Outsourcing & Vendor Management
Fiduciary & Investment Risk Management Association
21st National Training Conference
April 18, 2007
Frederick Yorke, III
Member, Citigroup Trust Fiduciary Advisory Counsel

Our Agenda
• A brief history of outsourcing
• The current regulatory environment
• Remote vendor management
• Performing an on-site vendor review
• Some points to ponder

Early Trust Accounting
• Hand posted records
• Machine posted records
• Electronic data processing
• In-house hardware and software
• Service bureau contracts

Custody of Trust Assets
• Physical securities – by account and “FOSBI”
• FRB “book entry”, DTC and de-securitization
• Use of correspondent banks
• Holding companies and consolidation of trust departments
• Stand-alone trust companies

Investment Management
• In-house investment management
• Use of asset managers from other departments
• Purchase of investment management services
• Purchase of I/M services for specialized assets

Tax and Other Servicing
• Purchasing tax servicing
• Use of tax experts from elsewhere in the institution
• Other services:
  – Managing real property
  – Appraising real estate or closely-held companies
  – Managing other specialized assets
• Pricing of specialized services

“Private Labeling” Trust Services
• The bundling of trust services
• Advent of SEI Investments (Trust Company) & similar institutions
• Deciding what services to retain in-house:
  – Sales and marketing
  – Front-office processing
  – Middle-office coordination
  – Back-office operations
• Particular concerns regarding client privacy and the sharing of client information (see Sarbanes-Oxley, GLBA, USA PATRIOT Act and so forth)

Holding Companies and Use of Affiliates
• The FRB’s parts 23A and 23B
• Pricing of services and measuring profitability
• Proper MIS and risk management
• Cross-selling products and services
• “Arm’s Length Transactions”

Recent Regulatory Developments
SR 00-4 (SUP) from the Federal Reserve
  – Outsourcing of Information and Transaction Processing
  – Specifically addresses trust activities
  – Footnotes incorporate Fed, FFIEC and other earlier guidance, including parts 23A & B and SAS 70 reports
OCC Bulletin 2001-35
  – Examination procedures focused on client privacy
  – Attachment A, part IV details oversight of service providers
OCC Bulletin 2001-47
  – Risk Management of Third Party relationships
  – Supplements, but doesn’t replace, previous guidance

OCC Bulletin 2001-47: Areas of Concern
• The bulletin lists four areas of particular concern, in chronological order:
  – A risk assessment to identify the bank’s needs and requirements,
  – Proper due diligence to identify and select the third party provider,
  – Written contracts that outline duties, obligations and responsibilities of the parties involved, and
  – Ongoing oversight of the third parties and their activities

OCC Bulletin 2001-47: An Aside
Obviously, the bulletin anticipates that the institution starts at the beginning, i.e., first a decision is made to outsource a product, then a vendor is selected, and so on.
However, more often than not, the outsourcing has already occurred, the vendor is in place, and now we must establish a program.

Most Recent Regulatory Developments Impacting Vendor Management
OTS Thrift Bulletin TB 82 (03/18/2003)
  – Reminder of certain notification requirements
  – Notes a need for a termination provision
  – Rescinding of TB-46, “Contracting for Data Processing Services or Systems”
(A comprehensive list of references is attached)
OTS Thrift Bulletin TB 82a (09/01/2004)
  – Replaces TB 82, but not
  – Clarifies definition of “significant” contracts
  – Clarifies responsibilities of boards of directors and management
  – Modifies notification requirement when contracting with foreign service providers

OTS Thrift Bulletin 82 & 82a: Key Issues
• Does not replace CEO Memo #133, “Risk Management of Technology Outsourcing” dated 12/13/2000 [later replaced by CEO Memo #201 dated 07/15/2004] or TB 81, “Interagency Policy Statement on the Internal Audit Function and its Outsourcing” dated 03/17/2003, but leverages those documents and expands the concept to cover other types of third party arrangements
• Provides guidance re risk management on third party arrangements, whether with affiliates or non-affiliates
• Advises that safety and soundness examiners will review internal controls and management of third party arrangements and will request appropriate corrective action as needed

OCC Position regarding Key Risks Associated with Most Third-Party Relationships
  – Strategic Risk
  – Reputation Risk
  – Compliance Risk
  – Transaction Risk
  – Credit Risk

OCC Position - Further Risks
Depending on the circumstances, third-party relationships may also subject the bank to:
  – Liquidity risk
  – Interest rate risk
  – Price risk
  – Foreign currency translation risk
  – Country risk (when dealing with a foreign based service provider)

Key Components for Establishing a Vendor Management Program
• Drafting and maintaining an effective contract
  – Periodic updating
• Relying on or supplementing the SAS 70 Report
  – Recent expansion of the “Report”
• Establishing service level conditions & escalation procedures
• Creating, receiving and using MIS reports
• Issues relating to the use of affiliates

Creating, Receiving and Using MIS Reports
• Meeting regulatory or other minimum requirements
  – FFIEC minimum standards for trust accounting systems
  – SEC minimum standards for transfer agency functions
  – Standards set by the contracting parties
• Frequency of reports
  – Daily, weekly, monthly or quarterly
  – Hard-copy, electronic, other
  – Receipt in a timely manner

Creating, Receiving and Using MIS Reports - Continued
• Using the MIS Reports
  – Getting the reports to the right people
  – Providing feedback to the service provider
  – Modifying the reports as necessary

Vendor Management Tools
• Most institutions use a questionnaire or checklist during vendor review
• Typical names of these documents include:
  – Vendor qualification questionnaire
  – Environmental control questionnaire
  – Outsourcing evaluation
  – On-site vendor review

Implementing an Effective Management Program
• Pre-implementation Due Diligence
• Performing the Annual Review
• General Information
• Facility Security
• Human Resources
• Industry Trends
• Accounting
• Compliance
• Use of Third Parties
• Disaster Recovery / Continuity of Business
• Information Technology
• Reporting, Follow-up & Ongoing Monitoring

Points to Ponder
• Examiners, auditors and others will be looking to see how pro-active we are relative to vendor selection and management
  – Selecting a vendor
    • Cost/benefit analysis
    • Documentation
  – Managing the vendor
    • Frequency of contact
    • Condition of files
  – Arrangements with affiliates
    • Sections 23A and 23B
    • Disclosure

Points to Ponder
• Making the decision to perform an “on-site” vendor management review
  – The nature of the service provided
    • Data processing
    • Custody of assets
    • Tax preparation
  – The nature of the service provider
    • Another bank
    • A non-bank firm
    • An affiliate
  – Dealing with affiliates
    • Relying on their auditors, compliance people and risk managers