What is a Fourth Party Vendor and Why Should I Care About Their Risk

Fourth-party risk is rising to the top of most auditors’ and examiners’ lists when it comes to evaluating a financial institution’s vendor management program.  Fourth parties are your vendor’s third parties and subcontractors.  You will not have a direct contract with these vendors; however, your vendor does, and relies on them to produce a product or service.  Most of the time these vendors will be visible in your vendor’s SOC reports and should also be easily identified by your vendor as those classified as critical in their own vendor management program.

Financial institutions should care about fourth-party vendor risk because fourth parties are subject to the same risks as your vendors, which puts you at the same risk without the oversight that you have over your own vendors.  Financial institutions are ultimately responsible for the protection of their customers’ data, and a fourth-party vendor can sometimes expose the financial institution to reputational, operational or cybersecurity risk.  All it takes is a single opening for a threat to compromise protected information.  Like any risk, there can be serious business implications, from fines to legal issues, which can negatively affect a business if the fourth-party risk is left unchecked.

The most effective way to manage fourth-party risk is to build a mature, comprehensive vendor risk management program.  If you have the right practices and processes in place, then incorporating fourth parties into those processes should feel manageable and mostly seamless.  Your vendor management program should help you identify your most critical vendors.  Once you do that, you can ask them who their vendors are; what products and services those vendors provide that cause them to be classified as critical to your vendor’s operations; and what due diligence your vendor has performed on them.

Customize Your ODP Manager Letter Templates

Templates for all your necessary Collection and Custom letters are included with Strunk’s hosted ODP Manager software. We’ve provided the letter content for you but there are customizable letter template options to allow your letter appearance to be consistent with other letters sent by your institution.

Do you have a standard letterhead that is used for your customer communications? ODP Manager can save your header and footer information so you can print your letters on plain paper instead of letterhead.

Do you typically sign your letters? ODP Manager allows the flexibility to store signatures for each of your ODP Manager users. No more signing letters – the signature can print with your letter! A signature can be used for all letters, or the signature can change based on the user generating the letters.

Do your customers contact a central location to discuss the ODP Program information or do they contact their local branch? With the hosted software, letters can include a single contact number, or the included phone number can change based on the account’s branch. ODP Manager can even change contact names based on the account’s branch.

Take advantage of hosted ODP Manager’s flexibility to create letter templates specific to your institution. Please contact Strunk Support at support@strunkaccess.com with any questions or for more details.

Taken Your Eye Off the Overdraft Protection Ball?

Have you been worried about taking advantage of account holders in a pandemic environment? Not clear on what regulators expect in terms of accommodating customer hardship situations? The last 14 months certainly haven’t been easy on our account holders. The last thing we want to do is appear to be taking advantage of a bad situation by pushing the envelope on overdraft fees. But where is the right balance? Strunk can help.

We don’t charge a contingency fee – so we’re not going to push you to generate more fees if you think that’s not the right thing for your client base. We also charge a very affordable fixed annual fee – so you don’t have to feel like you should justify the price you pay the OD vendor by driving more fee income. Our goals are to maximize the performance of your program – based on your strategy – and also to ensure compliance.

With StrunkAccess you receive the latest hosted ODP Manager software, which will facilitate the generation of proper notifications & reports when they’re needed. ODP Manager is the most powerful tool available to help financial institutions get the most benefit out of their overdraft programs and remain in full compliance with the law. It is provided as a cloud-hosted application, taking full advantage of the latest software developments and eliminating the need for users to maintain a separate application in their own network environment.

Get started today by contacting us at info@strunkaccess.com or 800-728-3116.

Employee Overdraft Privilege Training

As more and more states are reducing their Covid-19 restrictions, we are seeing an increase in employees from financial institutions going back to face-to-face work environments. As workers start returning to their workspace in a safe fashion, this is a great time to have some additional training with your employees regarding your Overdraft Privilege program.

Strunk offers ODP training that is specific to your financial institution.  With each session tailored to your financial institution, we can help identify issues that you may be having with your program while also ensuring that your employees fully understand the benefits of the overdraft privilege program. During this ODP training we will review how to fully explain the ODP program to customers/members, which will prepare your employees to answer questions that they may receive regarding the program. The ODP training is excellent both for new staff who need to learn about the service and as refresher training for other employees.

Another important item that Strunk covers with its training is the compliance perspective surrounding the program. We are all aware that Overdraft Privilege has been under the microscope of the CFPB, and we would like to make sure that your financial institution stays safe from any regulatory issues. Strunk’s training can be done in person and is still being offered as a webinar, which gives financial institutions the flexibility to choose how they would like their staff to be trained.

If you would like additional information on Strunk’s employee Overdraft Privilege training, please feel free to contact us at 800-728-3116 or info@strunkaccess.com.

Strunk at the ABA’s Virtual Risk Management Conference 2021

We’re getting the hang of these virtual events at Strunk!  Strunk attended the ABA’s annual Risk Management conference last week. During the virtual event we hosted a virtual booth, met with many familiar and new faces via Zoom meetings and attended virtual sessions. We enjoyed the opportunity to connect with bankers across the country.

We welcomed the opportunity to discuss with attendees the latest features offered by our Governance, Risk Management and Compliance (GRC) software Risk Manager, which includes six GRC tools – Risk Assessor, Policy Manager, Controls Manager, Skills Manager, Issues Manager and Vendor Manager.

A state of the industry was provided by Dr. Catherine Mann, currently the Global Chief Economist for Citibank. The session included an update on the economy, focusing on pandemic recovery in all key sectors. She also shared thoughts on key economic risks for financial markets and how this impacts risk mitigation efforts. The session also included a keynote address by Rob Nichols, President and CEO of the American Bankers Association.

Attendees had the opportunity to discuss post-pandemic risk management, among many other topics. Bankers were encouraged to reassess and modify risk management frameworks as a result of the pandemic, especially reviewing and adjusting risk appetites and associated metrics.

Congratulations to the winner of Strunk’s giveaway, a $100 gift card to Amazon – Linda Schnitzler of The Canandaigua National Bank and Trust Company!

We hope to see you all in person next year. Until then, stay well.

Do Business Accounts Have To Opt In To Reg E?

Over the years Strunk has been asked a number of times, “do business accounts that have overdraft privilege have to opt into Reg. E to have their debit card point of sale and ATM transactions covered in the program?” To understand this you must first understand that most consumer protection rules do not apply to deposit accounts held by a business. It is also important to understand that a business-purpose account can be held by a legal entity, such as an LLC or a corporation, or by individuals operating a business themselves as a sole proprietorship.

We need to take a look at Regulation E and break it down regarding this topic. The coverage of Reg. E is stated in section 1005.3(a). It applies to “electronic fund transfers” that debit or credit a “consumer’s account.” Paragraph 1005.2(b)(1) defines an “account” as a consumer asset account established primarily for personal, family, or household purposes. Paragraph 1005.2(e) defines a “consumer” as a natural person. The result is that if an individual is using their deposit account to operate a sole proprietorship, or an account is held by a legal entity, the account would not be covered by Reg. E.

Reg. E coverage means that the “opt-in” for overdraft coverage of debit card point of sale and ATM transactions only applies to consumer accounts. Any application of the concept to other accounts (such as business accounts) is a matter of bank policy and should be addressed in the bank’s deposit account agreement for such accounts.

Are you tired of doing Risk Assessments?

We hear comments from community bankers across the country that they don’t like doing risk assessments and that they are time consuming. Risk assessments generally come in the form of Excel spreadsheets or Word documents. Oftentimes they are done in silos, where each functional area of the bank does its regulatory-required risk assessment and periodically reports it to the bank’s board for review/approval.

Many banks do risk assessments for the regulators, which is typically the wrong approach, in Strunk’s opinion. Risk assessments are done annually for those required by regulations, and sometimes others are done two weeks before the regulators walk in. Risk assessments should be designed to give senior management, board and ownership a snapshot of what risks your bank faces and what has been done to mitigate those risks. High risks aren’t bad; they just need to be managed.

Regulatory scrutiny of BSA/AML, ACH, Fair Lending, Loan Concentrations, Cybersecurity, Information Technology and other areas of the bank has caused financial institutions to spend more time and money focusing on the risks the bank faces. Outsourcing some of these functions to vendors is an expensive way to manage the risk assessment process and certainly unnecessary. Strunk’s GRC (Governance, Risk Management and Compliance) solution makes the risk assessment process easy to do, and it consolidates all areas of risk the bank faces into one report.

Bank examiners often tell the community bank that they are coming out for the annual exam six weeks to two months prior to actually showing up. Generally, they ask the bank to send an extensive amount of information prior to coming onsite. This gives the regulator time to form their opinion on what risks the bank faces before arriving at the bank.

Strunk’s solution lets the bank tell their story rather than have the regulator tell the bank’s story to them. Comprehensive risk assessments are made easy with Strunk’s Risk Assessor Solution https://strunkaccess.com/risk-assessor/.

Help Your Customers Opt In for Regulation E Online

ODP Manager includes letter templates that allow your customers the opportunity to opt in for Regulation E so they can authorize Overdraft Privilege service for ATM withdrawals and everyday debit card purchases. Did you know that ODP Manager can also help you offer your customers the option to opt in on your website?

Strunk can create a Reg E opt in form and Reg E opt out form that mirrors the content in your ODP Manager letters. You would then add links to these forms to your website.

When your customer submits the Consent Form for Overdraft Services or the Consent to Opt-Out, the opt in or opt out request is tracked in ODP Manager. The customer also is emailed a confirmation of their Reg E submission. Periodically, you review the new customer responses in ODP Manager and generate a list of the accounts that need the Reg E election updated. You perform the appropriate maintenance in your core software – updating the account record to either opt in or opt out the customer’s requested account. The ODP Manager software always shows you the most recent responses that you have not yet reviewed. The list of submissions is retained so you can look up past responses.

Let ODP Manager expand your options to allow your customers to choose Overdraft Privilege coverage for ATM and everyday debit card transactions. Please contact Strunk Support at support@strunkaccess.com with any questions or to find out more about using this feature.

Ensuring Employee Compliance With Policies and Procedures

Does your financial institution do annual employee reviews of compliance with your policies and procedures? If not, you should. Training employees on specific areas of the bank is crucial to running a successful company, and testing for product knowledge is critical to customer service.

All financial institutions have policies that are board approved on an annual basis and a set of procedures that are senior management approved. The question is: do your employees know what the policies and procedures say, and do they follow them?

In the middle of the 1980s, the bank I worked at had a product knowledge contest with the winner receiving a trip to Las Vegas. There were three-person teams and the questions came from all areas of the bank. So it was important to have a lending person, a retail person and an operations person on each team to have the correct answers. Needless to say, our team won.

Today, we don’t have product or policy knowledge contests, but that doesn’t mean you can’t test your employees for knowledge of these. Strunk’s Skills Manager solution allows financial institutions to train their employees on products, procedures or policies. Then, through the solution, you can test their knowledge based on the training. Test results for each employee funnel up to one person responsible for the training. Many institutions use this for their security or ethics policy, requiring their employees to take a test on an annual basis. Could Skills Manager help your financial institution?

Is risk always bad?

In our industry we are accustomed to thinking of risk as something we need to constantly assess and evaluate. At best, this exercise can be laborious and time-consuming. The number of risk factors to consider can run into the hundreds, often with different parts of the organization best qualified to assess each risk. The typical solution, emailing spreadsheets around the organization, is inherently cumbersome and error-prone.

Let’s take a step back and break down what a risk is. The definition of risk is a situation involving exposure to danger. But danger does not always look like we might expect. There is an important distinction to be made as some risks can actually pose a benefit to any company while others cause a greater reason for concern. Without risk, it can become easy to settle into consistency, security and stability.

Wouldn’t you like to know the importance of the risks you face and be able to easily identify them? Strunk’s Risk Manager can help identify risks you may be considering to help grow your business, as well as those risks that may present a greater threat to your organization. It helps to answer the questions:

  • What factors must financial institutions manage against?
  • At this point in time how much risk is each factor creating for us?
  • Do we have adequate management measures in place to manage the inherent risk?
  • And what is the trend – is our situation improving or getting worse?

Risk Manager tracks your risks in a database with fine-grained control over access. It documents your assessment of the inherent risk, the strength of your management of the risk and trend for both. If you must respond to a standards-based set of risks like banking industry requirements or SOC2, explicitly score yourself against these frameworks. The solution will map your policies against control activities to be sure you have appropriate policies in place that address each risk and will allow you to track your risk profile over time.

If you would like to bring together all areas of the risk assessment process into one easy to use format and eliminate your dependency on Excel spreadsheets, invest just 30 minutes to review our solution. Contact us at info@strunkaccess.com to learn more.