Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial...
Transcript of Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial...
![Page 1: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/1.jpg)
Outsourcing in the Financial Services IndustryFinancial Services Industry
March 22, 2012
John Ayanian | Barbara Melby | Marc Stark | Peter Watt-Morse | Joe Zanko
www.morganlewis.com
| | | |
![Page 2: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/2.jpg)
Introduction
Please note that any advice contained in this presentation is not intended or written to be used, and should not be used, as legal advice.
© Morgan, Lewis & Bockius LLP 3
![Page 3: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/3.jpg)
AgendaAgenda
I t d ti• Introduction
• Industry Trends (Marc Stark and Joe Zanko)
• An Overview of the Regulatory Environment (John Ayanian)y )
• Identifying Key Security Issues (Peter Watt-Morse)
• Wrap-up and CLE information
© Morgan, Lewis & Bockius LLP 4
![Page 4: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/4.jpg)
ParticipantsParticipants
John Ayanian Peter Watt MorseJo ya aPartnerMorgan LewisP: 202.739.5946 Email: [email protected]
Peter Watt-MorsePartner Morgan LewisP: 412.560.3320 E: [email protected]
Barbara MelbyPartnerMorgan Lewis
p @ g
Joe ZankoKPMGg
P: 215.963.5053E: [email protected]
Marc Stark
P: 908.403.0964E: [email protected]
Marc StarkDirectorKPMGP: 917.375.9610E: [email protected]
© Morgan, Lewis & Bockius LLP 5
asta @ p g co
![Page 5: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/5.jpg)
Industry Trends
© Morgan, Lewis & Bockius LLP© 2012 KPMG LLP 6
![Page 6: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/6.jpg)
Overarching Issues Impacting theFi i l S i I d tFinancial Services Industry
R l t h• Regulatory changes– Emerging FINRA Rules (e.g. 3190)
– Dodd-Frank Act
– Stricter capital requirements (e.g., Basel III)
• Market turbulence/uncertainty• Continued margin pressures
O it• Overcapacity• Continued industry contraction
© Morgan, Lewis & Bockius LLP© 2012 KPMG LLP 7
![Page 7: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/7.jpg)
Key Services Trends by SegmentKey Services Trends by Segment
Banking Capital Markets InsuranceBanking Capital Markets Insurance
Increasing regulatory scrutinyforcing core operational changes
Evolving regulatory requirements forcing operational changes
Increased margin pressures pushing continued evaluationof alternative operating models
Difficult market conditions putting new pressure on operational efficiency
Continued expansion of
Continued pressure on back and middle office operationsto transform operating models and enable a lower cost, high-performance environment
of alternative operating models
Slow but continued expansion of alternative delivery models with horizontal process areas (Finance HR) Continued expansion of
alternative operating modelsfor horizontal process areas
Continued expansion of alternative operating models
performance environment
Profitability challenges due to excess capacity and increased capital requirements
(Finance, HR)
Financial pressures forcing continued adoption of alternative models for middle-office operations (claimsalternative operating models
for core operational areas Increased adoption of outsourcing
Continued evaluation of viability of captive operations
operations (claims,calls, underwriting)
Intense competition and increased customer turnover
© Morgan, Lewis & Bockius LLP© 2012 KPMG LLP
![Page 8: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/8.jpg)
Financial Services Firms are Increasing Outsourcingin Response to Unrelenting Market Pressures
OutsourcingOutsourcinggaininggaining
Investment banks are increasingly opting for a buy model to support their transactional processes, rather than housing them in their local or offshore centers
This is primarily being driven by a need to lower costs by leveraging the scale of the outsourcing provider and its expertise and experience
A th SSC t b k l ki t i hi h d l
g gg gstrengthstrength – Two large financial institutions have recently sold off their captive centers in India to outsourcing providers and are
purchasing services back under BPO arrangements– Several other institutions are in the process of outsourcing activities from their captive operations, or are in early
planning stages
MoreMorevaluevalue--addedaddedwork movingwork movingto capti esto capti es
As the SSCs mature, banks are now looking at moving more high-end, complex or analytical processes to their offshore centers, while they move more vanilla processes to third parties. Examples at several institutions include:– Many institutions are adopting multigeography strategies (even, at times, with multiple sites in a single country)
– One European institution uses its nearshore centers in the US and UK, to support any outages in its offshore centers
DecreasingDecreasing More banks are now spreading their operations across locations in an effort to
decrease their dependence on certain geographies and ensure business continuity
to captivesto captives p , pp y g
– Banks are also mitigating risk by adopting multivendor strategies, moving toward a stable of vendors as opposed to a single partner
risk appetite risk appetite makes banks makes banks adopt a adopt a multilocationmultilocationt tt t
decrease their dependence on certain geographies and ensure business continuityof processes– Many institutions are adopting multigeography strategies (even, at times, with multiple sites in a single country)
– One European institution uses its nearshore centers in the United States and UK to support any outages in its offshore centers
B k l iti ti i k b d ti lti d t t i i t d t bl f d
© Morgan, Lewis & Bockius LLP© 2012 KPMG LLP
strategystrategy – Banks are also mitigating risk by adopting multi vendor strategies, moving toward a stable of vendors as opposed to a single partner
![Page 9: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/9.jpg)
Shared Services and Outsourcing: Well-Established Methods for Managing SG&A g g
Functions
Shared Services has become … with a growing portion of services
Global Outsourcing Expenditures($ B)
Over 80% of Large CompaniesHave Adopted Shared Services
Shared Services has become the delivery model of choice…
… with a growing portion of services delivered through outsourcing
250
300
($ B)
IT Outsourcing
Level Integrated Across Functions, Geographies & Business Units
100
150
200
Business ProcessOutsourcing
High
MediumLow
None
0
50
2001 2005 2009 2013
Of these, nearly two-thirds are operatingin a model that is multifunctional
and globally integrated
© Morgan, Lewis & Bockius LLP© 2012 KPMG LLP 10
“Gartner on Outsourcing, 2009 – 2010,” Gartner, Inc., December 23, 2009Source: Corporate Executive Board
and globally integrated
![Page 10: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/10.jpg)
For Many Organizations, Their Approach into a LeveragedService Model Follows a Traditional Maturity Life Cycle
Significant interest levels over the past BPO as Key Element
Transformed Global Operating
Service Model Follows a Traditional Maturity Life Cycle
AdoptionSt
12 months suggest that the insurance segment, in general, is accelerating maturity
Domestic BPO Pilot
Scale
yof Business
Strategy
Global Operating Model
• Expanded scope
• Offshore integrated as holistic part of
• In-country operation only
Stage
Strategic
Global ServiceDelivery
Service DeliveryBPO Pilot
• Initial offshoringsteps
• Build on successful pilot
• Grow initial processes/functions
Add f ti
• Expanded scope (strategic supplier relationships, captive, etc.)
global service delivery framework
ROI/ Value Realization/Risk Awareness
No Global
• May includeonshore outsourcing
Characteristics
ExamplesPilot/Education/Proof of Concept
StrategicSupplier
p
• Disparate initiatives
• Add new functions
Delivery Examples
Strategic Consideration
© Morgan, Lewis & Bockius LLP© 2012 KPMG LLP 11
Onshore Cost saving Integrated Strategy/Transformation Consideration
![Page 11: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/11.jpg)
An Overview of the Regulatory Environment
© Morgan, Lewis & Bockius LLP 12
![Page 12: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/12.jpg)
FINRA Regulatory HistoryFINRA Regulatory History
NASD Notice to Members 05-48 – July 2005– Primary focus on accountability and supervision
P hibiti t i t i “ d ti iti ”– Prohibitions on outsourcing certain “covered activities”• E.g., order taking, handling of customer funds and securities,
and supervisory responsibilities
– A member may not “contract its supervisory and compliance activities away from its direct control”• “Does not preclude a member from outsourcing certain activities
that support the performance of its supervisory and compliance responsibilities”
© Morgan, Lewis & Bockius LLP 13
![Page 13: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/13.jpg)
Proposed FINRA Rule 3190Proposed FINRA Rule 3190
B k dBackground– Clarify obligations and supervisory responsibilities
– Codify FINRA outsourcing guidance
– Require additional obligations for clearing and carrying membersmembers
© Morgan, Lewis & Bockius LLP 14
![Page 14: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/14.jpg)
Proposed FINRA Rule 3190Proposed FINRA Rule 3190
G l R i t A li bl t All FINRA M bGeneral Requirements Applicable to All FINRA Members– Continued responsibility to comply with applicable
securities laws and FINRA and MSRB rulessecurities laws and FINRA and MSRB rules
– No delegation of responsibilities for, or control over, covered outsourced activities
– Supervisory system and written procedures for covered activities
– Registration and qualifications
– Ongoing due diligence requirements
© Morgan, Lewis & Bockius LLP 15
![Page 15: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/15.jpg)
Proposed FINRA Rule 3190Proposed FINRA Rule 3190
Cl i d C i FiClearing and Carrying Firms– Restrictions on outsourcing specified activities
– Oversight requirements
– Notifications to FINRA
– Exceptions
© Morgan, Lewis & Bockius LLP 16
![Page 16: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/16.jpg)
Proposed FINRA Rule 3190Proposed FINRA Rule 3190
Restrictions for Clearing and Carrying Firms– A clearing or carrying member shall “vest” an associated
person of the member with the “authority andperson of the member with the authority and responsibility” for:• The movement of customer or proprietary cash or securities;
• The preparation of net capital or reserve formula computations; and
• The adoption or execution of compliance or risk-management systems.
© Morgan, Lewis & Bockius LLP 17
![Page 17: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/17.jpg)
Proposed FINRA Rule 3190Proposed FINRA Rule 3190
Clearing and Carrying Firms Must AdoptProcedures to:
– Enable the firms to take “prompt corrective action” to achieve compliance with applicable securities laws and FINRA and MSRB rules
– Approve transfer of third-party service provider duties to a subvendor
© Morgan, Lewis & Bockius LLP 18
![Page 18: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/18.jpg)
Proposed FINRA Rule 3190Proposed FINRA Rule 3190
N tifi ti R i t f Cl i C iNotification Requirements for a Clearing or CarryingMember
– Must notify FINRA of outsourcing agreements with– Must notify FINRA of outsourcing agreements with third-party service providers and subvendors “to perform any function or activities related to the member's businessas a regulated broker dealer” within 30 days of enteringas a regulated broker-dealer within 30 days of entering into the agreement
– Within three months of rule adoption, must notify FINRAp , yof all such outsourcing arrangements in effect as of the rule’s effective date
© Morgan, Lewis & Bockius LLP 19
![Page 19: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/19.jpg)
Proposed FINRA Rule 3190Proposed FINRA Rule 3190
N tifi ti t i l dNotification must include:– Functions being performed by a third-party service
provider (and subvendors if known)provider (and subvendors if known)
– Identity and location of the third-party service provider (and subvendors if known)
– The identity of the third-party service provider’s regulator (if any)
– A description of any affiliation between the firm and the third-party service provider
© Morgan, Lewis & Bockius LLP 20
![Page 20: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/20.jpg)
Proposed FINRA Rule 3190Proposed FINRA Rule 3190
Exceptions:– Ministerial activities
– Carrying agreement approved under FINRA Rule 4311
© Morgan, Lewis & Bockius LLP 21
![Page 21: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/21.jpg)
FINRA Regulatory Notice 11-14FINRA Regulatory Notice 11 14
Status of Rule Proposal
© Morgan, Lewis & Bockius LLP 22
![Page 22: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/22.jpg)
Identifying Key Security Issues
© Morgan, Lewis & Bockius LLP 23
![Page 23: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/23.jpg)
Security: Key Outsourcing IssueSecurity: Key Outsourcing Issue
R l t R i t– Regulatory Requirements
– Potential DamagesPotential Damages• Amount of Damages vs. Service Costs
• “Customer Relation” Payments• Customer Relation Payments
• Cost of Corrective Measures
– Reputational Risk
© Morgan, Lewis & Bockius LLP 24
![Page 24: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/24.jpg)
Regulatory BackgroundRegulatory Background
F d l R• Federal Reserve– Federal Reserve Bank of New York:
Whit P• White Paper– Independent validation of security processes– Responsible for management
– Federal Reserve Board (FRB):
• Supervisory Letter– Institutional controls for security are at least equivalent to
internal controls
© Morgan, Lewis & Bockius LLP 25
![Page 25: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/25.jpg)
Regulatory BackgroundRegulatory Background
FDIC• FDIC– Guidance:
St t t t t t i t i t l d t l• Structure agreements to protect against internal and external security threats
– Recommendations:eco e da o s
• Due diligence/risk assessment
• Monitoring/audit
• Termination rights
© Morgan, Lewis & Bockius LLP 26
![Page 26: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/26.jpg)
Regulatory BackgroundRegulatory Background
E i ti OCC OTS FFIEC• Examinations – OCC, OTS, FFIEC– Compliance with Section 501 of Gramm-Leach-Bliley
C h i i f ti it t f d• Comprehensive information security program to safeguard nonpublic personal financial information
– Security Guidelines:Secu y Gu de es
• Outsourcing agreement includes all requirements contained in customer’s internal written information security program
– Information Access:
• Transparency
© Morgan, Lewis & Bockius LLP 27
• Limits on service provider
![Page 27: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/27.jpg)
Due DiligenceDue Diligence
V dVendors: “Don’t worry – our security protections are adequate”:
“We will provide you the same protection we provide for our own information”
“We are regulated and those regulations protect you”
“You cannot review our internal procedures based on confidentiality/security concerns”
© Morgan, Lewis & Bockius LLP 28
![Page 28: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/28.jpg)
Due DiligenceDue Diligence
Understand the what, where, who, and how
What is the security offering vs. What are the security requirements?
Work with Security,
security requirements?
What types of data will be processed/hosted?– Nonpublic personal information (NPPI),
b i iti i f ti Security, Audit, Risk,
DR, Compliance
business-sensitive information
Where are the services being provided?
Who is providing the services? Who is providing the services?
How is data segregated and used?– May vary by environment (production,
DR back p archi e)
© Morgan, Lewis & Bockius LLP 29
DR, backup, archive)
![Page 29: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/29.jpg)
Due DiligenceDue Diligence
I t f tti ti t t th• Importance of getting respective teams together– Early in due diligence process – contract and exhibit
documents align with discussions
• Comparison of security policies: – Meeting or exceeding internal security
– Bridging the gaps
– Attachment to contract
C l t i d d t i k t• Complete independent risk assessment
© Morgan, Lewis & Bockius LLP 30
![Page 30: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/30.jpg)
Contract Provisions – ConfidentialityContract Provisions Confidentiality
C fid ti lit P i i• Confidentiality Provisions:– Important but not sufficient – need process standards,
monitoring and management breach responsemonitoring and management, breach response
– Issues:
• Vendor Sensitive Information – balancing• Vendor Sensitive Information – balancing transparency/vendor confidentiality
• Segregation of Data – access and third-party information
© Morgan, Lewis & Bockius LLP 31
![Page 31: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/31.jpg)
Data ProtectionData Protection
O hi f D t• Ownership of Data• Limitations on Other Uses• Storage• Storage
– Backup
– Access
– Return
• Record Retention– Policy alignment
– Litigation holds/regulatory requirements
D t ti t ti
© Morgan, Lewis & Bockius LLP
– Destruction protections
32
![Page 32: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/32.jpg)
Data ProtectionData Protection
Ch t S it P li i• Changes to Security Policies– Regulatory Requirements (e.g. PCI)
– Customer-Initiated
• Change management process
– Vendor-Initiated
• No negative impact on security
Ad ti /d t ti li• Advance notice/documentation – compliance
• Cost issues
© Morgan, Lewis & Bockius LLP 33
![Page 33: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/33.jpg)
Data ProtectionData Protection
C t D t (NPPI)• Customer Data (NPPI) – Compliance with GLBA
C li i d f b t t• Compliance required of subcontractors
• Ensure proper disposal of NPPI
• Provide notice and information regarding breach includingProvide notice and information regarding breach, including payment for resultant credit monitoring services
– Fair Credit Reporting Act (Red Flags)
– Massachusetts Regulations
• 3/1/12 – Certification
© Morgan, Lewis & Bockius LLP 34
![Page 34: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/34.jpg)
AuditAudit
Wh C d t A dit?• Who Conducts Audit?– Existing Internal Processes – Independent Auditors
• Frequencyq y– Annual Plus
• Breaches
P li Ch• Policy Changes
• Vendor Audits– Right to Notice of Results
• Regulatory Requirements• SSAE16
© Morgan, Lewis & Bockius LLP 35
![Page 35: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/35.jpg)
SubcontractorsSubcontractors
• “Permitted Subcontractors”– Right of Approval/Customer Data
S• Standards– GLBA Compliance
R i• Revocation– Regulatory Issues
– Change Management
• Audit Rights
© Morgan, Lewis & Bockius LLP 36
![Page 36: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/36.jpg)
Remote WorkersRemote Workers
W ld id bil k l ti ill t 20% f• Worldwide mobile worker population will grow to 20% of workforce (1.19 billion people) by the end of this year
• Review internal policiesReview internal policies – Laptops, mobile devices, noncompany devices, network
connections
• Align vendor policies– Passwords, monitoring requirements, antivirus software,
local storage, encryption, incident management
• Monitoring/future modifications
© Morgan, Lewis & Bockius LLP 37
![Page 37: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/37.jpg)
Data BreachData Breach
R i t f N ti• Requirements for Notice– Security vs. Data Breach
– Investigation/Transparency/Participation
• Remediation R di l Pl A t T ti– Remedial Plan – Acceptance Testing
– Change Management
© Morgan, Lewis & Bockius LLP 38
![Page 38: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/38.jpg)
Data BreachData Breach
Li bilit• Liability– Cap Issues
C t f i ti ti / tifi ti / it i l d d f• Costs of investigation/notification/monitoring excluded from cap
– Consequential DamagesCo seque a a ages
• Primary damage
• Exception to exclusion
• Nonexcluded but capped
© Morgan, Lewis & Bockius LLP 39
![Page 39: Outsourcing in the Financial Services IndustryFinancial ......strength – Two large financial institutions have recently sold off thei r captive centers in India to outsourcing providers](https://reader034.fdocuments.net/reader034/viewer/2022050407/5f8804bf43082c50dd72c2d4/html5/thumbnails/39.jpg)
international presence
© Morgan, Lewis & Bockius LLP 42
Beijing Boston Brussels Chicago Dallas Frankfurt Harrisburg Houston IrvineLondon Los Angeles Miami New York Palo Alto Paris Philadelphia Pittsburgh Princeton San Francisco Tokyo Washington Wilmington