RAC Intermediary Partner Annual Due-Diligence Checklist and Certification
This annual Due-Diligence Checklist and Certification has been developed to provide RAC with assurance that an appropriate level of competence and compliance is in place to protect RAC and its customers/members.
This certificate is issued annually to all Intermediary partners of RAC. Its purpose is to provide assurance to RAC that partners' internal systems and controls are sufficient to mitigate the risk of reputational damage to the RAC brand.
RAC aims to work only with partners who are able to demonstrate a strong ethical business philosophy and who put the customer at the heart of their business.
Partners should immediately notify RAC (via their Account Manager) of any event that may impinge upon their ability to conduct business on behalf of RAC, of any censure by the regulator(s), or of any adverse publicity.
This certificate should be signed by a Director or Senior Officer.
When completed and signed, please return this certificate to: [email protected]
Guide for Completion
In each case the reference to "You" and "Your" means the RAC Partner for whom an authorised representative is completing the checklist.
If a question asks whether a document exists, please provide the date of that document's last review in the 'Comments' column.
If the answer to any question is 'No', please provide full details of the work being undertaken to bring the business into a 'Yes' condition, including anticipated timescales.
Revision History
Version | Date       | Status | Author     | Remarks
1.0     | 16/07/2014 | Draft  | D Christie | Document Creation
1.1     | 10/11/2014 | Live   | A Stuart   | Updated
RAC Intermediary Partner Due Diligence
Version 1.1
October 2014
Due Diligence Checklist
RAC Partner Name & Registered or Business address:
Financial Conduct Authority / Prudential Regulation Authority registration number:
Data Protection Registration number:
Contact Details of the authorised person completing this document:
Name:
Tel:
Email:
For each question below, answer No / N/A / Yes and add a Comment (please provide further detail if required).
1. AML, UK Sanctions and Anti-Bribery & Corruption
1.1. What arrangements do you have in place to comply with HMT sanctions screening requirements so far as RAC-introduced customers are concerned?
1.2. How often do you review these arrangements?
1.3. When was the last review conducted?
1.4. What was the result of the last review?
1.5. When and how would you notify RAC of a potential or confirmed match?
1.6. Do you have a current anti-bribery and corruption (ABC) policy? If not, please list the sections of other company policies that relate to ABC.
1.7. When was the policy or policies last reviewed?
1.8. Do you have a current Whistleblowing policy?
1.9. What date was the policy last reviewed and updated?
2. Insurance
2.1. Do you have all insurances required by law?
2.2. Is your Professional Indemnity Insurance compliant with all regulatory/legal requirements?
2.3. What are the limits of your indemnity?
2.4. Do you have any unusual limitations or exclusions?
3. Business Continuity
3.1. Has there been any material change in ownership or control of your business during the last year?
3.2. Do you have a formal disaster recovery/business continuity plan?
3.2.1. What date was the plan last reviewed & updated?
3.3. Please provide details of how you would ensure continuity of service to RAC customers in the event of a serious incident/disaster.
3.4. How often do you test your disaster recovery arrangements in practice?
3.4.1. When was this last carried out?
3.5. Were any failings in the plan identified that could impact your ability to service RAC customers? If so, please provide details of the action proposed/completed.
3.6. Is there a documented incident management policy / program / procedure in place which addresses the following:
1. Incident discovery
2. Incident notification
3. Risk ranking
4. Incident resolution
5. Reporting?
3.7. Is there an incident / event response team with defined roles and responsibilities?
3.8. Is documentation maintained on incidents / events (issues, notifications, outcomes, and remediation)?
3.9. Is there a documented process to notify RAC of any RAC-related incident?
4. Information & Data Security
4.1. Will you hold or process the personal data of RAC customers while performing the services (including data held under 'white labelled' arrangements)?
4.2. Do you have an approved & published Information Security Policy document?
4.3. If "Yes", how is this communicated to employees/other relevant parties?
4.4. If "Yes", what date was it last reviewed & approved?
4.5. Are IT facilities and services protected against malicious attack, accidental damage, natural hazards and unauthorised physical access?
4.6. Has comprehensive, up-to-date malware protection software been deployed?
4.7. Are controls and processes in place to protect system logs and monitor important security events?
4.8. Are system hardening standards/procedures documented? (Please explain in the Comments column how a consistent secure build is achieved.)
4.9. Does an external independent company perform annual vulnerability assessments / penetration tests of the IT environment?
4.10. Is there a vulnerability management program with a process (e.g. an alert service) in place to identify newly discovered security threats and vulnerabilities?
4.11. Is usage of the following software restricted?
1. public instant messaging
2. P2P file sharing
3. games and recreational software
4. any unauthorised software
5. unsolicited software received from any source
6. software written privately by an employee
7. software distributed with magazines
4.12. Are electronic communication applications (e.g. email, instant messaging and VoIP) protected?
4.13. Is an approved method for identifying, maintaining and protecting personally identifiable information applied?
4.14. Is the use of portable storage devices controlled? Is any RAC data held on a portable storage device? If so, please provide details.
4.15. Do you have a Data Protection Officer registered with the Information Commissioner's Office, with clearly defined roles and responsibilities for Data Protection risk management?
4.16. Do you have processes in place to support adherence to Data Protection requirements?
4.17. Does the information security policy address system and network security, including the following:
1. Access Controls
2. System Hardening
3. Intrusion Detection/Prevention
4. System logging/monitoring
5. Vulnerability scanning/penetration testing?
4.18. What arrangements are in place for Data Protection Act (DPA) training of staff, both as new starters and annually?
4.19. What arrangements have you in place to ensure that RAC customer data is held in compliance with the Act?
4.20. Does all the information collected from RAC, its customers, employees or others have an identified valid business need?
4.21. Is RAC information deleted / destroyed securely (i.e. wiped or shredded) after the end of its retention period / operational use?
4.22. Is sensitive RAC information encrypted while at rest (i.e. data stored on servers, workstations or laptops)?
4.23. Is RAC information encrypted in transit / accessed using secure protocols (e.g. SFTP, SSH, TLS) when communicating via untrusted networks?
4.24. Do you meet any external information security standards?
4.25. Do you possess independently awarded information security or other certifications?
4.26. Have you received in the past 12 months any complaint alleging a breach of the Data Protection Act in respect of customer information? If so, please provide details.
4.27. In the previous 12 months have you received any adverse comment from the Information Commissioner? If so, please supply details.
4.28. How do you identify and deal with breaches of the Data Protection Act, e.g. unauthorised access to customer information by employees?
4.29. Do you employ any network service providers? If so, how do you ensure they are compliant with all DPA and security requirements?
4.30. Do you currently, or do you plan to, give access to any RAC customer data outside the EEA? If yes, please provide further information.
4.31. Has an internal review of adherence to Data Protection requirements been completed by Risk, Compliance or Internal Audit in the last 18 months? If yes, what was the result?
5. PCI DSS (Payment Card Industry Data Security Standard)
5.1. Are you PCI DSS compliant?
5.2. Do you store, process or transmit credit card data for RAC as part of the services provided to RAC? If Yes, please continue with Section 5. If No, please skip to Section 6.
5.3. Have you previously validated compliance against PCI standards formally for the services or products rendered to RAC (whether hardware, software or a solution) by way of third-party assessment (e.g. QSA)?
5.4. Do you appear on either the Visa Europe list of Merchant Agents or the list of Member Agents?
5.5. Do you have validated compliance with, or experience of, PCI DSS for other services that are not currently provided to RAC?
5.6. Do you have any plans or intentions to validate compliance of the products/services currently provided to RAC in the near future?
5.7. Do you have an appropriate breach notification process in place, and does it include best practice from industry bodies (e.g. Visa Europe)?
5.8. Have you had any breaches in respect of PCI DSS? If so, please provide details.
6. Physical Security
6.1. Are there security policies related to HR including sections on the following:
1. Termination/change of role for employees
2. Employee screening
3. Non-disclosure?
6.2. Are there policies & procedures related to physical security including:
1. Physical access control systems
2. Physical access logging
3. Controlled access by non-employees
4. Security of IT devices
5. Security of physical media
6. Clear desk
7. Destruction of media?
6.3. Is access to important information and systems restricted to approved companies, and is their access limited to the specific systems that apply to them?
6.4. Is there a process in place to ensure proper removal of access to RAC information upon employee termination or job role change? The process should include the following provisions:
1. Notification to provisioning team of employee termination
2. Removal of access (terminations & role changes)
6.5. Do you have restrictions against taking devices containing RAC information (PCs, laptops, and removable media) off-site without appropriate authorisation and approval?
6.6. When storage devices containing RAC information are no longer to be used within your organisation, are they rendered unreadable before being taken off-site or decommissioned?
6.7. Do you have a security incident response plan in place which includes handling and reporting (notification of) data breaches?
6.8. Is RAC data separated from other customers' and clients' data?
7. Sales Processes
7.1. Are all agents' scripts & financial promotions which use or mention any connection with the RAC brand signed off by your Compliance Team and sent to RAC for agreement prior to use?
7.2. Are all Financial Promotions which use or mention the RAC brand compliant with FCA, ASA and other relevant regulators' rules and guidance?
7.3. Do you have an independent quality assurance (QA) function?
7.4. What percentage of your sales are subject to QA?
7.5. Have you had serious failings of your sales processes in the last 12 months? If so, please provide details.
7.6. Please confirm you have a Training & Competence (T&C) policy/guide and the date it was last reviewed.
7.7. In the previous 12 months have there been any material breaches of your T&C policy which have impacted on customers introduced by RAC? If so, please provide details.
7.8. How do you ensure that staff who interact with customers introduced by RAC are competent?
7.9. Can you confirm that any financial incentive programmes linked to sales adhere to the FCA guidance on financial incentives?
8. Treating Customers Fairly
8.1. Please confirm you have a TCF policy & a TCF statement and the dates these were last reviewed.
8.2. What TCF training do your staff receive?
8.3. Have you recorded any breaches of your TCF policy in respect of your RAC work?
9. Relationship with Regulators
9.1. In the previous 12 months, has your business been asked to explain any incident or action that may impact on your servicing of RAC customers to any of your regulators?
9.2. Has your business been censured or fined by, or provided any undertaking (voluntarily or otherwise) to, any of your regulators on any matter? If so, please provide details.
9.3. Do you have appropriate permissions from the FCA for Consumer Credit? If so, have you received any adverse comment, or firm-specific guidance, from the OFT/FCA in the previous 12 months?
9.4. Please provide your consumer credit reference number.
10. Outsourcing
10.1. Do you further outsource any part of your sales/admin process regarding customers introduced by RAC? If no, please go to Section 11.
10.2. What due diligence was carried out prior to outsourcing?
10.3. Please provide details of the controls in place.
11. Complaints Management
11.1. What process do you have in place to deal with complaints from RAC-introduced customers?
11.2. How many complaints relating to RAC-introduced customers have you received in the previous 12 months?
11.3. How many RAC-introduced customers appealed to the Financial Ombudsman Service (FOS) in the previous 12 months?
11.4. What is your FOS overturn rate for the previous 12 months for RAC-introduced customers?
11.5. What root cause analysis (RCA) do you carry out to prevent repeat complaints?
11.6. Have there been any changes to process resulting from RCA in the last 12 months?
12. Audit & Monitoring
12.1. How often are your RAC-related processes audited?
12.2. Please provide action plans & outcomes arising from issues raised by auditors which may have impinged upon your ability to provide appropriate levels of service to RAC-introduced customers.
12.3. Do you have a compliance monitoring plan in place? Please provide details of monitoring activities.
13. Management and Oversight
13.1. What management information (MI) is provided to senior management to enable effective oversight?
13.2. How often is this MI reviewed?
13.3. How do your senior management ensure they have appropriate oversight of sales channels?
I certify that the information given above is true.
Signature: ..............................................................
Name of Signatory: ..............................................................
Position within the Company: ..............................................................
Date: ..............................................................