This document discusses bank vendor management and the vendor risk management life cycle. It provides an overview of understanding vendor risks and regulatory requirements. It describes the categories of vendor risks such as reputation, operational, transaction, financial, legal and compliance, and other risks. It discusses identifying critical vendors and outlines the vendor risk management life cycle, including planning and risk assessment, due diligence and selection, contract review, ongoing monitoring, termination, accountability, documentation, independent reviews, and regulatory reporting.
The Hazards of Vendor Management - presented to NC Bankers Association by Richard Lafferty and Bardin Simmons
1. BANK VENDOR MANAGEMENT: UNDERSTANDING THE RISK MANAGEMENT LIFE CYCLE AND AVOIDING THE PITFALLS
MARCH 25, 2015
These materials have been prepared by Poyner Spruill LLP for informational purposes only and are not legal advice. This information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship.
2. Overview
• Goals of Session
– Understand risks associated with using vendors
– Understand general regulatory requirements
– Understand how to identify “critical vendors”
– Understand the risk management life cycle
3. Understanding Vendor Risks
• “The buck stops with YOU”: Reliance on outside vendors (including compliance consultants) to provide services or operations to the bank does not relieve a bank from potential liability or from its responsibility to ensure that outsourced activities are conducted in a safe and sound manner and in compliance with applicable laws.
• As a result, problems experienced by vendors can become the bank’s problems.
4. Vendor Risks: Cautionary Tales
• In 2014, the OCC & CFPB assessed $57 million in fines and restitution
against U.S. Bank in Cincinnati for overcharging more than 420,000
consumer accounts for add-on services (such as credit monitoring and
identity theft protection). Accounts were charged by the vendor,
Affinion and its subsidiary Trilegiant, and errors were discovered by
the bank. The bank terminated the vendor relationship but was still
fined two years after the relationship ended.
• In 2013, a processing center for banking software provider Jack Henry
& Associates was flooded by Hurricane Sandy. Bank clients had
transaction processing disruptions and the vendor faced regulatory
enforcement action for failure to resume operations in a timely
manner.
5. Vendor Risks: Cautionary Tales
• In 2013, First California Bank was fined by the FDIC for unfair and
deceptive trade practices because its vendor Achieve promoted
certain features on Achieve’s website related to a prepaid reloadable
MasterCard product that weren’t actually available.
• In 2012, the OCC fined Capital One Bank $35 million for failure to
develop a comprehensive enterprise risk management system after
one of its vendors was offering debt cancellation and credit monitoring
programs in an unfair and deceptive manner.
• In 2012, the FDIC and FinCEN fined First Bank of Delaware $15
million for failure to implement an effective BSA/AML compliance
program – specifically, failure to adequately oversee payment
processor relationships and related products and services in a manner
commensurate with associated risks.
6. Categories of Vendor Risks
• Reputation risk. Reputation risk is the risk arising from
negative public opinion. Vendor relationships that result in
dissatisfied customers, interactions not consistent with
institution policies, inappropriate recommendations,
security breaches resulting in the disclosure of customer
information, and violations of law and regulation are all
examples that could harm the reputation and standing of
the financial institution in the communities it serves. Also,
any negative publicity involving the vendor, whether or not
the publicity is related to the institution's use of the vendor,
could result in reputation risk to the institution itself.
7. Categories of Vendor Risks
• Operational risk. Operational risk is the risk of loss
resulting from inadequate or failed internal processes,
personnel, and systems, or from external events. Vendor
relationships often integrate the internal processes of
other organizations with the bank's processes and can
increase the overall operational complexity.
8. Categories of Vendor Risks
• Transaction risk. Transaction risk is the risk arising from
problems with service or product delivery. A vendor's
failure to perform as expected by customers or the
financial institution due to reasons such as inadequate
capacity, technological failure, human error, or fraud
exposes the institution to transaction risk. The lack of
effective business resumption and contingency plans
increases transaction risk. Weak control over technology
used in the vendor arrangement may result in threats to
security and the integrity of systems and resources. These
issues could result in unauthorized transactions or the
inability to transact business as expected.
9. Categories of Vendor Risks
• Financial or credit risk. Financial or credit risk is the
risk that a vendor, or any other party necessary to the
vendor relationship, is unable to meet the terms of the
contractual arrangements with the financial institution or
to otherwise financially perform as agreed. Thus, the
financial condition of the party is a key factor in
assessing credit risk.
10. Categories of Vendor Risks
• Legal and compliance risk. Legal risk arises when a
vendor exposes a financial institution to legal expenses
and possible lawsuits or even criminal charges.
Compliance risk arises when a vendor violates applicable
laws, rules or regulations or the institution’s own internal
policies/procedures or business standards.
11. Categories of Vendor Risks
• Other risks. The types of risk introduced by an
institution's decision to use an outside vendor cannot be
fully assessed without a complete understanding of the
resulting arrangement, and even then it may be difficult if
not impossible to identify all potential risks in advance.
Thus, a comprehensive list of potential risks that could be
associated with a third-party relationship is not possible.
12. Regulatory Requirements
• Bank regulators seek to mitigate the risks described above
by requiring institutions to implement and maintain vendor
management controls.
• Vendor oversight is not new. Traditionally, this area has
been regulated from a safety and soundness standpoint.
• In the past, regulators’ concerns were mainly focused on
IT capabilities, information security, service level
standards and the like. Cybersecurity and guarding
against customer data breaches are still at the top of the
list, but now there is also increasing scrutiny in other
areas.
13. Regulatory Requirements
• Regulators now expect financial institutions to
appropriately assess, measure, monitor and control a
broader spectrum of service provider risks.
• Vendor risk management is expected to be addressed in
the bank’s compliance management policies/procedures
and systems.
14. Regulatory Requirements (Dodd-Frank)
• Dodd-Frank vests the CFPB with supervisory and enforcement authority over
large (greater than $10 billion in assets) insured banks and credit unions,
certain non-depository consumer financial services companies, and each of
their affiliates and service providers. For institutions up to $10 billion, the
CFPB may require reports relating to consumer financial protection and may
participate in prudential regulators’ consumer financial protection
examinations on a “sampling” basis, but it does not have direct
supervisory/enforcement authority. It does, however, have direct
supervisory/enforcement authority over service providers that serve a
substantial number of smaller insured depository institutions. The CFPB’s
primary focus is to determine compliance with federal consumer protection
laws and regulations, and it will “take a close look at service providers’
interactions with consumers.”
15. Regulatory Requirements (Sources of Recent Guidance)
• FDIC Letter FIL-13-2014, “Technology Outsourcing: Informational
Tools for Community Bankers” (April 7, 2014)
• FDIC Compliance Manual Section VII-4.1, “Abusive Practices – Third
Party Procedures” (January 2014) (content is similar to earlier FDIC
Letter FIL-44-2008, “Guidance for Managing Third-Party Risk” (June 6,
2008))
• FRB Letter SR 13-19, “Guidance on Managing Outsourcing Risk”
(December 5, 2013)
• OCC Bulletin 2013-29, “Third-Party Relationships: Risk Management
Guidance” (October 30, 2013)
• FDIC Letter FIL-46-2012, “Supervision of Technology Service
Providers and Outsourcing Technology Services” (November 6, 2012)
• CFPB Bulletin 2012-03, “Service Providers” (April 13, 2012)
16. Vendor Risk Management Programs
• A bank should implement and maintain a vendor risk
management program that is commensurate with the level
of risk and complexity of its vendor relationships.
• The program should ensure that for critical vendors the
risk management and oversight of the vendor relationship
is “comprehensive.”
• Aspects of vendor risk management itself may be
outsourced (for example, to consultants specializing in this
area), but this does not diminish the responsibility of the
bank’s board of directors and senior management to
ensure that vendor risk is addressed in a safe and sound
manner and in compliance with applicable laws.
17. Critical Vendors
• As stated above, a bank should adopt comprehensive risk
management and oversight of relationships with critical
vendors.
• When a vendor relationship is or becomes “critical” may
not always be clear, and it may vary depending on the
bank, its business mission and other factors. There is,
however, some guidance from regulators.
18. Critical Vendors
• Generally, critical vendor relationships are those that involve
critical bank activities such as payments, check clearing, or
custodianship of funds; significant shared services like
information technology; or other activities that:
– could cause a bank to face significant risk if the vendor fails to
meet expectations
– could have significant adverse customer impacts
– require significant investment in resources to implement the vendor
relationship and manage the risk
– could have a major impact on bank operations if the bank has to
find an alternate vendor or if the outsourced activity has to be
brought in-house
19. Critical Vendors (Examples)
• An online banking/bill pay or mobile banking/deposit platform service
provider is clearly a critical vendor.
• Vendors providing consumer disclosure software for loans, credit
cards, deposit accounts, etc., are likely critical, due to the problems
that can ensue from errors.
• A lawn maintenance service for one or more branches would not be a
critical vendor.
• What about janitorial services? The answer may not be clear-cut.
Probably not “critical,” but they would have access after hours to bank
premises where confidential customer and other information is kept.
Thus, at a minimum, careful attention should be given in choosing the
vendor and in contract negotiations to things like company reputation,
personnel background checks, and bonding/insurance requirements.
20. Community Banks
• Smaller banks tend to rely on vendors more than their larger peers, which
have more resources to keep functions in-house. Smaller banks also often
have more limited resources to monitor vendors. See, for example,
“Regulators step up focus on cybersecurity at community banks,”
charlotteobserver.com, January 30, 2015.
• FRB acknowledges that community bank programs may be simpler and utilize
fewer elements/considerations than those of larger banks.
• OCC note on community bank compliance: Vendor risk management
guidance applies to all banks with outside vendor relationships. A community
bank should adopt risk management practices commensurate with the level of
risk and complexity of its vendor relationships. Just as with larger institutions,
a community bank’s board and management should particularly focus on
identifying those relationships that involve critical activities and ensuring that
the bank has risk management practices in place to assess, monitor and
manage the risks.
22. Risk Management Life Cycle (Overview)
• A bank’s vendor risk management program should, at a minimum,
address the following processes:
– Planning and Risk Assessment. The bank should assess risk and options for
controlling risk through vendor agreements.
– Due Diligence and Selection. The bank should select only qualified entities to
implement the activity or program.
– Contract Negotiating and Review. The bank should ensure that the specific
expectations and obligations of both the institution and the vendor are outlined
in a written contract prior to entering into the arrangement.
– Ongoing Monitoring and Oversight. The bank should perform continuing
oversight of the operational and financial performance of the vendor on an
ongoing basis to meet the terms of the contract.
– Termination. Contingency plans must ensure that the bank can transition the
activities to another vendor, bring them in-house, or discontinue them when a
contract expires or the terms of the contract have been satisfied, in response
to a default under the contract, or in response to changes in the bank’s or
vendor’s business strategy.
23. Risk Management Life Cycle (Overview)
• In addition, a bank should perform the following
throughout the life cycle of the relationship as part of its
risk management process:
– Accountability and oversight. Assigning clear roles and responsibilities for
managing vendor relationships and integrating the bank’s vendor risk
management process with its enterprise risk management framework enables
continuous accountability and oversight.
– Documentation and reporting. Proper documentation and reporting facilitates
accountability, oversight and risk management associated with vendor
relationships.
– Independent reviews. Conducting periodic independent reviews of the risk
management process enables management to assess whether the process
aligns with the bank’s strategy and effectively manages risk posed by vendor
relationships.
24. Risk Management Life Cycle (Accountability)
• The bank’s board of directors (or a board committee) and
senior management are responsible for overseeing the
bank’s overall risk management processes. The board,
senior management, and employees within the lines of
business who manage vendor relationships have distinct
but interrelated responsibilities to ensure proper
management of outside service provider risk.
25. Risk Management Life Cycle (Accountability)
• Board of directors responsibilities include:
– Ensure an effective vendor risk management process is in place consistent with the
bank’s strategic goals, organizational objectives, and risk appetite.
– Approve the bank’s risk-based policies that govern the vendor risk management
process and identify critical activities.
– Review and approve management plans for using vendors that involve critical
activities.
– Review summary of due diligence results and management’s recommendations to
use vendors that involve critical activities.
– Approve contracts with vendors that involve critical activities.
– Review the results of management’s ongoing monitoring of vendor relationships
involving critical activities.
– Ensure management takes appropriate actions to remedy significant deterioration
in performance or address changing risks or material issues identified through
ongoing monitoring.
– Review results of periodic independent reviews of the bank’s vendor risk
management process.
26. Risk Management Life Cycle (Accountability)
• Senior bank management responsibilities include:
– Develop, establish and implement the bank’s vendor risk management
process.
– Develop plans for engaging vendors and identify those that involve critical
activities.
– Ensure appropriate due diligence is conducted.
– Review and approve contracts with vendors.
– Ensure ongoing monitoring of vendors.
– Ensure appropriate documentation and reporting throughout the life cycle
for all vendor relationships.
– Ensure periodic independent reviews of vendor relationships.
– Hold accountable bank employees who manage relationships with
vendors.
– Escalate issues involving critical vendors to the board as necessary.
– Terminate arrangements with vendors when appropriate.
27. Risk Management Life Cycle (Accountability)
• Bank employee responsibilities include:
– Conduct due diligence of prospective vendors and report results to
senior management.
– Perform ongoing monitoring of vendors and ensure compliance
with contract terms, service level agreements, bank policies, etc.
– Ensure that the bank and/or vendor addresses any identified
problems.
– Escalate significant issues to senior management.
– Notify the vendor of any significant operational issues at the bank
that may affect the vendor.
– Maintain appropriate documentation throughout the life cycle of the
relationship.
– Recommend termination of arrangements with vendors when
appropriate.
28. Risk Management Life Cycle (Independent Reviews)
• Senior management should ensure that periodic
independent reviews are conducted on the bank’s vendor
risk management process, particularly when a bank
involves vendors in critical activities. The bank’s internal
auditor or an outside auditor may perform the reviews, and
senior management should ensure that the results are
reported to the board.
29. Risk Management Life Cycle (Documentation)
• A bank should properly document and report on its vendor risk
management process and specific arrangements throughout their life
cycle. Proper documentation and reporting facilitates the
accountability, monitoring and overall risk management associated
with vendor relationships and typically includes:
– approved plans for the use of vendor relationships
– a current inventory of all vendor relationships, identifying critical vendors
– due diligence results and recommendations
– analysis of costs associated with each vendor relationship
– maintenance of executed contracts and any amendments
– regular performance and other reports required from the vendor (for example,
audit reports, security reviews, and reports showing performance in relation to
service level agreements)
– regular reports to the board and senior management on the results of
independent reviews of the bank’s risk management processes and the
monitoring of vendors involved in critical activities
30. Risk Management Life Cycle (Regulatory Reporting)
• Bank Service Company Act (12 USC Sec. 1863, 1867):
– notice required to primary federal regulator of certain vendor
arrangements, which are then subject to regulation and
examination by the regulator to the same extent as if the services
were performed by the regulated institution itself
– notice must be given within 30 days after the contract is executed
or performance begins, whichever occurs first
– applies to:
• check and deposit sorting and posting
• computation and posting of interest and other credits and charges
• preparation and mailing of checks, statements, notices and similar
items
• any other clerical, bookkeeping, accounting, statistical or similar
functions
31. Risk Management Life Cycle (Planning/Risk Assessment)
• Planning and risk assessment are fundamental to the initial decision of
whether to enter into a vendor relationship with respect to any product
or service. Questions to be answered should include:
– Is the function in question appropriate for outsourcing or better handled
in-house?
– Is the proposed relationship consistent with the bank’s strategic planning and
business strategy?
– What are the benefits, costs, legal considerations and potential risks
associated with using an outside vendor (or any particular vendor)?
– What is the bank’s ability to provide adequate ongoing oversight over the
vendor relationship?
– What is the long-term financial impact of the proposed relationship?
• Upon completion of the risk assessment phase, the bank may want to
develop a detailed business requirements document for significant or
critical services to assist in the task of selecting a vendor.
32. Risk Management Life Cycle (Due Diligence)
• Due diligence is the process of ensuring that only qualified vendors
are selected, particularly to provide significant or critical services. The
scope of due diligence may vary depending on the importance of the
services and risk to the bank. If applicable, the bank should review a
prospective vendor’s due diligence process for selecting
subcontractors, and the bank may do its own due diligence on
subcontractors.
• Due diligence is not a one-time event. It should be performed prior to
selecting a vendor and periodically during the relationship, such as
when considering a contract renewal.
• “Risk scoring” of vendors is gaining popularity among regulators.
33. Risk Management Life Cycle (Due Diligence)
• In conducting due diligence, a bank should assess:
• Technical and Industry Expertise
– assess vendor’s business reputation and experience and
ability to provide services to meet present and future needs
– evaluate principals, key project personnel and any
subcontractors
– assess knowledge of laws/regulations
– verify any required licenses, certifications, etc.
– consider intangibles (values, culture, etc.)
– identify areas where the bank may need to
supplement the vendor’s expertise to reduce risk
34. Risk Management Life Cycle (Due Diligence)
• Operations and Controls
– as applicable, evaluate (through audit reports, etc.) adequacy of:
• vendor’s risk management program, including policies, processes and
internal controls
• facilities management (for example, access requirements)
• training for employees (including compliance training)
• data security
• privacy protections
• employment policies including background checks
• insurance coverage (liability, fire and other hazards, fidelity, errors and
omissions, etc.)
• records maintenance (including whether the bank will have timely
access to its data maintained by the vendor)
• business resumption and contingency planning
35. Risk Management Life Cycle (Due Diligence)
• Financial Condition
– analyze vendor’s financial statements, annual reports, SEC filings,
etc.
– analyze market share (and whether trending up or down)
– consider financial impact of proposed contract on vendor
– assess vendor’s technological expenditures and whether it has
adequate resources to invest in and support necessary technology
– examine significant complaints, litigation or regulatory actions that
might affect the vendor’s financial condition
36. Risk Management Life Cycle (Due Diligence)
• Special consideration should be given to proposed vendor relationships with
affiliated parties and parties that may be wholly or partially foreign based or
that use foreign subcontractors.
• Agreements with affiliated parties must still be on an “arms-length” or
substantially “market terms” basis, in accordance with applicable guidance
and regulations such as Regulation W.
• Vendors with foreign aspects should be evaluated for additional risks of doing
business in the applicable country or countries (for example, risks involving
the economic, social, political or military environment) and for the vendor’s
ability to comply with applicable U.S. laws, regulations and guidance.
37. Risk Management Life Cycle (Contracts)
• Any vendor risk identified in risk assessment or due
diligence phase should be addressed in vendor contracts
themselves.
• Contract is critical in satisfying requirement of oversight –
supplier’s controls, conditions, performance, etc.
• Without adequate contract, no effective way to satisfy
regulatory obligations.
• Counsel should review all significant vendor contracts.
38. Risk Management Life Cycle (Contracts)
• General principle - the scope of services being provided
and risks associated with those services determine:
– required contract provisions
– importance of contract provisions
– level of detail in contract provisions
39. Risk Management Life Cycle (Contracts)
• Required/Suggested Provisions
– scope of services
– performance standards
– security and confidentiality
– controls
– audits and other reports; regulatory oversight
– compliance with laws
– business resumption and contingency plans
– subcontracting (including “offshoring”)
– access to or use of bank’s premises, equipment, and employees
– insurance
40. Risk Management Life Cycle (Contracts)
• Required/Suggested Provisions
– costs and compensation
– use of intellectual property and other property
– customer complaints
– duration
– dispute resolution
– indemnifications
– limitations of liability
– default and termination
– assignment
41. Risk Management Life Cycle (Contracts)
• Scope of Services
– specifications for services and vendor’s obligations
– bank’s obligations
– time frames for performance
– party responsible for delivering any required customer disclosures
– notification to bank and bank’s approval rights regarding material
changes to services, systems, controls, personnel, locations, etc.
– guidelines for modifying or adding services or renegotiating
contract
42. Risk Management Life Cycle (Contracts)
• Performance Standards
– minimum service levels
– remedies/penalties for failure to meet service levels
43. Risk Management Life Cycle (Contracts)
• Security and Confidentiality
– limits on use and disclosure of information
– compliance with privacy and other laws and bank’s privacy policy
– notification of breaches of security
– corrective actions
– responsibilities relating to destruction/return
44. Risk Management Life Cycle (Contracts)
• Controls
– internal controls of vendor
– records to be maintained by vendor and bank’s access to records
– parameters relating to any financial functions, such as payment
processing or extensions of credit
45. Risk Management Life Cycle (Contracts)
• Audits and Reports; Regulatory Oversight
– types: financial, internal controls, security reviews, other reports
– internal vs. external audits; on-site examinations by bank
– frequency and timeliness
– costs
– resolution of deficiencies
– access by regulators
• Now includes CFPB under Dodd-Frank
46. Risk Management Life Cycle (Contracts)
• Compliance with Laws
– vendor’s agreement to comply
47. Risk Management Life Cycle (Contracts)
• Business Resumption and Contingency Plans
– natural disasters or man-made causes
– backup systems and record protection
– right of bank to obtain copy or summary
– testing and results of testing; at least annual typical for critical
services
– costs
– frequency of updates
– notification when implemented
48. Risk Management Life Cycle (Contracts)
• Subcontracting
– “hot button” issue with examiners
– bank to approve significant subcontractors
– primary vendor to be responsible
– notice and approval of changes
49. Risk Management Life Cycle (Contracts)
• Offshoring
– either foreign vendors or domestic vendors with foreign operations
or subcontractors
– privacy/confidentiality of customer information and bank records in
compliance with U.S. laws
– all information transferred offshore remains bank’s property and
will be returned at termination
– authority of U.S. regulators to examine offshore activities
– choice of governing law and jurisdiction for disputes
50. Risk Management Life Cycle (Contracts)
• Access to or Use of Bank’s Premises, Equipment,
Employees
– conditions for access to premises and/or equipment
– provisions covering vendor’s use of bank employees
• Insurance
– required coverages
– notice to bank of changes
51. Risk Management Life Cycle (Contracts)
• Costs and Compensation
– fees/calculations for base services
– charges based on activity
– charges for nonrecurring items, special requests or services
– costs/responsibility for purchase and maintenance of hardware
and software
– cost increases and limits
– compensation schemes must be carefully structured for safety and
soundness
52. Risk Management Life Cycle (Contracts)
• Use of Bank’s Intellectual and Other Property
– ownership
– allowable use
– work products developed by vendor for bank
– timely return of items
53. Risk Management Life Cycle (Contracts)
• Customer Complaints
– Bank or vendor to respond?
– if vendor responsible, send copies with responses to bank
– periodic reports regarding status and resolution
54. Risk Management Life Cycle (Contracts)
• Duration
– consider technology involved and state of industry
– benefits of longer terms vs. wisdom of shorter terms for rapidly
changing technologies
– coordination of interrelated contracts
55. Risk Management Life Cycle (Contracts)
• Dispute Resolution
– consider process to resolve problems/disputes expeditiously
56. Risk Management Life Cycle (Contracts)
• Indemnifications
– mutual indemnification provisions
– should be carefully reviewed
– bank ultimately responsible for safety/soundness and compliance
57. Risk Management Life Cycle (Contracts)
• Limitations of Liability
– supplier may attempt to limit its liability
– bank must consider whether reasonable in light of anticipated loss
from failure to perform
58. Risk Management Life Cycle (Contracts)
• Default and Termination
– what constitutes default, remedies, opportunity to cure
– termination provisions vary with service
– convenience
– change in control
– substantial cost increases
– failure to meet service levels or otherwise perform
– insolvency
– ability to timely terminate without prohibitive expense/penalties
– adequate time for notice and transition
– return/destruction of bank’s data, records, other property
59. Risk Management Life Cycle (Contracts)
• Assignment
– no assignment without bank’s consent
– no changes to subcontractors without bank’s consent
60. Risk Management Life Cycle (Oversight)
• In general
– regularly evaluate relationship in light of bank’s strategic goals
– meet as needed with vendor personnel to discuss performance,
etc.
– oversight activities vary with services
61. Risk Management Life Cycle (Oversight)
• Monitor Financial Condition and Operations
– evaluate financial condition at least annually
– ensure vendor meeting obligations to subcontractors and others
– review audit and other reports and evaluate vendor’s systems and
controls; follow up on deficiencies
– review vendor’s adherence to policies regarding internal controls,
security, backup plans, etc.
– monitor compliance with laws and regulations
– assess effects of changes in personnel
– review insurance coverage
– review licensing/registration requirements
62. Risk Management Life Cycle (Oversight)
• Assess Quality of Service and Support
– review performance reports; follow up on deficiencies
– evaluate vendor’s ability to support bank’s strategic direction
– evaluate adequacy of training for vendor/bank employees
– review customer complaints; follow up as needed
63. Risk Management Life Cycle (Oversight)
• Monitor Contract Compliance and Revision Needs
– review service level performance
– determine whether other contract terms are being met
– assess whether revisions to service levels or other terms needed
– review invoices for proper charges and appropriateness of any
price changes
– monitor external environment (regulatory changes, economic
conditions, competition, etc.) to determine if contract revisions (or
termination) needed
64. Risk Management Life Cycle (Oversight)
• Monitor Business Resumption and Contingency Plans
– review plans to ensure any critical services can be restored in
acceptable time
– review testing program and results
65. Risk Management Life Cycle (Termination)
• A bank may terminate vendor relationships for various
reasons, including:
– expiration or satisfaction of the contract
– desire to seek an alternate vendor
– desire to bring the activity in-house or discontinue the activity
– breach of contract
66. Risk Management Life Cycle (Termination)
• The bank’s policies should ensure that relationships terminate in an
efficient manner, whether the activities are transitioned to another
vendor or in-house, or discontinued. In the event of contract default or
termination, the bank should have a plan to bring the service in-house
if there are no alternative vendors. This plan should cover:
– capabilities, resources, and the timeframe required to transition the activity
while still managing legal, regulatory, customer, and other impacts that might
arise
– risks associated with data retention and destruction, information system
connections and access control issues, or other control concerns that require
additional risk management and monitoring during and after the end of the
vendor relationship
– handling of joint intellectual property developed during the course of the
arrangement
– reputation risks to the bank if the termination happens as a result of the
vendor’s inability to meet expectations
– the extent and flexibility of termination rights may vary with the type of activity