Vendor management has become a hot topic and a cottage industry since the NCUA published guidelines in 2007 that required credit unions to perform due diligence on everyone from their core processors to their janitorial services.
A variety of service and software providers have stepped forward to help credit unions comply with the "Guidance for Evaluating Third-Party Relationships Risk" (NCUA Letter 07-CU-13), offering combinations of business process and legal consulting and workflow software.
For instance, $1.5 billion Langley Federal Credit Union in Virginia has begun using a service called CU Vendor, formed in 2008, that offers software and training from business continuity specialist Quantivate, due diligence specialist the Paragon Group and a compliance guaranty produced by the law firm of Farleigh Wada Witt.
Then there's Ventelligence, an automated, Web-based system from the LSCU Service Corp., part of the League of Southeast Credit Unions. It includes contract management features such as keeping track of automatic rollovers, expired insurance proof documents and unpaid rebates as well as regulatory must-haves such as automated risk scoring, its developers said.
"The really powerful thing about this kind of solution is that you don't have to start from scratch to build anything. We created a workflow of templates. You just transition your contracts into our software and then manage their lifecycles from there," said Lori Vary, director of e-purchasing at the Tallahassee, Fla., operation.
Another specialist who has emerged in the vendor management business is Rock
Carter, president of Credit Union Vendor Management in Morrison, Colo. He said he had been involved in risk management, primarily comparing insurance vendors, for 25 years when he joined with the Credit Union Association of Colorado and 10 area credit unions to form the new CUSO.
Carter said CUVM blends what he calls "the glorified filing cabinets of a software-only-type provider with a service approach. We use the software to gather and organize the information, and then we parse it and view and look for anomalies and concerns that credit unions should be aware of in terms of their vendor relationships."
He said, for instance, the focus includes SAS70 audit and financial statements. "When you read the notes and financial details, there are a lot of well-funded and well-capitalized vendors and credit unions alike, but clearly there also are a lot that are having financial difficulties. If it's critical, that could pose a danger for some credit unions, and we note those things that are of concern," he said.
"As the NCUA has expressed, it's important for credit unions to be aware of this and to have an exit strategy to continue to do business" if the provider of a key service were to go out of business, Carter said.
The big trade groups also are getting involved. CUNA Strategic Services offers VendorTrack, for instance, which Robert Reh, chief information officer at Nassau Financial FCU in Westbury, N.Y., said replaced a manual Excel spread sheet at his $358 million institution and now helps keep track of about 200 vendor relationships.
"There's been no learning curve. We have one person primarily responsible for maintaining it, scanning all the documents, the SAS 70 reports and all that, and then all that information is reviewed by our executives and our internal auditors," Reh said.
"It provides us with much greater visibility of the information we need, and the examiners who were here earlier this year were very pleased, too," said Reh, a member of the CUNA Technology Council's Executive Committee.
For many credit unions, the most central relationship in operational continuity is the core processor and that industry is paying attention to the vendor management trend, too.
For instance, CUOL, a Massachusetts-based service bureau provider of the Fiserv XP2 platform, has just hired a new chief information officer with that in mind.
Kevin Keener, who came to CUOL with more than 20 years of experience in systems auditing and assurance, bank examination and compliance, will focus on helping the company satisfy audits and examinations itself and do the same for its credit union clients.
He said he spent one of his first weekends at his new job helping prepare for the Reg E overdraft opt-in go-live date on July 1.
"We tested the patches, had all our systems brought down, installed them and made sure everything was in compliance with the new regulations, then had it up and ready in time for business on Monday morning," he said. "It was quite a team effort."
CUOL serves smaller credit unions, which Keener said can find it "particularly difficult to keep up with all the regulations, changes and the extra burden of regulatory insight if they try to do with their own internal data processing functions."
Some larger credit unions, however, continue to go it alone. For instance, $1.5 billion Baxter Credit Union in Vernon Hills, Ill., has put together its own vendor management and compliance solution using a piece of MEGA enterprise architecture software and internal teamwork.
Jeff Johnson, Baxter CU's senior vice president/chief information officer, said the team was assembled in response to the NCUA guidance. "That was the springboard," said Johnson, who also serves on the CUNA Technology Council's executive committee. "I looked at that and the FFIEC handbook and came up with a vendor management policy that was then approved by our board. We then assembled the cross-functional team that looks at vendors holistically and talks about risk. We review and rank them and keep up with them in a way that gives us consistency around risk control."
Not only has the process helped Baxter ensure regulatory compliance, Johnson said, but it also helps save money. "It's helped our managers really focus on pricing while they're managing their contracts," he said. "We've saved in excess of a million dollars in vendor concessions in the past three years."
Reh at Nassau Financial said his credit union also has been able to better negotiate its various contracts, in part because of the alert functions which let he and his colleagues know well in advance of a contract expiration.
Group purchasing also is a byproduct. For instance, Ventelligence has added a purchasing feature that includes group buying.
"We had one small credit union buy one laptop and a computer case through this, while another bought 58 desktops and 17 laptops. Others bought something completely different but because they were all participating together, the vendors were more interested in their business and could compete more aggressively for it," Vary said. She said the group purchasing also has been used for cash recyclers, coin counters, maintenance services and armored car deliveries.
While it's, of course, a business for them, the people offering the service argue that it's also good for the credit unions.
"NCUA guidelines for risk assessment and third-party due diligence for credit unions really are in their best interest," said Vary at Ventelligence. "The whole premise behind doing these types of activities is to keep credit unions and their member safe from potentially harmful vendors.
"That's really what it's all about."