Vendor management has always been a key part of financial institution (FI) compliance and risk management efforts, and recently proper vendor management has begun to receive even more emphasis. One area in particular contributing to this emphasis is the Statement on Standards for Attestation Engagements (SSAE) No. 18 (SSAE 18) report. That’s right, SSAE 18, not 16. Effective May 1st, 2017, the SSAE 18 became the new standard report for vendors to provide to financial institutions.
Now, in my opinion, there has not been a lot of hype regarding this change, at least not like what we saw when the SAS 70 report became the SSAE 16. This is largely because the SSAE 18 does not appear to be drastically different from the SSAE 16, which is definitely good news for community FIs.
While the changes between the SSAE 16 and 18 will not completely change an FI’s approach to vendor management, some of them will affect the due diligence efforts of FIs, especially for more critical vendors.
Today, I want to highlight two key changes with the new SSAE 18 report. Both changes deal with subcontractors and are probably the most significant differences between the SSAE 16 and 18.
- Vendors are now required to have a Vendor Management Program in place for any subcontractors they use. The goal of this requirement is to give FIs greater insight into the extent of the role played by subcontractors. Specifically, vendors are expected to examine the scope of the relationship with the subcontractor to determine the subcontractor’s responsibilities and whether the subcontractor is a critical one.
- Performance reviews are essential. These reviews should evaluate whether the subcontractor’s product/service is effective and working as anticipated. As part of the performance reviews, the vendor should hold regular discussions and site visits with the subcontractor.
- Vendors need to demonstrate that they have received and reviewed the SSAE 18 reports of the subcontractors.
- The vendor needs to monitor the subcontractor, looking at customer complaints and any regulatory issues that may exist.
- Vendors need to document the complementary user controls they have put in place, as suggested by the subcontractor. Financial institutions are familiar with the concept of complementary user controls: these are controls suggested by the vendor that the FI should implement to better ensure the security and operation of the service. With this change, FIs will have a better understanding of the controls involved in the design of the service/product.
While these changes will give financial institutions the additional detail needed to perform better and more thorough due diligence reviews of their vendors, they also mean that these reviews take much longer to complete. However, I think that this may not necessarily be a bad thing.
Vendors, especially Technology Service Providers (TSPs), have become critical to the day-to-day operations of FIs. Spending a bit of extra time on due diligence reviews only helps the FI in the long run.
The FDIC’s Office of Inspector General released a report in February of this year highlighting the results of an evaluation of FI efforts regarding the contracts of their TSPs. One of the findings in this report noted that only a small percentage of FIs documented consideration of subcontractors in their due diligence reviews and risk assessments. Hopefully the introduction of the SSAE 18 will help FIs address this due diligence weakness.
We will most certainly see a continuation of the reliance on outsourced products/services as the technologies used by financial institutions continue to rapidly advance. With this reliance, vendor management efforts must also evolve. As part of that evolution, the implementation of the SSAE 18 should prove highly beneficial for financial institutions by affording them more insight into the use of subcontractors by their vendors and pushing FIs to be more thorough in their due diligence reviews of those vendors.