3 rd Party Risk Management is Broken Critical Vendors Should be Exam-Ready. Abstract: Kudos to the FFIEC agencies efforts to bring more attention and effort to managing 3rd party risk. With so much focus on 3rd party risk, it has become a paramount issue. Therefore, it s time to explore what proactive steps the 3rd parties can take that are mutually beneficial to their business, bank clients, and consumers. Whether you are a financial institution or a 3 rd party offering services to financial institution clients, this paper offers you an intuitive perspective on the steps that must be taken to improve the compliance and risk management partnership between institutions and 3 rd parties. Author: Paul R. Reymann, Partner McGovern Smith Advisors Contents 3 rd Party Compliance is Paramount... 1 The Cost of Doing Business with a Financial Institution... 1 Trusted Partners are Exam-Ready... 2 1 st Priority Establish Compliance Policies and Procedures... 3 2nd Priority Administer the Compliance Programs 4 Consumer Compliance Program... 4 Information Security Program... 6 Vendor Risk Management Program... 6 Business Continuity Planning... 7 3rd Priority Compliance Oversight & Training... 7 Next Steps... 8
By: Paul Reymann, Partner, McGovern Smith Advisors, LLC. Are 3 rd parties doing enough? Not according to the enforcement actions, consent orders, fines, civil money penalties, and risk management mandates imposed on such companies and their financial institution clients. 3 rd Party Compliance is Paramount We are witnessing a renewed focus by bank regulators and examiners on vendor-related risks, including those that can directly affect consumers, and the banks and their vendor partners ability to comply with consumer compliance, cybersecurity, incident response, and risk management and oversight mandates. This is coupled with an aggressive willingness to issue enforcement actions against banks for 3 rd party service provider violations of consumer protections. The Consumer Financial Protection Bureau (CFPB) and Office of Comptroller of the Currency (OCC) April 2014 consent order against Bank of America and the May 2013 Federal Deposit Insurance Corporation (FDIC) settlement against Achieve and First California Bank (FCB) are reminders. 1 The regulatory focus from the Federal Financial Institutions Examination Council (FFIEC) agencies along with the enforcement action history of the past 2 to 3 years is a clear indication that 3rd parties working with regulated financial and non-financial institutions need to adopt a compliance and risk management culture that supports the up-stream institution s compliance and risk management culture. Regulators are stepping up their focus on the risk management and oversight of non-financial 3 rd parties working in the payment s industry and providing critical activities. 2 They are requiring regulated institutions to subsequently step up their vendor risk management, anti-money laundering, consumer compliance, cybersecurity controls, cyber incident management, and performance monitoring of such critical 3rd parties. 3 Kudos to the FFIEC agencies efforts to bring more attention and effort to managing 3 rd party risk. With so much focus on 3 rd party risk, it has become a paramount issue. Therefore, it s time to explore what proactive steps the 3 rd parties can take that are mutually beneficial to their business, bank clients, and consumers. The Cost of Doing Business with a Financial Institution In short, it is time to invert the traditional regulatory message of Banks must manage their 3 rd party risk to 3 rd parties must manage risk for their bank clients. As an example, let s look at the nature of the relationship between a typical sponsoring bank and independent program manager relationship that exists today for issuing prepaid cards. 1 The CFPB, in cooperation with the OCC, issued a consent order against Bank of America and its credit card subsidiary - FIA Card Services - to pay an estimated total of $727 million for alleged UDAAP violations related to credit card add-on products in connection with identity protection and debt cancellation services. The FDIC determined that Achieve and FCB engaged in unfair and deceptive practices in violation of Section 5 in the marketing and servicing of the AchieveCard, a prepaid, reloadable MasterCard, Each entity agreed to provide restitution of approximately $1.1 million to over 64,000 prepaid cardholders. In addition, the FDIC has assessed civil money penalties of $600,000 against FCB and $110,000 against Achieve. 2 Critical activities are significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology), or other activities that: could cause a bank to face significant risk if the third party fails to meet expectations; could have significant customer impacts; require significant investment in resources to implement the third-party relationship and manage the risk; or could have a major impact on bank operations if the bank has to find an alternate third party or if the outsourced activity has to be brought in-house. 3 Example references include: OCC Bulletin 2013-29 - Third-Party Relationships: Risk Management Guidance; FDIC FIL-3-2012 Payment Processor Relationships; and FRB SR 13-19 Guidance on Managing Outsourcing Risk. Copyright 2014. McGovern Smith Advisors, LLC. pg. 1 of 8
Many banks will sponsor an independent program manager that operates as a channel partner to help grow the bank s sale of cards through merchants and ultimately the consumer. In such relationships, the bank sponsorship provides access for the independent program manager to the payment network. Subsequently, the program manager will administer and manage the card program for the bank in accordance with specific bank requirements. Both parties along with the company that processes the payment, split the fees paid by the consumer and the merchant. In general, the sponsoring bank receives a small slice of these economics in such relationships. However, they are burdened with the mandate and cost to ensure the vendor complies with all the necessary legal and regulatory requirements and that the consumer is protected. Historically, sponsoring banks hold the program manager liable for meeting the bank s requirements, including all risk and compliance matters. Unfortunately, we see from the history of enforcement actions and consent orders that imposing liability on the 3rd party in the contract agreement has not enabled the bank to avoid compliance costs. When the regulators find fault with the activities of 3rd parties working with the bank, both parties have been required to pay fines or penalties. So what is the solution? Trusted Partners are Exam-Ready Third parties that strive to operate as an extension of the bank s examination-ready state will mitigate the risk of experiencing issues with their bank partners (and their bank s regulators), while also mitigating their own business risks. Such companies will be considered trusted partners by defining and implementing compliance and risk management programs that echo those of their bank clients. Working with financial institutions and their partners in the payments industry, McGovern Smith Advisors has defined a comprehensive road map to help clients establish a successful compliance and risk culture to validate 3 rd party vendors as a trusted partner to banks and in the eyes of the regulators. This road map contains multiple elements that are needed to enable 3 rd parties to achieve a trusted partner exam-ready state, proactively addressing the needs of their institution clients. These include implementing, self-policing, and validating the effectiveness of their individual company efforts to preemptively meet the client s and regulators expectations. Self-policing, which can also be described as self-monitoring or self-auditing, reflects a proactive commitment by a 3 rd party company to use resources for the prevention and early detection of potential violations of laws and regulations. 4 The CFPB and other FFIEC agencies expect financial institutions and their critical vendors to have a robust compliance management system appropriate for the size and complexity of a party s business. While this will not always prevent risk events or compliance violations, it will often facilitate early detection of potential problems and violations, which can limit the size and scope of harm or enforcement action. Questions that the regulators will consider in determining whether to provide favorable consideration for self-policing activity that detects problems, violations, or potential violations include: 1. What compliance procedures or self-policing mechanisms were in place to prevent, identify, or limit the conduct that occurred and to preserve relevant information? In what ways, if any, were the party s selfpolicing mechanisms particularly noteworthy and effective? 2. How does the party s self-policing functions measure up to customary supervisory expectations? 3. If the party is a business entity, what was the tone at the top of the business about compliance? Was there a culture of compliance? How high up in the chain of command did people know of or participate in the conduct at issue? Did senior personnel participate in, or turn a blind eye toward, obvious indicia of misconduct or deficiencies in compliance procedures? 4 See CFPB Bulletin 2013-6, Responsible Business Conduct: Self-Policing, Self-Reporting, Remediation, and Cooperation (June 25, 2013). Copyright 2014. McGovern Smith Advisors, LLC. pg. 2 of 8
All companies that want to work with financial institutions and provide or support a critical activity must define and implement a transparent compliance and risk management culture. They must maintain a strategy to address the numerous risk management controls, regulatory mandates and updates, and enforcement actions that are frequently issued by the regulators. Whether you are just starting to think about how to establish policies and procedures or define a prudent compliance program, exploring options for enhancing your existing programs, or planning to validate the effectiveness of your programs, there is a lot to consider to be successful and do it right. In general: 1. The first priority is to establish clear policies and procedures that inform management and staff regarding his and her individual duties and responsibilities. 2. The second priority is to implement a prudent compliance program that addresses consumer compliance, information security, vendor management, and business continuity planning. 3. The third priority is to develop and execute a compliance management and training program to ensure all staff have adopted the culture of compliance and risk management defined in the policies and procedures and implemented in the various compliance and risk management programs. 1 st Priority Establish Compliance Policies and Procedures Based on FFIEC regulations, guidance, and industry best practices, MSA has identified 34 specific policies and subsequent procedures that should be implement by any 3 rd party that strives to become an exam-ready trusted partner in the payments industry. MSA works with 3 rd parties and institutions to build upon existing control documentation to create and maintain the 34 compliance policies and procedures listed in Chart 1. MSA highly recommends standardizing the process and format for all policies and procedures to establish an effective baseline to facilitate growth and the efficient and cost-effective audit and maintenance efforts. The payments industry compliance policies and procedures are categorized into 34 topics: 17 consumer compliance topics and 17 information technology topics that are applicable to payments activities. Chart 1 Compliance Policies & Procedures Related to the Payments Industry Consumer Compliance 1. Fair Credit Reporting Act (including FACT Act provisions) 2. Prohibited Consumer Credit Practices Rules 3. Electronic Fund Transfers Act/Regulation E 4. Advertising 5. Right to Financial Privacy Act 6. Consumer Privacy Regulations (Gramm Leach Bliley Act) 7. Debt Collection Practices Act (FDCPA) 8. Do-Not-Call/Do-Not Fax 9. Unfair Deceptive Acts or Practices (UDAP)/Regulation AA 10. Unfair Deceptive or Abusive Acts or Practices (UDAAP) 11. Unlawful Internet Gambling Act/Regulation GG 12. Bank Secrecy Act, including Anti-Money Laundering ( AML ) 13. Customer Identification Program 14. USA Patriot Act 15. Office of Foreign Assets Control ( OFAC ) 16. FACT Act (Red Flags Rules) 17. Consumer Complaint Tracking & Monitoring Information Technology 1. IT-Access Controls 2. IT-Authentication 3. IT-Network, Application, & System Access 4. IT-Remote Access 5. IT-Physical Security 6. IT-Encryption 7. IT-Malicious Code 8. IT-Change Management Administration 9. IT-Change Management Development / Testing 10. IT-Change Management Migration (Segregation of Duties) 11. IT-Patch Management 12. IT-Personnel Security 13. IT-Data Security 14. IT-Service Provider Oversight (Vendor) 15. IT-Business Continuity Considerations 16. IT-Security Monitoring 17. IT-Backup and Recovery Copyright 2014. McGovern Smith Advisors, LLC. pg. 3 of 8
Once this initial priority of publishing a board or senior management approved library of compliance policies and procedures is successfully completed, 3 rd party service providers will be in a prudent position to initiate the required work to implement the remaining compliance and risk management program elements. This approach helps each company to cost-effectively begin by defining the baseline foundational descriptions of its compliance and risk management practices. 2nd Priority Administer the Compliance Programs Implementing and administering a comprehensive compliance program requires all critical 3 rd parties to focus on the numerous legal and regulatory compliance mandates. In a recent review of such mandates, MSA identified 121 regulatory publications as shown on the next page in Chart 2 that are associated with the requirements for 3 rd party vendors to address: Consumer compliance Information security Vendor risk management (i.e., primary contractor and subcontractors) Business continuity planning and incident response All 3 rd parties and their partner bank(s) involved with payments should have a validated compliance program. In short, the regulators want bankers to be accountable and take responsibility for knowing and managing vendors as if they were an extension of the bank s staff. They are also increasingly expecting the banks vendor partner to adopt a compliance and risk management culture to show it understands the regulatory mandates of the bank and it is willing and able to validate it is an exam-ready partner. Consumer Compliance Program The consumer compliance program should include a review and testing of numerous compliance areas. For example, for prepaid cards the program should address: Advertising Bank Secrecy Act, including Anti-Money Laundering ( AML ) Consumer Complaints Tracking and Management Consumer Privacy Regulations (Gramm Leach Bliley Act) Customer Identification Program Debt Collection Practices Act (FDCPA) Do-Not-Call/Do-Not Fax Electronic Fund Transfers Act/Regulation E FACT Act (Red Flags Rules) Fair Credit Reporting Act (including FACT Act provisions) Information Security (Gramm Leach Bliley Act) Office of Foreign Assets Control ( OFAC ) Prohibited Consumer Credit Practices Rules Right to Financial Privacy Act Unfair Deceptive Acts or Practices (UDAP)/Regulation AA Unfair Deceptive or Abusive Acts or Practices (UDAAP) Unlawful Internet Gambling Act/Regulation GG USA Patriot Act Copyright 2014. McGovern Smith Advisors, LLC. pg. 4 of 8
Chart 2 CFPB (3) FFIEC (3) OCC (60) FDIC (30) FRB (6) NCUA (18) BITS (1) Bulletin Regarding Marketing of Credit Card Add-on Products Final Policy Statement - Publication of Credit Card Complaint Data Bulletin 2013-6 - Responsible Business Conduct: Self-Policing, Self-Reporting, Remediation, and Cooperation IT Booklet on Outsourcing Technology Services IT Booklet on Supervision of Technology Service Providers Social Media: Consumer Compliance Risk Management Guidance Bulletin 2013-33 - Use and Review of Independent Consultants in Enforcement Actions Bulletin 2013-29 - Third-Party Relationships: Risk Management Guidance (Appendix B refers to 57 other publications) BULLETIN 2011-27: Risk Management Guidance and Sound Practices FIL-3-2012 Payment Processor Relationships (Refers to 6 other publications) FIL-56-2013 Social Media: Consumer Compliance Risk Management Guidance (Refers to 22 other publications) SR 13-19, 12/5/13 Guidance on Managing Outsourcing Risk (Refers to 4 other publications) Outlook Live Webinar (5/2/12) Vendor Risk Management Compliance Considerations LTR No. 13-CU15 Private Student Loans (Direct & Indirect) LTR No. 13-CU13 Changes to NCUA Regulations Related to Credit Union Service Organizations (CUSOs) LTR No. 10-CU26 Evaluating Payment System Service Providers (with a check list) LTR No. 10-CU15 Indirect lending & Appropriate Due Diligence LTR No. 08-CU19 Third-Party Relationships: Mortgage Brokers and Correspondents LTR No. 08-CU09 Evaluating Third Party Relationships Questionnaire LTR No. 07-CU13 Evaluating Third Party Relationships (Refers to 11 prior publications) Share Assessments, a.k.a., SIG Lite Copyright 2014. McGovern Smith Advisors, LLC. pg. 5 of 8
Information Security Program Security is also paramount. All organizations should implement physical, administrative, and technological safeguards to protect the confidentiality and integrity of confidential data, networks, and facilities from known and unknown threats. Working together, financial institutions and their trusted partners can do a better job of preventing cyberattacks from happening. In a July 17, 2014 interview on CNBC Squawkbox, Wells Fargo CEO John Stumpf noted that third parties are a big area of risk. Wells Fargo does business with third parties that have access to the system and the people they know, e.g., customers. He also noted that bad people get in through third party access, which makes this a big school of thought and discussion at Wells Fargo these days. Clearly, the prudent management of third party vendor risk is an important initiative for Wells Fargo, as with all financial institutions. In accordance with the Gramm Leach Bliley security rule and other recognized information security best practice, a prudent, compliant, and effective information security program will include: Involvement of the board and senior management A risk assessment of threats and vulnerabilities Effective risk management and controls Training Testing Vendor oversight Monitoring and adjustment based on changes that affect the security program Board reporting of material cyber-security information Vendor Risk Management Program A risk-based vendor management program is a top concern among many financial institutions as well as various regulators. All of us are challenged to think more broadly about the risks and complexity of outsourcing. We now need to think about how to become more aware and efficient in identifying, managing, and mitigating risk at the bank, vendor, and consumer level. Specific to the payments industry, we see six primary sleeper risk categories that capture many of today s challenges for fraud, outsourcing complexity, enforcement actions, technology, and new product innovation, as displayed in Chart 3 on the next page. Each organization should implement the necessary controls and practices to ensure: It is performing adequate due diligence and managing its individual vendors and the associated risk to the organization and its partners and its network and customer data. It has mutual key performance and key risk indicators defined and included in contracts with all critical vendors. It is identifying issues and creating a framework to track, manage, resolve, and report to Executive Management on open issues, as appropriate. Copyright 2014. McGovern Smith Advisors, LLC. pg. 6 of 8
Chart 3 Business Continuity Planning Done properly, business continuity planning (BCP) will: enable you to rapidly recover from a disruption or disaster; keep your organization in compliance with relevant standards; and be a sustainable program that improves over time. Each organization should develop and implement a business continuity program that: 1. Establishes BCP governance (i.e., policies, standards, program review, and maintenance). 2. Establishes an organizational structure capable of managing enterprise-wide crisis, IT disaster recovery, and department level tactical continuity of business operations. 3. Performs risk assessments of key facilities. 4. Performs business impact analysis (BIA) that defines priorities, recovery timeframes, and recovery resource requirements - aligning incident response and disaster recovery with operational requirements. 5. Establishes operational recovery procedures. 6. Establishes pandemic preparedness. 7. Identifies information technology and other operational disaster recovery needs, capabilities, and procedures. 3rd Priority Compliance Oversight & Training The financial services industry is a significant element of our critical infrastructure. Therefore, any 3 rd party that partners with a financial institution, must ensure its staff understand the importance of his and her actions in supporting institution clients. Copyright 2014. McGovern Smith Advisors, LLC. pg. 7 of 8
Therefore, once the compliance policies, procedures, and program elements are developed, all staff must be trained on his and her duties and responsibilities. They should receive annual training on the legal and regulatory mandates outlined throughout this paper that are associated with his and her individual day-to-day activities. They should also receive regular training on the policies, procedures and other compliance and risk management controls. Each organization should also ensure proactive oversight of its ability to maintain its compliance and risk management culture by performing: Quarterly board and audit committee meetings. Internal and external validation of the effectiveness of its policies, procedures, programs, controls, and training. Next Steps The increasing volume and complexity of 3 rd party risk management regulatory mandates is causing all financial institutions to evaluate and update their traditional vendor risk management programs. It is also creating a new field of engagement for 3 rd parties that want to be competitive in offering products and services to institutions. Whether you are a financial institution that wants to ensure its vendor program is successfully addressing the regulatory risk and compliance mandates or a 3rd party that wants to establish a competitive edge and become exam-ready as a trusted partner, this paper offers you an intuitive perspective on the steps that must be taken to improve the compliance and risk management partnership between institutions and 3rd parties. If you would like to talk in greater detail about how McGovern Smith Advisors can help jump start or supplement your efforts, call us at 202-721-9120. About the Author Paul Reymann is a Partner with McGovern Smith Advisors, LLC. He has over 28 years in compliance and risk management, including 13 years with the Department of Treasury. He co-authored the Gramm-Leach-Bliley Act Data Protection regulation. He is the visionary behind outsourced managed compliance products and services to make it easier for businesses to meet today s tsunami of regulatory challenges. You can reach Paul by email at preymann@mcgovernsmithadvisors.com or call him directly at 410-417-5035. About McGovern Smith Advisors, LLC. McGovern Smith Advisors understands our clients needs and delivers the knowledge and services that empower them to advance their payments business and remain competitive, compliant, and profitable. Our clients tell us we are unique in our depth of payments expertise. We bring forward-thinking advice and services on strategy, product development, profitability, compliance, RFPs & contracts, partnership formation, 3rd party vendor risk management, M&A, advocacy, and consumer campaigns to each client engagement. Visit www.mcgovernsmithadvisors.com for more information about how we can help you succeed. Copyright 2014. McGovern Smith Advisors, LLC. pg. 8 of 8