Advanced Third-Party Risk Issues

Presentation transcript:

Advanced Third-Party Risk Issues Now that You've Created a Vendor Management Program, How Do You Keep Vendor Oversight Effective and Ongoing?

Agenda
- Due diligence (Kevin)
- Contractual requirements (Kerry)
- Onboarding/ongoing monitoring (Tanya)
- Contract termination (natural term/closure or termination for cause) (Felix)
- When something goes wrong (breach, bankruptcy, other issues) (Robin)

Due Diligence

What counts for Due Diligence: assurance that a potential vendor is financially stable, ethically sound and has a strong corporate structure. Reviews should be tailored to the risk the vendor may present to your organization. Due diligence is performed by the Vendor Management Office (VMO), which is responsible for maintaining a non-biased view of vendors and for managing the vendor relationship.

Risks: auditors and regulators could impose penalties, revoke licenses to practice or take legal action against your company if the vendor is not compliant with the applicable standards. The press can also damage your company's reputation if a vendor's lack of compliance is exposed, which could negatively affect investor ratings, rating agency scores, shareholders and more.

Types of Vendors
- Support: most intense review. Review handling of PII, compliance, legal, financial, corporate structure and stability, annual spend.
- Technology: depth depends on type of product. Review handling of PII, security of systems (SSAE 16 or similar audit), financial, legal, corporate structure and stability, annual spend.
- Non-essential: review financial, legal, corporate structure and stability.
- Google search on all (news…)

RFP
- When to do one
- How to review responses
- Deviations
- Advice in advance
- Follow-through: build into the contract what was promised in the RFP response and presentation

Contracts

Depends on:
- Vendor type: Support, Technology, Non-essential, Contractor
- Location: key regional differences
- Expansion of services: one-time engagement or building a relationship; regulatory concerns

Key Provisions
- Services or goods
- Payment terms
- Termination
- Reps and warranties
- Confidentiality
- Exclusivity
- IP
- Limitation of liability
- Indemnification

Special Contracts
- Business associate agreements
- Data processing agreements
- Employment

Monitoring

External Data Sources

Watch List Lookup: the Thomson Reuters World-Check tool comprises over 300 global watchlists, including OFAC. Watchlist findings can indicate whether the vendor is working with any "bad players" or terrorist organizations.

PCI Lookup: if the vendor is used to electronically process, store or transmit credit or debit cardholder information, they are run through Visa's and MasterCard's global registries of organizations compliant with their security standards.

Consumer Financial Protection Bureau (CFPB) Lookup: the CFPB maintains a database of consumer complaints raised against organizations operating in the United States. Reviewing the CFPB entries provides insight into public perception of a vendor, as well as its ability to properly deliver services.

Office of the Comptroller of the Currency (OCC) Lookup: a review of the data from the independent bureau within the Department of the Treasury that periodically issues consent orders against regulated entities, including cease and desist orders, monetary penalties, and general findings.

Financial Lookups: vendors receive a financial health review from several financial data sources to properly identify any bankruptcy or solvency risk.

All issues identified in the external data review are logged within the vendor risk management platform, decisioned, and tracked.

Vendor Required Updates
- Third-party service auditor reports (SOC 1, SOC 2 or ISAE 3402)
- Breach notification plan
- Business continuity/disaster recovery program materials and test results
- Applicable PCI Attestations of Compliance
- Financial package
- Proof of insurance
- Policies and other program documentation
- Any other client-requested documentation
All evidence collected will be reviewed and any issues will be logged.

Internal Data Sources
- SLAs: have SLAs been consistently met, and/or have timely credits been issued where appropriate?
- Deliverables: have deliverables met expectations, or did they have to be modified due to vendor requirements?
- Relationship: how does the vendor interact with internal relationship managers?

Findings & Issues: all potential matches or indications of risk stemming from the external data review, vendor control survey and evidence review are referred to as "findings". When a finding meets the appropriate level of control weakness or gap, it becomes an "issue". All issues from any external data review, vendor control survey or evidence review will be logged and decisioned. Issues can be decisioned in multiple ways: mitigation, termination of the vendor relationship, or risk acceptance. All risk-accepted issues are periodically reviewed to ensure that the risk is still appropriate to accept.

Termination

Termination of Vendor Contract
- Normal termination: timing
- Termination for cause: insolvency/trigger event; breach of contract; elimination of the business basis

Ramp Down
- Often a hostile or neutral environment
- Periods for handing over: ramp down + ramp up
- Process of handing over
- Communication with the new vendor
- Motivations for the current vendor to cooperate with the new one

- Transfer of documentation
- Transfer of processes?
- Transfer of employees?
- Transfer of data + software; IP rights and NDAs
- Right to withhold goods stored at the location in case of a dispute

Right to data portability (Art. 20 GDPR)
- Data subject
- Structured, commonly used and machine-readable form
- Right to transfer to a third party
- Directly from one controller to another

When something goes wrong

Discovering News
- No longer receiving services
- Failure to meet SLA
- Law enforcement notice
- Regulatory action
- Business changes: staff, model, owner

Special "wrongs"
- Breaches
- Bankruptcy
- Natural disasters

Managing
- Ending the relationship
- Managing the transition within the vendor
- Moving to another vendor
- Regulatory issues?
- Contract changes
- Insurance coverage

Questions

Resources

As submitted