Vendor Risk Management and the SEC

Vendor risk management, also known as vendor management and third-party risk management, has become much more important in recent years. Regulators, such as the SEC, have released more and more regulation and expectations that institutions need to follow if they want to keep their doors open. Let’s dive into what the SEC specifically says about vendor risk.

The SEC Vendor Risk Guidance

The U.S. Securities and Exchange Commission (SEC) is a Federal agency responsible for regulating the securities industry. One of the goals of the SEC is that there is transparency in all financial transactions and that privacy and disclosures are upheld by all parties.

The SEC has recently released guidance related to third party risk management due to the number of organizations that the agency governs. The examination responsibility for SEC regulated companies falls to the Office of Compliance Examinations and Inspections (OCIE). In 2018, the SEC released their exam priorities which can be reviewed here.

In the exam priorities, the SEC places a strong focus on anti-money laundering (AML) and cybersecurity - both of which are directly related to areas of vendor management. This focus is quite understandable given the volume and dollar amount of transactions that they regulate, so it requires all SEC regulated companies to pay very close attention to AML issues and to ensure they have an adequate proactive and robust cybersecurity plan. The SEC is expecting more from companies since third party risk management is a vital part of compliance framework.

The SEC is Not Alone - Other Regulators Have Third Party Risk Expectations Too

The SEC is not alone. The other major regulators have put out even more third party risk expectations. In fact, they all end up comparing notes. Unlike other regulators, the SEC currently does not have a voting seat at the table of the Federal Financial Institutions Examination Council (FFIEC), which has been around since 1979, but they absolutely are aware of the standards set by the FFIEC and the best practices of other regulators as it pertains to outsourced technology and examination procedures.

So, one of the best ways to stay ahead of your examinations is to look for ways to model your program around the most stringent guidance – currently the FFIEC IT Examination Handbook and the OCC Bulletins 2013-29, 2017-7 and 2017-21 are the best to reference.

Are you ready for an SEC examination? Download our eBook to help prepare.