VENDOR MANAGEMENT: EXAMINER EXPECTATIONS FOR ASSESSING & MANAGING 3RD PARTY RISK
Presented By: Tom Hinkel, VP of Compliance Services, Safe Systems, Inc.
Agenda
Blurred Lines: Definition of vendor
Recent regulatory expectations for vendor management
Due diligence (pre-contract)
Contracts
6 vendor management steps to take NOW
Traditional definition: Vendor vs. Service Provider
Vendor: anyone with whom you have a contractual relationship.
Service Provider: a vendor that provides a bank-related service (BSCA): check and deposit sorting and posting, computation and posting of interest and other credits and charges, preparation and mailing of checks, statements, notices, and similar items, or any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution.
Current definition: Vendor vs. Service Provider
The term "service providers" is broadly defined to include all entities* that have entered into a contractual relationship with a financial institution to provide business functions or activities. - Federal Reserve
* Entities may be a bank or nonbank, affiliated or non-affiliated, regulated or non-regulated, or domestic or foreign.
A third-party relationship is any business arrangement between a bank and another entity, by contract or otherwise.* - OCC
* Third-party relationships include activities that involve outsourced products and services and the use of independent consultants. Third-party relationships generally do not include customer relationships.
FFIEC
Financial institutions increasingly rely on service providers, software vendors, and other third parties. Financial institutions are responsible for risks associated with the activities of third-party service providers with which they contract. An effective outsourcing oversight program should provide the framework for management to understand, monitor, measure, and control the risks associated with outsourcing.
Vendor Management: What's New?
Increased vendor selection & pre-contract due diligence
Strategic goals (decision to outsource)
Concentration risk
Criticality of service (highly critical vendors may need to be assigned to a senior officer for oversight - OCC)
Vendor use of sub-contractors
BCP review (operational risk)
Expanded Risk Assessments (not just NPI): criticality, complexity, reputational risk
Vendor Management: What's New? (cont.)
Increased on-going oversight
Contracts
Third-party reports (audits) - SAS 70 vs. SOC 1, 2, 3
Regulatory examination reports
BOD reporting
Assess ALL vendors
Due Diligence
1. During the product selection process, prior to contracting for the product or service: reputation, strategic fit, etc.
2. After the vendor has been selected, and prior to implementation: RFPs vs. contracts
3. Post implementation, and ongoing as long as the relationship exists: traditional vendor management program
Due Diligence: Pre-Contract
Product / Service is in alignment with strategic plan?
Outsourcing is best option?
RFP/RFI utilized?
Product / Service cloud based?
Vendor Business Continuity RTOs reviewed?
Due Diligence Checklist
Controls: Trust but Verify
Financial Statements
Contracts & Service Level Agreements (SLAs)
Incident Response Plans (include actual incidents)
DR/BCP Plans (RTOs aligned?)
Regulatory Examination Reports
Third-party audit reviews (SAS 70 phased out)
Controls
According to the FFIEC Handbook on Outsourcing Technology Services, the ______ is the single most important control in the outsourcing process.
A. Initial due diligence process
B. Review of third-party audit reports
C. Contract
D. Risk Assessment
E. Vendor's financial stability
Controls
The contract is the legally binding document that defines all aspects of the servicing relationship. A written contract should be present in all servicing relationships. This includes instances where the service provider is affiliated with the institution. The contract is the single most important control in the outsourcing process.
Contracts
Regulatory Examination Reports
The Agencies conduct IT-related examinations of financial institutions and their TSPs based on the guidelines contained in the IT Handbooks. Uses URSIT (Uniform Rating System for Information Technology) ratings. Each TSP examined for IT is assigned a summary or composite rating based on the overall results of the evaluation.
Regulatory Examination Reports
The financial institution must inquire from their primary federal regulator (PFR) whether or not they have completed an examination of the vendor (or TSP). If the PFR indicates they have, the institution may request a summary of the exam (called a Report of Examination, or ROE), which will not contain the actual score. Instead the ROE contains an Open Section, which contains all significant examination findings and conclusions. The exception to this is if the TSP scores a 4 or lower (i.e. 4 or 5), in which case the regulator will proactively provide a summary of the exam to each institution serviced by the TSP.
Next Steps? 6 Changes to Make to your Vendor Management Program Now
✓ Remove references to SAS 70, replace with Third-party Review
✓ Rank Vendors: use a tiered approach (H, M, L, or Tier I, Tier II, Tier III)
✓ Add Vendor Management responsibilities to IT Steering Committee (or equivalent). High risk vendors may require senior management sponsor.
✓ Manage contract expiration dates and auto-renewal clauses
✓ Review SOC reports
✓ Request examination reports
Questions?
Tom Hinkel, CISA, CRISC, CCSA, CRMA
VP of Compliance Services, Safe Systems, Inc.
tom@safesystems.com
www.complianceguru.com
The Compliance and Technology Partner for Financial Institutions