THIRD-PARTY RISK MANAGEMENT
Beyond a Regulatory Requirement
April 28, 2017
Ken Glascock, CPA, CAMS, CIA, CFSA, CRCM
Director
• Let’s Break It Down – What Is Third-Party Risk Management?
• It’s Just for Big Institutions, Right? – Why You Need a Third-Party Risk Management Program
• Regulatory Requirements
• Are the Right People Involved? – It’s Not Just an IT Responsibility
• Common Pitfalls in Third-Party Risk Management Programs
• Best Practices
AGENDA
Let’s Break It Down
What Is Third-Party Risk Management?
What Is a Third Party?
• More than just IT services
• More than just critical vendors
Formal Definition
How to Identify All Third Parties
LET’S BREAK IT DOWN
• What Is Risk Management?
Process of
• Assessing
• Measuring
• Monitoring
• Controlling
LET’S BREAK IT DOWN
It’s Just for Big Institutions, Right?
Why You Need a Third-Party Risk Management Program
No size threshold
For all institutions using third parties
Applicable to all third-party arrangements
IT’S JUST FOR BIG INSTITUTIONS, RIGHT?
WHY YOU NEED A THIRD-PARTY RISK MANAGEMENT PROGRAM
• Lack of control of process (increased risk)
• Regulatory requirement
• Evaluate whether capital is sufficient to support risk exposures – think AIG in the great recession
• Evaluate whether third party is doing its job properly
WHY YOU NEED A THIRD-PARTY RISK MANAGEMENT PROGRAM
Unirush, LLC and MasterCard International
OUTSOURCING – CASE STUDY
RushCard breakdowns cut off consumers’ access to funds
Preventable failures left tens of thousands of economically vulnerable consumers unable to pay for necessities
Many customers could not use their RushCard to get their paychecks and other direct deposits, take out cash, make purchases, pay bills or get accurate balance information
CFPB ORDERS MASTERCARD AND UNIRUSH, LLC TO PAY $13 MILLION
Regulatory Requirements
• NCUA
• OCC
• FDIC
• Federal Reserve
• FFIEC
• CFPB
POTENTIAL REGULATORS
Evaluating Third Party Relationships
“Ultimately, credit unions are responsible for safeguarding member assets and ensuring sound operations irrespective of whether or not a third party is involved.”
“Risks may be mitigated, transferred, avoided, or accepted; however, they are rarely eliminated.”
NCUA SUPERVISORY LETTER NO.: 07-01, 10/2007
• Exposure to full range of risks:
Credit
Interest rate
Liquidity
Transaction
Compliance
Strategic
Reputation
NCUA SUPERVISORY LETTER (CONT.)
“Credit unions must complete the due diligence necessary to ensure the risks undertaken in a third party relationship are acceptable in relation to their risk profile and safety and soundness requirements.”
NCUA SUPERVISORY LETTER (CONT.)
Risk Assessment
“Credit unions should complete a risk assessment prior to engaging in a third party relationship to assess what internal changes, if any, will be required to safely and soundly participate.”
NCUA SUPERVISORY LETTER (CONT.)
Risk Assessment – consider all seven risk areas and specifically:
• Expectations for Outsourced Functions
• Staff Expertise
• Criticality
• Risk-Reward or Cost-Benefit Relationship
• Insurance
• Impact on Membership
• Exit Strategy
NCUA SUPERVISORY LETTER (CONT.)
Due Diligence
• Background Check
• Business Model
• Cash Flows
• Financial and Operational Control Review
• Contract Issues and Legal Review
• Accounting Considerations
NCUA SUPERVISORY LETTER (CONT.)
• SAS70
• SSAE16
• SSAE18
• SOC I-III
• Type I-II
AUDIT REPORTS
• Effective May 1, 2017:
SOC Reports will now be issued under SSAE 18 (AT-C Section 320)
• SSAE 18 replaces SSAE 10-14, 16 & 17
• SSAE 18 covers all attestation engagements
• Refer to reports by their individual names (i.e., SOC1, SOC2 and SOC3), and not SSAE 18
AUDIT REPORTS (CONT.)
• Monitoring the effectiveness of internal controls at subservice organizations
Service organizations must implement sufficient controls to monitor the relevant controls at their subservice organizations
• Assess the risk of material misstatement and perform procedures in response to those risks, i.e., perform a risk assessment
Under SSAE 18, service auditors are instructed to better identify potential areas of risk specifically in regards to material misstatement
SSAE 18 - IMPACT TO SERVICE ORGANIZATIONS AND USER ENTITIES
• Complementary subservice organization controls and modifications to management’s assertion
SSAE 18 introduces an additional requirement to include complementary subservice organization controls in SOC reports
• Evaluating the reliability of evidence produced by the service organization
SSAE 18 clarifies the requirements to ensure that evidence provided by service organizations is complete, accurate and sufficiently detailed.
• The management assertion must be signed by management of the company.
SSAE 18 - IMPACT TO SERVICE ORGANIZATIONS AND USER ENTITIES (CONT.)
• Scope of arrangement, services offered and activities authorized
• Responsibilities of all parties
• Service level agreements
• Performance reports
• Penalties for lack of performance
• Ownership, control, maintenance and access
• Ownership of servicing rights
• Audit rights and requirements
• Data security and member confidentiality
• Business resumption or contingency planning
• Insurance
• Member complaints and member service
• Compliance with regulatory requirements
• Dispute resolution
• Default, termination and escape clauses
NCUA SUP. LETTER (CONT.) – CONTRACT ISSUES
“Since credit unions may ultimately be responsible for consumer compliance violations committed by their agents, credit unions should be familiar with the third party’s internal controls for ensuring regulatory compliance and adherence to agreed upon practices.”
NCUA SUPERVISORY LETTER (CONT.)
Risk Measurement, Monitoring and Control of Third Party Relationships
• Policies and Procedures
• Risk Measurement and Monitoring
• Control Systems and Reporting
NCUA SUPERVISORY LETTER (CONT.)
“The CFPB expects supervised banks and nonbanks to have an effective process for managing the risks of service provider relationships”
CFPB Bulletin 2012-03
“To limit the potential for statutory or regulatory violations and related consumer harm, supervised banks and nonbanks should take steps to ensure that their business arrangements with service providers do not present unwarranted risks to consumers”
CFPB Bulletin 2012-03
CFPB Orders Navy Federal Credit Union to Pay $28.5 Million for Improper Debt Collection Actions
• Credit Union Used False Threats to Collect Debts and Placed Unfair Restrictions on Account Access - OCT 11, 2016
CFPB & CREDIT UNIONS
Outsourcing Technology Services
Supervision of Technology Service Providers
FFIEC
• Comptroller’s Handbooks
Asset Management
Other Real Estate Owned
Internal and External Audits
Merchant Processing
Retail Nondeposit Investment Sales
Etc.
OCC
“A bank should adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships”
OCC Bulletin 2013-29, Third-Party Relationships
“ … the OCC expects more comprehensive and rigorous oversight and management of third-party relationships that involve critical activities—significant bank functions (e.g., payments, clearing, settlements, custody) or significant shared services (e.g., information technology) … ”
OCC Bulletin 2013-29, Third-Party Relationships
“Appropriately managed third-party relationships can enhance competitiveness, provide diversification, and ultimately strengthen the safety and soundness of insured institutions. Third-party arrangements can also help institutions attain key strategic objectives”
FDIC’s Summer 2011 Supervisory Insights
“A third-party relationship should be considered significant if the institution’s relationship with the third party is a new relationship or involves implementing new bank activities … ”
FDIC Financial Institution Letter 44-2008, Guidance for Managing Third-Party Risk
“A community banking organization may have critical activities being outsourced, but the number may be few and to highly reputable service providers. Therefore, the risk management program may be simpler and use less elements and considerations”
Federal Reserve SR 13-19, Guidance on Managing Outsourcing Risk
“As the service provider represents the institution by selling products or services on its behalf, the institution should consider whether the incentives provided might encourage the service provider to take imprudent risks”
Federal Reserve SR 13-19, Guidance on Managing Outsourcing Risk
Are the Right People Involved?
It’s Not Just an IT Responsibility
• Must know aspects of proper third-party risk management program to know who should be involved
ARE THE RIGHT PEOPLE INVOLVED?
• Five Phase Approach
1. Planning & risk assessment
2. Due diligence & third-party selection
3. Contracts
4. Ongoing monitoring
5. Termination
ARE THE RIGHT PEOPLE INVOLVED?
• Phase I - Planning & Risk Assessment
(board of directors, management, line personnel)
Is it a need or a want?
Will it help accomplish strategy?
Opportunity cost?
ARE THE RIGHT PEOPLE INVOLVED?
• Phase II - Due Diligence & Third-Party Selection
Persons involved should be those who can properly evaluate
• Whether vendor will perform task(s) assigned (direct users)
• Cost/benefit (CFO, executive management, board)
ARE THE RIGHT PEOPLE INVOLVED?
• Phase III - Contracts
Legal
CEO
CFO
ARE THE RIGHT PEOPLE INVOLVED?
• Phase IV - Ongoing Monitoring
Performance (direct users & IT)
Financial stability (CFO, credit analysts)
Business continuity (IT)
Cybersecurity (IT)
ARE THE RIGHT PEOPLE INVOLVED?
WASHINGTON — Banks are woefully unprepared to face potential cybersecurity threats stemming from third-party technology providers, according to a report issued Wednesday by the Federal Deposit Insurance Corp.’s independent watchdog.
• The FDIC's Office of Inspector General found that financial institutions failed to include important cybersecurity provisions in their contracts with the third-party firms.
• “Typically, financial institution contracts with technology service providers did not clearly address TSP responsibilities and lacked specific contract provisions to protect FI interests or preserve FI rights,” the report said.
BANKS FAIL TO ENFORCE CYBERSECURITY STANDARDS ON THIRD-PARTY PROVIDERS: FDIC WATCHDOG
• Phase V - Termination
Legal
IT
Project management
Business owner
AP
ARE THE RIGHT PEOPLE INVOLVED?
Common Pitfalls in Third-Party Risk Management Programs
1. Assuming IT can/should take on the responsibility alone
2. Performing only to appease examiners (checking the box)
3. Not including [*****] third parties
4. Board of directors not taking responsibility for oversight
• What do they see and when do they see it?
5. Obtaining documentation but doing nothing more
6. Not anticipating exit/transition costs in contract negotiations
7. Not having the VM Program reviewed/audited on a recurring basis
COMMON PITFALLS
8. Insufficient reference checks &/or not calling references
9. No risk ratings and/or outdated ratings
10. Not reviewing third party promotional (advertising) materials, as it represents your institution and/or contractually limiting use of your name / logo
11. Inadequate staff training & organizational communication
12. Out of synch with regulatory issuances and expectations
13. Not understanding business case for having a VM program
COMMON PITFALLS (CONT.)
14. Decentralization of contracts – where are they?
15. Accepting automatically renewable clauses in contracts
16. Allowing contracts to renew automatically and unintentionally
17. Decentralized purchase / acquisition process
18. Relying on the wrong SOC report
COMMON PITFALLS (CONT.)
• New Vendor Form
AP will not set up a new vendor until:
• Business Owner signs off
• Business Owner’s superior signs off
• Vendor Management team signs off
BEST PRACTICES
• Vendor Monitoring / Performance Review Form – Annual Process
Dated?
Business Owner Signoff?
Meeting Service Level Agreements?
Site Visit?
Customer Complaints Reviewed?
BEST PRACTICES (CONT.)
Vendor Manager Signoff
Risk Rating Affirmed / Changed
Financial Analysis Complete?
Risk Trend Noted
• Annual monitoring sufficient?
Implementation / Testing of User Considerations Complete – IT Security Involved?
BEST PRACTICES (CONT.) ANNUAL SUMMARY SHEET
• Software / Vendors – Can We Outsource Vendor Management?
Can the “vendor manager-manager” monitor itself?
• Software Vendor / Functionality
Repository of documents
Risk Assessment / Risk Rating Functionality
Tickler Email Alerts / Contract Renewals
Financial Analysis
Security / Audited
BEST PRACTICES – SOFTWARE
Vendor Manager Qualifications / Experience
• People person + detail oriented
• Audit / exam administration
• Project management
• Contract administration
• Compliance
• Risk assessment
• Appreciates the value of documentation
• IT background
• Financial statement analysis
BEST PRACTICES (CONT.)
• Risk Considerations
Possession of or access to member data (physical or logical)
Direct contact with members
IT infrastructure / provides critical application(s)
Loan underwriting
Compliance services
VENDOR CRITICALITY
• Other Issues
What’s a manageable number?
• Critical
• Total vendors tracked
How many risk ratings?
Can I safely ignore non-critical vendors?
VENDOR CRITICALITY (CONT.)
• Vendor Management Program Review
• Policies & Procedures
• Risk Assessment / Risk Ranking Methodology
• Sample High Risk (Critical Vendors)
Assess due diligence performed
• Review contracts
Assess annual monitoring
• Financial statement analysis
• SOC report / Client Considerations implemented
• Sample Terminated Critical Vendors
• Top 30 payees? Are they tracked in the VM Program?
• Board / Supervisory Reporting – Adequacy and Frequency
WHAT’S IN YOUR AUDIT PROGRAM?
CFO
Insurance
Procurement
Credit Analysis
Accounts Payable
Legal
Compliance
Internal Audit
Contract Administration
BCP
IT Security
Project Management
Business Owners
ERM + Vendor Manager + Software
PULLING IT ALL TOGETHER – INTERNAL STAKEHOLDERS
Board & Supervisory Committee
Ken Glascock | 303-837-3598 | [email protected]