Vendor Compliance Management Series: Performing an Effective Risk Assessment
Legal Disclaimer
This information is not intended to be legal advice and may not be used as legal advice. Legal advice must be tailored to the specific circumstances of each case. Every effort has been made to ensure that this information is up-to-date as of the date of publication. It is not intended to be a full and exhaustive explanation of the law in any area, nor should it be used to replace the advice of your own legal counsel.
Who is KirkpatrickPrice?
KirkpatrickPrice is a licensed CPA firm, providing assurance services to over 300 clients in more than 42 states, Canada, Asia and Europe. The firm has over 10 years of experience in information assurance, performing assessments, audits, and tests that strengthen information security and compliance controls.
Services Overview
• Regulatory Compliance
  – CFPB guidance and audit services:
    • Policy & Procedure
    • Risk Assessment
    • Vendor Compliance Management
    • CFPB Mock Audit
    • Information Security
  – Guidance and audit services:
    • PCI DSS 3.0
    • SSAE 16
    • SOC 2
    • FISMA
    • ISO 27001 / 27002
Welcome
Joseph Kirkpatrick, Managing Partner at KirkpatrickPrice, is a certified specialist in data security, IT governance, and regulatory compliance. He has provided consulting and security assessments for more than 14 years.
- Certified in the Governance of Enterprise IT (CGEIT)
- Certified Information Systems Auditor (CISA)
- Certified in Risk and Information Systems Control (CRISC)
- Qualified Security Assessor (QSA)
External Guidance
• OCC Bulletin 2013-29 / 2014-37
• OCC News Release 2013-116
• FDIC FIL-44-2008
• Federal Reserve Guidance on Managing Outsourcing Risk
• FFIEC Outsourcing Technology Services
• CFPB Bulletin 2012-03
OCC Bulletin 2013-29
• Planning
• Due diligence and third-party selection
• Contract negotiation
• Ongoing monitoring
• Termination
• Oversight and accountability
• Documentation and reporting
• Independent reviews
OCC News Release 2013-116
• Establish oversight committee
• Use debt buyer scorecards
• Maintain account accuracy and documentation
• Use clear, consistent contract terminology
• Provide sufficient documentation
• Limit the resale of debt
• Limit the litigation strategy
• Maintain quality Management Information Systems
OCC Bulletin 2014-37
• Ensure appropriate internal policies and procedures are developed and implemented to govern debt-sale arrangements consistently across the bank.
• Perform appropriate due diligence when selecting a debt buyer.
• Ensure debt-sale arrangements with debt buyers cover all important considerations.
• Provide accurate and comprehensive information regarding each debt sold, at the time of sale.
• Certain types of debt are not appropriate for sale.
• Comply with applicable laws and regulations.
• Implement appropriate oversight of the
Federal Reserve Guidance on Managing Outsourcing Risk
• Risk assessments
• Due diligence and selection of service providers
• Contract provisions and considerations
• Incentive compensation review
• Oversight and monitoring of service providers
• Business continuity and contingency plans
FFIEC Outsourcing Technology Services
• Evaluate the quantity of risk present from the institution's outsourcing arrangements
CFPB Bulletin 2012-03
• Conducting thorough due diligence to verify that the service provider understands and is capable of complying with Federal consumer financial law
• Requesting and reviewing the service provider's policies, procedures, internal controls, and training materials to ensure that the service provider conducts appropriate training and oversight of employees or agents that have
• Including in the contract with the service provider clear expectations about compliance, as well as appropriate and enforceable consequences for violating any compliance-related responsibilities, including engaging in unfair, deceptive, or abusive acts or practices
• Establishing internal controls and on-going monitoring to determine whether the service provider is complying with Federal consumer financial law
• Taking prompt action to address fully any problems identified through the monitoring process, including terminating the relationship where appropriate
Welcome
Brett Soldevila serves as the Chief Compliance Officer for Security Credit Services, LLC. Prior to joining Security Credit Services, Brett served in the internal audit department of a global consumer and commercial services company, and in the audit & enterprise risk services department of one of the world’s largest professional services firms.
- Certified Public Accountant
- Certified Fraud Examiner
- DBA Certification Council
Who is Security Credit Services, LLC?
Security Credit Services, LLC (SCS) has been in business since 2003, and is a wholly-owned subsidiary of Security Holdings, LLC. SCS acquires delinquent consumer accounts receivable from financial institutions and manages the collections. SCS is based in Oxford, MS and also has offices in Atlanta, GA.
Overview
• Related Risk Management Guidance
– Committee of Sponsoring Organizations of the Treadway Commission (COSO)
Enterprise-Wide Risk Assessment
• Gain an understanding of procedures throughout your company
• Identify and rate risks
• Implement an annual risk-based audit calendar
Data Security Risk Assessment – 3rd-Party Vendors
• Create listing of vendors
• Description of services
• Confidentiality agreements
• Calculate risk ratings
  – Likelihood
  – Impact
3rd-Party Vendor Risk Assessment
• Additional vendor risk assessment criteria
  – Financial statement review
  – Gross collections
  – Time since last audit
  – Prior audit score
  – Complaints/disputes
  – BBB rating
Data Security Risk Assessment – 3rd-Party Vendors
• Calculate risk rating for each vendor
• Determine frequency and type of procedures necessary
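The three slides above describe one procedure: build the vendor listing, rate inherent risk as likelihood times impact, adjust for the additional criteria, then let the resulting rating drive how often and how deeply each vendor is reviewed. The following is an added worked example of that procedure, not code from the webinar or from KirkpatrickPrice, Security Credit Services or Cornerstone Support. The likelihood-times-impact rating follows the slides; the point values attached to each additional criterion, the tier thresholds, the procedure table and the sample vendor listing are hypothetical choices made for illustration.

```python
"""Third-party vendor risk rating and audit-frequency planner.

Added example; not code from the webinar or the presenting firms.
Inherent rating = likelihood x impact, as on the slides. The point values
for the additional criteria, the tier thresholds and the procedure table
are hypothetical weights chosen for illustration, not a published method.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Vendor:
    name: str
    services: str                       # description of services
    confidentiality_agreement: bool     # confidentiality agreement on file
    likelihood: int                     # 1 (rare) .. 5 (almost certain)
    impact: int                         # 1 (negligible) .. 5 (severe)
    financials_reviewed: bool           # financial statement review done
    gross_collections: float            # annual gross collections placed, USD
    last_audit: Optional[date]          # None if never audited
    prior_audit_score: Optional[float]  # 0..100, None if never audited
    complaints_12m: int                 # complaints/disputes, trailing 12 months
    bbb_rating: str                     # "A+" .. "F", or "NR" if not rated


def inherent_rating(v: Vendor) -> int:
    """Likelihood x impact on a 1-5 scale, giving 1..25."""
    if not (1 <= v.likelihood <= 5 and 1 <= v.impact <= 5):
        raise ValueError(f"{v.name}: likelihood and impact must be 1..5")
    return v.likelihood * v.impact


def months_between(earlier: date, later: date) -> int:
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def adjustment(v: Vendor, as_of: date) -> int:
    """Points added for the additional criteria (hypothetical weights)."""
    pts = 0
    if not v.confidentiality_agreement:
        pts += 3
    if not v.financials_reviewed:
        pts += 2
    if v.gross_collections >= 1_000_000:
        pts += 2
    elif v.gross_collections >= 250_000:
        pts += 1
    if v.last_audit is None:            # never audited: treat as stale
        pts += 3
    else:
        months = months_between(v.last_audit, as_of)
        if months > 24:
            pts += 3
        elif months > 12:
            pts += 1
    if v.prior_audit_score is not None and v.prior_audit_score < 80:
        pts += 2
    if v.complaints_12m >= 10:
        pts += 2
    elif v.complaints_12m >= 3:
        pts += 1
    if v.bbb_rating not in ("A+", "A", "A-"):
        pts += 1
    return pts


def residual_rating(v: Vendor, as_of: date) -> int:
    return inherent_rating(v) + adjustment(v, as_of)


def tier(score: int) -> str:
    """Hypothetical thresholds mapping a score to an oversight tier."""
    if score >= 20:
        return "high"
    if score >= 12:
        return "medium"
    return "low"


# Frequency and type of procedures per tier (hypothetical, for illustration).
PROCEDURES: Dict[str, Tuple[str, List[str]]] = {
    "high": ("quarterly", ["on-site audit", "license verification",
                           "E&O policy review", "complaint log review"]),
    "medium": ("semi-annual", ["remote audit", "license verification",
                               "complaint log review"]),
    "low": ("annual", ["self-assessment questionnaire", "license verification"]),
}


def plan(vendors: List[Vendor], as_of: date) -> List[dict]:
    """Rate every vendor and return the audit calendar, highest risk first."""
    rows = []
    for v in vendors:
        score = residual_rating(v, as_of)
        t = tier(score)
        frequency, procedures = PROCEDURES[t]
        rows.append({"vendor": v.name, "score": score, "tier": t,
                     "frequency": frequency, "procedures": procedures})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


# Constructed sample vendor listing: fictional names and figures.
AS_OF = date(2014, 10, 1)
SAMPLE_VENDORS = [
    Vendor("Acme Collections", "third-party collections", True, 4, 5, True,
           1_500_000, date(2012, 3, 15), 72, 12, "B"),
    Vendor("Bluewater Recovery", "skip tracing", True, 2, 3, True,
           300_000, date(2014, 2, 1), 91, 1, "A+"),
    Vendor("Cedar Legal Group", "collection litigation", False, 2, 4, False,
           100_000, None, None, 0, "A"),
]

if __name__ == "__main__":
    for row in plan(SAMPLE_VENDORS, AS_OF):
        print(f"{row['vendor']:<20} score={row['score']:>2} tier={row['tier']:<6} "
              f"{row['frequency']}: {', '.join(row['procedures'])}")
```

Running the block prints the audit calendar for the three constructed vendors: the high-volume, long-unaudited agency with a poor prior score lands in the quarterly tier, the vendor with no confidentiality agreement and no audit history lands in the semi-annual tier, and the recently audited vendor with a strong score is reviewed annually. The weights are the part a firm would calibrate to its own portfolio; the structure (inherent rating, documented adjustments, tier, procedure table) is what makes the rating defensible when a regulator asks why a given vendor was reviewed at a given frequency.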
Welcome
Tony Bailey has served as the Director of Business & Strategic Development at Cornerstone Support for the past 11 years. He has assisted hundreds of debt buyers, collection agencies and collection law firms with various state licensing projects. He also assists many agencies in avoiding possible licensing issues in the M&A process, as well as assisting foreign agency firms in entering the US market and domestic firms looking to expand internationally.
Who is Cornerstone Support?
Since its inception in 1998, Cornerstone has provided licensing services and compliance support to many of the top collection agencies, debt buyers and attorneys in the accounts receivable industry. Cornerstone offers a wide range of services, from assisting credit grantors and debt buyers in auditing their partner collection agencies for licenses to advising clients on the errors and omissions insurance policy that best lowers their operational risk.
Why Third-Party Validation of Licensing is Important with Vendor Selection
• State licensing is fluid – Agency could be 100% compliant on Jan. 1, but 75% by Dec. 30
• State requirements are changing – “Oh, I don’t need a license there.”
• Trust but Verify – Most agencies are honest, but everyone makes mistakes.
Why Third-Party Validation of E&O Insurance is Important with Vendor Selection
• Do partner agencies' policies include details that are important to your firm? (e.g., TCPA exclusions, additional insured, FCRA exclusions, lower limits for class action claims)
• Cyber liability insurance coverage
Thank you for attending our Webinar
Q & A
For further information contact:
Todd Stephenson
t.stephenson@kirkpatrickprice.com
Coming up Next
Vendor Compliance Management Series: Developing an Audit Framework
When: November 2014 (TBD)
A detailed look at developing effective Information Security and Regulatory Compliance audit frameworks for third parties.