
Vendor Management

Vendor Matchmaking
1. Determining the bank's needs and wants.
2. Searching for a vendor to fill that need or want.
3. Request for Proposals
4. Selecting a vendor
5. Contract negotiations
6. Implementation
7. Monitor performance
8. Review the relationship
9. Renew/terminate

Lifecycle: https://www.occ.gov/news-issuances/bulletins/2013/bulletin-2013-29.html (OCC Bulletin 2013-29, Third-Party Relationships: Risk Management Guidance)

Vendor Management starts at the beginning, when you are determining your needs and wants. Compliance needs to be involved from the get-go. Due diligence begins with a clear understanding of what you need, what you want, and the compliance risk associated with those endeavors.

Control. Whenever you engage a third party to service your clients, your bank loses some control of the client relationship. Third-party providers may introduce new risks or increase existing risks. It is critical that you ensure all third parties comply with all applicable laws and regulations.

Risky Business
- Overreliance on the vendor
- Lack of understanding of what the vendor does
- Failure to monitor
- Unclear expectations

Operational Risks. Third-party relationships increase operational risk because the bank may not have direct control of the activity being performed by the third party. Third-party relationships that result in concentrations (many critical activities placed with a single provider) can further increase operational risk.

Compliance Risks. Compliance risk arises when third-party systems, products, or services are not consistent with laws, regulations, or bank policies and procedures. These risks increase if the bank's oversight program does not include audit or control features.

Reputation Risk. Reputation risk arises when third-party systems do not meet the expectations of the bank's customers. These risks increase when the bank offers products and services actually originated by third parties as its own.

Strategic Risks. Strategic risk arises if the bank uses third parties to conduct banking functions or offer products and services that are not compatible with the bank's strategic goals, cannot be properly monitored or managed by the bank, or do not provide an adequate return on investment. Strategic risk can also arise when the bank does not use a third party when it is prudent to do so.

Credit Risk. Credit risk may arise when third parties market or originate certain types of loans on the bank's behalf that were not appropriately monitored by the bank, resulting in low-quality receivables and loans. Credit risk may also arise from poor customer service, account management, or collection activities.

Risk Assessment: Large/Complex Vendors vs. Small/Lesser-Used Vendors. Prioritizing vendor management. Examples:
- Level 1 Risk: Critical to the bank's operations and with access to confidential customer information, e.g., your core processor, remote deposit capture vendor, internet banking vendor.
- Level 2 Risk: Access to confidential or critical use-only data, e.g., outsourced audit functions.
- Level 3 Risk: Not critical to operations and no authorized access to confidential information, e.g., cleaning people, shred company.

Needs and Wants
- What do you need vs. what you want or would like to have?
- What are the risks associated with this particular activity? Compliance risks, financial risks, reputational risks, operational risks.
- Do we have anyone who fully understands this type of activity?
- Can we do this in house?
- What are the costs of implementing and monitoring the activity?
- What are the benefits?

Who can help us? Identifying vendors
- Do they understand your business?
- What is their reputation?
- Are they financially sound?
- Lawsuits and disputes?
- Are they accessible and responsive?
- How long have they been around?
- Are they going to be there long term?

Due Diligence and Selection: factors to evaluate
- Strategies and goals
- Legal and regulatory compliance
- Financial condition
- Business experience and reputation
- Fee structure and incentives
- Qualifications, backgrounds, and reputations of principals
- Risk management
- Information security
- Management of information systems
- Resilience
- Incident reporting and management programs
- Physical security
- Human resource management
- Reliance on subcontractors
- Insurance coverage
- Conflicting contractual arrangements with other parties

Choosing a Partner. What are the most important factors? Price, reputation, quality, scope, compliance, familiarity, experience, security.

Quantify it. Each factor carries a weight (the maximum points available); each vendor is scored out of that weight, and the totals are compared.

Factor                 Weight   Vendor #1   Vendor #2   Vendor #3
Price                    50        30          50          24
Information Security     10        10           5          10
Technical Ability         8.5       8.5         6           6
Compliance                7.5       8           5           5
Support                   3         3           1           2
Risk Management           4         4           2.5         3
Resilience                5         5           3           4
Incident Response         5         4           5           4
Insurance Coverage        3         3           1           2
Financial Condition       4         4           1           3
Total (best = 100)      100        79.5        79.5        63

Note: as transcribed, Vendor #1's Compliance score (8) exceeds that factor's weight (7.5); a score cannot exceed its weight, so one of the two figures is a typo. Note also that with Price carrying half the weight, Vendor #2 ties Vendor #1 at 79.5 despite scoring half as well on Information Security: the weights decide how much the matrix can say about security.
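The scoring above is a sum of points per factor. The following Python is an added example, not code from the presentation or from Compliance Alliance: it reproduces the slide's three totals, runs the consistency check a reviewer would want (weights sum to 100, no score above its weight, which catches the Compliance entry noted above), and adds an assumed minimum-score ("knockout") rule so that a vendor cannot offset a weak Information Security score with a low price. The floor value and the knockout rule are assumptions for illustration.

```python
"""Weighted vendor scoring in the style of the 'Quantify it' matrix.

Added example; not code from the presentation. WEIGHTS and SCORES are the
figures on the slide. The minimum-score ("knockout") rule in rank() is an
assumption added here: a vendor below the floor on a factor is marked
ineligible regardless of its total.
"""
from typing import Dict, List, Optional, Tuple

# Weight = maximum points a vendor can earn on that factor; the weights sum to 100.
WEIGHTS: Dict[str, float] = {
    "Price": 50, "Information Security": 10, "Technical Ability": 8.5,
    "Compliance": 7.5, "Support": 3, "Risk Management": 4, "Resilience": 5,
    "Incident Response": 5, "Insurance Coverage": 3, "Financial Condition": 4,
}

# Scores as transcribed from the slide. Vendor #1's Compliance score (8) exceeds
# the factor weight (7.5); it is kept as-is so that validate() demonstrates the check.
SCORES: Dict[str, Dict[str, float]] = {
    "Vendor #1": {"Price": 30, "Information Security": 10, "Technical Ability": 8.5,
                  "Compliance": 8, "Support": 3, "Risk Management": 4, "Resilience": 5,
                  "Incident Response": 4, "Insurance Coverage": 3, "Financial Condition": 4},
    "Vendor #2": {"Price": 50, "Information Security": 5, "Technical Ability": 6,
                  "Compliance": 5, "Support": 1, "Risk Management": 2.5, "Resilience": 3,
                  "Incident Response": 5, "Insurance Coverage": 1, "Financial Condition": 1},
    "Vendor #3": {"Price": 24, "Information Security": 10, "Technical Ability": 6,
                  "Compliance": 5, "Support": 2, "Risk Management": 3, "Resilience": 4,
                  "Incident Response": 4, "Insurance Coverage": 2, "Financial Condition": 3},
}


def validate(weights: Dict[str, float], scores: Dict[str, Dict[str, float]]) -> List[str]:
    """Return a list of problems with the matrix; an empty list means it is consistent."""
    problems: List[str] = []
    if abs(sum(weights.values()) - 100) > 1e-9:
        problems.append(f"weights sum to {sum(weights.values())}, not 100")
    for vendor, vs in scores.items():
        missing = set(weights) - set(vs)
        if missing:
            problems.append(f"{vendor}: no score for {sorted(missing)}")
        for factor, s in vs.items():
            if factor not in weights:
                problems.append(f"{vendor}: unknown factor {factor!r}")
            elif not 0 <= s <= weights[factor]:
                problems.append(f"{vendor}: {factor} score {s} outside 0..{weights[factor]}")
    return problems


def total(weights: Dict[str, float], vendor_scores: Dict[str, float]) -> float:
    """Points earned across all weighted factors (a missing factor scores 0)."""
    return sum(vendor_scores.get(f, 0) for f in weights)


def rank(weights: Dict[str, float], scores: Dict[str, Dict[str, float]],
         floors: Optional[Dict[str, float]] = None) -> List[Tuple[str, float, bool]]:
    """Rank vendors by total, highest first, as (vendor, total, eligible) tuples.

    floors maps a factor to the minimum raw score required (assumed knockout
    rule). Ineligible vendors sort after eligible ones; ties keep input order.
    """
    floors = floors or {}
    rows = []
    for vendor, vs in scores.items():
        eligible = all(vs.get(f, 0) >= minimum for f, minimum in floors.items())
        rows.append((vendor, total(weights, vs), eligible))
    return sorted(rows, key=lambda r: (not r[2], -r[1]))


if __name__ == "__main__":
    for problem in validate(WEIGHTS, SCORES):
        print("WARNING:", problem)
    # Assumed floor: at least 8 of 10 on Information Security to stay in the running.
    for vendor, points, ok in rank(WEIGHTS, SCORES, floors={"Information Security": 8}):
        print(f"{vendor}: {points:.1f}/100" + ("" if ok else "  (below security floor)"))
```

With the slide's figures, validate() reports the Compliance entry, the totals come out at 79.5, 79.5 and 63, and the assumed security floor drops Vendor #2 out of contention even though its total ties for first.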

MoPac-alypse Now!

Bidding Process
- Bid #1: $198 million, done in 910 days
- Bid #2: $204 million, done in 910 days
- Bid #3: $137 million, done in 882 days (use tunnels instead of an overpass)
Before the bid, Austin estimated the cost at $170 million. By law, price must count for 70% of the selection criteria.

What could go wrong?
- Rock was too hard to tunnel (an "unforeseen circumstance")
- Re-route a 42-inch sewer pipe
- Too much rain
- Cost of labor too high
- Finger pointing

End Result
- Contractor claims they spent $357 million on the project.
- In January 2017 (over 2 years after they were supposed to finish) they subcontract the rest of the work out.
- Contractor sues for $100 million.
- Final cost ends up being $159 million for the City.
- Still not finished.

Contract Negotiation
- Scope
- Term
- Liability and indemnification
- Parties involved
- Compliance
- Monitoring (audits and reports)
- Service Level Agreements
- Security and safeguards
- Disaster recovery
- Licensing
- Termination
- Board approval for critical vendors

Other Considerations
- Is it one-sided?
- Does it address regulatory requirements?
- Do you have other contracts, and do those contracts terminate at the same time?
- Software updates
- What to do with obsolete systems
- Disaster recovery
- Ambiguity: don't ignore definitions

Review the contract paragraph by paragraph, line by line. If you don't understand what a paragraph means, clarify it, which means either rewriting it or amending it. Are all the terms acceptable, and are you willing to perform them? What are your red lines? What is negotiable? Involve your attorney.

Service Level Agreements
- How much downtime is acceptable to the bank?
- What is the required response time?
- When will it be delivered?
When possible, quantify these standards; don't leave them to a "good faith" or "reasonable" standard.

Indemnity Clauses. When is the clause triggered?
- When an allegation is made against the bank
- When a claim is made against the bank
- When a judgment is issued

Monitoring. Ongoing monitoring is essential to risk management of your third-party relationships. Monitoring should be commensurate with the risk presented by the third party.

Ongoing Monitoring
- Assess the existing relationship periodically
- Assign responsibility to capable staff
- Cover due diligence activities
- Adapt monitoring to changing risk profiles
- Escalate significant issues
- Test controls used to manage third-party risks

Monitoring (enforcement action example): https://www.occ.gov/static/enforcement-actions/ea2017-063.pdf

Review Relationship

Renew or Terminate? The need to terminate a third-party relationship may arise for many reasons. Ensure the relationship is terminated in an efficient manner and that a plan is in place.

Termination. What will you do next? Plan.
- What is the time frame for the transaction?
- What impacts may arise?
- Are there data retention or destruction issues to manage?
- Is there joint intellectual property?
- Are there reputation risks that may arise from terminating the relationship?
- Do you want to contract with another third party or bring the activity in-house?

Regulatory Oversight. Examiners will evaluate:
- Whether the Bank is selective in choosing service providers
- Whether the Bank ensures that the service provider meets licensing or registration requirements
- Whether the Bank performed initial due diligence concerning the service provider's prior regulatory compliance history before entering into an agreement
- Whether the Bank takes steps to ensure service providers' compliance with the company's privacy policy when dealing with company data
- Whether the Bank reviews the internal and external audit reports covering service providers' activities, and whether the Bank responds appropriately to identified concerns

Regulatory Oversight. Examiners will review risk management practices to see:
- The quality of oversight and management of relationships
- Management's ability to highlight and discuss material risks and deficiencies
- Oversight of those activities considered critical
Deficiencies in vendor management practices could be deemed unsafe and unsound banking practices, and they reflect on the strength of your compliance risk management program.

Questions? If you have any additional questions, contact Compliance Alliance at hotline@compliancealliance.com or 888-353-3933.