Service Provider Oversight Policy

OVERVIEW

The use of service providers can provide greater expertise or efficiency for a particular activity or can aid in attaining strategic objectives by increasing revenues or reducing costs; however, these arrangements can also present risks to systems, facilities, and employees if not properly managed. To mitigate this risk, the following service provider oversight process has been developed, which classifies the type of risk that each service provider presents and the information that needs to be reviewed prior to entering into a contractual agreement.

DEFINITIONS

  • A critical service provider is one that cannot easily be replaced and/or whose services, if interrupted, would cause significant financial and/or operational impact to the institution. In the event a service provider is deemed “critical” by Kredit Financial Inc. (Kredit), additional information is required to determine stability and reliability.

  • Service provider is defined in section 1002(26) of the Dodd-Frank Act as, “any person that provides a material service to a covered person in connection with the offering or provision by such covered person of a consumer financial product or service. A service provider may or may not be affiliated with the person to which it provides services.”

    • Covered person means: (A) any person that engages in offering or providing a consumer financial product or service; and (B) any affiliate of a person described in subparagraph (A) if such affiliate acts as a service provider to such person.

  • Inherent risk is the risk assigned to a service provider before controls are evaluated.

  • Residual risk is the risk after controls are evaluated that mitigate the inherent risk.

  • Personally identifiable information (PII) is information that, when used alone or with other relevant data, can identify an individual.

    • Sensitive PII can include a consumer’s full name, social security number, driver’s license, financial information, and medical records.

  • Recovery time objective (RTO) is the maximum time required to recover the system(s) from a catastrophic failure.

  • Recovery point objective (RPO) is the maximum expected data loss resulting from a catastrophic failure and subsequent recovery.

PURPOSE

This Policy has been created to establish the components of Kredit’s service provider oversight program and the steps necessary to mitigate the risk associated with utilizing external third parties.

POLICY

It is the policy of Kredit to fully evaluate the risk of using an outside service provider prior to entering into a contractual agreement.

SCOPE

This Policy is applicable to all outside service providers.

ROLES AND RESPONSIBILITIES

Kredit’s Chief Compliance Officer (CCO) is responsible for acting as the central coordinator that tracks and manages the service provider oversight program, which includes but is not limited to the following activities: conducting due diligence in accordance with each service provider’s inherent risk rating; working with Kredit’s subject matter experts in the areas of data security, contract compliance, and financial reporting; collecting and storing all records related to the due diligence process; and conducting periodic reviews in accordance with stated timelines. The CCO is also responsible for reviewing this Policy on an annual basis.

Kredit’s Chief Executive Officer (CEO) is responsible for notifying the CCO of any changes to the service provider network, including but not limited to the intended use of a new service provider, changes in the type of service they are providing to Kredit, and the intended termination of an existing service provider.

Kredit’s Chief Technology Officer (CTO) is responsible for reviewing security audit reports, questionnaires, Business Continuity and/or Disaster Recovery Plans and testing, where applicable. The CTO is also responsible for notifying the CCO of any changes to the service provider network, including but not limited to the intended use of a new service provider, changes in the type of service they are providing to Kredit, and the intended termination of an existing service provider.

Kredit’s Chief Financial Officer (CFO) is responsible for reviewing audited financials, where applicable.

PROCEDURE

Prior to entering into a contractual agreement with a service provider, the CCO must ensure that proper due diligence of said provider is performed based upon their inherent risk level. When determining a service provider’s inherent risk to Kredit, the following is taken into consideration:

  • Access to sensitive data (PII);

  • Access to critical applications;

  • Access to infrastructure; and/or

  • Operational, reputational, compliance/legal, or financial risk to Kredit.

The following Due Diligence Chart provides a description of the various risk levels and their related assessment requirements:

DUE DILIGENCE PROCESS

  1. When the need to leverage an outside service provider arises, a request must be submitted to Compliance via email (compliance@trykredit.com) with the following information:

    1. service provider name (company name);

    2. service provider primary contact name, email, and phone number;

    3. type of services they will provide;

    4. whether they will require access to sensitive data, infrastructure, or critical applications; and

    5. intended start date.

  2. Based on this information the CCO determines the service provider’s inherent risk rating using the methodology referenced in the Due Diligence Chart.

  3. Once the inherent risk rating has been determined, the CCO requests the required documentation from the service provider’s primary contact.

  4. Documentation varies based on the service provider’s assigned risk rating, and in some instances, it may require review by subject matter experts within Kredit. The parties responsible for reviewing the documentation supplied by the service provider are listed below:

    • (a) Kredit’s Chief Technology Officer (CTO) is responsible for reviewing security audit report(s) and questionnaire responses (where applicable) to ensure the scope of the audit is inclusive of the services being offered to Kredit, to assess the security controls of the service provider, and to identify whether any critical gaps are called out in the report(s). If critical gaps are identified, the CTO must determine the risk that those gaps pose to Kredit and present those concerns to the CEO and CCO. The CCO is responsible for following up with the service provider to determine how the findings will be addressed and the timeframe required to remediate them.

    • (b) The CCO is responsible for reviewing certificates of insurance to ensure they meet the established minimums.

    • (c) The CCO is responsible for performing OFAC checks to determine if the service provider is on a sanctions list (see Office of Foreign Asset Control section).

    • (d) The CCO is responsible for reviewing Background Check Policy and Training Policy to ensure the service provider requires all employees to undergo a criminal background check and complete information security training (annually at minimum).

    • (e) The CCO is responsible for reviewing Business Licenses to ensure they are current and active for the service provider.

    • (f) For critical service providers -

      • (I) The CTO is responsible for reviewing the critical service provider’s BCP/DR plans and related testing to assess the adequacy of the plans and to understand their Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for services directly related to Kredit.

      • (II) Kredit’s CFO is responsible for reviewing the critical service provider’s financial position to ensure soundness (see Financial Viability Review section).

    • (g) The CCO should attempt to determine if there have been any recorded violations, adverse news, or complaints about a service provider.

    • (h) Upon completion of the review of all required documentation, the CCO will determine the service provider’s residual risk rating.

      • (I) If the residual risk rating is high, the CCO must advise Kredit’s CEO of the risks associated with utilizing the service provider and suggest compensating controls that may mitigate some or all of the risk. The CEO has final approval on whether or not to move forward with the service provider. If the service provider is approved, the contracting phase can begin (see Contract Review section).

      • (II) If the residual risk rating is medium, the contracting phase can begin; however, ongoing monitoring may occur at more frequent intervals until the identified gaps are remediated (see Ongoing Monitoring section).

      • (III) If the residual risk rating is low, the contracting phase can begin without any further action.

    • (i) The CCO must document the results of each high and medium risk review on the related Assessment Form and store all documentation related to the process in the Vendor Management folder in Google Drive.

OFFICE OF FOREIGN ASSET CONTROL (OFAC)

  1. Kredit has established an OFAC screening process to identify and prevent transactions that are prohibited by applicable U.S. and non-U.S. sanctions laws and regulations or that, if not prohibited, may present a reputational risk due to the involvement of individuals or entities associated with narcotics trafficking, terrorism, or the proliferation of weapons of mass destruction.

  2. Kredit utilizes the ‘Sanctions List Search’ application on the U.S. Department of the Treasury’s website (https://sanctionssearch.ofac.treas.gov/) to identify if any proposed or existing service providers are on the sanctions list. The application is designed to facilitate the use of the Specially Designated Nationals and Blocked Persons list ("SDN List") and other sanctions lists administered by OFAC, including the Foreign Sanctions Evaders List, the Sectoral Sanctions Identification List, the List of Foreign Financial Institutions Subject to Correspondent Account or Payable-Through Account Sanctions, the Non-SDN Palestinian Legislative Council List, the Non-SDN Menu-Based Sanctions List, and the Non-SDN Communist Chinese Military Companies List.

  3. The steps for utilizing the search are as follows:

    • (a) Select Entity from the Type drop-down.

    • (b) Enter the exact full business name of the service provider in the Name field.

    • (c) Select All from the Program drop-down. The program codes following each sanctions list entry indicate the sanctions program under which the person has been blocked, designated, or identified, and indicate how a true hit on a returned value should be treated. A Program Code Key is available on the website.

    • (d) Set the Minimum Name Score threshold to 100.

    • (e) Select All from the Country drop-down.

    • (f) Select All from the List drop-down.

    • (g) Click on Search.

  4. If the search results yield a positive match or hit, the CCO must call the OFAC hotline at 1-800-540-6322 to determine whether the hit is a false positive. If it is a true hit, Kredit must not engage in business activities with the service provider and must file a Suspicious Activity Report with OFAC within 10 business days.

FINANCIAL VIABILITY REVIEW

Kredit performs a financial viability review of all critical service providers to ensure financial soundness. Kredit obtains a Business Credit Report on the critical service provider via Business Credit Reports and leverages the Supplier Viability Score on the Report. This score assesses the probability that a company will no longer be in business within the next 12 months based on a variety of financial factors, compared to all US businesses within the D&B database. The scores range from 1 (low risk) to 9 (high risk). A score of 7 or greater warrants further review and consideration by Kredit’s Accountant.

CONTRACT REVIEW

High and medium risk service provider contracts should, at minimum:

  1. Clearly define the rights and responsibilities of both parties.

  2. Contain adequate and measurable service level agreements (SLAs) and recourse for not meeting SLAs.

  3. Require the service provider to have a vendor management program and conduct due diligence on any vendors (4th parties) used to perform their services.

  4. Clearly define Kredit’s right to audit, monitor performance, and require remediation when issues are identified.

  5. Contain clear language that the service provider must remain compliant with the specific laws, regulations, guidance, and self-regulatory standards applicable to the activities involved, including privacy, and safeguarding of consumer information.

    • (a) Contain instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties (see VCDPA PnP).

  6. Clearly define the responsibility of the service provider to notify Kredit of any catastrophic events, information breaches, data loss, or service or system interruptions, in a reasonable amount of time.

  7. Contain confidentiality language that requires the service provider to maintain the confidentiality of company information.

  8. If the service provider stores, transmits, or receives consumer PII or highly confidential information, then the contract should contain language that requires the service provider to utilize appropriate means of encryption to protect the data at rest and in transit.

  9. Contain an Intellectual Property clause that prohibits the use of Kredit’s patents, trade secrets, and other intellectual property rights associated with any ideas, concepts, techniques, inventions, processes, or works of authorship developed or created by Kredit or its personnel.

  10. Contain representations and warranties language regarding the underlying matters or facts as they are presented in the terms of the contract.

  11. Contain indemnification language that specifies the extent to which Kredit and the service provider will be held liable to the other for damages and loss.

  12. Contain language that stipulates what constitutes default and circumstances for termination, including a provision that enables Kredit to terminate the contract upon reasonable notice and without penalty.

ONGOING MONITORING

Approved service providers must be re-assessed and monitored according to the following frequencies, which are based on their inherent risk rating:

  • High risk – annually

  • Medium risk – biennially

  • Low risk – triennially

The CCO is responsible for tracking and monitoring contract and insurance certificate expiration dates, which may occur outside of the frequencies stated above. The CCO is responsible for contacting the service provider to obtain updated insurance certificates and for working with the CEO on contract-related updates (e.g., renewals, amendments, addendums, or termination of an existing contract).

As part of the ongoing monitoring process, the CCO requests that each Kredit employee who has had direct involvement with the service provider over the review period complete a Performance Evaluation (PE) Form. The Performance Evaluation Form rates the service provider’s performance during the review period in the following 7 (seven) areas:

  1. Quality of service

  2. Responsiveness to Kredit requests

  3. Dependability

  4. Accurate billing

  5. Meets deadlines

  6. Professionalism

  7. Areas of concern/issues with service provider

The average PE score is taken into consideration when determining whether to continue utilizing the service provider and in determining when an amendment or addendum to a contract is necessary to address performance gaps.

TERMINATION OF SERVICES

Kredit may terminate service provider relationships for various reasons, including but not limited to:

  1. The expiration or satisfaction of a contract.

  2. The desire to seek an alternate service provider.

  3. The desire to bring the activity in-house or discontinue the activity.

  4. A breach of contract.

Prior to terminating a relationship with a service provider, Kredit must consider:

  1. The termination clause within each of the service provider contracts (i.e., time period associated with notification of termination).

  2. Whether or not the services that are being provided are critical in nature or if they can be discontinued entirely.

When termination of services has been decided, Kredit requires that all high-risk service providers securely delete any data from their systems and backups within 30 (thirty) days of termination. Kredit defines “securely delete” as sanitizing or deleting data to ensure the data is permanently sanitized, deleted and unrecoverable from any media, in whole or in part, by any means. If a client contractually requires their data to be purged in a shorter timeframe, Kredit will work with the service provider to make the necessary adjustments.

COMMUNICATION

This Policy shall be communicated to all affected employees via email and maintained in the Policies folder, sub-folder Vendor Management on Google Drive for reference purposes.

CONTROL

On an annual basis, beginning one year from the implementation of the Policy, the CCO shall conduct an audit of all service providers that were active during the audit period to ensure they have been assessed according to the above stated procedures.

VIOLATIONS

Utilizing a service provider without performing the procedures set forth in this Policy may result in legal, compliance, financial, and reputational risk for Kredit, as well as the risk of causing harm to consumers.

CHANGE SUMMARY

Purpose: Internal Policy

Category: Regulatory Policy

Policy Name: Service Provider Oversight Policy

Last updated