Vendor management has always been a key part of financial institution (FI) compliance and risk management efforts. And recently, FIs have witnessed the importance of proper vendor management begin to receive even more emphasis. One area in particular that is contributing to this emphasis is the Statement on Standards for Attestation Engagements (SSAE) No. 18 (SSAE 18) report. That’s right, SSAE 18, not 16. Effective May 1st, 2017, the SSAE 18 became the new standard report for vendors to provide to financial institutions.
Now, in my opinion, there has not been a lot of hype regarding this change. At least not like what we saw when the SAS70 report became the SSAE 16. The reason for this is due largely to the fact that the SSAE 18 does not appear to be drastically different from the SSAE 16. Which is definitely good news for community FIs.
While the changes between the SSAE 16 and 18 will not completely change an FI’s approach to vendor management, there are some changes that will impact the due diligence efforts of FIs, especially in regard to more critical vendors.