
Outsourcing & Vendor Management. Fiduciary & Investment Risk Management Association, 21st National Training Conference, April 18, 2007. Frederick Yorke,


Outsourcing & Vendor Management

Fiduciary & Investment Risk Management Association

21st National Training Conference
April 18, 2007

Frederick Yorke, III
Member, Citigroup Trust Fiduciary Advisory Counsel


Our Agenda

• A brief history of outsourcing
• The current regulatory environment
• Remote vendor management
• Performing an on-site vendor review
• Some points to ponder


Early Trust Accounting

• Hand posted records
• Machine posted records
• Electronic data processing
• In-house hardware and software
• Service bureau contracts


Custody of Trust Assets

• Physical securities – by account and “FOSBI”
• FRB “book entry”, DTC and de-securitization
• Use of correspondent banks
• Holding companies and consolidation of trust departments
• Stand-alone trust companies


Investment Management

• In-house investment management
• Use of asset managers from other departments
• Purchase of investment management services
• Purchase of I/M services for specialized assets


Tax and Other Servicing

• Purchasing tax servicing
• Use of tax experts from elsewhere in the institution
• Other services:
– Managing real property
– Appraising real estate or closely-held companies
– Managing other specialized assets
• Pricing of specialized services


“Private Labeling” Trust Services

• The bundling of trust services
• Advent of SEI Investments (Trust Company) & similar institutions
• Deciding what services to retain in-house:
– Sales and marketing
– Front-office processing
– Middle-office coordination
– Back-office operations
• Particular concerns regarding sharing of client privacy and sharing of client information (see Sarbanes-Oxley, GLBA, USA PATRIOT Act and so forth)


Holding Companies and Use of Affiliates

• The FRB’s parts 23A and 23B
• Pricing of services and measuring profitability
• Proper MIS and risk management
• Cross-selling products and services
• “Arm’s Length Transactions”


Recent Regulatory Developments

SR 00-4 (SUP) from the Federal Reserve
– Outsourcing of Information and Transaction Processing
– Specifically addresses trust activities
– Footnotes incorporate Fed, FFIEC and other earlier guidance, including parts 23A & B and SAS 70 reports

OCC Bulletin 2001-35
– Examination procedures focused on client privacy
– Attachment A, part IV details oversight of service providers

OCC Bulletin 2001-47
– Risk Management of Third Party relationships
– Supplements, but doesn’t replace, previous guidance


OCC Bulletin 2001-47: Areas of Concern

• The bulletin lists four areas of particular concern reflecting a chronological order
– A risk assessment to identify the bank’s needs and requirements,
– Proper due diligence to identify and select the third party provider,
– Written contracts that outline duties, obligations and responsibilities of the parties involved, and
– Ongoing oversight of the third parties and their activities


OCC Bulletin 2001-47: An Aside

Obviously, the bulletin anticipates that the institution starts at the beginning, i.e. first, a decision is made to outsource a product, then a vendor is selected and so on

However, more often than not, the outsourcing has already occurred, the vendor is in place and now we must establish a program


Most Recent Regulatory Developments Impacting Vendor Management

OTS Thrift Bulletin TB 82 (03/18/2003)
– Reminder of certain notification requirements
– Notes a need for a termination provision
– Rescinding of TB-46, “Contracting for Data Processing Services or Systems”
(A comprehensive list of references is attached)

OTS Thrift Bulletin TB 82a (09/01/2004)
– Replaces TB 82, but not
– Clarifies definition of “significant” contracts
– Clarifies responsibilities of boards of directors and management
– Modifies notification requirement when contracting with foreign service providers


OTS Thrift Bulletin 82 & 82a: Key Issues

Does not replace CEO Memo #133, “Risk Management of Technology Outsourcing” dated 12/13/2000 [later replaced by CEO Memo #201 dated 07/15/2004] or TB-81, “Interagency Policy Statement on the Internal Audit Function and its Outsourcing” dated 03/17/2003; but leverages off those documents and expands the concept to cover other types of third party arrangements

Provides guidance re risk management on third party arrangements, whether with affiliates or non-affiliates

Advises that safety and soundness examiners will review internal controls and management of third party arrangements and will request appropriate corrective action as needed


OCC Position regarding Key Risks

Risks Associated with Most Third-Party Relationships
– Strategic Risk
– Reputation Risk
– Compliance Risk
– Transaction Risk
– Credit Risk


OCC Position - Further Risks

Depending on the circumstances, third-party relationships may also subject the bank to:
– Liquidity risk
– Interest rate risk
– Price risk
– Foreign currency translation risk
– Country risk (when dealing with a foreign based service provider)


Key Components for establishing a Vendor Management Program

• Drafting and maintaining an effective contract
– Periodic updating
• Relying on or supplementing the SAS 70 Report
– Recent expansion of the “Report”
• Establishing service level conditions & escalation procedures
• Creating, receiving and using MIS reports
• Issues relating to the use of affiliates


Creating, Receiving and Using MIS Reports

• Meeting regulatory or other minimum requirements
– FFIEC minimum standards for trust accounting systems
– SEC minimum standards for transfer agency functions
– Standards set by the contracting parties
• Frequency of reports
– Daily, weekly, monthly or quarterly
– Hard-copy, electronic, other
– Receipt in a timely manner


Creating, Receiving and Using MIS Reports - Continued

• Using the MIS Reports
– Getting the reports to the right people
– Providing feedback to the service provider
– Modifying the reports as necessary


Vendor Management Tools

• Most institutions use a questionnaire or checklist during vendor review
• Typical names of these documents include:
– Vendor qualification questionnaire
– Environmental control questionnaire
– Outsourcing evaluation
– On-site vendor review


Implementing an Effective Management Program

• Pre-implementation Due Diligence
• Performing the Annual Review
  • General Information
  • Facility Security
  • Human Resources
  • Industry Trends
  • Accounting
  • Compliance
  • Use of Third Parties
  • Disaster Recovery / Continuity of Business
  • Information Technology
• Reporting, Follow-up & Ongoing Monitoring


Points to Ponder

• Examiners, auditors and others will be looking to see how pro-active we are relative to vendor selection and management
– Selecting a vendor
  • Cost/benefit analysis
  • Documentation
– Managing the vendor
  • Frequency of contact
  • Condition of files
– Arrangements with affiliates
  • Sections 23A and 23B
  • Disclosure


Points to Ponder

• Making the decision to perform an “on-site” vendor management review
– The nature of the service provided
  • Data processing
  • Custody of assets
  • Tax preparation
– The nature of the service provider
  • Another bank
  • A non-bank firm
  • An affiliate
– Dealing with affiliates
  • Relying on their auditors, compliance people and risk managers