An Overview for Bank Directors: Managing the Third Party Relationship
Patrick Neuman, Boardman & Clark LLP, Madison, Wisconsin

Third Party Relationships
- Any business relationship between a bank and another entity, by contract or otherwise

Purpose
- Outsourcing part of bank operations
- Offering services or products to bank customers
- Franchising the bank's name

Benefits
- Reduce bank costs
- Increase bank revenue
- Access special expertise or efficiency
- Increase the bank's product offerings

Identifying Significant/Critical Relationships
FDIC and OCC expect banks to identify significant or critical relationships, such as:
- New relationship
- New bank activity
- Material effect on the bank's revenues or expenses
- Significant effect on the bank's earnings or capital
- Critical function for the bank
- Access to customer information
- Vendor is marketing bank products or services
- Potential for significant customer impacts

Examples of Common Relationships
- Mortgage-related front-end services and foreclosures
- Technology services
- Data processing services
- Payment processing services
- Compliance audits and monitoring
- Affinity and credit card providers
- Flood insurance monitoring
- Debt collection services
- Disclosure preparers

Bank Responsibility: Risk Management Process
- The bank should have a risk management process commensurate with the level of risk and complexity of its third party relationships and the bank's organizational structure
- The bank cannot shift responsibility to the third party; it remains responsible for ensuring that the activity is conducted in a safe and sound manner and in compliance with all applicable laws and regulations as well as the bank's internal policies
- The board of directors (or a committee of the board) and senior management are responsible for overseeing the bank's risk management processes

Third Party Relationship Risks
Compliance Risk
- Violation of laws, rules or regulations, or non-compliance with policies
- Privacy, UDAP, Fair Lending (Reg B), TILA (Reg Z), RESPA

Strategic Risk
- Adverse business decisions
- Failure to implement appropriate business decisions in a manner consistent with the institution's goals

Operational Risk
- Inadequate or failed internal processes, people or systems
- External events

Transaction Risk
- Third party's inability to perform its functions: inadequate capacity, technological failure, human error, fraud
- Threats to the security and integrity of systems and resources

Credit Risk
- Third party is unable to meet the terms of its contractual arrangements with the bank
- Third party is unable to financially perform as agreed

Other Risks
- Liquidity
- Interest rate
- Price
- Foreign currency transaction

Bank Responsibility: Managing Risk
- Risk assessment
- Due diligence
- Contract negotiation
- Ongoing monitoring

Risk Assessment
- Is the relationship consistent with the bank's strategic planning and risk strategy?
- Risk/reward analysis for significant matters, performed by management and reviewed by the board
- Involve outside parties if necessary: attorneys, accountants, IT consultants
- Identify the internal controls necessary to monitor third party relationships
- For significant third party relationships, the board may consider appointing a senior manager with the requisite knowledge and experience to manage the relationship
- Estimate the long-term financial effect of the third party relationship

Due Diligence
- The bank's due diligence process should be designed to provide management with the information needed to address the quantitative and qualitative aspects of the third party relationship, in order to determine whether the relationship will achieve the bank's goals and mitigate the identified risks
- The scope of due diligence depends on the significance of the activity; high-risk, large-scale activities require a more comprehensive review
- When conducting due diligence, banks may consider the following:
  - Financial condition
  - Business experience and reputation
  - Qualifications
  - Legal and regulatory compliance
  - Scope of internal controls
  - Risk management
  - Systems and data security
  - Privacy protections
  - Business resumption/contingency plans
  - Knowledge of relevant consumer protection/civil rights laws
  - Human resource management
  - Reliance on subcontractors
  - Insurance

Contract Structure and Negotiation
- Ensure the specific expectations and obligations of the bank and the third party are outlined in a written contract
- Board approval should be obtained before entering into any material third party relationship
- Legal counsel should review significant contracts prior to finalization
- Bank contracts should generally address the following:
  - Nature and scope of the relationship
  - Cost/compensation
  - Performance standards
  - Responsibility for compliance with applicable laws and regulations
  - Reports and audit rights
  - Confidentiality and security
  - Customer complaints
  - Business resumption/contingency plans
  - Dispute resolution
  - Ownership and license
  - Indemnification
  - Limits on liability
  - Insurance
  - Subcontracting
  - Default and termination

Ongoing Monitoring
- Maintain adequate oversight of third party activities and adequate quality control over the products and services provided by third parties
- Minimize exposure to financial loss, reputation damage and supervisory action
- The board should initially approve, oversee and review at least annually significant third party arrangements, and should review arrangements and contracts whenever there is a material change to the program
- Performance monitoring may include the following:
  - Business strategy and potential conflicts of interest
  - Review of financial condition and audits
  - Compare actual earnings/costs to projections
  - Review compliance with internal controls and security procedures
  - Evaluate performance standards and compliance with those standards
  - Determine the adequacy of training and monitor changes in key personnel
  - Monitor compliance with applicable laws and regulations, especially when the third party interacts with consumers on behalf of the bank
  - Review business resumption/contingency planning and costs
  - Review customer complaints and the responses to them

Board Responsibility: Oversight and Accountability
- Ensure an effective process is in place to manage risks related to third party relationships in a manner consistent with the bank's strategic goals, organizational objectives and risk appetite
- Approve the bank's risk-based policies that govern the third party risk management process and identify critical activities
- Review and approve management's plans for using third parties that involve critical activities/significant relationships
- Review a summary of due diligence results and management's recommendations to use third parties that involve critical activities
- Approve significant contracts that involve critical activities
- Review the results of management's ongoing monitoring of significant third party relationships, including relationships that involve critical activities
- Ensure management takes appropriate steps to remedy significant deterioration in performance or to address changing risks or material issues identified through ongoing monitoring
- Review the results of periodic independent reviews of the bank's third party risk management process

Supervisory Reviews/Examinations
- The FDIC reviews the bank's management of significant third party relationships in both safety and soundness examinations and compliance examinations
- Safety and soundness examinations review management's record and process for assessing, measuring, monitoring and controlling the risks associated with the bank's significant third party relationships
- Compliance examinations:
  - Evaluate the quality and effectiveness of the bank's compliance risk management program as it pertains to third party relationships
  - Review operations to ensure that the products, services and activities of third party vendors comply with consumer protection and civil rights laws and regulations
- The OCC expects banks to engage in a robust analytical process to identify, measure, monitor and control the risks associated with third party relationships and to avoid excessive risk-taking that may threaten safety and soundness
- Failure to have an effective risk management process may be an unsafe and unsound banking practice

Penalties
- Financial loss to the bank: bad contracts may mean that the bank incurs actual costs that harm the bank
- Litigation costs: indemnification, termination provisions, limits of liability, etc.
- Regulators will note deficiencies in examination reports, which may lead to enforcement actions and/or civil money penalties
- Reputation costs

Additional Resources
- FDIC Financial Institution Letter 44-2008, Third Party Risk: Guidance for Managing Third Party Risk, http://www.fdic.gov/news/news/financial/2008/fil08044a.pdf
- OCC Bulletin 2013-29, Third Party Relationships: Risk Management Guidance, http://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html
- Federal Reserve Outlook Live Webinar, Vendor Risk Management: Compliance Considerations, May 2, 2012, http://www.philadelphiafed.org/bank-resources/publications/consumer-compliance-outlook/outlook-live/2012/050212.pdf
- CFPB Bulletin 2012-03, Service Providers, http://files.consumerfinance.gov/f/201204_cfpb_bulletin_service-providers.pdf
- FFIEC IT Examination Handbook, Outsourcing Technology Services, June 2004, http://ithandbook.ffiec.gov/it-booklets.aspx
- FFIEC IT Examination Handbook, Supervision of Technology Service Providers, March 2003, http://ithandbook.ffiec.gov/it-booklets.aspx
- Federal Reserve Bank of New York, Outsourcing Financial Services Activities: Industry Practices to Mitigate Risks, October 1999, http://www.newyorkfed.org/banking/circulars/outsource.pdf