Vendor Management: Your Questions Answered
June 16, 2015
Elizabeth E. McGinn, Partner
Moorari K. Shah, Counsel
Disclaimer
The information contained herein is for informational purposes only; does not constitute legal advice; and does not necessarily reflect the opinions of BuckleySandler LLP or any of its attorneys or clients. This presentation is not intended to create, and does not create, an attorney-client relationship between you and BuckleySandler LLP, or any of the presenters, and you should not act or rely on any information in this presentation without consulting legal counsel. The information contained in this presentation may or may not reflect the most current legal developments; accordingly, information in this presentation is not promised or guaranteed to be correct or complete, and should not be considered an indication of future results. BuckleySandler LLP expressly disclaims all liability in respect to actions taken or not taken based on any or all of the contents of this presentation.
Q1: Role of the Board
What is expected of the board of directors with respect to vendor management?
- Setting the tone from the top is a key focus of regulators
- Full accountability requires treating the outsourced activity as if the service were being performed in-house
- Alignment with overall business strategy and objectives
Q2: Building a Vendor Management Function
How should a company start to build the framework if the vendor management function has not previously existed?
- Common question for nonbanks
- Compliance Management Systems
- Size and structure vary across financial institutions
- Many institutions underestimate the necessary resources
Q3: Use of Cross-Functional Teams
When should organizations consider using cross-functional teams to support vendor management?
- Evaluation of activities affecting multiple business lines
- Include internal audit, information security, human resources, legal and compliance
- Team advises and assists the relationship manager
- Augment the team with outside consultants for expertise
Q4: Risk Ratings
Is there a standard risk rating scale for vendors?
- General agreement that high-risk vendors include:
  - Customer-facing vendors
  - Those that store sensitive customer information
  - Those that provide mission-critical applications, such as core processing systems
  - Business continuity and disaster recovery services
- Develop a cascading model that is tailored to the company's size and the complexity of its financial products
- Develop a mitigation plan based on the risk rating
Q5: Ongoing Monitoring Focus Areas
What are current areas of regulatory focus related to ongoing monitoring?
- Compliance training
- Early identification of issues
- Information security
Q6: Subcontractors
What actions should a financial institution take with respect to oversight of subcontractors?
- Monitor the vendor's reliance on subcontractors
- Contractual right to audit subcontractors
- Require the vendor to perform due diligence and ongoing monitoring of subcontractors and to report the results
Q7: Handling Consumer Complaints
What steps should an institution take in its ongoing monitoring of consumer complaints? How should you respond to consumer complaints about a vendor that arrive through the CFPB portal?
- Assign responsibility for monitoring and responding
  - Vendor point person
- Move quickly
  - Initial response due in 15 days
  - 60 days to investigate before made public
- Involve legal and compliance teams
- Decide whether to choose one of the permitted responses
- Ongoing monitoring and remediation principles still apply
- Portal response is not a safe harbor
Q8: Sufficient Staff
What constitutes sufficient staff to onboard and manage third-party vendors?
- Dedicated staff
- Periodic reviews of ongoing monitoring files:
  - Test for thoroughness of documentation and records and whether they satisfy internal policies and procedures
  - Verify that staff is testing for compliance with applicable laws
Q9: Transitioning Vendors
What should financial institutions consider when terminating a relationship with a service provider?
- Establishing a replacement vendor
  - Resources required
  - Timing
  - Project plan
- Managing legal and regulatory compliance during transition
- Data return, transfer, and destruction
- Joint intellectual property
Q10: Re-Negotiating with Vendors
How do you re-negotiate vendor contracts to incorporate new regulatory requirements when the vendor has no interest in re-negotiating?
- Dialogue first
- Dealing with vendors who refuse or seek significant concessions
- Contemplate a back-up plan with another vendor that will accept the necessary language
Q11: UDAAP Update
What are the latest updates related to UDAAP and service providers?
- Opt-in cases
- Mobile cramming
- Payment program providers
- Mortgage industry
Q12: TILA-RESPA Integrated Disclosure Rule
What are companies doing to prepare for TRID rule changes?
- Software vendors
- Mortgage brokers
- Training and timing
- Applications
- Loan estimates
- Closing disclosure
- Closing services
- Fee estimates and tolerances
Q13: Possible Future Actions
What's coming next?
- More direct actions against service providers
- Opt-in is a hot topic
- Cyber-security/privacy
- FTC and FCC focus
- Add-on products
- Potential expansion of cramming
Questions
Elizabeth McGinn, Partner
202.349.7968 (DC office)
212.600.2370 (NY office)
emcginn@buckleysandler.com

Moorari Shah, Counsel
310.424.3939 (LA office)
mshah@buckleysandler.com

www.buckleysandler.com
www.infobytesblog.com