Technology Service Provider Contracts

Recognizing the increasing dependence of financial institutions on technology service providers, bank regulators have ramped up their efforts to require banks to handle third-party risk management appropriately. The Federal Deposit Insurance Corporation (FDIC) has reported that some examiners found gaps in several technology service provider contracts, which were inadequate under existing guidance. These contracts omitted or inadequately addressed key provisions, such as:

  • Requiring the service provider to maintain a business continuity plan.
  • Setting standards for data recovery, along with appropriate remedies when a recovery standard is missed.
  • Defining key terms in the contracts relevant to business continuity and/or incident response.

Contracts lacking these provisions violate the Interagency Guidelines Establishing Information Security Standards, as promulgated under the Gramm-Leach-Bliley Act.

Vendors that provide technology-related services can create special risks for depository institutions that must be properly addressed in their service contracts. The FDIC indicated that it plans to hold boards and senior management of financial institutions accountable for controlling those risks, in accordance with the requirements of the law and its existing regulatory guidance.

Financial institutions should be willing to hold their service providers accountable and negotiate an appropriate contract. All financial institutions should have provisions that they review for all of their contracts, along with a robust vendor management program that will help uncover any weakness in business continuity and data recovery early in the process.

Strunk at WBA’s Education Summit & Regulatory Compliance Conference

Strunk is excited to be exhibiting once again at the Western Bankers Association’s Education Summit & Regulatory Compliance Conference next week, August 25th-28th. Hosted this year at the Hyatt Regency Huntington Beach, the event always offers many learning opportunities for bankers to gain insight into the most current information facing our industry.

In addition to visiting with many current clients, we look forward to showing attendees the latest features offered by our Governance, Risk Management and Compliance (GRC) software. The solution now includes six GRC tools – Risk Assessor, Policy Manager, Controls Manager, Skills Manager, Issues Manager and the all-new Vendor Manager.

Vendor Manager provides an easy-to-follow, standardized process to assess risk, gather due diligence materials and evaluate contracts, and stores all vendor documentation in one convenient place. Vendor Manager keeps everything organized, is simple to use and of course follows the latest FFIEC guidelines.

Please stop by booth 28 to learn how to improve compliance, streamline responses, and enhance collaboration… all with less effort. All bankers will also have the opportunity to enter to win a $250 Amazon gift card from Strunk. We can’t wait to see you!

Latest ODP Manager Enhancements

At Strunk, we are committed to providing best-in-class software solutions, and are constantly providing enhancements that we feel will best serve our clients. This month we are pleased to announce the addition of ODP Manager Dashboard within our industry-leading overdraft management application, ODP Manager.

ODP Manager clients will now be able to see their performance over time, as well as in comparison to our entire customer base, for five key indicators: Percent with Limit, Percent Opt In, Overdraft Fee, Consumer Overdraft Limit, and Business Overdraft Limit. The dashboard will graphically display the organization’s performance in purple as compared to the 25th, 50th and 75th percentile statistics for our entire client base. The Dashboard will also display the organization’s monthly trend for Percent with Limit and Percent Opt In.

Each quarter we will email clients a summary of their performance, along with tailored recommendations to address areas that may need attention. We believe the new ODP Dashboard will help clients more effectively monitor overdraft program key indicators and improve performance over time.

New Website Featuring GRC & ODP Software Tools

Strunk today announced the launch of a new public website at a new domain: StrunkAccess.com. The new site provides more information about Strunk’s GRC and ODP software tools in an updated design.

In addition to fee enhancement consulting, Strunk provides comprehensive, easy-to-use and affordable Governance, Risk Management and Compliance software tools that improve compliance and productivity for financial, online and healthcare services providers. These tools are:

Risk Assessor helps prepare comprehensive risk assessments in a matter of days, not weeks.

Policy Manager organizes organization policies into a single database, mapped to the relevant audit standards and control procedures.

Controls Manager schedules tests of policy compliance and tracks test results.

Issues Manager is a centralized database for tracking all compliance issues and incidents across the entire organization.

Vendor Manager is a specialized tool for managing vendor risk that standardizes methodology and organizes all the documentation.

Skills Manager provides online testing and training to ensure employees are knowledgeable about organization policies.

According to Strunk CEO Dan Roderick, “Strunk has grown quite a bit over the past few years and we wanted our public-facing website to demonstrate more comprehensively our expanded services and growth into new markets. We also felt it was time to update our domain name to more accurately reflect who we are.”

Strunk’s old domain name, StrunkLP.com, will continue to work for the online application, which is being transitioned to app.strunkaccess.com.

Law Firms Seeking Plaintiffs to Sue Credit Unions

Law firms have started using social media and web advertising to recruit class action plaintiffs to sue credit unions regarding their overdraft practices and disclosures. Demand letters or complaints filed may make several allegations, including:

  • Violations of EFTA and Reg. E, even where the credit union uses the Model A-9 form.
  • Breach of contract due to unclear or ambiguous terminology in account agreements, such as lack of clarity as to how the credit union will determine that there are insufficient funds in the account.
  • Violations of state consumer laws, such as California’s Unfair Competition Law, New York’s statute addressing deceptive acts and practices, or New Jersey’s Consumer Fraud Act.

Strunk agrees with the risk mitigation recommendations from the CUNA: Credit unions should review their processes for handling reinitiated/resubmitted incoming electronic debits to member accounts that the credit union previously returned unpaid due to insufficient or uncollected funds resulting in an NSF fee. If your credit union charges another NSF fee for reinitiated/resubmitted items that are returned unpaid again, review your account agreement to ensure it discloses that NSF fees may be imposed on the same transaction.

If your credit union assesses overdraft fees based on available balance rather than actual balance/ledger balance, review your account agreement to ensure it contains a description of how certain transactions, such as debit card pre-authorization holds and check holds, impact the available balance, including examples of each. For debit card pre-authorization holds, ensure the account agreement discloses how subsequent debits to the account impact the available balance and that an overdraft fee could be assessed when the debit card transaction posts to the account taking it negative.

It has always been Strunk’s recommendation to precisely disclose the method used to calculate available balance in your account agreement. Because Strunk ODP documents refer to the use of Available Balance, which should be properly disclosed in the member account agreement, there are currently no recommended changes to Strunk’s ODP documentation. We will provide additional information if there are any upcoming changes to our disclosure documentation.