Effect (aka consequence)
- VR is managed through PCs by managing the causes
- VR is managed through DCs and CCs by mitigating the effects
Cross Border Outsourcing

Cross Border Outsourcing Life Cycle
- Strategic assessment
- Business case development
- Vendor selection due diligence
- Contracting
- Service transition
- Post-transition management and monitoring

Cross Border Outsourcing: Inherent Risks
- Financial risk: fraudulent transactions
- Privacy risk for PII
- Brand and reputation risk
- Regulatory risk
- Competitive risk from loss of IP

Cross Border Outsourcing: 9 Risks
- Vendor selection risk: lack of due diligence
- Strategic risk: inconsistent with the organization's goals
- Regulatory compliance risk: laws, regulations, policies, oversight, EU data protection, SOX, FFIEC, export restrictions
- Technology risk: processes not aligned with organizational objectives; business interruptions due to technology failure
- Security risk: lack of protection of customer information and IP, and loss of CIA
- Legal risk: inability to enforce contractual terms due to legal jurisdiction
- Country risk: geopolitical, economic, social issues
- BC risk: lack of recovery plans for critical business processes
- Exit strategy risk: lack of contract terms for an orderly exit on termination of services

Cross Border Outsourcing: Typical Security Requirements
- Logical access: need to have, need to know, least privilege, proper IAA
- Application development and maintenance: secure code, application change, source code management
- Operations: change control, IRM, network management, media handling and disposal
- Business continuity: recovery of critical business processes after interruption within the RTO, BC exercises
- Physical and environmental controls: perimeter, building, equipment, environmental
- Organizational security: SoD, R&R, DOPESS
- Asset classification: policy-based CIA classes
- Information security policy
- Compliance: regulatory, contractual

Cross Border Outsourcing: 13 Missing Provisions
- Lack of R&R
- Who owns the IP?
- Assets: ownership of by-products
- Service definition: local holidays, time zone
- SLA with penalty clauses
- Use of sub-contractors
- Personnel: background check, minimum qualifications, drug testing, right to remove from the project
- Documentation: logs, documents
- Fees and payment terms
- Legal and regulatory compliance
- Audit rights
- BC and DR requirements
- Security requirements: CIA
The VRM Framework

Vendor Risk Management Framework
- Governance
- Vendor risk and control assessment: identify the risk and its owner; identify the control and its owner; assess likelihood and impact; assess control design and performance; action plans
- VR due diligence and contracting
- VR indicators: identify key risk and control indicators; action plans; monitoring of KRIs and KCIs
- VR events and LCA: identify and capture internal and external events; analyze causes; action plans
- VR oversight

1. VRM - Governance
- Board-approved vendor policy, aligned with business objectives
- There will be risk ownership and there will be control ownership
- Accountability
- Clear direction for management
- VRM is about threats as well as opportunities

2. VRM - Due Diligence
- Vendor assessment prior to on-boarding: onsite visit, references, vendor experience, complaints history, internal controls, financial status
- Consumer finance perspective: does outsourcing products and services increase consumer harm? Does the 3rd party vendor have a proper IC environment?
- Does the vendor understand, and can it comply with, federal consumer financial law? Review of vendor policies, procedures, and ICs; review of the vendor's training program for employees/agents having consumer contact; review of the vendor's training program for employees/agents having compliance responsibility
- Vendor contract stipulating expectations regarding violations, e.g. unfair practices, abusive acts, deceptive acts
- Does the vendor comply with federal consumer finance laws, and does it have ICs to do that?
- Provision to terminate the relationship when problems exceed a threshold

11 Things to Look for in Due Diligence
- Vendor's experience
- Reputation, complaints, litigation
- IC environment and internal audit
- BC and contingency plan
- Insurance coverage
- Security status (ISO 27001?)
- Audited financial statements
- Qualifications and background
- Sufficiency of MIS (computer-based)
- Technology recovery plans (DR plans)
- Reliance on sub-contractors

3. VRM - Contracting
- The contract should minimize the risk of non-performance by the vendor
- The scope of the contract must be precisely defined
- The outsourcer should have the contractual right to assess the vendor's IC environment: internal audit by the outsourcer, SOC 1 and SOC 2 (SSAE 16 and ISAE 3402)
- Requirements must be defined, understood, and enforceable
- Performance measures and benchmarks defined
- Responsibility to communicate information
- Ownership and licensing of the bank's data, HW, SW, IP, and documentation
- Security: confidentiality, integrity, availability
- BC/DR plans
- Indemnifications holding the 3rd party harmless for negligence
- Insurance coverage requirement
- Process for dispute resolution
- Limits on the liability of the bank for non-performance of the vendor
- Termination considerations
- Customer complaints resolution process
- Contract enforcement jurisdiction for a foreign-based vendor

4. VRM - RCA
- 3rd party focus for RM, and CFPB focus for consumer-impacting vendors
- Embedding VRM in the BPs
- Establishing the risk owner and the control owner (not always the same): risk ownership is the business; control ownership is mostly operations
- Develop the RM FW for 3rd party vendors: stratify based on risk to the organization; identify consumer-facing vendors (CFPB)
- Identify laws and regulations for each product and each stage of the product lifecycle
- Map vendors and laws (a many-to-many relationship): which laws apply to which vendor
Typical VR RCA Risk Register
Register columns: ID, Risks, Owner(s) of the risk, I, L, S, Controls, Owner(s) of the control, D, P, E

ID  Risk
1   Weakness in outsourced information security system
2   Over-selling credit cards by vendor
3   Over-deployment of management resources on regulatory issues
4   Failure to understand the outsourcing-related regulations
5   Over-dependency on outsourcing

Risk owner initials as listed: CK, ZK, CK, RU, CK

Controls and owner(s) of the control:
- Staff training (TB)
- Credit scoring (EL)
- Forward business planning (ZK)
- Monthly review of budget against actual (TJ)
- Corporate governance (CK)
- Monthly meetings between CEO and head of compliance (AB)
- SLA (CK & EL)
- Outsourcing monitoring (CK & EL)
- Due diligence (CK)
- Policy (CK)
5. VRM - LCA
- LCA is for solidifying PCs
- Shows due diligence
- Always document the LCA for regulators (and yourself)
- Maintain an event database: it helps in statistical analysis; you need the data items

6. VRM - Monitoring: Indicators
- KRIs and KCIs monitor variation in risk and in controls
- Can be leading, coincident, or lagging
- Leading indicators predict impending issues; lagging indicators are detective
- Keep the RCA and the indicators together in the RR
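The risk register (ID, risk owner, I/L/S, control owner, D/P/E) and the KRI/KCI monitoring slide describe one data structure and one periodic check, so here is an added example that implements both; it is not code from the presentation or from Risk Management Professionals Intl. The risk descriptions and control names are taken from the register slide, but the pairing of controls to risks, the owner initials per risk, the meaning of the letter columns (I = impact, L = likelihood, S = inherent score, D = design, P = performance, E = effectiveness), the scoring model, every score value, and the indicator names, thresholds and monthly observations are all assumptions or constructed sample data.

```python
# Added example: a minimal vendor risk register in the shape of the slides' RCA
# plus KRI/KCI threshold monitoring. Column meanings, scoring model, scores,
# risk-to-control pairing, indicator names and observations are assumptions or
# constructed sample data, not values from the presentation.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Control:
    name: str
    owner: str
    design: int       # D: 1-5, how well the control is designed for the risk (assumed scale)
    performance: int  # P: 1-5, how well it actually operates (assumed scale)

    @property
    def effectiveness(self) -> float:
        # E: assumed as design x performance, scaled to 0..1
        return (self.design * self.performance) / 25.0


@dataclass
class Risk:
    id: int
    description: str
    owner: str
    impact: int       # I: 1-5 (assumed scale)
    likelihood: int   # L: 1-5 (assumed scale)
    controls: List[Control] = field(default_factory=list)

    @property
    def inherent_score(self) -> int:
        # S: assumed as impact x likelihood before any control is applied
        return self.impact * self.likelihood

    @property
    def residual_score(self) -> float:
        # Assumed model: the single most effective control reduces the inherent score.
        if not self.controls:
            return float(self.inherent_score)
        best = max(c.effectiveness for c in self.controls)
        return round(self.inherent_score * (1.0 - best), 2)


@dataclass
class Indicator:
    name: str
    kind: str          # "KRI" (risk indicator) or "KCI" (control indicator)
    timing: str        # "leading" or "lagging", as on the slide
    risk_id: int       # ties the indicator back to the register row (RCA and RR together)
    threshold: float
    higher_is_worse: bool = True   # False for a KCI where a LOW value signals a control gap


def build_sample_register() -> List[Risk]:
    """Risks and control names follow the slide; owner pairing and all scores are constructed."""
    return [
        Risk(1, "Weakness in outsourced information security system", "CK", 5, 3,
             [Control("SLA", "CK&EL", 4, 3), Control("Outsourcing monitoring", "CK&EL", 4, 4)]),
        Risk(2, "Over-selling credit cards by vendor", "ZK", 4, 4,
             [Control("Credit scoring", "EL", 3, 3),
              Control("Monthly meetings between CEO and head of compliance", "AB", 2, 2)]),
        Risk(3, "Over-deployment of management resources on regulatory issues", "CK", 2, 3,
             [Control("Forward business planning", "ZK", 3, 4),
              Control("Monthly review of budget against actual", "TJ", 4, 4)]),
        Risk(4, "Failure to understand the outsourcing-related regulations", "RU", 4, 2,
             [Control("Staff training", "TB", 3, 2), Control("Corporate governance", "CK", 3, 3)]),
        Risk(5, "Over-dependency on outsourcing", "CK", 3, 4,
             [Control("Due diligence", "CK", 4, 2), Control("Policy", "CK", 3, 1)]),
    ]


def rank_by_residual(register: List[Risk]) -> List[tuple]:
    """Highest residual risk first: the rows where oversight effort should go."""
    return sorted(((r.id, r.residual_score) for r in register), key=lambda t: -t[1])


def sample_indicators() -> List[Indicator]:
    """Constructed KRIs/KCIs; names and thresholds are placeholders, not from the slides."""
    return [
        Indicator("vendor_sla_breaches_per_month", "KRI", "lagging", 1, threshold=2),
        Indicator("outsourcing_monitoring_reviews_completed_pct", "KCI", "leading", 1,
                  threshold=90, higher_is_worse=False),
        Indicator("credit_card_consumer_complaints", "KRI", "lagging", 2, threshold=10),
        Indicator("regulatory_changes_unmapped_to_vendors", "KRI", "leading", 4, threshold=0),
    ]


def sample_observations() -> Dict[str, float]:
    """Constructed figures for one reporting period; one indicator deliberately has no data."""
    return {"vendor_sla_breaches_per_month": 3,
            "outsourcing_monitoring_reviews_completed_pct": 95,
            "credit_card_consumer_complaints": 7}


def evaluate_indicators(indicators: List[Indicator], observations: Dict[str, float]) -> List[dict]:
    """Compare a period's observations against each indicator's threshold.
    breached is True/False when data exists and None when the indicator was not reported,
    because a missing measurement is itself a monitoring gap worth escalating."""
    results = []
    for ind in indicators:
        value: Optional[float] = observations.get(ind.name)
        if value is None:
            breached = None
        elif ind.higher_is_worse:
            breached = value > ind.threshold
        else:
            breached = value < ind.threshold
        results.append({"indicator": ind.name, "kind": ind.kind, "timing": ind.timing,
                        "risk_id": ind.risk_id, "value": value, "breached": breached})
    return results


if __name__ == "__main__":
    for rid, score in rank_by_residual(build_sample_register()):
        print(f"risk {rid}: residual {score}")
    for row in evaluate_indicators(sample_indicators(), sample_observations()):
        print(row)
```

Keeping `risk_id` on every indicator is what the slide means by holding the RCA and the indicators together in one register: a breached KRI points straight at the risk row, its owner, and the controls whose D/P scores should be re-assessed. Treating an unreported indicator as `None` rather than "not breached" avoids a vendor's silence being read as good news.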
7. VRM - Oversight
- Review vendors periodically: the vendor's risk and RM; the vendor's performance and KPIs; changes in the regulatory environment and their alignment with vendor services; provisions in the vendor contract; assessment of the vendor's IC environment by the organization
- Evaluation: SLAs, risk-based vendor reviews, vendor performance reviews, process for issue escalation
- Gap analysis for 3rd party oversight and reporting processes; update procedures to close the gap
- Complaint processing: complaint tracking, follow-up, resolution, reporting, CMMI maturity
- Regulator's guidance for oversight: the vendor's risk management practices; vendor ICs for compliance, QA, personnel changes, contingency planning; documentation; QoS and assessment support

VRM Timeline
- Refer to the figure on the next foil
- The timeline is for implementing the FW: it includes implementing the 6 VRM FW processes, and the staff to do that
- An important aspect is to have a software tool to capture or create OR data
- Proper governance, management, and controls: tone at the top, tune in the middle, and policies

Example Timeline for Implementing a Vendor Risk Management Programme (phases: 0-3 months, 3-6 months, 6-9 months, 9-12 months)
- Policy: VRM policy; Risk Committee meetings
- RCA: risk matrix; business line and department RCA; embedded vendor risk and control assessments, including risk champions
- Events and losses: initiative capture; loss causal analysis linked to RCAs
- Technology tool: requirements review; selection; implementation; rollout (initially pilot)
- Staffing: recruitment/staffing
- Due diligence and contracting: due diligence process; contracting, SLA process
- Indicators: KCIs captured/reviewed; KRIs identified, captured and combined with KCIs
- Reporting: summarised reporting of RCAs and KCIs; risk status report

Questions
More informationCloud Security Panel: Real World GRC Experiences. ISACA Atlanta s 2013 Annual Geek Week
Cloud Security Panel: Real World GRC Experiences ISACA Atlanta s 2013 Annual Geek Week Agenda Introductions Recap: Overview of Cloud Computing and Why Auditors Should Care Reference Materials Panel/Questions
More informationStatement of the Office of the Comptroller of the Currency. Provided to the Subcommittee on Financial Institutions and Consumer Protection
Statement of the Office of the Comptroller of the Currency Provided to the Subcommittee on Financial Institutions and Consumer Protection Senate Committee on Banking, Housing, and Urban Affairs Shining
More informationBoard of Directors and Management Oversight
Board of Directors and Management Oversight Examination Procedures Examiners should request/ review records, discuss issues and questions with senior management. With respect to board and senior management
More informationWHITE PAPER Third-Party Risk Management Lifecycle Guide
WHITE PAPER Third-Party Risk Management Lifecycle Guide Develop and maintain compliant third-party relationships by following these foundational components of a best-practice assessment program. Third
More informationCFPB Update: Regulatory and Enforcement Developments
CFPB Update: Regulatory and Enforcement Developments December 16, 2014, 12:30 1:30 pm ET American Law Institute Webinar Jonathan L. Pompan Alexandra Megaris 1 Agenda Supervision and Examinations What is
More informationOutsourcing Technology Services OT
Federal Financial Institutions Examination Council FFIEC Outsourcing Technology Services OT JUNE 2004 IT EXAMINATION H ANDBOOK TABLE OF CONTENTS INTRODUCTION... 1 BOARD AND MANAGEMENT RESPONSIBILITIES...
More informationData Privacy and Gramm- Leach-Bliley Act Section 501(b)
Data Privacy and Gramm- Leach-Bliley Act Section 501(b) October 2007 2007 Enterprise Risk Management, Inc. Agenda Introduction and Fundamentals Gramm-Leach-Bliley Act, Section 501(b) GLBA Life Cycle Enforcement
More informationAre You Ready for the New Foreclosure Processing Regulations?
Are You Ready for the New Foreclosure Processing Regulations? New regulator guidance provides banks servicing residential mortgages with expectations in effectively assessing foreclosure processing. The
More informationOFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT
County of San Diego Auditor and Controller OFFICE OF AUDITS & ADVISORY SERVICES CLOUD COMPUTING AUDIT FINAL REPORT Chief of Audits: Juan R. Perez Audit Manager: Lynne Prizzia, CISA, CRISC Senior Auditor:
More informationGet More Out of Your Risk Assessment. Austin Chapter of the IIA
Get More Out of Your Risk Assessment Austin Chapter of the IIA Speakers Alyssa G. Martin, CPA Dallas Executive Partner, Advisory Services 25 years of public accounting experience, with a practice emphasis
More informationInformation Security Governance:
Information Security Governance: Designing and Implementing Security Effectively 2 nd Athens International Forum on Security 15 16 Jan 2009 Anestis Demopoulos, CISA, CISSP, CIA President of ISACA Athens
More informationOCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
More informationThe Other Side of CFPB Compliance
The Other Side of CFPB Compliance Strengthening your compliance program via vendor management Legal Disclaimer This information is for the use of attendees only. Any distribution, reproduction, copying
More informationDomain 1 The Process of Auditing Information Systems
Certified Information Systems Auditor (CISA ) Certification Course Description Our 5-day ISACA Certified Information Systems Auditor (CISA) training course equips information professionals with the knowledge
More informationISO27001 Controls and Objectives
Introduction This reference document for the University of Birmingham lists the control objectives, specific controls and background information, as given in Annex A to ISO/IEC 27001:2005. As such, the
More informationCyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s
Cyber Security Pr o t e c t i n g y o u r b a n k a g a i n s t d a t a b r e a c h e s 1 Agenda Data Security Trends Root causes of Cyber Attacks How can we fix this? Secure Infrastructure Security Practices
More informationThe Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant
THE MARKET LEADER IN IT, SECURITY AND COMPLIANCE SERVICES FOR COMMUNITY FINANCIAL INSTITUTIONS The Emergence of the ISO in Community Banking Patrick H. Whelan CISA IT Security & Compliance Consultant Agenda
More informationFEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-07 OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS. Purpose
FEDERAL HOUSING FINANCE AGENCY ADVISORY BULLETIN AB 2014-07 OVERSIGHT OF SINGLE-FAMILY SELLER/SERVICER RELATIONSHIPS Purpose This advisory bulletin communicates the Federal Housing Finance Agency s (FHFA)
More informationRegulatory Practice Letter January 2013 RPL 13-01
Regulatory Practice Letter January 2013 RPL 13-01 Fair Lending CFPB Annual Report and Supervisory Highlights Executive Summary In December 2012, the Bureau of Consumer Financial Protection ( CFPB or Bureau
More informationTop 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World
Top 10 Tips and Tools for Meeting Regulatory Requirements and Managing Cloud Computing Providers in the United States and Around the World Web Hull Privacy, Data Protection, & Compliance Advisor Society
More informationRegulatory Practice Letter December 2012 RPL 12-24
Regulatory Practice Letter December 2012 RPL 12-24 CFPB Nonbank Supervision - Larger Participants for Debt Collection and Credit Reporting Final Rules Executive Summary In February 2012, the Bureau of
More informationUsing COBiT For Sarbanes Oxley. Japan November 18 th 2006 Gary A Bannister
Using COBiT For Sarbanes Oxley Japan November 18 th 2006 Gary A Bannister Who Am I? Who am I & What I Do? I am an accountant with 28 years experience working in various International Control & IT roles.
More informationWhite Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA
White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial
More informationOCC BULLETIN OCC 2001-47
OCC BULLETIN Comptroller of the Currency Administrator of National Banks Subject: Third-Party Relationships Description: Risk Management Principles TO: Chief Executive Officers of National Banks, Federal
More informationPreparing for the Outsourcing Challenge: Legal Due Diligence to Ensure a Winning Service Provider Relationship
THE 4 TH NATIONAL CONFERENCE ON OUTSOURCING IN FINANCIAL SERVICES NEGOTIATING, MANAGING & TERMINATING OUTSOURCING RELATIONSHIPS WHILE ENSURING REGULATORY COMPLIANCE Renaissance Mayflower, Washington, DC
More informationNavigating Vendor Management Issues in Today s Regulatory Environment
Navigating Vendor Management Issues in Today s Regulatory Environment May 6, 2015 Elizabeth E. McGinn, Partner Moorari K. Shah, Counsel 1 Disclaimer The information contained herein is for informational
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationStatement of Guidance: Outsourcing All Regulated Entities
Statement of Guidance: Outsourcing All Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1. 1.2. 1.3. 1.4. This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on
More informationData Management: Considerations for Integrating Compliance Requirements At Home and Abroad. Toronto, Ontario June 14, 2005
Data Management: Considerations for Integrating Compliance Requirements At Home and Abroad Toronto, Ontario June 14, 2005 Outsourcing Update: New Contractual Options and Risks Lisa K. Abe June 14, 2005
More informationStudent Loan Servicing and the CFPB
Regulatory Practice Letter April 2013 RPL 13-09 CFPB Nonbank Supervision Larger Participants for Student Loan Servicing Proposed Rule Executive Summary The Bureau of Consumer Financial Protection (CFPB
More informationIdentifying Key Risk Indicator
PUERTO RICO PAYMENTS SYMPOSIUM Identifying Key Risk Indicator EPOCPR Services Agenda for Today Background History Regulators & Risk Management Let s have fun Regulators & Risk Assessment ACH Risks Categories
More informationICT SERVICE LEVEL AGREEMENT MANAGEMENT POLICY (EXTERNAL SERVICE PROVIDERS/VENDORS)
ICT SERVICE LEVEL AGREEMENT MANAGEMENT POLICY (EXTERNAL SERVICE PROVIDERS/VENDORS) TABLE OF CONTENTS 1. INTRODUCTION... 3 2. LEGISLATIVE FRAMEWORK... 3 3. OBJECTIVE OF THE POLICY... 4 4. AIMS OF THE POLICY...
More informationPayment Processor Relationships Revised Guidance
Federal Deposit Insurance Corporation 550 17th Street NW, Washington, D.C. 20429-9990 Payment Processor Relationships Revised Guidance Financial Institution Letter FIL-3-2012 January 31, 2012 Summary:
More informationERM Program. Enterprise Risk Management Guideline
ERM Program Enterprise Management Guideline Table of Contents PREAMBLE... 2 When should I refer to this Guideline?... 3 Why do we need a Guideline?... 4 How do I use this Guideline?... 4 Who is responsible
More informationBOARD OF DIRECTORS RESPONSIBILITIES FOR COMPLIANCE MANAGEMENT SYSTEMS
BOARD OF DIRECTORS RESPONSIBILITIES FOR COMPLIANCE MANAGEMENT SYSTEMS Shannon Phillips Jr. Independent Bankers Association of Texas 1700 Rio Grande Street Austin, Texas 78701 sphillips@ibat.org 512.275.2221
More informationTime to Revamp the Compliance Management System
By William (Wylli) J. Foote, CRCM Time to Revamp the Compliance Management System Compliance professionals have long used guidance by the regulatory agencies as the starting point for building a comprehensive
More informationInstructions for Completing the Information Technology Officer s Questionnaire
Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine
More informationInformation security controls. Briefing for clients on Experian information security controls
Information security controls Briefing for clients on Experian information security controls Introduction Security sits at the core of Experian s operations. The vast majority of modern organisations face
More informationT31: Before, During and After Outsourcing David Fong, BlackRock
T31: Before, During and After Outsourcing David Fong, BlackRock Before, During and After Outsourcing David Fong, CISA, CPA Objective o Explore reasons why some organizations choose to outsource o Understanding
More informationSECURITY AND EXTERNAL SERVICE PROVIDERS
SECURITY AND EXTERNAL SERVICE PROVIDERS How to ensure regulatory compliance and manage risks with Service Organization Control (SOC) Reports Jorge Rey, CISA, CISM, CGEIT Director, Information Security
More informationTop Ten Technology Risks Facing Colleges and Universities
Top Ten Technology Risks Facing Colleges and Universities Chris Watson, MBA, CISA, CRISC Manager, Internal Audit and Risk Advisory Services cwatson@schneiderdowns.com April 23, 2012 Overview Technology
More informationNew CFPB mortgage servicing rules present significant challenges for mortgage servicers
New CFPB mortgage servicing rules present significant challenges for mortgage servicers Prepared by: Jose Vivar, Director, McGladrey LLP 312-634-4394, jose.vivar@mcgladrey.com Michael Sher, Partner, McGladrey
More informationInformation Security Policy. Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services
Information Security Policy Document ID: 3809 Version: 1.0 Owner: Chief Security Officer, Security Services Contents 1 Purpose / Objective... 1 1.1 Information Security... 1 1.2 Purpose... 1 1.3 Objectives...
More information