Technology Service Provider Contracts

Understanding the increase dependence that financial institutions have on technology service providers, bank regulators have increased their efforts to require banks to appropriately handle third-party risk management.  The Federal Deposit Insurance Corporation (FDIC) has identified gaps noted by some examiners regarding several technology service provider contracts that were inadequate under existing guidance.  These contracts were missing or inadequately addressed key terms, such as:

  • Requiring the service provider to maintain a business continuity plan,
  • Lack standards for data recovery along with appropriate remedies when a recovery standard is missed.
  • Defining key terms in the contracts relevant to business continuity and/or incident response. Contracts lacking these provisions violate the Interagency Guidelines Establishing Information Security Standards, promulgated under the Gramm-Leach-Bliley Act.

Vendors that provide technology related services can create special risks to depository institutions that need to be properly addressed in their service contracts.  The FDIC indicated that it plans to hold the board and senior management of financial institutions accountable for controlling those risks in accordance with the requirements of the law and its existing regulatory guidance.

Financial Institutions should be willing to hold their service providers accountable and negotiate an appropriate contract.  All financial institutions should have provisions that they review for all of their contracts with a robust vendor management program, this will help uncover any weakness in business continuity and data recovery early in the process.

 

Why is Overdraft Protection Important

Financial institutions across the country have to make decisions every day when it comes to accounts that show insufficient funds. Should the institutions pay an overdrawn item and take a chance the customer will pay them back or should they return or deny the transaction?

Most banks and credit unions charge the same fee whether they pay an item into overdraft status or return it to the merchant (in the case of paper checks). The question always comes up…who would want you to return the item to the merchant? Furthermore, what happens when the item is returned and what are the consequences to the customer? There is nothing good that happens when an item is returned and it only causes grief to the consumer. In this particular case, grief in the form of additional fees from the merchant or being redlined for future non-cash purchases.

Formal consumer centric overdraft payment programs started in the early 1990s and consumers have benefited greatly. Since the same fee is levied either way, the grief and embarrassment of returned checks is eliminated. For debit card or ATM transactions, consumers can decide on their own if they want the debit authorized or not. About half of a financial institution’s customers want to take the groceries or prescriptions home rather than being denied when using a debit card. Others never want to overdraw their account regardless of the situation.

This is the reason Overdraft Privilege and other forms of overdraft protection programs work. The daily overdraft decision process is easier for the financial institution and consumers like the program. A rare win-win in banking.

Take Advantage of ODP Opt-In Opportunities

How are you communicating with your account holders in your Overdraft Privilege Program? Are you able to not only advise account holders of the benefits of Overdraft Privilege but also remind them that they can authorize Overdraft Privilege service for ATM withdrawals and everyday debit card purchases? Strunk’s overdraft management application, ODP Manager, allows you to do just that!

You should consider sending both Welcome and Reinstatement letters to your account holders when overdraft limits have been assigned or when account holders requalify for Overdraft Privilege. When you send these letters to accounts that have not opted in for Regulation E, you should remind account holders that they have the option to authorize Overdraft Privilege for ATM and debit card transactions. ODP Manager can identify the accounts that have not opted in and generate a letter that includes the Consent Form for Overdraft Services and information about other ways to opt in. You can even set up a form in ODP Manager to allow your account holders to opt in online.

Additionally, ODP Manager allows you to send a letter periodically to account holders in your Overdraft Privilege program who have not opted in to or opted out of the ATM/everyday debit card Overdraft Privilege coverage. This is another opportunity to explain this additional feature to your account holders and to provide a consent form and additional opt-in methods.

Once you start taking advantage of these additional opportunities, the ODP Manager software can help you monitor your progress using daily reports and a dashboard that tracks progress over time.

You Can Outsource, But You Cannot Hide

Companies may outsource an activity, but cannot outsource accountability.

In today’s economic environment, almost every aspect of a company’s operations can be outsourced efficiently. As a result companies interact with vendors on a daily basis, opening themself up to additional risk. Vendor Risk is a type of Operational Risk associated with the potential risk that may occur from relying upon outside parties to perform services or activities on an organization’s behalf. When a company outsources a need to a vendor, it is still the responsibility of the company to ensure that the vendor operates in compliance with established policies, procedures and regulator expectations.

For financial institutions in particular, this has been a clear message from all banking regulatory agencies to their members. Regulatory agencies have identified instances in which financial service institutions have:

  • Failed to properly assess and understand the risks and the direct and indirect costs involved in vendor relationships.
  • Failed to perform adequate due diligence and ongoing monitoring of vendor relationships.
  • Entered into contracts without assessing the adequacy of a vendor’s risk management practices.
  • Entered into contracts that incentivize a vendor to take risks that are detrimental to the financial institution or its customers, in order to maximize the vendor’s revenues.
  • Engaged in informal vendor relationship without contracts in place.

All companies, and especially financial services institutions, must establish an effective vendor management program to protect their business, clients and employees. Having an effective vendor management program enables institutions to control costs, drive service excellence, mitigate risks, and gain increased value over the life cycle of the vendor relationships. Selection, contract structuring and ongoing monitoring of third party service providers are the consistent theme from the regulatory agencies and other risk experts.

Our GRC Services

Our roots go back to 1976, when we began providing consulting services to banks and credit unions. Since then, we have worked with more than 1,500 clients in all fifty states. Among banks and credit unions, we are best known for our compliant fee income improvement programs, including Overdraft Privilege, Rewards Checking and Value Checking. Because risk management and compliance have always been a big part of what we do, in recent years we have gradually expanded our focus to helping clients in all industries improve their risk management and compliance processes and productivity using our software.

We now offer six comprehensive, easy-to-use and affordable compliance management tools that are useful for clients in any industry:

Risk Assessor helps you prepare comprehensive risk assessments consistent with regulatory or other requirements, in days, not weeks.

Policy Manager organizes all your policies into a single database, mapped to the relevant standards and control procedures.

Controls Manager schedules tests of policy compliance and tracks test results.

Vendor Manager is a specialized tool for managing vendor risk that standardizes risk assessment methodology and organizes all vendor related documentation.

Issues Manager is a centralized database for tracking all compliance issues and incidents across your entire organization.

Skills Manager provides online testing and training to ensure employees are knowledgeable about your policies.

All our tools are securely and reliably hosted at Amazon AWS, from which they are available on a variety of devices from anywhere. We’ve gotten some great feedback from our clients. Here are a few comments:

Our policy and control structure is very complex having both a broker/dealer and an investment advisory firm. Policy Manager allows us to easily organize a large volume of policies and maintain our control testing documentation all in one convenient place—a significant improvement over our previous process! — Laura Hendricks: Woodlands Securities / Woodlands Asset Management

We currently use Strunk’s Policy Manager to update and track changes to our policies. We like the audit trail it leaves of changes and also the PDF Redline that indicates changes used for the Board to review and approve. Strunk Customer Support has been prompt and they always assist with any issues we might have. — Karen Lomax, Vice President and CFO Kinetic Credit Union

Strunk’s program brings efficiency to the process and allows us to focus on areas of high risk. Our team sees great value in the process and reporting generated by the Strunk program. It is an affordable way to manage regulatory required risk assessments. — Bob Sundquist, CFO/CRO, NebraskaLand National Bank

Our core customer base has always been smaller and medium-sized organizations and so, unlike most providers, we have tried to price Risk Manager at a level that is affordable by all. In order to encourage usage, we charge a flat annual fee based an organization size. That fee gets you unlimited access to the tools for an unlimited number of users, along with unlimited support from for our support team.

Strunk at WBA’s Education Summit & Regulatory Compliance Conference

Strunk is excited to be exhibiting once again at the Western Bankers Association’s Education Summit & Regulatory Compliance Conference next week, August 25th-28th. This year hosted at the Hyatt Regency Huntington Beach, the event always proves to have many learning opportunities for bankers to gain insight into the most current information facing our industry.

In addition to visiting with many current clients, we look forward to showing attendees the latest features offered by our Governance, Risk Management and Compliance (GRC) software. The solution now includes six GRC tools – Risk Assessor, Policy Manager, Controls Manager, Skills Manager, Issues Manager and the all new Vendor Manager.

Vendor Manager provides an easy to follow standardized process to assess risk, gather due diligence materials, evaluate contracts and stores all vendor documentation in one convenient place. Vendor Manager keeps everything organized, is simple to use and of course follows the latest FFIEC guidelines.

Please stop by booth 28 to learn how to improve compliance, streamline responses, and enhance collaboration… all with less effort. All bankers will also have the opportunity to enter to win a $250 Amazon gift card from Strunk. We can’t wait to see you!

Report from AICPA Vegas

Recently I had the pleasure of attending the AICPA conference in Las Vegas Nevada, where I was able to connect with some of the most interesting companies in the accounting and auditing space. I was able to learn about products from companies like Peerview Data, which specializes in “turning client data into actionable insights” and GruntWorx, which organizes and pre-fills tax documents, as well as many others. The biggest lesson I learned from the conference was the need for data protection and SOC 2 framework compliance.

Many of the companies I talked with had either completed a SOC 2 audit, were in the middle of an audit or were acutely aware of the need for a SOC 2 exam because of the many third-party vendor assessments they constantly must complete for prospective clients. As we discussed their different software applications, and how they deal with customer data, I saw what we always see: spreadsheets and word documents rule the day, creating frustration and wasted time responding to vendor assessment requests. The more we dove into the topic the clearer it became that the Strunk Risk Manager system of policy management was not just a nice to have but was a need to have. I heard from a managing partner at a tax software company that she spends two to three hours answering vendor assessments for nearly all of her new clients, as she was the only person in the company who could pull together all of the required information. Strunk Risk Manager allows your organization to respond with far less effort, freeing up your executive team for more important tasks.

One company told me that it took around 20% of one of their senior consultant’s time working with their CPA firm to complete their first SOC 2 and were planning on utilizing 10-15% of his time for future exams. When we started to discuss how Strunk Risk Manager transforms your policy and control documentation process they were instantly interested in learning more.

At Strunk, we believe that your challenges with compliance are our opportunity to provide best practice solutions and streamlined responses to managing all your compliance processes.

The Four Compliance Commandments

We’ve spent a lot of time working on and thinking about Governance, Risk Management and Compliance. Whole books have been written on this subject and there are graduate-level university courses on it as well. But in the practical world, for most businesses we think the whole GRC universe can be boiled down to four basic principles that we call the Four Compliance Commandments:

1) Know Your Risks
2) Ensure Your Policies Mitigate Key Risks
3) Trust, But Verify
4) Prove It

Every CEO and Board worries about this stuff … or should, so let’s break the commandments down:

Compliance Commandment I : Know Your Risks

Every organization must understand the risks it faces if it wants to survive. Organizations tend to get in trouble when they mis-perceive the risks they are up against. Many organizations falter because they under-estimate a risk, but over-estimating a risk can be just as bad, causing an organization to miss a key opportunity.

Over the years, society has created rules designed to limit organizations from taking risks unnecessarily or unknowingly. Often these rules come from the government, but there are other rules, like the SOC2 framework, that come from other sources, like accountants or professional associations. Good examples of these include:

  • Banks or credit unions must comply with regulatory requirements
  • Service providers must comply with external frameworks like SOC2
  • Health care providers need to show compliance with HIPAA requirements

Essentially these frameworks are checklists of risks to consider. These lists can run to a hundred or more items. Reviewing each item and assessing trends can be quite time consuming.

At Strunk we have extensively automated these checklists, making them easier to assess, easier to delegate and easier to summarize.

Compliance Commandment II : Ensure Your Policies Mitigate Key Risks

To keep your organization healthy everyone needs to understand what risks to avoid, what risks to take and under what circumstances. This is where policies come in. Policies communicate what is appropriate risk-taking behavior to your organization.

Strunk recommends organizations evaluate their policies versus the risks. Do you have policies in place that adequately address your key risks? If not, you might want to update your policies. Conversely, do you have policies that don’t really map to any of your key risks? If the answer is yes, then consider simplifying or eliminating that policy.

Strunk provides an automated tool for mapping your policies against your risks. At a glance you can then see which risks are not covered by any policies and which policies are not covering any risk. Strunk Policy Manager organizes all your policies into a relational database, with extensive version tracking, granular ownership assignment, and PDF reports for board or external use.

Compliance Commandment III : Trust, But Verify

Policies are pointless unless the organization follows them. Human nature being what it is, there is a natural tendency for people to cut corners. Too many times organizations let months or even years go by assuming that a policy is still being followed when, due to turnover or distractions or work pressure, that is no longer the case. To maintain policy effectiveness you must test periodically. You can only expect what you inspect.

Our Controls Manager automates the verification process. You create a set of control procedures for testing compliance with your policies, establish a testing schedule for these controls and assign responsibility. The system automatically schedules the testing, creates a calendar showing the month’s tests at a glance, generates alerts on upcoming or overdue tests and provides a dashboard summarizing testing status, including highlighting tests that are overdue or have failed.

You can map your controls to your policies. One control can cover more than one policy and one policy may be covered by more than one control. You can then use the maps to identify policies which need controls or controls which are no longer covering a policy and perhaps should be discontinued.

Compliance Commandment IV : Prove It

Unfortunately it is just not enough to adhere to commandments I through III. You must also be able to prove your adherence, which means abiding by what we call “the law of physical evidence”: a thing isn’t done until you can provide physical evidence that it occurred. You can’t just say you did it; your board, regulators, auditors and customers are going to want proof that you did it.

Many organizations approach this process somewhat haphazardly. They do some kind of paper-based risk assessment, write some policies, set up some checklists, fill out some forms, put some basic tracking in place … easy. The result is a patchwork of Word documents and PDFs and spreadsheets. Then they start emailing them around, and storing different versions on different computers and pretty soon you have a mess: multiple versions, unclear responsibilities, status hard to track. Managing risks, policies and controls is not rocket science by any means, but it really helps to stay organized.

We believe the best way to stay organized is to get out of spreadsheet land and move everything into a modern relational database. A relational database helps connect all the dots so you can keep track of the status of different policies and policy versions, know who is responsible for each compliance activity, log changes, produce consistent reports, provide a single source of truth, with fine-grained control over access and edit rights.

With a system like Strunk Access, when your auditors show up for their exam, you have at your fingertips your latest risk assessment, your compliance map showing how your policies map to your risks and your controls map to your policies, your log of all the changes to your policies over the past year, and a complete record of all your control testing. The result: fewer surprises, your auditors can get their work done more quickly, and your staff spends less time responding to auditor requests.

New Website Featuring GRC & ODP Software Tools

Strunk today announced the launch of a new public website at a new domain: StrunkAccess.com.  The new site provides more information about Strunk’s GRC and ODP software tools in an updated design.

In addition to fee enhancement consulting, Strunk provides comprehensive, easy-to-use and affordable Governance, Risk Management and Compliance software tools that improve compliance and productivity for financial, online and healthcare services providers. These tools are:

Risk Assessor helps prepare comprehensive risk assessments in a matter of days, not weeks.

Policy Manager organizes organization policies into a single database, mapped to the relevant audit standards and control procedures.

Controls Manager schedules tests of policy compliance and tracks test results.

Issues Manager is a centralized database for tracking all compliance issues and incidents across the entire organization.

Vendor Manager is a specialized tool for managing vendor risk that standardizes methodology and organizes all the documentation.

Skills Manager provides online testing and training to ensure employees are knowledgeable about organization policies.

According to Strunk CEO Dan Roderick, “Strunk has grown quite a bit over the past few years and we wanted our public-facing website to demonstrate more comprehensively our expanded services and growth into new markets. We also felt it was time to update our domain name to more accurately reflect who we are.”

Strunk’s old domain name, StrunkLP.com, will continue to work for the online application, which is being transitioned to app.strunkaccess.com.

An independent certified public accountant has examined Strunk’s operations and found them to be in compliance with the AICPA’s Trust Service Principles. It was determined that Strunk meets the Security, Availability, Processing Integrity, Confidentiality, and Privacy criteria for SOC 2 established by the AICPA.