© 2015 FIS All rights reserved. Proprietary and Confidential.
DAMA MN December 16, 2015
Vendor Risk Management: Best Practices for Consumer Protection and Regulatory Compliance Assurance
YOUR SPEAKER
Rebecca Frederick CRCM CIPP/US, CIPP/C
Compliance Officer, ChexSystems, FIS Global
IMPORTANT NOTE
This presentation is provided for informational purposes only with the understanding that neither the presenter nor FIS nor ChexSystems® is rendering legal advice and that this presentation is not to be used as a substitute for legal counsel.
POLLING QUESTIONS
Know Your Customer – Know Your Audience
1. Has your organization changed its approach to third party risk management due to recent events and guidance?
2. How many of your organizations are service providers to regulated financial institutions?
3. What’s your vertical?
THE NEW NORMAL ROADMAP
BUILDING YOUR PROGRAM ROADMAP
START
1. Initiate Scoping to address Non-IT Risks
2. Conduct Inventory and Assessment
3. Define Triage Process to cascade requirements
4. Identify Compliance Management System Needs
5. Understand Consumer Protection Landscape
6. Revamp Vendor Classification and Criteria
7. Address Marketing Oversight Obligations
8. Incorporate Social Media and Campaign Compliance
9. Build Vendor Profiles for oversight functions
10. Enhance Corporate Governance and Risk Culture
11. Enable Contract Lifecycle Modernization
12. Build External Assurance Maturity
STOP
Leverage existing Risk Assessments throughout.
1.0 BUILDING YOUR ROADMAP FOR NON-IT THIRD PARTY RISK
The New Normal for Third Party Risk: Consumer Protection, Regulatory Compliance, Operational Risk & Governance
KNOW BEFORE YOU GO
Hot Topics in the Current Regulatory Landscape
CFPB
• Overdraft Practices
• Payday Loans
• Prepaid Products
• Mortgage Lending
• Credit Card Account Management
• Supervisory Highlights
• Legal Violations
FFIEC/OCC/FDIC/NCUA
• Sound Risk Management Processes
• FFIEC Business Continuity Booklet
• OCC Risk Assessment System – 8 Types of Risk
• OCC Model Validation
• OCC Overdraft – Feb. and March Releases
• Cyber Threats
• Information Technology Vulnerabilities
• Interagency Effort to Reduce Regulatory Burden
FTC
• Debt Collectors
• Alternative Scoring Products
• Big Data
• Auto Loans
LET’S SET THE CONTEXT: 2 VIEWPOINTS
Client or Customer
• What are my obligations?
• What are my requirements?
• Regulatory expectations?
• Which third parties?
• Who evaluates?
Regulatory Scope
• Consumer Protection
• Regulatory Compliance
• Operational Risk
Service Provider
• Which obligations?
• Which requirements?
• Whose expectations?
• How to assess?
• How to respond?
MARKET CHALLENGES
ALPHABET SOUP FOR 3RD PARTY OVERSIGHT
Third Party Risk: EFTA (4), FDIC (8), OCC (10), NCUA (4), CFPB (10), FTC (7), BSA (6), TSR and TCPA (9), PATRIOT ACT (8), HITECH (10), FCC (7), SEC (6), PCI (10), SOX (10), FFIEC (10), STATE LAWS (5), HIPAA (10), GLBA (10), FACTA (8), FCPA (2), EU (1), NACHA (5), OSHA (1), STATE AGs (1)
OCC MYTHS AND REALITIES – THEMES
• Broadened definition of “third party relationship”
• Identifies “critical activities”
• Increased Board Involvement for critical functions
• Heightened expectations for Risk Management functions
• Expanded topic areas for contract stipulations with 3rd parties
• Enhanced on-going monitoring of “critical suppliers”
• Expects due diligence to be conducted on critical fourth parties as necessary
• Expands oversight topic areas (regulatory compliance)
• Independent Reviews of TPSP functions
OCC MYTHS AND REALITIES – MISINFORMATION
• Does NOT mandate site visits to all subcontractors
• Does increase need for right to audit contract provisions
• Does NOT apply to ALL service providers
• Does require Senior Management to obtain board approval for new critical suppliers
• Does expand notification/consent for 4th party relationships
• Does NOT mandate no offshore service providers
SCOPING YOUR 3RD PARTY OVERSIGHT PROGRAM
Address Non-IT Risks – Know Your Obligations
• Fair Lending
• Complaint Management
• Credit Card Account Management
• UDAAP
• Consumer Protection
• Debt Collections
• FCRA
What Non-IT regulations affect your organization that may require changes to your third party oversight program?
CONDUCT AN INVENTORY AND ASSESSMENT: DEFINING YOUR RISK APPROACH
The New 3rd Party Risk Funnel – create your Third Party Compliance Regulatory Inventory Impact Matrix:
Step #1 Regulations: identify key regulations that you address in your compliance management program
Step #2 Your Obligations: identify key attributes or obligations you need to vet or confirm for your compliance
Step #3 Map to Your 3rd Parties: identify 3rd parties by NAME and the FUNCTION they perform
CONDUCT AN INVENTORY AND ASSESSMENT
Third Party Service Provider Oversight for Non-IT functions is based on a common understanding of regulatory obligations and compliance considerations.
Regulatory Focus Area | Compliance Considerations
Gramm-Leach-Bliley Act or Regulation P | Data Collection and Use – Who are your GLBA vendors?
CAN-SPAM and Telephone Consumer Protection Act (TCPA) | Marketing Compliance – Who are your Marketing Vendors? Call center outsourcing?
Digital Marketing | Internet and Advertising Compliance – How do you use the web to market to customers?
Fair Credit Reporting Act | Credit Products – Who supports you? Restrictions and requirements for making solicitations using eligibility information, responding to direct disputes
DEVELOP A TRIAGE PROCESS TO CASCADE REQUIREMENTS TO YOUR THIRD PARTY
Develop criteria for prioritization of Third Party Oversight based on risk:
• Compliance Risk
• Brand Risk
• Customer Risk
• Enforcement Action
• Complexity
Privacy Risk Considerations – rate each area High Risk / Medium Risk / Low Risk:
• Gramm-Leach-Bliley Act or Regulation P
• CAN-SPAM and Telephone Consumer Protection Act (TCPA)
• Digital Marketing
• Fair Credit Reporting Act
REVIEW YOUR ANNUAL RISK ASSESSMENTS
Integrate Third Party Risk into applicable Risk Assessments and Compliance Programs:
• CFPB’s Consumer Risk Assessment
• Emerging Risks
• Cyber Threats
• The eight OCC risk types: Credit, Interest Rate, Liquidity, Price, Operational, Compliance, Strategic, Reputation
IDENTIFY COMPLIANCE MANAGEMENT SYSTEM NEEDS AND REQUIREMENTS
RIMS Risk Maturity Model (RMM) for ERM
Evaluate the effectiveness and adequacy of your organization’s risk management program and determine where and how the program can improve.
The RIMS RMM is an umbrella framework that covers ISO 31000, OCEG Red Book, BS 31100, COSO, FERMA and Solvency II standards.
Take the free assessment at www.rims.org
Integrate third party risk into applicable risk assessments.
LEVERAGE A SIPOC APPROACH
SIPOC: Suppliers, Inputs, Processes, Outputs, Customers
Key Regulations | High Risk Vendors | Functions Performed | How do you audit? | Vendor Artifacts?
Regulation A, Regulation B, Regulation C | Vendor A, Vendor B, Vendor C | Function 1, Function 2, Function 3 | Requirement 1, Requirement 2, Requirement 3 | Requirement 1, Requirement 2, Requirement 3
2.0 PRODUCTS & SERVICES COMPLIANCE JOURNEY
ASSESS CONSUMER PROTECTION LANDSCAPE
Consumer Protection sources and drivers:
• UDAAP
• FTC Act Section 5
• Dodd-Frank Act
• State Laws
• State Attorneys General
• Class Actions
• Call Center Governance
• FCRA Compliance
• CFPB
You can be compliant with applicable laws and still be cited for UDAAP violations.
THE COMPLIANCE STOP SIGNS: REVIEWING THE RECENT ENFORCEMENT ACTIONS
• CFPB: Deceptive mortgage advertising and kickbacks
• CFPB: Refund $2.7 million to 98,000 consumers charged illegal credit card fees
• CFPB: Unfair debt collection tactics and credit reporting practices
• OCC: Identity protection products, including credit monitoring and credit report retrieval
• OCC: Foreign exchange business where OCC identified certain deficiencies and unsafe or unsound practices
CONSUMER PROTECTION
You can be compliant but still have a Legal Violation. Would you sell this product to your grandmother?
Compliance Considerations
• Develop and implement a Consumer Protection policy and implement initial and ongoing training
• Develop internal monitoring and auditing processes to evaluate potential consumer protection issues and analyze consumer complaints
• Review all advertising and promotional materials before publication, including the website
• Review customer service scripts and call recordings
UDAAP FUNDAMENTALS
Key Definition: Unfair Practice
An act or practice is considered unfair when all of the following are true:
• It causes or is likely to cause substantial injury, usually monetary, to consumers
• It cannot be reasonably avoided by consumers
• The injury is not outweighed by benefits to consumers or competition
Remember: Legal Violations
UDAAP FUNDAMENTALS
Key Definition: Deceptive Practice
A representation, omission, act or practice is deceptive when all of the following are true:
• It misleads or is likely to mislead the consumer
• The consumer’s interpretation is reasonable under the circumstances
• The misleading representation, omission, or practice is material
Remember: Legal Violations
UDAAP FUNDAMENTALS
Key Definition: Abusive Practice
Abusive conduct is prohibited. An act or practice is considered abusive if:
• The consumer is not able to understand a term or condition of a financial product or service because of the actions of the provider; and
• It takes unreasonable advantage of the consumer
Remember: Legal Violations
UDAAP FUNDAMENTALS
Compliance Considerations for Third Party Oversight
• Does the third party have initial and ongoing UDAAP training?
• Does the third party have a UDAAP policy?
• Does the third party conduct internal monitoring and auditing processes to evaluate potential UDAAP issues?
• Does the third party have compensation or incentive programs that could create UDAAP risks?
• Does the third party have governance mechanisms for customer service scripts and call recordings?
• Does the third party have processes to monitor, track and analyze consumer complaints?
FEEDBACK AND COMPLAINTS
Monitoring Systems and Response – Third Parties, Clients, Customers, and Service Providers
• Complaint escalation process
• Incident management and notification
• Policy for disparaging remarks
• Dispute resolution process
BIG DATA AND DATA PRIVACY
Data Collection and Data Use
Data is expanding so quickly it is compared to creating a new Google every 4 days.
• Privacy Bill of Rights
• Mobile Payments
• Cloud Service Providers
• SaaS
• Data brokers
Did You Know? 87% of the US population can be identified by 3 simple data elements: Gender, Date of Birth, Zip Code.
MODEL GOVERNANCE OVERSIGHT
Embed Third Party oversight in your Model Governance Compliance Program.
Model Risk Management
• Model Development
• Model Implementation and Use
• Model Validation
• Disparate Impact
Third Party Oversight
• Third Party Contracts and Agreements
• Governance, Policies and Controls
• Third Party Monitoring and Audit Program
REVAMPING VENDOR CLASSIFICATION
Build Vendor Profiles by Function:
• Who gives you data?
• Who markets to customers?
• Who provides services to an account?
• Who creates offers or rewards?
• Who provides call center services?
• Who provides online content or advertising?
Step #1: Re-Think Vendor Risk Point of View By Function
Step #2: Re-Think Vendor Risk Point of View By Criticality
Step #3: Re-Think Vendor Risk Point of View By Requirements
CREATING A RISK BASED APPROACH FOR PRODUCTS AND SERVICES OVERSIGHT
Create a Risk-Based Approach to identify the frequency and level of oversight to “flow down” to your Third Party based on the PRODUCT or SERVICE. Identify what to do BY CONTRACT and BY MONITORING.
Privacy | Define Your Requirements
Gramm-Leach-Bliley Act or Regulation P | Annual Obligations
CAN-SPAM and Telephone Consumer Protection Act (TCPA) | Monitoring and Due Diligence
Digital Marketing | Complaint Management
Fair Credit Reporting Act | Audit and Compliance Review; Data Accuracy and Integrity
TELEMARKETING VENDOR OVERSIGHT
Best Practices Checklist for Call Centers and Telemarketing
Understand and define which call center compliance obligations leverage or utilize Third Party Service Providers. Map to your policies. Identify requirements.
Telemarketing Focus Area | Third Party Oversight Considerations
Call Recording and Monitoring | Audit and oversight options
Complaint Management | Monitor volume and categorization
Incentive Programs | Assess for potential UDAAP risks
Call Script Reviews | Level of oversight
Employee Training | Topics, frequency
DIGITAL MARKETING VENDOR OVERSIGHT
Best Practices Checklist
Digital Marketing Focus Area | Third Party Oversight Considerations
Online Behavioral Advertising | Subscriber to ad networks – industry guidelines – onward transfer to 3rd parties
Cookies | Who collects? Type? Usage?
Contests and Sweepstakes | Oversight for structure of the offer – Disclosures? Notice?
Marketing Campaigns | Opt out? Consent options? Just in time
Social Media | Monitoring and usage – compliance integration – Digital Best Practices
SOCIAL MEDIA COMPLIANCE
A Complicated Landscape
SOCIAL MEDIA COMPLIANCE RISKS
Data Leakage
• Personal Information
• Intellectual property
• Credit Card, SSN
• Client Records
Incoming Threats
• Malware, Spyware
• Viruses, Trojans
• Inappropriate Content
Compliance and eDiscovery
• SEC, FINRA
• HIPAA, FISMA
• SOX, PCI
• FRCP – eDiscovery
• FERC, NERC
User Behavior
• Employee Productivity
• Bandwidth Explosion
• Face of the business
SOCIAL MEDIA COMPLIANCE AND LEGAL RISKS
EMERGING MEDIUM = EMERGING RISKS
• Enforcement actions and/or civil lawsuits
• Violations or non-conformance with internal policies and procedures
• Different obligations based on type of financial institution or function
• Violations or non-conformance with laws, rules and regulations
• Defamation or libel risks
REWARDS PROGRAMS SCRUTINY
Best Practices – Frequent Buyers and Flyers
• Create a standard list of Rewards Triggers
• Identify disclosure requirements associated with the triggers – Reg DD – Truth in Savings
• Identify special 1099 Tax Reporting – 1099-INT and 1099-MISC
• Implement COPPA controls to ensure the program is utilized by adults and not by minors
• Access to account holder data is on a need-to-know basis per GLBA
• Controls must be in place to mitigate internal fraud relating to CARD Act and SOX requirements due to the offer of retail gift cards
• PCI controls if the offer allows payments via credit cards
• Direct Marketing Association (DMA) Guidelines to Ethical Marketing
• CAN-SPAM Opt In Requirements for Promotional Emails
CONTESTS/SWEEPSTAKES/CAMPAIGNS
• Eligibility by Age
• State Registration and Bonding
• Use of Entries
• Advertising
• Contests of Skill
• Prize Value and IRS
• Disputes
• Liability
• Terms and Conditions
• Use of the term “sweepstakes”
• No purchase option
• Chance of winning
• Prizes and Premiums
• Disclosure of Rules
• Alphabet soup Compliance
• Interest Considerations and Limitations
• Disclosure Rules
CREATING YOUR VENDOR PROFILES
Vendor Profile by Function | Due Diligence Categories | Contract Oversight | Ongoing Monitoring | Termination
Vendor profiles by function (rows), each assessed across Due Diligence Categories, Contract Oversight, Ongoing Monitoring and Termination (columns):
• Data Centric Service Providers
• Marketing Service Providers
• Digital/Web Service Providers
• Customer Contact and Consumer Protection Service Providers
3.0 OPERATIONAL RISK & REGULATORY COMPLIANCE
REGULATORY, REPUTATION & OPERATIONAL RISK FOCUS AREAS
Enhance Corporate Governance + Risk Culture
• Regulatory Compliance
• Fraud Prevention
• Brand and Reputation
• Business Continuity
• Operational Risk
• Corporate Responsibility
REGULATORY COMPLIANCE OVERSIGHT
Best Practices
• Strong Compliance Management System (CMS)
• Clear Reporting Structure for Compliance Officer
• Board of Directors Role
• Compliance Committee Role
• Data Governance Role
• Vendor Management Program
• Vendor Performance Monitoring
PROFESSIONAL ETHICS, FRAUD PREVENTION AND BUSINESS PRACTICES
DMA Guidelines for Ethical Business Practices (Direct Marketing Association – thedma.org)
• Terms of the offer
• Marketing to children
• Special offers and claims
• Sweepstakes
• Fulfillment
• Collection, Use, and Maintenance of Marketing Data
• Digital Marketing
• Telephone marketing to landlines and wireless devices
• Mobile marketing
• Fundraising
RISK MANAGEMENT CULTURE
Three Tenets of Successful Risk Management
Risk Management Framework and System
• Identifying emerging risks and improvement opportunities
• Risk appetite and thresholds/choice architecture
• Delegated authority and limits
• Policy statements
Culture and Behavior
• Three lines of defense – embedding risk management
• Understanding risk culture
• Tone at the top and tone at the middle
• Compensation linked to risk outcomes
Risk Governance
• Leveraging assurance processes
• Composition/responsibilities of board committees with respect to risk oversight
• Board reporting to facilitate change
• Defining effective risk oversight objectives
Source: KPMG: Enhancing Business Performance through Governance, Risk, and Compliance
CORPORATE GOVERNANCE
Best Practices
• Board of Directors
• Minutes and Board Packet
• Formalize Selection Criteria
• Compliance Training for Board of Directors
• Audit and Risk Committees
Reference: Catherine Allen, Chairman and CEO, The Santa Fe Group – https://sharedassessments.org/2015/02/boards-role-managing-third-party-relationships/
MERGER AND ACQUISITION IMPLICATIONS
Two Way Scenarios
If your organization is bought or acquires another company
If your service provider is bought or acquires another company
MERGER AND ACQUISITION IMPLICATIONS
Expanding Due Diligence obligations
Map differences in compliance management systems
Vendor consolidation to minimize costs of oversight and due diligence monitoring
Costs of compliance for dual products and services
Preference management reconciliation
Inheritance of Consumer Protection issues
Enhance complaint monitoring during transition
Limitations on grandfathered products or service
Build out a Third Party Oversight 1-3 year plan
RISK PRIORITIZATION ACTIVITY
Update your Board of Directors & Management Oversight Approach
Governance Perspectives
• What do you need to change?
• How will you measure success?
• What resources do you need?
• What approvals are needed?
• Risk Assessments
• Compliance Programs
• Governance Process
• Management Reporting
4.0 BEST PRACTICES FOR MAINTAINING AND ADAPTING YOUR PROGRAM
EFFECTIVE CONTRACT LIFECYCLE MANAGEMENT AND CONTRACT MODERNIZATION
Understand Your Needs – key considerations in developing effective vendor contracts:
• Prioritize – rank your contract requirements and develop alternatives when possible
• Risk-rank vendors to understand the contract provisions required for different types of vendor services
• Establish stakeholders and define roles
• Define business requirements
• Define technical requirements
• Define vendor requirements
• Vendor outsourcing
EFFECTIVE CONTRACT LIFECYCLE MANAGEMENT AND CONTRACT MODERNIZATION
Defining Vendor Requirements – key considerations in developing effective vendor contracts:
• Access
• Availability
• Marketing Compliance
• Corporate structure and financial viability
• Insurance
• Regulatory/Compliance
• Special Considerations: corporate social responsibility, corporate diversity strategy
EFFECTIVE CONTRACT LIFECYCLE MANAGEMENT AND CONTRACT MODERNIZATION
Key considerations for SLAs and KPIs
Clearly define success criteria:
• They should be mutually exclusive – no two should measure the same thing
• They must be objective and very clearly defined
• They must be easily measurable
• If calculations are necessary, they should be defined
• They should cover specific periods of time
• They should be actionable
• They should be fair and reasonable
• Establish a process and time frame for remediation, including consequences for failure
• Include your obligations to the process
• Strive for mutual success, but be prepared to walk away
BUILD MATURITY TO YOUR RISK PROGRAM
Shared Assessments
Vendor Risk Management Maturity Model
1. Assess your VENDORS by asking them to use the tool to self-assess their maturity program for 3rd party risk
2. Do a Gap Analysis to each layer in the pyramid for what is missing from your program to address consumer protection and regulatory risk
3. Create Action Plan to update your Third Party Risk Program, policies, and framework
STRENGTHEN MANAGEMENT REPORTING
Metrics that matter – ensure metrics and dashboards are meaningful to track:
• Key Performance Indicators (KPIs)
• Board Reporting
• Third Party Vendor Performance
• Complaint Management
EXAMINATION READINESS
Best Practices
Timing: months before the examination, conduct a thorough inventory to identify gaps or concerns before the examination document request, including:
• Written documentation, policies and procedures
• Data flows and control points
• Depth/Breadth of review
• End-to-end compliance
• Look across compliance programs
LEVERAGING EXTERNAL ASSURANCE
Expanding the scope of external assurance engagements can reduce the number and depth of on-site reviews.
UPDATING YOUR PROGRAM ROADMAP
QUESTIONS
• Lessons Learned
• Recap the day
• Questions
• Aha Moments
• Identify 3 Critical Messages for your Senior Management team
• Elevator speech!
WHERE WE STARTED – THE WAY FORWARD
TOOLS: THIRD PARTY MATURITY MODEL
Leverage Industry Benchmarking – Shared Assessments Vendor Risk Management Maturity Model (https://sharedassessments.org/member-projects/)
• 2014 Benchmarking Study
• 2015 Survey Results
• Develop Action Plan
TOOLS: SOCIAL MEDIA RESOURCES
FTC Announcements: http://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-staff-revises-online-advertising-disclosure-guidelines/130312dotcomdisclosures.pdf
FFIEC Guidance: https://www.ffiec.gov/press/pr121113.htm
FTC Guidance: http://www.ftc.gov/news-events/press-releases/2013/06/ftc-consumer-protection-staff-updates-agencys-guidance-search
FTC Testimonial Guidance: http://www.ftc.gov/sites/default/files/attachments/press-releases/ftc-publishes-final-guides-governing-endorsements-testimonials/091005revisedendorsementguides.pdf
TOOLS: RIMS – THE RISK MANAGEMENT SOCIETY
Tools to supplement your assessment efforts (https://www.rims.org/Pages/Default.aspx)
RIMS is a global not-for-profit organization representing:
• >3,500 industrial, service, nonprofit, charitable and government entities throughout the world
• Membership of >11,000 risk management professionals who are located in more than 60 countries
CONTACT INFORMATION
Rebecca Frederick
DAMA MN December 16, 2015
Thank You for Attending