NAVIGATING THE FINANCIAL CRIMES LANDSCAPE WITH AN EFFECTIVE VENDOR MANAGEMENT PROGRAM JANUARY 15, 2015

Navigate the Financial Crime Landscape with a Vendor Management Program



ABOUT PERFICIENT

Perficient is a leading information technology consulting firm serving clients throughout North America.

We help clients implement business-driven technology solutions that integrate business processes, improve worker productivity, increase customer loyalty and create a more agile enterprise to better respond to new business opportunities.


Global Delivery Centers/Offshore Delivery

Deep Financial Services Domain Expertise

Enterprise

Information Solutions

Finance

Enterprise Insights

Portal

Web Content

Social Solutions

SOA

Cloud

API Solutions

Company Wide Practices

Deep Financial Services Domain Expertise

BANKING: Wholesale, Consumer, Credit Unions, Payment Processing, Trust & Custody, Trade Services, Treasury Services

ASSET & WEALTH MANAGEMENT: Equities & Fixed Income, SMA & Wrap, Hedge Funds, OMS & EMS, Portfolio Modeling, Portfolio Accounting

CAPITAL MARKETS: Equities & Fixed Income, FX & Commodities, Future & Options, Electronic Trading

INSURANCE: Investments, Customer Acquisition, Property & Casualty, Life Annuities Services, Claims Evaluation, Underwriting, Consumer Direct

Solutions & Services: Business/Technology Solution Rationalization and Delivery; Business Process Improvement; Program Value, Quality and Cost Management; Client Centricity; Risk and Regulatory Compliance; Finance Transformation

INDUSTRY DRIVEN SOLUTIONS


ABOUT THE SPEAKER

Richard Brownstein, Director of Risk and Compliance, Perficient

Rich leads Risk and Compliance in Perficient’s Financial Services national practice. He has more than 20 years of experience working for and with large financial institutions in the areas of operational risk management, legal and compliance, IT governance, and project portfolio management. He has a deep understanding of industry challenges and best practices. Rich has a proven track record leading strategic business, product and technology initiatives to minimize risk and maximize effectiveness and efficiency for organizations.


WHAT WE WANT TO TALK ABOUT TODAY

• Introduction

• Financial Crimes on the Rise / Increased Regulatory Pressure

• Taking an Enterprise View of Risk

• Know Your Vendor – KYV

• Vendor Assessment


AML COMPLIANCE PENALTIES

Source: “AML & Sanctions Enforcement and the Price of Dirty Money” Infographic 2014


HIDDEN COSTS OF NONCOMPLIANCE*

*In 2014 alone…

$12.4 B in monetary fines as disclosed in trade publications.

Unknown Costs

Lost Business

Reputational Damage

Third-Party & Vendor Risks

Source: “AML & Sanctions Enforcement and the Price of Dirty Money” Infographic 2014


2015 RISK & COMPLIANCE CHALLENGES

Agencies and the self-regulatory organizations are continually revising and adopting new rules and regulations


GOALS OF FINANCIAL CRIME PREVENTION

Current Compliance Goals

• Meet regulatory requirements

• Prevent fraud losses

• Reduce false positives

• Manage reputational risk

• Streamline operations and reduce costs

New Compliance Goals

• Governance and enterprise view

• Integrated risk controls and framework

• Data quality and standards

• Risk intelligence

• Vendor risk management


AREAS CONTROLS SHOULD BE PUT IN PLACE

Electronic Communication Surveillance

Information Security

SEC Trade Surveillance

Rules Compliance

AML, KYC

Transaction Monitoring

PATRIOT ACT / CFT

Client Suitability / Broker Fraud

Sales Practice Abuse

Fraud Detection & Surveillance

Corruption / Collusion / Bribery

FACTA Identity Theft Prevention

Regulatory Red Flags

Regulatory Assessment and Review

Regulatory Impact Analysis


THE VAST LANDSCAPE OF FINANCIAL CRIMES

Financial crimes have been increasing at a disturbing rate causing increased scrutiny by regulatory bodies and greater due diligence applied by business risk officers.

Fraudsters are finding more ways to fund activities or profit by multifarious means both internally and externally.


ALTERNATE CHANNELS

New ways of gaining access to customer information have increased the ways of committing financial crimes

• Cross-channel and cross-product fraud

• Online banking and bill pay services

• Mobile banking

• Mobile payments

• Virtual currency

• Gift card theft and scams

• Email scams


INTERNAL THREATS

Internal Threats are on the rise

• Identity theft

• Embezzlement

• Fraud

• Bribery

• Gifts and entertainment

• Vendor relations

• Information security breaches


EXTERNAL THREATS

External threats continue to be on the rise as well, even with existing regulatory demands increasing

• Fraud

• Trading Violations

• Brokerage Fraud

• Client Suitability / Sales Practice Abuse

• AML / CFT – AML & Countering Funding for Terrorism

• OFAC / FinCEN Sanctions & BSA Requirements violations

• Mutual Fund Abuses

• Vendor Services SLA breaches / Vendor KYC / Data breaches

• FATCA – Foreign Account Tax Compliance Act

• FACTA – Fair and Accurate Credit Transaction Act

• Identity Theft


CURRENT AML/FRAUD DETECTION FUNCTIONS

Alert / Case Management

Regulatory Compliance

Risk Rating / Enhanced Due Diligence / CIP

Surveillance and Supervision

KYC / New Account Opening (NAO) / Client On-boarding

FRAUD SOURCE DETECTION FUNCTIONS

Broker Fraud Misrepresentation KYC Failures Employee Fraud – Internal Controls

Data Security Breaches Information Security Identity Theft

Integrated AML Compliance Program

• Identity verification

• Validate source of funds and product suitability

• Confirm no negative news, watch list and PEP

• Central and standardized Customer, LEI & Account data

• Cross enterprise activity view

• Review changes

• Vet activity against scenarios

• Extended customer behavior patterns detection

• Alert tuning to increase accurate/efficient detection

• Alert manager driven by alert type & research

• SLA and escalation

• Role based workflow

• Procedures and Training

• Reporting, logging, audit

• SAR investigation contents

• Regulatory review and audit coordination / Exception investigation

• CCO Governance & Control Standards

• AML & Sanction Policy & Procedure Manager

… evolving process and solutions to meet evolving Fraud, AML & Sanctions management objectives …


AREAS OF SYNERGY WITH EXISTING FRAMEWORK

Financial Crime and Compliance Technology Environment


ENTERPRISE VIEW OF RISK

The current regulatory climate is giving new meaning to the term ‘Governance’.

By focusing on compliance with individual regulations, banks and insurance companies risk developing a requirements-based, siloed, myopic approach and creating overlapping, uncoordinated bureaucracies (and cost centers) that deal with disparate regulations inconsistently.

“Governance takes a holistic, flexible, and forward-thinking approach that addresses all areas of the business to create value beyond mere compliance and minimize risk on an enterprise level.”

– CEB Towergroup


ENTERPRISE INTEGRATED RISK & COMPLIANCE

Definition: The ability to integrate All Risk Management and Compliance activities Enterprise-Wide.

• Driven from Policies

• 3 Lines of Defense / Front to Back

• Bottom-Up & Top-Down Risk Identification

• GRC Model

Business Process and Assurance

Operational Risk

Operations Risk Control

Validate & Remediate

Enterprise Integrated Compliance & Risk Mgmt.


POLL: How are you currently managing and identifying vendor risks?


VENDOR PRODUCT / SERVICES POTENTIAL RISK AREAS

Risk Control Self Assessments drive increased management awareness into strong controls, potential blind spots and key control issues


KYV TYPICALLY NOT INCLUDED IN SRM

DUE DILIGENCE ACTIVITY | SUPPLIER RISK MANAGEMENT | KYV

Assist or lead RFP / Proof of concept / Selection Process

Confirm financials and references

Negotiate MSA / Contract / Pricing

Ensure performance measures / SLAs are set: Ideally

Ensure SLAs are achieved: Rarely

Assure appropriate control entitlements and IT access

Validate Vendor Party ID

Perform upfront and ongoing Sanctions and Watch List monitoring

Perform Activity Monitoring

Screen Vendor Payments (A/P)


INHERENT RISK VS. RESIDUAL RISK

There are two ways to look at vendor risk:

Inherent Risk – The risk that activity would pose if no controls were in place

• What is the vendor doing for your company?

• How critical are they to your business?

• Where are they located?

• What data are they handling?

• What naturally occurring threats do they face?

Residual risk – The risk that remains after controls are taken into account

• Cybersecurity/data breaches/InfoSec

• IT Services/IT vendors

• Labor issues

• Bribery and corruption

• Fiduciary responsibility

• Vendor transaction monitoring


REGULATORY IMPLICATIONS FOR 3rd PARTY SERVICES

US Foreign Corrupt Practices Act:

• Offense to bribe public officials.

• Does not cover bribery on a private level.

• Only covers active bribery (the giving of a bribe).

• Companies subject to US jurisdiction can be held vicariously liable for acts of their employees and agents.

• Must be proved that the person offering the bribe did so with a “corrupt” intent.

• FCPA creates an exemption for facilitation payments.

UK Bribery Act

• Offense to bribe public officials.

• Covers bribery on a private level.

• Covers the giving (active) and taking (passive) of a bribe.

• Creates a strict liability corporate offence for failure to prevent bribery (no vicarious liability).

• No requirement for a “corrupt” or “improper” intent.

• The Bribery Act makes no such exception.


A COMBINED VIEW OF RISK

The convergence of Supplier Risk Management and Compliance in Vendor acceptance is key:

• Vendor Procurement/Supplier Risk Management to interface with Compliance and the business to conduct KYV and more in-depth due diligence

• Risk-rate new and existing vendors periodically to perform risk-based approach to support departmental functions…

• Support the departmental functions as well as protect the enterprise

Supplier Risk Mgmt. Office

Department

KYV


THIRD PARTY VENDOR RISKS CONSIDERATIONS

Several typical Financial Crimes could be sourced at the Third Party Vendor level.

Avoid potential risks and threats from vendor products and service providers by:

• Increasing Third Party Vendor Due Diligence during selection process

• Reviewing and updating Third Party Vendor Contracts

• Inspecting all Third Party Vendor Service Level Agreements (SLAs)

– Make sure all regulatory considerations have been covered

– Make sure Vendor financial viability is strong

– Evaluate Third Party Vendor business and data processes and controls

– Consider whether data location and access follow strict controls

– Require that vendors endure the same due diligence as customers and employees

• Financial, Reputational, and Legal Risks

– Information security for companies handling sensitive information

– Social responsibility and labor standards, especially in third‐world countries

– Bribery and corruption

– Financial stability of critical suppliers

– Geopolitical risks that threaten to disrupt business

Your comfort with the level of residual risk determines what you do next: continue the business relationship by working with the vendor to further reduce that risk, or sever the relationship and find an alternate supplier.


OCC SR 2013-29 RISK MANAGEMENT GUIDANCE

• Internal controls

– Adopt rigorous accounting policies, procedures and controls, including dual signoff

– Conduct due diligence on suppliers and vendors (special attention and possibly EDD on off-shore providers).

– Establish a system for monitoring transactions and developing review processes to ensure that transactions “fit the business” of the vendor.

• Regulatory guidance

– Adopt risk management processes commensurate with the level of risk and complexity of its third-party relationships.

• Ensure comprehensive risk management and oversight of third-party relationships involving critical activities.

• An effective risk management process throughout the life cycle of the relationship includes, but is not limited to:

– Planning

– Due diligence and third-party selection

– Contract negotiation

– Ongoing monitoring

– Termination

– Oversight and accountability

– Documentation and reporting

– Independent reviews


KYV DUE DILIGENCE: HOW WE CAN HELP

• Regulatory Compliance Program Management

• Vendor Assessments, Solution Rationalization & Project Roadmaps

• Risk & Controls Assessments

• Business Requirements

• Data Governance & Data Quality

• Testing & Validation

Our risk and compliance expertise, management consulting experience, reusable assets, and client track record in the industry enable us to deliver business value for firms leveraging existing sanctions platforms and evolve their culture of compliance through KYV processes and controls.


VENDOR SELECTION APPROACH

A rigorous approach to the Third Party Vendor Product or Service is focused around the concept of high-impact and fast-response, understanding broad requirements, identifying vendor landscape, due diligence and selection process. Perficient uses a packaged selection methodology and assets where applicable to accelerate the selection. The approach is flexible based on individual client requirements for vendor selection and is customized to establish a strong and low risk exposure selection.

The approach is modular and can be easily adapted to client-specific circumstances.

Phases: GATHER REQUIREMENTS | ANALYZE OFFERINGS | DEVELOP EVALUATION CRITERIA | SELECT SOFTWARE

Obtain Management Approval to Proceed

Conduct Management Interviews

Identify Unique Requirements

Review Existing Requirements Document

Develop Solution Architecture

Develop Product Information Request

Manage Project--Quality Assurance

Select Software Package

Finalize Hardware Requirements & Costs

Develop Implementation Plan

Organize Project/Research Software Options

Refine Scoring Methodology

Develop Demo Scripts

Check References

Facilitate Interactive Demos

Score PRI

Proof of Concept Test

KNOW-YOUR-VENDOR: Party Identification, Risk Rating, Enhanced Due Diligence


VENDOR SELECTION BASED ON KEY CRITERIA

Institutions are challenged in identifying their most suitable partners. The risk and compliance space requires a diligent yet efficient vendor assessment.

Short List of Vendors

Long List of Vendors

1. Vendor X

2. Vendor Y

3. Vendor Z

Vendor 1

Vendor 2

Vendor 3

Vendor 4

Prioritized Client Criteria: Functional Capabilities, Cost, Company/Client base, Technology

Number of Vendors

Complete Enhanced SRM & KYV

To RFP or Quick Selection


INTEGRATED RISK MANAGEMENT FRAMEWORK

FRAUD SOURCE DETECTION FUNCTIONS

Broker Fraud Misrepresentation KYC Failures Employee Fraud – Internal Controls

Data Security Breaches Information Security Identity Theft

Alert / Case Management

Surveillance and Supervision

Integrated AML Compliance Program

Regulatory Compliance

Risk Rating / Enhanced Due Diligence / CIP

KYC / New Account Opening (NAO) / Client On-boarding


2015 RISK & COMPLIANCE SERIES

How to Drive Value from Operational Risk Data

Thurs., January 29, 12:00 – 1:00 ET

Registration details will follow in post-webinar email communications or visit www.perficient.com.