Vendor Compliance Management Series: Performing an Effective Risk Assessment

Legal Disclaimer

This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the specific circumstances of each case. Every effort has been made to assure that this information is up-to-date as of the date of publication. It is not intended to be a full and exhaustive explanation of the law in any area, nor should it be used to replace the advice of your own legal counsel.

Who is KirkpatrickPrice?

KirkpatrickPrice is a licensed CPA firm, providing assurance services to over 300 clients in more than 42 states, Canada, Asia and Europe. The firm has over 10 years of experience in information assurance, performing assessments, audits, and tests that strengthen information security and compliance controls.

Services Overview

• Regulatory Compliance
  – CFPB Guidance and audit services:
    • Policy & Procedure
    • Risk Assessment
    • Vendor Compliance Management
    • CFPB Mock Audit
    • Information Security
  – Guidance and audit services:
    • PCI DSS 3.0
    • SSAE 16
    • SOC 2
    • FISMA
    • ISO 27001 / 27002

Welcome

Joseph Kirkpatrick, Managing Partner at KirkpatrickPrice, is a certified specialist in data security, IT governance, and regulatory compliance. He has provided consulting and security assessments for more than 14 years.

- Certified in the Governance of Enterprise IT (CGEIT)
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control (CRISC)
- Qualified Security Assessor (QSA)

External Guidance

• OCC Bulletin 2013-29 / 2014-37
• OCC News Release 2013-116
• FDIC FIL-44-2008
• Federal Reserve Guidance on Managing Outsourcing Risk
• FFIEC Outsourcing Technology Services
• CFPB Bulletin 2012-03

OCC Bulletin 2013-29

• Planning
• Due diligence and third-party selection
• Contract negotiation
• Ongoing monitoring
• Termination
• Oversight and accountability
• Documentation and reporting
• Independent reviews

OCC News Release 2013-116

• Establish oversight committee
• Use debt buyer scorecards
• Maintain account accuracy and documentation
• Use clear, consistent contract terminology
• Provide sufficient documentation
• Limit the resale of debt
• Limit the litigation strategy
• Maintain quality Management Information Systems

OCC Bulletin 2014-37

• Ensure appropriate internal policies and procedures are developed and implemented to govern debt-sale arrangements consistently across the bank.
• Perform appropriate due diligence when selecting a debt buyer.
• Ensure debt-sale arrangements with debt buyers cover all important considerations.
• Provide accurate and comprehensive information regarding each debt sold, at the time of sale.
• Certain types of debt are not appropriate for sale.
• Comply with applicable laws and regulations.
• Implement appropriate oversight of the

Federal Reserve Guidance on Managing Outsourcing Risk

• Risk assessments
• Due diligence and selection of service providers
• Contract provisions and considerations
• Incentive compensation review
• Oversight and monitoring of service providers
• Business continuity and contingency plans

FFIEC Outsourcing Technology Services

• Evaluate the quantity of risk present from the institution's outsourcing arrangements

CFPB Bulletin 2012-03

• Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law
• Requesting and reviewing the service provider's policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have
• Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices
• Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law
• Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate

Welcome

Brett Soldevila serves as the Chief Compliance Officer for Security Credit Services, LLC. Prior to joining Security Credit Services, Brett served in the internal audit department of a global consumer and commercial services company, and in the audit & enterprise risk services department of one of the world's largest professional services firms.

- Certified Public Accountant
- Certified Fraud Examiner
- DBA Certification Council

Who is Security Credit Services, LLC?

Security Credit Services, LLC (SCS) has been in business since 2003, and is a wholly-owned subsidiary of Security Holdings, LLC. SCS acquires delinquent consumer accounts receivable from financial institutions and manages the collections. SCS is based in Oxford, MS and also has offices in Atlanta, GA.

Overview

• Related Risk Management Guidance
  – Committee of Sponsoring Organizations of the Treadway Commission (COSO)


Enterprise-Wide Risk Assessment

• Gain an understanding of procedures throughout your company

• Identify and rate risks

• Implement an annual risk-based audit calendar

Data Security Risk Assessment – 3rd Party Vendors

• Create listing of vendors
• Description of Services
• Confidentiality Agreements
• Calculate risk ratings
  – Likelihood
  – Impact

3rd Party Vendor Risk Assessment

• Additional Vendor Risk Assessment Criteria
  – Financial Statement Review
  – Gross Collections
  – Time since last audit
  – Prior audit score
  – Complaints/Disputes
  – BBB Rating

Data Security Risk Assessment – 3rd Party Vendors

• Calculate risk rating for each vendor
• Determine frequency and type of procedures necessary
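The three slides above describe one procedure: build the vendor listing, rate likelihood and impact, adjust for the additional criteria (confidentiality agreement, time since last audit, prior audit score, complaints, BBB rating), and map the resulting rating to how often and how deeply each vendor is reviewed. The following Python is an added worked example of that procedure; it is not code from the webinar or from KirkpatrickPrice or Security Credit Services. The 1..5 scales, the point values for each criterion, the tier thresholds and the review plan are assumptions chosen for the example, and the vendor records are constructed.

```python
from dataclasses import dataclass

# Assumption: likelihood and impact are rated on a 1..5 scale (the deck does not fix a scale).
SCALE_MIN, SCALE_MAX = 1, 5


@dataclass(frozen=True)
class Vendor:
    """One row of the vendor listing; fields follow the slide bullets."""
    name: str
    services: str                    # description of services provided
    confidentiality_agreement: bool  # signed confidentiality agreement on file
    likelihood: int                  # 1 (rare) .. 5 (almost certain)
    impact: int                      # 1 (negligible) .. 5 (severe)
    months_since_last_audit: int
    prior_audit_score: int           # 0..100, 100 = no findings
    complaints_last_year: int        # complaints/disputes attributed to the vendor
    bbb_rating: str                  # Better Business Bureau letter grade, e.g. "A+"


def _check_scale(value: int, label: str) -> None:
    if not SCALE_MIN <= value <= SCALE_MAX:
        raise ValueError(f"{label} must be {SCALE_MIN}..{SCALE_MAX}, got {value}")


def inherent_score(v: Vendor) -> int:
    """Likelihood x impact: the base rating from the deck, 1..25 on a 1..5 scale."""
    _check_scale(v.likelihood, "likelihood")
    _check_scale(v.impact, "impact")
    return v.likelihood * v.impact


def criteria_adjustment(v: Vendor) -> int:
    """Points added for the additional criteria on the deck.

    Each criterion adds points only when it signals weaker assurance; the
    point values are assumptions for this example.
    """
    adj = 0
    if not v.confidentiality_agreement:
        adj += 3                                   # no contractual confidentiality protection
    if v.months_since_last_audit > 24:
        adj += 2                                   # stale assurance
    elif v.months_since_last_audit > 12:
        adj += 1
    if v.prior_audit_score < 70:
        adj += 2                                   # poor prior audit result
    elif v.prior_audit_score < 85:
        adj += 1
    adj += min(v.complaints_last_year // 5, 3)     # 1 point per 5 complaints, capped at 3
    if not v.bbb_rating.upper().startswith(("A", "B")):
        adj += 2                                   # weak public reputation signal
    return adj


def risk_score(v: Vendor) -> int:
    return inherent_score(v) + criteria_adjustment(v)


def risk_tier(score: int) -> str:
    """Thresholds are assumptions; tune them to the spread of your own vendor base."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# Review procedure and interval in months per tier: this feeds the risk-based audit calendar.
REVIEW_PLAN = {
    "High": ("On-site audit plus quarterly monitoring", 12),
    "Medium": ("Remote control review", 12),
    "Low": ("Self-assessment questionnaire", 24),
}


def assess(vendors: list[Vendor]) -> list[dict]:
    """Rate every vendor and return the listing ordered highest risk first."""
    rows = []
    for v in vendors:
        score = risk_score(v)
        tier = risk_tier(score)
        procedure, interval = REVIEW_PLAN[tier]
        rows.append({"name": v.name, "score": score, "tier": tier,
                     "procedure": procedure, "interval_months": interval})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample vendors for the example (not real companies).
SAMPLE_VENDORS = [
    Vendor("Acme Collections", "Third-party collections", True, 2, 4, 6, 92, 1, "A+"),
    Vendor("Beta Recovery", "Debt purchase and litigation", False, 4, 5, 30, 65, 12, "C"),
    Vendor("Gamma Print", "Statement printing and mailing", True, 1, 2, 10, 88, 0, "A"),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_VENDORS):
        print(f"{row['name']:<18} score={row['score']:>2} {row['tier']:<6} "
              f"{row['procedure']} every {row['interval_months']} months")
```

Keeping the inherent score (likelihood x impact) separate from the criteria adjustment makes it easy to show an auditor why a vendor landed in a tier, and the sorted output is the starting point for the annual risk-based audit calendar mentioned earlier in the deck. The scale check rejects out-of-range ratings so a typo in the listing cannot silently produce an over- or under-stated score.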

Welcome

Tony Bailey has served as the Director of Business & Strategic Development at Cornerstone Support for the past 11 years. He has assisted hundreds of debt buyers, collection agencies and collection law firms with various state licensing projects. He also assists many agencies in avoiding possible licensing issues in the M&A process, as well as assisting foreign agency firms in entering the US market and domestic firms looking to expand internationally.

Who is Cornerstone Support?

Since its inception in 1998, Cornerstone has provided licensing services and compliance support to many of the top collection agencies, debt buyers and attorneys in the accounts receivable industry. Cornerstone offers a wide range of services, from assisting credit grantors and debt buyers in auditing their partner collection agencies for licenses to advising clients on the errors and omissions insurance policy that best lowers their operational risk.

Why Third-Party Validation of Licensing is Important with Vendor Selection

• State licensing is fluid – Agency could be 100% compliant on Jan. 1, but 75% by Dec. 30
• State requirements are changing – "Oh, I don't need a license there."
• Trust but Verify – Most agencies are honest, but everyone makes mistakes.

Why Third-Party Validation of E&O Insurance is Important with Vendor Selection

• Do partner agencies' policies include details that are important to your firm? (e.g., TCPA exclusions, additional insured, FCRA exclusions, lower limits for class action claims)
• Cyber Liability Insurance Coverage

Thank you for attending our Webinar

Q & A

For further information contact:

Todd Stephenson
t.stephenson@kirkpatrickprice.com

Coming up Next

Vendor Compliance Management Series: Developing an Audit Framework

When: November 2014 (TBD)

A detailed look at developing effective Information Security and Regulatory Compliance audit frameworks for third parties.
