TRANSCRIPT
The Best Supporting Actor is… Your Third-Party Vendor!
Debbie Peace, AAP – ACH Alert
Paul Phillips, CFA – BankRegLaw
Pam Rodriguez, AAP, CIA, CISA – Payments Space Advisors
Brent Siegel – Broken Sales Consulting & Business Advisory Services
© 2015 EastPay. All Rights Reserved
Respect, Teamwork, Passion, Integrity, Trust
Not-for-profit Regional Payments Association
Educational Programs
Member Benefits
– Voice & Representation in National Rule Making and Regulatory Process
– Toll Free Operational Assistance
– Discounts on Seminars, Publications, and Conferences
– Online Purchasing and Registration
9 ACH Accredited Professionals (AAP)
3 National Check Payments Professionals (NCP)
3 Certified NCP Instructors
2 Certified Treasury Professionals (CTP)
2 Certified Internal Auditors (CIA)
1 Certified Information Systems Auditor (CISA)
Disclaimer
This presentation and applicable materials are intended for general education purposes and nothing in this presentation should be considered to be legal, accounting or tax advice.
You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.
Image source: Thinkstock
Agenda
– Recent Regulatory Guidance
– Regulator Expectations
– Due Diligence and Vendor Selection
– Six Things You Didn’t Ask Your Vendor
– Service Level Agreements
– Disaster Recovery/Incident Management
– Contract Negotiation & Scope
– Common Gaps
– Steps to Follow
OCC Bulletin 2013-29
First, the Third-Party Guidance’s title itself (replacing the word “Principles” with “Guidance”) closely aligns with the phrase “compliance with all applicable Legal Requirements and OCC supervisory guidance”, language frequently used in Cease and Desist Orders.
Second, the final section of the Third-Party Guidance, entitled Supervisory Reviews of Third-Party Relationships plainly states: “A bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.”
OCC Bulletin 2013-29
Third, the Third-Party Guidance makes it clear that the OCC has the power to examine third-party vendors, and to charge the financial institution a special examination or investigation fee for the OCC’s examination of a third party on the bank’s behalf.
And finally, for community banks, the Third-Party Guidance makes it clear that regulatory expectations have increased. While OCC Bulletin 2001-47 stated: “community banks may be able to adopt this guidance in a less formal and systematic manner…”, that is not the case with 2013-29.
FDIC Financial Institution Letter-13-2014
– Effective practices for selecting a service provider.
– Tools to manage technology provider risk: Service Level Agreements (SLAs).
– Techniques for managing multiple service providers.
Regulator Expectations
1. Due Diligence & Vendor Selection
2. Monitoring
3. Ensure Vendors are Risk Ranked
4. Adherence to Service Level Agreements & Contract Provisions
5. Disaster Recovery & Incident Management
6. Contract Negotiation & Scope
Due Diligence & Vendor Selection
Due Diligence – Static and Dynamic Information
Static Requirements:
– RFI
– RFP
– Strategic Alignment
– Financial Condition
– Audit
– Insurance
– BCP
– Licensed
– On-Site Meeting
– Controls
– Security Documentation: SOC, PenTest

Dynamic Requirements:
– Credit Rating – Payment Activity
– Management Stability
– Compliance
– Financial Condition
– Contract Performance
– Staff Training
– Customer Complaints
– Risk Profile
– Monitoring
Six Things You Didn’t Ask Your Vendor
Finances: Mission Critical and Sound Practice
– Profitability, Stability, Mission Criticality
– Impact of a future event – can they withstand the shock?
Tell me you have customers just like me
– Give me your customer list – not just references
Management Departures
– CFO, Controller, Finance Executives
Six Things You Didn’t Ask Your Vendor
Fees and Agreements
– Upgrades contingent on ‘buying’ the new module/service
What was your worst customer experience
– Why, what did you do
Implementation Plan
– Guarantee, warranty
Service Level Agreements
– Uptime Guarantee
– Specifics on SLA Coverage, Procedures, Escalation
– Severity Levels, Response & Resolution Time Commitments
– Notification of Changes to FI Environment
– Maintenance Windows & Release Notification
– Incident Monitoring
– Availability Standards, Monthly Reporting, Credits
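The SLA terms listed above (uptime guarantee, severity-based response and resolution commitments, maintenance windows, monthly reporting and credits) only protect the institution if someone actually checks the vendor against them each month, which the “Inadequate Monitoring of SLAs” gap later in this deck is about. The following Python script is an added example, not part of the presentation or any vendor’s tooling: it reads a constructed month of incident tickets, computes unplanned availability with announced maintenance windows excluded, flags response and resolution breaches per severity, and looks up the credit tier. The SLA thresholds, credit tiers, ticket records and maintenance window are all hypothetical values chosen for illustration.

```python
"""Monthly SLA adherence check over vendor incident tickets.

Added example with constructed data: the SLA terms, credit tiers,
maintenance window and ticket records below are hypothetical.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical contract terms (assumed, not from any real SLA).
SLA = {
    "availability_pct": 99.9,                     # monthly uptime guarantee
    # (minimum availability %, credit % of monthly fee), checked top-down
    "credit_tiers": [(99.9, 0), (99.0, 10), (95.0, 25), (0.0, 50)],
    "response_min": {"S1": 15, "S2": 60, "S3": 240},      # minutes to acknowledge
    "resolution_min": {"S1": 240, "S2": 480, "S3": 2880},  # minutes to resolve
}

FMT = "%Y-%m-%d %H:%M"
PERIOD_START = datetime(2015, 10, 1)      # reporting month (constructed)
PERIOD_END = datetime(2015, 11, 1)
# Announced maintenance window; assumed non-overlapping with other windows.
MAINTENANCE = [(datetime(2015, 10, 4, 2, 0), datetime(2015, 10, 4, 4, 0))]

# Constructed ticket export: id, severity, opened, acknowledged, resolved, impact
SAMPLE_TICKETS = """
# ticket,severity,opened,acknowledged,resolved,impact
T-101,S1,2015-10-04 02:30,2015-10-04 02:40,2015-10-04 03:30,outage
T-102,S1,2015-10-12 09:00,2015-10-12 09:30,2015-10-12 12:00,outage
T-103,S2,2015-10-20 14:00,2015-10-20 14:20,2015-10-21 00:00,degraded
T-104,S3,2015-10-25 10:00,2015-10-25 11:00,2015-10-26 10:00,outage
"""


@dataclass
class Ticket:
    ticket: str
    severity: str
    opened: datetime
    acknowledged: datetime
    resolved: datetime
    impact: str  # "outage" counts against availability, "degraded" does not


def parse_tickets(text: str) -> list:
    """Parse the comma-separated ticket export, skipping comments and blanks."""
    tickets = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        tid, sev, opened, ack, res, impact = [f.strip() for f in line.split(",")]
        tickets.append(Ticket(tid, sev, datetime.strptime(opened, FMT),
                              datetime.strptime(ack, FMT),
                              datetime.strptime(res, FMT), impact))
    return tickets


def _minutes(delta: timedelta) -> float:
    return delta.total_seconds() / 60


def unplanned_outage_minutes(tickets: list, maintenance_windows: list) -> float:
    """Sum outage minutes, subtracting any part inside an announced window."""
    total = 0.0
    for t in tickets:
        if t.impact != "outage":
            continue
        downtime = _minutes(t.resolved - t.opened)
        for mw_start, mw_end in maintenance_windows:
            overlap = min(t.resolved, mw_end) - max(t.opened, mw_start)
            if overlap > timedelta(0):
                downtime -= _minutes(overlap)
        total += max(downtime, 0.0)
    return total


def availability_pct(tickets: list, start: datetime, end: datetime,
                     maintenance_windows: list) -> float:
    """Unplanned availability over the period, as a percentage (2 decimals)."""
    period = _minutes(end - start)
    down = unplanned_outage_minutes(tickets, maintenance_windows)
    return round(100.0 * (period - down) / period, 2)


def credit_pct(availability: float) -> int:
    """Credit owed for the month, from the first tier the availability meets."""
    for threshold, credit in SLA["credit_tiers"]:
        if availability >= threshold:
            return credit
    return SLA["credit_tiers"][-1][1]


def response_breaches(tickets: list) -> list:
    """(ticket, 'response'|'resolution', minutes) for every missed commitment."""
    breaches = []
    for t in tickets:
        resp = _minutes(t.acknowledged - t.opened)
        resol = _minutes(t.resolved - t.opened)
        if resp > SLA["response_min"][t.severity]:
            breaches.append((t.ticket, "response", resp))
        if resol > SLA["resolution_min"][t.severity]:
            breaches.append((t.ticket, "resolution", resol))
    return breaches


def monthly_report(text: str = SAMPLE_TICKETS) -> dict:
    """Everything a vendor-management reviewer needs for the monthly SLA review."""
    tickets = parse_tickets(text)
    avail = availability_pct(tickets, PERIOD_START, PERIOD_END, MAINTENANCE)
    return {"availability_pct": avail,
            "meets_guarantee": avail >= SLA["availability_pct"],
            "credit_pct": credit_pct(avail),
            "breaches": response_breaches(tickets)}


if __name__ == "__main__":
    for key, value in monthly_report().items():
        print(f"{key}: {value}")
```

The report separates the two questions a contract review needs answered: whether the vendor met the availability standard (and what credit is owed if not), and which individual tickets missed their severity-based response or resolution commitment, since a vendor can hit the uptime number while still routinely ignoring the escalation timelines.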
Disaster Recovery & Incident Management
Licensed Software
– Does the license allow operation on additional equipment should primary equipment be down, or is a separate license required?
Hosted SaaS
– Primary & Backup Facility, all SOC certified?
– Proof of DR recovery exercise, checklist, timeline, results
– Transparency for incidents?
Contract Negotiation
– Audit rights, self-assessments, monthly compliance reviews, obtain vendor’s annual SOC report on its control compliance
– Service level agreements and financial penalties
Contract Scope
– Timeframe covered by the contract
– Frequency, format, and specifications of the service or product to be provided
– Other services to be provided by the third party, such as software support and maintenance, training of employees, and customer service
Contract Scope (cont’d)
– Requirement that the third party comply with all applicable laws, regulations, and regulatory guidance
– Authorization for the institution and the appropriate federal and state regulatory agency to have access to records of the third party as are necessary or appropriate to evaluate compliance with laws, rules, and regulations
Contract Scope (cont’d)
– Identification of which party will be responsible for delivering any required customer disclosures
– Insurance coverage to be maintained by the third party
– Terms relating to any use of bank premises, equipment, or employees
Contract Scope (cont’d)
– Permissibility/prohibition of the third party to subcontract or use another party to meet its obligations with respect to the contract, and any notice/approval requirements
– Authorization for the institution to monitor and periodically review the third party for compliance with its agreement
– Indemnification
Contracting with Vendors
Remember
– Any material or significant contract with a third party should prohibit assignment, transfer or subcontracting by the third party of its obligations to another entity, unless and until the financial institution determines that such assignment, transfer, or subcontract would be consistent with the due diligence standards for selection of third parties.
– All contracts should state that the vendor is subject to regulatory review and allow for the financial institution to monitor the vendor.
• Periodic reviews and audits
– Expectations and performance standards help to determine if the vendor is adequately performing services.
• Termination of contract
– Who is responsible for what?
– Appropriate legal counsel should review higher risk contracts prior to execution.
Common Gaps in Vendor Management Program
– Lack of Board Approved Policy
– Limited Board of Directors involvement
– Lack of Risk Rating Vendors
– Inadequate Monitoring of SLAs
– SLAs have not been defined
– Limited ongoing monitoring
– Business continuity inadequate
Steps to Follow
Follow these steps to establish a safe and sound vendor management program.
– Step 1 - Ensure that proper internal risk analysis is performed and proper approval is obtained.
• Strategic Plan
– Step 2 - Perform due diligence prior to contracting with a vendor.
– Step 3 - Ensure contracts are appropriate.
– Step 4 - Monitor performance of the vendor and the vendor’s compliance with contractual and regulatory requirements.
• Perform ongoing due diligence at “appropriate intervals”.
Contact The Presenters
Debbie – [email protected]
Paul – [email protected]
Pam – [email protected], x305
Brent – [email protected]