Today, consumers can access their financial institutions through numerous channels, such as mobile phone, online banking, call center, branch, ATM, email or drive-thru window. So, to remain competitive, most credit unions have found value in outsourcing various services and activities to third-party vendors. Not only is this cost effective, but it also allows staff to focus on credit unions' most important function: Serving their members.

But giving up some control to another company can be risky, as poorly managed third-party providers can cause unexpected legal or reputational issues, as well as expose members' information to possible misuse. As a result, all financial institutions should implement a well-planned vendor management process.

Financial regulators, including the NCUA, know the importance of vendor management, addressing it in response to laws such as the Bank Service Company Act 1962, Gramm Leach Bliley Act of 1999 and Sarbanes Oxley Act of 2002. But regulations can be confusing because while a specific agency might not have authority over your credit union, it may oversee a vendor you use – and you need to know who those regulators are and what their rules say. Further, any service providers you contract with must also comply with rules set by the state and federal regulators that do have authority over your credit union.

Understanding Vendor Management

The obvious reason for a strong vendor management program is that it's a regulatory requirement. Being out of compliance can mean hefty fines, negative exams and lowered CAMEL ratings. Worse, it could shut the credit union down. NCUA regulations (Part 748 Appendix A) require vendor management processes for the following:

  • Oversight and approval of the vendor by your board of directors;

  • Identification and assessment of risks to member information;

  • Processes to manage and control risks to member information;

  • Regular review of vendor management processes to reflect changing conditions; and

  • A report to the board at least annually.

Beyond that, vendor management is a smart business practice. Financial institutions that don't carefully oversee their third-party relationships could face huge costs related to security breaches, complaints of poor service quality, lawsuits and reputational risk, to name a few. Careful vendor management also tightens budget control and helps eliminate redundancies, such as different departments using the same vendor but contracting for services independent of each other. Or, worse, they could be separate firms offering essentially the same services.

But here's the most compelling reason: Members trust their credit union and expect it to ensure the security of their non-public personal information. This includes account types and numbers, and account balances; deposit, loan and savings information; and personally identifiable information such as names, phone numbers, Social Security numbers, phone numbers and addresses.

By implementing a vendor management program, credit unions can understand exactly how members' information is being used – who has access to it, how it's being stored, whether or not it's being transmitted and, if so, to whom.

Starting a Vendor Management Program

The starting point for any vendor management program should be creating a board policy with details such as: Board, management and staff roles and responsibilities; due diligence requirements; methodology for rating risk; contract review and tracking; vendor oversight requirements; an annual board review and dated policy revisions.

Many credit unions have found value in using a vendor management expert to help them with vendor requirements, contracts, requests for proposals and due diligence. At Sollievo, we recommend including these steps for ensuring a complete vendor management program:

  1. Create a vendor inventory. Develop a complete list of vendors, using your accounts payable records as a guide to ensure none are overlooked. Make sure different departments aren't contracting for the same vendor or more than one vendor that performs essentially the same functions.

  2. Develop a vendor risk assessment process and rationale. Determine each vendor's level of risk to your credit union's operation and assign a rating from critical to high, moderate or low. For example, a critical vendor, such as a core processor, could not be easily replaced or could financially affect operations if services were suddenly interrupted. A high-risk vendor is one that has access to sensitive data, such as an electronic or paper statement provider or CRM service; however, it may not be critical to daily operations.

  3. Perform due diligence. Ensure a process is in place to collect information about potential third-party vendors, including qualitative and quantitative aspects. For regulatory and effective management purposes, document that each item on your list has been examined. A short list of items to request from possible vendors might include audited financial statements, SSAE16 or SOC reports, certificate of insurance, level of experience or ability in implementing the service or product, work done overseas, qualifications/experience of the company's principals, use of subcontractors and employee background checks.

  4. Perform a contract review. Make sure legal counsel reviews all contracts and that they meet the FFIEC's guidance. Include performance standards and ask for the right to conduct periodic audits. Also ask what happens to members' data if the vendor is no longer used, how data will be extracted and in what format, the length of time for the process and whether there is an added cost.

  5. Complete contract tracking. At a minimum, credit unions should track termination dates, cancellation deadlines and automatic contract renewals. Review contracts before the cancellation deadline (usually 30 to 90 days prior to termination) to prepare to negotiate changes or ensure time to research other vendors.

  6. Plan for periodic reviews and monitoring. Sollievo may track vendors via an automated web-based solution or a manually updated spreadsheet. Monitor vendors for contract compliance, performance, adherence to SLAs and financial stability. Examine invoices to ensure they match the contract. Also review critical and high-risk vendors each year, and moderate- and low-risk vendors after two and three years, respectively. This includes critical documents, such as the SSAE16 and financial statements. Evaluate their risk rating to see if there is a change.

Using third-party vendors helps credit unions provide the products and services members expect in today's high-tech, mobile world. By implementing a robust vendor management process, credit unions can ensure compliance with regulations, mitigate risk, better control costs and protect their reputations.

strong third party vendor best practice tipsBelinda Mumma is senior consultant, enterprise risk management services at Sollievo. She can be reached at 855-605-5664 or [email protected].

|

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Breaking credit union news and analysis, on-site and via our newsletters and custom alerts
  • Weekly Shared Accounts podcast featuring exclusive interviews with industry leaders
  • Educational webcasts, white papers, and ebooks from industry thought leaders
  • Critical coverage of the commercial real estate and financial advisory markets on our other ALM sites, GlobeSt.com and ThinkAdvisor.com
NOT FOR REPRINT

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.