The Third Party Payment Processors Association (TPPPA) is a national not-for-profit industry association representing and promoting the interests of payment processors, their financial institutions, and their merchants. The mission of the TPPPA is advocating on behalf of its members about the critical role that payment processors play in the economy and creating and promoting industry best practices in compliance for third party payment processing. In this webinar, our panelist will provide an overview of the TPPPA’s compliance management system modules and how your organization can utilize a SOC 1 audit to obtain TPPPA certification.

Why Utilize a SOC 1 Audit for TPPPA Certification?

SOC 1 is an audit and report on audit controls. It is performed by a certified CPA and is customized based on the services provided by an entity. Because a SOC 1 audit is based on risk, any objective and control that is relevant to an entity’s risk would be included in the audit report, including controls impacting your client’s financial security, information security reporting, regulatory compliance, and contractual requirements.

Because the SOC 1 audit report is written in an industry-recognized standard format, it is usually immediately recognizable. Because the report is standardized, readers who are familiar with the format find it easier to review. Apart from financial institutions’ familiarity with the SOC 1 audit report, there are a few other reasons that would justify utilizing a SOC 1 audit for TPPPA certification:

  • It is intentionally designed to be customizable.
  • It allows TPPPA to specify regulatory compliance objectives.
  • It allows the service provider to add objectives that are also relevant to their clients.

To learn more about SOC 1 audits and how they can be used to obtain TPPPA certification, download the full webinar. For more information about SOC 1 assessments and how KirkpatrickPrice can help you meet your compliance objectives, contact us today.

Contact:
Sarah Morris
KirkpatrickPrice
800-977-3154 x207

FOR IMMEDIATE RELEASE 

TPPPA and KirkpatrickPrice Announce Partnership in TPPPA’s Compliance Management System (CMS) Certification Program

The Third Party Payment Processors Association (TPPPA) and KirkpatrickPrice are excited to announce their partnership in the TPPPA’s Compliance Management System (CMS) Certification program. The TPPPA CMS consists of expertly crafted model policies specifically designed for third-party payment processors and financial institutions that have payment processors as their clients. All policies have been designed to address the oversight of relevant regulatory agencies, including FDIC, OCC, FRB, CFPB, and FinCEN.

The processor module contains policies to help processors comply with regulatory guidance and establish best practices for the industry. Processor policies include Bank Secrecy Act and Anti-Money Laundering (BSA/AML), consumer protection policies such as Unfair, Deceptive or Abusive Acts and Practices (UDAAP), and Consumer Complaints, Information Security, Privacy Policies, and more.

The financial institution module is a single policy that helps frame a distinct and cohesive third-party payments processing program, utilizing and integrating existing bank policies and disciplines. Together these modules close the compliance gaps that have existed in third-party payment processing relationships in the past.

“This product is designed to help responsible processors and financial institutions distinguish themselves from those that give third-party payment processing a bad name,” said Marsha Jones, President of the TPPPA. “However, policies are just words on paper unless they are implemented and applied. The TPPPA CMS Certification is designed to help processor members to apply the CMS and to be able to demonstrate this through third-party review.”

The TPPPA CMS Certification is based on an SSAE 16 Audit that is built on a control framework determined by the TPPPA. In the first year of certification, the member will have a SOC 1 audit performed validating that the controls are in place. The SOC 1 Type I process helps processors ensure that they have the proper control framework and make necessary adjustments to align with the TPPPA established controls. In subsequent years, the certification will consist of a SOC 1 Type II audit, measuring whether the controls are in place over time. “We like this framework because it is understandable and readily recognized by auditors and examiners, and the graduated approach allows members to strengthen their controls over time,” said Jones.

“Utilizing the SOC 1 is a great choice in allowing the use of an established audit framework to provide third-party validation for the payments processors’ internal controls as they relate to their regulatory and client requirements,” said Todd Stephenson, Vice President of Sales and Marketing, KirkpatrickPrice. “We are very excited about our partnership with TPPPA. It allows us both to leverage our unique strengths to educate, empower, and inspire the payments industry to greater levels of assurance to meet their challenging compliance goals.”

About the TPPPA

The Third Party Payment Processors Association (TPPPA) is a national not-for-profit industry association representing and promoting the interests of payment processors, their financial institutions and their merchants. Financial institutions and processor members have access to our exclusive Compliance Management System (CMS) as a part of their member benefits. Members must apply and be accepted into the TPPPA and agree to abide by a strict Code of Conduct. www.tpppa.org

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA and PCI QSA firm, registered with the PCAOB, providing assurance services to over 300 clients in more than 40 states, Canada, Europe, and Asia. The firm has over 100 years of combined experience in information security by performing assessments, audits, and tests, which strengthen information security and compliance controls. KirkpatrickPrice most commonly provides advice on PCI, SSAE 16, SOC 2, HIPAA, ISO 27001, FISMA, and CFPB frameworks. www.kirkpatrickprice.com

Once you’ve determined that you need to undergo a CFPB audit, conducting a risk assessment enables you to find and address gaps before the audit begins.

What is a Risk Assessment and Why Should I Care?

A risk assessment is a systematic process of evaluating the potential risks that may be involved in a projected activity or undertaking. It involves evaluating operational, compliance, and reputational risks. Aside from being mandated by the CFPB, risk assessments help you:

  • Maintain revenue and business operations
  • Ensure future growth and opportunities
  • Avoid costly lawsuits and fines

Risk assessments also help to instill confidence, develop a clear direction, and reduce costs for your organization. However, in order to reap these benefits, you’ll need to begin your risk assessment by:

  • Identifying and understanding the federal, state, and local laws that are applicable to your organization. It is essential that you have a clear understanding of the laws that regulate your organization’s collection practices
  • Staying up-to-date on consent orders and recent litigation
  • Determining the most likely way a violation of those laws will occur
  • Establishing policies and procedures
  • Documenting all remediation actions needed and any changes as a result of the risk assessment

For more information on how KirkpatrickPrice can help you conduct your risk assessment, contact us today!

When you begin preparing for your CFPB examination, it is critical that you develop and implement an internal audit process to provide an independent, objective evaluation of the operational effectiveness of your organizational controls. In this webinar, Information Security Specialists at KirkpatrickPrice will review how to develop an internal audit process for your organization and why it is essential for CFPB compliance.

Why Should I Have an Internal Audit Process?

According to the CFPB, “An effective compliance management system commonly has four interdependent control components: board and management oversight, compliance program, response to consumer complaints, and compliance audit. When all of these four control components are strong and well-coordinated, a supervised entity should be successful at managing its compliance responsibilities and risks.”

How Do I Develop an Internal Audit Process?

To develop your internal audit process, you can begin by doing the following:

  • Establishing authority for an internal audit process to operate: Your organization’s leadership, such as the Board of Directors or an owner, must give authorization and support for the policy.
  • Creating a reporting structure: You will need to identify independence, daily operational reporting, and audit deliverable reporting.
  • Determining the scope of the internal audit goals, deliverables, and objectives: Choose control frameworks and audit cycles.
  • Gathering internal audit staffing: Select staff based on professional competencies, develop internal audit performance metrics, and establish internal audit compensation schedules.
  • Developing an internal audit operational work process: Determine the documented frameworks needed, the audit plans to support those frameworks, the audit work paper requirements, and the data security and retention of audit work papers. You should also report the findings and recommendations, as well as the corrective action recommendations.
  • Using an internal audit program evaluation and updating accordingly: Analyze your program to see if it provides an independent objective evaluation of the operational effectiveness of organizational controls; if it includes findings, recommendations, and corrective action reporting in a timely manner; and if it requires that the current business model/cycle be updated.

For more information about CFPB compliance, contact us today.

Are you in the process of developing procedures for your organization? Are you unsure about what needs to be included in your company’s procedures? In this webinar, you’ll hear from Joseph Kirkpatrick, President of KirkpatrickPrice, as he provides an overview of the importance of establishing procedures for your organization and how to go about doing so in the most efficient way.

What are Procedures?

Policies and procedures are often mistaken for synonymous terms, but they mean different things. Policies define rules, guide employee decision making, are incorporated in the risk management process, and require enforcement. Procedures are process or task instructions on how policy is followed, and they also communicate the responsibility for tasks or processes. Drafted procedures should include:

  • Name
  • Procedure reference
  • Records of audit, change, and review
  • Effective date
  • Approval

Having established procedures is crucial for all organizations in their attempt to meet their compliance objectives. Procedures help ensure that policies are implemented correctly and efficiently, thus assisting your organization in maintaining compliance.

How Do I Begin Drafting Procedures?

When you begin drafting your organization’s procedures, start at a high level and become more specific. For example:

  • Step 1: Define the scope of your procedure, including a start and end point
  • Step 2: Consider all possibilities and decision points
  • Step 3: Interview the responsible parties
  • Step 4: Utilize flow charts and checklists

These procedures should be written in a clear, concise format that utilizes active voice in the present tense. By organizing your procedures in a way that is easy to navigate, understand, and implement, your employees will be more likely to comply with them.

To learn more about procedure drafting, including what to do after you have drafted procedures and examples of effective procedures, contact us today.