Navigating Vendor Management Issues in Today s Regulatory Environment



Similar documents
Vendor Management: Your Questions Answered

Any business relationship between a bank and another entity, by contract or otherwise

Vendor Risk Management in the New Regulatory Environment. kpmg.com

Vendor Management Compliance Top 10 Things Regulators Expect

Outsourcing Technology Services A Management Decision

Outsourcing in the Financial Services Industry: Finding Opportunities and Managing Risk. New York. OCC and FRB Guidance on Managing Third-Party Risk

White Paper on Financial Institution Vendor Management

GUIDANCE FOR MANAGING THIRD-PARTY RISK

Vendor Compliance Management Series: Performing an Effective Risk Assessment

Vendor Management: An Enterprise-wide Focus. Susan Orr, CISA CISM CRISC CRP Susan Orr Consulting, Ltd.

Identifying and Managing Third Party Data Security Risk

Reverse Due Diligence A New Trend In Financial M&A

Preparing for the Outsourcing Challenge: Legal Due Diligence to Ensure a Winning Service Provider Relationship

Vendor Management Compliance Top 10 Things Regulators Expect

Office of Inspector General

TO: Chief Executive Officers of National Banks, Federal Branches and Data-Processing Centers, Department and Division Heads, and Examining Personnel

Managing Sub-Servicing Partnerships

Bank Vendor Management An Aspirin to Prevent a Headache or Just a Headache?

The CFPB's 'UDAAPification' Of Consumer Protection Law

COMMENTARY. occ and fdic Guidance on Supervisory Concerns and Expectations Regarding Deposit Advance Products JONES DAY

VII 4.1. VII. Unfair and Deceptive Practices Third Party Risk. Third Party Risk. Introduction. Background

Minimizing Legal and Compliance Risk for Credit Furnishers

Are You Ready for the New Foreclosure Processing Regulations?

Who s Your Vendor? Secondary Market Compliance and Title Agent Vendor Management

Managing third-party relationships: It s complicated

Risk Management of Outsourced Technology Services. November 28, 2000

The New Third-Party Oversight Framework: Trust but Verify kpmg.com

Compliance Management Systems A Blueprint for Success

FEDERAL DEPOSIT INSURANCE CORPORATION WASHINGTON, D.C.

Statement of the Office of the Comptroller of the Currency. Provided to the Subcommittee on Financial Institutions and Consumer Protection

Understanding the Fundamentals of Credit Union Third-Party Vendor Due Diligence

VII 5.1. VII. Abusive Practices Third Party Procedures. Third Party Risk. Introduction. Background

Outsourced Third Party Relationship Management/ Vendor Management. TTS Webinar July 15, 2015 Susan Orr CISA, CISM, CRISC, CRP

NCUA LETTER TO CREDIT UNIONS

How To Be Ethical With Lead Generation

Blind spot Banks are increasingly outsourcing more activities to third parties. But they can t outsource the risks.

9/13/ /20 Vision for Vendor Management & Oversight. Disclaimer. Bank Service Company Act - FIL-49-99

The Other Side of CFPB Compliance

WEBLINKING: IDENTIFYING RISKS AND RISK MANAGEMENT TECHNIQUES

Supporting Effective Compliance Programs

Vendor Management. Outsourcing Technology Services

VENDORINSIGHTU P D A T E

TESTIMONY OF VALERIE ABEND SENIOR CRITICAL INFRASTRUCTURE OFFICER OFFICE OF THE COMPTROLLER OF THE CURRENCY. Before the

UNITED STATES OF AMERICA BEFORE THE BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM WASHINGTON, D.C.

LRES Corporation. Best Business Practices for an Appraisal Management Company

Subject: Safety and Soundness Standards for Information

Attachment. OCC Guidance on Due Diligence Requirements in Determining Whether Securities Are Eligible for Investment

Vendor Management: Who the CFPB is Watching and Who They Are Expecting You to be Watching

Payment Systems: Regulatory Interest in Payment Processors, Faster Payments, and Related Consumer Protections

UNITED STATES OF AMERICA BEFORE THE BOARD OF GOVERNORS OF THE FEDERAL RESERVE SYSTEM WASHINGTON, DC.

FDIC Updates Guidance on Payment Processor Relationships

THIRD PARTY SUPPLIER RISK MANAGEMENT. Meeting Emerging Financial Services Regulatory Requirements. By Joseph Yacura, ISG Director.

ACH Operations Bulletin #1-2014

CFPB COMPLIANCE: Interaction Between Compliance Assessments and Systems Issues

CFPB Consumer Laws and Regulations

Healthcare Payment Processing: Managing Data Security and Privacy Risks

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

Importance of the Consumer Financial Protection Bureau

OCC 98-3 OCC BULLETIN

Compliance Risk Management Survey A Point of View

Web Site Development Agreement

ACH Operations Bulletin #2-2013

Second Annual Conference September 16, 2015 to September 18, 2015 Chicago, IL

Consumer Protection and Regulatory Changes in the Dodd-Frank Bill

New CFPB mortgage servicing rules present significant challenges for mortgage servicers

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Outsourcing Technology Services OT

Payment Processor Relationships Revised Guidance

Credit Union Liability with Third-Party Processors

Regulatory Compliance - What You Need to Know. John Zasada Principal CliftonLarsonAllen John.zasada@claconnect.com

WHITE PAPER THIRD PARTY MANAGEMENT: FUNDAMENTALS

3 rd Party Risk Management is Broken Critical Vendors Should be Exam-Ready.

Transcription:

Navigating Vendor Management Issues in Today s Regulatory Environment May 6, 2015 Elizabeth E. McGinn, Partner Moorari K. Shah, Counsel 1

Disclaimer The information contained herein is for informational purposes only; does not constitute legal advice; and, does not necessarily reflect the opinions of BuckleySandler LLP or any of its attorneys or clients. This presentation is not intended to create, and does not create, an attorney-client relationship between you and BuckleySandler LLP, or any of the presenters, and you should not act or rely on any information in this presentation without consulting legal counsel. The information contained in this presentation may or may not reflect the most current legal developments; accordingly, information in this presentation is not promised or guaranteed to be correct or complete, and should not be considered an indication of future results. BuckleySandler LLP expressly disclaims all liability in respect to actions taken or not taken based on any or all of the contents of this presentation. 2

Agenda Vendor Management Half-Truths and New Realities Overview of CFPB, OCC, and FRB guidance Best practices for selecting and managing vendors Lessons learned from enforcement actions against financial institutions and their vendors Questions 3

Vendor Management Half-Truths and New Realities 1 2 3 4 Although regulatory scrutiny has increased, the benefits of outsourcing still far outweigh the risks of failing to comply with laws and regulations. While cost, quality, and efficiency are still the primary forces driving the procurement of goods and services, regulatory compliance has become a gating factor when considering outsourcing and selecting vendors. Financial institutions that negotiate strong service provider contracts with clear obligations and appropriate remedies for breach generally have not been the subject of enforcement actions related to vendor management. Significantly more resources for due diligence and oversight may be required to reduce compliance and enforcement risk. Many institutions are having to build or re-build their entire vendor management framework. Financial institutions can shield themselves from fines and penalties arising from enforcement actions by including indemnification and insurance clauses in their vendor contracts. Many enforcement actions have involved the failure to adequately oversee vendors. Your institution is ultimately responsible for the actions of your vendors. Oversee all vendors as you would any division of your company. Vendors are limited to parties that provide goods and services to financial institutions. Examiners are expanding the traditional notion of vendors to include other third party relationships, such as marketing partners that sell ancillary products and services. 4

Consumer Financial Protection Bureau (CFPB) CFPB Bulletin 2012-03 (April 2012) Supervised banks and nonbanks must oversee vendors ( service providers ) in a manner that ensures compliance with Federal consumer financial law, which is designed to protect the interests of consumers and avoid consumer harm Focus on avoiding any unwarranted risks to consumers Bulletin requires a financial institution to: Conduct thorough due diligence of vendors to verify that they understand and comply with the law Review vendors policies, procedures, internal controls, and training materials to ensure that they conduct appropriate training and oversight of employees/agents who have consumer contact or compliance responsibilities Include clear expectations about compliance in contracts, as well as consequences for violations of compliance-related responsibilities Establish internal controls and on-going monitoring to monitor compliance Take prompt action to address compliance issues 5

CFPB Expectations: Compliance Management Systems Develop and maintain a Compliance Management System Assign and communicate compliance roles and responsibilities Incorporate CMS into business processes and regularly review operations to self-identify issues and address promptly Each CFPB examination will include review and testing of components of the financial institution s CMS 6

Office of the Comptroller of the Currency (OCC) OCC Bulletin 2013-29 (October 2013) Updates and replaces OCC Bulletin 2001-47 Provides most detail of any regulatory guidance OCC Bulletin makes clear that the failure to have in place an effective risk management process commensurate with the risks and complexity of third party relationships may be an unsafe and unsound banking practice Five important stages of the risk management life cycle Planning/Risk Assessment Due Diligence and Selection Contract Negotiation and Implementation Ongoing Relationship Monitoring Relationship Termination 7

Federal Reserve Board (Fed or FRB) Supervision and Regulation Letter 13-19 (December 2013) Provides guidance on managing outsourcing risks largely mirrors OCC Bulletin 2013-29 Supplements existing 2004 FFIEC guidance relating to risks presented by Technology Service Providers (TSPs) to reach service providers that perform a wide range of business functions Core elements of Service Provider Risk Management Program: Risk assessments Due diligence and selection of service providers Contract provisions and considerations Incentive compensation review Oversight and monitoring of service providers Business continuity and contingency plans 8

Segmentation of High-Risk Vendors Customer-facing vendors Critical activities Document reasons for the risk level assigned Develop cascading model of oversight 9

Best Practice Considerations: Pre-contract Planning/Risk Assessment Document objectives, goals, risks of outsourced activities Determine laws applicable to vendors, services and / or products Assign risk rating and create risk management plan Due Diligence/Vendor Selection Review vendor policies, procedures, internal controls and training materials Consider onsite visits, audit results and discussions with management 10

Best Practice Considerations: Negotiations Enter into written contracts with clearly defined responsibilities related to legal and regulatory compliance Augment standard terms with service-specific provisions Adjust standard contracts based on cues from new guidance and enforcement actions Re-negotiate with current vendors 11

Best Practice Considerations: Ongoing Monitoring Dedicate sufficient staff to monitor vendors Tailor oversight to level of risk Consider if additional measures are necessary Onsite and more frequent reviews Enhanced reporting and independent audits Revisit the risk rating of the relationship Ensure legal and regulatory compliance Identify if remedies, renegotiation or termination are necessary Monitor reliance on performance of subcontractors 12

Enforcement Actions: Lessons Learned Ancillary Products Oct. 2014: Joint FTC/FCC/state AGs $105 million settlement to resolve allegations of unauthorized third party charges June 2014: CFPB $59.5MM action against bank and third party service provider relating to marketing credit card ancillary products June 2013: CFPB $3.2MM enforcement action against a financial institution and $3.3MM enforcement action against a service provider concerning service contracts in connection with auto loans Key Takeaway: Treat companies with whom you jointly market or sell ancillary products like any other service provider, especially with respect to due diligence and ongoing monitoring 13

Enforcement Actions: Lessons Learned Technology Service Providers (TSPs) Aug. 2014: CFPB $2.75MM enforcement action against finance company to address alleged deficiencies in the finance company s credit reporting practices Jan. 2014: OCC and FDIC cease and desist order against two affiliated TSPs that offer payment and other technology solutions for banks related to disaster recovery planning and evaluation and monitoring of vendor risks Dec. 2013: OCC, FRB and FDIC reached formal agreement with banking software company that provides services to more than 1,000 U.S. financial institutions related to disaster recovery readiness Key Takeaway: Data integrity and cybersecurity risks are receiving particular attention from regulators, especially TSPs that store personal and financial information and are heavily relied upon by financial institutions 14

Questions Elizabeth McGinn Partner 212.600.2370 (NY office) 202.349.7968 (DC office) emcginn@buckleysandler.com Moorari Shah Counsel 310.424.3939 (LA office) mshah@buckleysandler.com www.buckleysandler.com www.infobytesblog.com 15

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information