You Can Outsource, But You Cannot Hide

Companies may outsource an activity, but cannot outsource accountability.

In today’s economic environment, almost every aspect of a company’s operations can be outsourced efficiently. As a result companies interact with vendors on a daily basis, opening themself up to additional risk. Vendor Risk is a type of Operational Risk associated with the potential risk that may occur from relying upon outside parties to perform services or activities on an organization’s behalf. When a company outsources a need to a vendor, it is still the responsibility of the company to ensure that the vendor operates in compliance with established policies, procedures and regulator expectations.

For financial institutions in particular, this has been a clear message from all banking regulatory agencies to their members. Regulatory agencies have identified instances in which financial service institutions have:

  • Failed to properly assess and understand the risks and the direct and indirect costs involved in vendor relationships.
  • Failed to perform adequate due diligence and ongoing monitoring of vendor relationships.
  • Entered into contracts without assessing the adequacy of a vendor’s risk management practices.
  • Entered into contracts that incentivize a vendor to take risks that are detrimental to the financial institution or its customers, in order to maximize the vendor’s revenues.
  • Engaged in informal vendor relationship without contracts in place.

All companies, and especially financial services institutions, must establish an effective vendor management program to protect their business, clients and employees. Having an effective vendor management program enables institutions to control costs, drive service excellence, mitigate risks, and gain increased value over the life cycle of the vendor relationships. Selection, contract structuring and ongoing monitoring of third party service providers are the consistent theme from the regulatory agencies and other risk experts.

Technology Service Provider Contracts

Understanding the increasing dependence that financial institutions have on technology service providers, bank regulators have ramped up their efforts to require banks to appropriately handle third-party risk management. The Federal Deposit Insurance Corporation (FDIC) has identified gaps noted by some examiners regarding several technology service provider contracts that were inadequate under existing guidance. These contracts were missing or inadequately addressed key provisions, such as:

  • Requiring the service provider to maintain a business continuity plan,
  • Lacking standards for data recovery along with appropriate remedies when a recovery standard is missed.
  • Defining key terms in the contracts relevant to business continuity and/or incident response.

Contracts lacking these provisions violate the Interagency Guidelines Establishing Information Security Standards, as promulgated under the Gramm-Leach-Bliley Act.

Vendors that provide technology-related services can create special risks for depository institutions that must be properly addressed in their service contracts. The FDIC indicated that it plans to hold boards and senior management of financial institutions accountable for controlling those risks, in accordance with the requirements of the law and its existing regulatory guidance.

Financial Institutions should be willing to hold their service providers accountable and negotiate an appropriate contract. All financial institutions should have provisions that they review for all of their contracts, along with a robust vendor management program that will help uncover any weakness in business continuity and data recovery early in the process.

Strunk at WBA’s Education Summit & Regulatory Compliance Conference

Strunk is excited to be exhibiting once again at the Western Bankers Association’s Education Summit & Regulatory Compliance Conference next week, August 25th-28th. This year hosted at the Hyatt Regency Huntington Beach, the event always proves to have many learning opportunities for bankers to gain insight into the most current information facing our industry.

In addition to visiting with many current clients, we look forward to showing attendees the latest features offered by our Governance, Risk Management and Compliance (GRC) software. The solution now includes six GRC tools – Risk Assessor, Policy Manager, Controls Manager, Skills Manager, Issues Manager and the all new Vendor Manager.

Vendor Manager provides an easy to follow standardized process to assess risk, gather due diligence materials, evaluate contracts and stores all vendor documentation in one convenient place. Vendor Manager keeps everything organized, is simple to use and of course follows the latest FFIEC guidelines.

Please stop by booth 28 to learn how to improve compliance, streamline responses, and enhance collaboration… all with less effort. All bankers will also have the opportunity to enter to win a $250 Amazon gift card from Strunk. We can’t wait to see you!

The Four Compliance Commandments

We’ve spent a lot of time working on and thinking about Governance, Risk Management and Compliance. Whole books have been written on this subject and there are graduate-level university courses on it as well. But in the practical world, for most businesses we think the whole GRC universe can be boiled down to four basic principles that we call the Four Compliance Commandments:

1) Know Your Risks
2) Ensure Your Policies Mitigate Key Risks
3) Trust, But Verify
4) Prove It

Every CEO and Board worries about this stuff … or should, so let’s break the commandments down:

Compliance Commandment I : Know Your Risks

Every organization must understand the risks it faces if it wants to survive. Organizations tend to get in trouble when they mis-perceive the risks they are up against. Many organizations falter because they under-estimate a risk, but over-estimating a risk can be just as bad, causing an organization to miss a key opportunity.

Over the years, society has created rules designed to limit organizations from taking risks unnecessarily or unknowingly. Often these rules come from the government, but there are other rules, like the SOC2 framework, that come from other sources, like accountants or professional associations. Good examples of these include:

  • Banks or credit unions must comply with regulatory requirements
  • Service providers must comply with external frameworks like SOC2
  • Health care providers need to show compliance with HIPAA requirements

Essentially these frameworks are checklists of risks to consider. These lists can run to a hundred or more items. Reviewing each item and assessing trends can be quite time consuming.

At Strunk we have extensively automated these checklists, making them easier to assess, easier to delegate and easier to summarize.

Compliance Commandment II : Ensure Your Policies Mitigate Key Risks

To keep your organization healthy everyone needs to understand what risks to avoid, what risks to take and under what circumstances. This is where policies come in. Policies communicate what is appropriate risk-taking behavior to your organization.

Strunk recommends organizations evaluate their policies versus the risks. Do you have policies in place that adequately address your key risks? If not, you might want to update your policies. Conversely, do you have policies that don’t really map to any of your key risks? If the answer is yes, then consider simplifying or eliminating that policy.

Strunk provides an automated tool for mapping your policies against your risks. At a glance you can then see which risks are not covered by any policies and which policies are not covering any risk. Strunk Policy Manager organizes all your policies into a relational database, with extensive version tracking, granular ownership assignment, and PDF reports for board or external use.

Compliance Commandment III : Trust, But Verify

Policies are pointless unless the organization follows them. Human nature being what it is, there is a natural tendency for people to cut corners. Too many times organizations let months or even years go by assuming that a policy is still being followed when, due to turnover or distractions or work pressure, that is no longer the case. To maintain policy effectiveness you must test periodically. You can only expect what you inspect.

Our Controls Manager automates the verification process. You create a set of control procedures for testing compliance with your policies, establish a testing schedule for these controls and assign responsibility. The system automatically schedules the testing, creates a calendar showing the month’s tests at a glance, generates alerts on upcoming or overdue tests and provides a dashboard summarizing testing status, including highlighting tests that are overdue or have failed.

You can map your controls to your policies. One control can cover more than one policy and one policy may be covered by more than one control. You can then use the maps to identify policies which need controls or controls which are no longer covering a policy and perhaps should be discontinued.

Compliance Commandment IV : Prove It

Unfortunately it is just not enough to adhere to commandments I through III. You must also be able to prove your adherence, which means abiding by what we call “the law of physical evidence”: a thing isn’t done until you can provide physical evidence that it occurred. You can’t just say you did it; your board, regulators, auditors and customers are going to want proof that you did it.

Many organizations approach this process somewhat haphazardly. They do some kind of paper-based risk assessment, write some policies, set up some checklists, fill out some forms, put some basic tracking in place … easy. The result is a patchwork of Word documents and PDFs and spreadsheets. Then they start emailing them around, and storing different versions on different computers and pretty soon you have a mess: multiple versions, unclear responsibilities, status hard to track. Managing risks, policies and controls is not rocket science by any means, but it really helps to stay organized.

We believe the best way to stay organized is to get out of spreadsheet land and move everything into a modern relational database. A relational database helps connect all the dots so you can keep track of the status of different policies and policy versions, know who is responsible for each compliance activity, log changes, produce consistent reports, provide a single source of truth, with fine-grained control over access and edit rights.

With a system like Strunk Access, when your auditors show up for their exam, you have at your fingertips your latest risk assessment, your compliance map showing how your policies map to your risks and your controls map to your policies, your log of all the changes to your policies over the past year, and a complete record of all your control testing. The result: fewer surprises, your auditors can get their work done more quickly, and your staff spends less time responding to auditor requests.

Strunk at COCC Foxwoods

We were happy to see so many friends and clients at the COCC Annual Client Conference earlier this month. We were definitely on friendly ground, as we have now implemented our solutions for well over half the COCC base. This event set a new attendance record for COCC. Thank you to everyone who dropped in to see us and congrats to Maria Sgambati at Everett Co-operative Bank who was the winner of our $250 Amazon gift card.

At the conference we were able to show off some of the latest improvements in our Governance, Risk Management and Compliance (GRC) software. We have upgraded Risk Assessor to version 2. It now includes automated feeds of peer data from the FDIC, consolidated risk and trend scoring, and an inline scoring history so you can see at the indicator level your scores on prior assessments. Policy Manager now includes more fine-grained reader logging and alerts.

We also were able to demo our new Vendor Manager tool for managing vendor risk. Vendor Manager provides an easy to follow standardized process to assess risk, gather due diligence materials, evaluate contracts and store all vendor documentation in one convenient place. Vendor Manager keeps everything organized, is simple to use and of course follows the latest FFIEC guidelines.

Law Firms Seeking Plaintiffs to Sue Credit Unions

Law firms have started using social media and web advertising to recruit class action plaintiffs to sue credit unions regarding their overdraft practices and disclosures. Demand letters or complaints filed may make several allegations, including:

  • Violations of EFTA and Reg. E, even where the credit union uses the Model A-9 form.
  • Breach of contract due to unclear or ambiguous terminology in account agreements, such as lack of clarity as to how the credit union will determine that there are insufficient funds in the account.
  • Violations of state consumer laws, such as California’s Unfair Competition Law, New York’s statute addressing deceptive acts and practices, or New Jersey’s Consumer Fraud Act.

Strunk agrees with the risk mitigation recommendations from the CUNA: Credit unions should review their processes for handling reinitiated/resubmitted incoming electronic debits to member accounts that the credit union previously returned unpaid due to insufficient or uncollected funds resulting in an NSF fee. If your credit union charges another NSF fee for reinitiated/resubmitted items that are returned unpaid again, review your account agreement to ensure it discloses that NSF fees may be imposed on the same transaction.

If your credit union assesses overdraft fees based on available balance rather than actual balance/ledger balance, review your account agreement to ensure it contains a description of how certain transactions, such as debit card pre-authorization holds and check holds, impact the available balance, including examples of each. For debit card pre-authorization holds, ensure the account agreement discloses how subsequent debits to the account impact the available balance and that an overdraft fee could be assessed when the debit card transaction posts to the account taking it negative.

It has always been Strunk’s recommendation to precisely disclose the method used to calculate available balance in your account agreement. Because Strunk ODP documents refer to the use of Available Balance, which should be properly disclosed in the member account agreement, there are currently no recommended changes to Strunk’s ODP documentation. We will provide additional information if there are any upcoming changes to our disclosure documentation.

An independent certified public accountant has examined Strunk’s operations and found them to be in compliance with the AICPA’s Trust Service Principles. It was determined that Strunk meets the Security, Availability, Processing Integrity, Confidentiality, and Privacy criteria for SOC 2 established by the AICPA.