Two Part Series: Part II of II
Third-Party Risk Management: A Case Study in Oversight
Sleep Better at Night: Learn techniques to manage risks associated with third-party relationships.
1. www.nicsa.org
Agenda
I. Moderator - Welcome Remarks: Rob Rafferty – Principal, Beacon Consulting Group
II. Today’s Panelists
• Paul Feuerborn - Director of Projects and Technology, American Funds
• Mark Roth - First Vice President, Wells Fargo Advisors
• Mike McNeill - Managing Director, BFDS
III. Format
• Presentations: Paul Feuerborn – Asset Manager Perspective; Mark Roth – Intermediary Perspective; Mike McNeill – Transfer Agent Perspective
• Interactive Discussion – Panelists and Moderator
• Q&A – Audience and Panelists
Step 2: Classify Them For Your Business Strategy & Risk
Classification axes: Commodity vs. Strategic; Vendor vs. Partner
Example services to classify:
• Telecommunication Providers
• Interactive Voice Response
• Fund Accounting
• Proxy Services
• Mail/Shipping
• Web Hosting
• Production Operations
• Pricing Distribution
• Literature Fulfillment
• Document Management
• Investor Services
• Retirement Plan Record-keeping
• CRM
• Marketing Communications
• Information Technology
• Transfer Agency?
Vendor Management Life Cycle
Stage 1: Strategic Planning and Internal Assessment
• Determine the appropriateness of sourcing a product or service (referred to as “services”)
• Understand basic criteria necessary to begin evaluating the business need for a service
• Obtain initial business approval to pursue the engagement of a third party service provider
• Engage Supply Chain Management
Stage 2: Due Diligence and Third Party Selection
• Ensure the appropriate third party is selected based on business needs and risks presented
• Understand the risks associated with the selected third party service provider and establish a risk mitigation plan, as appropriate
• Finalize contract terms
• Identify individuals responsible for the ongoing management of the third party service provider engagement
• Implement the necessary support activities to successfully manage the third party service provider prior to contract signing and using the third party service provider
Stage 3: Engagement Implementation
• Ensure all required activities are complete prior to contract signing and using the third party service provider
• Sign and archive the contract
• Confirm all roles are understood
• Use preferred fulfillment channels or engage Accounts Payable, as appropriate
Stage 4: Monitoring and Oversight
• Contractual obligations are met
• Performance is as expected
• Risk is assessed on a defined frequency or upon the occurrence of an off-cycle trigger event
• All required activities and assessments are completed prior to a pre-determined due date
• Business reviews occur on a defined schedule
• Any identified issues are escalated
Stage 5: Disengagement
• Minimize risk when terminating business with a third party service provider at an engagement or relationship level
• Identify the rationale for disengagement, including risk implications considered in the decision
• Ensure all required tasks related to each disengagement are fully executed
- DTCC Networking: individual account and activity records at the broker dealers and funds with daily interactive file transmissions.
- Fund Serv Development: individual client orders sent to the Fund/Transfer Agent with full registration detail and accounting requirements for both the broker dealers and funds.
- Omnibus Processing: customer account detail/record kept at the broker dealer firm and omnibus vendor – Funds/Transfer Agent books and records kept at the aggregate house account level.
Evolution of the Transfer Agent
Transfer Agent (core services and support services):
• Financial/cash control (e.g., super sheets, commissions)
• Compliance monitoring and reporting, including AML, late trading and market timing, regulation monitoring
• Corporate actions (e.g., fund mergers)
• DTCC/NSCC processing
• Intermediary servicing
• Fund complex support including communication with fund custodian and fund accounting
• Technology support including web and mobile services, information security and software development
• Call center
• Transaction processing/recordkeeping
• Tax reporting/withholding
• Mail/correspondence
• Fulfillment (e.g., account statements, check processing)
SubTransfer Agent (services moved to the SubTA in an omnibus environment):
• Call center
• Transaction processing/recordkeeping
• Tax reporting/withholding
• Mail/correspondence
• Printing/fulfillment
• Intermediary position and activity reporting
New! Omnibus-level transaction processing, compliance functions, reporting, and SubTA oversight
SubTA dependency on the TA
Evolution of the TA to Support Oversight
SHAREHOLDER SERVICING: Mail Processing; Transaction Processing; Institutional Processing; Financial Control; Contact Center
DIGITAL STRATEGY: Digital Consulting; Solutions Development
EVENT MANAGEMENT: Proxy Solutions; Event Center; Settlement Administration; Corporate Actions
INTERMEDIARY SERVICING: DTCC/NSCC Processing; Intermediary Call Center; Position and Activity Reporting; Dealer Compensation; Payment Administration
COMPLIANCE: 22c-1 and 22c-2 Trade Monitoring; AML/CIP; Fraud Monitoring
FUND SUPPORT: Blue Sky; Unclaimed Property Administration
How the TA Supports Oversight
Policies
• Information Security
• Information Sensitivity
• Email and Internet Security
• Acceptable Use
• Mobile Computing, Mobile Device, USB, Transportable Media, Clean Desk, Remote Access
• Records Retention
• Privacy and Information Sharing
• Privacy Incident
• Business Continuity/Disaster Recovery
• Code of Ethics and Professional Standards
• Ethical Reporting and Anti-Retaliation
• (Staff) Fingerprinting, Security, Identity and Employment
People
• Board-level Audit Committee
• Risk Management Committee
• Loss Awareness Team
• Quality Assurance Team
• BCP/DR Group
• Information Protection Committee
• Information Protection Board
• Chief Information Officer
• Chief Operating Officer
• Chief Compliance Officer
• Chief Risk Officer
• Information Security Officer
• Business Continuity Consultant
• Business Unit Risk Coordinators
• Third party vendors
Processes
• Material risk identification process
• 3rd party system and compliance audit
• Internal audit
• 3rd party penetration and vulnerability testing
• Patch management
• Monthly system access audit
• Business continuity impact analysis and planning
• Quarterly BCP/DR testing
• BPO quality tools
• Annual staff training
• Vendor management
Partnership
• Annual strategic planning and performance review meeting
• Negotiated SLAs
• Secure, online dashboard and other reporting: standard, customized, ad-hoc
• Due diligence questionnaires
• Board-level due diligence presentations
• Intermediary oversight solutions: Payment Administration and 22c-2 Market Timing Monitoring
Oversight Focus for Clients (share of due diligence questions by category, with number of questionnaires completed)

Year        Business Process   BCP/DR   Cybersecurity   Technology and Systems   Misc.   Questionnaires Completed
2015 (YTD)  21.9%              3.4%     45.1%           27.2%                    2.4%    51
2014        18.4%              3.8%     25.5%           44.2%                    8.1%    42
2013         7.7%              7.0%     33.4%           51.3%                    0.6%    9
Thanks Mark. To complement what Mark referenced related to the evolution of the broker/dealer mutual fund process, I want to provide some additional detail related to how the transfer agency has evolved over recent years due to the move to Omnibus. Historically, the left side of this slide represents the core functions that would be provided by an internal TA or an outsourced service provider.
With the move to omnibus, the Sub TA is now introduced into the process and with that they have assumed additional responsibilities that previously would have been handled by the transfer agency of the asset manager. Level 3 accounts are now being held in house accounts, and the shareholder servicing functions have been transferred to these 3rd parties. Before the evolution of the SubTA, broker/dealers would have been responsible for some functions, such as tax reporting and call center servicing, on their Level 3 business. Under SubTA arrangements, more of these shareholder servicing functions are transitioned further away from the asset manager.
With that additional migration away from the asset manager, new functions and intermediary oversight needs have arisen for the TA to ensure risk is being managed for the asset management firm and their shareholders.
The evolution of the transfer agent and the rise of the SubTA have expanded the due diligence and oversight responsibilities for asset management firms. Increased scrutiny from fund boards and the SEC continue to be drivers in this area in addition to the regulatory requirements and additional oversight needs in an omnibus environment.
To meet this need of asset management firms in this arena, we have proactively developed back office solutions that offer complementary, stand-alone oversight of intermediary functions. A great example of this is 22c-2 monitoring, which has seen processing volumes grow by more than 800% over the last five years (for example: 66M transactions analyzed annually, up from 7M in 2010). Blue Sky is another area for us that has seen a dramatic increase over the past year.
We also worked with our clients to collaborate on identifying their growing intermediary oversight needs several years ago and that resulted in the expansion of our intermediary servicing solutions. As we know, intermediary payments and Distribution in Guise had been identified as key areas of focus for the SEC exam priorities going back to 2013.
This is just another example of how funds and transfer agents need to collaborate on various aspects of intermediary oversight.
Operational oversight of a business processing partner, like a TA, is ideally driven by the asset management firm’s need to ensure our services are sufficient to help protect the firm and its clients from financial, reputational and regulatory risk.
During this webex, we have discussed a lot of valuable points related to intermediary or dealer oversight, but we also see this in the way we approach oversight both internally as well as with our clients.
I would now like to bring the discussion to a more granular level related to how we, as a TA, are creating a culture designed to help support your operational oversight needs. I am not going to review all of these points but they are all integral parts of how we have developed a culture of oversight here.
The first area is Policies. It is the foundation of our infrastructure and consists of:
IT risk management
Compliance, including BCP
Employee management
People
Ours is a culture of oversight, where everyone has responsibility for operational oversight – a key example of this would be annual staff training on topics like BCP/DR awareness, Privacy and Data Management, AML, and Information Security
Within the business and the enterprise, there are also teams and individuals with specific responsibility for aspects of operational oversight – starting at the Chief Operating Officer and extending to business unit-level risk coordinators.
Processes
There is a comprehensive mix of processes that are integrated which provide clients with insight into the integrity of our operations. These would be things such as:
Internal audit and risk management processes
IT risk management processes
BCP/DR processes
Day-to-day business process management and quality controls (e.g., dual data entry, journal review, etc.)
Annual staff training: information security, red flag-identity theft, AML, business continuity, code of ethics, and privacy policy
Vendor management program – requires varying degrees of due diligence based on a risk ranking process. We would be conducting this type of in-depth analysis with our vendor relationships, similar to what an asset manager would do with a sub-TA or dealer.
Lastly, and one of the most important aspects, is Partnership.
Paul touched on this in his opening but it is critical to work closely with your clients…
Collaborative planning
Engagement in due diligence questionnaires and presentations
Having strategic discussions related to new products and solutions
If operational oversight of a business processing partner is a form of check/balance to ensure risk is being tightly managed, ideally it is a continuous process. With our clients, this continuous process looks like monthly performance reporting, regular client meetings, semi-annual (optional) engagement in the business continuity planning process, and at least annual strategic planning sessions.
As this slide shows, we’re also seeing an increase in the annual, formal due diligence process. On the far left side you can see that when we look at the last three years, we had received:
9 questionnaires consisting of 197 questions in 2013
This jumped to 42 questionnaires and 2,400 questions in 2014.
Based on YTD volumes, we are on track to complete more than 60 questionnaires and 3,500 questions in 2015.
We also have participated in 75 Info Security presentations for clients and their Boards this year.
In addition to seeing significant changes in the volumes of formal due diligence questionnaires, we’re also seeing changes in the types of questions being asked. Cybersecurity and IT risk management are still king, making up more than 70% of all the questions our team has answered in each of the last three years.
In sync with the growing sophistication of our understanding of risk management, we’re seeing an increase in the percentage of questions related to operational processes, performance management, and quality control review – up from 7.7% of questions to nearly 22%. Consistently, at least 55% of these questions are about compliance operations and audit functions. Vendor outsourcing questions typically also fall here.
There has been a declining percentage of questions focused on BCP/DR, but the type and quality of questions are not changing substantially. They are primarily focused on:
Data back-up and recovery plans
Data center locations
Crisis management plan (including communication plans)
Pandemic plan
Testing scope, frequency, results, relevance to client
Testing in a production environment
The Miscellaneous questions focus on personnel stability (e.g., rates of turnover and tenure), staff training programs, financial stability, etc.
With that, I would now like to turn it back to Rob, thank you.