FIRMA National Risk Management Training Conference – Orlando, FL
Wednesday April 9, 2008
Third Party / SAS 70 Reports: A Regulatory and Standards Update
Francis P. Thomas, The Glenmede Trust Co., N.A.
Background
• If you use an outside service organization to accomplish a task, you need to know something about that organization’s control structure.
• If clients hire your firm to make investment decisions for them (especially employee benefit clients), they want to know about your controls.
Regulatory References
• FFIEC Outsourcing Technology Services IT Exam Handbook, June 2004
• FFIEC Supervision of Technology Service Providers Handbook, March 2003
• OCC Bulletin 2001-47 “Third Party Relationships”
• OCC Advisory Letter AL 2000-9 “Third Party Risk”
Board and Management Responsibilities
• Ensuring each outsourcing relationship supports the institution’s overall requirements and strategic plans
• Ensuring the institution has sufficient expertise to oversee and manage the relationship
• Evaluating prospective providers based on the scope and criticality of outsourced services
Board and Management Responsibilities (continued)
• Tailoring the enterprise-wide service provider monitoring program based on initial and ongoing risk assessments of outsourced services; and
• Notifying the primary regulator regarding outsourced relationships when required (OTS needs 30 days’ notice before establishing a relationship with a foreign service provider)
Risk Management Approach to Vendor Management
• Inventory all vendors – establish a database to record information
• Establish initial due diligence criteria
• Identify “significant” vendors
• Establish annual due diligence criteria for significant vendors
• Vendor Management Committee oversight
What is a significant vendor?
• Someone with access to client or employee NPI (nonpublic personal information)
• High business impact if the product or service is not available from the vendor
• High business impact due to vendor interaction with clients/prospects
• High business impact if the vendor fails
Vendor Management Committee Duties
• Oversee the establishment of all practices and procedures
• Review exceptions to the program and recommend or implement responses
• Report up in the committee structure and escalate any security concerns
• Report any risk concerns to the Risk Management Committee
Using a vendor SAS-70
• What type of report is supplied (Type I/A, or Type II/B with testing results)?
• Is the product or service you purchase specifically addressed in the report?
• Go to the results and look for disclosures about the controls over your product or service. Are they acceptable?
Using a vendor SAS-70 (continued)
• If control weaknesses were identified, is there a management response? Are the situations deemed significant to you?
• If significant, do you have an action plan to discuss with the vendor?
• If the vendor is unwilling to address your concerns, can you modify or exit the contract? If you are locked in, what alternate controls can be used?
Does your SAS-70 give away too much information?
• Don’t give flowcharts showing how data moves and is controlled.
• Don’t identify the actual systems you use; say “trust accounting system” or “trade order entry system” instead.
• Don’t identify your strategic partners by name (telecommunications vendor, name-brand routers and switches, etc.).
Questions / Comments
• Thank you for attending this session; we hope you take home some good information to implement in your shops!
• Have a safe trip home.