RAC Intermediary Partner Annual Due-Diligence Checklist and Certification

This annual Due-Diligence Check and Certification has been developed to provide RAC with an assurance that there is an appropriate level of competence and compliance in place to protect RAC and its customers/members. This certificate is issued on an annual basis to all Intermediary partners of RAC. Its purpose is to provide assurance to RAC that partners' internal systems and controls are sufficient to mitigate any residual brand reputational damage to RAC.

RAC aims only to work with partners who are able to demonstrate a strong ethical business philosophy and which put the customer at the heart of their business. Partners should immediately notify RAC (via their Account Manager) of any event which may impinge upon their ability to conduct business on behalf of RAC, or of any censure by the regulator(s) or adverse publicity.

This certificate should be signed by a Director or Senior Officer. When completed and signed, please return this certificate to: [email protected]

Guide for Completion

In each case the reference to "You" and "Your" means the RAC Partner for whom an authorised representative is completing the checklist. If a question asks whether a document exists, please provide the date of the last review of that document in the 'comments' column. If the answer to any of the questions is 'No', please provide full details of the work being undertaken to bring the business into a 'Yes' condition, including anticipated timescales.
Revision History

  Version  Date        Status  Author      Remarks
  1.0      16/07/2014  Draft   D Christie  Document Creation
  1.1      10/11/2014  Live    A Stuart    Updated

RAC Intermediary Partner Due Diligence, Version 1.1, October 2014

Due Diligence Checklist

RAC Partner Name & Registered or Business address:
Financial Conduct Authority / Prudential Regulation Authority registration number:
Data Protection Registration number:
Contact Details of the authorised person completing this document:
  Name:
  Tel:
  Email:

Each question is answered in one of three columns (No / N/A / Yes) plus a Comment column: please provide further detail if required.

1. AML, UK Sanctions and Anti-Bribery & Corruption

1.1. What arrangements do you have in place to comply with HMT sanctions screening requirements so far as RAC introduced customers are concerned?
1.2. How often do you review these arrangements?
1.3. When was the last review conducted?
1.4. What was the result of the last review?
1.5. When and how would you notify RAC of a potential or confirmed match?
1.6. Do you have a current anti-bribery and corruption (ABC) policy? If not, list those policy sections relating to ABC contained within other company policies.
1.7. When was the policy or policies last reviewed? (Comment: Date:)
1.8. Do you have a current Whistleblowing policy?
1.9. What date was the policy last reviewed and updated? (Comment: Date:)

2. Insurance

2.1. Do you have all insurances required by law?
2.2. Please confirm your Professional Indemnity Insurance is compliant with any regulatory/legal requirements.
2.3. What are the limits of your indemnity?
2.4. Do you have any unusual limitations or exclusions?

3. Business Continuity

3.1. Has there been any material change in ownership or control of your business during the last year?
3.2. Do you have a formal disaster recovery/business continuity plan?
3.2.1. What date was the policy last reviewed & updated? (Comment: Date:)
3.3. Please provide details of how you would ensure continuity of service to RAC customers in the event of a serious incident/disaster.
3.4. How often do you practically test your disaster recovery arrangements?
3.4.1. When was this last carried out? (Comment: Date:)
3.5. Were any failings in the plan identified that could impact your ability to service RAC customers? If so, please provide details of the action proposed/completed.
3.6. Is there a documented incident management policy / program / procedure in place which addresses the following:
  1. Incident discovery
  2. Incident notification
  3. Risk ranking
  4. Incident resolution
  5. Reporting?
3.7. Is there an incident / event response team with defined roles and responsibilities?
3.8. Is documentation maintained on incidents / events (issues, notifications, outcomes, and remediation)?
3.9. Is there a documented process to notify RAC of any RAC related incident?

4. Information & Data Security

4.1. Will you hold or process the personal data of RAC customers while performing the services (including data held under 'white labelled' arrangements)?
4.2. Do you have an approved & published Information Security Policy document?
4.3. If "Yes", how is this communicated to employees/other relevant parties?
4.4. If "Yes", what date was it last reviewed & approved? (Comment: Date:)
4.5. Are IT facilities and services protected against malicious attack, accidental damage, natural hazards and unauthorised physical access?
4.6. Has comprehensive, up-to-date malware protection software been deployed?
4.7. Are controls and processes in place to protect system logs and monitor important security events?
4.8. Are system hardening standards/procedures documented? (Please explain in the comments how a consistent secure build is achieved.)
4.9. Does an external independent company perform annual vulnerability assessments / penetration tests of the IT environment?
4.10. Is there a vulnerability management program with a process (e.g. alert service) in place to identify newly discovered security threats and vulnerabilities?
4.11. Is usage of the following software restricted?
  1. public instant messaging
  2. P2P file sharing
  3. games and recreational software
  4. any unauthorised software
  5. unsolicited software received from any source
  6. software written privately by an employee
  7. software distributed with magazines
4.12. Are electronic communication applications (e.g. email, instant messaging and VoIP) protected?
4.13. Is an approved method for identifying, maintaining and protecting personally identifiable information applied?
4.14. Is the use of portable storage devices controlled? Is any RAC data held on a portable storage device? If so, please provide details.
4.15. Do you have a Data Protection Officer registered with the Information Commissioner's Office with clearly defined roles and responsibilities for Data Protection risk management?
4.16. Do you have processes in place to support adherence to Data Protection requirements?
4.17. Does the information security policy address system and network security including the following:
  1. Access Controls
  2. System Hardening
  3. Intrusion Detection/Prevention
  4. System logging/monitoring
  5. Vulnerability scanning/penetration testing?
4.18. What arrangements are in place for staff training for the DPA, both for new starters and annually?
4.19. What arrangements have you in place to ensure that RAC customer data is held in compliance with the Act?
4.20. Does all the Information collected from RAC, its customers, employees or others have an identified valid business need?
4.21. Is RAC Information deleted / destroyed securely (i.e. wiped or shredded) after the end of its retention period / operational use?
4.22. Is sensitive RAC information encrypted while at rest (i.e. data stored on servers, workstations or laptops)?
4.23. Is RAC Information encrypted in transit / accessed using secure protocols (e.g. sFTP, SSH, TLS, etc.) when communicating via untrusted networks?
4.24. Do you meet any external information security standards?
4.25. Do you possess independently awarded information security or other certifications?
4.26. Have you received in the past 12 months any complaint alleging a breach of the Data Protection Act in respect of customer information? If so, please provide details.
4.27. In the previous 12 months have you received any adverse comment from the Information Commissioner? If so, please supply details.
4.28. How do you identify and deal with breaches of the Data Protection Act, e.g. unauthorised access to customer information by employees?
4.29. Do you employ any network service providers? If so, how do you ensure they are compliant with all DPA and security requirements?
4.30. Do you currently, or do you plan to, give access to any RAC customer data outside the EEA? If yes, please provide further information.
4.31. Has an internal review of adherence to Data Protection requirements been completed by Risk, Compliance or Internal Audit in the last 18 months? If yes, what was the result?

5. PCI DSS (Payment Card Industry Data Security Standard)

5.1. Are you PCI DSS Compliant?
5.2. Do you store, process or transmit credit card data for RAC as part of the services provided to RAC? If Yes, please continue with Section 5. If No, please skip to Section 6.
5.3. Have you previously validated compliance against PCI standards formally for the services or products rendered to RAC (whether hardware, software or a solution) by way of third party assessment (e.g. QSA)?
5.4. Do you appear on either the Visa Europe list of Merchant Agents or that of Member Agents?
5.5. Do you have validated compliance or experience with PCI DSS for other services which are currently not provided to RAC?
5.6. Do you have any plans or intentions to validate compliance of the products/services currently provided to RAC in the near future?
5.7. Do you have an appropriate breach notification process in place, and does it include best practice from industry bodies (e.g. Visa Europe)?
5.8. Have you had breaches in respect of PCI DSS? Please provide details.

6. Physical Security

6.1. Are there security policies related to HR including sections on the following:
  1. Termination/change of role for employees
  2. Employee screening
  3. Non-disclosure?
6.2. Are there policies & procedures related to physical security including:
  1. Physical access control systems
  2. Physical access logging
  3. Controlled access by non-employees
  4. Security of IT devices
  5. Security of physical media
  6. Clear desk
  7. Destruction of media?
6.3. Is access to important information and systems restricted to approved companies, and is their access limited to specific applicable systems?
6.4. Is there a process in place to ensure proper removal of access to RAC information upon employee termination or job role change? The process should include the following provisions:
  1. Notification to provisioning team of employee termination
  2. Removal of access (terminations & role changes)
6.5. Do you have restrictions against taking devices containing RAC Information (PCs, laptops, and removable media) off-site without appropriate authorisation and approval?
6.6. When storage devices containing RAC information are no longer to be used within your organisation, are they rendered unreadable before being taken offsite or decommissioned?
6.7. Do you have a security incident response plan in place which includes handling and reporting (notification of) data breaches?
6.8. Is RAC data separated from other customer/client data?

7. Sales Processes

7.1. Are all agents' scripts & financial promotions which use or mention any connection with the RAC brand signed off by your Compliance Team and sent to RAC for agreement prior to use?
7.2. Are all Financial Promotions which use or mention the RAC brand compliant with FCA, ASA and other relevant regulators' rules and guidance?
7.3. Do you have an independent Q & A function?
7.4. What percentage of your sales are subject to Q & A?
7.5. Have you had serious failings of your sales processes in the last 12 months? Please provide details.
7.6. Please confirm you have a Training & Competence (T&C) policy/guide and the date it was last reviewed.
7.7. In the previous 12 months have there been any material breaches of your T&C policy which have impacted on customers introduced by RAC? If so, please provide details.
7.8. How do you ensure that staff who interact with customers introduced by RAC are competent?
7.9. Can you confirm that any financial incentive programmes linked to sales adhere to the FCA guidance on Financial Incentives?

8. Treating Customers Fairly

8.1. Please confirm you have a TCF policy & TCF statement and the dates these were last reviewed.
8.2. What TCF training do your staff receive?
8.3. Have you recorded any breaches of your TCF policy in respect of your RAC work?

9. Relationship with Regulators

9.1. In the previous 12 months, has your business been asked to explain any incident or action which may impact on your servicing of RAC customers to any of your regulators?
9.2. Has your business been censured or fined, or, voluntarily or otherwise, provided any undertaking to any of your regulators on any matter? If so, please provide details.
9.3. Do you have appropriate permissions from the FCA for Consumer Credit? If so, have you received any adverse comment, or firm specific guidance, from the OFT/FCA in the previous 12 months?
9.4. Please provide your consumer credit reference number.

10. Outsourcing

10.1. Do you further outsource any part of your sales/admin process regarding customers introduced by RAC? If no, please go to question 11.
10.2. What due diligence was carried out prior to outsourcing?
10.3. Please provide details of the controls in place.

11. Complaints Management

11.1. What process do you have in place to deal with complaints from RAC introduced customers?
11.2. How many complaints relating to RAC introduced customers have you received in the previous 12 months?
11.3. How many RAC introduced customers appealed to FOS in the previous 12 months?
11.4. What is your FOS overturn rate for the previous 12 months for RAC introduced customers?
11.5. What root cause analysis (RCA) do you carry out to prevent repeat complaints?
11.6. Have there been any changes to process resulting from RCA in the last 12 months?

12. Audit & Monitoring

12.1. How often are your RAC related processes audited?
12.2. Please provide action plans & outcomes arising from issues raised by auditors which may have impinged upon your ability to provide appropriate levels of service to RAC introduced customers.
12.3. Do you have a compliance monitoring plan in place? Please provide details of monitoring activities.

13. Management and Oversight

13.1. What MI is provided to senior management to enable effective oversight?
13.2. How often is this MI reviewed?
13.3. How do your senior management ensure they have appropriate oversight of sales channels?

I certify that the information given above is true.

Signature: ..............................................................
Name of Signatory: ..............................................................
Position within the Company: ..............................................................
Date: ..............................................................