Vendor Risk Management (Banks and Financial Institutions)
Speaker: Jay Ranade/Ram Engira CIA, CRMA, CRISC, CBCP, CISA, CISSP, CISM, ISSAP, CGEIT
Director of Education, Risk Management Professionals Intl.
New York City, USA
Phone +1-917-971-9786
Jay, a certified CISA, CISM, CISSP, and CBCP, is an internationally renowned expert on computers, communications, disaster recovery, IT security, and IT controls. He has written and published more than 35 IT-related books on subjects ranging from networks, security, and operating systems to languages and systems. He also has an imprint with McGraw-Hill, the “Jay Ranade Series”, with more than 300 books. He has written and published articles for computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal. The New York Times critically acclaimed his book “Best of Byte”. He is currently working on a number of books on subjects such as IT audit, IT security, business continuity, and IT risk management. Jay has consulted and worked for Global and Fortune 500 companies in the US and abroad, including American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson and Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse. He was a member of ISACA International's Publications Committee (2005-07).
He also teaches graduate-level classes on Information Security Management and Ethical Risk Management at New York University. Jay is also an adjunct professor at St John’s University, where he teaches Accounting Information Systems, IT Auditing, Internal Auditing, and Operational Risk Management.
Instructor Introduction
Ram Engira has more than 22 years of experience gained at some of Wall Street’s largest firms. He has fundamental business operations and technology skills, especially around key initiatives in the banking, trading, and investment banking arenas. Ram is currently working as a Senior Vice President/Senior IT Infrastructure Manager for the Retail Bank O&T division at a major financial firm. He works for the business office focused on strategic planning, business and technology alignment, client service delivery management, business realignment, engagement planning, and risk management. He is a subject matter expert in BCP/DR, enterprise and IT risk management, information security, and infrastructure optimization. Ram is involved with BCP/DR, information security, and systems auditing from both strategic and tactical points of view. Ram is among the industry leaders in planning and executing data center consolidation programs and infrastructure virtualization leading to IT optimization. Ram is also an adjunct professor at St. John’s University and New York Institute of Technology (NYIT), teaching Master’s-level courses in business continuity planning, enterprise risk management, IT security and auditing, and database management systems.
• Credit risk – 3rd party not able to meet contract terms
3/4/2014 Copyright by Risk Management
Professionals International (Version 19) 19
Vendor Risk Types Examples
• Deceptive vendor marketing
• Credit discrimination
• Privacy issues (data loss or leakage) – GLBA issue
• UDAP – unfair or deceptive acts or practices – UDAP is not always apparent; it may be a commonly accepted bank practice
• Solution: Oversee vendors as you would a department in your bank
What Practices Increase Vendor Risk?
Bad Practices
• Overreliance on 3rd party vendors
– Expertise in staffing vendors, products, and services does not mean expertise in compliance and regulations.
• Failure to monitor vendor
– Monitoring tracks variation in risk. You cannot outsource accountability
Bad Practices
• Failure to retain knowledgeable staff – Vendor staff has expertise, but the organization’s staff does not know the vendor’s activities. The risk is to the organization.
• NO clear expectations set – Contracts must include consumer protection requirements
– Other expectations
Bad Practices
• GIGO effect
– Not providing enough information to vendor to do job
• Vendor activities in violation
– No verification process for whether the vendor is complying with the law/regulation
Some Examples of Vendor Risks
Examples of Vendor Risk
• Flood insurance monitoring
– Vendor is used to monitor flood insurance
– Vendor’s error in calculating required coverage
– Civil money penalty (CMP) lawsuits
• HAMP Program
– Home affordable-loan modification program
– Vendor delay in processing
– Vendor sending duplicate applications
Examples of Vendor Risk
• Credit Card Administration
– Vendors to market credit card programs
– Balance transfer
– Non-disclosure of fees, UDAP violation
– CFPB has enforcement actions against 3 major credit card issuers in 2013
• Disclosure generation software
– Vendor SW generates consumer disclosures
– Regulatory changes need SW changes/alignment
– Management depends on vendor to make changes
Examples of Vendor Risk
• Revenue enhancement
– 3rd party offer for revenue enhancement
– For many products and services
– Compliance issues not considered
• 3rd party payment processors (TPPP)
– Customers use accounts to process payments for merchant clients
– TPPP issued payments for merchants in high-risk illegal activity
– Can also result in UDAP risk
What is a Vendor Risk?
Bank’s Vendor Risk
• Banks use third party vendors to
– Outsource internal operations
– Provide products and services to customers that they do not provide
– Lend their name for services or activities to others for a fee
• Why use 3rd party?
– Resource constraint with bank
– Provide additional products and services
– Provide expertise not available with the bank
Regulator’s concern
• Does outsourcing create more risk?
• Can financial institution
– Identify such risk
– Manage/Control this risk
– Monitor this risk
• Two aspects of regulator’s concern
– Financial institution’s business and solvency
– Consumer’s protection from harm
Regulator’s concern
• 3rd party vendors are not subject to banking and financial reporting requirements
• 3rd party vendor’s lack of accountability to regulators
• So, banks and non-banks are subject to civil and criminal penalties
– Because they have the accountability
Regulator’s new tools
• Bank Service Company Act – When a 3rd party performs a function for bank operations, regulators treat the 3rd party as subject to the act
• Bank Service Company Act, 12 USC 1861-1867(c). Sec. 1861
– Regulator can examine operations of the 3rd party as if they were performed by the bank
• Dodd-Frank Act – Consumer Financial Protection Bureau (CFPB) has jurisdiction over any “person” that provides material service to a bank (or non-bank) for a consumer financial product or service
VRM Facts
• You outsource responsibility, not accountability
– Board and senior management own that
• CFPB - financial institutions responsible for actions of companies they CONTRACT
– Financial institutions expected to manage such risk
So what 7 things do you do?
• Proper vendor governance
• 3rd party due diligence
• Contracting
• RCA
• LCA
• Continuous monitoring (KRIs, KCIs) and oversight
– Proper training for those who monitor
• Tracking consumer complaints
Cause vs. Effect in VR
• Cause → Event
• Event → Effect (aka consequence)
• VR is managed through PCs (preventive controls) by managing the “causes”
• VR is managed through DCs and CCs (detective and corrective controls) by mitigating “effects”
Cross Border Outsourcing
Cross Border Outsourcing – Life Cycle
• Strategic assessment
• Business case development
• Vendor selection – due diligence
• Contracting
• Service transition
• Post transition management
– monitoring
Cross Border Outsourcing – Inherent Risks
• Financial risk – fraudulent transactions
• Privacy risk for PII
• Brand and reputation risk
• Regulatory risk
• Competitive risk from loss of IP
Cross Border Outsourcing – 9 risks
• Vendor selection risk – lack of due diligence
• Strategic risk – inconsistent with organization's goals
• Regulatory compliance risk
– Laws, regulations, policies, oversight, EU data protection, SOX, FFIEC, export restrictions
• Technology risks
– Processes not aligned with organizational objectives
– Business interruptions due to technology failure
Cross Border Outsourcing – 9 risks
• Security risk
– Lack of protection of customer information, IP, and loss of CIA
• Legal risk
– Inability to enforce contractual terms due to legal jurisdiction
• Country risk
– Geopolitical, economic, social issues
Cross Border Outsourcing – 9 risks
• BC risk
– Lack of recovery plans for critical business processes
• Exit strategy risk
– Lack of contract terms for orderly exit from termination of services
• Does the vendor comply with federal consumer finance laws, and does it have ICs to do so?
• Provision to terminate relationship when problems exceed threshold
2. VRM – Due Diligence
• 11 things to look for in due diligence
– Vendor’s experience
– Reputation, complaints, litigation
– IC environment and internal audit
– BC and contingency plan
– Insurance coverage
– Security status – ISO 27001?
– Audited financial statements
– Qualifications and background
– Sufficiency of MIS (computer-based)
– Technology recovery plans (DR plans)
– Reliance on sub-contractors
3. VRM - Contracting
• Contract should minimize the risk of non-performance by the vendor
• Scope of contract must be precisely defined
• Outsourcer should have contractual right to assess IC environment for vendor
– Internal audit of outsourcer
– SOC 1 and SOC 2 (SSAE 16 and ISAE 3402)
3. VRM - Contracting
• Requirements must be defined, understood, and enforceable
• Performance measures and benchmarks defined
• Responsibility to communicate information
• Ownership and licensing of bank’s data, HW, SW, IP, and documentation