The Best Supporting Actor is… Your Third-Party Vendor!

Debbie Peace, AAP – ACH Alert
Paul Phillips, CFA – BankRegLaw
Pam Rodriguez, AAP, CIA, CISA – Payments Space Advisors
Brent Siegel – Broken Sales Consulting & Business Advisory Services

© 2015 EastPay. All Rights Reserved


Respect · Teamwork · Passion · Integrity · Trust

Not-for-profit Regional Payments Association

Educational Programs

Member Benefits
– Voice & Representation in National Rule Making and Regulatory Process
– Toll Free Operational Assistance
– Discounts on Seminars, Publications, and Conferences
– Online Purchasing and Registration

– 9 ACH Accredited Professionals (AAP)
– 3 National Check Payments Professionals (NCP)
– 3 Certified NCP Instructors
– 2 Certified Treasury Professionals (CTP)
– 2 Certified Internal Auditors (CIA)
– 1 Certified Information Systems Auditor (CISA)


Disclaimer

This presentation and applicable materials are intended for general education purposes and nothing in this presentation should be considered to be legal, accounting or tax advice.

You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.


Agenda

– Recent Regulatory Guidance
– Regulator Expectations
– Due Diligence and Vendor Selection
– Six Things You Didn’t Ask Your Vendor
– Service Level Agreements
– Disaster Recovery/Incident Management
– Contract Negotiation & Scope
– Common Gaps
– Steps to Follow

OCC Bulletin 2013-29

First, the Third-Party Guidance’s title itself (replacing the word “Principles” with “Guidance”) closely aligns with the phrase “compliance with all applicable Legal Requirements and OCC supervisory guidance”, language frequently used in Cease and Desist Orders.

Second, the final section of the Third-Party Guidance, entitled Supervisory Reviews of Third-Party Relationships plainly states: “A bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.”

OCC Bulletin 2013-29 (cont’d)

Third, the Third-Party Guidance makes it clear that the OCC has the power to examine third-party vendors, and to charge the financial institution a special examination or investigation fee for the OCC’s examination of a third party on the bank’s behalf.

And finally, for community banks, the Third-Party Guidance makes it clear that regulatory expectations have increased. While OCC Bulletin 2001-47 stated: “community banks may be able to adopt this guidance in a less formal and systematic manner…”, that is not the case with 2013-29.


FDIC Financial Institution Letter-13-2014

– Effective practices for selecting a service provider.
– Tools to manage technology provider risk: Service Level Agreements (SLAs).
– Techniques for managing multiple service providers.

Regulator Expectations

1. Due Diligence & Vendor Selection
2. Monitoring
3. Ensure Vendors are Risk Ranked
4. Adherence to Service Level Agreements & Contract Provisions
5. Disaster Recovery & Incident Management
6. Contract Negotiation & Scope

Due Diligence & Vendor Selection

Due Diligence – Static and Dynamic Information

Static Requirements
– RFI
– RFP
– Strategic Alignment
– Financial Condition
– Audit
– Insurance
– BCP
– Licensed
– On-Site Meeting
– Controls
– Security Documentation: SOC, PenTest

Dynamic Requirements
– Credit Rating – Payment Activity
– Management Stability
– Compliance
– Financial Condition
– Contract Performance
– Staff Training
– Customer Complaints
– Risk Profile
– Monitoring

Six Things You Didn’t Ask Your Vendor

Finances: Mission Critical and Sound Practice
– Profitability, Stability, Mission Criticality
– Impact of a future event – can they withstand the shock?

Tell me you have customers just like me
– Give me your customer list – not just references

Management Departures
– CFO, Controller, Finance Executives

Six Things You Didn’t Ask Your Vendor (cont’d)

Fees and Agreements
– Upgrades contingent on ‘buying’ the new module/service

What was your worst customer experience
– Why, what did you do

Implementation Plan
– guarantee, warranty

Service Level Agreements

– Uptime Guarantee
– Specifics on SLA Coverage, Procedures, Escalation
– Severity Levels, Response & Resolution Time Commitments
– Notification of Changes To FI Environment
– Maintenance Windows & Release Notification
– Incident Monitoring
– Availability Standards, Monthly Reporting, Credits

Disaster Recovery & Incident Management

Licensed Software
– Does the license allow operation on additional equipment should primary equipment be down, or is a separate license required?

Hosted SaaS
– Primary & Backup Facility, all SOC certified?
– Proof of DR recovery exercise, checklist, timeline, results
– Transparency for incidents?

Contract Negotiation

– Audit rights, self-assessments, monthly compliance reviews, obtain vendor’s annual SOC report on its control compliance
– Service level agreements and financial penalties

Contract Scope

– Timeframe covered by the contract
– Frequency, format, and specifications of the service or product to be provided
– Other services to be provided by the third party, such as software support and maintenance, training of employees, and customer service

Contract Scope (cont’d)

– Requirement that the third party comply with all applicable laws, regulations, and regulatory guidance
– Authorization for the institution and the appropriate federal and state regulatory agency to have access to records of the third party as are necessary or appropriate to evaluate compliance with laws, rules, and regulations

Contract Scope (cont’d)

– Identification of which party will be responsible for delivering any required customer disclosures
– Insurance coverage to be maintained by the third party
– Terms relating to any use of bank premises, equipment, or employees

Contract Scope (cont’d)

– Permissibility/prohibition of the third party to subcontract or use another party to meet its obligations with respect to the contract, and any notice/approval requirements
– Authorization for the institution to monitor and periodically review the third party for compliance with its agreement
– Indemnification

Contracting with Vendors

Remember – Any material or significant contract with a third party should prohibit assignment, transfer or subcontracting by the third party of its obligations to another entity, unless and until the financial institution determines that such assignment, transfer, or subcontract would be consistent with the due diligence standards for selection of third parties.

– All contracts should state that the vendor is subject to regulatory review and allow for the financial institution to monitor the vendor.
  • Periodic reviews and audits
– Expectations and performance standards help to determine if the vendor is adequately performing services.
  • Termination of contract
– Who is responsible for what?
– Appropriate legal counsel should review higher risk contracts prior to execution.

COMMON GAPS IN VENDOR MANAGEMENT PROGRAM


Common Gaps in Vendor Management Program

– Lack of Board Approved Policy
– Limited Board of Directors involvement
– Lack of Risk Rating Vendors
– Inadequate Monitoring of SLAs
– SLAs have not been defined
– Limited ongoing monitoring
– Business continuity inadequate

Steps to Follow

Follow these steps to establish a safe and sound vendor management program.
– Step 1 - Ensure that proper internal risk analysis is performed and proper approval is obtained.
  • Strategic Plan
– Step 2 - Perform due diligence prior to contracting with a vendor.
– Step 3 - Ensure contracts are appropriate.
– Step 4 - Monitor performance of the vendor and the vendor’s compliance with contractual and regulatory requirements.
  • Perform ongoing due diligence at “appropriate intervals”.

Questions?


Contact The Presenters

Debbie – [email protected]
Paul – [email protected]
Pam – [email protected], x305
Brent – [email protected]