The Best Supporting Actor is… Your Third-Party Vendor!
Debbie Peace, AAP – ACH Alert
Paul Phillips, CFA – BankRegLaw
Pam Rodriguez, AAP, CIA, CISA – Payments Space Advisors
Brent Siegel – Broken Sales Consulting & Business Advisory Services
© 2015 EastPay. All Rights Reserved
[EastPay values graphic: Respect, Teamwork, Passion, Integrity, Trust]
About EastPay
Not-for-profit Regional Payments Association
Educational Programs
Member Benefits
– Voice & Representation in National Rule Making and Regulatory Process
– Toll Free Operational Assistance
– Discounts on Seminars, Publications, and Conferences
– Online Purchasing and Registration
Staff Credentials
– 9 ACH Accredited Professionals (AAP)
– 3 National Check Payments Professionals (NCP)
– 3 Certified NCP Instructors
– 2 Certified Treasury Professionals (CTP)
– 2 Certified Internal Auditors (CIA)
– 1 Certified Information Systems Auditor (CISA)
Disclaimer
This presentation and applicable materials are intended for general education purposes and nothing in this presentation should be considered to be legal, accounting or tax advice.
You should contact your own attorney, accountant or tax professional with any specific questions you might have related to this presentation that are of a legal, accounting or tax nature.
Agenda
Recent Regulatory Guidance
Regulator Expectations
Due Diligence and Vendor Selection
Six Things You Didn’t Ask Your Vendor
Service Level Agreements
Disaster Recovery/Incident Management
Contract Negotiation & Scope
Common Gaps
Steps to Follow
OCC Bulletin 2013-29
First, the Third-Party Guidance’s title itself (replacing the word “Principles” with “Guidance”) closely aligns with the phrase “compliance with all applicable Legal Requirements and OCC supervisory guidance”, language frequently used in Cease and Desist Orders.
Second, the final section of the Third-Party Guidance, entitled “Supervisory Reviews of Third-Party Relationships”, plainly states: “A bank’s failure to have an effective third-party risk management process that is commensurate with the level of risk, complexity of third-party relationships, and organizational structure of the bank may be an unsafe and unsound banking practice.”
OCC Bulletin 2013-29
Third, the Third-Party Guidance makes it clear that the OCC has the power to examine third-party vendors, and to charge the financial institution a special examination or investigation fee for the OCC’s examination of a third party on the bank’s behalf.
And finally, for community banks, the Third-Party Guidance makes it clear that regulatory expectations have increased. While OCC Bulletin 2001-47 stated that “community banks may be able to adopt this guidance in a less formal and systematic manner…”, that is not the case with 2013-29.
FDIC Financial Institution Letter FIL-13-2014
Effective practices for selecting a service provider.
Tools to manage technology provider risk: Service Level Agreements (SLAs).
Techniques for managing multiple service providers.
Regulator Expectations
1. Due Diligence & Vendor Selection
2. Monitoring
3. Ensure Vendors are Risk Ranked
4. Adherence to Service Level Agreements & Contract Provisions
5. Disaster Recovery & Incident Management
6. Contract Negotiation & Scope
Due Diligence & Vendor Selection
Due Diligence
– Static and Dynamic Information
Static Requirements
– RFI
– RFP
– Strategic Alignment
– Financial Condition
– Audit
– Insurance
– BCP
– Licensed
– On-Site Meeting
– Controls
– Security Documentation: SOC, PenTest
Dynamic Requirements
– Credit Rating – Payment Activity
– Management Stability
– Compliance
– Financial Condition
– Contract Performance
– Staff Training
– Customer Complaints
– Risk Profile
– Monitoring
Six Things You Didn’t Ask Your Vendor
Finances: Mission Critical and Sound Practice
– Profitability, Stability, Mission Criticality
– Impact of a future event – can they withstand the shock?
Tell me you have customers just like me
– Give me your customer list – not just references
Management Departures
– CFO, Controller, Finance Executives
Six Things You Didn’t Ask Your Vendor (cont’d)
Fees and Agreements
– Upgrades contingent on ‘buying’ the new module/service
What was your worst customer experience?
– Why, and what did you do?
Implementation Plan
– Guarantee, warranty
Service Level Agreements
Uptime Guarantee
Specifics on SLA Coverage, Procedures, Escalation
Severity Levels, Response & Resolution Time Commitments
Notification of Changes to FI Environment
Maintenance Windows & Release Notification
Incident Monitoring
Availability Standards, Monthly Reporting, Credits
Disaster Recovery & Incident Management
Licensed Software
– Does the license allow operation on additional equipment should primary equipment be down, or is a separate license required?
Hosted SaaS
– Primary & Backup Facility: are both SOC certified?
– Proof of DR recovery exercise: checklist, timeline, results
– Transparency for incidents?
Contract Negotiation
Audit rights, self-assessments, monthly compliance reviews, and obtaining the vendor’s annual SOC report on its control compliance
Service level agreements and financial penalties
Contract Scope
Timeframe covered by the contract
Frequency, format, and specifications of the service or product to be provided
Other services to be provided by the third party, such as software support and maintenance, training of employees, and customer service
Contract Scope (cont’d)
Requirement that the third party comply with all applicable laws, regulations, and regulatory guidance
Authorization for the institution and the appropriate federal and state regulatory agency to have such access to records of the third party as is necessary or appropriate to evaluate compliance with laws, rules, and regulations
Contract Scope (cont’d)
Identification of which party will be responsible for delivering any required customer disclosures
Insurance coverage to be maintained by the third party
Terms relating to any use of bank premises, equipment, or employees
Contract Scope (cont’d)
Permissibility/prohibition of the third party subcontracting or using another party to meet its obligations with respect to the contract, and any notice/approval requirements
Authorization for the institution to monitor and periodically review the third party for compliance with its agreement
Indemnification
Contracting with Vendors
Remember – Any material or significant contract with a third party should prohibit assignment, transfer or subcontracting by the third party of its obligations to another entity, unless and until the financial institution determines that such assignment, transfer, or subcontract would be consistent with the due diligence standards for selection of third parties.
– All contracts should state that the vendor is subject to regulatory review and allow for the financial institution to monitor the vendor.
• Periodic reviews and audits
– Expectations and performance standards help to determine if the vendor is adequately performing services.
• Termination of contract
– Who is responsible for what?
– Appropriate legal counsel should review higher-risk contracts prior to execution.
Common Gaps in Vendor Management Program
Lack of Board Approved Policy
Limited Board of Directors involvement
Lack of Risk Rating Vendors
Inadequate Monitoring of SLAs
SLAs have not been defined
Limited ongoing monitoring
Business continuity inadequate
Steps to Follow
Follow these steps to establish a safe and sound vendor management program.
– Step 1 - Ensure that proper internal risk analysis is performed and proper approval is obtained.
• Strategic Plan
– Step 2 - Perform due diligence prior to contracting with a vendor.
– Step 3 - Ensure contracts are appropriate.
– Step 4 - Monitor performance of the vendor and the vendor’s compliance with contractual and regulatory requirements.
• Perform ongoing due diligence at “appropriate intervals”.
Questions?
Contact The Presenters
Debbie Peace – 423-702-4380
Paul Phillips – 813-404-5517
Pam Rodriguez – 800-681-4224, x305
Brent Siegel – 612-850-6304