Due Diligence - The Regulator’s Perspective ABA Telephone/Webcast Briefing August 14, 2001 Cynthia Bonnette, Assistant Director FDIC Bank Technology Group.

Presentation Overview
- Outsourcing trends and developments
- Highlights of the FFIEC's outsourcing guidance
- FDIC's brochures on technology outsourcing
- Regulatory oversight of service providers
- Outsourcing-related provisions of GLBA

Outsourcing Trends
- TowerGroup estimates banks outsource over 85% of their information technology
- Significant technical expertise and skills are required in the current environment
- The cost to license software or purchase services can be lower than the cost to develop and maintain a proprietary system
- Time to market and technology dynamics require rapid development and enhancement

Outsourcing Trends
- What's new about outsourcing today?
  - Outsourced functions include mission-critical and customer-facing applications
  - Vendors may be new companies, less familiar with the financial services industry
  - Niche providers and specialization often result in multiple vendor relationships
  - Industry dynamics create new challenges for vendor oversight

FFIEC Guidance
- "Risk Management of Outsourced Technology Services" (FFIEC Guidance, November 2000)
- Key elements of the risk management process:
  - Risk assessment
  - Due diligence in selecting the service provider
  - Contract requirements
  - Oversight of the service provider
Regardless of the decision to outsource, the bank remains ultimately responsible.

FDIC's Outsourcing Brochures
- FDIC recognized that community banks may face challenges in achieving the goals of the FFIEC guidance
- Internal and external experts were consulted to identify areas where additional information would be useful
- Goal: provide practical information that "maps back" to the FFIEC guidance

FDIC's Outsourcing Brochures
- Three topics:
  - Selecting a Service Provider
  - Service Level Agreements
  - Managing Multiple Service Providers
- Why did we choose these topics?
- Involvement of key players:
  - External experts (Gartner Group)
  - Industry representatives
  - FDIC experts in IT and contracting
  - Technology companies

FDIC's Outsourcing Brochures
- White papers were drafted and shared with the industry
- The content was revised and re-circulated
- Documents became available on June 4, 2001
  - Bulletin announcing the brochures was issued 6/4/01
  - Documents are available online at
  - Printed brochures are available upon request

FDIC's Outsourcing Brochures
- What they are...
  - Reference documents that a banker may use in relevant situations
  - Optional tools/resources
- What they aren't...
  - Official guidance
  - Examination procedures

Selecting a Service Provider
- Objectives of the selection process
- Identifying potential vendors
- Evaluation and selection
- Negotiating the contract
- Appendix on using an RFP

Selecting a Service Provider - Tips
- Negotiate flexibility, e.g., shorter-term contracts
- Be specific in defining responsibilities
  - Use an institution-wide approach
  - Address resource allocation
- Include service level agreements
- Remember exit/termination clauses
- Include legal counsel in the process
- Don't rush

Service Level Agreements
- Definition and overview of SLAs
- Four steps for developing SLAs
- Tips for drafting SLAs
- Tips for managing SLAs
- Appendix on SLA development (details)
- Appendix with a sample SLA
"If you can't measure it, you can't manage it." -- Peter Drucker

Service Level Agreements - Tips
- Four-step process for developing SLAs:
  - Determining objectives: how does the outsourced service fit into the bank's strategic plan? (e.g., customer service)
  - Defining requirements: what are the operating/performance needs? (e.g., availability)
  - Setting target measurements: what metrics can be used? (e.g., % "up time")
  - Establishing accountability

Managing Multiple Provider Relationships
- Examples of multiple provider relationships and related challenges
- Lead-contractor structure
- Inter-provider agreements
- Tips for coordinating multiple providers
- Appendix with tips for agreement terms and conditions

Managing Multiple Provider Relationships - Tips
- Contracts should explicitly state:
  - Roles and responsibilities
  - When and how subcontractors will be used
- Consider security and insurance implications
- When subcontractors are involved, determine the bank's legal relationship and "privity"
- Ensure effective communication between all relevant parties

Relationship to Regulatory Guidance and BITS Framework
- The outsourcing brochures are NOT official guidance
- They can be used to complement the existing guidance and provide supplemental information and "good ideas"
- They can be used as educational material or practical examples

Regulatory Oversight of Service Providers
- Authority comes from the Bank Service Company Act
- Interagency exams are coordinated by the FFIEC Information Systems Subcommittee
  - MultiRegional Data Processing Servicer (MDPS) Program
  - Shared Application Software Review Program
- Recently, Internet banking service providers have been included in the MDPS program
- Onsite exams are staffed by examiners from all agencies and a joint report is produced

Regulatory Oversight of Service Providers
- Copies of the exam report can be obtained by client banks only from the regional office of their federal regulator
- Exam reports are not a substitute for due diligence and oversight by bank management (e.g., regular receipt of independent audits and security reviews)
- The scope and frequency of the exams should be considered when using the reports as a resource

GLBA Implications for Outsourcing
- GLBA Section 501(b) Standards for Protecting Customer Data
- Each bank shall:
  - Exercise appropriate due diligence in selecting its service providers
  - Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines

GLBA Implications for Outsourcing
- Each bank shall (continued)...
  - Monitor (where indicated by the bank's risk assessment) its service providers to confirm that they have satisfied their obligations
- Review audits and summaries of test results
- The extent of monitoring should be based on the risk assessment

GLBA Implications for Outsourcing
The guidelines define a service provider broadly: "Service provider means any person or entity that maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to the bank."

Questions & Discussion
Cynthia A. Bonnette, Assistant Director
FDIC Bank Technology Group
th Street, NW, Room H-1005
Washington, DC