Vendor Risk Management: Best Practices for Consumer Protection and Regulatory Compliance Assurance

DAMA MN, December 16, 2015

© 2015 FIS All rights reserved. Proprietary and Confidential.


YOUR SPEAKER

Rebecca Frederick CRCM CIPP/US, CIPP/C

Compliance Officer, ChexSystems, FIS Global


IMPORTANT NOTE

This presentation is provided for informational purposes only with the understanding that neither the presenter nor FIS nor ChexSystems® is rendering legal advice and that this presentation is not to be used as a substitute for legal counsel.


POLLING QUESTIONS

Know Your Customer – Know Your Audience

1. Has your organization changed its approach to third party risk management due to recent events and guidance?

2. How many of your organizations are service providers to regulated financial institutions?

3. What’s your vertical?


THE NEW NORMAL ROADMAP


BUILDING YOUR PROGRAM ROADMAP

START
• Initiate Scoping to address Non-IT Risks
• Conduct Inventory and Assessment
• Define Triage Process to cascade requirements
• Leverage existing Risk Assessments
• Identify Compliance Management System Needs
• Understand Consumer Protection Landscape
• Revamp Vendor Classification and Criteria
• Address Marketing Oversight Obligations
• Incorporate Social Media and Campaign Compliance
• Build Vendor Profiles for oversight functions
• Enhance Corporate Governance and Risk Culture
• Enable Contract Lifecycle Modernization
• Build External Assurance Maturity
STOP


1.0 BUILDING YOUR ROADMAP FOR NON-IT THIRD PARTY RISK

The New Normal for Third Party Risk: Consumer Protection · Regulatory Compliance · Operational Risk & Governance


KNOW BEFORE YOU GO

Hot Topics in the Current Regulatory Landscape

CFPB
• Overdraft Practices
• Payday Loans
• Prepaid Products
• Mortgage Lending
• Credit Card Account Management
• Supervisory Highlights
• Legal Violations

FFIEC/OCC/FDIC/NCUA
• Sound Risk Management Processes
• FFIEC Business Continuity Booklet
• OCC Risk Assessment System – 8 Types of Risk
• OCC Model Validation
• OCC Overdraft – Feb. and March Releases
• Cyber Threats
• Information Technology Vulnerabilities
• Interagency Effort to Reduce Regulatory Burden

FTC
• Debt Collectors
• Alternative Scoring Products
• Big Data
• Auto Loans

LET’S SET THE CONTEXT: 2 VIEWPOINTS

Client or Customer
• What are my obligations?
• What are my requirements?
• Regulatory expectations?
• Which third parties?
• Who evaluates?

Regulatory Scope
• Consumer Protection
• Regulatory Compliance
• Operational Risk

Service Provider
• Which obligations?
• Which requirements?
• Whose expectations?
• How to assess?
• How to respond?


MARKET CHALLENGES


ALPHABET SOUP FOR 3RD PARTY OVERSIGHT

Regulators, statutes and standards that bear on Third Party Risk: EFTA, FDIC, OCC, NCUA, CFPB, FTC, BSA, TSR and TCPA, PATRIOT Act, HITECH, FCC, SEC, PCI, SOX, FFIEC, State Laws, HIPAA, GLBA, FACTA, FCPA, EU, NACHA, OSHA, State AGs

OCC MYTHS AND REALITIES – THEMES

• Broadened definition of “third party relationship”

• Identifies “critical activities”

• Increased Board Involvement for critical functions

• Heightened expectations for Risk Management functions

• Expanded topic areas for contract stipulations with 3rd parties

• Enhanced on-going monitoring of “critical suppliers”

• Expects due diligence to be conducted on critical fourth parties as necessary

• Expands oversight topic areas (regulatory compliance)

• Independent Reviews of TPSP functions


OCC MYTHS AND REALITIES – MISINFORMATION

• Does NOT mandate site visits to all subcontractors

• Does increase need for right to audit contract provisions

• Does NOT apply to ALL service providers

• Does require Senior Management to obtain board approval for new critical suppliers

• Does expand notification/consent for 4th party relationships

• Does NOT mandate no offshore service providers


SCOPING YOUR 3RD PARTY OVERSIGHT PROGRAM

ADDRESS NON-IT RISKS

KNOW YOUR OBLIGATIONS
• Fair Lending
• Complaint Management
• Credit Card Account Management
• UDAAP
• Consumer Protection
• Debt Collections
• FCRA

What Non-IT regulations affect your organization that may require changes to your third party oversight program?

CONDUCT AN INVENTORY AND ASSESSMENT

Defining Your Risk Approach: The New 3rd Party Risk Funnel
• Step #1 Regulations: identify key regulations that you address in your compliance management program
• Step #2 Your Obligations: identify key attributes or obligations you need to vet or confirm for your compliance
• Step #3 Map to Your 3rd Parties: identify 3rd parties by NAME and by the FUNCTION they perform

Create your Third Party Compliance Regulatory Inventory Impact Matrix

CONDUCT AN INVENTORY AND ASSESSMENT

Third Party Service Provider Oversight for Non-IT functions is based on a common understanding of regulatory obligations and compliance considerations.

Regulatory Focus Area: Compliance Considerations
• Gramm-Leach-Bliley Act or Regulation P: Data Collection and Use – Who are your GLBA vendors?
• CAN-SPAM and Telephone Consumer Protection Act (TCPA): Marketing Compliance – Who are your Marketing Vendors? Call center outsourcing?
• Digital Marketing: Internet and Advertising Compliance – How do you use the web to market to customers?
• Fair Credit Reporting Act: Credit Products – Who supports you? Restrictions and requirements for making solicitations using eligibility information, responding to direct disputes

DEVELOP A TRIAGE PROCESS TO CASCADE REQUIREMENTS TO YOUR THIRD PARTY

Develop criteria for prioritization of Third Party Oversight based on risk:
• Compliance Risk
• Brand Risk
• Customer Risk
• Enforcement Action
• Complexity

Privacy Risk Considerations (rate each High Risk – Medium Risk – Low Risk):
• Gramm-Leach-Bliley Act or Regulation P
• CAN-SPAM and Telephone Consumer Protection Act (TCPA)
• Digital Marketing
• Fair Credit Reporting Act

REVIEW YOUR ANNUAL RISK ASSESSMENTS

Integrate Third Party Risk into Applicable Risk Assessments and Compliance Programs

• CFPB’s Consumer Risk Assessment
• Emerging Risks
• Cyber Threats
• The OCC’s eight risk categories: Credit, Interest Rate, Liquidity, Price, Operational, Compliance, Strategic, Reputation

IDENTIFY COMPLIANCE MANAGEMENT SYSTEMS NEEDS AND REQUIREMENTS

RIMS RISK MATURITY MODEL (RMM) For ERM

Evaluate the effectiveness and adequacy of your organization’s risk management program and determine where and how the program can improve.

The RIMS RMM is an umbrella framework that covers ISO 31000, OCEG Red Book, BS 31100, COSO, FERMA and Solvency II standards.

Take the free assessment at www.rims.org


Integrate third party risk into applicable risk assessments


LEVERAGE A SIPOC APPROACH

Key Regulations → High Risk Vendors → Functions Performed → How do you audit? → Vendor Artifacts?
• Key Regulations: Regulation A, Regulation B, Regulation C
• High Risk Vendors: Vendor A, Vendor B, Vendor C
• Functions Performed: Function 1, Function 2, Function 3
• How do you audit? Requirement 1, Requirement 2, Requirement 3
• Vendor Artifacts? Requirement 1, Requirement 2, Requirement 3

SIPOC: Suppliers, Inputs, Processes, Outputs, Customers

2.0 PRODUCTS & SERVICES COMPLIANCE JOURNEY


ASSESS CONSUMER PROTECTION LANDSCAPE

Consumer Protection touchpoints: UDAAP; FTC Act Section 5; Dodd-Frank Act; State Laws; State Attorneys General; Class Actions; Call Center Governance; FCRA Compliance; CFPB

Remember: you can be compliant with applicable laws and still be cited for UDAAP violations.

THE COMPLIANCE STOP SIGNS: REVIEWING THE RECENT ENFORCEMENT ACTIONS

• CFPB: Deceptive mortgage advertising and kickbacks
• CFPB: Refund $2.7 million to 98,000 consumers charged illegal credit card fees
• CFPB: Unfair debt collection tactics and credit reporting practices
• OCC: Identity protection products, including credit monitoring and credit report retrieval
• OCC: Foreign exchange business where OCC identified certain deficiencies and unsafe or unsound practices

CONSUMER PROTECTION

Compliance Considerations

Can be compliant but still have a Legal Violation. Would you sell this product to your grandmother?
• Develop and implement a Consumer Protection policy and implement initial and ongoing training
• Develop internal monitoring and auditing processes to evaluate potential consumer protection issues and analyze consumer complaints
• Review all advertising and promotional materials before publication, including website
• Review customer service scripts and call recordings

UDAAP FUNDAMENTALS

Key Definition: Unfair Practice

An act or practice is considered unfair when all of the following are true:
• It causes or is likely to cause substantial injury, usually monetary, to consumers
• It cannot be reasonably avoided by consumers
• The injury is not outweighed by benefits to consumers or competition

Remember: Legal Violations

UDAAP FUNDAMENTALS

Key Definition: Deceptive Practice

A representation, omission, act or practice is deceptive when all of the following are true:
• It misleads or is likely to mislead the consumer
• The consumer’s interpretation is reasonable under the circumstances
• The misleading representation, omission, or practice is material

Remember: Legal Violations

UDAAP FUNDAMENTALS

Key Definition: Abusive Practice

Abusive conduct is prohibited. An act or practice is considered abusive if:
• The consumer is not able to understand a term or condition of a financial product or service because of the actions of the provider; and
• It takes unreasonable advantage of the consumer

Remember: Legal Violations

UDAAP FUNDAMENTALS

Compliance Considerations For Third Party Oversight
• Does the third party have initial and ongoing UDAAP training?
• Does the third party have a UDAAP policy?
• Does the third party conduct internal monitoring and auditing processes to evaluate potential UDAAP issues?
• Does the third party have compensation or incentive programs that could create UDAAP risks?
• Does the third party have governance mechanisms for customer service scripts and call recordings?
• Does the third party have processes to monitor, track and analyze consumer complaints?

FEEDBACK AND COMPLAINTS

MONITORING SYSTEMS AND RESPONSE

Third Parties, Clients, Customers, and Service Providers
• Complaint escalation process
• Incident management and notification
• Policy for disparaging remarks
• Dispute resolution process

BIG DATA AND DATA PRIVACY

Data Collection and Data Use

Data is expanding so quickly it is compared to creating a new Google every 4 days.
• Privacy Bill of Rights
• Mobile Payments
• Cloud Service Providers
• SaaS
• Data brokers

Did You Know? 87% of the US population can be identified by 3 simple data elements: Gender, Date of Birth, Zip Code.
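The 87% figure is Latanya Sweeney’s 2000 finding (5-digit ZIP code, gender and full date of birth). The check a privacy engineer runs before those fields go to a data broker, analytics vendor or ad network is a k-anonymity measurement over the quasi-identifiers: how many records share each combination, and how much generalization (birth year instead of full date, 3-digit ZIP prefix instead of 5 digits) is needed before no combination is unique. The following Python is an added example, not material from the deck or from FIS; the eight records are constructed and describe no real people, and the column layout and generalization levels are illustrative assumptions.

```python
from collections import Counter

# Constructed sample records (not real people). Each row is
# (gender, date_of_birth, zip5). Rows share ZIP prefixes, genders and
# birth years, but no two rows share the full (gender, DOB, ZIP5) triple,
# which is the situation the slide's 87% figure describes.
SAMPLE_RECORDS = [
    ("F", "1971-03-02", "55401"),
    ("F", "1971-11-17", "55401"),
    ("M", "1971-03-02", "55401"),
    ("M", "1971-08-21", "55402"),
    ("M", "1985-07-09", "55402"),
    ("M", "1985-01-23", "55402"),
    ("F", "1985-07-09", "55403"),
    ("F", "1985-12-30", "55403"),
]


def equivalence_classes(records, quasi_id):
    """Count records per quasi-identifier tuple. quasi_id maps a record to
    the (possibly generalized) tuple an outside party could match on."""
    return Counter(quasi_id(r) for r in records)


def k_anonymity(records, quasi_id):
    """Smallest equivalence class: the data is k-anonymous under this view
    iff every quasi-identifier combination is shared by at least k rows."""
    classes = equivalence_classes(records, quasi_id)
    return min(classes.values()) if classes else 0


def unique_fraction(records, quasi_id):
    """Share of rows whose quasi-identifier tuple is unique, i.e. directly
    re-identifiable by anyone holding a name-linked file with the same
    columns (voter rolls, marketing lists, data-broker feeds)."""
    if not records:
        return 0.0
    classes = equivalence_classes(records, quasi_id)
    singletons = sum(1 for r in records if classes[quasi_id(r)] == 1)
    return singletons / len(records)


# Quasi-identifier views, least to most generalized (assumed levels).
def qi_full(r):       # gender + full DOB + 5-digit ZIP: the slide's triple
    return (r[0], r[1], r[2])


def qi_dob_zip5(r):   # drop gender only
    return (r[1], r[2])


def qi_year_zip3(r):  # gender + birth year + 3-digit ZIP prefix
    return (r[0], r[1][:4], r[2][:3])


def qi_zip3(r):       # 3-digit ZIP prefix only
    return (r[2][:3],)


VIEWS = [
    ("full", qi_full),
    ("dob_zip5", qi_dob_zip5),
    ("year_zip3", qi_year_zip3),
    ("zip3", qi_zip3),
]


def generalize_until_k(records, views, k):
    """Pick the least generalized view that meets the target k, the way a
    release policy for a vendor feed would be set: generalize the
    quasi-identifiers until no group is smaller than k. Returns the view
    name, or None if even the most generalized view falls short."""
    for name, view in views:
        if k_anonymity(records, view) >= k:
            return name
    return None


if __name__ == "__main__":
    for name, view in VIEWS:
        print(f"{name:10s} k={k_anonymity(SAMPLE_RECORDS, view)} "
              f"unique={unique_fraction(SAMPLE_RECORDS, view):.0%}")
    print("view to release at k>=2:", generalize_until_k(SAMPLE_RECORDS, VIEWS, 2))
```

On the constructed rows, dropping gender alone still leaves six of eight records unique; only coarsening to birth year plus ZIP prefix reaches k=2. Two caveats: k-anonymity bounds identity disclosure only, so a group whose members all share the same sensitive value (a delinquency flag, a product type) still leaks it; and it says nothing about what a vendor can link once it joins the feed with other data it already holds, which is why the onward-transfer terms in the contract matter as much as the field list.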


MODEL GOVERNANCE OVERSIGHT

Model Risk Management
• Model Development
• Model Implementation and Use
• Model Validation
• Disparate Impact

Third Party Oversight
• Third Party Contracts and Agreements
• Governance, Policies and Controls
• Third Party Monitoring and Audit Program

Embed Third Party oversight in your Model Governance Compliance Program.

REVAMPING VENDOR CLASSIFICATION

Build Vendor Profiles by Function
• Who gives you data?
• Who markets to customers?
• Who provides services to an account?
• Who creates offers or rewards?
• Who provides call center services?
• Who provides online content or advertising?

Re-Think Vendor Risk Point of View
• Step #1: By Function
• Step #2: By Criticality
• Step #3: By Requirements

CREATING A RISK BASED APPROACH FOR PRODUCTS AND SERVICES OVERSIGHT

Create a Risk-Based Approach to identify the frequency and level of oversight to “flow down” to your Third Party based on the PRODUCT or SERVICE. Identify what to do BY CONTRACT and BY MONITORING.

Privacy focus areas
• Gramm-Leach-Bliley Act or Regulation P
• CAN-SPAM and Telephone Consumer Protection Act (TCPA)
• Digital Marketing
• Fair Credit Reporting Act

Define Your Requirements
• Annual Obligations
• Monitoring and Due Diligence
• Complaint Management
• Audit and Compliance Review
• Data Accuracy and Integrity

TELEMARKETING VENDOR OVERSIGHT

Best Practices Checklist for Call Centers and Telemarketing

Understand and define which call center compliance obligations leverage or utilize Third Party Service Providers. Map to your policies. Identify Requirements.

Telemarketing Focus Area: Third Party Oversight Considerations
• Call Recording and Monitoring: Audit and oversight options
• Complaint Management: Monitor volume and categorization
• Incentive Programs: Assess for potential UDAAP risks
• Call Script Reviews: Level of oversight
• Employee Training: Topics, Frequency

DIGITAL MARKETING VENDOR OVERSIGHT

Best Practices Checklist

Digital Marketing Focus Area: Third Party Oversight Considerations
• Online Behavioral Advertising: Subscriber to ad networks – industry guidelines – onward transfer to 3rd parties
• Cookies: Who collects? Type? Usage?
• Contests and Sweepstakes: Oversight for structure of the offer – Disclosures? Notice?
• Marketing Campaigns: Opt out? Consent options? Just in time
• Social Media: Monitoring and usage – compliance integration – Digital Best Practices

SOCIAL MEDIA COMPLIANCE

A Complicated Landscape

SOCIAL MEDIA COMPLIANCE RISKS

Data Leakage

• Personal Information

• Intellectual property

• Credit Card, SSN

• Client Records

Incoming Threats

• Malware, Spyware

• Viruses, Trojans

• Inappropriate Content

Compliance and eDiscovery

• SEC, FINRA

• HIPAA, FISMA

• SOX, PCI

• FRCP – eDiscovery

• FERC, NERC

User Behavior

• Employee Productivity

• Bandwidth Explosion

• Face of the business


SOCIAL MEDIA COMPLIANCE AND LEGAL RISKS

• Enforcement actions and/or civil lawsuits
• Violations or non-conformance with internal policies and procedures
• Different obligations based on type of financial institution or function
• Violations or non-conformance with laws, rules and regulations
• Defamation or libel risks

EMERGING MEDIUM = EMERGING RISKS


REWARDS PROGRAMS SCRUTINY

Best Practices – Frequent Buyers and Flyers
• Create a standard list of rewards triggers
• Identify disclosure requirements associated with the triggers - Reg DD – Truth in Savings
• Identify special 1099 tax reporting - 1099-INT and 1099-MISC
• Implement COPPA controls to ensure the program is utilized by adults and not by minors
• Access to account holder data is on a need-to-know basis per GLBA
• Controls must be in place to mitigate internal fraud relating to CARD Act and SOX requirements due to the offer of retail gift cards
• PCI controls if the offer allows payments via credit cards
• Direct Marketing Association (DMA) Guidelines to Ethical Marketing
• CAN-SPAM requirements for promotional emails (clear opt-out mechanism, and opt-out requests honored)

CONTESTS/SWEEPSTAKES/CAMPAIGNS

• Eligibility by Age

• State Registration and Bonding

• Use of Entries

• Advertising

• Contests of Skill

• Prize Value and IRS

• Disputes

• Liability

• Terms and Conditions

• Use of the term “sweepstakes”

• No purchase option

• Chance of winning

• Prizes and Premiums

• Disclosure of Rules

• Alphabet soup Compliance

• Interest Considerations and Limitations

• Disclosure Rules


CREATING YOUR VENDOR PROFILES

Vendor profiles by function (rows) against due diligence categories (columns): Contract Oversight, Ongoing Monitoring, Termination
• Data Centric Service Providers
• Marketing Service Providers
• Digital/Web Service Providers
• Customer Contact and Consumer Protection Service Providers

3.0 OPERATIONAL RISK & REGULATORY COMPLIANCE


REGULATORY, REPUTATION & OPERATIONAL RISK FOCUS AREAS

• Regulatory Compliance
• Fraud Prevention
• Brand and Reputation
• Business Continuity
• Operational Risk
• Corporate Responsibility

Enhance Corporate Governance + Risk Culture

REGULATORY COMPLIANCE OVERSIGHT

Best Practices
• Strong Compliance Management System (CMS)
• Clear Reporting Structure for Compliance Officer
• Board of Directors Role
• Compliance Committee Role
• Data Governance Role
• Vendor Management Program
• Vendor Performance Monitoring

PROFESSIONAL ETHICS, FRAUD PREVENTION AND BUSINESS PRACTICES

DMA Guidelines for Ethical Business Practices

• Terms of the offer
• Marketing to children
• Special offers and claims
• Sweepstakes
• Fulfillment
• Collection, Use, and Maintenance of Marketing Data
• Digital Marketing
• Telephone marketing to landlines and wireless devices
• Mobile marketing
• Fundraising

Direct Marketing Association - thedma.org

RISK MANAGEMENT CULTURE

Three Tenets of Successful Risk Management

Risk Management Framework and System
• Identifying emerging risks and improvement opportunities
• Risk appetite and thresholds/choice architecture
• Delegated authority and limits
• Policy statements

Culture and Behavior
• Three lines of defense - embedding risk management
• Understanding risk culture
• Tone at the top and tone at the middle
• Compensation linked to risk outcomes

Risk Governance
• Leveraging assurance processes
• Composition/responsibilities of board committees with respect to risk oversight
• Board reporting to facilitate change
• Defining effective risk oversight objectives

Source: KPMG: Enhancing Business Performance through Governance, Risk, and Compliance

CORPORATE GOVERNANCE

Best Practices
• Board of Directors
• Minutes and Board Packet
• Formalize Selection Criteria
• Compliance Training for Board of Directors
• Audit and Risk Committees

See https://sharedassessments.org/2015/02/boards-role-managing-third-party-relationships/ (Catherine Allen, Chairman and CEO, The Santa Fe Group)

MERGER AND ACQUISITION IMPLICATIONS

Two Way Scenarios
• If your organization is bought or acquires another company
• If your service provider is bought or acquires another company

MERGER AND ACQUISITION IMPLICATIONS

• Expanding due diligence obligations
• Map differences in compliance management systems
• Vendor consolidation to minimize costs of oversight and due diligence monitoring
• Costs of compliance for dual products and services
• Preference management reconciliation
• Inheritance of consumer protection issues
• Enhance complaint monitoring during transition
• Limitations on grandfathered products or services
• Build out a Third Party Oversight 1-3 year plan

RISK PRIORITIZATION ACTIVITY

Update your Board of Directors & Management Oversight Approach

Governance Perspectives
• What do you need to change?
• How will you measure success?
• What resources do you need?
• What approvals are needed?

Apply these to: Risk Assessments, Compliance Programs, Governance Process, Management Reporting

4.0 BEST PRACTICES FOR MAINTAINING AND ADAPTING YOUR PROGRAM

Consumer Protection

Regulatory Compliance

Operational Risk & Governance

The New Normal for Third Party Risk


EFFECTIVE CONTRACT LIFECYCLE MANAGEMENT AND CONTRACT MODERNIZATION

Understand Your Needs

Key considerations in developing effective vendor contracts:

• Prioritize: rank your contract requirements and develop alternatives when possible
• Risk-rank vendors to understand the contract provisions required for different types of vendor services
• Establish stakeholders and define roles
• Define business requirements
• Define technical requirements
• Define vendor requirements
• Vendor outsourcing


EFFECTIVE CONTRACT LIFECYCLE MANAGEMENT AND CONTRACT MODERNIZATION

Defining Vendor Requirements

Key considerations in developing effective vendor contracts:

• Access
• Availability
• Marketing Compliance
• Corporate structure and financial viability
• Insurance
• Regulatory/Compliance
• Special Considerations: corporate social responsibility, corporate diversity strategy


EFFECTIVE CONTRACT LIFECYCLE MANAGEMENT AND CONTRACT MODERNIZATION

Key considerations for SLAs and KPIs

Clearly define success criteria:

• They should be mutually exclusive: no two should measure the same thing
• They must be objective and very clearly defined
• They must be easily measurable
• If calculations are necessary, they should be defined
• They should cover specific periods of time
• They should be actionable
• They should be fair and reasonable

Establish a process and time frame for remediation, including consequences for failure

Include your obligations to the process

Strive for mutual success, but be prepared to walk away


BUILD MATURITY TO YOUR RISK PROGRAM

Shared Assessments

Vendor Risk Management Maturity Model

1. Assess your VENDORS by asking them to use the tool to self-assess their maturity program for 3rd party risk

2. Do a Gap Analysis to each layer in the pyramid for what is missing from your program to address consumer protection and regulatory risk

3. Create Action Plan to update your Third Party Risk Program, policies, and framework



STRENGTHEN MANAGEMENT REPORTING

Metrics that matter

Key Performance Indicators (KPIs)

Board Reporting

Third Party Vendor Performance

Complaint Management

Ensure metrics and dashboards are meaningful to track


EXAMINATION READINESS

Best Practices

Timing: months before examination

Thorough inventory to identify gaps or concerns before the examination document request, including:

• Written documentation, policies and procedures
• Data flows and control points
• Depth/breadth of review
• End-to-end compliance
• Look across compliance programs


LEVERAGING EXTERNAL ASSURANCE

Expanding the scope of external assurance engagements can reduce the number and depth of on-site reviews



UPDATING YOUR PROGRAM ROADMAP

START

Initiate Scoping to address Non-IT Risks

Conduct Inventory and Assessment

Define Triage Process to cascade requirements

Identify Compliance Management System Needs

Understand Consumer Protection Landscape

Revamp Vendor Classification and Criteria

Address Marketing Oversight Obligations

Incorporate Social Media and Campaign Compliance

Build Vendor Profiles for oversight functions

Enhance Corporate Governance and Risk Culture

Enable Contract Lifecycle Modernization

Build External Assurance Maturity

STOP

Leverage existing Risk Assessments


QUESTIONS

Lessons Learned

Recap the day

Questions

Aha Moments

Identify 3 Critical Messages for your Senior Management team

Elevator speech!


WHERE WE STARTED – THE WAY FORWARD



TOOLS: THIRD PARTY MATURITY MODEL

Leverage Industry Benchmarking

Shared Assessments Vendor Risk Management Maturity Model

• 2014 Benchmarking Study

• 2015 Survey Results

• Develop Action Plan


https://sharedassessments.org/member-projects/


TOOLS: SOCIAL MEDIA RESOURCES

FTC Announcements: http://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-staff-revises-online-advertising-disclosure-guidelines/130312dotcomdisclosures.pdf

FFIEC Guidance: https://www.ffiec.gov/press/pr121113.htm

FTC Guidance: http://www.ftc.gov/news-events/press-releases/2013/06/ftc-consumer-protection-staff-updates-agencys-guidance-search

FTC Testimonial Guidance: http://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-publishes-final-guides-governing-endorsements-testimonials/091005revisedendorsementguides.pdf


TOOLS: RIMS – THE RISK MANAGEMENT SOCIETY

Tools to supplement your assessment efforts

RIMS is a global not-for-profit organization representing:

>3,500 industrial, service, nonprofit, charitable and government entities throughout the world.

Membership of >11,000 risk management professionals who are located in more than 60 countries.


https://www.rims.org/Pages/Default.aspx


CONTACT INFORMATION

Rebecca Frederick

[email protected]



DAMA MN December 16, 2015

Thank You for Attending
