Third-Party Relationship Risks Are Manageable
A new white paper from the CUNA CFO Council looks at the risks credit unions need to be aware of with third-party relationships.
The report, "Vendor Due Diligence: Create a Manageable, Relevant Process that Increases Efficiencies and Enhances Revenues," discusses identifying key vendors and their risk levels, gathering information for due diligence reviews, conducting initial and ongoing reviews, tracking and documenting, and in-house versus outsourced programs. Authored by Judy Dahl, the paper also includes considerations for small credit unions with limited resources, along with five case studies of credit unions with successful vendor management programs.
The CFO Council said that while the guidelines require review of all relationships, the level of review for a particular vendor should depend on the level of risk the relationship poses to the credit union.
"Your due diligence process should thoroughly evaluate potential third parties before you enter relationships with them. It should also include revisiting the partnerships on a regular basis so you'll know if your partners can still provide the support you need," the council wrote.
A number of resources have become available in recent years to assist credit unions with managing third-party relationships, from a questionnaire the NCUA provides on its website, to a free guide developed by the CUNA due diligence taskforce, Dahl wrote.
Two of the sources in the paper provided a checklist for identifying the product or service the vendor will provide and the risks associated with the relationship.
o Service provided--what is the service, how does it work, and what's its relationship to core operations? To what degree does the vendor capture, process, transmit or store member information or critical credit union data? For the highest-rated vendors, if the service or product was unavailable, mission-critical functions would be affected.
o Vendor dependence--how long could the credit union function without immediate vendor or product replacement? How easily could you replace the service?
o Financial commitment--how much would it cost to acquire the service? What's the cost, in dollars and effort, of terminating the contract and replacing the vendor?
o Regulatory burden--does the vendor have to adhere to numerous regulations? For example, online mortgage vendors may be responsible for ensuring compliance with federal and state regulations.
o Member service--what's the member-service impact if the product or service becomes unavailable?
The white paper also encourages credit unions to conduct ongoing reviews to assess whether a relationship is still working by considering the following issues:
o Whether the risks associated with the vendor have changed.
o If the vendor is meeting contractual obligations and service standards.
o If the vendor is positioned to grow with and meet your credit union's needs. That is, if it's financially strong and keeping pace with or investing in current technology.