Managing the 3rd Party Risks & Regulatory Impact in Banking & Financial Services Buyers

Ring Fencing: Compliance Matters

3rd Party Risk Management Approach & Lifecycle

OCTOBER 2014

© Copyright 2014 Energica Advisory Services Private Limited (Energica ASPL). All Rights Reserved. The recipient agrees not to distribute, share or use any part of the material without express written permission of Energica ASPL. Any other company and product names mentioned are used for identification purposes only, and may be trademarks of their respective owners. Energica ASPL disclaims all warranties as to the accuracy, completeness or adequacy of such information. Energica ASPL shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. Reproduction of this publication in any form without prior written permission is forbidden. www.energica-global.com

Energica Governance Matters > Perfecting Partnership > Delivering Value

Ramesh Somasundaram CEO & Head IT Sourcing Mgt. & Managed Governance

Services ENERGICA ASPL

3rd Party Supplier Risk Management Approach &

Lifecycle STRATEGIC SOURCING GOVERNANCE

THROUGH

YOUR EXTENDED PARTNER

IT SOURCING MANAGEMENT. GOVERNANCE. ADVISORY.

2 © 2014 Energica ASPL Energica IT SOURCING MANAGEMENT | GOVERNANCE | ADVISORY SERVICES

Regulation has challenged the business strategies, operational frameworks and functional business processes of every organization operating across the banking and financial services industry.

Managing the 3rd Party Suppliers, IT Service Providers, Extended Partner’s, GICs and CSPs is becoming very critical considering the emerging risks in today’s multi geography, multi sourcing, multivendor environments for the buyer organization.

The purpose of this Thought Paper (Ring Fencing – A Perspective View on managing the 3rd Party Risks and the Regulatory Impact in Banking & Financial Services Industry ) is to share our view on Regulatory Impact and information regarding the strategic nature of the compliance and operational risks.

What are the various Regulatory Requirements and Control Issues in BFSI industry? Managing the Operational and Compliance Risks with your service provider | GICs | Captives |

Shared Services through Ring Fencing. Overview on the Impact of Regulatory components on Business & IT services standpoint. Energica’ Risk Management approach & framework for managing the 3rd Party Relationships

across the sourcing lifecycle to minimize and mitigate the operational and compliance risks.

This will help our clients (buyer organizations) to effectively manage the 3rd Party Risks more effectively by leveraging a comprehensive risk management frameworks (Ring Fencing) & tools in a continual manner throughout the sourcing lifecycle and more specifically to minimize the Risk from Operational Standpoint.

Please contact Ramesh Somasundaram (Energica) with any questions or for specific consultative expertise | Advise in 3rd Party Supplier Relationship Risk Assessment.

Background: Ring Fencing - Compliance Matters Managing the 3rd Party Risks in Banking & Financial Services Buyers

3 © 2014 Energica ASPL Energica IT SOURCING MANAGEMENT | GOVERNANCE | ADVISORY SERVICES

Ring Fencing: Business Drivers

The following are the major business drivers for the 3rd Party Vendor Risk Management in Banking and Financial service industry due to complex risks.

Structural Reforms in USA, UK and European Banking & Financial Industries

Resolution Requirements

Extra Territoriality

Cross Border Trade across geographies and implications

Impact on IT Systems & Services

Fragmented Systems

The IT infrastructure of most financial firms is fragmented and inconsistent. Data resides across multiple systems. This fragmentation drives up operating costs, slows the development of new products and hinders managers making decisions that require them to understand the contributions of customers, products and lines of business to the firm’s overall performance.

Operational Risks

Data & Regulatory Reporting

Risk Management:

Meeting the Regulatory Changes & Implications

Solvency II Implications for Insurance Companies

Dependency Constraints & Compliance on Multi Geography Financial Regulatory Requirements (market structures in different countries)

Business Levers: Ring Fencing - Compliance Matters Managing the 3rd Party Risks in Banking & Financial Services Buyers

4 © 2014 Energica ASPL Energica IT SOURCING MANAGEMENT | GOVERNANCE | ADVISORY SERVICES

Ring Fencing - 3rd Party Risk Assessment: Driving Factors

Lack of Regulatory Oversight & Neglected Warnings.

Increased Regulatory Scrutiny and Compliance Requirements

Third parties representing the biggest compliance risk.

Lack of Regulatory Impact Assessment on IT Sourcing Transactions, Supply Base and Technology

Customers (buyers) have no or minimal systems or processes in place to manage and monitor third-party relationships.

To evaluate, understand and mitigate both supply base and emerging risks

Implement a consistent vendor governance | Risk & Performance management across different region

Meeting the Regulatory Changes & Implications

Data & Regulatory Reporting

DPA for Financial Institutions located outside Europe

Solvency II Implications

Cost, Data and Timeline Pressures

Change management & Implications

Poor or Lack of 3rd Party Risk Management programs

Dependency Constraints & Compliance on Multi Geography Financial Regulatory Requirements (market structures in different countries)

IT Security Breach | Data Theft

Buyers of

IT Services

Supply Side

Partners | Service

Providers

Vendors | SP |

Suppliers

Program

Management

Technology

Product Mgt

SVM | VMO

Governance

Supply Side

Partners | Captives |

GICs

Demand Side

Partners |

Customers Customers |

Distributors | OEMs

Region |

Geography |

Country

Regulatory

Banks & Financial

Institutions Source © Energica ASPL

Driving Factors: Ring Fencing - Compliance Matters Managing the 3rd Party Risks in Banking & Financial Services Buyers

5 © 2014 Energica ASPL Energica IT SOURCING MANAGEMENT | GOVERNANCE | ADVISORY SERVICES

Ring Fencing: Market Trends & Operational Levers

The New Regulatory Environment will create opportunities, challenges for Banking, Financial Institution Companies (Buyers). Before looking at ways of managing complex risks better, it is useful to understand the sources of complexity, regulatory impact and complex parameters revolving around Banking & Financial institutions.

New Regulatory Scrutiny and Compliance Requirements across Banking, Capital Markets, Insurance and Investment Management Sectors

Expanding Geographical foot-print

Customer Demands

New Product Offerings

Distribution Innovation - Multi Channel Customer Interactions (Cross Border, ATM, Internet, Bank, Mobile, Call Centers, market places)

Structural Impedimental Issues & Fragmented Systems

Technology Management

Product Proliferation: The number of products offered by financial firms has increased dramatically in the past 20+ years.

Fragmented Systems: The IT infrastructure of most financial firms is fragmented and inconsistent. Lead to Modernization and development of new systems.

Data & Regulatory Reporting: Regulatory compliance now requires much more from banks and insurers: more data collection, more risk analysis, and more monitoring and reporting

Regulatory Impact Index: The table depicted on the next page indicates on overview of the Regions and the Regulatory Components impacting the BFSI industry segment.

Market Trends: Ring Fencing - Compliance Matters Managing the 3rd Party Risks in Banking & Financial Services Buyers

6 © 2014 Energica ASPL Energica IT SOURCING MANAGEMENT | GOVERNANCE | ADVISORY SERVICES

Source © Energica ASPL

RING FENCING

Regulatory Impact:

Industry-Country NEXUS

Bank

ing

&

Secu

ritie

s

Fina

ncia

l

Serv

ices

Inve

stm

ent

Mgm

t.

Insu

ranc

e

Bank

ing

&

Secu

ritie

s

Fina

ncia

l

Serv

ices

Inve

stm

ent

Mgm

t.

Insu

ranc

e

Bank

ing

&

Secu

ritie

s

Fina

ncia

l

Serv

ices

Inve

stm

ent

Mgm

t.

Insu

ranc

eBa

nkin

g&

Secu

ritie

sFi

nanc

ial

Serv

ices

Inve

stm

ent

Mgm

t.

Insu

ranc

e

Financial Services

Capital Requirements Regulation and Directive (CRD IV)

European Market Infrastructure Regulation (EMIR)

Financial Transaction Tax (FTT) P**

The Foreign Account Tax Compliance Act (FATCA)

The Fourth Money Laundering Directive (MLD4)

General Data Protection Regulation (GDPR) P**

Market Abuse Directive Legislative Package (MAD II)

Markets in Financial Instruments Regulation & Directive (MiFID II)

Wire Transfer Regulation (WTR) D*

Securities Financing Transactions Regulation (SFT) P**

TARGET2-Securities (T2S)

Dodd-Frank Wall Street Reform and Consumer Protection Act

Network and Information Security Directive (NISD) P**

Banking | Financial Services | Securities

Bank Levy Act

Bank Recovery and Resolution Directive (BRRD)

BCBS 239 - Risk data aggregation and risk reporting

Benchmark Regulation D*

Central Securities Depositary Regulation (CSDR)

EU Banking Structural Reforms

European Commission Communication on Shadow Banking D*

The Financial Services (Banking Reform) Act 2013 D*

Mortgage Credit Directive (MCD)

Payment Accounts Directive (HM Treasury)

FCA review of client assets regime for investment business

International Financial Reporting Standards (IFRS 9)

Payment Service Directive

Insurance

CASS 5A P**

ComFrame D* - The Common Framework for the Supervision of

Internationally Active Insurance Groups (ComFrame)

Insurance Distribution Directive (IDD) D*

Solvency II

Investment Management

Alternative Investment Fund Managers Directive (AIFMD)

European Long-Term Investment Funds Regulation (ELTIF)

Client Assets Review

Regulation on Key Information Documents for PRIIPs - D*

UCITS V Directive - V & VI - D*

EuSEF and EuVECA Regulation

Money Market Funds Regulation (MMF) - D*

UCITS V Directive - VI P**

UK EUROPEUSA GLOBAL

BFSI Regulatory Components : Ring Fencing - Compliance Matters Regulatory Impact Index: The table depicted below indicates an overview of the Regions and the Regulatory Components impacting the BFSI industry segments.

7 © 2014 Energica ASPL Energica IT SOURCING MANAGEMENT | GOVERNANCE | ADVISORY SERVICES

IT Sourcing

Risk Spectrum :

Emerging

Risks

BFSI

Regulatory

Impact

Managing Your

Supply Base |

3rd Party Risks

Go Beyond

Internal Audit

Plan

Outsourced

Activities &

Retained

Organizations

Responsibilities

Risk

Management

Programs

Enhance Your

Risk Radar by

3rd Party Risk

Relationship

Assessments

Feed Back

Loop –

Continual

Improvements

& Optimizing

your 3rd Party

Risks

I. IT Sourcing is aggressive and the momentum will continue.

II. Emerging Risks and widening Risk Spectrum.

III. Managing 3rd Party Risks and Compliance Matters in a highly regulated BFSI industry is VERY CRITICAL.

IV. Define a Responsibility Matrix for the Outsourced Activities & Retained Organization

V. Establish a Comprehensive Risk Management Programs for the BFSI Regulatory Changes

VI. Vendor Risk Assessment and Risk Profiling

VII. Optimizing Your compliance and operational Risks through Feed Back Loop

Source © Energica ASPL

Enhance Your Risk Radar : Ring Fencing - Compliance Matters Managing the 3rd Party Risks in Banking & Financial Services Buyers

8 © 2014 Energica ASPL Energica IT SOURCING MANAGEMENT | GOVERNANCE | ADVISORY SERVICES

BFSI Regulatory Impact: Ring Fencing - Compliance Matters Managing the 3rd Party Risks in Banking & Financial Services Buyers

Accommodating Business Changes & New Rules

Stress Testing

Documentation

Regulatory Reporting

Data Governance

Risk Management Programs

Personalization

IT Security

Wealth Mgt. & Investment Advisory

Mortgages – Consumer Lending

Investment Banking

Securities Trading

Hedge Funds

Insurance

Banking

• Regulatory Reporting • Enhanced GRC Systems &

Solutions • BI | EDW Solution

Requirements • IT Security • Distribution Innovation |

Technologies • Personalization • Improved Products &

Services on Customer Excellence

• Privacy Intrusion

• Data Mgt. Strategy • Data Quality • Data Governance • DMT Programs

• Geography Specific Impact

• Business Transactions | IT Services on Cross Border Trade across geographies and implications

• IT compliance due to New Regulatory components like BASEL III, Dodd Frank Act, SEPA , FATCA

• Refined GRC reporting requirements

• Risk Management Programs

• Consolidated GRC Systems

• Dependency Constraints & Compliance on Multi Geography Financial Regulatory Requirements (market structures in different countries)

• 3rd Party Risk Assessments

GRC Territory |

Region

IT Systems Data

Regulatory Impact on IT Systems and Services | Change Management | Key Process Areas (KPA)

Key P

roce

ss A

reas

(KP

A)

In

du

stry

Im

pact

9 © 2014 Energica ASPL Energica IT SOURCING MANAGEMENT | GOVERNANCE | ADVISORY SERVICES

Approach and Methodology* will be refined based on the client’ actual scope and requirements

Source © Energica ASPL

Third Party Risk

Management &

Strategic Planning

•Assess alignment

of outsourced

activity with Buyer’s

strategy and

oversight capacity

•Assess risk inherent

in outsourced

activity individually

and as part of

broader

operational

strategy

Due Diligence

•Assess risk

associated with a

specific third party

and in context with

other outsourced

activities

Contracting

•Define Compliance

expectations &

Regulatory Impact

Roadmap

•Enable effective

oversight

•Create 3rd Party

Risk Management

Reporting

framework

Risk Assessment

•Monitor changes in

risk profile,

financial,

operational,

reputation,

regulatory and

litigation activity

and personnel

•Periodic onsite

reviews , site visits,

compliance audits

etc..

Risk Profiling

• Implement

consistent

approach to

documenting

compliance

activities

throughout third-

party life cycle

•Evaluate systems’

capacity for

documenting,

aggregating, and

reporting relevant

data

Ongoing

Monitoring &

Reporting

•Enable assessment

of third-party

performance, key

risk indicators, and

alignment with

strategic objectives

• Feed Back Loop

and Continual

Improvement

Programs

3rd Party Risk Management Approach & Lifecycle: Ring Fencing - Compliance Matters Managing the 3rd Party Risks in Banking & Financial Services Buyers

Ring Fencing Energica’s Integrated Approach* towards 3rd Party Supplier Risk Management

10 © 2014 Energica ASPL Energica IT SOURCING MANAGEMENT | GOVERNANCE | ADVISORY SERVICES

3rd Party Risk

Management

Strategic Planning

Outsourced

Activities

Retained

Organization

Responsibilities

Contract

Management

BFSI Regulatory

Impact | IT

|Business |

Technology Operational &

Compliance

Risks

3rd Party Risks

Risk

Assessment &

Control

Assessments

Monitoring and

Reporting

Feed Back

Loop

Banking

Investment Banking

Mortgages

Financial Services

Treasury Services

Card Services

Insurance

Banking Financial Services Insurance

Suppliers |

Service

Providers

GICs |

Captives

Shared

Services

3rd Party Risk Management Approach & Lifecycle: Ring Fencing - Compliance Matters Banking & Financial Services Regulatory Compliance

Buy Side

Supply Side

BFSI – Regulatory Components

Europe

USA UK

BFSI Industry Sectors

3rd Party Risk Management Lifecycle

11 © 2014 Energica ASPL Energica IT SOURCING MANAGEMENT | GOVERNANCE | ADVISORY SERVICES

Key Takeaways Extra Territoriality

IT Compliance is very critical due to New Regulatory components like BASEL III, Dodd Frank Act, SEPA , FATCA

Consolidated GRC Systems Regulatory Impact on IT Systems

Distribution Innovation Improved Products & Services on Customer Excellence Privacy Intrusion

Operational Risk Management

Monitoring Supply base Risks are very critical from Operational and Strategic aspects. Auditing Outsourced Operations | Business Processes covering supply base, 3rd Party vendors,

Captives/GICs/SSC across onsite/off-site/near-shore/offshore locations. Disaster Recovery/Business Continuity Planning Audits IT Security Audits Carry out Compliance audits across the 3rd Party Relationships on a periodical basis Continual Supply base monitoring and Improvement programs Build/Enhance appropriate GRC systems to aggregate and report accurate risk data to ensure

compliance Risk Management:

Meeting the Regulatory Changes & Implications- Enhanced GRC Systems Solvency II Implications for Insurance Companies Dependency Constraints & Compliance on Multi Geography Financial Regulatory

Requirements (market structures in different countries

Takeaways: Ring Fencing - Compliance Matters Managing the 3rd Party Risks in Banking & Financial Services Buyers

12 © 2014 Energica ASPL Energica IT SOURCING MANAGEMENT | GOVERNANCE | ADVISORY SERVICES

Key Takeaways

Emerging risks should be addressed as an unavoidable part of the business growth and expansion.

Technology and the shifting geopolitical landscape are creating ever more complex and interrelated risks.

Change Management is a Key to Risk Management considering the regulatory Impact across BFSI industry segments covering Region /Country of operations and the underlying Business Units.

Risk managers should develop and maintain a ‘risk radar’ database of all risks including emerging risks, based on active investigation and detailed information about each threat.

Oversight that precedes a third-party relationship covering strategic planning, diligence, and contracting is essential to defining expectations, enabling effective risk management, and ensuring that outsourcing can satisfy both business and regulatory objectives.

Enhancing and Leveraging the Cross functional relationship to manage the risks between IT and Business (technology risks), with Procurement/Sourcing teams (supply chain risks), by establishing/refining the standard procedures and processes (regulatory and compliance).

Conducting periodical 3rd Party Vendor Risk Assessments as a part of the Risk Management Programs (Supplier Governance) to enhance your risk appetite and minimize the business Impact.

Takeaways: Ring Fencing - Compliance Matters Managing the 3rd Party Risks in Banking & Financial Services Buyers

13 © 2014 Energica ASPL Energica IT SOURCING MANAGEMENT | GOVERNANCE | ADVISORY SERVICES

In Closing… Way Forward. How Energica Can help the Buyer Organization on 3rd Party Vendor Risk Assessments across

the Sourcing and Vendor Management (SVM) Value Chain? Energica’ Approach and Methodology* on 3rd Party Relationship Risk Assessment will be

refined based on the client’ actual scope, requirements, sourcing and vendor landscape etc..

Enegica’s 3rd Party Relationship Risk Assessments (Ring Fencing) methodology varies depending on the size and actual scope of the client’s outsourcing contract(s).

Energica considers several environmental factors when evaluating the scope of 3rd Party Relationship Risk Assessments | Audit Programs, including: the sourcing landscape, number of deals, geography, country, business units, IT services, service provider, maturity of the relationship, degree of VRM Risk Management Strategy, Process and 3rd Party Vendor Risk Management programs, maturity of the Vendor Risk monitoring processes, practices and reporting.

Energica has a network of consultants with GRC Expertise and Capabilities cut across BFSI, Telecom and Healthcare arena. Energica will designate internationally experienced associate(s), who will support the client depends on the nature of engagement.

Energica will provide you with Assessment reporting that includes an executive summary, our approach, Risk Assessment | Audit findings and practical recommendations for the 3rd Party Relationship(s) audited as well as other sourcing agreements that you may have with similar vendors.

We would welcome the opportunity to further discuss about the 3rd Party Supplier Risk Assessment

/or/ about our managed governance services with you. Please feel free to contact Ramesh Somasundaram @ +91 99620.55678 or write to info@energica-global.com /or/ ramesh.somasundaram@energica-global.com

Way Forward: Ring Fencing - Compliance Matters Managing the 3rd Party Risks in Banking & Financial Services Buyers

© Copyright 2014 Energica Advisory Services Private Limited (Energica ASPL). All Rights Reserved. This document is confidential and is intended solely for the use and information of the client to whom it is addressed. The information contained within this document is proprietary to Energica ASPL and it reserves the right to all information provided. The recipient agrees not to distribute, share or use any part of the material without express written permission of Energica ASPL.. The recipient would treat this material as Confidential Information. The information contained herein has been Collated/obtained from sources believed to be reliable. Energica ASPL disclaims all warranties as to the accuracy, completeness or adequacy of such information. Energica ASPL shall have no liability for errors, omissions or inadequacies in the information contained herein or for interpretations thereof. The opinions expressed herein are subject to change without notice. Reproduction of this publication in any form without prior written permission from Energica ASPL is forbidden.

www.energica-global.com

Energica

Ring Fencing: Compliance Matters Energica’s Integrated Approach* towards

3rd Party Supplier Risk Management

Sourcing Mgt & Governance IT Vendor Management & Managed Governance

Services

Sourcing Governance Through Your Extended Governance Partner

IT SOURCING MANAGEMENT. GOVERNANCE. ADVISORY.

Governance Matters > Perfecting Partnership > Delivering Value

Ramesh Somasundaram CEO & Head IT Sourcing Mgt. & Managed Governance Services, (C) +91.99620.55678 Email: ramesh.somasundaram@energica-global.com

ENERGICA ASPL Energica Advisory Services Private Ltd

OCTOBER 2014

EASPLMGS102014005