CFPB Readiness Series:Compliant Vendor ManagementOverview

Legal DisclaimerThis information is not intended to be legal advice andmay not be used as legal advice. Legal advice must betailored to the specific circumstances of each case.Every effort has been made to assure that thisinformation is up-to-date as of the date of publication.It is not intended to be a full and exhaustiveexplanation of the law in any area, nor should it beused to replace the advice of your own legal counsel.

Who is KirkpatrickPrice?KirkpatrickPrice is a licensed CPA firm, providingassurance services to over 200 clients in morethan 40 states, Canada, Asia and Europe. Thefirm has over 10 years of experience ininformation assurance by performingassessments, audits, and tests that strengtheninformation security, and compliance controls.

WelcomeTodd Stephenson is an Information SecuritySpecialist helping collection agencies and law firmsprepare for a CFPB examination.– Certified Information Systems Auditor (CISA)– Information Security Specialist– Over four years working with the ARM industry

What’s Changed? In the past:– Vendor compliance managed contractually– Compliance risk/responsibility was transferred– Compliance activity kept at arms length

What’s Changed? Now:– Full chain of custody– The CFPB expects you to “oversee their businessrelationships with service providers in a mannerthat ensures compliance with Federal consumerfinancial law.”– “Effective Process”– CFPB Bulletin 2012-03 dated April 13, 2012

Who’s Responsible for What? If you have "any person (i.e. service provider) that provides amaterial service to a covered person (i.e. you) in connectionwith the offering or provision by such covered person of aconsumer financial product or service" then you areresponsible for their compliance to all relevant CFPBrequirements. The service provider is also responsible to the CFPB. No one gets a free pass – Its both! “The CFPB’s exercise of its supervisory and enforcementauthority will closely reflect this orientation and emphasis.”

WelcomeJessie Skibbe is a Certified Credit and CollectionsCompliance Officer & former Chief Compliance Officerwith 10 years of ARM industry experience. A recentaddition to the KirkpatrickPrice team, she is focused onassisting the ARM Industry in meeting regulatorycompliance & information security objectives.– Certified Credit & Collections Compliance Officer (CCCO)– Certified Information Systems Security Professional (CISSP)– Certified Information Security Manager (CISM)

Vendor Compliance Managment 5 Core Components– Risk Assessment– Due Diligence in Onboarding– Written Contractual Requirements– Ongoing Monitoring and Audit– Termination

Before you Begin Risk Assessment– Evaluate the risk associated with the outsourcedfunction.– Determine vendor types & areas of risk to consider Vendors performing consumer facing activities Vendor receiving & storing confidential information Vendors requiring unattended access

Program Components Risk Assessment Policy & Procedure– Requires the review of the dependency of thefunction– Review of applicable federal and state law(s)associated with the function– Defined frequency

Program Components Risk Assessment Template or Worksheet– Evaluation of estimated account volume– Evaluation of the data elements required to perform theservices– Information Security Assessment– Business Continuity Plan– Insurance Coverage– Is the use of subcontractors required to perform theservices

Program Components Due Diligence in Onboarding– Policy listing the requirement– Procedure detailing: Responsibility for performing a checklist of functions Formal evaluation of risk and management sign off– Templates

Program Components Due Diligence in Onboarding– Policy and Procedure RFP or Questionnaire is used to gather information forutilization in the risk assessment process. Requirement for formal risk assessment and acceptanceof risk by executive management Corresponds with the contract review stage Corresponds to the monitoring and audit phase

Program Components Written Contractual Requirements– Policy, Procedure & Checklists Clear expectations about compliance with applicablefederal and state consumer financial protection laws. Clear definition of each party’s responsibilities forinformation security and privacy of consumer dataincluding maintaining fully documented informationsecurity policies and procedures.

Program Components Written Contractual Requirements– Policy, Procedure & Checklists The third party’s responsibility to conduct employeebackground checks for all employees The third party’s responsibility to conduct adequateemployee training. Training on policies, procedures,applicable state and federal consumer financial laws andinformation security awareness training is required. The third party’s responsibility to notify you upon anysuspected data breach.

Program Components Written Contractual Requirements– Policy, Procedure and Checklists The third party’s responsibility to obtain permission fromyou prior to sharing confidential consumer data with anyother entity. The right for you to terminate the contract uponreasonable notice and without penalty.– Instructions for data destruction if applicable.

Program Components Ongoing Monitoring and Audit– Policy and Procedure Define the requirement for monitoring and audit Define the responsibility for the function Define the audit report requirements– What to Monitor Telephone Calls Employee Training Consumer Complaints

Prepare for Audit Retain copies of formal risk assessments Perform a review of your vendor contracts now toensure the required components are met. Have themreadily available. Retain copies of contract review checklists Retain copies of monitoring efforts and auditsperformed Ensure retention period match with documentedpolicy and procedure.

Program Components Termination– Policy and Procedure Define the process of terminating a relationship to tie uploose ends.– Destruction of the data– Cancellation of the contract– Extension of Non Disclosure Agreements if applicable.

Thank you for attending ourWebinarQ&AFor further information contact:Todd .3154 Ext. 202

KirkpatrickPrice Services Compliance Management System– Program development and consulting Policy & procedure drafting Risk assessment guidance Internal audit plan development– CFPB Readiness AuditInformation Security Audit– Guidance and audit services: PCI DSS 3.0 SSAE 16 SOC 2 FISMA ISO 27001 / 27002

Coming up NextCFPB Readiness Series: Complaint Resolution andTrackingWhen: September 24thThe CFPB Examination Procedures for Debt Collection indicates areview of “the comprehensiveness of systems, proceduresand/or flowcharts for capturing, logging, tracking, handling,and reporting disputes and/or complaints and theirresolutions” will be performed. Will you be ready?