Banking Exchange

Vendor review: It’s not enough!

Time to take it to the next level

If you thought that simply reviewing the SSAE-16 report (the replacement for the AICPA’s SAS-70) and the annual report of the vendors who provide outsourced solutions to your financial institution was all you needed to manage your vendors and complete a risk assessment, you’re wrong!

Why? Outsourcing vendors can be complex organizations with many business units, and it can be very difficult to review all of the applicable SSAE-16 reports for every business unit your organization might use. (SSAE-16 is “Statement on Standards for Attestation Engagements (SSAE) No. 16, Reporting on Controls at a Service Organization.”) For example, your organization might use one vendor for core banking application processing, hosting the Internet bank, driving your ATMs, and/or producing your debit cards. These solutions could be located in three different data centers and run by three or more different business units of the vendor.

Next, managing your technology risk with outsourcing vendors doesn’t stop at reviewing a couple of reports. More importantly, your vendor may have an unqualified opinion from the audit firm that conducted the SSAE-16 review, yet it may very well have an unsatisfactory data processing exam from the regulator.

In addition, reviewing the vendor’s annual report may only hint that there is trouble brewing. You would have to follow the 10-Q filings for every quarter, attend the investor conference calls (if the vendor is publicly traded), ask questions if you’re allowed to, and you may still find yourself in an uninformed position.

Furthermore, you may review the correct reports, but the control objectives covered by those reports may not reveal any problems, and they most certainly do not go to the same depth that an FFIEC data center exam does.

You need to go to the next level in vendor management and continued relationship due diligence. The recommendation for those institutions that have contracted for outsourced applications is to contact your lead regulator and ask for a copy of the most recent data center exam report. This request should be in writing and come from a C-level executive from your organization.

From our point of view, outsourced vendors are not immune to system security failures, breakdowns in procedures, weak management structures and complacency. Some or all of these may or may not be found in the SSAE-16 or annual reports.

Asking for, and receiving a copy of the data center exam of your outsourcing vendors on an annual basis from your lead regulator should be a mandatory step in your risk management and vendor management program. Stay informed… get the report!

The Wombat!

Dan Fisher

Dan Fisher is president and CEO of The Copper River Group, a consulting firm headquartered in Fargo, N. D., that focuses on technology and payment systems research and consulting for community financial institutions. For nearly 30 years, Fisher has worked in the financial industry using technology to improve the bottom line. He was CIO of Community First Bankshares (now part of Bank of the West), has served as a director of the Federal Reserve Board of Minneapolis, the chairman of the American Bankers Association Payment Systems Committee, and was a member of the Independent Community Bankers of America Payments Committee. Fisher has written numerous articles on banking technology and the payments system. He has authored or co-authored six books and recently published a book titled, "Capturing Your Customer! The New Technology of Remote Deposit." You can contact Fisher at dan@copperrivergroup.com.
P.S. To understand Dan's nickname, check out "About the Wombat" on his website.
