
Fintech Provider


As a provider to the financial services industry, you face increased obligations to have an established framework for third party risk management.

Why Venminder

Expectations Are Increasing for Fintech Providers to Have Third Party Risk Management Programs in Place

There has been a real focus in the financial services community on how vital it is that anyone with a direct impact on the customer or confidential data has robust business practices. This was reinforced further by the new SSAE 18 requirements on disclosure of subservice providers.

The CFPB has re-emphasized its direct oversight of service providers and, as the new proposed OCC fintech charter demonstrates, there are increased obligations for you to have an established framework for third party risk management.

There has never been a more challenging time to be in the financial services business, but done well, you can create a program that helps protect your company, the financial system and the consumers we're all here to serve.  

As a Fintech provider, we recommend you:

  • Develop a vendor management policy, program and procedures
  • Identify your critical and high-risk vendors
  • Mitigate vendor risk through performing adequate due diligence, additional contract provisions and increased monitoring
  • Implement a vendor ongoing monitoring program 

How We Help



Centralize the data on your third parties to efficiently manage, monitor and risk assess your third parties.


Outsourced Services

Our industry experts and certified team can become your cost-effective staff augmentation answer.



One size does not fit all. Whether you are a small or large organization, our solutions can be customized to your specific needs.


Hot Button Issue
The SSAE 18 Audit

Don't forget that the still relatively new SSAE 18 audit includes the requirement that controls be implemented to monitor the effectiveness of controls for your subservice organizations (your vendors). In other words, you should have an effective vendor management program in place.  

With the introduction of the SSAE 18, if you have subservice organizations, you are now required to do the same with your own vendors and provide evidence of such monitoring to your auditor during your SOC audit.  

It’s not optional - you can’t exclude the requirement from the scope of the audit. If you have a subservice organization (as properly defined, an organization with potential to have an impact to a user entity) then it must be included in Management’s Attestation.

You are required to: 

  • Review and reconcile output reports
  • Hold periodic discussions with the subservice organization
  • Make regular site visits to the subservice organization
  • Have members of the service organization’s internal audit function test controls at the subservice organization
  • Review SOC type 1 or SOC type 2 reports on the subservice organization’s system
  • Monitor external communications, such as customer complaints relevant to the services by the subservice organization

By running a successful third party risk management program you:

  • Take steps to manage and mitigate your own vendor risk
  • Can avoid being on the receiving end of enforcement actions, large fines or reputational damage
  • Help your financial institution clients meet their regulatory obligations