Third Party Risk Management Quiz

Questions and Answers

In the context of the provided information, when should a red flag noted during due diligence procedures be escalated to the Operations Director and Risk & Compliance?

  • Prior to engaging a third party, regardless of whether it is a contractor, sub-contractor, vendor, or supplier (correct)
  • Only when engaging a vendor or supplier of services or purchases
  • Only after engaging a third party, for all types of third parties, and not during the due diligence procedures.
  • Specifically for contracts and sub-contracts, but not for vendors or suppliers of services or purchases.

Which of the following is NOT mentioned as a due diligence procedure?

  • Red flag escalation to Operations Director and Risk & Compliance (correct)
  • Supplier/Vendor (services OR purchases) Procurement Policy
  • Online Adverse News Search
  • Third Party Risk Rating and Due Diligence

What type of third party requires the approval of the Operations Director and Risk & Compliance before engagement?

  • Only contractors and sub-contractors
  • Only vendors and suppliers of services
  • Only third parties that are not subject to the Supplier/Vendor (services OR purchases) Procurement Policy
  • All third parties, including contractors, sub-contractors, vendors, and suppliers of services (correct)

Which of the following processes should be completed before engaging a third party?

Answer: Third Party Risk Rating and Due Diligence (A)

Based on the provided information, what is the primary objective of due diligence procedures?

Answer: To identify and mitigate potential risks associated with engaging a third party (D)

What has increased the risk of title fraud in real estate?

Answer: The increased use of remote transactions. (B)

Which of the following is NOT a reason why criminal syndicates are drawn to the property market for money laundering?

Answer: The high risk and volatility of real estate as an investment. (A)

What is the primary focus for the Crane Capital Risk & Compliance Training in 2025?

Answer: To reinforce compliance commitment, strengthen internal controls, and enhance crisis management (B)

What is a red flag indicator that could suggest money laundering in real estate?

Answer: The use of third parties to buy property as legal owner. (D)

What is the primary focus of the Third Party Risk Management Policy?

Answer: Customer Due Diligence (D)

What is a potential consequence of increased rental application fraud?

Answer: Higher eviction risks and bad debt for property managers. (A)

Which of the following is NOT explicitly mentioned as a key focus area for the training?

Answer: Investor Relations (C)

What is the significance of 'Reinforce Compliance Commitment' in the training's key focus?

Answer: To emphasize the importance of adhering to internal policies and procedures (B)

Which of the following is NOT explicitly mentioned as a focus area for Crane Capital in 2025?

Answer: Market Volatility (A)

Which type of real estate is particularly vulnerable to rental fraud?

Answer: Luxury properties. (D)

What type of global watchlists are mentioned in the context of Customer Due Diligence?

Answer: OFAC (B)

What is a red flag suggesting potential money laundering in a real estate transaction?

Answer: A property being sold at a price below market value. (A)

What is the objective of 'Adapting to Evolving Risks' in the 2025 training?

Answer: To train employees on how to identify and mitigate emerging risks (A)

Why is 'Strengthening Internal Controls' a key focus of the 2025 training?

Answer: To reduce the risk of financial loss or reputational damage (A)

How can criminals use stolen identities in real estate fraud?

Answer: All of the above. (D)

What is the purpose of the Whistleblower Protection policy?

Answer: To protect employees from retaliation for reporting illegal activities (A)

What is the purpose of 'Foster a Culture of Accountability' within the training?

Answer: To ensure employees are aware of their responsibilities (A)

Why is money laundering through real estate considered relatively easy for criminals?

Answer: All of the above. (D)

What is the purpose of the Anti-Fraud, Corruption, Money Laundering and Terrorism Financing Policy?

Answer: To prevent financial crimes by ensuring compliance with relevant laws and regulations (D)

Which of the following is an example of a cybercrime threat mentioned in the content?

Answer: Social engineering attacks (D)

What is the relationship between 'Business Continuity and Crisis Management' and 'Incident Reporting' in this training?

Answer: Business continuity plans are activated in case of an incident (D)

According to the content, what is the significance of the growing digitization of the financial services sector?

Answer: It increases the risk of cybercrime (B)

Based on the information provided, what could be a potential topic covered under 'Third Party Risk Management Program'?

Answer: Developing a framework for managing risks associated with external vendors (D)

How do financial institutions plan to enhance their cyber resilience in 2025?

Answer: By implementing zero-trust security models and multi-layered encryption (C)

Which of the following is NOT a step in the incident closing process?

Answer: Repatriation of funds (D)

What is the primary purpose of the Post Incident Review?

Answer: To prevent future incidents (B)

What is the final step in the incident closing process?

Answer: Completing corrective actions (C)

When should communication plans be tailored?

Answer: Before and after the incident (D)

What is the purpose of meeting with the WSIB's Director of Operations and Investment Operational Due Diligence Officer?

Answer: To provide an update on the status of the incident investigation (D)

What is the primary purpose of a password vault?

Answer: To generate and manage strong, unique passwords for various accounts. (C)

What is NOT a key aspect of strong password policies?

Answer: Reusing the same password across multiple accounts. (C)

Which of the following is an example of secure Wi-Fi practice?

Answer: Disabling Wi-Fi when not in use. (D)

What is the purpose of incident response and recovery plans in cybersecurity?

Answer: To detect and respond to cyberattacks promptly and effectively. (B)

What is a key aspect of governance and risk management in cybersecurity?

Answer: Creating a comprehensive information technology policy framework. (A)

Which of the following is a key component of access control and identity management?

Answer: Implementing multi-factor authentication for user logins. (D)

What is the purpose of implementing a zero-trust architecture in cybersecurity?

Answer: To assume that no user or device can be trusted by default. (C)

What is the importance of regular software updates in cybersecurity?

Answer: To fix vulnerabilities and patch security holes in systems. (A)

Flashcards

Non-Disclosure Agreement (NDA)

A contract that prohibits sharing confidential information.

Due Diligence

The process of investigating and evaluating potential vendors or contractors.

Red Flags

Warning signs indicating potential problems in a supplier or vendor.

Online Adverse News Search

A method to find negative news about a third party before engagement.

Third Party Risk Rating

An assessment of potential risks associated with engaging a third party.

Rental Application Fraud

Fraudsters forge documents like bank statements and pay stubs on rental applications.

Title Fraud

Criminals use stolen identities to change ownership records or obtain fraudulent loans.

Luxury Real Estate Risk

Luxury properties are targeted due to unverified documents leading to rental fraud.

Money Laundering in Real Estate

Criminals use real estate for laundering money due to cash purchases and opaque markets.

Third Party Purchases

Using others to buy property, masking the true owner of the asset.

Indicators of Money Laundering

Buying and selling properties at unusually high or low prices as a red flag.

Criminal Syndicates in Real Estate

Groups attracted to real estate for cash purchases and minimal regulatory oversight.

Opaque Markets

Real estate markets lacking transparency and regulatory scrutiny make for risky investments.

Key Risk & Compliance Focus

The main areas Crane Capital aims to concentrate on for 2025 regarding risks and compliance.

Compliance Commitment

A pledge to follow laws, regulations, and internal policies.

Internal Controls

Procedures put in place to ensure compliance and minimize risk.

Due Diligence Screening

Process of checking for adverse news findings before onboarding third parties.

Culture of Accountability

An environment where individuals take responsibility for their actions.

Zero Tolerance Policy

Strict adherence to laws against fraud and corruption without exceptions.

Evolving Risks

New and changing threats that organizations must adapt to.

Cybersecurity and Data Protection

Measures to safeguard information technology systems and sensitive data.

Whistleblower Protection

Safeguards for individuals reporting unethical conduct.

Customer Due Diligence

Verifying identity and assessing risks related to a customer before onboarding.

Crisis Management

Strategies to manage and mitigate emergencies or unexpected events.

Incident Reporting

The process of documenting and communicating incidents that occur.

Sanctions Screening

Checking third parties against global watchlists to prevent risky associations.

AML Regulations

Laws and guidelines designed to combat money laundering and terrorism financing.

Cyber Resilience

Ability of financial institutions to withstand and recover from cyber threats.

Zero-Trust Security Model

A security approach that requires verification for every access attempt.

Incident Closing Criteria

Requirements for concluding an incident report, including investigation and communication with WSIB.

WSIB Communication Plans

Strategies tailored for engaging with stakeholders after an incident.

Post Incident Review

A process involving corrective actions and verification of internal controls after an incident.

Repatriation of Funds

Return of funds to their original source, if applicable in incident resolution.

Incident Closure

Official ending of an incident report after all tasks and actions are completed.

Password Vault

A tool to securely store and manage passwords for various accounts.

Data Protection

Methods used to secure data against unauthorized access or breaches.

Data Disposal

The proper elimination of data that is no longer required.

Software Updates

Regular updates to software to enhance security and functionality.

Strong Password Policies

Guidelines for creating and maintaining secure passwords.

Phishing Awareness

Recognizing and avoiding deceptive attempts to steal information.

Multi-Factor Authentication (MFA)

An extra layer of security requiring multiple forms of identification.

Monitoring

Continuous observation to detect unusual activity or potential breaches.

Study Notes

Crane Capital Risk & Compliance Training

  • Date: February 2025
  • Agenda:
    • 2025 Crane's Key Risk & Compliance Focus
    • Policies, Procedures and Guidelines
    • Third Party Risk Management Program
    • Anti-Fraud, Corruption, Money Laundering and Terrorism Financing
    • Data Privacy and Cybersecurity Hygiene
    • Business Continuity and Crisis Management
    • Incident Reporting
    • Quiz
    • Closing Remarks

2025 Crane's Key Risk & Compliance Focus

  • Reinforce Compliance Commitment
  • Foster a Culture of Accountability
  • Strengthen Internal Controls
  • Adapt to Evolving Risks
  • Enhance Crisis Management and Resilience
  • Cybersecurity and Data Protection

Third Party Risk Management Program (TPRM) - Lifecycle

  • Onboarding: Risk Assessment and Due Diligence, Procurement and Sourcing, Vendor Creation
  • Ongoing: Performance Monitoring, Re-assessment and Due Diligence, Renewals, Vendor Maintenance, Governance Oversight and Accountability, Documentation and Reporting, Independent Review
  • Offboarding: Termination, Exit Strategy, Third Party Closure, Vendor Monitoring

Third Party Risk Management (TPRM) - Workflow

  • Third Party (Non-Exhaustive List): Joint Venture Partners, Outsourced Service Providers, Commercial Agents/Sales Representatives, Consultants/Advisors, Contractors/Sub-Contractors, Vendors/Suppliers of Services, Insurance Brokers, Service Providers
  • Third Party Assessment: Determine whether the service is already provided by Crane Capital (Outsourcing).
  • Applicable Due Diligence Policies and Procedures: Outsourcing Policy, Outsourcing and Materiality Assessment, Procurement Policy, Vendor Management Policy, Supplier Code of Conduct.
  • Tools: Online Adverse News Search, Initial Due Diligence Questionnaire, Outsourced Service Provider Assessment, Ongoing Performance Monitoring, Third Party Risk Rating and Due Diligence, etc.
  • Other Relevant Risk and Compliance Requirement: Conflicts of Interest Declaration, Related Party Transactions, Non-disclosure agreements (NDA).

Money Laundering Red Flags Indicator in Real Estate

  • Use of Third Parties: A third party (e.g., a friend or family member) buys the property on the criminal's behalf and appears as its legal owner
  • Manipulation of Property Values: Buying and selling property at prices above or below market value
  • Large Deposits (avoiding reporting thresholds): Paying large deposits for property with checks from multiple banks
  • Use of Tenants for Commingling Funds: Using a "tenant" collaborator to combine funds to cover rent payments
  • Illicit Funds for Renovations: Using illicit funds to pay for unnecessary renovations and improvements
  • Shell Companies/Trusts: Using shell companies, trusts, and company structures
  • Overseas Investment: Foreign criminals investing in real estate
  • Excessive Renovation: Used to distance criminals from the property they own

Real Estate - Prime Target for Money Laundering

  • Ease of Cash Purchases
  • Disguising Ownership
  • Investment Stability
  • Increased Market Value

Sector Specific Fraud Tactics - Real Estate and Property Management

  • Increase in Rental Application Fraud: Exploiting digital systems to forge documents, leading to higher eviction risk and bad debt.
  • Rise in Title Fraud: Criminals altering property ownership records using stolen identities, securing fraudulent loans, or selling properties they don't own. The increased use of remote transactions has raised this risk.
  • Luxury Real Estate as a High-Risk Target: Rental fraud is especially prevalent in the luxury market where fake documents often go undetected.

Gifts Declaration

  • Submission: Gift requests through Concur before purchase.
  • Value Limit: Gifts below US$100 are allowed; gifts exceeding US$100 need justification.
  • Recipient Specification: Recipient company and individual names/amounts in gift request.
  • Prohibited Acts: Offering gifts/hospitality for undue influence, during a tender/contract renewal, exceeding thresholds, using vouchers, etc.

Prevention Measures within Crane Capital Policies and Procedures

  • Fraud Prevention: Information Technology Policy, Multifactor Authentication, Biometric authentication, Segregation of Duties, Invoice and Cash Management, and Whistleblower Protection
  • Bribery & Corruption Prevention: Travel & Expense Policies, Gift Requests, Third Party Risk Management.

Notable Fraud, Bribery, Corruption, AML/CFT in 2024

  • Evergrande: Accused of $78 billion fraud.
  • MAS Imposes Composition Penalty: On Swiss-Asia Financial Services for AML/CFT breaches.
  • TD Bank Fine: $3 billion fine over drug cartel money laundering.
  • UK Engineering Firm Scam: Arup falls victim to a £20 million deepfake scam.
  • Deepfake Musk Scam: AI-powered version of Elon Musk appears in thousands of inauthentic ads, creating billions in fraud.

Strengthening Cyber Resilience

  • Zero-Trust Security Models
  • Multi-Layered Encryption
  • Biometric Security Systems
  • Voice Recognition Technologies
  • Generative AI Defenses

Principles of Data Protection (1/4)

  • Data Protection: Covers the technologies, processes and workflows that keep data available when it is needed.
  • Data Security: Safeguards data against theft, corruption, or unauthorized access throughout the data lifecycle.
  • Data Privacy: Understanding the collection, use, management, and monetization of sensitive data.

Principles of Data Protection (2/4)

  • Data Minimization: Collect only necessary data.
  • Principle of Least Privilege: Authorized users are granted the minimum access required for their work.

Principles of Data Protection (3/4)

  • Data Classification and Encryption: Classifying data by sensitivity and importance (e.g., Personal, Work - Unprotected, Work - Protected, Confidential, Highly Confidential) and protecting it via encryption.

Principles of Data Protection (4/4)

  • Password Vault: Store passwords centrally and protect them with encryption to eliminate the need to memorize multiple passwords.
  • Data Storage and Backup: Secure methods for storing data and proper disposal of no-longer-needed data.
  • Prevent unauthorized access: Preventing unauthorized access, breaches and data leaks.

Cybersecurity Hygiene (1/2)

  • Common Cyber Hygiene Problems: Weak Passwords, Ignoring Updates, Clicking on Suspicious Links, Not Backing Up Data, Sharing Too Much Online.

Cybersecurity Hygiene (2/2)

  • Prevention Measures: Regular Software Updates, Strong Password Policies, Phishing Awareness, Secure Wi-Fi Practices, System & Network Security, Regular patching, Secure third-party access, Monitoring for unusual activity.

Business Continuity

  • Business Continuity Planning: Ensure Crane Capital can continue operating during and after a crisis.
  • Disaster Recovery: Processes for restoring IT infrastructure, data access, IT resources after a disaster.
  • Crisis Management: Focus on responding effectively to unexpected events.

Business Continuity - Recovery Strategy

  • Recovery strategies are defined for office premises compromise, IT equipment destruction, and other scenarios.

Crisis Management - Crisis Classifications and CMT

  • Crisis Classification Levels: RED (imminent threat), ORANGE (moderate risk), and YELLOW (low risk) based on impact.
  • Crisis Management Team (CMT): Key contact persons responsible for crisis response, including alternate members.
  • CMT Responsibilities: Ensuring Crane Capital can operate during and after a crisis, planning for uninterrupted operations, coordinating crisis response, allocating resources, and monitoring communication protocols.

Crisis Communication

  • Crisis Communication Plan: Focus on minimizing damage when responding to unexpected events.
  • Crisis Communications Coordinator: Contact numbers available for different departments in Hong Kong and Singapore.

Incident Reporting

  • Introduction: Crane Capital's formal process for managing incidents to protect its reputation and operations.
  • Key Elements: Incident Types (e.g., fraud, theft, cyber threats), Response Strategy (e.g., notification to crisis management team, investigation, validation), and Incident reporting form/process (5W1H)
  • Incident Notification: Report incidents to the CMT as soon as possible (ideally within 1-3 hours).
  • Incident Investigation: CMT validates and determines whether further investigation is required.
  • WSIB Reporting: Reporting escalated incidents to WSIB (if applicable).
  • Incident Closing and Following-Up: Incident Resolution, Communication, Corrective action, Internal control verification and Incident closure.

Information Security Incidents

  • Examples: Unauthorized disclosure of sensitive information, theft/loss of device, virus/malware outbreaks, denial of service, attempts to gain unauthorized access, compromised user accounts due to phishing.
  • Contact Methods: ECI (External Cyber Incident) Security Operations Center (SOC) Contact - Primary Method (email - [email protected]) and SOC Hotline Numbers for different regions (US, UK, HK, SG).

Closing Remarks – Reminder on Ethics Standard

  • Reduce Risk: Helps reduce the likelihood of misconduct, regulatory violations, legal actions and reputational harm.
  • Promote Ethical Culture: Fosters a workplace culture that prioritizes integrity, honesty, and transparency.
  • Employee Engagement: Engage employees who understand the importance of ethics and compliance.
