SAN DIEGO — Attendance at credit union attorney Mitchell Klein's educational session regarding third-party due diligence, despite stiff competition from perfect San Diego weather on a Friday afternoon, underscored the importance of the subject matter.
Klein, who is senior vice president and general counsel for $3 billion Police and Fire FCU, said the NCUA isn't kidding when it says it will review vendor due diligence this year; in fact, Klein's Philadelphia-based cooperative is scheduled for an audit this month, and examiners have already requested the information.
What is the NCUA looking for? A formalized due diligence policy and documentation that the policy is being followed, he said. The agency will also use a checklist to ensure credit unions follow vendor due diligence to a "T." It includes questions regarding the need for a vendor, the bidding process, risk assessment, background checks, business model, cash flows, financial and operational control, contracts, accounting, monitoring and control.
"It's going to be hard on people, it will take more time, but the NCUA is requiring it, so it's a reality we have to face," Klein said.
Not every vendor requires a full-scale investigation though, he said.
"Your job is to do your own risk assessment on your vendors and determine how you can whittle down those that don't need full due diligence," he said.
At Police and Fire FCU, three types of vendors require full due diligence: those responsible for key processes, like core processors whose failure could bring daily operations to a halt; those that handle confidential member information; and those that are involved in large contracts involving a significant portion of the budget. Some credit unions have created a matrix that groups vendors according to risk, and includes a checklist of due diligence tasks for each risk level.
"You don't need to worry too much about what will happen if the vending machines don't get refilled with Cheetos, and I don't think the NCUA is too concerned about that, either," he said.
Still, the new regulation does require a significant amount of time and effort for credit union administrators, who are already overburdened with regulatory requirements, Klein said. The SVP mused that the industry will probably soon see an emergence of due diligence vendors to handle the task.