KYCC Strategies for Managing Third-Party Payment Processor (TPPP) and Third-Party Sender (TPS) Risk
|
|
- Duane Tate
- 8 years ago
- Views:
Transcription
1 KYCC Strategies for Managing Third-Party Payment Processor (TPPP) and Third-Party Sender (TPS) Risk Dan Frechtling SVP Marketing & Chief Product Officer April 20, 2015 Steve Clendaniel Director of Risk Consulting
2 KYCC strategies for TPPPs and TPSs KYCC: TPPP: TPS: Toyota Production System Know Your Customer s Customer Third Party Payment Processor Third Party Sender
3 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions An additional level of intelligence is required
4 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions An additional level of intelligence is required
5 Regulation has become competitive sport FRB FDIC OCC FTC CFPB In the US, we now have the regulatory Olympics. (SVP Payments for top 5 US bank) In 2014 US and European banks paid ~$65B in penalties, 40% greater than 2013, the previous high, according to BCG McKinsey estimates that senior executives spend about 20 to 25 percent of their time on regulatory matters Sources: Wall Street Journal, Dec 2014; Bankdirector.com, Jan 2015
6 Regulatory pressure is rising 2013 March October November 50+ Banks subpoenaed by the government to examine their risk management processes
7 and rising 2014 March April May June
8 and rising 2015 March April
9 Regulatory pressure is unavoidable This is the business that we ve chosen and these are the rules you must follow in order to be able to stay in the game. If we want to continue to grow and to prosper we have to get A s on your report card in terms of compliance. If you get anything less than that, they ll shut down your growth. It s just not optional. Executive Vice President and Chief Risk Officer, Midsized Bank Source: G2 Web Services Research Study, March 2015
10 Regulatory pressure is unpredictable It s almost a crap shoot, right? So anybody could come in, a new regulator that wasn t here last year, and say, That s not how I look at it, or you need to beef this up, or I saw this other institution do this. I m recommending this for you So there is some concern, but it s almost uncontrollable. Vice President, Risk Management and Compliance, Midsized Bank Source: G2 Web Services Research Study, March 2015
11 Regulatory pressure is examiner-driven it s more the human nature from an examiner, or a specific examiner, let s say, in their opinion or what they ve seen in their travels versus a new regulation coming out and being a total shock to us. Vice President, Compliance, Midsized Bank Source: G2 Web Services Research Study, March 2015
12 TPPP and TPS regulations are changing In an ever changing regulatory environment, especially TPPP being newer, is - are the regulators going to change their requirements? I think there s a black hole in banking, especially with examination, whereby examination procedures and guidance say one thing, but we re also held to best standards and practices. Executive Vice President and Chief Risk Officer, Midsized Bank Source: G2 Web Services Research Study, March 2015
13 TPPPs and TPSs can be opaque to banks The level of challenge with respect to any vendor relationship to which the banking regulators are requiring us to increasingly know, vet, and to fully understand what s going on in that vendor s black box. Those are sorts of things that keep you up at night. Executive Vice President and Chief Risk Officer, Midsized Bank Source: G2 Web Services Research Study, March 2015
14 TPPPs and TPSs may lose banking relationships 10 years ago, you linked up with a vendor and you sort of relied on them to do the things- you did your own due diligence but it wasn t nearly the same sort risk assessment process that you go through today. And what we see it evolving to is one that is even much, much more invasive for the vendor. You are going to have to discontinue certain relationships. Executive Vice President and Chief Risk Officer, Midsized Bank Source: G2 Web Services Research Study, March 2015
15 Entire categories of TPPPs and TPSs are at risk What has occurred is a lot of the very large institutions based on a lot of guidance from regulatory agencies have sort of de-risked their portfolio. And so a lot of them for instance don t do any clients that are money service business or third party payment processors because that s what it seemed like the regulators wanted and it s just easier, rather than trying to interpret, to just avoid it. EVP and CEO, Midsized Bank Source: G2 Web Services Research Study, March 2015
16 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions An additional level of intelligence is required
17 Regulators have provided bulletins on TPPPs
18 FDIC and OCC offer guidance and a framework FDIC FIL FIL FIL OCC BULLETIN BULLETIN BULLETIN
19 All agree on principles: onboarding, ongoing
20 Guidelines: Onboarding Conduct due diligence commensurate with the level of risk and complexity of the 3 rd party relationship Strategies: check growth goals, current and proposed structures, quality initiatives, efficiency improvements, employment practices are consistent with bank s philosophy Compliance: licenses, expertise, controls, status with regulators and similar organizations Financials: statements, trends, pending litigation, fee structures Reputation: complaints, years of experience, reference checks, SEC & regulatory filings, websites
21 Guidelines: Onboarding Conduct due diligence commensurate with the level of risk and complexity of the 3 rd party relationship Principals: senior management, key employees, subcontractors Risk management: independence of audit function, policies for escalating audit findings, SOC reports, other standards (e.g. ISO) IS: SLAs and performance metrics, change management processes, ability to mitigate data breach vulnerabilities Resilience: disaster recovery and business continuity plans in event of service disruptions
22 Guidelines: Onboarding Conduct due diligence commensurate with the level of risk and complexity of the 3 rd party relationship Security: physical security, incident reporting HR: training, succession planning, holding employees accountable for compliance Subcontractors: geographic locations, due diligence and monitoring; conduct your own diligence, look for legally-binding indemnification Insurance: bond coverage for dishonest acts, liability coverage for negligence, hazard insurance for disasters
23 Best practices: Onboarding Conduct due diligence commensurate with the level of risk and complexity of the 3 rd party relationship Have a prohibited category list Check the merchant for fraudulent activity Identify what the merchant is selling, beyond MCC/NAICS/SIC code Analyze the merchant s online history of risk Analyze the merchant s website for suspicious activity or hidden goods Require the same due diligence of your TPPPs with their customers
24 Guidelines: Ongoing Performed periodically during the course of the relationship, particularly when considering a renewal of a contract. Onboarding Ongoing Compliance Financials Insurance IS Resilience Subcontractors Reputation Principals HR Remediation Agreements Confidentiality
25 Best practices: Ongoing Performed periodically during the course of the relationship, particularly when considering a renewal of a contract. Check for migration to prohibited categories Persistently monitor the merchant for changes in goods/services offered Monitor the merchant for fraudulent activity Adjust your oversight based depend upon the potential risks and the magnitude of the arrangement Require Third Parties to monitor their merchants according to your standards, and request regular reports
26 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions Onboarding Ongoing An additional level of intelligence is required
27 Risk Managers have responded by using new tools Onboarding Ongoing 1 2 Identity Verification Manual Credit/Asset Searches 3 4 Transaction Monitoring Manual spot Checks
28 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions Onboarding Ongoing An additional level of intelligence is required
29 1. Identity Verification Tools Good standard practice Complies with core BSA/AML guidance for due diligence & EDD Recommended for compliance with CIP rule of Patriot Act Many financial institutions do some kind of criminal background check which is only as good as the data store which they are checking against. Guy Huntington, Identity Management expert X Verification can be outmaneuvered by black hat applicants X Most effective when applicants disclose information that can be verified X Only as good as the data store : misses hidden merchant risk
30 2. Manual Credit/Asset Searches Consolidates separate data sources into one platform Valued by most regulators as highly credible sources Provides a sense of control and rigor Because it s manual it s inconsistently applied. Level of experience of the evaluator varies. (the process) is staff intensive Chief Risk Officer, Large Bank, Midwest X May produce better information about principals than merchants X Quality of the review fluctuates based on analyst s experience X Lacks automated scoring that can speed underwriting
31 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions Onboarding Ongoing An additional level of intelligence is required
32 3. Transaction Monitoring Important and necessary for compliance with OCC s CFR & , and FDIC s FIL & FIL Improving quality of data science means anomaly detection is faster and more accurate Alerts can provide evidence of suspicious activity or outright fraud Allows for triaging of suspicious transactions separate from normal transactions for further review All things being equal, preventative controls are always better than protective controls. X Most effective after fraud has struck X Miss leading indicators of fraud X Outsmarted by black hat applicants Chief Risk Officer, Midsized Bank, Southeast Source: G2 Web Services Research Study, March 2015
33 4. Manual Spot Checks Easy to start and modify, especially at low volumes Simple to explain to auditors Fewer technical black boxes are involved There are manual reports that we look at. There s a daily payment processing report and then we can look at them monthly, quarterly or annually it s a very manual, labor intensive process. Chief Risk Officer, Midsized Bank X Are rarely conducted X Require technology and training to spot changes X Hard to detect deceptive marketing practices X Lacks automated scoring that can speed underwriting
34 All four miss vital aspects of KYC Missing: Hidden merchant risk Direct evidence of illegal activity, patterns of fraud and compliance violations Links to illicit merchants, criminal fraud rings, hidden websites Conducting business with many FIs Missing: Automated scoring History of fraud, compliance missteps Technology-enabled analysts rather than labor Predictions such as poor reputation with consumers, leading indicators of future fraud and compliance violations
35 Individual risk merchant risk Survey of Dual Occupation Professionals: Should US firms offer gifts to gain a foothold in a new market if this violated federal law? As engineers, 90% disagreed As managers, 50% agreed When people switch hats, they often switch moral compasses. -Keith Leavitt, OSU faculty Source: Oregon State Research Study, May 2012
36 Can hidden merchant patterns be detected? I doubt you can do this. It sounds good, but the proof is in the pudding. Looking at years of merchant history is a real differentiator, a way of looking at the past as indicator of future activity. Our bank is not be able to dig as deep. Senior VP, 3rd Party Risk Mgt, Midsized Bank, Mid-Atlantic Source: G2 Web Services Research Study, March 2015
37 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions An additional level of intelligence is required Key elements Implementation
38 Key elements of merchant intelligence 1. Underlying merchants 2. Historical connections 3. Predictive modeling 4. Instant quantification 5. Risk-based approach 6. Rich reporting
39 1. Underlying merchants must be submitted Banks must obtain TPPP and TPS portfolios In totality Each new boarded customer
40 2. Merchant intel finds connections Random sample of many years of merchant history data Historical data provides access to deeper of level connections so we can better detect bad actors By using these known connections, Data Science can make better predictions of merchant violations
41 Connections: a case study Over $1MM of fraudulent charges from a company offering translation services Merchant 1 URL 1 Merchant ID 1 Acquirer
42 Connections: findings After network investigation was complete Merchant 83 Related URLs 56 Merchant IDs 32 Acquirers
43 Merchant relationship mapping Charting relationships throughout the payment value chain 43
44 3. Merchant intel enables predictive modeling Key data points: Public information 1. Blacklists and whitelists (OFAC, PEP, NABP, etc.) 2. Reputation data (aggregated from multiple sources) Proprietary information 1. Historical data on merchants and individuals 2. Past fraud and content violations 3. Connections between individuals and businesses Data science predicts likelihood of compliance violations or fraud
45 Predictive modeling: case study 1. UK bank onboards Merchant X and submitted portfolio for review 2. Vendor reports Merchant X as high risk after detecting likelihood of past fraud (2 of 5 data points matched previous bad actor) 3. Merchant X instantly began fraudulent activity, which was not immediately detected in transaction flow Limited Fraud Losses 655 ~ 33, UK bank terminated merchant, limiting fraud to 2% of typical loss Losses from Merchant X Typical losses Proprietary Data + Third Party Data = 99% accurate predictions that can reduce losses
46 4. Merchant intel can yield instant quantification Examples: G2 Compass Score Argos Risk Score Speed Most results <1 second Significantly reduces merchant onboarding time Integration Works in conjunction with your existing core platform solution and enhances existing processes Choice API provides seamless integration with in-house systems or 3 rd party platforms (ex. Zoot) Portal log in to access reports
47 Instant quantification: case study Applications a month Minutes per applications Hours per month ~ 10 full-time staff to review and process
48 3,000 New Applications Prelim Approval 1,830 Applications (61%) Needs Review 420 Applications (14%) Declined 750 Applications (25%)
49 Instant quantification: results Applications a month Minutes per application Hours per month 93% time savings
50 5. Merchant intel powers a risk-based approach
51 Risk-based approach: case study A US Bank faced additional scrutiny for inadequate KYC/KYCC policies. Risk managers lacked tools for effective TPPP oversight, and TPPPs were not adhering to regulations to the same degree the bank was.
52 Risk-based approach: solution The bank created a holistic TPPP oversight management program, including predictive merchant risk tools as the main ingredient. Predictive merchant scoring gave them a more comprehensive risk profile of their TPPPs and underlying merchants. The bank received praise by both external and internal auditors, and retained their merchant relationships and associated revenues.
53 6. Merchant intel can be richly reported Quick snapshot of categories of risk in your portfolio Benchmarking data to compare portfolio to the broader industry Continually evaluate your boarding process
54 Rich reporting: example Compare portfolio to rich database of risk information across the industry Helps to assess both positive and negative risk
55 Merchant intel for KYCC: summary 1. Underlying merchants 2. Historical connections 3. Predictive modeling 4. Instant quantification 5. Risk-based approach 6. Rich reporting
56 KYCC strategies for TPPPs and TPSs Risk officers face exceptional uncertainty Regulators have offered qualified guidance New tools present partial solutions An additional level of intelligence is required Key elements Implementation
57 Implementation Tips Partner with TPPPs and TPSs on implementation Pass on investments in tools and analysts Encourage (stipulate) third parties to implement beneficial systems and processes Learn from regulatory and association best practices OCC and FDIC guidelines CMS from TPPPA NACHA guidelines Build systems and processes incrementally Start with hosted web services Then integrate into in-house platforms via APIs
58 MERCHANT INTELLIGENCE FOR 3 RD PARTIES Reduce Regulatory Burden Decrease Risk Decide Faster
59 Thank you! Dan Frechtling Steve Clendaniel
Managing TPPPs and TPSs in the Current Regulatory Environment
November 2015 Managing TPPPs and TPSs in the Current Regulatory Environment Prepared by: Jodie Ruby, Director Audience: This document is intended for managers, directors and executives who deal with business
More informationGet In Tune With Third Parties: Finding the harmonies between Third Party Senders, Originators, and Customers.
Get In Tune With Third Parties: Finding the harmonies between Third Party Senders, Originators, and Customers. Marsha Jones President TPPPA Brent Siegel Vice President Argos Risk 1 1 AGENDA/OUTLINE Third-Party
More informationVendor Management Compliance Top 10 Things Regulators Expect
Vendor Management Compliance Top 10 Things Regulators Expect Paul M. Phillips, CFA Attorney, Adams and Reese Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay 2014 EastPay.
More informationVendor Management Compliance Top 10 Things Regulators Expect
Vendor Management Compliance Top 10 Things Regulators Expect Peter Davey, AAP VP & Director, Enterprise Payments, CapitalOne Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay
More informationTo: Our Clients and Friends March 25, 2014
Financial Services Group To: Our Clients and Friends March 25, 2014 A Significant Change Is Occurring Regarding Regulatory Oversight of Banks and Their Third Party Relationships. Both Banks and their Vendors
More informationExecutive Fraud Forum October 30, 2013
Executive Fraud Forum October 30, 2013 Payments Fraud Trends Mary Kepler, Director, Retail Payments Risk Forum, Federal Reserve Bank of Atlanta Judy Long, Executive Vice President, First Citizens National
More informationGUIDANCE ON PAYMENT PROCESSOR RELATIONSHIPS (Revised July 2014)
Federal Deposit Insurance Corporation 550 17th Street NW, Washington, D.C. 20429-9990 Financial Institution Letter FIL-127-2008 November 7, 2008 GUIDANCE ON PAYMENT PROCESSOR RELATIONSHIPS (Revised July
More informationIdentifying Key Risk Indicator
PUERTO RICO PAYMENTS SYMPOSIUM Identifying Key Risk Indicator EPOCPR Services Agenda for Today Background History Regulators & Risk Management Let s have fun Regulators & Risk Assessment ACH Risks Categories
More informationAIM for Success and Effectively Manage High Risk Originators
AIM for Success and Effectively Manage High Risk Originators Pamela T. Rodriguez, AAP, CIA, CISA EVP, Risk Management & Education, EastPay Brent Siegel Vice President, Argos Risk Disclaimer This presentation
More informationOutsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP
Outsourced Third Party Relationship Management/ Vendor Management TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP 1 Risk Management Guidance 2 3 Appendix J: 4 - Key Elements Third Party Management
More informationVendor Risk Management in the New Regulatory Environment. kpmg.com
Vendor Risk Management in the New Regulatory Environment kpmg.com Vendor Risk Management in the New Regulatory Environment 2 Vendor Risk Management in the New Regulatory Environment Background Regulators
More informationWhite Paper on Financial Institution Vendor Management
White Paper on Financial Institution Vendor Management Virtually every organization in the modern economy relies to some extent on third-party vendors that facilitate business operations in a wide variety
More informationManaging your community bank s ACH and demand draft risk By George F. Thomas
Payment Protocols Managing your community bank s ACH and demand draft risk By George F. Thomas Would anyone in their right mind attempt to drive a car blindfolded? Well, the answer would be an emphatic
More informationTO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel
AL 2000 12 O OCC ADVISORY LETTER Comptroller of the Currency Administrator of National Banks Subject: Risk Management of Outsourcing Technology Services TO: Chief Executive Officers of National Banks,
More informationGUIDANCE FOR MANAGING THIRD-PARTY RISK
GUIDANCE FOR MANAGING THIRD-PARTY RISK Introduction An institution s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships,
More informationThird-Party Payment Processing and Financial Crimes March 14, 2012
Third-Party Payment Processing and Financial Crimes March 14, 2012 Michael Benardo Chief, Cyber Fraud & Financial Crimes Section Division of Risk Management Supervision Federal Deposit Insurance Corporation
More informationVendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.
Vendor Management: An Enterprise-wide Focus Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd. Why Focus on Vendor Management Increased financial regulatory scrutiny GLBA and Identity Theft Red
More informationKnow Your Customer & Know Your Customer s Customers (KYCC) BITS ACH Fraud Risk Subgroup Presented by George Thomas November 19, 2008
Know Your Customer & Know Your Customer s Customers (KYCC) BITS ACH Fraud Risk Subgroup Presented by George Thomas November 19, 2008 Agenda Theme and Issue Types of Third Party Processors Risk from Third
More informationRisk Management of Outsourced Technology Services. November 28, 2000
Risk Management of Outsourced Technology Services November 28, 2000 Purpose and Background This statement focuses on the risk management process of identifying, measuring, monitoring, and controlling the
More informationInformation Technology
Information Technology Information Technology Session Structure Board of director actions Significant and emerging IT risks Practical questions Resources Compensating Controls at the Directorate Level
More informationSHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS
SHARED ASSESSMENTS PROGRAM STANDARD INFORMATION GATHERING (SIG) QUESTIONNAIRE 2014 MAPPING TO OCC GUIDANCE (2013-29) ON THIRD PARTY RELATIONSHIPS An overview of how the Shared Assessments Program SIG 2014
More informationone admin. one tool. Providing instant access to hundreds of industry leading verification tools.
2 7 12 14 11 15 8 16 10 41 40 42 19 49 45 44 50 48 47 51 46 52 53 55 54 56 57 67 68 1 5 39 43 58 71 81 82 69 70 88 25 29 23 26 22 3 21 28 4 6 32 30 38 33 31 37 34 35 36 63 59 64 60 62 61 65 72 73 66 74
More informationWho s Your Vendor? Secondary Market Compliance and Title Agent Vendor Management
Who s Your Vendor? Secondary Market Compliance and Title Agent Vendor Management 2015 LBA Bank Counsel Conference Marx Sterbcow, Managing Attorney, Sterbcow Law Group The Bureau s Scrutiny of Vendor Management
More informationVENDORINSIGHTU P D A T E
VENDORINSIGHTU P D A T E November 12, 2013 COMPLIANCE VendorINSIGHT is the industry-leading solution for financial institutions offering the most features and capabilities for vendor risk monitoring. Ask
More informationThird Party Payment Processors Job Aid
Third Party Payment Processors Job Aid This job aid is to be used by state institution examiners as a means to understand, identify, and assess the risks associated with institutions relationships with
More informationPayment Processor Relationships Revised Guidance
Federal Deposit Insurance Corporation 550 17th Street NW, Washington, D.C. 20429-9990 Payment Processor Relationships Revised Guidance Financial Institution Letter FIL-3-2012 January 31, 2012 Summary:
More informationCompliance and Ethics at the Federal Reserve Bank of New York
Compliance and Ethics at the Federal Reserve Bank of New York Operational Risk and Internal Audit Course Marina Adams, Compliance Officer and AVP David K. Clune, Compliance and Ethics Officer Kevin White,
More informationThird-Party Risk Management: Busting Myths and Telling Truths
Third-Party Risk Management: Busting Myths and Telling Truths Richik Sarkar, Esq. McDonald Hopkins LLC 600 Superior Avenue, East, Suite 2100 Cleveland, OH 44114 (216) 430-2009 rsarkar@mcdonaldhopkins.com
More informationOutsourcing Technology Services A Management Decision
Outsourcing Technology Services A Management Decision A Telephone Seminar for National Banks Tuesday, July 20, 2004 And again on Wednesday, July 21, 2004 Agenda Outsourcing activities and relationships
More informationVendor Compliance Management Series: Performing an Effective Risk Assessment
Vendor Compliance Management Series: Performing an Effective Risk Assessment Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must
More informationDon t Originate in the Dark: Shine Some Light on Your Third-Party Senders and Their Originators
Don t Originate in the Dark: Shine Some Light on Your Third-Party Senders and Their Originators This ACH risk management white paper examines the risks related to ACH transactions processed by Third-Party
More informationKnowing your customers and their customers and their customers and so on and so on
Knowing your customers and their customers and their customers and so on and so on Identifying your Third-Party s and their Nested s This ACH risk management white paper provides an overview of ACH relationships
More informationCredit Union Liability with Third-Party Processors
World Council of Credit Unions Annual Conference Credit Union Liability with Third-Party Processors Andrew (Andy) Poprawa CEO, Deposit Insurance Corporation of Ontario Canada 1 Credit Union Liability with
More informationRisk Management of Remote Deposit Capture
Federal Financial Institutions Examination Council 3501 FAIRFAX DRIVE ROOM 3086 ARLINGTON, VA 22226-3550 (703) 516-5487 http://www.ffiec.gov Background and Purpose Risk Management of Remote Deposit Capture
More informationGuidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004
Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004 1. INTRODUCTION Financial institutions outsource business activities, functions and processes
More informationValidating Third Party Software Erica M. Torres, CRCM
Validating Third Party Software Erica M. Torres, CRCM Michigan Bankers Association Risk Management & Compliance Institute September 29, 2014 MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT
More informationTHE UH OH MOMENT. Financial Services Enterprises Focus on Governance, Transparency and Supply Chain Risk
THE UH OH MOMENT Financial Services Enterprises Focus on Governance, Transparency and Supply Chain Risk By Lois Coatney, Chuck Walker and Joseph Yacura, ISG Directors www.isg-one.com INTRODUCTION A top
More information2014 Financial Services Industry Compliance Benchmark Study
2014 Financial Services Industry Compliance Benchmark Study Presented By: and Executive Summary Beginning in early December 2013, SAI Global Compliance conducted a survey among compliance professionals
More informationACH Operations Bulletin #2-2013
ACH Operations Bulletin #2-2013 High-Risk Originators and Questionable Debit Activity March 14, 2013 EXECUTIVE SUMMARY Recent press reports have inaccurately stated that some Receiving Depository Financial
More informationEFT Industry and BSA/AML Dan Altman
EFT Industry and BSA/AML Dan Altman Sr. IT and Risk Consultant Background Dan Altman, Sr. IT and Risk Consultant SHAZAM Internal Audit SHAZAM Secure o IT Exam, ACH Exam, BSA Exam, IT Consulting, Security
More informationTHIRD PARTY. T i m L i e t z R e g i o n a l P r a c t i c e L e a d e r R i s k A d v i s o r y S e r v i c e s
MANAGING THIRD PARTY RISK T i m L i e t z R e g i o n a l P r a c t i c e L e a d e r R i s k A d v i s o r y S e r v i c e s Experis -- a different kind of talent company. Experis Tuesday, January 08,
More informationOCC 98-3 OCC BULLETIN
To: Chief Executive Officers and Chief Information Officers of all National Banks, General Managers of Federal Branches and Agencies, Deputy Comptrollers, Department and Division Heads, and Examining Personnel
More informationO OCC BULLETIN OCC 2006-39. Automated Clearing House Activities. Risk Management Guidance
O OCC BULLETIN Comptroller of the Currency Administrator of National Banks Subject: Automated Clearing House Activities Description: Risk Management Guidance TO: Chief Executive Officers, Chief Risk Officers,
More informationFinTech Webinar Series: Vendor Management Principles
FinTech Webinar Series: Vendor Management Principles Evolving Best Practices of Bank Service Providers February 14, 2013 Speakers Russell Bruemmer Partner Eric Mogilnicki Partner Jeffrey Hydrick Special
More informationANTI-MONEY LAUNDERING FOR LENDERS
ANTI-MONEY LAUNDERING FOR LENDERS Ari Karen Offit Kurman akaren@offitkurman.com 240.507.1740 Bill Heyman Offit Kurman wheyman@offitkurman.com 301.575.0393 THE RATIONALE FOR THE NEW REGULATIONS The Financial
More informationStatement of Guidance: Outsourcing All Regulated Entities
Statement of Guidance: Outsourcing All Regulated Entities 1. STATEMENT OF OBJECTIVES 1.1. 1.2. 1.3. 1.4. This Statement of Guidance ( Guidance ) is intended to provide guidance to regulated entities on
More informationA Cautionary Tale Plus Cross-Channel Risk
Dan Tobin A Cautionary Tale Plus Cross-Channel Risk IT Examiner Supervision, Regulation & Credit Dan.tobin@bos.frb.org Agenda A Cautionary Tale Shames-Yeakel v. Citizens Financial Bank Cross-Channel Risk
More informationAny business relationship between a bank and another entity, by contract or otherwise
An Overview for Bank Directors Managing the Third Party Relationship Patrick Neuman Boardman & Clark LLP Madison, Wisconsin Any business relationship between a bank and another entity, by contract or otherwise
More informationIncreasingly community banks are turning to
A system of ACH risk-management valves can help banks bypass the big loss By Jeanette A. Fox and Cary Whaley Increasingly community banks are turning to payments, specifically Automated Clearing House
More informationFraud Risk Management Procedures
Fraud Risk Management Procedures 1. Introduction KCE Electronics Public Company Limited ( KCE or the Company ) is committed to achieving the highest levels of business integrity, morals and transparency
More informationGrowing Vendor Management
V E N D O R M A N A G E M E N T P R O F I L E S E R I E S A Wh it e Pap e r by Ve n d or I NS I G HT an d C MPG, L L C Growing Vendor Management as a Sustainable Business Process with Automated Vendor
More informationVENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium
1 VENDOR RISK MANAGEMENT UPDATE- ARE YOU AT RISK? Larry L. Llirán, CISA, CISM December 10, 2015 ISACA Puerto Rico Symposium 2 Agenda Introduction Vendor Management what is? Available Guidance Vendor Management
More informationACH Operations Bulletin #1-2014
ACH Operations Bulletin #1-2014 Questionable ACH Debit Origination: Roles and Responsibilities of ODFIs and RDFIs September 30, 2014 Replaces ACH Operations Bulletin #2-2013 (Originally Issued March 14,
More informationThe rise of third party relationships means rise in risk and regulation. Non-compliance is risky business for financial institutions
The rise of third party relationships means rise in risk and regulation Non-compliance is risky business for financial institutions Increasing dependency on third parties by banks has resulted in mandatory
More informationYou Can t Afford the Risks
Anti-Money Laundering You Can t Afford the Risks Audit Tax Advisory The Risks Associated With AML/Sanctions Compliance Are Just Too Great to Ignore Continued increases in regulatory scrutiny and rigorous
More informationElectronic Transactions Association Guidelines on Merchant and ISO Underwriting and Risk Monitoring
TM MARCH 2014 Electronic Transactions Association Guidelines on Merchant and ISO Underwriting and Risk Monitoring DEVELOPED BY www.deanarich.com COUNSEL Venable LLP Jeffrey D. Knowles Ellen Traupman Berge
More informationPutting the Management Back in Vendor Management February 20, 2014
Putting the Management Back in Vendor Management February 20, 2014 Moderator: Brian O Reilly The Collingwood Group, LLC Panelists: Calvin Hagins, CFPB Ken Markison, MBA Jonathan McKernan, Wilmer Hale Dan
More informationFDIC Updates Guidance on Payment Processor Relationships
February 2012 FDIC Updates Guidance on Payment Processor Relationships BY KEVIN L. PETRASIC In its recently issued Financial Institution Letter, FIL-3-2012, the Federal Deposit Insurance Corporation (
More informationThird-Party Sender Case Studies: ODFI Best Practices to Close the Gap An ACH Risk Management White Paper
Third-Party Sender Case Studies: ODFI Best Practices to Close the Gap An ACH Risk Management White Paper This ACH risk management white paper examines three case studies related to Third-Party Sender Risk.
More informationBlind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.
Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks. For anyone familiar with the banking industry, it comes as no surprise that banks are
More informationOutsourcing in the Financial Services Industry: Finding Opportunities and Managing Risk. New York. OCC and FRB Guidance on Managing Third-Party Risk
March 24, 2014 If you have any questions regarding the matters discussed in this memorandum, please contact the following attorneys or your regular Skadden contact. Stuart D. Levi New York / 212.735.2750
More informationSafer food supply chains why assessments are great news for your business
Safer food supply chains why assessments are great news for your business Article By Vel Pillay, a food safety expert for LRQA America; and Cor Groenveld, Global Food Product Manager of LRQA and chairman
More informationMARKET CONDUCT ASSESSMENT REPORT
MARKET CONDUCT ASSESSMENT REPORT PART 1 STATUTORY ACCIDENT BENEFITS SCHEDULE (SABS) PART 2 RATE VERIFICATION PROCESS Phase 1 (2012) Financial Services Commission of Ontario (FSCO) Market Regulation Branch
More informationC2 Financial Corporation Anti Money Laundering Program and Suspicious Activity Reporting (AML Program)
C2 Financial Corporation Anti Money Laundering Program and Suspicious Activity Reporting (AML Program) Purpose: This program is being established and implemented by C2 Financial Corporation (C2) as an
More informationDesigning an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting
Consulting and Professional Services Designing an Operational Risk Program for a Community Bank Stephan Salvador Managing Director, Risk Management Consulting Designing an Operational Risk Program for
More information3 rd Party Risk Management is Broken Critical Vendors Should be Exam-Ready.
3 rd Party Risk Management is Broken Critical Vendors Should be Exam-Ready. Abstract: Kudos to the FFIEC agencies efforts to bring more attention and effort to managing 3rd party risk. With so much focus
More informationCloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World
Cloud Computing Risks in Financial Services Companies: How Attorneys Can Best Help In An Increasingly SaaS-ified World July 30, 2015 Sutherland Webinar Michael Steinig 202.383.0804 Michael.Steinig@sutherland.com
More informationNavigating Vendor Management Issues in Today s Regulatory Environment
Navigating Vendor Management Issues in Today s Regulatory Environment May 6, 2015 Elizabeth E. McGinn, Partner Moorari K. Shah, Counsel 1 Disclaimer The information contained herein is for informational
More informationHITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What?
HITRUST CSF Assurance Program You Need a HITRUST CSF Assessment Now What? Introduction This material is designed to answer some of the commonly asked questions by business associates and other organizations
More informationWhite Paper Achieving GLBA Compliance through Security Information Management. White Paper / GLBA
White Paper Achieving GLBA Compliance through Security Information Management White Paper / GLBA Contents Executive Summary... 1 Introduction: Brief Overview of GLBA... 1 The GLBA Challenge: Securing Financial
More informationVENDOR MANAGEMENT. General Overview
VENDOR MANAGEMENT General Overview With many organizations outsourcing services to other third-party entities, the issue of vendor management has become a noted topic in today s business world. Vendor
More informationTHE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS
THE BEST PRACTICES FOR DATA SECURITY AND PRIVACY IN VENDOR/ CLIENT RELATIONSHIPS Data Law Group, P.C. Kari Kelly Deborah Shinbein YOU CAN T OUTSOURCE COMPLIANCE! Various statutes and regulations govern
More informationThe Role of Internal Audit in Risk Governance
The Role of Internal Audit in Risk Governance How Organizations Are Positioning the Internal Audit Function to Support Their Approach to Risk Management Executive summary Risk is inherent in running any
More informationPreparing for the HITECH September Deadline: Tips for Negotiating Effective Business Associate Agreements under HIPAA.
Preparing for the HITECH September Deadline: Tips for Negotiating Effective Business Associate Agreements under HIPAA July 29, 2014 Meet Today s Speakers James B. Wieland Principal, Ober Kaler jbwieland@ober.com
More informationFINAL May 2005. Guideline on Security Systems for Safeguarding Customer Information
FINAL May 2005 Guideline on Security Systems for Safeguarding Customer Information Table of Contents 1 Introduction 1 1.1 Purpose of Guideline 1 2 Definitions 2 3 Internal Controls and Procedures 2 3.1
More informationCYBER SECURITY AND RISK MANAGEMENT. An Executive level responsibility
CYBER SECURITY AND RISK MANAGEMENT An Executive level responsibility Cyberspace poses risks as well as opportunities Cyber security risks are a constantly evolving threat to an organisation s ability to
More informationBy: Gerald Gagne. Community Bank Auditors Group Cybersecurity What you need to do now. June 9, 2015
Community Bank Auditors Group Cybersecurity What you need to do now June 9, 2015 By: Gerald Gagne MEMBER OF PKF NORTH AMERICA, AN ASSOCIATION OF LEGALLY INDEPENDENT FIRMS 2015 Wolf & Company, P.C. Cybersecurity
More informationTHIRD PARTY PAYMENT PROVIDERS
THIRD PARTY PAYMENT PROVIDERS BY DARLIA FOGARTY, DIRECTOR OF COMPLIANCE & COO KNOWLEDGE. CLARITY. RELIABILITY. www.compliancealliance.com (888) 353-3933 THIRD PARTY PAYMENT PROCESSORS Third Party Payment
More informationInstructions for Completing the Information Technology Officer s Questionnaire
Instructions for Completing the The (Questionnaire) contains questions covering significant areas of a bank s information technology (IT) function. Your responses to these questions will help determine
More informationVendor Management Best Practices
Vendor Management Best Practices Presented by: Raji Sathappan, MBA, CRCM, CISA, CAMS FMS East Coast Regional Conference September 2015 Certified Public Accountants Consultants Wealth Management Technology
More informationCOMPLIANCE MANAGEMENT SYSTEM
COMPLIANCE MANAGEMENT SYSTEM Ensuring Your Bank Meets Regulatory Standards Overview of Compliance Exams Examination Purpose: Assess the quality of an institution s compliance management system (CMS) for
More informationBusiness Information Services. Product overview
Business Information Services Product overview Capabilities Quality data with an approach you can count on every step of the way Gain the distinctive edge you need to make better decisions throughout the
More informationBank Secrecy Act, Anti-Money Laundering, and Office of Foreign Assets Control
Bank Secrecy Act, Anti-Money Laundering, and Office of Foreign Assets Control Overview The Bank Secrecy Act (BSA) was created in 1970 to assist in criminal, tax, and regulatory investigations. The Financial
More informationSample Financial institution Risk Management Policy 2011
Sample Financial institution Risk Management Policy 2011 1 Contents Risk Management Program...2 Internal Control and Risk Management Diagram... 2 General Control Environment... 2 Specific Internal Control
More informationCloud Vendor Evaluation
Cloud Vendor Evaluation Checklist Life Sciences in the Cloud Cloud Vendor Evaluation Checklist What to evaluate when choosing a cloud vendor in Life Sciences Cloud computing is radically changing business
More informationINSIDER TRADING POLICY
INSIDER TRADING POLICY PURPOSE: U.S. federal securities laws prohibit the purchase and sale of securities at a time when the person possesses material, non-public information (positive or negative) concerning
More informationMorgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers
Morgan Stanley Policy for the Management of Third Party Residential Mortgage Servicing Providers Title Policy for the Management of Third Party Residential Mortgage Servicing Providers Effective Date Owner
More informationVendor Management. Outsourcing Technology Services
Vendor Management Outsourcing Technology Services Objectives Board and Senior Management Responsibilities Risk Management Program Risk Assessment Service Provider Selection Contracts Ongoing Monitoring
More informationVIRGINIA ASSOCIATION OF COMMUNITY BANKS
VIRGINIA ASSOCIATION OF COMMUNITY BANKS Spring Internal Audit / Risk Seminar Presented by Lee G. Lester May 26, 2016 Regulatory Hot Topics > De-Risking > Marketplace Lending > Consumer protection initiatives
More informationFINANCIAL SERVICES FLASH REPORT
FINANCIAL SERVICES FLASH REPORT OCC Updates Guidance on Third-Party Relationships December 2, 2013 Introduction On November 4, 2013, the Office of the Comptroller of the Currency (OCC) released Bulletin
More informationAttachment. OCC Guidance on Due Diligence Requirements in Determining Whether Securities Are Eligible for Investment
Attachment OCC Guidance on Due Diligence Requirements in Determining Whether Securities Are Eligible for Investment The guidance below was issued by the Office of the Comptroller of the Currency (OCC)
More informationwww.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit March 6, 2014 (4:30-5:30) Draft v8 2-25-14
www.pwc.com The data breach lifecycle: From prevention to response IAPP global privacy summit (4:30-5:30) Draft v8 2-25-14 Common Myths 1. You have not been hacked. 2. Cyber security is about keeping the
More informationEFFECTIVE MONITORING: MANAGING INQUIRIES, INVESTIGATIONS
EFFECTIVE MONITORING: MANAGING INQUIRIES, INVESTIGATIONS AND THE REPORTING OF SUSPICIOUS ACTIVITY Managing the Inventory External Inquiries 1 314 (a) 2 314 (b) 3 Law Enforcement Inquiries Grand Jury Subpoenas
More informationBANK EXAMINERS MANUAL FOR AML/CFT RBS EXAMINATION
BANK EXAMINERS MANUAL FOR AML/CFT RBS EXAMINATION 1 Contents 1. EXAMINATION PROCEDURES ON SCOPING AND PLANNING 1..1 2. EXAMINATION PROCEDURES OF AML/CFT COMPLIANCE PROGRAM...3.. 3 3. OVERVIEW OF AML/CFT
More informationWhite Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK. By James Christiansen, VP, Information Risk Management
White Paper THE FIVE STEPS TO MANAGING THIRD-PARTY RISK By James Christiansen, VP, Information Management Executive Summary The Common Story of a Third-Party Data Breach It begins with a story in the newspaper.
More informationWHITE PAPER SPLUNK SOFTWARE AS A SIEM
SPLUNK SOFTWARE AS A SIEM Improve your security posture by using Splunk as your SIEM HIGHLIGHTS Splunk software can be used to operate security operations centers (SOC) of any size (large, med, small)
More informationPayment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
More informationEnterprise Security Tactical Plan
Enterprise Security Tactical Plan Fiscal Years 2011 2012 (July 1, 2010 to June 30, 2012) Prepared By: State Chief Information Security Officer The Information Security Council State of Minnesota Enterprise
More informationThird-Party Cybersecurity and Data Loss Prevention
Third-Party Cybersecurity and Data Loss Prevention SESSION ID: DSP-W04A Brad Keller Sr. Vice President Santa Fe Group Jonathan Dambrot, CISSP CEO, Co-Founder Prevalent Networks 3rd Party Risk Management
More information