Technology Service Provider Contracts

Understanding the increasing dependence that financial institutions have on technology service providers, bank regulators have increased their efforts to require banks to appropriately handle third-party risk management. The Federal Deposit Insurance Corporation (FDIC) has identified gaps noted by some examiners regarding several technology service provider contracts that were inadequate under existing guidance. These contracts were missing or inadequately addressed key terms, such as:

  • Requiring the service provider to maintain a business continuity plan;
  • Setting standards for data recovery, along with appropriate remedies when a recovery standard is missed;
  • Defining key terms in the contracts relevant to business continuity and/or incident response.

Contracts lacking these provisions violate the Interagency Guidelines Establishing Information Security Standards, promulgated under the Gramm-Leach-Bliley Act.

Vendors that provide technology-related services can create special risks for depository institutions, and those risks need to be properly addressed in their service contracts. The FDIC indicated that it plans to hold the board and senior management of financial institutions accountable for controlling those risks in accordance with the requirements of the law and its existing regulatory guidance.

Financial institutions should be willing to hold their service providers accountable and negotiate an appropriate contract. All financial institutions should have a standard set of provisions that they review for every contract, backed by a robust vendor management program; this will help uncover any weakness in business continuity and data recovery early in the process.


Why is Overdraft Protection Important

Financial institutions across the country have to make decisions every day when it comes to accounts that show insufficient funds. Should the institutions pay an overdrawn item and take a chance the customer will pay them back or should they return or deny the transaction?

Most banks and credit unions charge the same fee whether they pay an item into overdraft status or return it to the merchant (in the case of paper checks). The question always comes up: who would want you to return the item to the merchant? Furthermore, what happens when the item is returned, and what are the consequences to the customer? Nothing good happens when an item is returned; it only causes grief to the consumer, in this case in the form of additional fees from the merchant or being redlined for future non-cash purchases.

Formal consumer-centric overdraft payment programs started in the early 1990s, and consumers have benefited greatly. Since the same fee is levied either way, the grief and embarrassment of returned checks is eliminated. For debit card or ATM transactions, consumers can decide on their own whether they want the debit authorized or not. About half of a financial institution’s customers want to take the groceries or prescriptions home rather than be denied when using a debit card. Others never want to overdraw their account regardless of the situation.

This is the reason Overdraft Privilege and other forms of overdraft protection programs work. The daily overdraft decision process is easier for the financial institution and consumers like the program. A rare win-win in banking.

Strunk Applications Have a New Home

Strunk is proud to announce the launch of https://app.strunkaccess.com/v2/ – the new dedicated URL for Strunk’s software solutions. Strunk applications are still hosted with Amazon Web Services (AWS).

With this change comes Strunk’s updated website, found at https://strunkaccess.com. Learn more about our expanded GRC offering which includes Risk Assessor, Policy Manager, Controls Manager, Vendor Manager, Issues Manager, and Skills Manager.

As a result of this domain change, clients should add @strunkaccess.com to their approved sender lists so as not to miss any valuable updates from Strunk.

The separation of the application from the public-facing website will allow Strunk to serve clients more quickly and easily. Client logins remain the same, and any questions should be directed to support@strunkaccess.com or 800-728-3116. Be on the lookout for our monthly releases, which include valuable feature updates and enhancements.


About Strunk

For more than 40 years, Strunk has developed and implemented successful profit improvement, compliance and risk management solutions for hundreds of community FIs. In addition to our core Overdraft Privilege Service, we offer other easy-to-use solutions that help FIs boost profitability and more efficiently identify and manage risk.

About AWS

In 2006, Amazon Web Services (AWS) began offering IT infrastructure services to businesses in the form of web services — now commonly known as cloud computing. Amazon Web Services provides a highly reliable, scalable, low-cost infrastructure platform in the cloud that powers hundreds of thousands of businesses in 190 countries around the world.

Take Advantage of ODP Opt-In Opportunities

How are you communicating with your account holders in your Overdraft Privilege Program? Are you able to not only advise account holders of the benefits of Overdraft Privilege but also remind them that they can authorize Overdraft Privilege service for ATM withdrawals and everyday debit card purchases? Strunk’s overdraft management application, ODP Manager, allows you to do just that!

You should consider sending both Welcome and Reinstatement letters to your account holders when overdraft limits have been assigned or when account holders requalify for Overdraft Privilege. When you send these letters to accounts that have not opted in for Regulation E, you should remind account holders that they have the option to authorize Overdraft Privilege for ATM and debit card transactions. ODP Manager can identify the accounts that have not opted in and generate a letter that includes the Consent Form for Overdraft Services and information about other ways to opt in. You can even set up a form in ODP Manager to allow your account holders to opt in online.

Additionally, ODP Manager allows you to send a letter periodically to account holders in your Overdraft Privilege program who have not opted in to or opted out of the ATM/everyday debit card Overdraft Privilege coverage. This is another opportunity to explain this additional feature to your account holders and to provide a consent form and additional opt-in methods.

Once you start taking advantage of these additional opportunities, the ODP Manager software can help you monitor your progress using daily reports and a dashboard that tracks progress over time.

Tell Your Story … Before the Examiner Does

Most bankers understand the importance of explaining their philosophy, strategic direction, successes and challenges to directors, auditors, examiners, analysts, and even their fellow executives and employees. They know it’s always better to tell their story before opinions are formed and judgements made about the condition and direction of their institution. Waiting until questions are asked after financial statements or audit reports reflect any weakness, or worse, when examiners arrive on-site, often means responding defensively to what is typically a very good story about management’s ability to identify, measure, monitor and mitigate risks. Given its undeniable importance, the best bankers excel at presenting the facts first and then reinforcing the message about the quality of their management team. If done efficiently, your comprehensive enterprise risk management report will provide the perfect opportunity to tell your story.

The issue is one of timing. Everybody’s busy, and nobody has time to continuously repeat what we may naively assume is a message everybody has already heard and retained. But we aren’t always in front of the audience when issues arise. Examiners, for example, spend a considerable amount of time off-site analyzing the institution before coming through your doors. Their pre-work is critical to ensure an effective, risk-focused examination. In the process, it’s inevitable that opinions are formed and even CAMEL ratings roughed out before they speak with management. Bankers must ensure their own viewpoint is timed to arrive before they are judged by examiners, directors, auditors, and others. In particular, your enterprise risk assessments should clearly communicate management’s perspective on all risks, and especially your highest risks.

Equally important is presenting all the facts in a credible manner. The truth eventually comes out, and if the people closest to the work fail to acknowledge high risks and other issues before they are obvious, it means they either can’t be trusted because they hid the facts, or they are deficient because they didn’t know the facts. Bankers conduct comprehensive risk assessments for this exact reason: identify the risks and then measure, monitor and mitigate them. Risk assessments are fundamental to the business of banking. Done right, they ensure no stone is left unturned and they validate management credibility. They provide the facts backing the story.

Identifying risks comes naturally to most bankers – we’re in the risk-taking business after all – but completing and communicating risk assessment results has often been labor intensive and time consuming. If not done efficiently, individual and enterprise risk assessments can drain resources, incur opportunity costs by diverting resources from other important assignments, and lead to frustration and corner-cutting. The key is ensuring the individuals closest to the action conduct or oversee the risk assessment in their functional area without requiring them to spend an inordinate amount of time on the work. About an hour each quarter should prove sufficient at most institutions for executives to complete the task, provided they have the right tools to perform the assessment.

Most bankers appreciate how important it is to tell their story to the right audience before opinions are formed and judgement passed. Comprehensive Enterprise Risk Assessments present a golden opportunity to do just that if they can be done efficiently and without draining resources or busting the budget. Enterprise Risk Assessments are the perfect way to back your story with facts.

Take the Scary Out of Your SOC 2 Exam

SOC 2 examinations can be scary and complicated, taking up extended amounts of your employees’ and stakeholders’ time. Changes to the AICPA framework can throw your SOC 2 exam into a tailspin if you discover you don’t have policies and controls to address the newer principles. Relying on a patchwork of spreadsheets, Word documents and PDFs ensures your company will sink the maximum human investment into SOC 2 compliance, increasing frustration and the possibility of a qualified report.

Strunk Risk Manager can decrease the frustration and the complexity of your policy management process. Our software includes six basic tools for managing risks, policies, controls, compliance issues, vendors and employee knowledge, helping you seamlessly manage your compliance and policy frameworks. Strunk SOC 2 tools don’t just stop at management. We also include a suite of SOC 2 Trust Principle templates to help jump start your policy creation or fill gaps in your already-developed policy regime.

What can you expect from Strunk’s SOC 2/Risk Framework enablement tools?

  1. Your company submits your current policies to our secure portal. If your company does not have developed policies, we have you covered. Use our library of policies and controls to pick and choose templates applicable to your company, helping to speed up the policy and control creation process.
  2. From there we load your policies into the system. Once completed we will train you and your team on how to utilize the system, enabling your team to take off running.
  3. Once your policies are in the system, we will work with your team to map these policies to the correct SOC 2 trust principles.
  4. When your policies and controls are loaded and mapped to the correct trust principles, the heavy lifting is over. Modifying existing policies or adding new ones takes very little time, and your team can easily document board and management approvals.
  5. Help speed along your compliance audits using our Policy Map View, which provides a single document, showing the SOC 2 trust principles, your mapped policies and controls, as well as your control test history and applicable documents. Give your auditors most of what they will need in a single shot, reducing overhead and delays caused by communication lag.

At Strunk, we know our solution works because we use it on our own SOC 2. Contact us today for a demo to see if our solution is right for your company.

Strunk at WBA’s Education Summit & Regulatory Compliance Conference

Strunk is excited to be exhibiting once again at the Western Bankers Association’s Education Summit & Regulatory Compliance Conference next week, August 25th-28th. Hosted this year at the Hyatt Regency Huntington Beach, the event always offers many learning opportunities for bankers to gain insight into the most current issues facing our industry.

In addition to visiting with many current clients, we look forward to showing attendees the latest features offered by our Governance, Risk Management and Compliance (GRC) software. The solution now includes six GRC tools – Risk Assessor, Policy Manager, Controls Manager, Skills Manager, Issues Manager and the all new Vendor Manager.

Vendor Manager provides an easy-to-follow, standardized process to assess risk, gather due diligence materials, evaluate contracts and store all vendor documentation in one convenient place. Vendor Manager keeps everything organized, is simple to use and, of course, follows the latest FFIEC guidelines.

Please stop by booth 28 to learn how to improve compliance, streamline responses, and enhance collaboration… all with less effort. All bankers will also have the opportunity to enter to win a $250 Amazon gift card from Strunk. We can’t wait to see you!

Latest ODP Manager Enhancements

At Strunk, we are committed to providing best-in-class software solutions, and are constantly providing enhancements that we feel will best serve our clients. This month we are pleased to announce the addition of ODP Manager Dashboard within our industry-leading overdraft management application, ODP Manager.

ODP Manager clients will now be able to see their performance over time, as well as in comparison to our entire customer base, for five key indicators: Percent with Limit, Percent Opt In, Overdraft Fee, Consumer Overdraft Limit, and Business Overdraft Limit. The dashboard will graphically display the organization’s performance in purple as compared to the 25th, 50th and 75th percentile statistics for our entire client base. The Dashboard will also display the organization’s monthly trend for Percent with Limit and Percent Opt In.

Each quarter we will email clients a summary of their performance, along with tailored recommendations to address areas that may need attention. We believe the new ODP Dashboard will help clients more effectively monitor overdraft program key indicators and improve performance over time.

New Website Featuring GRC & ODP Software Tools

Strunk today announced the launch of a new public website at a new domain: StrunkAccess.com. The new site provides more information about Strunk’s GRC and ODP software tools in an updated design.

In addition to fee enhancement consulting, Strunk provides comprehensive, easy-to-use and affordable Governance, Risk Management and Compliance software tools that improve compliance and productivity for financial, online and healthcare services providers. These tools are:

Risk Assessor helps prepare comprehensive risk assessments in a matter of days, not weeks.

Policy Manager organizes an organization’s policies into a single database, mapped to the relevant audit standards and control procedures.

Controls Manager schedules tests of policy compliance and tracks test results.

Issues Manager is a centralized database for tracking all compliance issues and incidents across the entire organization.

Vendor Manager is a specialized tool for managing vendor risk that standardizes methodology and organizes all the documentation.

Skills Manager provides online testing and training to ensure employees are knowledgeable about organization policies.

According to Strunk CEO Dan Roderick, “Strunk has grown quite a bit over the past few years and we wanted our public-facing website to demonstrate more comprehensively our expanded services and growth into new markets. We also felt it was time to update our domain name to more accurately reflect who we are.”

Strunk’s old domain name, StrunkLP.com, will continue to work for the online application, which is being transitioned to app.strunkaccess.com.