Regulatory Compliance in Third-Party Risk Management


Summary

Regulatory compliance in third-party risk management involves ensuring that the external parties or vendors a business works with adhere to relevant laws, regulations, and internal policies. It is critical in managing risks, maintaining organizational integrity, and avoiding legal and financial repercussions, especially in industries like finance, technology, and healthcare.

  • Evaluate vendor compliance needs: Assess whether a Data Processing Agreement (DPA) or other legal measures are necessary based on the type of data being handled and the vendor's role in processing it.
  • Strengthen risk management frameworks: Develop clear policies and procedures to identify, assess, and address risks related to third-party activities, including cybersecurity and consumer compliance risks.
  • Implement ongoing monitoring: Conduct regular audits and enforce continuous compliance measures to mitigate risks and ensure adherence to regulatory requirements.
Summarized by AI based on LinkedIn member posts
  • Kayne McGladrey

    CISO in residence at Hyperproof | Improving GRC Maturity and Leading Private CISO Roundtables | Cybersecurity, GRC, Author, Speaker

    Making Sense of DPAs in Third-Party Risk Management

    The role of Data Processing Agreements (DPAs) in third-party risk management goes beyond mere compliance. It's an essential factor that should align with your purchasing strategy for software, services, or solutions.

    Is a DPA Always Necessary?
    - Many organizations require a DPA for all vendor contracts by default, which isn't always necessary.
    - You should determine whether the processed or stored data is "personal data" to decide the need for a DPA.

    Applicability to Vendors
    - Every vendor may not be subject to U.S. data privacy laws. Therefore, a DPA might not be legally mandatory for each one.
    - Evaluate if the vendor serves as a data processor or service provider, as this role will influence the DPA necessity.

    Assessing Risks and Benefits
    - Including a DPA in all agreements may lead to unnecessary complications.
    - A risk-ranking approach toward vendors allows you to focus DPAs on higher-risk or higher-value relationships.

    Navigating DPA Negotiations
    - Starting negotiations with the vendor's DPA template poses risks. These templates often favor the vendor.
    - Customize provisions to suit your organization's unique requirements, such as implementing technical controls or setting breach notification timelines.

    Optimizing the DPA Process
    - A standardized DPA template can reduce the burden during the purchasing process.
    - Limit DPAs to only high-risk or high-value vendor relationships for targeted and effective negotiations.

    Business Context
    - The absence of a DPA should not automatically exclude vendors that are otherwise a strong fit but may not deal with personal data.

    Ongoing Monitoring
    - Compliance doesn't stop with an established DPA. Regular audits and monitoring are critical.

    DPAs should not serve as a blanket requirement but as one aspect of a nuanced approach to third-party risk management. Proper risk assessments and focused DPAs will contribute to a more efficient and effective risk management strategy. #privacy #risk

  • Laxmi Ramanath

    Founder & CEO of La Meer Inc. - Integrated solutions for Wealth Management, Governance, Risk and Compliance Management for Financial Institutions

    Fed hits Synapse Partner Evolve Bank with Enforcement action (quoted from the article)

    Evolve Bank & Trust was hit with a Federal Reserve enforcement action Friday over shortcomings in the bank’s anti-money laundering, risk management and consumer compliance programs. An examination last August revealed West Memphis, Arkansas-based Evolve, a partner bank of bankrupt fintech middleware firm Synapse, engaged in unsafe and unsound banking practices “by failing to have in place an effective risk management framework” for its fintech partnerships, the Fed said in a Friday release.

    The order was issued jointly with the Arkansas State Bank Department on Tuesday and reflects:
    - The bank’s agreement “to take certain measures to further bolster our compliance oversight and enterprise risk management functions.”
    - Strengthen board oversight of the bank’s management and operations and its compliance with Bank Secrecy Act/AML requirements and Office of Foreign Assets Control regulations.
    - Submit a plan to enhance its risk management framework around its fintech partnership, featuring policies and procedures to identify risk associated with partners and programs.
    - Steps to ensure staff have sufficient expertise and independence, and that staffing levels are adequate.
    - Steps to quickly identify and report risk exposures related to fintech partners, programs or services.
    - Measures to make sure the bank’s board gives approval in writing before taking on new fintech partners or adding products or programs with those partners.
    - Tap an independent third party to review its fintech partner program for compliance with consumer laws and regulations. That third party will draft a report with its findings and recommendations.
    - Design a written plan to improve its capital risk management in consideration of its fintech partnerships and activities, evaluate the adequacy of the bank’s capital, and include measures to improve the bank’s capital planning framework, accounting for its “elevated risk profile” and fintech partners.
    - Come up with a plan to improve its liquidity risk management, with respect to fintech partner activities “and significant funding concentrations.”
    - The order included conditions mandating that the bank improve its lending and credit risk management policies related to its fintech partnerships.
    - Enhance its interest rate risk management practices; correct IT and information security deficiencies.
    - Bolster its internal audit program.
    - Evolve failed to maintain a risk management program or controls sufficient to comply with AML and consumer protection laws, the Fed said.

    #enterpriserisk #fintechduediligence #liquidity #AML #internalaudit #ITcybersecurity https://lnkd.in/g6u6wiAf

  • Jonah Crane

    Helping to build the future of financial services

    Regulators have made clear that they view “complex, technology-related partnerships” such as bank-fintech partnerships as increasing the risk profile of banks engaged in such partnerships. As I (and my partners) have discussed previously, the question is how to quantify that risk and how to calibrate a risk management strategy when the regulations and guidance are often based on asset size.

    Of course, banks need to take into account the specific risks of any products or services they offer, whether directly or indirectly. One of the primary mistakes we’ve seen partner banks make is not adequately understanding the nature of the activities and customers in their sponsored programs and the associated risks (e.g., BSA/AML, consumer compliance, strategic risk, etc.), and therefore not managing those risks as if the bank were engaging in the activity directly.

    But even assuming banks identify and manage those “direct” risks, the marginal risk of operating fintech partnerships, over and above the risks the bank would face if conducting the same activities directly, is primarily operational risk. The operational risks associated with bank-sponsored programs will differ from program to program, but many programs are likely to raise the following operational risks:
    ▪ Payments risk: the risk of errors, disputes, or chargebacks
    ▪ Custody risk: the risk that customer funds are lost or transmitted in error due to human or technological error
    ▪ Cyber and information security risk
    ▪ Business continuity risk
    ▪ Third-party risk resulting from the need for the bank to effectively oversee any activities carried out by its partners or vendors

    We have ways of mitigating each of those risks, but they are not easily measured. So, much like regulators are struggling with proposals for how to calibrate an operational risk capital requirement for the largest banks, it will be difficult to develop an operational risk “score” that can be used to determine how much marginal risk a bank incurs by engaging in fintech partnerships.

    But that doesn’t mean we shouldn’t try. Developing a risk taxonomy for fintech partnerships could provide greater clarity about the risks of sponsored fintech programs. Moreover, an operational risk capital framework that leverages the taxonomy could be used to establish tailored capital requirements for partner banks. The OCC has an operational risk framework for trust banks, whose risks are not well-captured in traditional balance sheet metrics. Perhaps that provides a useful start? I’m sure there are better ideas and contrary views out there. I’d love to hear them.

  • Igor Volovich

    Strategist · Founder · Ex-CISO Invensys, Schneider Electric · Security Shark Tank™ Winner

    The SEC's recent move to enforce new cybersecurity rules, effective December 18, 2023, is a significant development in the corporate world, particularly for public companies. These rules, mandating the disclosure of material cybersecurity incidents within four business days, signal a pivotal shift towards greater transparency and compliance integrity in the digital age.

    ➡ Emphasis on Transparency
    The requirement for rapid disclosure reflects a growing recognition of the importance of transparency in today's interconnected digital economy. In an era where cyber threats can significantly impact a company's operations and reputation, timely and transparent communication becomes crucial. This approach aligns with the broader trend of increasing investor and public demand for openness in corporate governance, particularly regarding how companies manage and respond to cyber risks.

    ➡ The Role of Compliance Integrity
    The new rules underscore the critical role of compliance integrity in cybersecurity. It's no longer sufficient for companies to have cybersecurity measures in place; these measures must be effectively integrated into their overall governance structures. This integration is vital for building investor and stakeholder confidence in a company's ability to manage cyber risks proactively and responsibly.

    ➡ Building Compliance Confidence and Executive Accountability
    In this new regulatory landscape, the focus shifts to building compliance confidence and ensuring executive accountability for material misrepresentations. The rules compel companies to not only implement robust cybersecurity measures but also to ensure that these measures are transparent and accountable. This shift highlights the need for a clear and accurate understanding of a company's cybersecurity posture, emphasizing the importance of having real confidence in the effectiveness of cybersecurity controls and the integrity of internal risk management strategies.

    ➡ Implications for Smaller Organizations
    While these rules specifically target publicly traded companies, smaller organizations can draw valuable lessons. The emphasis on timely disclosure of cybersecurity incidents underscores the importance of having robust incident detection and response mechanisms. Furthermore, organizations of all sizes must invest in continuous control monitoring and continuous compliance. This proactive approach to cybersecurity risk management, integrating it into the overall business strategy, is becoming increasingly crucial.

    The SEC's new cybersecurity rules represent a call to action for companies to elevate their cybersecurity practices, ensuring that they are transparent, compliant, and resilient in the face of evolving cyber threats. This development is a reminder of the ongoing need for companies to adapt and strengthen their cybersecurity and risk management strategies in an ever-changing digital landscape.

    #compliance #cybersecurity #security #SEC #regulatory #enforcement #governance

  • Michelle Prohaska, NCCO, NCRM, CRCM

    Chief Banking & Risk Officer, Corporate Secretary at Nymbus | Licensed Attorney

    Attend any #banking conference or scroll your LinkedIn feed in the financial space, and you're likely to find (especially given recent events) ongoing dialogue about the complexity of bank-fintech partnerships. Within the industry, the conversation is much more likely to bubble up about the things that go wrong over those that go right. In catching a recent Bank Director article about compliance struggles in these relationships, it got me thinking: what if we talked about what we're doing to try to get things right more often, and created more space to collaborate together as a #fintech community?

    Sharing the article below and borrowing from a few of the themes, here are some specifics in greater detail about what we do at Nymbus as a fintech trying to make fintech compliance easier for our banking partners, and we'd love to collaborate on how we can all do so better:

    📰 Clear-cut brand guidelines of what you expect your partners to do when they're representing your bank.
    ✅ At Nymbus, we have our own internal marketing compliance playbook that is used by our Labs team when creating content for our partners. Before a client gets any Nymbus-created content, our in-house compliance team reviews all marketing content for compliance with consumer regulations. This review isn't intended to replace the needed work of our client's compliance teams, but to make it much easier.

    🗒 Banks' third-party risk management must keep up with the speed and scale of programs, and it might be unclear how to share and delegate compliance duties.
    ✅ We publish a Managed Services Roles & Responsibilities document that outlines what role Nymbus plays in the services offered, and what our #bank or #creditunion partner should expect to provide support and oversight for. We create a partner-specific operating guide to be used as the rule book for our combined teams when bringing a digital brand to life and operating it day-to-day.

    🤝 Fintech investment in #compliance capabilities to be better partners for banks, instead of focusing solely on #sales, #marketing, and customer acquisition.
    ✅ Our #risk and #compliance team of 10 comes from a background working within financial institutions ourselves, as well as for #advisory and #audit firms and as former regulators. Our compliance team is engaged from pre-sales to implementation and ongoing support, and we pride ourselves on providing our banking partners direct access to our compliance teams.

    ⚖ Checks and balances (on both sides)
    ✅ Nymbus' risk management program and CMS was developed based on banking regulatory guidance, including that of the FDIC, OCC, Fed and NCUA, alongside the CFPB. It's inclusive of quality assurance, regulatory change management, internal compliance reviews and risk assessments, and the maintenance of a risk log to address ongoing enhancements and ways to improve our products and services.

    https://lnkd.in/ecPmiCdU
