BSA/AML Regulatory Update and Vendor Management for Financial Institutions
2018 Stevens & Lee/Griffin Banking Institute
Frank A. Mayer, III, Chair, Financial Services Regulatory and Enforcement Group, Stevens & Lee
Richard M. Berman, Shareholder, Stevens & Lee
Stephanie R. Hager, Associate, Stevens & Lee


Page 1: BSA/AML Regulatory Update and Vendor Management for Financial Institutions

Frank A. Mayer, III, Chair, Financial Services Regulatory and Enforcement Group, Stevens & Lee

Richard M. Berman, Shareholder, Stevens & Lee

Stephanie R. Hager, Associate, Stevens & Lee

2018 Stevens & Lee/Griffin Banking Institute

Page 2

Agenda

A. Bank Secrecy Act (“BSA”) / Anti-Money Laundering (“AML”)

I. Customer Due Diligence Rule
II. Transaction Monitoring
III. Proposed Regulatory Expansion
IV. Other Hot Topics in BSA/AML
V. BSA/AML Enforcement Trends
VI. Federal and State Enforcement Matters

B. Vendor Management – Financial Institutions

I. Selecting a Vendor
II. Negotiating the Contract
III. Security Breaches/Incident Reporting
IV. Business Continuity/Disaster Recovery
V. Sub-contracting
VI. Service Levels
VII. Additional Notices to FI

Page 3

A. BANK SECRECY ACT / ANTI-MONEY LAUNDERING REGULATORY UPDATE

Page 4

I. Customer Due Diligence – Beneficial Ownership Rule

May 11, 2018 Applicability Date. The Federal Financial Institutions Examination Council (“FFIEC”) released examination procedures covering the Bank Secrecy Act Customer Due Diligence Beneficial Ownership Rule (“CDD Rule”). The CDD Rule requires covered financial institutions (“FIs”) to verify the beneficial owners of legal entity customers.

• The CDD Rule requires FIs to obtain and verify the identities of natural persons who own or control legal entity customers.

• In essence, the CDD Rule requires covered financial institutions to “find the beating heart” in each legal entity customer account.


Page 5

CDD Rule: Check for a PULSE

How can you find the “beating heart” of your corporate client? Check for a PULSE:

• P – Procedures
• U – Uncover Beneficial Owners
• L – Legal Entities
• S – Services Sought
• E – Exclusions and Exemptions

Page 6

CDD Rule: Procedures

The CDD Rule adds a fifth pillar to FinCEN’s core AML program requirements:

• Internal Controls
• Independent Testing
• Designated Compliance Official
• Employee Training
• Ongoing Customer Due Diligence

An FI’s AML procedures must be reasonably designed to identify and verify the beneficial owners of each legal entity customer at the time of account opening unless an exclusion or exemption applies to the customer or the account.

Covered FIs must implement and maintain appropriate written risk-based procedures for conducting ongoing customer due diligence.

Page 7

CDD Rule: Uncover Beneficial Owners

Covered institutions must (1) identify beneficial owners and (2) verify the identity of each beneficial owner and at least one “control” person.

• Ownership test: Identify each individual who, directly or indirectly, owns 25% or more of the equity interests of the entity
• Control test: Identify at least one person with significant responsibility to control, manage or direct the entity
• Identify Beneficial Owners at the time the account is opened or upon certain triggering events

[Diagram: Legal Entity, with an Ownership branch showing four “25% Owner” boxes and a Control branch]

At a minimum, verification procedures must contain elements currently existing in the customer identification program, including collecting information directly from the entity and confirming its accuracy.

Page 8

CDD Rule: Legal Entities

Beneficial ownership identification only applies to “legal entity customers.” Subject to exclusions, “Legal Entity Customers” include:

• Corporations
• LLCs
• Partnerships
• Statutory Trusts
• Entities created by public filing
• Similar foreign legal entities

“Legal entity customers” do not include: sole proprietorships, unincorporated associations, estate planning trusts, natural persons.

Page 9

CDD Rule: Services Sought

New Accounts

• The Rule requires FIs to obtain beneficial ownership information on “new accounts.”
• The Rule defines a “new account” as each account opened at a covered financial institution by a legal entity customer on or after May 11, 2018.

Multiple Accounts

• An institution that has already obtained a Certification may rely on that information to fulfill the beneficial ownership requirement for subsequent accounts, provided:
  (i) the customer certifies or confirms (verbally or in writing) that such information is up-to-date and accurate at the time each subsequent new account is opened; and
  (ii) the financial institution has no knowledge of facts that would reasonably call into question the reliability of such information.

Page 10

CDD Rule: Services Sought (cont’d)

Other Triggering Events

• Covered FIs do not have an obligation to solicit or update beneficial ownership information as a matter of course during regular or periodic reviews, absent specific risk-based concerns.
• The obligation to obtain or update beneficial ownership information on Legal Entity Customers is triggered when:
  (1) The FI becomes aware of information about the customer during the course of normal monitoring;
  (2) The information is relevant to assessing or reassessing the risk posed by the customer; and
  (3) Such information indicates a possible change of beneficial ownership.

Page 11

CDD Rule: Services Sought (cont’d)

Risk-Based Assessment

• Covered FIs may choose to implement stricter written internal policies and procedures for the collection and verification of beneficial ownership information than the requirements prescribed by the Rule.
• There may be circumstances where a financial institution may determine that collection and verification of beneficial ownership information at a lower threshold than the mandatory 25% level is warranted, based on the financial institution’s own assessment of its risk relating to its customer.
• Consider your institution’s assessment of the risk relating to the customer. For instance:
  • Large loan
  • Newly-formed entity
  • Complex ownership structure

Page 12

CDD Rule: Exclusions & Exemptions

CDD Procedures should determine whether an exclusion or exemption applies to either: (1) type of legal entity customer, or (2) type of customer account.

Legal Entity Exclusions:

• Sole proprietorships
• Unincorporated institutions
• Estate planning trusts
• Natural persons

Legal Entity Exemptions:

• Publicly-traded US Companies
• Regulated Financial Institutions
• US non-bank entities >51% owned by listed company
• Department or agency of the US
• Registered investment advisors

Customer Account Exemptions:

• Point-of-sale credit for purchase of retail goods, up to $50,000
• Accounts to finance leased equipment for which payments are remitted directly to the vendor/lessor
• Accounts to finance insurance premiums for which payments are remitted directly to the broker
• Rollovers, renewals, modifications or extensions of certain accounts

Page 13

CDD Rule: Recent Exceptive Relief

Announced September 7, 2018. FinCEN has granted exceptive relief such that financial institutions will not be required to identify and verify the identity of customers which roll over or renew certain accounts:

• Rollover of a certificate of deposit;
• Loan renewal, modification, or extension that does not require underwriting review and approval;
• Renewal, modification, or extension of a commercial line of credit or credit card account that does not require underwriting review and approval; and
• Renewal of a safe deposit box rental.

Page 14

CDD Rule: FDIC Examination Procedures

1. CDD Examination Procedures: The regulatory exam seeks to determine whether the FI collects appropriate information sufficient to understand the nature and purpose of the customer relationship and effectively incorporates customer information, including beneficial ownership information for legal entity customers, into the customer risk profile:

• Appropriate written risk-based procedures for conducting ongoing CDD
• Effective process to develop customer risk profiles and to identify suspicious transactions
• CDD policies and procedures are in line with the BSA/AML risk profile
• Policies and procedures contain clear management and staff responsibilities
• Policies and procedures identify higher risk customers
• Analysis for high risk customers, including when it is appropriate to obtain additional information
• Customer and beneficial ownership information is used to meet regulatory requirements, including identifying suspicious activity and private banking accounts

Page 15

CDD Rule: FDIC Examination Procedures

2. Beneficial Ownership Examination Procedures: The regulatory exam seeks to determine whether the FI has adequate written procedures for gathering and verifying information required to be obtained and retained:

• Written procedures for collecting and verifying information about legal entity customers
• Risk-based procedures for updating and maintaining customer information, including beneficial owner information

Testing includes reviewing the process and procedures the FI has used to:

• Open the account
• Obtain identifying information for each beneficial owner of a legal entity customer (e.g. name, date of birth, address, and identification number)
• Verify identities of beneficial owners
• Resolve situations in which beneficial owners could not be reasonably identified
• Maintain records
• File SARs as appropriate

Page 16

II. Transaction Monitoring

1. FinCEN: Corrupt Foreign Political Figures. Announced June 12, 2018.

• FinCEN issued an advisory on financial activities of corrupt foreign political figures and their involvement in human rights abuses. The advisory includes a list of 14 red flags for which U.S. financial institutions should be alert.
• Financial activities of corrupt foreign political figures can include:
  • Misappropriation of state assets
  • Use of shell companies
  • Corruption in the real estate sector

Page 17

Corrupt Foreign Political Figures: Red Flags

• Use of third parties when it is not normal business practice
• Use of third parties when it appears to shield the identity of a politically exposed person (“PEP”)
• Use of family members or close associates as legal owners
• Use of corporate vehicles (legal entities and legal arrangements) to obscure (i) ownership, (ii) involved industries, or (iii) countries
• Declarations of information that are inconsistent with other information, such as publicly available information
• Seeking to use the services of a financial institution that would normally not cater to foreign or high-value clients
• Repeatedly moving funds to and from countries to which the PEP does not appear to have ties
• PEP has substantial authority over or access to state assets and funds, policies and operations

Page 18

Corrupt Foreign Political Figures: Red Flags (cont’d)

• PEP has an ownership interest in or otherwise controls the financial institution that is a counterparty or correspondent in a transaction
• Transactions involving government contracts directed to companies operating in an unrelated line of business
• Transactions involving government contracts originating with, or directed to, shell corporations, general “trading companies,” or companies without a general business purpose
• Transaction documents involving government contracts charging substantially higher prices than market rates
• Payments involving government contracts originating from third parties that are not official government entities; and
• Transactions involving property or assets expropriated by corrupt regimes, including individual senior foreign officials or their cronies

Page 19

Corrupt Foreign Political Figures: Due Diligence

• FIs should establish risk-based controls and procedures that include reasonable steps to ascertain the status of an individual as a foreign PEP and to conduct scrutiny of assets held by such individuals
• FIs should assess the risk for laundering of the proceeds of public corruption associated with particular customers, products and services, countries, industries and transactions
• Enhanced due diligence obligations for private banking accounts:
  • In addition to these general risk-based due diligence obligations, U.S. FIs have regulatory obligations to implement a due diligence program for private banking accounts held for non-U.S. persons that is designed to detect and report any known or suspected money laundering or other suspicious activity
  • This program must be designed to identify any such account owned by, or on behalf of, a senior foreign political figure, and financial institutions are required to apply enhanced scrutiny to such accounts reasonably designed to detect and report transactions that may involve the proceeds of foreign corruption

Page 20

III. Proposed Regulatory Expansion

1. FinCEN Improvement Act of 2018. Passed by the U.S. House of Representatives September 12, 2018.

• A bipartisan bill that, if enacted, would expand the role of FinCEN:
  i. FinCEN’s mandate currently only covers "international terrorism," but the bill broadens this to cover “terrorism.”
  ii. The bill specifies that FinCEN should work with tribal law enforcement agencies, in addition to the federal, state, local, and foreign enforcement agencies with which it currently works.
  iii. The bill adds that FinCEN's data collection and analysis efforts should include cryptocurrency, or, in the words of the bill, "matters involving emerging technologies or value that substitutes for currency."

Page 21

IV. Other Hot Topics in BSA/AML

1. CIP Rule: Recent Exemption Relief. Announced September 27, 2018.

• The OCC, Federal Reserve, FDIC and NCUA, with FinCEN’s concurrence, granted an exemption from customer identification program rules for loans extended by banks and their subsidiaries to commercial customers to facilitate purchases of property and casualty insurance policies

• “Premium finance loans” provide short-term financing to businesses to facilitate their purchases of property and casualty (“P&C”) insurance policies

• Commercial customers include businesses organized as corporations, partnerships, sole proprietorships and trusts

• The exemption does not apply to life insurance policies, annuity contracts or any other insurance product with features of cash value or investment


Page 22

BSA/AML Hot Topics (cont’d)

2. FinCEN Updates to Suspicious Activity Report (“SAR”) Form. Announced January 26, 2018.

• New/Modified types (and subtypes) of suspicious activities
  • New “Cyber event” suspicious activity type category
  • New/Modified subtype selections associated with the following categories of suspicious activities: Structuring, Fraud, Gaming activities (formerly labeled “Casinos”), Money laundering, Identification/Documentation, Other suspicious activities, Securities/Futures/Options, and Mortgage fraud
• IP Address: Date and Timestamp
• New Cyber Event Indicators
  • New category of fields to record up to 99 cyber events associated with the suspicious activity

Page 23

BSA/AML Hot Topics (cont’d)

2a. Reporting Cyber Events

• At a minimum, an institution’s response program should contain:
  • Procedures for: (i) assessing the nature and scope of an incident; (ii) identifying the customer information systems that have been accessed; and (iii) identifying the types of customer information that have been accessed;
  • Initial notification to the primary regulator of a security incident involving unauthorized access to sensitive customer information;
  • Consistent with SAR regulations, timely filing of a SAR;
  • Appropriate steps to contain and control the incident to prevent further unauthorized use; and
  • Procedures for notifying customers when warranted.

Page 24

V. BSA/AML Enforcement Actions

1. Risk management and BSA/AML Compliance Weaknesses

• US Bank, NA (February 2018)
  • Deficiencies included the bank’s failure to adopt and implement a compliance program that adequately covered the required BSA/AML program elements because of an inadequate system of internal controls, ineffective independent testing, and inadequate training
  • Penalties: OCC, $75 million civil penalty; FinCEN: $185 million civil penalty; US Attorney S.D.N.Y.: prosecution of a criminal complaint deferred for 2 years and bank to forfeit $528 million less OCC penalty; the Fed: $15 million penalty on parent bank holding company

2. SARs Related Failures

• Wells Fargo Advisors LLC (November 2017)
  • $3.5 million civil penalty based on failure to timely file SARs, particularly regarding continuing suspicious activity in international accounts. AML program managers misinformed the firm’s SAR investigators as to legal requirements

Page 25

VI. Federal and State Enforcement Matters

1. Federal Agency Statements on Enforcement Actions

a. FFIEC agencies’ policy statement regarding notice, announced June 12, 2018
  • An agency considering a formal enforcement action against a regulated company will provide prior notice to any other agency with an interest in the matter and, if two or more agencies are considering such an action, they should coordinate their activities from beginning to end

b. Interagency statement on supervisory guidance, announced September 11, 2018
  • Supervisory guidance is not a basis for enforcement actions because it does not have the force of law

Page 26

Enforcement Matters (cont’d)

2. Regulatory Changes to Asset Thresholds

a. Interim rule jointly adopted by the Fed, OCC, and FDIC, announced August 23, 2018
  • The asset threshold to qualify for the 18-month schedule has been raised to cover institutions with less than $3 billion, up from the previous < $1 billion
  • More FIs will be eligible for on-site examinations every 18 months rather than every 12 months

b. Expanded applicability of the Fed’s small bank holding company policy statement, announced August 23, 2018
  • Increases the asset threshold to $3 billion from the previous $1 billion
  • The amendment also applies the policy statement to savings and loan holding companies

Page 27

Enforcement Matters (cont’d)

3. Changes to Regulatory Capital Treatment for High Volatility Commercial Real Estate (“HVCRE”) Exposures, announced September 18, 2018.

• Loans made before January 1, 2015 are exempt from HVCRE classification

• Loans to improve existing income producing properties are not HVCRE loans if the property’s income sufficiently supports debt service and property expenses consistent with the lender’s criteria for permanent financing

• Current appraised property values may be used in calculating whether the borrower’s contributed capital amount meets (or falls outside) the criteria for HVCRE classification

• Capital generated by the property can be used and withdrawn if the property is generating income sufficient to satisfy the debt service

• Lenders can reclassify loans as non-HVCRE, before the loan is converted to permanent financing, when: (i) construction is substantially completed; and (ii) the property’s cash flow sufficiently supports debt service and property expenses consistent with the lender’s permanent financing underwriting criteria

Page 28

Enforcement Matters (cont’d)

4. Economic Growth, Regulatory Relief, and Consumer Protection Act

a. National bank powers for savings and loan associations. Proposed rule announced September 10, 2018.
  • The OCC is proposing a rule that would allow smaller savings and loan associations to operate with national bank powers. The rule, which is required by the EGRRCPA, would apply to all thrifts with assets that do not exceed $20 billion.

b. Municipal Obligations. Announced August 22, 2018.
  • Bank regulatory agencies are required to treat a municipal obligation as a level 2B liquid asset if the obligation, as of the calculation date, is liquid and readily-marketable and investment grade. The rule, which is required by the EGRRCPA, makes changes to the liquidity coverage ratio rules of the OCC, FDIC and the Fed.

Page 29

Enforcement Matters (cont’d)

5. Community Reinvestment Act

• Announced June 15, 2018. OCC bulletin to "clarify" its Community Reinvestment Act supervision policy and evaluation process
• Announced August 15, 2018. OCC bulletin addresses how evidence of credit discrimination or other illegal lending practices will affect a bank’s Community Reinvestment Act ratings in the future
• Announced August 28, 2018. The OCC has published an advanced notice of proposed rulemaking to begin the process of revising its CRA regulation with the goals of enhancing banks’ ability to provide credit and investment where needed, improving the review and rating process, and reducing reporting and regulatory burden

Page 30

B. VENDOR MANAGEMENT – FINANCIAL INSTITUTIONS

Page 31

I. Selecting a Vendor

Not all third-party relationships present the same level of risk.

Five phase lifecycle of third-party relationships:

1. Planning
2. Due Diligence and Third-Party Selection
3. Contract Negotiations
4. Monitoring
5. Termination/Contingency Planning

Determine the Risk → Adjust Risk Management Practices:

• Compliance Risk
• Reputation Risk
• Operational Risk
• Transaction Risk
• Credit Risk

The goal is for the FI’s risk management practices to be commensurate with the level of risk and complexity of the third-party relationship.

*Reminder: Assessments should be periodically updated.

Page 32

Selecting a Vendor (cont’d)

Assessing the risks associated with the third-party relationship:

• Compliance risks, such as violations of laws, rules, or regulations or noncompliance with policies or procedures
• Reputation risks, such as dissatisfied customers or violations of laws or regulations that lead to public enforcement actions
• Operational risks, such as losses from failed processes or systems or losses of data that result in privacy issues
• Transaction risks, such as problems with service or delivery
• Credit risks, such as the inability of a third party to meet its contractual obligations

Remember that the FI may be ultimately responsible for the actions of the Vendor.

Page 33

Selecting a Vendor: Initial Communications

1. Requests for Proposals (RFP)
   • The FI outlines its business objectives and technical requirements and solicits a response that describes how the Vendor will provide the service(s) and at what cost
2. Requests for Information (RFI)
   • Targeted at obtaining specific information about technical solutions that are available
3. Requests for Quote (RFQ)
   • Targeted at obtaining prices charged for a particular service

Remember to implement a confidentiality agreement that prohibits the Vendor from disclosing any information shared by the FI.

Page 34

Selecting a Vendor: Evaluating the Vendor

Technical Expertise
• Compatibility/co-ordination of outsourced service with existing services
• Functionality of proposed service
• Type of technology used and how it can be updated and upgraded

Operating Controls & Risk Management
• On-site visit results
• Risk management program
• Service Organization Control (“SOC”) Reports
• Information Security program and infrastructure
• Business Continuity; back-up systems for data recovery
• Physical security; incident reporting and incident management systems

Compliance Function
• Legal and regulatory compliance

Financial
• Obtain financial statements during due diligence (and then at least annually during term)
• Insurance
• Initial cost, recurring fees, fee structures, fee increases

Management
• Business experience and reputation
• Assess principals of Vendor
• Lawsuits/customer complaints against the Vendor and/or its principals
• Sub-contractors
• Vendor strategies and goals aligned with FI

Page 35

II. Negotiating the Contract

1. Basic Terms – Nature and Scope of Arrangements
2. Data Security
3. Confidentiality
4. Information Management/Reports
5. Audit Issues/Regulator Oversight
6. Compliance with Applicable Laws and Regulations
7. Location of Services/Data
8. Fees
9. Default, Termination and Transition
10. Subcontracting/Assignment
11. License and Ownership Issues
12. Business Continuity/Disaster Recovery
13. Service Level Agreements
14. Insurance
15. Disputes
16. Liability Limits
17. Customer Complaints

Page 36

Negotiating the Contract (cont’d)

1. Don’t forget the basics:

• Party names
• Addresses
• Authority
  • Confirm authorization levels
• Dates
• Exhibits
• Term
• Nature and scope of services
• Reporting obligations
• Billing procedures
• General boilerplate
  • Such as Governing Law, Jurisdiction, Arbitration, etc.

Page 37

Negotiating the Contract (cont’d)

2. Privacy Concerns/Data Security

Security Policy
• FI should have a security policy with which Vendors must comply – especially those that will physically access the FI’s premises

Data retention
• Certain data needs to be retained for a certain number of years based on various laws

Data ownership
• Clearly spell out which party owns what data
• FI owns FI data and Vendor is not permitted to use it for any other purpose besides providing the services

Vendor should be required to:
• Comply with all laws relating to data privacy, personal data, transfer of information, data flow, and data protection
• Implement procedures and policies to ensure compliance with such laws

Vendor’s information security management program
• Vendor should have an information security management program and should provide FI with details of such program, and FI should be able to audit such system

Page 38

Negotiating the Contract (cont’d)

3. Confidentiality Concerns

• Define Vendor’s obligations to protect the FI’s information in compliance with applicable laws and regulations (e.g., GLBA, HIPAA)
• Prohibit unauthorized disclosure to third parties or to employees that are not on a “need-to-know” basis
• Limit the use of confidential information to the scope of the services to be provided and to the term of the contract

Page 39

Negotiating the Contract (cont’d)

4. Audit Issues

• FI should generally reserve the right to audit the Vendor’s performance and include provisions for receiving independent audits (e.g., Financial, SSAE 18, SOC 1, SOC 2, etc.)
• Address remediation when issues are identified
• Include provisions to permit FI’s regulator to have access to examine/audit Vendor

Page 40

Negotiating the Contract (cont’d)

5. Compliance with Applicable Laws and Regulations

Require Vendor to comply with laws and regulations applicable to Vendor’s performance, such as:

• GLBA
• BSA/AML
• OFAC
• Fair Lending
• Consumer protection laws and regulations

Page 41

Negotiating the Contract (cont’d)

6. Location of Services/Data

Identify location(s) where Vendor will provide the services
• It is important that all data resides on servers in the U.S. and that the Vendor obtain the FI’s consent before data is moved. Special consideration is required if data may be accessed or is stored outside of the U.S. in order to protect the privacy of customers and the confidentiality of bank records, given U.S. law and the foreign jurisdiction's legal and regulatory environment.

Consider requiring FI’s consent for changes in service location(s), particularly if FI’s customer information is involved

Identify what equipment is required and who is responsible for it
• e.g., facilities access, office services, technology, computers, employees, etc.

Page 42

Negotiating the Contract (cont’d)

7. Term

If possible, the term for all services under the same Vendor should run concurrently
• Concurrent terms smooth termination and transition issues

Consider whether automatic renewals (“evergreen clauses”) are appropriate or if the parties should have to consent to renew

Consider the length of time needed for notices prior to the end of the current term
• e.g., notice of price increase, notice of non-renewal
• Should notice periods be uneven between the FI and the Vendor? (FI may need more time as it may need to find a new vendor)

Page 43

Negotiating the Contract (cont’d)

8. Termination

Termination for Convenience

• FI should be able to terminate without any reason with notice to the Vendor. FI may have to pay an agreed upon reasonable termination fee (“Liquidated Damages”)

Automatic termination

• Breach of confidentiality, bankruptcy, violation of law/regulation, if a regulator directs termination


Page 44

Negotiating the Contract (cont’d)

9. Transition Services

Define the Vendor’s obligations to facilitate the transition of the services back to the FI or to another vendor, including a transition period where the Vendor still provides the services even after the termination

• The requirement to provide transition services should apply regardless of which party caused the reason for the termination or if terminated for convenience

If possible, negotiate a price at the start of the relationship

• Vendor’s “then-current” or “standard” rates may be unreasonably high


Page 45

Negotiating the Contract (cont’d)

10. Assignment

Address limitations on a party’s right to assign the contract without the other party’s prior written consent

• In particular, as a result of a merger/acquisition

11. Liability Issues

Address scope and limits of liability

• Strategy with examiners


Page 46

III. Security Breaches/Incident Reporting

Define “Security Breach”
• Security breach should be defined to include unauthorized access, disclosure, or misuse of FI data or information that can be used to access FI data.

Define Vendor’s Duties:
• to promptly notify the FI upon a breach;
• to investigate, remediate, and mitigate the effects of the breach at its expense and to provide FI with assistance and information in its mitigation efforts; and
• to revise its information security management system and its data safeguards from time to time in accordance with industry practices and inform FI of such revisions as part of the services, unless such a change would prevent the Vendor from meeting its obligations under the contract or compromise the confidentiality or security of FI’s information and data.

Define Joint Obligations
• The contract should define the joint obligations and responsibilities of the parties with respect to incidents involving intrusions or other security breaches.

Page 47

IV. Business Continuity/Disaster Recovery

• The contract should define or reference the Vendor’s business continuity and disaster recovery plan, which should describe the Vendor’s capabilities and obligations
• If possible, the plan should be subject to the FI’s reasonable approval
• The Vendor should be able to continue delivery of the services in the event of a disaster or other service interruption affecting a location from where the services are provided
• Prompt notice of an incident should be provided to FI
• A force majeure event should not excuse Vendor from performing the business continuity/disaster recovery services
• If the Vendor can no longer continue providing services because of the disaster, then the contract should provide that the Vendor, in these cases, would provide transition services for the FI to set up with a new Vendor
• The contract should require that the disaster recovery procedures be tested periodically and include obligations for Vendor to correct any failures identified during testing within a defined timeframe and re-test as necessary to ensure such failures have been corrected

Page 48

V. Sub-contracting

• The FI needs to understand how much leverage it actually has with the particular Vendor and the nature of the services, and address subcontracting issues accordingly
• Depending on the type of Vendor, sub-contracting may or may not be permitted
• Consider subjecting sub-contracting (major/critical subcontractors) to FI’s approval, including when an existing sub-contractor is changed
• FI and FI’s regulators need to have access to the Vendor and its subcontractors
• Vendors must remain liable for the actions/omissions of their sub-contractors
• Sub-contractors must be required to comply with the agreement between the FI and the Vendor, especially with the provisions relating to service levels, confidentiality, business continuity and disaster recovery

Page 49

VI. Service Levels

• Should be in support of FI’s business goals, as determined at the start of the relationship
• Should not encourage undesirable behaviors such as speed without regard for accuracy
• Service level definitions and targets can be measured a number of ways, including percentage of down-time or an error rate per matters processed
• Effort should be made to develop a measurement which is easily calculated

Page 50

Service Levels (cont’d)

• The contract should be specific about the processes and tools used to measure and collect data for the service level measurements

• Vendor should have reporting obligations regarding service levels and attempts to cure defects/issues

• Industry standards may provide a reference point, but for unique activities there may be no standards, in which case the FI and Vendor should agree on appropriate measures

• Performance reports should not only address performance levels but also what steps the Vendor has taken to cure any reported defects

• In certain cases, contract may provide for Vendors to perform a root cause analysis for incidents and service level failures and to remediate those deficiencies that are uncovered by the root cause analysis


Page 51

Service Levels (cont’d)

• Uptime Calculator: https://uptime.is/
• 99.9% seems like plenty, but it equals:
  • Daily: 1m 26.4s
  • Weekly: 10m 4.8s
  • Monthly: 43m 49.7s
  • Yearly: 8h 45m 57.0s
• Compared to 99.99%:
  • Daily: 8.6s
  • Weekly: 1m 0.5s
  • Monthly: 4m 23.0s
  • Yearly: 52m 35.7s
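The figures above are just an availability percentage applied to a calendar period, and the same arithmetic is what an FI needs when it checks a Vendor's performance report against the contracted target. The following is an added example, not part of the presentation and not code from Stevens & Lee/Griffin or uptime.is: it reproduces the downtime budgets quoted above (the quoted values match a mean Gregorian year of 365.2425 days with a month taken as one twelfth of that, which the example assumes), then measures achieved availability from a constructed outage log for one month and applies a constructed service-credit schedule. The outage log, the credit tiers and the 99.9% target are all assumptions made for the example.

```python
from datetime import datetime

# Calendar assumption (labelled): the slide's figures match a mean Gregorian
# year of 365.2425 days, with a month taken as one twelfth of that year.
SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365.2425
PERIOD_SECONDS = {
    "daily": SECONDS_PER_DAY,
    "weekly": 7 * SECONDS_PER_DAY,
    "monthly": DAYS_PER_YEAR / 12 * SECONDS_PER_DAY,
    "yearly": DAYS_PER_YEAR * SECONDS_PER_DAY,
}


def downtime_budget(availability_pct):
    """Seconds of permitted downtime per period at the given availability %."""
    unavailable = 1.0 - availability_pct / 100.0
    return {period: secs * unavailable for period, secs in PERIOD_SECONDS.items()}


def fmt_duration(seconds):
    """Render seconds in the slide's 'Xh Ym Z.Zs' style, omitting leading zero units."""
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    parts = []
    if hours >= 1:
        parts.append(f"{int(hours)}h")
    if hours >= 1 or minutes >= 1:
        parts.append(f"{int(minutes)}m")
    parts.append(f"{secs:.1f}s")
    return " ".join(parts)


def budget_table(availability_pct):
    """Formatted downtime budget, e.g. {'daily': '1m 26.4s', ...}."""
    return {p: fmt_duration(s) for p, s in downtime_budget(availability_pct).items()}


def _merge(intervals):
    """Merge overlapping or touching (start, end) intervals so that two
    tickets opened for the same outage are not double-counted."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def measured_availability(outages, window_start, window_end):
    """Achieved availability (%) over a measurement window, from a list of
    (begin, finish) ISO-8601 strings; outages are clipped to the window."""
    total = (window_end - window_start).total_seconds()
    clipped = []
    for begin, finish in outages:
        a = max(datetime.fromisoformat(begin), window_start)
        b = min(datetime.fromisoformat(finish), window_end)
        if b > a:
            clipped.append((a, b))
    down = sum((b - a).total_seconds() for a, b in _merge(clipped))
    return 100.0 * (1.0 - down / total)


# Constructed credit schedule (assumption, not from the presentation):
# (availability floor %, credit as % of the monthly fee), highest floor first.
CREDIT_TIERS = [(99.5, 5), (99.0, 10), (0.0, 25)]


def service_credit(achieved_pct, target_pct=99.9):
    """Credit owed for the month: nothing if the target is met, otherwise
    the credit of the first tier whose floor the achieved figure still clears."""
    if achieved_pct >= target_pct:
        return 0
    for floor, credit in CREDIT_TIERS:
        if achieved_pct >= floor:
            return credit
    return CREDIT_TIERS[-1][1]


# Constructed outage log for March 2018 (31 days); not real incident data.
OUTAGES = [
    ("2018-03-04T02:10:00", "2018-03-04T02:31:00"),  # 21 minutes
    ("2018-03-19T14:00:00", "2018-03-19T14:40:00"),  # 40 minutes
]
MARCH_START = datetime(2018, 3, 1)
APRIL_START = datetime(2018, 4, 1)  # exclusive end of the measurement window


def march_report(target_pct=99.9):
    """Achieved availability for the constructed month and the resulting credit."""
    achieved = measured_availability(OUTAGES, MARCH_START, APRIL_START)
    return {"achieved_pct": round(achieved, 4),
            "credit_pct": service_credit(achieved, target_pct)}


if __name__ == "__main__":
    for level in (99.9, 99.99):
        print(f"{level}% availability permits:", budget_table(level))
    print("March 2018 (constructed log):", march_report())
```

Two short outages totalling 61 minutes are enough to breach a 99.9% monthly target (the budget for a 31-day month is about 44.6 minutes), which is the point the slide makes with "seems like plenty". The merge step matters for the reporting obligations discussed earlier: if the Vendor's tooling logs one incident under several tickets, a naive sum overstates downtime, and if it logs a long outage as several short ones the reverse problem appears, so the contract's definition of how downtime is measured should settle which way the data is counted.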


Page 52

Service Levels (cont’d)

• Vendor should be required to both respond to the issue and fix it, with varying times for each depending on the level of the service issue

• Include service level credits as a possible remedy, with termination as an option for:
  • Repeated issues with service
  • More serious issues with service (e.g., total shutdown of the system)

Page 53

VII. Additional Notices to FI

Consider provisions requiring Vendor to notify the FI of the following issues:

• Commencement of material litigation, enforcement actions or other regulatory, administrative or judicial actions adverse to Vendor, including but not limited to a criminal or regulatory proceeding or investigation with Vendor (or its principals) as a subject

• Notices of violation or noncompliance in connection with any laws applicable to the services or Vendor

• Mergers, acquisitions, joint ventures, divestitures, outsourcing or other business activities or strategy change planned by Vendor


Page 54

DISCUSSION

2018 Stevens & Lee/Griffin. All rights reserved. No part of this document may be reproduced, transmitted or otherwise distributed in any form or by any means, electronic or mechanical, including by photocopying, facsimile transmission, recording, rekeying, or using any information storage and retrieval system, without written permission from Stevens & Lee/Griffin. Any reproduction, transmission or distribution of this form or any of the material herein is prohibited and is in violation of law.