Downloaded 153 times
Uploaded byNICSA
Third-Party Risk Management: A Case Study in Oversight
The document outlines a case study focusing on third-party risk management, detailing steps for managing vendor relationships through strategic planning, due diligence, oversight techniques, and disengagement processes. It emphasizes the importance of identifying and classifying vendors, ensuring compliance with regulations, and maintaining effective communication and performance monitoring. Additionally, it highlights the evolution and core services of transfer agents in the context of oversight and compliance.
More Related Content
Similar to Third-Party Risk Management: A Case Study in Oversight
Third-Party Risk Management: A Case Study in Oversight
- 1. www.nicsa.org Sleep Better atNight: Learn techniques to manage risks associated with third-party relationships. Third-Party Risk Management: A Case Study in Oversight Part II of II SPONSORED BY:
- 2. www.nicsa.org I. Moderator -Welcome Remarks Rob Rafferty – Principal, Beacon Consulting Group II. Today’s Panelists • Paul Feuerborn - Director of Projects and Technology, American Funds • Mark Roth - First Vice President, Wells Fargo Advisors • Mike McNeill - Managing Director, BFDS III. Format Presentations Paul Feuerborn – Asset Manager Perspective Mark Roth – Intermediary Perspective Mike McNeill – Transfer Agent Perspective Interactive Discussion – Panelists and Moderator Q&A – Audience and Panelists Agenda
- 3.
- 4. www.nicsa.org Step 1: InventoryYour Vendors & Partners
- 5. www.nicsa.org Commodity Strategic Vendor Partner Telecommunication Providers InteractiveVoice Response Fund Accounting Proxy Services Mail/Shipping Web Hosting Production Operations Pricing Distribution Literature Fulfillment Document Management Investor Services Retirement Plan Record-keeping CRM Marketing Communications Transfer Agency? Information Technology Step 2: Classify Them For Your Business Strategy & Risk Transfer Agency? Transfer Agency?
- 6.
- 7. www.nicsa.org Commodity Strategic Vendor Step3: Determine Appropriate Oversight Techniques Partner
- 8.
- 9. www.nicsa.org Life Cycle Vendor Management Stage 1:Strategic Planning and Internal Assessment •Determine the appropriateness of sourcing a product or service (referred to as “services” ) •Understand basic criteria necessary to begin evaluating the business need for a service •Obtain initial business approval to pursue the engagement of a third party service provider •Engage Supply Chain Management Stage 2: Due Diligence and Third Party Selection •Ensure the appropriate third party is selected based on business needs and risks presented •Understand the risks associated with the selected third party service provider and establish a risk mitigation plan, as appropriate •Finalize contract terms •Identify individuals responsible for the ongoing management of the third party service provider engagement •Implement the necessary support activities to successfully manage the third party service provider prior to contract signing and using the third party service provider Stage 3: Engagement Implementation •Ensure all required activities are complete prior to contract signing and using the third party service provider •Sign and archive the contract •Confirm all roles are understood •Use preferred fulfillment channels or engage Accounts Payable, as appropriate Stage 4: Monitoring and Oversight •Contractual obligations are met •Performance is as expected •Risk is assessed on a defined frequency or upon the occurrence of an off-cycle trigger event •All required activities and assessments are completed prior to a pre-determined due date •Business reviews occur on a defined schedule •Any identified issues are escalated Stage 5: Disengagement •Minimize risk when terminating business with a third party service provider at an engagement or relationship level •Identify the rationale for disengagement, including risk implications considered in the decision •Ensure all required tasks related to each disengagement are fully executed
- 10.
- 11. www.nicsa.org - DTCC Networking *Individualaccount and activity records at the broker dealers and funds with daily interactive file transmissions. - Fund Serv Development *Individual client orders sent to the Fund/Transfer Agent with full registration detail and accounting requirements for both the broker dealers and funds - Omnibus Processing *Customer account detail/record kept at the broker dealer firm and omnibus vendor – Funds/Transfer Agent books and records kept at the aggregate house account level
- 12. www.nicsa.org CONTRACTUAL • SALES AGREEMENTS •NETWORKING AGREEMENT • FICCA – Financial Intermediary Controls & Compliance Assessment • EXTERNAL CONTROLS OPERATIONAL • DSA/DSP – Data Share Activity – Data Share Positions • 22C RULES 1 & 2 - SEC Guidelines for Pricing & Fee Allocation • OPERATIONAL SLA’s • OPERATIONAL/SUPERVISORY POLICY & PROCEDURES • DTCC STANDARDIZATION • SOC REVIEW – Statement of Operational Controls PARTNERSHIP • FUND/FIRM VISITS • DTCC MEMBERSHIP • SUB ACCOUNTING VENDOR • INTERNAL VENDOR MANAGEMENT
- 13.
- 14. www.nicsa.org Evolution of theTransfer Agent Transfer Agent Core services Support services Financial/cash control (e.g., super sheets, commissions) Compliance monitoring and reporting, including AML, late trading and market timing, regulation monitoring Corporate actions (e.g., fund mergers) DTCC/NSCC processing Intermediary servicing Fund complex support including communication with fund custodian and fund accounting Technology support including web and mobile services, information security and software development Call center Transaction processing/recordkeeping Tax reporting/withholding Mail/correspondence Fulfillment (e.g., account statements, check processing) SubTransfer Agent Services moved to the SubTA in an omnibus environment Call center Transaction processing/recordkeeping Tax reporting /withholding Mail/correspondence Printing/fulfillment Intermediary position and activity reporting New! Omnibus-level transaction processing, compliance functions, reporting, and SubTA oversight SubTA dependency on the TA
- 15.
- 16. www.nicsa.org SHAREHOLDER SERVICING EVENT MANAGEMENT DIGITAL STRATEGY Mail Processing Transaction Processing InstitutionalProcessing Financial Control Contact Center Digital Consulting Solutions Development Proxy Solutions Event Center Settlement Administration Corporate Actions Evolution of the TA to Support Oversight COMPLIANCE INTERMEDIARY SERVICING DTCC/NSCC Processing Intermediary Call Center Position and Activity Reporting Dealer Compensation Payment Administration 22c-1 and 22c-2 Trade Monitoring AML/CIP Fraud Monitoring FUND SUPPORT Blue Sky Unclaimed Property Administration
- 17. www.nicsa.org How the TASupports Oversight Policies Information Security Information Sensitivity Email and Internet Security Acceptable Use Mobile Computing, Mobile Device USB, Transportable Media, Clean Desk, Remote Access Records Retention Privacy and Information Sharing Privacy Incident Business Continuity/Disaster Recovery Code of Ethics and Professional Standards Ethical Reporting and Anti-Retaliation (Staff) Fingerprinting, Security, Identity and Employment People Board-level Audit Committee Risk Management Committee Loss Awareness Team Quality Assurance Team BCP/DR Group Information Protection Committee Information Protection Board Chief Information Officer Chief Operating Officer Chief Compliance Officer Chief Risk Officer Information Security Officer Business Continuity Consultant Business Unit Risk Coordinators Third party vendors Processes Material risk identification process 3rd party system and compliance audit Internal audit 3rd party penetration and vulnerability testing Patch management Monthly system access audit Business continuity impact analysis and planning Quarterly BCP/DR testing BPO quality tools Annual staff training Vendor management Partnership Annual strategic planning and performance review meeting Negotiated SLAs Secure, online dashboard and other reporting: standard, customized, ad-hoc Due diligence questionnaires Board-level due diligence presentations Intermediary oversight solutions : Payment Administration and 22c- 2 Market Timing Monitoring
- 18. www.nicsa.org Oversight Focus forClients201520142013 Business Process BCP/DR Cybersecurity Technology and Systems Misc. 21.9% 3.4% 45.1% 27.2% 2.4% 18.4% 3.8% 25.5% 44.2% 8.1% 7.7% 7.0% 33.4% 51.3% 0.6% 0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100% 9 42 51 YTD Number of Questionnaires Completed
- 19.
Editor's Notes
- #5 (
- #6 (
- #8 (
- #15 Thanks Mark. To complement what Mark referenced related to the evolution of the broker/dealer mutual fund process, I want to provide some additional detail related to how the transfer agency has evolved over recent years due to the move to Omnibus. Historically, the left side of this slide represents the core functions that would be provided by an internal TA or an outsourced service provider. With the move to omnibus, the Sub TA is now introduced into the process and with that they have assumed additional responsibilities that previously would have been handled by the transfer agency of the asset manager. Level 3 accounts are now being held in house accounts, and the shareholder servicing functions has been transferred to these 3rd parties. Before the evolution of the SubTA, broker/dealers would have been responsible for some functions, such as tax reporting and call center servicing, on their Level 3 business. Under SubTA arrangements, more of these shareholder servicing functions are transitioned further away from the asset manager. With that additional migration away from the asset manager, new functions and intermediary oversight needs have arisen for the TA to ensure risk is being managed for the asset management firm and their shareholders.
- #17 The evolution of the transfer agent and the rise of the SubTA have expanded the due diligence and oversight responsibilities for asset management firms. Increased scrutiny from fund boards and the SEC continue to be drivers in this area in addition to the regulatory requirements and additional oversight needs in an omnibus environment. To meet this need of asset management firms in this arena, we have proactively developed back office solutions that offer complementary, stand-alone oversight of intermediary functions. A great example of this is 22c-2 monitoring, which has seen processing volumes grow by more than 800% over the last five years. (EXAMPLE: 66M transactions analyzed annually, up from 7M in 2010). Blue Sky is another area for us that has seen a dramatic increase over the past year. We also worked with our clients to collaborate on identifying their growing intermediary oversight needs several years ago and that resulted in the expansion of our intermediary servicing solutions. As we know, intermediary payments and Distribution in Guise had been identified as key areas of focus for the SEC exam priorities going back to 2013. This is just another example of how funds and transfer agents need to collaborate on various aspects of intermediary oversight.
- #18 Operational oversight of a business processing partner, like a TA, is ideally driven by the asset management firm’s need to ensure our services are sufficient to help protect the firm and its clients from financial, reputational and regulatory risk. During this webex, we have discussed a lot of valuable points related to intermediary or dealer oversight but we also see this in the way we approach oversight both internally as well as with our clients I would now like to bring the discussion to a more granular level related to how we, as a TA, are creating a culture designed to help support your operational oversight needs. I am not going to review all of these points but they are all integral parts of how we have developed a culture of oversight here. The first areas is Policies It is the foundation of our infrastructure and consists of: IT risk management Compliance, including BCP Employee management People Ours is a culture of oversight, where everyone has responsibility for operational oversight – a key example of this would be annual staff training on topics like BCP/DR awareness, Privacy and Data Management, AML, and Information Security Within the business and the enterprise, there are also teams and individuals with specific responsibility for aspects of operational oversight – starting at the Chief Operating Officer and extending to business unit-level risk coordinators. Processes There is a comprehensive mix of processes that are integrated which provide clients with insight into the integrity of our operations. These would be things such as: Internal audit and risk management processes IT risk management processes BCP/DR processes Day-to-day business process management and quality controls (e.g., dual data entry, journal review, etc.) Annual staff training: information security, red flag-identity theft, AML, business continuity, code of ethics, and privacy policy Vendor management program –requires varying degrees of due diligence based on risk ranking process. We would be conducting these type of in-depth analysis with our vendor relationships similar to what an asset manager would do with a sub-TA or dealer. Lastly but one of the most important aspects is Partnership Paul touched on this in his opening but it is critical to work closely with your clients… Collaborative planning Engagement in due diligence questionnaires and presentations Having strategic discussions related to new products and solutions
- #19 If operational oversight of a business processing partner is a form of check/balance to ensure risk is being tightly managed, ideally it is a continuous process. With our clients, this continuous process looks like monthly performance reporting, regular client meetings, semi-annual (optional) engagement in the business continuity planning process, and at least annual strategic planning sessions. As this slide shows, we’re also seeing an increase in the annual, formal due diligence process. On the far left side you can see that when we look at the last three years, we had received: 9 questionnaires consisting of 197 questions in 2013 This jumped to 42 questionnaires in 2014 and 2,400 questions in 2014. Based on YTD volumes, we are on track to complete more than 60 questionnaires and 3,500 questions in 2015. We also have participated in 75 Info Security presentations for clients and their Boards this year In addition to seeing significant changes in the volumes of formal due diligence questionnaires, we’re also seeing changes in the types of questions being asked. Cybersecurity and IT risk management is still king, making up more than 70% of all the questions our team has answered in each of the last three years. In sync with the growing sophistication of our understanding of risk management, we’re seeing an increase in the percentage of questions related to operational processes, performance management, and quality control review – up from 7.7% of questions to nearly 22%. Consistently, at least 55% of these questions are about compliance operations and audit functions. Vendor outsourcing questions typically also fall here. There has been a declining percentage of questions focused on BCP/DR but the type and quality of questions is not changing substantially. They are primarily focused on: Data back-up and recovery plans Data center locations Crisis management plan (including communication plans) Pandemic plan Testing scope, frequency, results, relevance to client Testing in a production environment The Miscellaneous questions focus on personnel stability (e.g., rates of turnover and tenure), staff training programs, financial stability, etc. With that, I would now like to turn it back to Rob, thank you.