Why should your vendors be SSAE-16 compliant?
Within the NCUA Rules and Regulations, the "Oversee Service Provider Arrangements" section of Part 748 requires that credit unions take the following steps: "Exercise appropriate due diligence in selecting its service providers; Require its service providers by contract to implement appropriate measures designed to meet the objectives of these guidelines; and where indicated by the credit union's risk assessment, monitor its service providers to confirm that they satisfied their obligations..."
The National Credit Union Administration (NCUA) was created to "provide, through regulation and supervision, a safe and sound credit union system." The NCUA discusses the significance and delicacy of outsourcing Information Systems and Technology functions in its Examiner's Guide.
"Outsourcing can help manage costs, provide expertise, and expand and improve services offered..." The NCUA also reminds credit unions that there should be "an oversight program to monitor each service provider's operations and controls, financial condition and performance standards."
As far back as 2000, the NCUA has recognized that the FFIEC's guidance on outsourcing technology services must be taken to heart. In this NCUA Letter to Credit Unions, credit unions are urged to "implement an oversight program to monitor each service provider's controls, condition, and performance."
In 2007, the NCUA released this Letter to Credit Unions, in which it warns that "inadequately managed and controlled third party relationships can result in unanticipated costs, legal disputes, and financial loss…"
The Statements on Standards for Attestation Engagements (SSAE) No. 16 and the AICPA's SOC 2 guide, Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy, were designed to fully address how securely your service providers operate. Meeting the strict controls required to achieve SSAE compliance is the best way to ensure that your vendors handle your organization's information in a secure manner that will satisfy the NCUA and FFIEC requirements.
The Federal Financial Institutions Examination Council (FFIEC) is a council created to prescribe uniform principles, standards, and report forms in order to promote uniformity in the supervision of financial institutions.
When it comes to outsourcing operations, the FFIEC recommends that financial institutions ensure that the service provider they use "implement(s) and maintain(s) controls sufficient to appropriately mitigate risks... the institution may prescribe the use of standardized reports, such as an AICPA Statement of Standards for Attestation Engagement (SSAE) report."