There has been a real focus in the financial services community on the vital need for anyone with a direct impact on customers or confidential data to have robust business practices - this was reinforced further by the new SSAE 18 requirements on disclosure of subservice providers.
The CFPB has re-emphasized its direct oversight of service providers, and as the newly proposed OCC fintech charter demonstrates, there are increased obligations for you to have an established framework for third party risk management.
There has never been a more challenging time to be in the financial services business, but done well, you can create a program that helps protect your company, the financial system and the consumers we're all here to serve.
As a Fintech provider, we recommend that you:
Centralize the data on your third parties so you can efficiently manage, monitor and risk-assess them.
Our industry experts and certified team can become your cost-effective staff augmentation answer.
Don't forget that the still relatively new SSAE 18 audit includes the requirement that controls be implemented to monitor the effectiveness of controls for your subservice organizations (your vendors). In other words, you should have an effective vendor management program in place.
With the introduction of the SSAE 18, if you have subservice organizations, you are now required to do the same with your own vendors and provide evidence of such monitoring to your auditor during your SOC audit.
It’s not optional - you can’t exclude the requirement from the scope of the audit. If you have a subservice organization (as properly defined, an organization with potential to have an impact to a user entity) then it must be included in Management’s Attestation.
You are required to: