SSAE 16 SOC 1 certification means the security of your financial data will be assured.

A company assumes risk anytime they send private financial data to a third-party vendor. Collection agencies manage this risk by initiating debt collection security controls that establish and maintain cyber security best practices.

One of the numerous control standards widely accepted as a best practice is SSAE 16 SOC 1. Complying with these standards means the collection agency has adopted an industry standard that ensures all the financial data you share is secure in transit and at rest.

The fourth in a series of articles that explain the details of TSI’s efforts at ensuring cyber security and protection of our client’s information, this article will look more closely at SSAE 16 SOC 1 and how collection agencies like TSI leverage these standards to ensure the security of your critical financial data. In previous articles we covered HIPAA compliance, FISMA compliance, and PCI compliance.

SSAE 16 SOC 1 – Why it Matters

The Statement on Standards for Attestation Engagements No. 16 (SSAE 16) System and Organization Controls (SOC) is a methodology used to test the security of the financial data that a third-party vendor organization holds.

The SSAE 16 SOC 1 compliance documents were finalized by the American Institute of Certified Public Accountants (AICPA) in January 2010. Their requirements include a reporting framework that allows third-party organizations to share their card payment security architectures and cyber security infrastructures, allowing them to seek and obtain SSAE 16 SOC 1 compliance.

It’s important to note that this is not strictly a self-reporting mechanism; instead, a third-party auditor must conduct a review of these controls in order for certification to occur. These audits are done by independent and non-partisan agencies experienced in cyber security, audit and risk, accounting, and technology.

SSAE 16 SOC 1 certifies the organization has taken steps to control card payment security.

The SSAE 16 website points out:
A Service Auditor’s Report with an unqualified opinion that is issued by an Independent Auditing Firm differentiates the service organization from its peers by demonstrating the establishment of control objectives and effectively designed control activities.

The point of the SSAE 16 SOC 1 is to reinforce collection agencies as worthy of maintaining debt collection security. For the client, it shows that there are internal cyber security controls in place that will give them peace of mind to know that their critical data is protected.

SSAE 16 SOC 1 is made up of three critical components:

  1. A description of the systems they use to hold and transport data. It’s a narrative of data security processes designed to enforce the daily technology and control systems that keep financial information safe.
  2. The date these controls were implemented and an attestation that the controls in place are currently in use.
  3. These systems must be audited by a third party and require validation that they are adequate.


TSI and SSAE 16 SOC 1 Compliance

TSI is a certified SSAE 16 SOC 1 compliant organization. This means the people, processes, and technology that we use to manage debt collection security is best in class. TSI sought and obtained these credentials to show our commitment to debt collection security. We believe our clients recognize the rigor it takes to be independently certified as SSAE 16 SOC 1 compliant, and this designation provides complete assurance that crucial data is handled with the utmost attention and care.

For more information on how we keep your data safe, contact us.

Learn more about TSI’s commitment to Cyber Security in “A Guide to Cyber Security and Third-Party Collections”

Want to learn more about TSI? Fill out the form and a TSI representative will contact you shortly.