1 
December 11, 2014 
Copyright 2014©, All rights reserved, 3W Partners LLC 
Scott Roller
2 
• Principal & Founder – 3W Partners LLC
• 25 Years – Fortune 500 Companies
  • Telecom
  • Financial Services
• Leadership Roles in
  • Global Vendor Management
  • Ops / Strategy / Re-engineering
  • Outsourcing / Training
• TL9001 (“ISO for telecom”)
  • Certified Lead Auditor
Audited by…
• Regulators: OCC, OTS, CFPB
• Gov’t Entities: Fannie, Freddie, GAO
• Ratings Agencies: Moody’s, Fitch, S&P
• Others: ISO, Accounting firms
3 
Third-Party Oversight & Governance (TPOG)
Brief History
• Why the intense focus on vendors?
• What led us here?
Changing Landscape
• Financial Crisis ~2008
• Vendor management prior to… and now
• Heightened regulator focus areas
What Regulators Expect
• 12 Key Dimensions
• Good resources to self-educate
Technology & Tools
• Increase your chances of success
4 
Financial Crisis 2008
Prior to the Crisis
• Vendor focus very limited:
  • Business continuity
  • Financial strength
  • Credit risk
• Activities were outsourced
  • Unfortunately, so was vendor responsibility and accountability
Post-mortem
• Vendors seen as a major contributing factor to the crisis
• Inadequate oversight from financial institutions
• Resulted in massive fraud and consumer distress
Hidden risks when relationships are not managed closely
5 
Regulatory Response to the Financial Crisis
Regulators have a renewed focus on third-party oversight:
• OCC
• CFPB
• Federal Reserve Board
• FDIC
• NCUA
Considerable Attention
• Institutions must bear responsibility for supplier misdeeds
  • Numerous “casualties” already
• Major focus on consumer interaction with vendors
• Enterprise-wide engagement, especially executives
• Push for independent reviews
Will focus on 12 Key Dimensions today
6 
What I often see within the industry
• Programs are not overly mature
• Many organizations only do the basics
  • Financials
  • Continuity of business
  • Data and site security
• Hard to budget for vendor risk management
• Silos - protecting turf
  • Minimal coordination
  • Not sharing best practices
• Led by a single group
  • Versus a cross-section of the enterprise
• Not part of a larger enterprise-wide Risk Program
• Minimal investment
Have we learned anything from the financial crisis?
7 
Recent examples… and consequences
Collectively, they paid a total of more than $530 million to settle complaints of deceptive selling and predatory behavior by their third-party suppliers.
Net Message: No one ever remembers the vendor name
Source: http://www.mckinsey.com/insights/risk_management/managing_when_vendor_and_supplier_risk_becomes_your_own (July 2013)
8 
On Third-Party Oversight & Governance
• OCC
  • OCC Bulletin 2013-29
  • OCC Bulletin 2001-47
  • OCC Bulletin 2002-16: Foreign-Based Third-Party Service Providers
• CFPB
  • Bulletin 2012-03: Service Providers
• Federal Reserve Board
  • SR 13-19: Guidance on Managing Outsourcing Risk
  • SR 00-4 (SUP): Outsourcing of Information Technology and Transaction Processing
• FDIC
  • Letter: Guidance For Managing Third-Party Risk
  • FDIC Compliance Manual, December 2012
  • FIL-44-2008: Guidance for Managing Third-Party Risk
  • FIL-50-2001: Bank Technology Bulletin: Technology Outsourcing Information Documents
• NCUA
  • Supervisory Letter No. 07-01
Fortunately, expectations resemble one another
9 
These cover most regulatory expectations
• Risk Classification
• Due Diligence
• On-Boarding
• Contracts
• Compliance
• Audits
• MIS / Reporting
• Scorecards
• Annual Certifications
• Complaint Handling
• Escalations
• Governance
Execute these well… satisfy your regulator(s)
10 
For effective third-party oversight
Risk Classification
• Risk-based segmentation
• Scope and intensity of oversight is defined here
• Must consider risks to…
  • Legal & Regulatory
  • Reputation
  • Sensitivity of data
  • Process complexity
  • Customer interface/impact
  • Public or private vendor
Other Considerations
• Domestic
• Offshore
• Core Bank Function
• Non-Core
• Number of similar suppliers
• Percent of volume handled
Classification
• Strategic (High)
• Major (Med)
• Basic (Low)
11 
Due Diligence
• Assess the process of how suppliers are…
  • Sought
  • Vetted
  • Selected (and retained)
• Consider a vendor questionnaire and evaluation matrix
On-Boarding
• Have a plan to implement the vendor relationship
  • Technology, telecom, recruit, train (including compliance), etc.
• Critical: System Entitlements
  • Limit vendor access to only what is “required”
  • Have a revocation process
    o Consider revoking within 24 hours of leaving
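The two entitlement controls above (access limited to what the contract requires, and revocation within 24 hours of leaving) are easy to state and easy to let slip; this added example, not from the presentation or 3W Partners, shows one way to check both against an account inventory. The vendor names, user IDs, entitlement names and the per-vendor "required" sets are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Revocation window from the slide: access removed within 24 hours of leaving
REVOCATION_WINDOW = timedelta(hours=24)

# Hypothetical "required" entitlements per vendor, as a contract/SOW would define them
REQUIRED_ENTITLEMENTS = {
    "PrintCo": {"statement-print"},
    "CollectCo": {"crm-read", "dialer"},
}

@dataclass
class VendorAccount:
    vendor: str
    user: str
    entitlements: Set[str]
    engagement_end: Optional[datetime]  # None while the engagement is still active
    disabled: bool = False

def excess_entitlements(acct: VendorAccount) -> Set[str]:
    """Entitlements beyond what the vendor's contract requires (least privilege)."""
    return acct.entitlements - REQUIRED_ENTITLEMENTS.get(acct.vendor, set())

def revocation_overdue(acct: VendorAccount, now: datetime) -> bool:
    """True if the engagement ended more than 24 hours ago and access is still live."""
    if acct.engagement_end is None or acct.disabled:
        return False
    return now - acct.engagement_end > REVOCATION_WINDOW

def entitlement_review(accounts: List[VendorAccount], now: datetime) -> List[Tuple[str, str, str]]:
    """Return (user, finding, detail) tuples suitable for a vendor scorecard or audit trail."""
    findings = []
    for a in accounts:
        extra = excess_entitlements(a)
        if extra:
            findings.append((a.user, "excess-entitlement", ",".join(sorted(extra))))
        if revocation_overdue(a, now):
            hours = int((now - a.engagement_end) / timedelta(hours=1))
            findings.append((a.user, "revocation-overdue", f"{hours}h"))
    return findings

# Constructed sample inventory: review run on the morning of 11 Dec 2014
NOW = datetime(2014, 12, 11, 9, 0)
SAMPLE_ACCOUNTS = [
    VendorAccount("PrintCo", "pc-jsmith", {"statement-print"}, None),
    VendorAccount("PrintCo", "pc-adoe", {"statement-print", "core-banking-admin"}, None),
    VendorAccount("CollectCo", "cc-bliu", {"crm-read", "dialer"}, datetime(2014, 12, 9, 17, 0)),
    VendorAccount("CollectCo", "cc-mkhan", {"crm-read"}, datetime(2014, 12, 10, 20, 0)),
    VendorAccount("CollectCo", "cc-rpatel", {"dialer"}, datetime(2014, 12, 1, 12, 0), disabled=True),
]

if __name__ == "__main__":
    for finding in entitlement_review(SAMPLE_ACCOUNTS, NOW):
        print(*finding, sep="\t")
```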
12 
Contracts
• Regulators have specific expectations regarding vendor contracts
• Examples of often-overlooked clauses:
  • Use of subcontractors
  • Termination for default
  • Compliance with laws
  • Privacy policy (sensitive info)
  • Electronic Transportable Media
  • Right to audit
  • Licensing
  • Indemnification
  • Notification of complaints
  • Handling of media inquiries
  • Service level monitoring
  • Limitation of liability
  • GSA “Excluded Party List”
  • HUD’s “Limited Denial of Participation”
What is required of you… is also required of ALL members of your “supply chain.” Make it contractual.
13 
Compliance
• Identify all relevant compliance requirements and document how requirements are being met
• Regulatory updates and change management process effectiveness
  • Flow down to vendors (operations, contracts, scorecards, etc.)
Audits
• Do your vendors...
  • “Say what they do?” (via Policy & Procedure Manual)
  • “Do what they say?” (can vendors demonstrate it?)
• Have an audit schedule and comprehensive plan
• Ensure risks are documented and controls are in place.
Risk Classification and “Potential” Audit Frequency
• Strategic (High): Twice per year
• Major (Med): Once per year
• Basic (Low): Every other year
14 
MIS / Reporting
• You need timely and effective reporting in all supplier relationships.
• Demonstrate you have sufficient visibility and control.
Hard to achieve safety and soundness without robust reporting
Scorecards
• Identify key performance indicators (KPIs), track and report on them.
• Document vendor improvement plans.
  • Drive accountability.
• Regular reviews.
  • Evidence of follow-up and actions
    o Warning notices
    o Training, certification
    o Volume adjustments
    o Expanded or decreased scope of work
15 
Annual Certifications
• Re-certify vendors annually.
No more
  • Financials
  • Licensing
  • Insurance
  • Data security
  • Capacity / Staffing
  • SLA performance
  • Process reviews
  • Compliance
  • Customer impact
  • Fees & incentives
  • Use of subcontractors
  • Training (especially compliance)
  • Business continuity
  • Audit results
  • Complaints
  • Media attention
  • Pending litigation
  • Mergers & Acquisitions
  • Ownership changes
  • Compensation practices
• Keeping up with all changes: yours, vendors’, regulators’, etc.
  • Assessing the impacts annually, at minimum.
Very labor intensive dimension
Due Diligence
16 
Complaint Handling
• Requires an effective method of capturing, responding to and resolving complaints.
  • Especially where suppliers are involved.
• Complaint source and severity: Major, Moderate, Minor.
• Linkage of root cause back to the operation.
• Report to senior leadership.
Escalations
Define your future reactions
• When supplier problems arise, you must have effective identification, escalation and management of issues.
• Escalate to appropriate levels. Special review committee?
• Examples:
  • Bad press
  • Multiple system outages
  • Multiple complaints
  • SLAs repeatedly not met
  • Downgraded financials
  • Fraud event
  • Audit findings
17 
Governance
• Senior executive and/or Board Member engagement
  • “Fingerprints everywhere”
    o Drive and approve policy
    o Monitor vendor platform (via regular readouts); at-will access to vendor results
    o Sign-off on vendor selection and recertification (and action/exit)
    o Audit trail of their engagement
• Proposed: Two Tier Governance Model
Executive Committee: Sets “TONE at the TOP”
  • Strategic Alignment
  • Risk appetite
  • Policy
  • Verify adequate oversight
  • Ask questions
  • Approve, Suspend & Terminate
Operations Committee: Drive Vendor…
  • Performance / Quality
  • Control & Compliance
  • Risk & Change Mgmt.
  • Audits
  • Volume Allocations
  • Contingency plans
Extremely useful when managing vendors and risks
• Centralized repository; security
• Portal for easy access
• Clear, actionable management reports and well-designed workflow systems
  • Essential for accountability across the institution
• Measure your level of dependence on critical suppliers
Build vs. Buy
• Building a new third-party risk application from scratch is a big undertaking;
  • So too is enhancing a current risk tool to perform new functions
• Consider “off-the-shelf” workflow and risk-management tools
18
• Healthy, transparent and compliant
• Consistency across vendors
  • OK to manage according to risk segmentation
• Documentation
  • Policy & procedure; roles & responsibilities
  • Audit trail
• Performance-based criteria
• Adequate staffing for oversight
  • Number of resources
  • Skill and competency
• Executive engagement
  • “Fingerprints everywhere”
19
Third-party relationships must be good for the financial institution, its vendors and consumers
Leverage technology where possible
20 
For a copy of today’s presentation… 
Scott Roller 
Principal / Founder 
3W Partners LLC 
scott@3Wpartners.net 
636.448.3713 cell 
www.3Wpartners.net
