In early 2008, the NCUA announced its highest exam priority for credit unions-the risk management of third-party relationships. Well that was before the collapse in the financial markets and a series of related regulatory responses. Whether vendor management remains a priority for the NCUA in 2009, we shall see. However, the time for effective vendor management has never been more critical.
More and more financial services companies are struggling and making painful layoffs to shore up their financials. Too often in these scenarios, performance suffers. Choosing the right service providers or critically analyzing a current relationship requires solid risk management tools and a well-organized vendor-management program.
The NCUA's Guidance for Evaluating Third Party Relationship Risk (NCUA Letter 07-CU-13) outlines how credit unions should manage the risks related to their significant third-party relationships. Credit unions must now devote additional resources to expand their risk-management functions. The NCUA outlined four main components of a credit union's management responsibility over each significant vendor relationship at every stage of the lifecycle of the vendor relationship: risk assessment and planning; due diligence; contract review; and ongoing monitoring and oversight.
As with other NCUA guidance over the last two years, the guidance is technically not a regulation. However, it might as well be. The NCUA has issued a new examination questionnaire (NCUA Letter 08-CU-09) for field examiners' evaluation of vendor management. Failure to adhere to the guidance will result in negative examination feedback.
The increased regulatory burden of the guidance lies with the level of documentation a credit union is expected to create and maintain for its vendor relationships, as well as a more organized and thorough approach to due diligence and contract management. The requirements are not met with just a new board policy but rather changes to practices and systems and increased levels of staff time and effort are necessary.
Vendor Management Components. Vendor management begins at the planning stage and continues throughout the life cycle of each significant vendor relationship. The NCUA expects credit unions to plan for and manage third-party relationships just as if such activities were conducted in-house.
Risk Assessment and Planning. Management's first step in evaluating a third-party relationship involves considering the prospective relationship within the credit union's long-term strategic and current business plans. In addition to this planning evaluation, the credit union must conduct a risk assessment of a wide variety of risk factors. Credit union must now systematically document this analysis for its significant third-party relationships.
Due Diligence. The NCUA's guidance requires a credit union to conduct due diligence tailored to the complexity of the third-party relationship. For larger relationships, the key goals of due diligence are to thoroughly know the third-party organization, its business model and financial health, its strengths and weaknesses, its reputation, and its ability to meet the credit union's needs identified in the planning phase. This determination would include a review of the third party's product and service expertise, experience, performance reputation and a review of financials, external audits and SAS-70 reports.
Contract Review and Negotiation. The heart of the third-party relationship is the contract, and there is no such thing as a "standard contract." The contract should clearly establish the scope and services, performance requirements and standards, confidentiality and security of data, deadlines and terms, use of and responsibility for subcontractors, indemnification, default, and termination rights and dispute resolution. For its significant third-party relationships, credit unions should obtain a legal review-not to satisfy a checklist item but to protect the credit union.
Ongoing Monitoring and Oversight. The program should include ongoing monitoring of the vendor's service quality, financial condition and performance as well as contract and policy compliance. The results of management's monitoring activities should be reported to the credit union board at least annually.
Developing a Comprehensive Vendor Management Program. While an effective risk management program obviously needs to address the goals and requirements of the NCUA's guidance for significant vendors, it must also provide the operational organization necessary to manage all current and future vendor contracts and relationships. Credit unions need to move beyond Excel spreadsheets and file cabinet record retention to develop automated systems and evaluation tools for more effective vendor management.
There are many contract management software programs available today, but few are designed to satisfy the specific NCUA document requirements. Credit unions should shop carefully and look for contract management software that enables the credit union to document, manage and report all aspects of its vendor relationships and includes integrated forms and guidelines to satisfy the specific NCUA document requirements. For credit unions, a comprehensive vendor management program should include contract management software to organize and maintain a complete database of all existing and new contracts and relationships; scan and save all contracts and contract documents (RFPs, e-mail, correspondence, legal review notes) for each vendor; create and save all required NCUA risk management documents (planning reviews, risk assessments, due diligence reviews, contract reviews, and performance monitoring checklists); track key contract terms, such as renewals, price increases and notice requirements; organize and generate management reports for board review and examination compliance; instant access to key information of all vendor relationships; and provide e-mail alerts to key staff of important contract dates.
An effective vendor management program can help the credit union protect and manage its resources and maintain successful long-term vendor relationships.

Brian Witt is a credit union
attorney with Farleigh Wada Witt.
He can be reached at 503-228-6044
or [email protected]