For those of you who use products/services such as ChexSystems (for deposit accounts) or HART (for providing the risk-based notice based on credit information), what do you require from the vendor or review on an annual basis (e.g., SAS70 or equivalent, financials, etc.).

Typically, if they handle/process customer information then they are a critical vendor and we require an annual review of financials and SAE-16/SAS70 or equivalent.

Our annual reviews are only on our critical vendors. Our critical vendor list is short and consist of those vendors that we would be in trouble if they disappeared (i.e., core systems, online banking, network compancy) For critical vendors we look at SSAE16 (if applicable), financial information (once or twice a year reviews), disaster recovery plans or assurance they have one, inquire if they have any pending legal issues. For companies like Chex we do not do an annual review (they are important but not critical to our operations).

Thanks to both of you.

You may want to take a look at the OCC guidance that came out last October that provides a list of items that could be incorporated into ongoing monitoring/due diligence.

Who in your institution reviews the SSAE 16? Do they use a checklist, did they received outside training, etc.? We don't have anyone experienced in reviewing these and so I am thinking we should send someone to training, just not sure who and was curious how other Bank's are handling these reviews.

Thanks!

I review them. I wouldn't say I'm qualified, but it's better than nothing. I purchased training from a vendor and self-taught pretty much. I pulled together some review forms that I found from different sources, customized them a little bit, and that's what I go with.

I do have to consult with IT occasionally if there are exception findings in any of the testing that are over my head, to determine the severity/relevance of the finding as it applies to us. Exceptions and the complementary user-entity controls are areas I focus on a lot.

You definitely want someone with at least some technological savviness to be involved though!

Like, Matt I review them and I wouldn't say I'm qualified. I go through to see the testing that was done and if there are any exceptions. I also will work with our IT if I don't understand the testing being done.

I am in the process of trying to create some sort of checklist for reviewing a SSAE 16 since examiners recommended it the last time they were in.

There's some good info here.

http://www.sans.org/reading-room/whitepapers/auditing/understanding-service-organizations-ssae-34475

Thanks everyone! I will look over that Whitepaper, I appreciate you putting the link up.

Any one have a Vendor / Third Party Risk Assessment they would be willing to share?

Any checklist, resources etc.

Thanks

Yes, I was wondering the same thing. Does anyone have an actual Third Party Risk Management Policy or know where I might can buy one?