CFPB Readiness Series: Making Risk Assessment Work For You · prepare for a CFPB examination....
CFPB Readiness Series: Making Risk Assessment Work For You
Who is KirkpatrickPrice?
KirkpatrickPrice is a licensed CPA firm, providing assurance services to over 250 clients in more than 40 states, Canada, Asia and Europe. The firm has over 10 years of experience in information assurance by performing assessments, audits, and tests that strengthen information security, and compliance controls.
Welcome
Todd Stephenson is an Information Security Specialist helping collection agencies and law firms prepare for a CFPB examination.
– Certified Information Systems Auditor (CISA)
– Information Security Specialist
– Over four years working with the ARM industry
What is Risk Assessment?
• A systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking.
• It involves evaluating:
– Operational risks
– Compliance risks
– Reputational risks
Why Care About Risk Assessment?
• The CFPB is mandated
• Why should you care?
– To maintain revenue and business operations – Operational Risk
– Ensure future growth and opportunities – Reputational Risk
– Avoid costly lawsuits and fines – Compliance Risk
Risk Assessment is Interconnected
A Look at Vendor Risk
• “The Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management …A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”
OCC: Third-Party Relationships: Risk Management Guidance (OCC 2013-29)
A Look at Vendor Risk
• “The institution’s officials are expected to have a clearly defined system of risk management controls built into the management system that governs the institution’s compliance operations, including controls over activities conducted by affiliates and third-party vendors.”
FDIC Compliance Manual — January 2014
Making it Work for You
• Confidence – I know where my risks are and I’ve addressed them. I sleep better at night.
• Clear Direction – I know what we need to be doing and what we don’t need to be doing.
– Ex: Internal Audit
• Cost savings – Ex: My vendor has a SOC 2 or PCI RoC and CFPB
Welcome
Jessie Skibbe is a former Chief Compliance Officer with 10 years of ARM industry experience. As Director of Compliance Services for KirkpatrickPrice, she is focused on assisting clients in meeting regulatory compliance & information security objectives.
– ACA Certified Credit & Collections Compliance Officer (CCCO)
– ISC2 Certified Information Systems Security Professional (CISSP)
– DBA Certified Receivables Compliance Professional (CRCP)
– PCI SSC Qualified Security Assessor (QSA)
Common Uses for Risk Assessment
• Business Continuity Planning
– Disaster Preparation
– Identifying Critical Business Components
• Information Security Compliance
– PCI DSS
– ISO 27001
– SSAE 16
– HIPAA
Compliance Risk Assessment
• Where do I begin?
– Begin by having a clear understanding of what federal, state and local laws are applicable to you.
• State Law Resources:
– http://www.acainternational.org/state-collection-laws-and-practices.aspx
– http://www.nationallist.com/white_papers
– Stay up to date
• Review consent orders and recent litigation.
Compliance Risk Assessment
• What’s Next?
– Determine the most likely way a violation of these laws will occur.
• Consumer telephone calls
• Letters
• Non-compliant vendors
Compliance Risk Assessment
• Begin the process
– Policies and Procedures
• Risk Assessment Policy
• Risk Assessment Procedure
• Risk Assessment Template
– Document, Document, Document
• Remediation action needed
• Changes as a result of the risk assessment
Compliance Risk Assessment
• Next Steps
– Perform Third-Party Risk Assessments
– Internal Audit Procedures
– Internal Monitoring Procedures
– Third-Party Audit Procedures
– Third-Party Monitoring Procedures
• Risk levels should determine what to monitor and how often
Third-Party Risk Assessment
Thank you for attending
Q & A
For further information contact:
Todd Stephenson
800.977.3154 Ext. 202
Jessie Skibbe
800.977.3154 Ext. 103
Coming up Next
CFPB Readiness Series: Developing Your Vendor Audit Framework and Questionnaire
When: May 29, 2014 at 2:30pm EST