Vendor management has always been a key part of financial institution (FI) compliance and risk management efforts. And recently, FIs have witnessed the importance of proper vendor management begin to receive even more emphasis. One area in particular that is contributing to this emphasis is the Statement on Standards for Attestation Engagements (SSAE) No. 18 (SSAE 18) report. That’s right, SSAE 18, not 16. Effective May 1st, 2017, the SSAE 18 became the new standard report for vendors to provide to financial institutions.
Now, in my opinion, there has not been a lot of hype regarding this change. At least not like what we saw when the SAS70 report became the SSAE 16. The reason for this is due largely to the fact that the SSAE 18 does not appear to be drastically different from the SSAE 16. Which is definitely good news for community FIs.
While the changes between the SSAE 16 and 18 will not completely change an FI’s approach to vendor management, there are some changes that will impact the due diligence efforts of FIs, especially in regard to more critical vendors.
Today, I want to highlight two key changes with the new SSAE 18 report. Both changes deal with subcontractors and are probably the most significant differences between the SSAE 16 and 18.
While these changes will help provide financial institutions with the additional detail to perform better and more thorough due diligence reviews of their vendors, it also means that these types of reviews take much longer to complete. However, I think that this may not necessarily be a bad thing.
Vendors, especially those Technology Service Providers (TSPs), have become critical to the day-to-day operations of FIs. Spending a bit of extra time on due diligence reviews only helps the FI in the long run.
The FDIC’s Office of Inspector General released a report in February of this year highlighting the results of an evaluation of FI efforts in regards to the contracts of their TSPs. One of the findings in this report noted that only a small percentage of FIs documented consideration of subcontractors in their due diligence reviews and risk assessments. Hopefully the introduction of the SSAE 18 will help FIs alleviate this due diligence weakness.
We will most certainly see a continuation of the reliance on outsourced products/services as the technologies used by financial institutions continue to rapidly advance. With this reliance, vendor management efforts must also evolve. As part of that evolution, the implementation of the SSAE 18 should prove highly beneficial for financial institutions by affording them more insight into the use of subcontractors by their vendors and pushing FIs to be more thorough in their due diligence reviews of those vendors.
Stay up to date with the latest people-inspired innovation at Jack Henry.
Learn more about people-inspired innovation at Jack Henry.
Who We Serve
What We Offer
Who We Are