CFPB Readiness Series: Making Risk Assessment Work For You · Prepare for a CFPB examination

Posted on 12-Jul-2020


CFPB Readiness Series:

Making Risk Assessment Work For You

Who is KirkpatrickPrice?

KirkpatrickPrice is a licensed CPA firm, providing assurance services to over 250 clients in more than 40 states, Canada, Asia and Europe. The firm has over 10 years of experience in information assurance, performing assessments, audits, and tests that strengthen information security and compliance controls.

Welcome

Todd Stephenson is an Information Security Specialist helping collection agencies and law firms prepare for a CFPB examination.

– Certified Information Systems Auditor (CISA)

– Information Security Specialist

– Over four years working with the ARM industry

What is Risk Assessment?

• A systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking.

• It involves evaluating:

– Operational risks

– Compliance risks

– Reputational risks

Why Care About Risk Assessment?

• The CFPB is mandated

• Why should you care?

– To maintain revenue and business operations – Operational Risk

– Ensure future growth and opportunities – Reputational Risk

– Avoid costly lawsuits and fines – Compliance Risk

Risk Assessment is Interconnected

A Look at Vendor Risk

• “The Office of the Comptroller of the Currency (OCC) expects a bank to practice effective risk management …A bank’s use of third parties does not diminish the responsibility of its board of directors and senior management to ensure that the activity is performed in a safe and sound manner and in compliance with applicable laws.”

OCC: Third-Party Relationships: Risk Management Guidance (OCC 2013-29)

A Look at Vendor Risk

• “The institution’s officials are expected to have a clearly defined system of risk management controls built into the management system that governs the institution’s compliance operations, including controls over activities conducted by affiliates and third-party vendors.”

FDIC Compliance Manual — January 2014

Making it Work for You

• Confidence – I know where my risks are and I’ve addressed them. I sleep better at night.

• Clear Direction – I know what we need to be doing and what we don’t need to be doing.

– Ex: Internal Audit

• Cost savings – Ex: My vendor has a SOC 2 or PCI RoC and CFPB

Welcome

Jessie Skibbe is a former Chief Compliance Officer with 10 years of ARM industry experience. As Director of Compliance Services for KirkpatrickPrice, she is focused on assisting clients in meeting regulatory compliance & information security objectives.

– ACA Certified Credit & Collections Compliance Officer (CCCO)

– ISC2 Certified Information Systems Security Professional (CISSP)

– DBA Certified Receivables Compliance Professional (CRCP)

– PCI SSC Qualified Security Assessor (QSA)

Common Uses for Risk Assessment

• Business Continuity Planning

– Disaster Preparation

– Identifying Critical Business Components

• Information Security Compliance

– PCI DSS

– ISO 27001

– SSAE 16

– HIPAA

Compliance Risk Assessment

• Where do I begin?

– Begin by having a clear understanding of what federal, state and local laws are applicable to you.

• State Law Resources:

– http://www.acainternational.org/state-collection-laws-and-practices.aspx

– http://www.nationallist.com/white_papers

– Stay up to date

• Review consent order and recent litigation.

Compliance Risk Assessment

• What’s Next?

– Determine the most likely way a violation of these laws will occur.

• Consumer telephone calls

• Letters

• Non-compliant vendors

Compliance Risk Assessment

• Begin the process

– Policies and Procedures

• Risk Assessment Policy

• Risk Assessment Procedure

• Risk Assessment Template

– Document, Document, Document

• Remediation action needed

• Changes as a result of the risk assessment

Compliance Risk Assessment

• Next Steps

– Perform Third-Party Risk Assessments

– Internal Audit Procedures

– Internal Monitoring Procedures

– Third-Party Audit Procedures

– Third-Party Monitoring Procedures

• Risk Levels should determine what to monitor and how often

Third-Party Risk Assessment

Thank you for attending

Q & A

For further information contact:

Todd Stephenson

t.stephenson@kirkpatrickprice.com

800.977.3154 Ext. 202

Jessie Skibbe

j.skibbe@kirkpatrickprice.com

800.977.3154 Ext. 103

Coming up Next

CFPB Readiness Series: Developing Your Vendor Audit Framework and Questionnaire

When: May 29, 2014 at 2:30pm EST
