
Advanced Third-Party Risk Issues


1 Advanced Third-Party Risk Issues
Now that You've Created a Vendor Management Program, How Do You Keep Vendor Oversight Effective and Ongoing?

2 Agenda
Due diligence (Kevin)
Contractual requirements (Kerry)
Onboarding/ongoing monitoring (Tanya)
Contract termination (natural term/closure or termination for cause) (Felix)
When something goes wrong (breach, bankruptcy, other issues) (Robin)

3 Due Diligence

4 What Counts for Due Diligence
Assurance that a potential vendor is financially stable, ethically sound and has a strong corporate structure. Reviews should be tailored to the risk the vendor may present to your organization. Due diligence is performed by the Vendor Management Office (VMO), which is responsible for maintaining an unbiased view of vendors and manages the vendor relationship.

5 Risks
Auditors and regulators could impose penalties, revoke licenses to practice or take legal action against your company if a vendor does not comply with the applicable standards. The press can also damage your company's reputation if a vendor's lack of compliance is exposed, which could negatively affect investor ratings, rating agency scores, shareholders and more.

6 Types of Vendors
Support (most intense review): handling of PII, compliance, legal, financial, corporate structure and stability, annual spend.
Technology (depth depends on the type of product): handling of PII, security of systems (SSAE 16 or similar service auditor report; SSAE 16 has since been superseded by SSAE 18), financial, legal, corporate structure and stability, annual spend.
Non-essential: financial, legal, corporate structure and stability.
All types: Google search (news, etc.).

7 RFP
When to do one
How to review responses
Deviations
Advice in advance
Follow-through: build into the contract what was promised in the RFP response and presentation.

8 Contracts

9 Depends on Vendor Type
Vendor type: Support, Technology, Non-essential, Contractor
Location: key regional differences
Expansion of services: one-time engagement or building a relationship
Regulatory concerns

10 Key Provisions
Services or goods
Payment terms
Termination
Reps and warranties
Confidentiality
Exclusivity
IP
Limitation of liability
Indemnification

11 Special Contracts
Business associate agreements (HIPAA)
Data processing agreements (GDPR Art. 28)
Employment

12 Monitoring

13 External Data Sources
Watch List Lookup: The Thomson Reuters World-Check tool comprises over 300 global watchlists, including OFAC. Watchlist findings can indicate whether the vendor is working with any "bad players" or terrorist organizations.
PCI Lookup: If the vendor is used to electronically process, store or transmit credit or debit cardholder information, it is run through Visa's and MasterCard's global registries of organizations compliant with their security standards.
Consumer Financial Protection Bureau (CFPB) Lookup: The CFPB maintains a database of consumer complaints raised against organizations operating in the United States. Reviewing the entries provides insight into public perception of a vendor, as well as its ability to properly deliver services.
Office of the Comptroller of the Currency (OCC) Lookup: A review of data from the independent bureau within the Department of the Treasury that periodically issues consent orders against regulated entities, including cease-and-desist orders, monetary penalties and general findings.
Financial Lookups: Vendors receive a financial health review from several financial data sources to properly identify any bankruptcy or solvency risk.
All issues identified in the external data review are logged within the vendor risk management platform, decisioned and tracked.

14 Vendor Required Updates
Third-party service auditor reports (SOC 1, SOC 2 or ISAE 3402)
Breach notification plan
Business continuity/disaster recovery program materials and test results
Applicable PCI Attestations of Compliance
Financial package
Proof of insurance
Policies and other program documentation
Any other client-requested documentation
All evidence collected will be reviewed and any issues will be logged.

15 Internal Data Sources
SLAs: Have SLAs been consistently met, and/or timely credits issued where appropriate?
Deliverables: Have deliverables met expectations, or had to be modified due to vendor requirements?
Relationship: How does the vendor interact with internal relationship managers?

16 Findings & Issues
All potential matches or indications of risk stemming from the external data review, vendor control survey and evidence review are referred to as 'findings'. When a finding meets the appropriate level of control weakness or gap, it becomes an 'issue'. All issues from any external data review, vendor control survey or evidence review are logged and decisioned. Issues can be decisioned in multiple ways: mitigation, termination of the vendor relationship, or risk acceptance. All risk-accepted issues are periodically reviewed to ensure the risk is still appropriate to accept.

17 Termination

18 Termination of Vendor Contract
Normal termination: timing
Termination for cause: insolvency/trigger event, breach of contract, elimination of the business basis

19 Ramp Down
Often a hostile or neutral environment
Periods for handing over / ramp down + ramp up
Process of handing over
Communication with the new vendor
Motivations for the current vendor to cooperate with the new one

20 Transfer of Documentation
Transfer of processes?
Transfer of employees?
Transfer of data + software; IP rights and NDAs
Right to withhold goods stored on site in case of a dispute

21 Right to Data Portability
Art. 20 GDPR
Right of the data subject
Data in a structured, commonly used and machine-readable format
Right to transmit the data to another controller
Where technically feasible, directly from one controller to another
Note: this is a right of the individual data subject, not of the customer organization against its vendor. Return and deletion of the organization's own data at termination still has to be secured contractually, typically in the data processing agreement.

22 When something goes wrong

23 Discovering
News
No longer receiving services
Failure to meet SLA
Law enforcement notice
Regulatory action
Business changes: staff, model, owner

24 Special "Wrongs"
Breaches
Bankruptcy
Natural disasters

25 Managing
Ending the relationship
Manage the transition within the vendor
Move to another vendor
Regulatory issues?
Contract changes
Insurance coverage

26 Questions

27 Resources

28 As submitted

