third-party risk management - acuia...why you need a third-party risk management program. ......
Post on 08-Jun-2020
5 Views
Preview:
TRANSCRIPT
THIRD-PARTY RISK MANAGEMENT
Beyond a Regulatory Requirement
April 28, 2017
Ken Glascock, CPA, CAMS, CIA, CFSA, CRCMDirector
kglascock@bkd.com
• Let’s Break It Down – What Is Third-Party Risk Management?
• It’s Just for Big Institutions, Right? – Why You Need a Third-Party Risk Management Program
• Regulatory Requirements
• Are the Right People Involved? – It’s Not Just an IT Responsibility
• Common Pitfalls in Third-Party Risk Management Programs
• Best Practices
AGENDA
Let’s Break It Down
What Is Third-Party Risk Management?
What Is a Third Party?
• More than just IT services
• More than just critical vendors
Formal Definition
How to Identify All Third Parties
LET’S BREAK IT DOWN
• What Is Risk Management?
Process of
• Assessing
• Measuring
• Monitoring
• Controlling
LET’S BREAK IT DOWN
It’s Just for Big Institutions, Right?
Why You Need a Third-Party Risk Management Program
No size threshold
For all institutions using third parties
Applicable to all third-party arrangements
IT’S JUST FOR BIG INSTITUTIONS, RIGHT?
WHY YOU NEED A THIRD-PARTY RISK MANAGEMENT PROGRAM
• Lack of control of process (increased risk)
• Regulatory requirement
• Evaluate whether capital is sufficient to support risk exposures – think AIG in the great recession
• Evaluate whether third party is doing its job properly
WHY YOU NEED A THIRD-PARTY RISK MANAGEMENT PROGRAM
Unirush, LLC and MasterCard International
OUTSOURCING – CASE STUDY
RushCard breakdowns cut off consumers’ access to funds
Preventable failures left tens of thousands of economically vulnerable consumers unable to pay for necessitates
Many customers could not use their RushCard to get their paychecks and other direct deposits, take out cash, make purchases, pay bills or get accurate balance information
CFPB ORDERS MASTERCARD AND UNIRUSH, LLC TO PAY $13 MILLION
Regulatory Requirements
• NCUA
• OCC
• FDIC
• Federal Reserve
• FFIEC
• CFPB
POTENTIAL REGULATORS
Evaluating Third Party Relationships
“Ultimately, credit unions are responsible for safeguarding member assets and ensuring sound operations irrespective of whether or not a third party is involved.”
“Risks may be mitigated, transferred, avoided, or accepted; however, they are rarely eliminated.”
NCUA SUPERVISORY LETTER NO.: 07-01, 10/2007
• Exposure to full range of risks:
Credit
Interest rate
Liquidity
Transaction
Compliance
Strategic
Reputation
NCUA SUPERVISORY LETTER (CONT.)
“Credit unions must complete the due diligence necessary to ensure the risks undertaken in a third party relationship are acceptable in relation to their risk profile and safety and soundness requirements.”
NCUA SUPERVISORY LETTER (CONT.)
Risk Assessment
“Credit unions should complete a risk assessment prior to engaging in a third party relationship to assess what internal changes, if any, will be required to safely and soundly participate.”
NCUA SUPERVISORY LETTER (CONT.)
Risk Assessment – consider all seven risk areas and specifically:
• Expectations for Outsourced Functions
• Staff Expertise
• Criticality
• Risk-Reward or Cost-Benefit Relationship
• Insurance
• Impact on Membership
• Exit Strategy
NCUA SUPERVISORY LETTER (CONT.)
Due Diligence
• Background Check
• Business Model
• Cash Flows
• Financial and Operational Control Review
• Contract Issues and Legal Review
• Accounting Considerations
NCUA SUPERVISORY LETTER (CONT.)
• SAS70
• SSAE16
• SSAE18
• SOC I-III
• Type I-II
AUDIT REPORTS
• Effective May 1, 2017:
SOC Reports will now be issued under SSAE 18 (AT-C Section 320)
• SSAE 18 replaces SSAE 10-14, 16 & 17
• SSAE 18 covers all attestation engagements
• Refer to reports by their individual names (i.e., SOC1, SOC2 and SOC3), and not SSAE 18
AUDIT REPORTS (CONT.)
• Monitoring the effectiveness of internal controls at subservice organizations
Service organizations must implement sufficient controls to monitor the relevant controls at their subservice organizations
• Assess the risk of material misstatement and perform procedures in response to those risks, i.e., perform a risk assessment
Under SSAE 18, service auditors are instructed to better identify potential areas of risk specifically in regards to material misstatement
SSAE 18 - IMPACT TO SERVICE ORGANIZATIONS AND USER ENTITIES
• Complimentary subservice organization controls and modifications to management’s assertion SSAE 18 introduces an additional requirement to include complementary
subservice organization controls in SOC reports
• Evaluating the reliability of evidence produced by the service organization
SSAE 18 clarifies the requirements to ensure that evidence provided by service organizations is complete, accurate and sufficiently detailed.
• The management assertion must be signed by management of the company.
SSAE 18 - IMPACT TO SERVICE ORGANIZATIONS AND USER ENTITIES (CONT.)
• Scope of arrangement, services offered and activities authorized
• Responsibilities of all parties• Service level agreements• Performance reports• Penalties for lack of performance• Ownership, control, maintenance
and access• Ownership of servicing rights• Audit rights and requirements• Data security and member
confidentiality
• Business resumption or contingency planning
• Insurance
• Member complaints and member service
• Compliance with regulatory requirements
• Dispute resolution
• Default, termination and escape clauses
NCUA SUP. LETTER (CONT.) – CONTRACT ISSUES
“Since credit unions may ultimately be responsible for consumer compliance violations committed by their agents, credit unions should be familiar with the third party’s internal controls for ensuring regulatory compliance and adherence to agreed upon practices.”
NCUA SUPERVISORY LETTER (CONT.)
Risk Measurement, Monitoring and Control of Third Party Relationships
• Policies and Procedures
• Risk Measurement and Monitoring
• Control Systems and Reporting
NCUA SUPERVISORY LETTER (CONT.)
“ ”“The CFPB expects supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships”
CFPB Bulletin 2012-03
“ ”“To limit the potential for statutory or regulatory violations and related consumer harm, supervised banks and nonbanks should take steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers”
CFPB Bulletin 2012-03
CFPB Orders Navy Federal Credit Union to Pay $28.5 Million for Improper Debt Collection Actions
• Credit Union Used False Threats to Collect Debts and Placed Unfair Restrictions on Account Access - OCT 11, 2016
CFPB & CREDIT UNIONS
Outsourcing Technology Services
Supervision of Technology Service Providers
FFIEC
• Comptroller’s Handbooks
OCC
Asset Management
Other Real Estate Owned
Internal and External Audits
Merchant Processing
Retail Nondeposit
Investment SalesEtc.
“ ”“A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships”
OCC Bulletin 2013-29, Third-Party Relationships
“ ”“ … the OCC expects more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities—significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology) … ”
OCC Bulletin 2013-29, Third-Party Relationships
“ ”“Appropriately managed third-party relationships can enhance competitiveness, provide diversification, and ultimately strengthen the safety and soundness of insured institutions. Third-party arrangements can also help institutions attain key strategic objectives”
FDIC’s Summer 2011 Supervisory Insights
“ ”“A third-party relationship should be considered significant if the institution’s relationship with the third party is a new relationship or involves implementing new bank activities … ”
FDIC Financial Institution Letter 44-2008, Guidance for Managing Third-Party Risk
“ ”“A community banking organization may have critical activities being outsourced, but the number may be few and to highly reputable service providers. Therefore, the risk management program may be simpler and use less elements and considerations”
Federal Reserve SR 13-19, Guidance on Managing Outsourcing Risk
“ ”“As the service provider represents the institution by selling products or services on its behalf, the institution should consider whether the incentives provided might encourage the service provider to take imprudent risks”
Federal Reserve SR 13-19, Guidance on Managing Outsourcing Risk
Are the Right People Involved?
It’s Not Just an IT Responsibility
• Must know aspects of proper third-party risk management program to know who should be involved
ARE THE RIGHT PEOPLE INVOLVED?
• Five Phase Approach
1. Planning & risk assessment
2. Due diligence & third-party selection
3. Contracts
4. Ongoing monitoring
5. Termination
ARE THE RIGHT PEOPLE INVOLVED?
• Phase I - Planning & Risk Assessment
(board of directors, management, line personnel)
Is it a need or a want?
Will it help accomplish strategy?
Opportunity cost?
ARE THE RIGHT PEOPLE INVOLVED?
• Phase II - Due Diligence & Third-Party Selection
Persons involved should be those who can properly evaluate
• Whether vendor will perform task(s) assigned (direct users)
• Cost/benefit (CFO, executive management, board)
ARE THE RIGHT PEOPLE INVOLVED?
Legal
CEO
CFO
ARE THE RIGHT PEOPLE INVOLVED?
Phase III Contracts
• Phase IV - Ongoing Monitoring
Performance (direct users & IT)
Financial stability (CFO, credit analysts)
Business continuity (IT)
Cybersecurity (IT)
ARE THE RIGHT PEOPLE INVOLVED?
WASHINGTON — Banks are woefully unprepared to face potential cybersecurity threats stemming from third-party technology providers, according to a report issued Wednesday by the Federal Deposit Insurance Corp.’s independent watchdog.
• The FDIC's Office of Inspector General found that financial institutions failed to include important cybersecurity provisions in their contracts with the third-party firms.
• “Typically, financial institution contracts with technology service providers did not clearly address TSP responsibilities and lacked specific contract provisions to protect FI interests or preserve FI rights,” the report said.
BANKS FAIL TO ENFORCE CYBERSECURITY STANDARDS ON THIRD-PARTY PROVIDERS: FDIC WATCHDOG
• Phase V - Termination
Legal
IT
Project management
Business owner
AP
ARE THE RIGHT PEOPLE INVOLVED?
Common Pitfalls in Third-Party Risk Management Programs
1. Assuming IT can/should take on the responsibility alone
2. Performing only to appease examiners (checking the box)
3. Not including [*****] third parties
4. Board of directors not taking responsibility for oversight• What do they see and when do they see it?
5. Obtaining documentation but doing nothing more
6. Not anticipating exit/transition costs in contract negotiations
7. Not having the VM Program reviewed/audited on a recurring basis
COMMON PITFALLS
8. Insufficient reference checks &/or not calling references
9. No risk ratings and/or outdated ratings
10. Not reviewing third party promotional (advertising) materials, as it represents your institution and/or contractually limiting use of your name / logo
11. Inadequate staff training & organizational communication
12. Out of synch with regulatory issuances and expectations
13. Not understanding business case for having a VM program
COMMON PITFALLS (CONT.)
14. Decentralization of contracts – where are they?
15. Accepting automatically renewable clauses in contracts
16. Allowing contracts to renew automatically and unintentionally
17. Decentralized purchase / acquisition process
18. Relying on the wrong SOC report
COMMON PITFALLS (CONT.)
• New Vendor Form
AP will not set-up a new vendor until:
• Business Owner signs off
• Business Owner’s superior signs off
• Vendor Management team signs off
BEST PRACTICES
• Vendor Monitoring / Performance Review Form – Annual Process
Dated?
Business Owner Signoff?
Meeting Service Level Agreements?
Site Visit?
Customer Complaints Reviewed?
BEST PRACTICES (CONT.)
Vendor Manager Signoff
Risk Rating Affirmed / Changed
Financial Analysis Complete?
Risk Trend Noted
• Annual monitoring sufficient?
Implementation / Testing of User Considerations Complete – IT Security Involved?
BEST PRACTICES (CONT.) ANNUAL SUMMARY SHEET
• Software / Vendors – Can We Outsource Vendor Management?
Can the “vendor manager-manager” monitor itself?
• Software Vendor / Functionality
Repository of documents
Risk Assessment / Risk Rating Functionality
Tickler Email Alerts / Contract Renewals
Financial Analysis
Security / Audited
BEST PRACTICES – SOFTWARE
Vendor Manager Qualifications / Experience• People person + detail oriented• Audit / exam administration• Project management • Contract administration • Compliance• Risk assessment• Appreciates the value of documentation• IT background• Financial statement analysis
BEST PRACTICES (CONT.)
• Risk Considerations
Possession of or access to member data (physical or logical)
Direct contact with members
IT infrastructure / provides critical application(s)
Loan underwriting
Compliance services
VENDOR CRITICALITY
• Other Issues
What’s a manageable number?• Critical
• Total vendors tracked
How many risk ratings?
Can I safely ignore non-critical vendors?
VENDOR CRITICALITY (CONT.)
• Vendor Management Program Review• Policies & Procedures• Risk Assessment / Risk Ranking Methodology• Sample High Risk (Critical Vendors)
Assess due diligence performed• Review contracts
Assess annual monitoring• Financial statement analysis• SOC report / Client Considerations implemented
• Sample Terminated Critical Vendors• Top 30 payees? Are they tracked in the VM Program?• Board / Supervisory Reporting – Adequacy and Frequency
WHAT’S IN YOUR AUDIT PROGRAM?
CFO
Insurance
Procurement
Credit Analysis
Accounts Payable
Legal
Compliance
Internal Audit
Contract Administration
BCP
IT Security
Project Management Business Owners
ERM + Vendor Manager + Software
PULLING IT ALL TOGETHER – INTERNAL STAKEHOLDERS
Board & Supervisory Committee
Ken Glascock | 303-837-3598 | kglascock@bkd.com
top related