Tag: Vendor Management

28 Dec 2010

Looking back – 2010 compliance hits & misses

Every year about this time, I’m asked to look ahead to the upcoming year and prognosticate on regulatory compliance trends. I intend to do just that in a future post, but today I wanted to do something very few other prognosticators do…look back at last year’s predictions and see which ones hit and which missed (and why).

Here was the list of 2010 trends as I saw them early last year:

  • Risk Assessments – New standards and expectations
  • Documentation – Who, What, How and Why
  • Disaster Recovery – Compliant and Recoverable
  • Vendor Management – Trust but Verify

Overall I scored 2 hits and 2 misses, although to be fair the misses are more along the lines of “not yet hits”. Here is how 2010 actually shaped up:

  • Risk Assessments – miss. This prediction was taken from the Winter 2009 FDIC Supervisory Insights Newsletter article entitled “Customer Information Risk Assessments: Moving Toward Enterprise-wide Assessments of Business Risk”. It described how examiners should start to evaluate risk on an enterprise-wide basis instead of simply focusing on information security risks. I predicted that examiners would start to adjust their examination procedures for the new criteria in 2010, but it hasn’t manifested itself in examination work papers yet. However, some of the enterprise-wide risk criteria have made their way into various risk assessment best practices. Criteria such as strategic risk, operational/transactional risk, reputation risk and legal/regulatory risk are now part of the vernacular for disaster recovery, retail payment systems and new technology risk assessments. We’ll call this a miss…for now.
  • Documentation – hit. The vast majority of audit and examination findings I’ve seen this year were not related to missing or insufficient policies or procedures; they were due to the institution’s inability to document (prove) that it was following its own procedures. Expect this trend to continue in 2011.
  • Disaster Recovery – hit. Both auditors and examiners are finding fault with DR plans that do not strictly conform to the FFIEC guidance. Specifically, plans must contain business impact analysis, risk assessment, risk management and testing sections, and in that order. Even a non-compliant plan that can demonstrate recoverability through testing will still be written up. (More here.)
  • Vendor Management – miss. With the increasing reliance of financial institutions on third-party vendors, I predicted that 2010 would be the year that the examiners started scrutinizing vendor management programs more closely. It hasn’t happened…yet. It may be because of the continued overwhelming emphasis on asset quality during the safety and soundness examination, but I’m leaving this on the list for 2011. Asset quality will undoubtedly still dominate in 2011, but there are indications that the pendulum is starting to swing back around. (More on that later.)

My next post will be my predictions for 2011.  I’m also collecting survey responses from auditors and examiners on where they think the areas of focus will be, and I’ll report that in early 2011 as well.

All the best for a Happy and Compliant New Year!!

23 Dec 2010

New FDIC Survey Results and Third-Party Providers

The new FDIC Supervisory Insights Winter 2010 newsletter addresses several issues of interest to bankers, including Trust Preferred Securities, Managing Agricultural Credit, and Senior Life Settlements. But there was also a section that analyzed the results of a survey conducted by FDIC examiners over the past year. The more than 2,100 responses are producing some interesting results, especially when correlated with other financial reports like call reports, but of particular interest to me were the findings examining how financial institutions are “responding to the recent period of economic and competitive challenges”. One of the trends identified in the survey results was how financial institutions are increasingly “…making use of third-party providers to offer new and innovative products”, and particularly, “how effectively bank safety-and-soundness and compliance risk management systems are keeping pace with these changes.”

Community financial institutions are no strangers to vendor management, particularly the importance of addressing privacy and security issues, but the article makes reference to the risk of Unfair or Deceptive Acts and Practices (UDAP). This is not a traditional risk category in and of itself, and may not be a consideration in your current vendor management program, but based on recent enforcement cases, maybe it should be. The article makes reference to FDIC guidance here, and the FFIEC provides additional guidance here and here, but none of the existing guidance specifically mentions the significant financial liabilities and increased reputation risk that can result from a lawsuit based on UDAP.

The conclusion states:

Overall, Survey results show that banks are responding to ongoing economic and competitive challenges in a variety of ways, for example, by tightening underwriting standards and making use of third-party service providers to offer new and innovative products. These operational changes can affect an individual institution’s risk profile and its ability to effectively manage the resulting consumer compliance risks. The analysis of data gathered through this Survey will continue to help the FDIC understand how effectively bank safety-and-soundness and compliance risk management systems are keeping pace with these changes.

I suggest you incorporate UDAP risk into your existing vendor management risk assessment by ensuring that it is identified as one of the potential contributors to reputation risk (along with privacy and security breaches), and that the legal risks are assessed along with standard regulatory/compliance risks.

13 Dec 2010

SAS 70 replacement…3 alternatives

I’ve written about this here, here and here, and we are still waiting on additional guidance from the AICPA, now expected March/April 2011. But of greater interest to financial institutions is the opinion of the FFIEC, which refers to the SAS 70 in the IT Examination Handbooks 30 times, and has yet to officially endorse a replacement.

Although the SSAE 16 is designated as the replacement report by the AICPA, you’ll need to become familiar with a couple of terms before determining if it will be suitable in your circumstances: ICFR and non-ICFR. ICFR stands for Internal Controls over Financial Reporting, and non-ICFR (logically) stands for controls other than those used for financial reporting.

Why is it important to understand this? Because the SSAE 16 standard specifically states that it is to be used only for ICFR, not for non-ICFR. That means for the vast majority of financial institutions’ vendor relationships, such as core vendors and IT vendors, the SSAE 16 may not be the most relevant report to request or to receive.

You’ll also need to understand SOC reports. SOC stands for Service Organization Controls, and there are 3 options: SOC 1, SOC 2 and SOC 3 (and a Type I and Type II for the first 2). Here is the best way to understand them:

  • SOC 1 – equivalent to the current SAS 70 for ICFR engagements
  • SOC 2 – attests to controls relevant to data privacy, security, confidentiality, integrity and availability
  • SOC 3 – equivalent to the current SysTrust and WebTrust reporting standards

Again, the SOC 1 and SOC 2 reports can be prepared as either a Type I (a point in time) or Type II (a period of time, typically 6 months).

Will the SOC 1 or the SOC 2 become the de facto replacement for the SAS 70? In my opinion, the SOC 2 directly addresses all the concerns a financial institution would have regarding their (and their customers’) information. But will the SOC 1 morph into something it’s not supposed to be, as the SAS 70 did? Only time will tell, so stay tuned…

16 Nov 2010

SAS 70 vs. SSAE 16 from the service provider perspective

Although it’s unclear what, if anything, the FFIEC* will say about the new standard before it is officially adopted in June of next year, one thing is certain…both vendors and financial institutions will need to become familiar with the differences in the interim. And one of the most significant differences between the two reporting standards from the service provider’s perspective is the wider scope of the new standard. While the SAS 70 auditing standard only called for a description of “controls”, the SSAE 16 standard requires a description of the service provider’s “system”. A “system” is defined as the services provided, along with the supporting processes, policies, procedures, personnel and operational activities that constitute the service organization’s core activities that are relevant to user entities...including third-party providers. A SAS 70 report, on the other hand, does not extend to third-party providers, and might in fact contain language similar to “our examination did not extend to controls of the third-party service organizations…”

The implication of this expansion from “controls” to “system” is more than conceptual. On the plus side for the financial institution, a more expansive report allows for a more accurate representation of the actual risk, resulting in a more thorough risk assessment. The primary advantage for the service provider is that they won’t be required to re-issue a report if they add products or services, only if there are material changes in the supporting infrastructure. This makes sense, because the adequacy and effectiveness of controls depends more on the environment in which the controls operate, and less on the specific services the environment supports or provides.

The new standard definitely places a bigger burden on the service provider, but the financial institution is still required to carefully and critically evaluate whether the new report adequately supports their oversight responsibilities.

*The term “SAS 70” is used 30 times, and in 8 of the 12 FFIEC Examination Handbooks.

08 Oct 2010

The FFIEC Handbooks and the SAS 70

I’ve written about the 6/15/2011 phase-out of the SAS 70 report in favor of the SSAE 16 series (SOC 1, SOC 2, SOC 3) here and here. The AICPA isn’t expected to update their audit guide until sometime early next year, but financial institutions are anxious to get the FFIEC to comment, as the SAS 70 is mentioned no fewer than 31 times, and in a total of 8 of the 12 IT Examination Handbooks. It’s mentioned 10 times in the Information Security Handbook alone!

I predict that the FFIEC will remove all references to the SAS 70, or to any specific report for that matter, and replace them with generic references to “audit reviews” or “audit reports”.  It will then fall to the financial institution to determine the most appropriate report for each service provider, based on their risk assessment.  However, the service provider will deliver whatever report they decided to prepare, which may or may not match the report requested.

07 Oct 2010

The 5 trickiest FDIC IT examination questions (part 5).

In my last post, I asked you to weigh in on which question you wanted me to address in this final post of the series. This one came from a bank that was in the process of actually filling out the questionnaire, and it’s a good one. It’s found in the Vendor Management section:

“Has the bank identified and reported its service provider relationships (both domestic and foreign-based) to the FDIC (Y/N)?”

At first glance, you may be tempted to interpret this as asking “Has the bank identified and reported its MAJOR or CRITICAL service provider relationships…?”, but the question does not seem to limit your reporting requirement to a particular class or size of service provider. So are you really obligated to report ALL vendor relationships, from your core provider to your cleaning crew? Taken at face value it would certainly seem so.

To figure out exactly what is required you have to look at the 2 references listed under the question:

  • “Notification of Performance of Bank Services”, FDIC Rules and Regulations 304.3, and
  • 12 USC 1867, Section 7(c)(2) of the Bank Service Company Act (BSCA)

In researching this, it appeared at first that it only applied to banks that owned more than 1% of a bank service provider. But upon further review (sorry, it’s football season), Section 7(c)(2) of the Bank Service Company Act states that any FDIC-supervised institution that has services performed by a third party “shall notify such agency of the existence of the service relationship within 30 days after the making of such service contract or the performance of the service, whichever occurs first.” So again, this looks like ALL vendor relationships need to be reported.

However, in a recent interview at bankinfosecurity.com with Donald Saxinger (senior examination specialist with the FDIC), this exact issue was addressed in the context of reporting social media vendors. Simply put, his response was that a vendor needs to be reported to the regulators only if it provides “banking functions”. Banking functions are defined in Section 3 of the Bank Service Company Act as:

  • check and deposit sorting and posting,
  • computation and posting of interest and other credits and charges,
  • preparation and mailing of checks, statements, notices, and similar items, and
  • any other clerical, bookkeeping, accounting, statistical, or similar functions performed for a depository institution

Using this list as a reference, only core vendors, item processors and outsourced accounting firms fall into these categories. (Whether or not IT vendors fall into this category will be addressed in a future post. Mr. Saxinger makes the point that IT vendors are one of the dependency layers that support the business process, and as such MAY fall into one of the categories above, depending on the outcome of your risk assessment.) To be safe, since there is no penalty for over-reporting, it’s best to report all vendor relationships that even come close to fitting the definition of a bank service company.

So the correct answer is “Yes, we report all of our service provider relationships that provide banking functions to us, as well as any vendors providing a critical dependency to those service providers, as determined by our risk assessment.” Of course, make sure that you do report them. The FDIC form is here; other regulators may have their own reporting mechanism.