(270) 506-5140 CONTACT US

Vendor Risk Management and the SEC

Jun 26, 2018 by Branan Cooper

Vendor risk management, also known as vendor management and third party risk management, has become much more important in recent years. Regulators, such as the SEC, have released more and more regulation and expectations that institutions need to follow if they want to keep their doors open. Let’s dive into what the SEC specifically says about vendor risk.

The SEC Vendor Risk Guidance

The U.S. Securities and Exchange Commission (SEC) is a Federal agency responsible for regulating the securities industry. One of the goals of the SEC is that there is transparency in all financial transactions and that privacy and disclosures are upheld by all parties.

The SEC has recently released guidance related to third party risk management due to the number of organizations that the agency governs. The examination responsibility for SEC regulated companies falls to the Office of Compliance Examinations and Inspections (OCIE). In 2018, the SEC released their exam priorities which can be reviewed here.

In the exam priorities, the SEC places a strong focus on anti-money laundering (AML) and cybersecurity - both of which are directly related to areas of vendor management. This focus is quite understandable given the volume and dollar amount of transactions that they regulate, so it requires all SEC regulated companies to pay very close attention to AML issues and to ensure they have an adequate proactive and robust cybersecurity plan. The SEC is expecting more from companies since third party risk management is a vital part of compliance framework.

The SEC is Not Alone - Other Regulators Have Third Party Risk Expectations Too

The SEC is not alone. The other major regulators have put out even more third party risk expectations. In fact, they all end up comparing notes. Unlike other regulators, the SEC currently does not have a voting seat at the table of the Federal Financial Institutions Examination Council (FFIEC), which has been around since 1979, but they absolutely are aware of the standards set by the FFIEC and the best practices of other regulators as it pertains to outsourced technology and examination procedures.

So, one of the best ways to stay ahead of your examinations is to look for ways to model your program around the most stringent guidance – currently the FFIEC IT Examination Handbook and the OCC Bulletins 2013-29, 2017-7 and 2017-21 are the best to reference.

Are you ready for an SEC examination? Download our eBook to help prepare.

New Call-to-action

Branan Cooper

Written by Branan Cooper

Branan Cooper is the Chief Risk Officer at Venminder. Branan has nearly 30 years of experience in the financial services industry with a focus on the management of operational and regulatory processes and controls—most notably in the area of third party risk and operational compliance. Branan leads the Venminder delivery team as the third party risk management subject matter expert in residence. Branan also serves as an industry thought leader. He's a member of InfraGard and the Professional Risk Management Industry Association (PRMIA). And, he was selected in 2018 as an advisor to the Center for Financial Professionals (CEFPro) and board member for the Global Sourcing Resource Network (GSRN).

Follow Branan Cooper

Subscribe to the Venminder Blog