TRANSCRIPT
Putting the Management Back in Vendor Management
Panelists: Calvin Hagins, CFPB; Ken Markison, MBA; Jonathan McKernan, Wilmer Hale; Dan Mugge, CoreLogic
Moderator: Brian O’Reilly, The Collingwood Group, LLC
February 20, 2014
The New Landscape: Increasing Regulatory Scrutiny
• Vendor management practices have recently been subject to increased regulatory scrutiny.
• Banking regulators issued new guidance in 2012 and 2013.
• Recent enforcement actions have targeted vendor management deficiencies.
• Possible drivers of increased scrutiny:
  • Shift in supervisory focus to operational risks: operational risks increase when a vendor is involved in bank operations.
  • Evolving nature of outsourcing relationships: increased reliance on cloud computing and other technology service providers that present greater operational risks.
• Some areas of focus:
  • Data security
  • Consumer protection compliance
Regulatory Guidance
• OCC
  • OCC Bulletin 2013-29: Third-Party Relationships
  • OCC Bulletin 2002-16: Foreign-Based Third-Party Service Providers
• FDIC
  • FIL-44-2008: Guidance for Managing Third-Party Risk
  • FIL-50-2001: Bank Technology Bulletin: Technology Outsourcing Information Documents
• Federal Reserve
  • SR 13-19: Guidance on Managing Outsourcing Risk
  • SR 00-4 (SUP): Outsourcing of Information Technology and Transaction Processing
• CFPB
  • CFPB Bulletin 2012-03: Service Providers
Regulatory Guidance (cont.)
• FFIEC
  • IT Examination Booklet on the Supervision of Technology Service Providers (Oct. 2012)
    • Guidance for examiners and banks on supervising TSPs.
    • Uniform Rating System for Information Technology (URSIT).
  • Exam Booklet on Outsourcing Technology Services Risk (Jun. 2004)
  • Risk Management of Outsourced Technology Services (Nov. 2000)
  • Administrative Guidelines – Implementation of Interagency Programs for the Supervision of Technology Service Providers (Oct. 2012)
Enforcement Activity
• Several consent orders targeted alleged telemarketing sales tactics and/or billing issues by vendors involved in credit card add-ons.
  • Amex: $16.2 million in penalties, $59.9 million in customer redress.
  • JPMorgan: $60 million in penalties, $309 million in customer redress.
  • Discover: $14 million in penalties, $200 million in customer redress.
  • Capital One: $60 million in penalties, $150 million in customer redress.
• Amex 2012 consent orders targeted alleged deceptive and other unlawful credit card practices arising out of oversight of affiliated service providers.
  • $27.5 million in penalties and $85 million in customer redress.
• First Bank of Delaware consent order targeted alleged AML violations arising out of inadequate oversight of vendor payment processors.
  • $15 million in civil money penalties, $500,000 in customer redress, and loss of charter.
• Mortgage foreclosure orders
Mortgage Foreclosure Orders
• Consent orders with servicers targeted unsafe and unsound practices related to servicing and foreclosure processing.
• Many of the deficiencies in foreclosure processing were by vendors acting on behalf of the banks, in particular by foreclosure attorneys.
• Among other things, vendor management deficiencies included:
  • Insufficient policies and procedures governing the selection, management and termination of the law firms facilitating foreclosures;
  • Absence of formal contracts with the law firms;
  • Inadequate oversight of law firms; and
  • Failures to retain originals or copies of documents maintained by foreclosure attorneys.
• Regulators even took enforcement action directly against vendors – LPS and MERS – under the Bank Service Company Act.
General Regulatory Expectations
• Banking regulators generally expect that a bank will ensure that each vendor:
  • does not present a safety and soundness risk; and
  • complies with applicable law when acting on behalf of the bank.
• Vendor management is risk-based: a bank should take appropriate risk management steps to identify, assess, monitor and control vendor risks.
• Risk management steps include: (i) a risk assessment; (ii) due diligence; (iii) an appropriate vendor contract; (iv) monitoring of vendor’s performance and financial condition; and (v) contingency planning.
  • OCC also identifies several additional “phases” of the “continuous life cycle” that include “oversight and accountability,” “documentation and reporting” and “independent reviews.”
• No “one size fits all” approach: tailored to a vendor’s risk profile.
• Expectations apply not just to vendors, but to all third-party relationships.
  • Includes “other business arrangements where the bank has an ongoing relationship,” e.g. joint ventures and affiliate relationships. OCC Bulletin.
CFPB Requirements
CFPB Bulletin 2012-03 requires:
• Due diligence to verify service provider understands and is capable of complying with Federal consumer financial law;
• Requesting and reviewing service provider’s policies, procedures, internal controls, and training materials to ensure service provider conducts appropriate training and oversight of employees or agents having consumer contact or compliance responsibilities;
• Including in contract with service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices;
• Establishing internal controls and on-going monitoring to determine whether service provider is complying with Federal consumer financial law; and
• Taking prompt action to address fully any problems identified through monitoring process, including terminating relationship where appropriate.
The Paradigm Has Shifted
• CFPB regulated entities are expected to carry out consumer protection responsibilities including vendor management.
• The paradigm shifted for a variety of reasons.
Industry Challenges
Important consumer protection objectives of policy are understood but there are legitimate concerns. For all regulated entities, challenges include:
1. Uncertainty about expectations
   Which service providers are covered? Some are obvious? Independent entities?
2. Managing risks
   How much is enough? How much is too much?
3. Managing costs
   Due diligence, changes to practices, establishing controls, monitoring, etc. all have costs.
4. For independent mortgage bankers and many servicers, requirements for vendor management on this scale are new.
Direct Cost to Service ($/loan)*
[Bar chart: Prime Servicers and Specialty Servicers, 2007–2012; extracted data labels in order: 55 58 89 96 121 164 217 191 325 412 392 535]
Source: MBA’s Servicing Operations Study
* Excludes corporate administration costs, unreimbursed FC and REO costs, and compensatory fees. Fully loaded servicing operations costs were $312 per loan for prime servicers and $687 per loan for specialty servicers.
Managing Challenges
• Regulatory concerns beyond vendor management requirements make vendor control imperative
  • Servicing imperatives
  • RESPA tolerances and RESPA TILA integration
  • Data security issues
• Affiliations are one way to manage but QM points and fees calculation has made these difficult at least for “third party charges”
• Path:
  • Policies and procedures that guide due diligence – Compliance Essentials
  • New agreements
  • Monitoring and scrutiny
Vendor Risk Management
Presented by: Dan Mugge, Vice President, Technology Solutions, Asset Management & Processing Solutions
Vendor Risk Management Framework
First, it should be part of a larger Enterprise Governance, Risk and Compliance Program (Strategy, Governance, Risk, Compliance)…
Second, it should consider numerous risk types: Compliance, Reputational, Operational, Financial Stability, Information Security, Business Continuity, Others…
Third, it should be based on five main pillars:
1. Due Diligence & Vendor Selection
2. Risk Assessment
3. Contract Management
4. Monitoring and Oversight
5. Exit Plan
Ultimately the lender is responsible for compliance but remember that one size does not fit all…
Enterprise Governance, Risk & Compliance (GRC) Framework
(For each component: its purpose, then examples of artifacts)

Governance
  Purpose: Establishes corporate oversight and organizational strategy, goals, objectives, risk appetite, and compliance expectations
  Examples of artifacts:
  • Corporate Strategy, Goals, Objectives
  • Risk Appetite Statement
  • Enterprise Laws, Regs, Policies, Standards, Contracts

Enterprise Risk Management (ERM)
  Purpose: Identifies and assesses risks that, should they occur, may affect the ability of the organization to achieve its goals and objectives
  Examples of artifacts:
  • Enterprise Risk Assessment
  • ERM Process
  • Risk Scan Form and Process
  • Risk Action Plans

Compliance Management
  Purpose: Ensures organization operates in accordance with laws, regulations, industry standards, internal policies and processes, contracts and other commitments
  Examples of artifacts:
  • Annual Compliance Plan & Assessment
  • Compliance Process
  • Legal and Regulatory Inventory
  • Compliance reports

Issues Management
  Purpose: Provides formal mechanism for tracking, escalating, reporting and resolving all organizational issues (e.g., non-compliance, complaints, IT gaps, etc.)
  Examples of artifacts:
  • Issue Identification Form
  • Issues Management Process
  • Issues Reporting
You must have your house in order
Vendor Risk Management Program
(Old World Order vs. New World Order for each of the five pillars)

1. Due Diligence & Vendor Selection
   Old World Order: Price; Performance; Expertise
   New World Order: Consumer Impact; GRC Maturity; Policies & Procedures; Fiscal Health; Business Model; Lawsuits/Complaints; Training Programs
2. Contract Management
   Old World Order: Performance Penalties
   New World Order: Compliance Expectations; Enforceable Consequences
3. Risk Assessment
   Old World Order: Operational; Information Security; Business Resiliency
   New World Order: Consumer Risk; Compliance Risk; Financial Risk; Reputational Risk
4. Monitoring and Oversight
   Old World Order: Spend; Transactional Performance
   New World Order: Critical Quality Indicators; Key Risk Indicators; Key Performance Indicators; Corrective Action Plans
5. Exit Plan
   Old World Order: Loosely follow exit terms
   New World Order: Documented for critical vendors; Transfer phase identified

Third parties can provide staffing, services and expertise but do not assume ultimate responsibility for compliance
Pitfalls
• Inadequate understanding internally and externally of expectations
• Broader range of risks not considered
• Lack of expertise within the institution on what the vendor actually does
• Approaching without a continuous improvement mindset
• Accountability not clearly defined
• Lack of investment in mock or internal audits
• Training and communication not funded
• Information to support the program and survive an audit was not considered and/or defined
A holistic and sustainable approach can help identify and manage risk
Be Prepared: Check and Check Twice
COMPLIANCE
• What measurements are possible, practicable and meaningful?
• Are you effectively communicating expectations?
STRATEGY
• What is your supplier adoption strategy?
• Is there alignment to corporate strategies?
• Do you have exit strategies?
GOVERNANCE
• Do you have VRM policies and procedures?
• Are your contractual terms aligned to risks?
RISK
• Can you determine your vendor risk?
• Does your vendor have operational policies and procedures?
• Does your vendor have VRM policies and procedures?