
Third Party Receipting
Presented to Washington Public Ports Association, June 2016
Peg Bodin, CISA

Washington State Auditor’s Office


Overview

This session will cover use of third party vendors, including:
• Risks
• Requirements
• Solutions



Receipting

                  Cashiers          Third party vendor
Who               Employee          Non-employee
Where             Counter           Website, P.O. Box, drop box
Payment types     Cash, check       Check, credit card
Record            Receipt report    Remittance report



Government – vendor relationship

For third party receipting status, the relationship with the vendor involves more than simply receiving the payment.



Risks

(Diagram of the payment flow between the Customer, the Receipting interface, the Credit card system, the Vendor’s bank account and the Public depository.)


Risks: Evaluate the legal agreement



Risk summary

The risks involved in third party receipting include:
• Multiple vendors, multiple solutions (even with the same vendor), each with its own risks
• Legal agreements (standard or customized)
• PCI non-compliance fees
• Data breach
• Theft / loss of funds
  – Redirecting funds to other bank accounts
  – Bank or vendor default
  – Cyber theft



Small group discussion questions

1. Where do you accept payments through a third party vendor?
2. What risks are you concerned about in your environment?



Requirements

Third party receipting involves two primary requirements:
1. Timely and intact deposit in a PDPC approved public depository
2. Contractual compliance



Timely deposit

Deposits that go through a vendor’s bank must meet timeliness requirements.
• Best practice: Direct remittance from the credit card system to the local government’s PDPC approved depository
• OK practice: Remittance from the vendor’s bank account to the local government’s PDPC approved depository within one day, or five days if the treasurer authorizes an exception
• Service and receipting provider exception: Up to a month



Service and receipting providers

• Service is the primary purpose (examples: Digital Signatures, Collection Agencies, Food Service Permit Testing)
• Also performs receipting



Merchant services agreement

(Diagram of the parties and agreements: Local government, Vendor, Customer, Receipting interface, Public depository and Credit card system, linked by a Vendor agreement and a Merchant services agreement.)



Payment facilitator

(Diagram of the parties and agreements: Vendor, Local government, Customer, Receipting interface, Payment facilitator, Payment facilitator’s bank, Credit card system and Public depository, linked by a Vendor agreement and a Payment facilitator agreement.)



Vendor

(Diagram of the parties: Vendor, Local government, Customer, Vendor receipting interface, Public depository, Vendor’s bank account and Credit card system, linked by a Vendor agreement.)



Intact deposits

Reserves, in most cases, are not allowable.
• Withholding
• Unauthorized accounts



Reserves and withholding contract language

Selected sections from the standard PayPal agreement:



Payment card industry standards



Group discussion questions

The nature of your third party vendor agreements contributes significantly to your risks.
1. Does your local government have any vendor agreements where the funds are deposited in a third party vendor’s bank account?
2. Does your local government complete a PCI SAQ (PCI Self Assessment Questionnaire)?



Solutions

Ways of addressing the risks with third party vendors include:
• Contractual language
• PCI compliance verification
• External reviews
• Insurance, bonds
• Oversight and monitoring



Controls

(Diagram of the payment flow between the Customer, the Receipting interface, the Vendor’s bank account, the Credit card system and the Public depository, with two groups of controls noted along the flow.)

• PCI security compliance
• PCI self assessment questionnaire
• Independent third party review
• Cyber security insurance

• Contractual language
• Insurance, bonds
• Independent third party review
• Remittance review


Contracts

Contracts have three areas of inconsistency or concern:
1. Remittance of proceeds
2. Payment card industry (PCI) compliance
3. Reserves



Sample contract language

This is not a substitute for legal advice. Please consult your legal advisor! Here are a couple of examples of language that could be used in a contract with a vendor:

• Vendor shall be responsible for establishing and maintaining an information security program that is designed to (i) ensure the security and confidentiality of Customer Data, (ii) protect against any anticipated threats or hazards to the security or integrity of Customer data. Customer shall be responsible for maintaining security for its own systems, servers, and communications links as necessary to (a) protect the security and integrity.



Sample contract language (continued)

This is not a substitute for legal advice. Please consult your legal advisor!

• Vendor shall cause a Third Party review of its operations and related internal controls to be conducted annually by its independent auditors. Vendor shall provide to Customer, upon request, one copy of the audit report resulting from such review. Vendor shall maintain for its own protection crime insurance coverage for its personnel.



Sample contract language (continued)

This is not a substitute for legal advice. Please consult your legal advisor!

• …during the term of this Agreement and at its expense, acquire and maintain in full force and effect, a fidelity bond that ensures that every officer, director, Subcontractor or employee who is authorized to act on behalf of the vendor for the purpose of receiving, processing and depositing funds pursuant to this Agreement shall be bonded to provide protection against loss. The bond must be signed by an approved surety (or sureties)…



Management oversight

Activity must be monitored regardless of contract language.
• Reconcile remittance reports to bank deposits.
• Monitor reasonableness of remittances received. Are you getting everything you should?
• Monitor banking fees. Are they appropriate?
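As an added illustration of the reconciliation control above (example code written for this page, not part of the presentation), the following Python check matches a vendor's remittance report lines to depository deposit lines by reference and flags deposits that are not intact, not timely under the windows given in the Timely deposit slide (one day, five days with a treasurer exception, up to a month for service and receipting providers), never deposited, or never reported. The line layout, reference numbers and amounts are constructed assumptions.

```python
from datetime import date

# Allowed days from vendor receipt to arrival in the PDPC approved depository.
DEPOSIT_LIMIT_DAYS = {"standard": 1, "treasurer_exception": 5, "service_provider": 30}

def reconcile(remittances, deposits, category="standard"):
    """Match remittance report lines to deposit detail lines by reference.

    Each line is (ref, amount_cents, date): the date is when the vendor received
    the payment (remittance) or when the depository credited it (deposit).
    Returns (ref, finding) pairs: not intact, late, never deposited, or unreported.
    """
    limit = DEPOSIT_LIMIT_DAYS[category]
    unmatched = {ref: (amount, day) for ref, amount, day in deposits}
    findings = []
    for ref, remitted, received in remittances:
        hit = unmatched.pop(ref, None)
        if hit is None:                       # withheld or redirected funds
            findings.append((ref, "not deposited"))
            continue
        deposited, day = hit
        if deposited != remitted:             # reserve or fee netted out: not intact
            findings.append((ref, f"amount mismatch: remitted {remitted}, deposited {deposited}"))
        days = (day - received).days
        if days > limit:
            findings.append((ref, f"late: {days} days > {limit}"))
    for ref in unmatched:                     # funds arrived that the report never mentions
        findings.append((ref, "deposit without remittance line"))
    return findings

# Constructed sample: clean line R1, short deposit R2, late deposit R3,
# never-deposited R5, and deposit R4 missing from the remittance report.
SAMPLE_REMITTANCES = [
    ("R1", 10_000, date(2016, 6, 1)),
    ("R2", 2_500, date(2016, 6, 1)),
    ("R3", 7_500, date(2016, 6, 2)),
    ("R5", 1_200, date(2016, 6, 3)),
]
SAMPLE_DEPOSITS = [
    ("R1", 10_000, date(2016, 6, 2)),
    ("R2", 2_400, date(2016, 6, 1)),
    ("R3", 7_500, date(2016, 6, 10)),
    ("R4", 900, date(2016, 6, 4)),
]

def sample_findings(category="standard"):
    return reconcile(SAMPLE_REMITTANCES, SAMPLE_DEPOSITS, category)
```

Run against a real remittance report and bank detail, the same R3 line passes as a service and receipting provider but fails the one-day and five-day windows, which is why the vendor's category has to be settled before the timeliness exception is applied.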



Solutions

What types of controls are you using to address the risks associated with third party receipting vendors?



Resources

For further guidance, please consult the following resources:
• Local Government Performance Center – Third Party Receipting: http://portal.sao.wa.gov/PerformanceCenter/#/address?mid=6&rid=18501
• GFOA Best Practice: Accepting Payment Cards and Selection of Payment Card Service Providers (GFOA, October 2009): http://www.gfoa.org/accepting-payment-cards-and-selection-payment-card-service-providers



Questions



Contacts

Kelly Collins, Director of Local Audit
(360) 902-0091
Kelly.Collins@sao.wa.gov

Peg Bodin, Local Info Systems Audit Manager
(360) 464-0113
Peggy.Bodin@sao.wa.gov

Website: www.sao.wa.gov


WPPA 2016 Finance & Admin Seminar - Third Party Receipting, Bodin  