Third-Party Risk Management: A Case Study in Oversight


Page 1: Third-Party Risk Management: A Case Study in Oversight

www.nicsa.org

Sleep Better at Night: Learn techniques to manage risks associated with third-party relationships.

Third-Party Risk Management: A Case Study in Oversight

Part II of II

SPONSORED BY:

Page 2

Agenda

I. Moderator - Welcome Remarks
Rob Rafferty – Principal, Beacon Consulting Group

II. Today’s Panelists
• Paul Feuerborn - Director of Projects and Technology, American Funds
• Mark Roth - First Vice President, Wells Fargo Advisors
• Mike McNeill - Managing Director, BFDS

III. Format
Presentations
• Paul Feuerborn – Asset Manager Perspective
• Mark Roth – Intermediary Perspective
• Mike McNeill – Transfer Agent Perspective
Interactive Discussion – Panelists and Moderator
Q&A – Audience and Panelists

Page 3

Asset Manager Perspective

Risk Reduction / Oversight

Page 4

Step 1: Inventory Your Vendors & Partners

Page 5

Step 2: Classify Them For Your Business Strategy & Risk

Classification spectrum: Commodity – Strategic Vendor – Partner

Vendor and partner categories:
• Telecommunication Providers
• Interactive Voice Response
• Fund Accounting
• Proxy Services
• Mail/Shipping
• Web Hosting
• Production Operations
• Pricing Distribution
• Literature Fulfillment
• Document Management
• Investor Services
• Retirement Plan Record-keeping
• CRM
• Marketing Communications
• Information Technology
• Transfer Agency? (shown under each of the three classifications)

Page 6

CPE CODE:

560

Page 7

Step 3: Determine Appropriate Oversight Techniques

Commodity – Strategic Vendor – Partner

Page 8

Intermediary Perspective

Risk Reduction / Oversight

Page 9

Life Cycle Vendor Management

Stage 1: Strategic Planning and Internal Assessment
• Determine the appropriateness of sourcing a product or service (referred to as “services”)
• Understand basic criteria necessary to begin evaluating the business need for a service
• Obtain initial business approval to pursue the engagement of a third party service provider
• Engage Supply Chain Management

Stage 2: Due Diligence and Third Party Selection
• Ensure the appropriate third party is selected based on business needs and risks presented
• Understand the risks associated with the selected third party service provider and establish a risk mitigation plan, as appropriate
• Finalize contract terms
• Identify individuals responsible for the ongoing management of the third party service provider engagement
• Implement the necessary support activities to successfully manage the third party service provider prior to contract signing and using the third party service provider

Stage 3: Engagement Implementation
• Ensure all required activities are complete prior to contract signing and using the third party service provider
• Sign and archive the contract
• Confirm all roles are understood
• Use preferred fulfillment channels or engage Accounts Payable, as appropriate

Stage 4: Monitoring and Oversight
• Contractual obligations are met
• Performance is as expected
• Risk is assessed on a defined frequency or upon the occurrence of an off-cycle trigger event
• All required activities and assessments are completed prior to a pre-determined due date
• Business reviews occur on a defined schedule
• Any identified issues are escalated

Stage 5: Disengagement
• Minimize risk when terminating business with a third party service provider at an engagement or relationship level
• Identify the rationale for disengagement, including risk implications considered in the decision
• Ensure all required tasks related to each disengagement are fully executed

Page 10

CPE CODE:

349

Page 11

EVOLUTION OF BROKER / DEALER MUTUAL FUND PROCESS

Timeline: 1980’s – 1990’s – 2000’s

• DTCC Networking – Individual account and activity records at the broker dealers and funds with daily interactive file transmissions.
• Fund Serv Development – Individual client orders sent to the Fund/Transfer Agent with full registration detail and accounting requirements for both the broker dealers and funds
• Omnibus Processing – Customer account detail/record kept at the broker dealer firm and omnibus vendor – Funds/Transfer Agent books and records kept at the aggregate house account level

Transformational shift of Client Ownership: “Our” Client to “My” Client

Page 12

INTERMEDIARY DAILY GOVERNANCE - OVERSIGHT -

CONTRACTUAL
• SALES AGREEMENTS
• NETWORKING AGREEMENT
• FICCA – Financial Intermediary Controls & Compliance Assessment
• EXTERNAL CONTROLS

OPERATIONAL
• DSA/DSP – Data Share Activity – Data Share Positions
• 22C RULES 1 & 2 - SEC Guidelines for Pricing & Fee Allocation
• OPERATIONAL SLA’s
• OPERATIONAL/SUPERVISORY POLICY & PROCEDURES
• DTCC STANDARDIZATION
• SOC REVIEW – Statement of Operational Controls

PARTNERSHIP
• FUND/FIRM VISITS
• DTCC MEMBERSHIP
• SUB ACCOUNTING VENDOR
• INTERNAL VENDOR MANAGEMENT

Page 13

Transfer Agent Perspective

Risk Reduction / Oversight

Page 14

Evolution of the Transfer Agent

Transfer Agent
Core services:
• Call center
• Transaction processing/recordkeeping
• Tax reporting/withholding
• Mail/correspondence
• Fulfillment (e.g., account statements, check processing)

Support services:
• Financial/cash control (e.g., super sheets, commissions)
• Compliance monitoring and reporting, including AML, late trading and market timing, regulation monitoring
• Corporate actions (e.g., fund mergers)
• DTCC/NSCC processing
• Intermediary servicing
• Fund complex support including communication with fund custodian and fund accounting
• Technology support including web and mobile services, information security and software development

Sub Transfer Agent
Services moved to the SubTA in an omnibus environment:
• Call center
• Transaction processing/recordkeeping
• Tax reporting/withholding
• Mail/correspondence
• Printing/fulfillment
• Intermediary position and activity reporting

New! Omnibus-level transaction processing, compliance functions, reporting, and SubTA oversight

SubTA dependency on the TA

Page 15

CPE CODE:

121

Page 16

Evolution of the TA to Support Oversight

SHAREHOLDER SERVICING
• Mail Processing
• Transaction Processing
• Institutional Processing
• Financial Control
• Contact Center

EVENT MANAGEMENT
• Proxy Solutions
• Event Center
• Settlement Administration
• Corporate Actions

DIGITAL STRATEGY
• Digital Consulting
• Solutions Development

INTERMEDIARY SERVICING
• DTCC/NSCC Processing
• Intermediary Call Center
• Position and Activity Reporting
• Dealer Compensation
• Payment Administration

COMPLIANCE
• 22c-1 and 22c-2 Trade Monitoring
• AML/CIP
• Fraud Monitoring

FUND SUPPORT
• Blue Sky
• Unclaimed Property Administration

Page 17

How the TA Supports Oversight

Policies
• Information Security
• Information Sensitivity
• Email and Internet Security
• Acceptable Use
• Mobile Computing, Mobile Device, USB, Transportable Media, Clean Desk, Remote Access
• Records Retention
• Privacy and Information Sharing
• Privacy Incident
• Business Continuity/Disaster Recovery
• Code of Ethics and Professional Standards
• Ethical Reporting and Anti-Retaliation
• (Staff) Fingerprinting, Security, Identity and Employment

People
• Board-level Audit Committee
• Risk Management Committee
• Loss Awareness Team
• Quality Assurance Team
• BCP/DR Group
• Information Protection Committee
• Information Protection Board
• Chief Information Officer
• Chief Operating Officer
• Chief Compliance Officer
• Chief Risk Officer
• Information Security Officer
• Business Continuity Consultant
• Business Unit Risk Coordinators
• Third party vendors

Processes
• Material risk identification process
• 3rd party system and compliance audit
• Internal audit
• 3rd party penetration and vulnerability testing
• Patch management
• Monthly system access audit
• Business continuity impact analysis and planning
• Quarterly BCP/DR testing
• BPO quality tools
• Annual staff training
• Vendor management

Partnership
• Annual strategic planning and performance review meeting
• Negotiated SLAs
• Secure, online dashboard and other reporting: standard, customized, ad-hoc
• Due diligence questionnaires
• Board-level due diligence presentations
• Intermediary oversight solutions: Payment Administration and 22c-2 Market Timing Monitoring

Page 18

Oversight Focus for Clients

Chart: distribution of client oversight focus (percent) across five areas, by year. Year-axis labels read 2015, 2014, 2013 from top to bottom; the rows below are in the order shown on the chart.

Business Process | BCP/DR | Cybersecurity | Technology and Systems | Misc.
21.9%            | 3.4%   | 45.1%         | 27.2%                  | 2.4%
18.4%            | 3.8%   | 25.5%         | 44.2%                  | 8.1%
 7.7%            | 7.0%   | 33.4%         | 51.3%                  | 0.6%

Number of Questionnaires Completed: 9, 42, 51 YTD

Page 19

Questions?