Vendor Management Best Practices: Is Your Program Up to Par? Webinar presented by Scott Roller, former head of vendor management at Citigroup August 12, 2015 Among the top challenges lenders face today is the need to meet higher expectations set by the OCC and the Federal Reserve governing the use of third-party vendors. While the guidelines were released over a year ago, there is still confusion about what institutions should be doing. One thing, however, is certain. Effective vendor management takes resources, and many institutions are finding it necessary to add staff and/or technology to help with the cause, particularly smaller institutions. The regulators have made it clear, vendor management is not just a one-time assessment, but is an ongoing process, and monitoring vendors long term is as important as the initial due diligence. EDR is pleased to host a webinar on this timely topic on Wednesday, August 12, 2015 at 2:00 p.m. EST. Scott Roller, former head of vendor management at Citigroup, will provide clarity on the new regulations and help break down regulator expectations into easy-to-understand terms. Roller will explore key dimensions that attendees can use as the foundation for building out their own robust vendor management oversight program, from initial vendor risk classification all the way through ensuring adequate executive engagement in vendor management. Attendees will learn best practices for satisfying regulators with this educational workshop, including answers to the following: • What does the latest regulatory guidance on vendor management require? • What are the biggest headaches banks are facing in complying with them? • What advice is recommended for smaller banks struggling with limited manpower/resources? • What are bank examiners looking for during audits? • What are the latest best practices for policies and procedures? • How are banks coping with the need to track and monitor vendors? • What are the most common shortcomings that audits reveal?

1. 1
Copyright 2015©, All rights reserved, 3W Partners LLC
August 12, 2015
Sponsored by…
Scott Roller

2. 2
 Principal & Founder – 3W Partners LLC
 25 Years – Fortune 500 Companies
• Telecom
• Financial Services
 Leadership Roles in
• Global Vendor Management
• Ops / Strategy / Re-engineering
• Outsourcing / Training
 TL9001 (“ISO for telecom”)
• Certified Lead Auditor
Regulators
Gov’t Entities
Ratings Agencies
Others
OCC, OTS, CFPB
Fannie, Freddie, GAO
Moody’s, Fitch, S&P
ISO, Accounting firms
Audited by…

3. 3
Brief History
 Why the intense focus on vendors?
 What led us here?
Changing Landscape
 Financial Crisis ~2008
 Vendor management Prior to… and Now
 Heightened regulator focus areas
What Regulators Expect
 12 Key Dimensions
 Good resources to self-educate
Technology & Tools
 Increase you chances of success
Third-Party Oversight & Governance (TPOG)

4. 4
Financial Crisis 2008
Vendor focus very limited:
• Business continuity
• Financial strength
• Credit risk
Prior to the Crisis
Activities were outsourced
• Unfortunately, so was
vendor responsibility and
accountability
Vendors seen as a major
contributing factor to the
crisis
Post-mortem
Inadequate oversight from
financial institutions
Hidden risks when relationships are not managed closely
Resulted in massive fraud and consumer distress

5. 5
Regulators have a renewed focus on third-party
oversight
Regulatory Response to the Financial Crisis
OCC
CFPB
Federal Reserve Board
FDIC
NCUA
Considerable Attention
 Institutions must bear responsibility for supplier misdeeds
• Numerous “casualties” already
 Major focus on consumer interaction with vendors
 Enterprise-wide engagement, especially executives
 Push for independent reviews
Will focus on 12 Key Dimensions today

6. 6
What I often see within the industry
Programs are not overly mature
 Financials
 Continuity of business
 Data and site security
Hard to budget for vendor risk management
Led by single group
 Versus cross-section of the enterprise
Not part of larger enterprise-wide Risk Program
Minimal investment
In Smaller Organizations
 Lack of manpower
 Inadequate skills
 Problems often tied to 2nd tier vendors
Have we learned anything from the financial crisis?

7. 7
Recent examples… and consequences
Collectively, they paid a total of more than $530 million to settle complaints
of deceptive selling and predatory behavior by their third-party suppliers.
Source: http://www.mckinsey.com/insights/risk_management/managing_when_vendor_and_supplier_risk_becomes_your_own
July 2013
Net Message: No one ever remembers the vendor name

8. 8
OCC
CFPB
Federal Reserve Board
NCUA
FDIC
On Third-Party Oversight & Governance
OCC Bulletin 2013-29
Supervisory Letter No.: 07-01
Letter: Guidance For Managing Third-Party Risk
Bulletin 2012-03 Service Providers
SR 13-19 Guidance on Managing Outsourcing Risk
Fortunately, expectations resemble one another
• OCC Bulletin 2001-47
• OCC Bulletin 2002-16: Foreign-Based Third-Party Service Providers
• FDIC Compliance Manual, December 2012
• FIL-44-2008: Guidance for Managing Third-Party Risk
• FIL-50-2001: Bank Technology Bulletin: Technology Outsourcing
Information Documents
• SR 00-4 (SUP): Outsourcing of Information Technology and Transaction
• Processing

9. 9
Risk Classification
Due Diligence
On-Boarding
Contracts
Compliance
Audits
MIS / Reporting
Scorecards
Annual Certifications
Complaint Handling
Escalations
Governance
These cover most regulatory expectations
Execute these well… satisfy your regulator(s)

10. 10
Risk Classification
For effective third-party oversight
 Risk-based segmentation
 Scope and intensity of oversight is defined here
 Must consider risks to…
• Legal & Regulatory
• Reputation
• Sensitivity of data
• Process complexity
• Customer interface/impact
• Public or private vendor
• Domestic
• Offshore
• Core Bank Function
• Non-Core
• Number of similar suppliers
• Percent of volume handled
Other Considerations
• Strategic (High)
• Major (Med)
• Basic (Low)

11. 11
On-Boarding
Due Diligence
 Assess the process of how suppliers are…
• Sought
• Vetted
• Selected (and retained)
 Consider vendor questionnaire and evaluation
matrix
 Have a plan to implement the vendor relationship
• Technology, telecom, recruit, train (including compliance), etc.
 Critical: System Entitlements
• Limit vendor access to only what is “required”
• Have a revocation process
o Consider revoking within 24-hours of leaving

12. 12
Contracts
 Regulators have specific expectations regarding vendor contracts
 Examples of often-overlooked clauses:
• Use of subcontractors
• Termination for default
• Compliance with laws
• Privacy policy (sensitive info)
• Electronic Transportable Media
• Right to audit
• Licensing
• Indemnification
• Notification of complaints
• Handling of media inquiries
• Service level monitoring
• Limitation of liability
• GSA “Excluded Party List”
• HUD’s “Limited Denial of Participation”
What is required of you …
Is also required of ALL members of your “supply chain.”
Make it contractual.

13. 13
Compliance
Audits
 Identify all relevant compliance requirements and document how
requirements are being met
 Regulatory updates and change management process effectiveness
• Flow down to vendors (operations, contracts, scorecards, etc.)
 Do your vendors...
• “Say what they do?” (via Policy & Procedure Manual)
• “Do what they say?” (can vendors demonstrate it?)
 Have an audit schedule and comprehensive plan
 Ensure risks are documented and controls are in place.
• Strategic (High)
• Major (Med)
• Basic (Low)
Risk Classification
• Twice per year
• Once per year
• Every other year
“Potential” Audit Frequency

14. 14
MIS / Reporting
Scorecards
 You need timely and effective reporting in all supplier relationships.
 Demonstrate you have sufficient visibility and control.
Hard to achieve safety and soundness without robust reporting
 Identify key performance indicators (KPI)s, track and report on them.
 Document vendor improvement plans.
• Drive accountability.
 Regular reviews.
• Evidence of follow-up and actions
o Warning notices
o Training, certification
o Volume adjustments
o Expanded or decreased scope of work

15. 15
Annual Certifications
 Re-certify vendors annually.
No more
• Financials
• Licensing
• Insurance
• Data security
• Capacity / Staffing
• SLA performance
• Process reviews
• Compliance
• Customer impact
• Fees & incentives
• Use of subcontractors
• Training (especially compliance)
• Business continuity
• Audit results
• Complaints
• Media attention
• Pending litigation
• Mergers & Acquisitions
• Ownership changes
• Compensation practices
Very labor intensive dimension
 Keeping up with all changes: Yours, vendors, regulators, etc.
• Assessing the impacts annually, at minimum.
Due Diligence

16. 16
Complaint Handling
 Requires an effective method of capturing, responding to and
resolving complaints.
• Especially where suppliers are involved.
 Complaint source and severity: Major, Moderate, Minor.
 Linkage of root cause back to the operation.
 Report to senior leadership.
Escalations
 When supplier problems arise, must have effective identification,
escalation and management of issues.
 Escalate to appropriate levels. Special review committee?
 Examples:
• Bad press
• Multiple system outages
• Multiple complaints
• SLAs repeatedly not met
• Downgraded financials
• Fraud event
• Audit findings
Define your future reactions

17. 17
Governance
 Senior executive and/or Board Member engagement
• “Fingerprints everywhere”
o Drive and approve policy
o Monitor vendor platform (via regular readouts)
At-will access to vendor results
o Sign-off on vendor selection and recertification (and action/exit)
o Audit trail of their engagement
 Proposed: Two Tier Governance Model
Executive
Committee
Operations
Committee
Drive Vendor…
• Performance / Quality
• Control & Compliance
• Risk & Change Mgmt.
• Audits
• Volume Allocations
• Contingency plans
Sets “TONE at the TOP”
• Strategic Alignment
• Risk appetite
• Policy
• Verify adequate oversight
• Ask questions
• Approve, Suspend & Terminate

18. Extremely useful when managing vendors and risks
 Centralized repository; Security
 Portal for easy access
 Clear, actionable management reports and well-designed workflow
systems
• Essential for accountability across the institution
 Measure your level of dependence on critical suppliers
Build vs. Buy
 Building a new third-party risk application from scratch is a big
undertaking;
• So too is enhancing a current risk tool to perform new functions
 Consider “off-the-shelf” workflow and risk-management tools
18

19.  Healthy, transparent and compliant
 Consistency across vendors
• OK to manage according to risk segmentation
 Documentation
• Policy & procedure; Roles & responsibilities
• Audit trail
 Performance based criteria
 Adequate staffing for oversight
• Number of resources
• Skill and competency
 Executive engagement
• “Fingerprints everywhere”
19
Third-party relationships must be good for financial institution,
its vendors and consumers
Leverage technology where possible

20. 20
Questions?
Scott Roller
Principal / Founder
3W Partners LLC
scott@3Wpartners.net
636.448.3713 cell
www.3Wpartners.net
Sponsored by…