
2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management


Page 1: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

The Best Supporting Actor is… Your Third-Party Vendor!

Debbie Peace, AAP ACH Alert

Paul Phillips, CFA BankRegLaw

Pam Rodriguez, AAP, CIA, CISA Payments Space Advisors

Brent Siegel Broken Sales Consulting & Business Advisory Services

© 2015 EastPay. All Rights Reserved

Page 2: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Respect, Teamwork, Passion, Integrity, Trust

Not-for-profit Regional Payments Association

Educational Programs

Member Benefits

– Voice & Representation in National Rule Making and Regulatory Process

– Toll Free Operational Assistance and

– Discounts on Seminars, Publications, and Conferences

Online Purchasing and Registration

9 ACH Accredited Professionals (AAP)

3 National Check Payments Professionals (NCP)

3 Certified NCP Instructors

2 Certified Treasury Professionals (CTP)

2 Certified Internal Auditors (CIA)

1 Certified Information Systems Auditor (CISA)


Page 3: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Disclaimer

This presentation and applicable materials are intended for general education purposes and nothing in this presentation should be considered to be legal, accounting or tax advice.

You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.

Image source: Thinkstock

Page 4: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Agenda

Recent Regulatory Guidance

Regulator Expectations

Due Diligence and Vendor Selection

Six Things You Didn’t Ask Your Vendor

Service Level Agreements

Disaster Recovery/Incident Management

Contract Negotiation & Scope

Common Gaps

Steps to Follow


Page 5: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

OCC Bulletin 2013-29

First, the Third-Party Guidance’s title itself (replacing the word “Principles” with “Guidance”) closely aligns with the phrase “compliance with all applicable Legal Requirements and OCC supervisory guidance”, language frequently used in Cease and Desist Orders.

Second, the final section of the Third-Party Guidance, entitled Supervisory Reviews of Third-Party Relationships plainly states: “A bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.”


Page 6: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

OCC Bulletin 2013-29

Third, the Third-Party Guidance makes it clear that the OCC has the power to examine third-party vendors, and to charge the financial institution a special examination or investigation fee for the OCC’s examination of a third party on the bank’s behalf.

And finally, for community banks, the Third-Party Guidance makes it clear that regulatory expectations have increased. While OCC Bulletin 2001-47 stated: “community banks may be able to adopt this guidance in a less formal and systematic manner…”, that is not the case with 2013-29.


Page 7: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

FDIC Financial Institution Letter-13-2014

Effective practices for selecting a service provider.

Tools to manage technology provider risk: Service Level Agreements (SLAs).

Techniques for managing multiple service providers.


Page 8: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Regulator Expectations

1. Due Diligence & Vendor Selection

2. Monitoring

3. Ensure Vendors are Risk Ranked

4. Adherence to Service Level Agreements & Contract Provisions

5. Disaster Recovery & Incident Management

6. Contract Negotiation & Scope


Page 9: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Due Diligence & Vendor Selection

Due Diligence

– Static and Dynamic Information


Static Requirements                  | Dynamic Requirements
-------------------------------------|----------------------------------
RFI                                  | Credit Rating – Payment Activity
RFP                                  | Management Stability
Strategic Alignment                  | Compliance
Financial Condition                  | Financial Condition
Audit                                | Contract Performance
Insurance                            | Staff Training
BCP                                  | Customer Complaints
Licensed                             | Risk Profile
On-Site Meeting                      | Monitoring
Controls                             |
Security Documentation: SOC, PenTest |

Page 10: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Six Things You Didn’t Ask Your Vendor

Finances: Mission Critical and Sound Practice

– Profitability, Stability, Mission Criticality

– Impact of a future event – can they withstand the shock?

Tell me you have customers just like me

– Give me your customer list – not just references

Management Departures

– CFO, Controller, Finance Executives


Page 11: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Six Things You Didn’t Ask Your Vendor

Fees and Agreements

– Upgrades contingent on ‘buying’ the new module/service

What was your worst customer experience?

– Why, and what did you do about it?

Implementation Plan

– Guarantee, warranty


Page 12: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Service Level Agreements

Uptime Guarantee

Specifics on SLA Coverage, Procedures, Escalation

Severity Levels, Response & Resolution Time Commitments

Notification of Changes To FI Environment

Maintenance Windows & Release Notification

Incident Monitoring

Availability Standards, Monthly Reporting, Credits


Page 13: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Disaster Recovery & Incident Management

Licensed Software

– Does the license allow operation on additional equipment should primary equipment be down, or is a separate license required?

Hosted SaaS

– Primary & Backup Facility, all SOC certified?

– Proof of DR recovery exercise, checklist, timeline, results

– Transparency for incidents?


Page 14: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Contract Negotiation

Audit rights, self assessments, monthly compliance reviews, obtain vendor’s annual SOC report on its control compliance

Service level agreements and financial penalties


Page 15: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Contract Scope

Timeframe covered by the contract

Frequency, format, and specifications of the service or product to be provided

Other services to be provided by the third party, such as software support and maintenance, training of employees, and customer service


Page 16: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Contract Scope (cont’d)

Requirement that the third party comply with all applicable laws, regulations, and regulatory guidance

Authorization for the institution and the appropriate federal and state regulatory agency to have access to records of the third party as are necessary or appropriate to evaluate compliance with laws, rules, and regulations


Page 17: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Contract Scope (cont’d)

Identification of which party will be responsible for delivering any required customer disclosures

Insurance coverage to be maintained by the third party

Terms relating to any use of bank premises, equipment, or employees


Page 18: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Contract Scope (cont’d)

Permissibility/prohibition of the third party to subcontract or use another party to meet its obligations with respect to the contract, and any notice/approval requirements

Authorization for the institution to monitor and periodically review the third party for compliance with its agreement

Indemnification


Page 19: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Contracting with Vendors

Remember – Any material or significant contract with a third party should prohibit assignment, transfer or subcontracting by the third party of its obligations to another entity, unless and until the financial institution determines that such assignment, transfer, or subcontract would be consistent with the due diligence standards for selection of third parties.

– All contracts should state that the vendor is subject to regulatory review and allow for the financial institution to monitor the vendor.

• Periodic reviews and audits

– Expectations and performance standards help to determine if the vendor is adequately performing services.

• Termination of contract

– Who is responsible for what?

– Appropriate legal counsel should review higher risk contracts prior to execution.


Page 20: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

COMMON GAPS IN VENDOR MANAGEMENT PROGRAM


Page 21: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Common Gaps in Vendor Management Program

Lack of Board Approved Policy

Limited Board of Directors involvement

Lack of Risk Rating Vendors

Inadequate Monitoring of SLAs

SLAs have not been defined

Limited ongoing monitoring

Business continuity inadequate


Page 22: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Steps to Follow

Follow these steps to establish a safe and sound vendor management program.

– Step 1 - Ensure that proper internal risk analysis is performed, proper approval is obtained.

• Strategic Plan

– Step 2 - Perform due diligence prior to contracting with a vendor.

– Step 3 - Ensure contracts are appropriate.

– Step 4 - Monitor performance of the vendor and vendor’s compliance with contractual and regulatory requirements.

• Perform ongoing due diligence at “appropriate intervals”.


Page 23: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Questions?


Page 24: 2015 EastPay Info Exchange - Best Supporting Actor is Vendor Management

Contact The Presenters

Debbie Peace

[email protected]

423-702-4380

Paul Phillips

[email protected]

813-404-5517

Pam Rodriguez

[email protected]

800-681-4224, x305

Brent Siegel

[email protected]

612-850-6304
