Vendor Compliance Management Series: Performing an Effective Risk Assessment
Legal Disclaimer This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the specific circumstances of each case. Every effort has been made to assure that this information is up-to-date as of the date of publication. It is not intended to be a full and exhaustive explanation of the law in any area, nor should it be used to replace the advice of your own legal counsel.
Who is KirkpatrickPrice? KirkpatrickPrice is a licensed CPA firm, providing assurance services to over 300 clients in more than 42 states, Canada, Asia and Europe. The firm has over 10 years of experience in information assurance, performing assessments, audits, and tests that strengthen information security and compliance controls.
Services Overview
Regulatory Compliance (CFPB) guidance and audit services:
- Policy & Procedure
- Risk Assessment
- Vendor Compliance Management
- CFPB Mock Audit
Information Security guidance and audit services:
- PCI DSS 3.0
- SSAE 16 SOC 2
- FISMA
- ISO 27001 / 27002
Welcome Joseph Kirkpatrick, Managing Partner at KirkpatrickPrice, is a certified specialist in data security, IT governance, and regulatory compliance. He has provided consulting and security assessments for more than 14 years. - Certified in the Governance of Enterprise IT (CGEIT) - Certified Information Systems Auditor (CISA) - Certified in Risk and Information Systems Control (CRISC) - Qualified Security Assessor (QSA)
External Guidance OCC Bulletin 2013-29/2014-37 OCC News Release 2013-116 FDIC FIL 44-2008 Federal Reserve Guidance on Managing Outsourcing Risk FFIEC Outsourcing Technology Services CFPB Bulletin 2012-03
OCC Bulletin 2013-29 (third-party relationship life cycle)
- Planning
- Due diligence and third-party selection
- Contract negotiation
- Ongoing monitoring
- Termination
- Oversight and accountability
- Documentation and reporting
- Independent reviews
OCC News Release 2013-116 (debt-sale best practices)
- Establish an oversight committee
- Use debt buyer scorecards
- Maintain account accuracy and documentation
- Use clear, consistent contract terminology
- Provide sufficient documentation
- Limit the resale of debt
- Limit the litigation strategy
- Maintain quality Management Information Systems
- Conduct periodic reviews
OCC Bulletin 2014-37 (consumer debt sales)
- Ensure appropriate internal policies and procedures are developed and implemented to govern debt-sale arrangements consistently across the bank.
- Perform appropriate due diligence when selecting a debt buyer.
- Ensure debt-sale arrangements with debt buyers cover all important considerations.
- Provide accurate and comprehensive information regarding each debt sold, at the time of sale.
- Recognize that certain types of debt are not appropriate for sale.
- Comply with applicable laws and regulations.
- Implement appropriate oversight of the debt-sale arrangement.
FDIC FIL - 44-2008
Federal Reserve Guidance on Managing Outsourcing Risk
- Risk assessments
- Due diligence and selection of service providers
- Contract provisions and considerations
- Incentive compensation review
- Oversight and monitoring of service providers
- Business continuity and contingency plans
FFIEC Outsourcing Technology Services
- Evaluate the quantity of risk present from the institution's outsourcing arrangements
- Evaluate the quality of the institution's risk management
CFPB Bulletin 2012-03 (service provider oversight)
- Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law
- Requesting and reviewing the service provider's policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have consumer contact or compliance responsibilities
- Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices
- Establishing internal controls and ongoing monitoring to determine whether the service provider is complying with Federal consumer financial law
- Taking prompt action to fully address any problems identified through the monitoring process, including terminating the relationship where appropriate
Welcome Brett Soldevila serves as the Chief Compliance Officer for Security Credit Services, LLC. Prior to joining Security Credit Services, Brett served in the internal audit department of a global consumer and commercial services company, and in the audit & enterprise risk services department of one of the world's largest professional services firms. - Certified Public Accountant - Certified Fraud Examiner - DBA Certification Council - Chair of the Council's Standards Committee
Who is Security Credit Services, LLC? Security Credit Services, LLC (SCS) has been in business since 2003, and is a wholly-owned subsidiary of Security Holdings, LLC. SCS acquires delinquent consumer accounts receivable from financial institutions and manages the collections. SCS is based in Oxford, MS and also has offices in Atlanta, GA.
Overview: Related Risk Management Guidance
- Committee of Sponsoring Organizations of the Treadway Commission (COSO)
- Sarbanes-Oxley Act of 2002 (SOX)
Enterprise-Wide Risk Assessment
- Gain an understanding of procedures throughout your company
- Identify and rate risks
- Implement an annual risk-based audit calendar
Data Security Risk Assessment: 3rd Party Vendors
- Create a listing of vendors, with a description of the services each provides and whether a confidentiality agreement is in place
- Calculate a risk rating for each vendor from likelihood and impact
- Determine the procedures necessary to mitigate the rated risks
3rd Party Vendor Risk Assessment: Additional Vendor Risk Assessment Criteria
- Financial statement review
- Gross collections
- Time since last audit
- Prior audit score
- Complaints/disputes
- BBB rating
Data Security Risk Assessment: 3rd Party Vendors
- Calculate the risk rating for each vendor
- Use the rating to determine the frequency and type of procedures necessary (what gets audited, how deeply, and how often on the annual audit calendar)
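The slides above describe a vendor scoring procedure (likelihood times impact, adjusted by the additional criteria, then mapped to how often and how deeply each vendor is reviewed) without showing the arithmetic. The following is an added worked example of one way to implement that procedure; it is not SCS's or KirkpatrickPrice's own model. The point scales, weights, thresholds and the three review tiers are assumptions chosen for illustration, as are the sample vendors, which are constructed and not real firms.

```python
"""Vendor risk rating and review-frequency example (added illustration).

Assumptions (not from the presentation): likelihood and impact are rated
1 (low) to 5 (high); inherent risk is their product (1..25); each additional
criterion adds assumed penalty points; the total is banded into three tiers.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SCALE_MIN, SCALE_MAX = 1, 5  # assumed rating scale for likelihood and impact


@dataclass
class Vendor:
    name: str
    services: str                      # description of services provided
    has_confidentiality_agreement: bool
    likelihood: int                    # 1..5, chance of a compliance/security failure
    impact: int                        # 1..5, harm to the company if it happens
    financials_reviewed: bool          # financial statement review completed
    gross_collections: float           # annual dollars collected on our behalf
    months_since_last_audit: int
    prior_audit_score: Optional[float]  # 0..100, None if never audited
    complaints: int                    # complaints/disputes in the last 12 months
    bbb_rating: str                    # "A+" .. "F"


def inherent_risk(v: Vendor) -> int:
    """Likelihood x impact, after validating both are on the assumed scale."""
    for value in (v.likelihood, v.impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{v.name}: rating {value} outside {SCALE_MIN}..{SCALE_MAX}")
    return v.likelihood * v.impact


def criteria_adjustment(v: Vendor) -> int:
    """Penalty points from the additional criteria (assumed weights)."""
    adj = 0
    if not v.has_confidentiality_agreement:
        adj += 3                       # no NDA: data handling is uncontracted
    if not v.financials_reviewed:
        adj += 2                       # financial viability unknown
    if v.gross_collections >= 1_000_000:
        adj += 2                       # larger book = larger exposure
    elif v.gross_collections >= 250_000:
        adj += 1
    if v.prior_audit_score is None:
        adj += 3                       # never audited
    elif v.prior_audit_score < 80:
        adj += 2                       # weak last result
    if v.months_since_last_audit > 24:
        adj += 2                       # stale assurance
    elif v.months_since_last_audit > 12:
        adj += 1
    if v.complaints > 10:
        adj += 2
    elif v.complaints > 0:
        adj += 1
    if not v.bbb_rating.startswith("A"):
        adj += 1
    return adj


def risk_rating(v: Vendor) -> int:
    return inherent_risk(v) + criteria_adjustment(v)


def review_plan(score: int) -> Tuple[str, str]:
    """Map a rating to a tier and the frequency/type of procedures (assumed tiers)."""
    if score >= 20:
        return "High", "Annual on-site audit plus quarterly monitoring"
    if score >= 10:
        return "Medium", "Annual remote audit with semi-annual check-in"
    return "Low", "Biennial questionnaire and annual license/insurance verification"


def assess(vendors: List[Vendor]) -> List[Tuple[str, int, str, str]]:
    """Rate every vendor and return (name, score, tier, plan), highest risk first."""
    rows = [(v.name, risk_rating(v), *review_plan(risk_rating(v))) for v in vendors]
    return sorted(rows, key=lambda r: -r[1])


# Constructed sample vendors for demonstration only.
SAMPLE_VENDORS = [
    Vendor("Acme Collections", "first-party collections", True, 4, 5, True,
           2_000_000, 30, 72.0, 12, "B"),
    Vendor("Beta Recovery", "skip tracing", True, 2, 3, True,
           100_000, 6, 95.0, 0, "A+"),
    Vendor("Gamma Legal", "litigation", True, 3, 3, False,
           300_000, 18, None, 3, "A-"),
]

if __name__ == "__main__":
    for name, score, tier, plan in assess(SAMPLE_VENDORS):
        print(f"{name:18} {score:3} {tier:7} {plan}")
```

Running the block prints the vendors in descending risk order with the review tier each one lands in; the scores themselves are only as meaningful as the weights, so a real program should document how each threshold was chosen and revisit it when the audit calendar is refreshed.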
Welcome Tony Bailey has served as the Director of Business & Strategic Development at Cornerstone Support for the past 11 years. He has assisted hundreds of debt buyers, collection agencies and collection law firms with various state licensing projects. He also assists many agencies in avoiding possible licensing issues in the M&A process as well as assisting foreign agency firms in entering the US market and domestic firms looking to expand internationally.
Who is Cornerstone Support? Since its inception in 1998, Cornerstone has provided licensing services and compliance support to many of the top collection agencies, debt buyers and attorneys in the accounts receivable industry. Cornerstone offers a wide range of services, from assisting credit grantors and debt buyers in auditing their partner collection agencies for licenses to advising clients on the errors and omissions insurance policy that best lowers their operational risk.
Why Third-Party Validation of Licensing is Important with Vendor Selection
- State licensing is fluid: an agency could be 100% compliant on Jan. 1, but only 75% by Dec. 30
- State requirements are changing ("Oh, I don't need a license there.")
- Trust but verify: most agencies are honest, but everyone makes mistakes
Why Third-Party Validation of E&O Insurance is Important with Vendor Selection
- Do partner agencies' policies include the details that matter to your firm? (e.g., TCPA exclusions, additional insured, FCRA exclusions, lower limits for class action claims)
- Cyber liability insurance coverage
Thank you for attending our Webinar Q & A For further information contact: Todd Stephenson t.stephenson@kirkpatrickprice.com 800.977.3154 Ext. 202
Coming up Next Vendor Compliance Management Series: Developing an Audit Framework When: November 2014 (TBD) A detailed look at developing effective Information Security and Regulatory Compliance audit frameworks for third parties.