Compliance Management System (CMS) Flashcards

1
Q

What are the 3 types of supervisory activities/ strategies conducted by the FDIC?

A

Examinations, visitations, and investigations.

2
Q

Purpose of a visitation?

A

Targeted event aimed at specific operational areas, or entire compliance management systems previously identified as significantly deficient.

3
Q

Purpose of an investigation?

A

Conducted to follow up on specific consumer inquiries or complaints, including fair lending complaints.

4
Q

Purpose of examination? (3)

A

• assess the quality of an FDIC-supervised institution’s CMS for implementing federal consumer protection statutes and regulations;

• review compliance with relevant laws and regulations; and

• initiate effective supervisory action when elements of an institution’s CMS are deficient and/or when violations of law are found.

5
Q

What does risk-focusing involve? (3)

A

Developing a compliance risk profile for a bank using Products, Services, or Regulations (PSRs), and the bank’s organizational structure, operations, and past performance.

Assessing quality of CMS in light of inherent risks from the level and complexity of business operations, products, and services.

Transaction testing based on residual risk.

6
Q

What is reviewed under Board and Management oversight? (7)

A

Commitment and oversight of CMS.

Third party due diligence

Change management

Due diligence from product or service changes (pre and post)

Comprehension and identification of compliance risks including emerging risks in the bank’s products, services, etc.

Management of risk (self-assessments)

Identification and responsiveness to CMS deficiencies, violations, and remediation.

7
Q

What is reviewed under the compliance program?

A

Policies and procedures
Third-party management
Monitoring & audit
Consumer complaint response.

8
Q

What should be considered when evaluating a bank’s CMS?

A

The size and level of complexity of the bank.

A bank is not required to have all elements of a CMS. Conclusions about the adequacy of a bank’s CMS must be based on the effectiveness of those elements that are in place, taken as a whole, for that bank’s particular operations.

9
Q

What is the purpose of the ROE?

A

The Report of Examination provides an account of the strengths and weaknesses of a CMS to the Board.

10
Q

What is Supervisory Guidance?

A

Unlike a law or regulation, supervisory guidance does not have the force and effect of law, and the agencies do not take enforcement actions based on supervisory guidance. Rather, supervisory guidance outlines the agencies’ supervisory expectations or priorities and articulates the agencies’ general views regarding appropriate practices for a given subject area.

11
Q

What is Consumer Harm?

A

Actual or potential injury or loss to a consumer, whether such injury or loss is economically quantifiable (e.g., an overcharge) or non-quantifiable (e.g., discouragement). May be caused by activities conducted through a third party.

12
Q

What is quantifiable harm?

A

Economic harm to a consumer where the injury or loss can be measured.

13
Q

What type of consumer harm is this?

Deceptive marketing practices that entice a consumer to purchase a product without having accurate information regarding the benefits, costs, or terms of the product, in violation of Section 5 of the Federal Trade Commission Act.

A

Quantifiable Harm

14
Q

What type of consumer harm is this?

Bank employs a pricing structure that allows significant discretion, without effective monitoring or controls, resulting in a protected class of borrowers being charged higher prices on average than similarly situated non-protected borrowers, in violation of the Equal Credit Opportunity Act.

A

Quantifiable harm

15
Q

What is non-quantifiable harm?

A

Injury or loss to the consumer that cannot be measured, or is very difficult to measure, yet the consumer may suffer some form of economic or other harm.

16
Q

What type of consumer harm is this?

Financial institution unfairly denies the consumer credit or discourages an application on a prohibited basis in violation of the Equal Credit Opportunity Act.

A

Non-quantifiable harm

Consumer was injured economically; however, calculating the monetary value for the injury would be challenging.

17
Q

What type of consumer harm is this?

Unlawful requirements on consumers before the bank is willing to consider the consumers’ billing disputes or requirements that are not accurately divulged in the bank’s error resolution disclosures.

A

Non-quantifiable harm

The practice could discourage a customer from filing a dispute, but would be difficult to identify or quantify.

18
Q

What is potential harm?

A

Involves financial institution activities (or failure to take action) that create the possibility that a consumer may be harmed.

19
Q

What type of harm is this?

Violation of the regulations that implement the National Flood Insurance Act of 1968 where the financial institution failed to require flood insurance on a residence at loan closing.

A

Potential harm

The consumer has not suffered actual loss but is exposed to potential economic loss should a flood occur.

20
Q

What is the supervisory approach to consumer harm?

A

Identifying, addressing, and preventing consumer harm.

21
Q

How do examiners identify consumer harm?

A

Identification of inherent risk that may occur in a bank’s business activities.

22
Q

What is inherent risk?

Example?

A

Compliance risk associated with product and service offerings, practices, or other activities that could directly or indirectly result in significant consumer harm or noncompliance with rules or regulations, if no other controls or mitigating factors were in place.

Ex: new loan product, change in deposit account terms, presence of third party relationships.

23
Q

How do examiners address consumer harm?

A

When inherent risks are identified, examiners will ensure the bank takes appropriate action to address or mitigate the risks.

24
Q

How do examiners prevent consumer harm?

Example?

A

Mitigating factors are the strength of the CMS to mitigate inherent risk.

Ex: Strong management controls, effective training, on-going monitoring efforts.

25
Q

What is residual risk?

A

Risk exposure that remains after identifying the level of inherent risk and factoring in the strength of the mitigating factors that control that risk.

26
Q

What is the risk scoping formula?

A

inherent risk - mitigating factors = residual risk

27
Q

What is the level of risk in this scenario?

A bank introduces a new overdraft program with no due diligence, no monitoring or auditing, and numerous customer inquiries.

A

High risk product without effective CMS elements to mitigate inherent risk, thus high level of residual risk remains.

Inherent risk High
No Mitigants
Residual Risk High

28
Q

What should be communicated when a violation is identified? (3)

A

Severity, extent, and actual or potential consumer harm caused by the violation.

29
Q

What should a bank consider when taking appropriate corrective action?

A

Overall effectiveness of the CMS, root cause of deficiencies, and extent or impact of consumer harm.

30
Q

Why is communication and technical assistance provided by the FDIC a key component of preventing consumer harm?

A

Communicating the focus of FDIC examination efforts and supervisory priorities through diverse channels assists bankers in identifying and reviewing key areas of concern and addressing deficiencies promptly, prior to and unrelated to a specific examination activity.

In addition, examiners can provide certain types of technical assistance to community bankers during the course of an examination that may enable an institution to reduce the risk of consumer harm in the operation of its business.

31
Q

What is an effective CMS commonly comprised of?

A

Board and Management oversight

Compliance Program

32
Q

Who is ultimately responsible for developing and administering a CMS?

A

The Board

33
Q

Examples of Effective Board and Management oversight? (8)

A

• demonstrating clear and unequivocal expectations about consumer compliance, not only within the institution, but also to third-party providers;
• adopting clear policy statements;
• appointing a compliance officer with authority and accountability;
• allocating resources to compliance functions commensurate with the level and complexity of the institution’s operations;
• anticipating and evaluating changes in the institution’s operating environment and implementing responses across impacted lines of business;
• identifying compliance risk in the institution’s products, services, and other activities, and responding to deficiencies and violations;
• conducting periodic compliance audits; and
• providing for recurrent reports by the compliance officer to the Board.

34
Q

Compliance officers need authority and independence to do what? (3)

A

• cross departmental lines;
• have access to all areas of the institution’s operations; and
• effect corrective action.

35
Q

What are a compliance officer’s general responsibilities regardless of bank size or complexity? (7)

A

• developing compliance policies and procedures;
• training management and employees in consumer protection laws and regulations;
• reviewing policies and procedures for compliance with applicable laws and regulations and the institution’s stated policies and procedures;
• assessing emerging issues or potential liabilities;
• coordinating responses to consumer complaints;
• reporting compliance activities and audit/review findings to the Board; and
• ensuring that corrective actions are implemented in a timely fashion and are effective at preventing recurrence.

36
Q

True or false: Board and Management are not responsible for identifying and controlling compliance risks arising from third-party relationships?

A

False

Board and Management are responsible to the same extent as if the third-party activity were handled within the institution.

37
Q

What is included in an effective compliance risk management process for third-parties? (5)

A

risk assessments
due diligence in selecting provider
appropriate contract structuring and review
sufficient oversight of third-party activities
adequate quality control over products or services provided.

38
Q

What are the components of a compliance program?

A

Policies and Procedures
Training
Monitoring/Audit
Consumer Complaint response

39
Q

Why is a formal, written compliance program important? (4)

A

Planned, organized effort to guide compliance activities

training and reference tool

sound business step

will prevent or reduce regulatory violations

40
Q

True or false: a compliance program is dynamic.

A

True. A compliance program should be constantly amended to focus resources where they are needed most, based on risk.

41
Q

Is a written compliance program required?

A

No. However, the program’s effectiveness is more important than its formality.

42
Q

What do effective policies and procedures include? (4)

examples?

A

Goals and Objectives
Procedures for meeting goals and objectives
Information needed to perform a business transaction
Written and reviewed/updated as business, regulatory, or environmental changes occur.

Ex: regulation cites, definitions, sample forms w/ instructions, institution policy, directions for routing, reviewing and retaining/destroying transaction docs.

43
Q

What does effective training include? (4)

A

training to all staff, management, and Board (third parties as applicable) relevant to their jobs

regular training schedule

periodic assessment of employee knowledge and comprehension

training content that is frequently updated and accurate on the bank’s products, services, and business operations, as well as laws and regulations, policies and procedures, and emerging issues.

44
Q

What is monitoring?

A

A proactive approach by the bank to identify procedural or training weaknesses in an effort to preclude regulatory violations.

45
Q

What is an audit?

A

Independent assessment and validation of a bank’s system of internal controls, operations, and compliance risk management framework. Complements a monitoring system.

46
Q

True or false: If an institution has strong monitoring but no audit, all risks are appropriately mitigated.

A

False - audit and monitoring each play an important but different role in supporting a strong CMS.

47
Q

Effective monitoring includes regularly scheduled reviews of what? (7)

A

• disclosures and calculations for various product offerings;
• document filing and retention procedures;
• posted notices, marketing literature, and advertising;
• various state usury and consumer protection laws and regulations;
• third-party service provider operations; and
• internal compliance communication systems that update and revise the applicable laws and regulations to management and staff.

Transaction-level reviews are also helpful.

48
Q

Who determines the scope and frequency of audits?

A

The Board

49
Q

What should be considered when determining the scope and frequency of an audit? (12)

A

• expertise and experience of various institution personnel;
• organization and staffing of the compliance function;
• volume of transactions;
• complexity of products offered;
• number and type of consumer complaints received;
• number and type of branches;
• acquisition or opening of additional branch(es);
• size of the institution;
• organizational structure of the institution;
• outsourcing of functions to third-party service providers, including a review of agreements signed or made between the institution and vendors;
• degree to which policies and procedures are defined and detailed in writing; and
• magnitude/frequency of changes to any of the above.

50
Q

True or false: Audit findings should be reported directly to the Board?

A

False: findings should be reported to the Board OR to a Board-level committee.

51
Q

Audit report should include? (4)

A

• scope of the audit (including departments, branches, product types and third-party relationships reviewed);
• deficiencies or modifications identified;
• number of transactions sampled by category of product type; and
• descriptions of, or suggestions for, corrective actions and time frames for correction.

52
Q

What does effective complaint response include? (3)

A

-prompt complaint response

-established procedures for addressing complaints and individuals responsible for handling responses

-compliance officer is aware of complaints received and ensures action is taken to correct any deficiencies; complaints are monitored, including those from third parties.

53
Q

What is the purpose of the entrance meeting?

A

Facilitate discussion of various admin items and the scope of the exam.

54
Q

What is discussed during the entrance meeting? (10)

A

Overview of exam (PEP info and impact on SCOPE)

FDIC examiners

Length of Exam

EIC availability to discuss exam issues or FDIC policy

Primary contacts for exam issues

Issues identified during PEP, areas with significant risk that will receive close attention

PEP materials requested but not received

Exit meeting procedures

Date of next Board Meeting

CRA and FL reviews

55
Q

What should examiners consider when reviewing the CMS? (4)

A

The quality of the CMS (degree management is proactive and can assure compliance with regs)

If CMS is effective at facilitating compliance

identify CMS deficiencies and areas with great consumer harm risk.

Determine transaction testing areas.

56
Q

What materials should be reviewed at minimum to determine the adequacy of Policies and Procedures? (4)

A

Bank risk profile (business strategy, product offerings, branches, third party relationships)

Policies and Procedures

Board and Committee minutes

Examiner notes from management discussions

57
Q

What materials should be reviewed at minimum to determine the adequacy of Board and Management Oversight? (9)

A

Bank Risk profile
Prior Exam reports
Meeting minutes
New/amended policies or procedures
FDIC internal resources and CRC reports
Management responses to findings (exam, monitoring, audits)
Third party agreements
Org Charts
Examiner Notes

58
Q

Policies and Procedures should cover what areas at minimum? (10)

A

Compliance Policy
Lending
Deposits
Electronic Banking
Privacy
NDIP
Branch Closing
TILA
FCRA
Overdraft

59
Q

What should be in a Compliance Policy?

A

Guidance on daily compliance activities

Authority and responsibilities of CO, Committees, and employees

60
Q

What banks are required to maintain a Branch Closing policy?

A

Every bank with one or more branch locations.

61
Q

What are the Six areas that require written policies and procedures?

A

Branch Closing
EFT Remittance Transfers
TILA
FCRA
Safe Act
NDIP

62
Q

Are overdraft policies required?

A

No, but banks providing ODP are recommended to adopt written policies and procedures adequate to address the credit, operational, and other risks.

63
Q

Under what circumstances are examiners not required to review a policy or procedure? (3)

A

policy reviewed LX w/ no deficiencies
no changes or amendments since LX
No significant regulatory or operational changes since LX.

64
Q

What materials should be reviewed to determine the adequacy of training? (3)

A

Training Risk profile
Compliance training documentation
Examiner notes

65
Q

What materials should be reviewed to determine the adequacy of Monitoring? (5)

A

Monitoring Risk profile

Related policies and procedures

Monitoring documentation

Reports with findings, corrective action, and follow-up

Examiner notes

66
Q

What materials should be reviewed to determine the adequacy of Audit? (7)

A

Audit Risk profile

Audit policy, audit agreement/audit guidelines

Audit reports, responses, Follow-up

Audit workpapers

Org Chart

Board & committee minutes

Examiner notes

67
Q

True or false: Request Fair Lending self-testing reports.

A

False: Do not request this; however, if a bank voluntarily provides it then review the findings as part of the FL review.

68
Q

True or false: A financial institution’s audit or review of loan files, internal policies, and training material may indicate differences in the treatment of applicants that could constitute a violation of the fair lending laws.

A

True

69
Q

What materials should examiners review to determine the adequacy of Complaint response? (5)

A

Complaint risk profile
Complaint policies/procedures
Complaint files (internal FDIC and external)
Board & committee minutes
Examiner Notes

70
Q

True or false:
In certain cases management’s admission that a violation occurred is sufficient to warrant a citation without transaction testing.

A

True

71
Q

When should you consult with regional or field office management?

A

If an unusual issue or problem is identified.

72
Q

When should you and regional office or management staff consult with Washington SMEs? (3)

A

When findings, issues, or potential violations require guidance with respect to new regulations, or involve emerging/sensitive policy concerns.

Areas with high sensitivity/high impact.

For actions that require approval or concurrence or formal documentation under DCP policy/Authority.

73
Q

What should be done if an examiner’s recommendation is inconsistent with the outcome from a consultation?

A

Examiner and review examiner ensure language in the ROE is consistent with the final outcome.

74
Q

When is a Board meeting required post-exam?

A

Identified significant problems that required consultations

Enforcement action

Compliance rating 3,4,5

Needs to Improve CRA or lower

meeting requested

75
Q

When is a Board meeting not required?

A

Visitations
Complaint investigations
on-site reviews

76
Q

What is a transmittal letter?

A

Accompanies the ROE to the Board, and requires follow-up on the exam with the regional office, to:

Address MRBA
Develop violation corrective action
send letter to RO detailing corrective action for violations/MRBAs

77
Q

True or false: The consumer compliance rating does not reflect the effectiveness of a bank’s CMS to ensure compliance with laws and regulations and reduce the risk of consumer harm.

A

False

78
Q

What are the rating adjectives for a CMS in the ROE?

A

1 - Strong CMS
2 - Satisfactory CMS
3 - Deficient CMS
4 - Seriously deficient CMS
5 - Critically deficient

79
Q

What are the Rating assessment factors for Board and Management oversight? (4)

A

Oversight and commitment to the CMS

Effectiveness of bank’s change management processes

comprehension, identification, and management of risks from products, services or activities.

Self-identification and correction of issues.

80
Q

What are the Rating assessment factors for the Compliance Program? (4)

A

policies and procedures appropriate for risks in products, services, activities

degree to which training is current and tailored to risk and staff

sufficiency of monitoring/audit to encompass compliance risk

responsiveness and effectiveness of consumer complaint resolution.

81
Q

True or false: the root cause of a violation analyzes the degree to which weaknesses in the CMS gave rise to the violation.

A

True. The root cause is often tied to one or more weaknesses in the CMS.

82
Q

What are the strongest types of compliance programs?

A

Ones that are proactive. They promote consumer protection by preventing, self-identifying, and addressing compliance issues in a proactive manner.

83
Q

True or false: Self-identification and prompt corrective action reflect strengths in a CMS.

A

True: a robust CMS appropriate for the size, complexity, and risk profile of a bank’s business often will prevent violations or detect potential violations early on.

84
Q

Which presents greater supervisory concern?

(a) serious weaknesses in the policies and procedures or audit program of the mortgage department at a mortgage lender, or

(b) the same gaps at an institution that makes very few mortgage loans and strictly as an accommodation.

A

The first one; greater weight should apply to the bank’s management of material products with significant potential consumer compliance risk.

85
Q

True or false: A bank may not receive a less than satisfactory rating if no violations were identified.

A

False, a bank can receive a less than satisfactory rating with no violations based on deficiencies or weaknesses in the CMS.

86
Q

What are the four basic elements of an effective third-party risk management system?

A

Risk assessment
Due diligence in selecting a third-party
Contract structuring and review
Oversight/ Ongoing monitoring

87
Q

What makes a third party relationship significant? (7)

A

New relationship or implements new banking activities

has material effect on bank revenues or expenses

performs critical functions

stores, accesses, transmits, or performs transactions on sensitive customer info

markets bank products or services

provides or performs subprime lending or card payment transactions.

poses risks that could significantly impact earnings or capital.

88
Q

What is the focus of a third party review?

A

validating management’s record and process of identifying, monitoring, and controlling risks associated with the use of the third party.

89
Q

True or false: The FDIC does not evaluate activities conducted through third-party relationships as though the activities were performed by the bank itself.

A

False. The Board is ultimately responsible for managing activities conducted through third parties.

90
Q

True or False: Indemnity agreements with third-parties insulate the bank from responsibility

A

False. It helps to mitigate risk, but the agreements do not insulate the bank from its ultimate responsibility to be safe and sound and in compliance.

91
Q

What is the definition of a third party?

A

All entities that have entered into a business relationship with the financial institution, whether the third party is a bank or a nonbank, affiliated or not affiliated, regulated or nonregulated, or domestic or foreign.

92
Q

What types of risk arise from third-party relationships? (7)

A

Strategic risk
Reputation risk
Operational risk
Transaction risk
Credit risk
Compliance risk
Other risks

93
Q

What is Operational risk?

A

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. Third-party relationships often integrate the internal processes of other organizations with the bank’s processes and can increase the overall operational complexity.

94
Q

What is Transaction risk?

A

Transaction risk is the risk arising from problems with service or product delivery.

Ex: failure to perform as expected such as inadequate capacity, technological failure, human error, or fraud. The lack of an effective business resumption plan and appropriate contingency plans. Weak control over technology used resulting in threats to security and the integrity of systems and resources.

95
Q

What is Credit risk?

A

Credit risk is the risk that a third party, or any other creditor necessary to the third-party relationship, is unable to meet the terms of the contractual arrangements with the financial institution or to otherwise financially perform as agreed.

Ex: Financial condition of the third party, third-party that markets or is involved in the lending process.

96
Q

What would mitigate credit risk?

A

Appropriate monitoring of third-party activities to ensure credit risk is understood and remains within Board approved limits.

97
Q

What is Compliance risk?

A

Compliance risk is the risk arising from violations of laws, rules, or regulations, or from noncompliance with internal policies or procedures or with the institution’s business standards. This risk exists when the products or activities of a third party are not consistent with governing laws, rules, regulations, policies, or ethical standards.

Ex: marketing that violates ECOA or the FACT Act.

98
Q

What are some other risks associated with third parties that are less common? (5)

A

liquidity, interest rate, price, foreign currency translation, and country risks.

99
Q

What should be included in a third-party risk assessment process?

A

Ensure relationship is consistent with bank’s strategic plan.

Risk/Reward analysis for having the relationship vs. conducting activities at the bank

Reviewed by the Board or Committee.

Identify performance criteria, internal controls, reporting needs, and contract requirements for ongoing assessment and control of risks.

Ability to provide ongoing oversight.

Ensure CMS is adapted to effectively address relationship

Estimating long term financial impact of relationship

100
Q

What should be included for due diligence in selecting a third party?

A

Identifying risks and internal controls at start of a relationship and periodically during course (contract renewal)

Review of all info about the third party focusing on financial condition, specific relevant experience, knowledge of laws and regs, reputation, scope and effectiveness of operations and controls.

101
Q

What are the 14 things a bank could review as part of due diligence?

A

• Audited financial statements, annual reports, SEC filings, and other available financial indicators.
• Significance of the proposed contract on the third party’s financial condition.
• Experience and ability in implementing and monitoring the proposed activity.
• Business reputation.
• Qualifications and experience of the company’s principals.
• Strategies and goals, including service philosophies, quality initiatives, efficiency improvements, and employment policies.
• Existence of any significant complaints or litigation, or regulatory actions against the company.
• Ability to perform the proposed functions using current systems or the need to make additional investment.
• Use of other parties or subcontractors by the third party.
• Scope of internal controls, systems and data security, privacy protections, and audit coverage.
• Business resumption strategy and contingency plans.
• Knowledge of relevant consumer protection and civil rights laws and regulations.
• Adequacy of management information systems.
• Insurance coverage.

102
Q

What should be included as part of contract structure and review of third-parties? (4)

A

Board approval of contract

Review of contract by legal counsel

Prohibit assignment, transfer, or subcontracting of third party to other vendors unless approved by the bank.

Pay structure/cost or compensation for the relationship

103
Q

Name 5 topics that should be considered for inclusion in the scope of a third-party contract.

A

• Timeframe covered by the contract.
• Frequency, format, and specifications of the service or product to be provided.
• Other services to be provided by the third party, such as software support and maintenance, training of employees, and customer service.
• Requirement that the third party comply with all applicable laws, regulations, and regulatory guidance.
• Authorization for the institution and the appropriate federal and state regulatory agency to have access to records of the third party as are necessary or appropriate to evaluate compliance with laws, rules, and regulations.
• Identification of which party will be responsible for delivering any required customer disclosures.
• Insurance coverage to be maintained by the third party.
• Terms relating to any use of bank premises, equipment, or employees.
• Permissibility/prohibition of the third party to subcontract or use another party to meet its obligations with respect to the contract, and any notice/approval requirements.
• Authorization for the institution to monitor and periodically review the third party for compliance with its agreement.
• Indemnification.

104
Q

Name 2 compensation programs with third-parties that would elevate risk?

A

Programs that encourage steering consumers to higher cost products.

Volume and Short-term compensation incentives.

105
Q

What areas should be included in a contract? (12)

A

Scope
Cost/Compensation
Performance Standards
Management information Reports
Audit
Confidentiality and security agreement
Consumer complaints
Business resumption and contingency plans
Default and Termination
Ownership and license
Indemnification
Limits on liability

106
Q

True or false: The existence of indemnification provisions in a contract will not be a mitigating factor where deficiencies indicate the need to seek corrective actions.

A

True - Where violations are present, the FDIC’s consideration of remedial measures or enforcement actions will be made regardless of indemnification clauses.

107
Q

What should be reviewed as part of third-party oversight?

A

Annual board or committee review/approval of third-party agreements, operations, and risks

Maintain an adequate CMS

Staff to monitor significant relationships

Monitoring of third party quality of service, risk management, financial condition, and applicable controls and reports

108
Q

Name 5 things that should be included in third party monitoring? (15 total)

A

-Relationship effectiveness and alignment with strategic goals
-Legal review
-Annual financial review (audited financial statements)
-Insurance coverage
-Audit reports
-Policies, Procedures, internal controls
-compliance with laws and regs
-Business resumption & contingency plans
-changes in key personnel
-performance reports
-training of bank and third party
-testing programs for relationships w/ direct contact with customers
-Consumer complaint response
-Meet with reps from the third party to discuss performance or other areas of risk.
-Proper documentation of monitoring, oversight, contracts, business plans, risk analyses, and due diligence.