Today, consumers can access their financial institutions through numerous channels, such as mobile phone, online banking, call center, branch, ATM, email or drive-thru window. So, to remain competitive, most credit unions have found value in outsourcing various services and activities to third-party vendors. Not only is this cost effective, but it also allows staff to focus on credit unions' most important function: serving their members.

But giving up some control to another company can be risky, as poorly managed third-party providers can cause unexpected legal or reputational issues, as well as expose members' information to possible misuse. As a result, all financial institutions should implement a well-planned vendor management process.

Financial regulators, including the NCUA, know the importance of vendor management, addressing it in response to laws such as the Bank Service Company Act of 1962, Gramm-Leach-Bliley Act of 1999 and Sarbanes-Oxley Act of 2002. But regulations can be confusing because while a specific agency might not have authority over your credit union, it may oversee a vendor you use – and you need to know who those regulators are and what their rules say. Further, any service providers you contract with must also comply with rules set by the state and federal regulators that do have authority over your credit union.

Understanding Vendor Management

The obvious reason for a strong vendor management program is that it's a regulatory requirement. Being out of compliance can mean hefty fines, negative exams and lowered CAMEL ratings. Worse, it could shut the credit union down. NCUA regulations (Part 748 Appendix A) require vendor management processes for the following:

  • Oversight and approval of the vendor by your board of directors;

  • Identification and assessment of risks to member information;

  • Processes to manage and control risks to member information;

  • Regular review of vendor management processes to reflect changing conditions; and

  • A report to the board at least annually.

Beyond that, vendor management is a smart business practice. Financial institutions that don't carefully oversee their third-party relationships could face huge costs related to security breaches, complaints of poor service quality, lawsuits and reputational risk, to name a few. Careful vendor management also tightens budget control and helps eliminate redundancies, such as different departments using the same vendor but contracting for services independent of each other. Or, worse, they could be separate firms offering essentially the same services.

But here's the most compelling reason: Members trust their credit union and expect it to ensure the security of their non-public personal information. This includes account types and numbers, and account balances; deposit, loan and savings information; and personally identifiable information such as names, phone numbers, Social Security numbers and addresses.

By implementing a vendor management program, credit unions can understand exactly how members' information is being used – who has access to it, how it's being stored, whether or not it's being transmitted and, if so, to whom.

Starting a Vendor Management Program

The starting point for any vendor management program should be creating a board policy with details such as: board, management and staff roles and responsibilities; due diligence requirements; methodology for rating risk; contract review and tracking; vendor oversight requirements; an annual board review and dated policy revisions.

Many credit unions have found value in using a vendor management expert to help them with vendor requirements, contracts, requests for proposals and due diligence. At Sollievo, we recommend including these steps for ensuring a complete vendor management program:

  1. Create a vendor inventory. Develop a complete list of vendors, using your accounts payable records as a guide to ensure none are overlooked. Make sure different departments aren't contracting for the same vendor or more than one vendor that performs essentially the same functions.

  2. Develop a vendor risk assessment process and rationale. Determine each vendor's level of risk to your credit union's operation and assign a rating from critical to high, moderate or low. For example, a critical vendor, such as a core processor, could not be easily replaced or could financially affect operations if services were suddenly interrupted. A high-risk vendor is one that has access to sensitive data, such as an electronic or paper statement provider or CRM service; however, it may not be critical to daily operations.

  3. Perform due diligence. Ensure a process is in place to collect information about potential third-party vendors, including qualitative and quantitative aspects. For regulatory and effective management purposes, document that each item on your list has been examined. A short list of items to request from possible vendors might include audited financial statements, SSAE16 or SOC reports, certificate of insurance, level of experience or ability in implementing the service or product, work done overseas, qualifications/experience of the company's principals, use of subcontractors and employee background checks.

  4. Perform a contract review. Make sure legal counsel reviews all contracts and that they meet the FFIEC's guidance. Include performance standards and ask for the right to conduct periodic audits. Also ask what happens to members' data if the vendor is no longer used, how data will be extracted and in what format, the length of time for the process and whether there is an added cost.

  5. Complete contract tracking. At a minimum, credit unions should track termination dates, cancellation deadlines and automatic contract renewals. Review contracts before the cancellation deadline (usually 30 to 90 days prior to termination) to prepare to negotiate changes or ensure time to research other vendors.

  6. Plan for periodic reviews and monitoring. Sollievo may track vendors via an automated web-based solution or a manually updated spreadsheet. Monitor vendors for contract compliance, performance, adherence to SLAs and financial stability. Examine invoices to ensure they match the contract. Also review critical and high-risk vendors each year, and moderate- and low-risk vendors after two and three years, respectively. This includes critical documents, such as the SSAE16 and financial statements. Evaluate their risk rating to see if there is a change.

Using third-party vendors helps credit unions provide the products and services members expect in today's high-tech, mobile world. By implementing a robust vendor management process, credit unions can ensure compliance with regulations, mitigate risk, better control costs and protect their reputations.

Belinda Mumma is senior consultant, enterprise risk management services at Sollievo. She can be reached at 855-605-5664 or [email protected].

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.