Vendor management has become a hot topic and a cottage industrysince the NCUA published guidelines in 2007 that required creditunions to perform due diligence on everyone from their coreprocessors to their janitorial services.

A variety of service and software providers have stepped forwardto help credit unions comply with the “Guidance for EvaluatingThird-Party Relationships Risk” (NCUA Letter 07-CU-13), offeringcombinations of business process and legal consulting and workflowsoftware.

For instance, $1.5 billion Langley Federal Credit Union inVirginia has begun using a service called CU Vendor, formed in2008, that offers software and training from business continuityspecialist Quantivate, due diligence specialist the Paragon Groupand a compliance guaranty produced by the law firm of Farleigh WadaWitt.

Then there's Ventelligence, an automated, Web-based system fromthe LSCU Service Corp., part of the League of Southeast CreditUnions. It includes contract management features such as keepingtrack of automatic rollovers, expired insurance proof documents andunpaid rebates as well as regulatory must-haves such as automatedrisk scoring, its developers said.

“The really powerful thing about this kind of solution is thatyou don't have to start from scratch to build anything. We createda workflow of templates. You just transition your contracts intoour software and then manage their lifecycles from there,” saidLori Vary, director of e-purchasing at the Tallahassee, Fla.,operation.

Another specialist who has emerged in the vendor managementbusiness is Rock

Carter, president of Credit Union Vendor Management in Morrison,Colo. He said he had been involved in risk management, primarilycomparing insurance vendors, for 25 years when he joined with theCredit Union Association of Colorado and 10 area credit unions toform the new CUSO.

Carter said CUVM blends what he calls “the glorified filingcabinets of a software-only-type provider with a service approach.We use the software to gather and organize the information, andthen we parse it and view and look for anomalies and concerns thatcredit unions should be aware of in terms of their vendorrelationships.”

He said, for instance, the focus includes SAS70 audit andfinancial statements. “When you read the notes and financialdetails, there are a lot of well-funded and well-capitalizedvendors and credit unions alike, but clearly there also are a lotthat are having financial difficulties. If it's critical, thatcould pose a danger for some credit unions, and we note thosethings that are of concern,” he said.

“As the NCUA has expressed, it's important for credit unions tobe aware of this and to have an exit strategy to continue to dobusiness” if the provider of a key service were to go out ofbusiness, Carter said.

The big trade groups also are getting involved. CUNA StrategicServices offers VendorTrack, for instance, which Robert Reh, chiefinformation officer at Nassau Financial FCU in Westbury, N.Y., saidreplaced a manual Excel spread sheet at his $358 millioninstitution and now helps keep track of about 200 vendorrelationships.

“There's been no learning curve. We have one person primarilyresponsible for maintaining it, scanning all the documents, the SAS70 reports and all that, and then all that information is reviewedby our executives and our internal auditors,” Reh said.

“It provides us with much greater visibility of the informationwe need, and the examiners who were here earlier this year werevery pleased, too,” said Reh, a member of the CUNA TechnologyCouncil's Executive Committee.

For many credit unions, the most central relationship inoperational continuity is the core processor and that industry ispaying attention to the vendor management trend, too.

For instance, CUOL, a Massachusetts-based service bureauprovider of the Fiserv XP2 platform, has just hired a new chiefinformation officer with that in mind.

Kevin Keener, who came to CUOL with more than 20 years ofexperience in systems auditing and assurance, bank examination andcompliance, will focus on helping the company satisfy audits andexaminations itself and do the same for its credit unionclients.

He said he spent one of his first weekends at his new jobhelping prepare for the Reg E overdraft opt-in go-live date on July1.

“We tested the patches, had all our systems brought down,installed them and made sure everything was in compliance with thenew regulations, then had it up and ready in time for business onMonday morning,” he said. “It was quite a team effort.”

CUOL serves smaller credit unions, which Keener said can find it“particularly difficult to keep up with all the regulations,changes and the extra burden of regulatory insight if they try todo with their own internal data processing functions.”

Some larger credit unions, however, continue to go it alone. Forinstance, $1.5 billion Baxter Credit Union in Vernon Hills, Ill.,has put together its own vendor management and compliance solutionusing a piece of MEGA enterprise architecture software and internalteamwork.

Jeff Johnson, Baxter CU's senior vice president/chiefinformation officer, said the team was assembled in response to theNCUA guidance. “That was the springboard,” said Johnson, who alsoserves on the CUNA Technology Council's executive committee. “Ilooked at that and the FFIEC handbook and came up with a vendormanagement policy that was then approved by our board. We thenassembled the cross-functional team that looks at vendorsholistically and talks about risk. We review and rank them and keepup with them in a way that gives us consistency around riskcontrol.”

Not only has the process helped Baxter ensure regulatorycompliance, Johnson said, but it also helps save money. “It'shelped our managers really focus on pricing while they're managingtheir contracts,” he said. “We've saved in excess of a milliondollars in vendor concessions in the past three years.”

Reh at Nassau Financial said his credit union also has been ableto better negotiate its various contracts, in part because of thealert functions which let he and his colleagues know well inadvance of a contract expiration.

Group purchasing also is a byproduct. For instance,Ventelligence has added a purchasing feature that includes groupbuying.

“We had one small credit union buy one laptop and a computercase through this, while another bought 58 desktops and 17 laptops.Others bought something completely different but because they wereall participating together, the vendors were more interested intheir business and could compete more aggressively for it,” Varysaid. She said the group purchasing also has been used for cashrecyclers, coin counters, maintenance services and armored cardeliveries.

While it's, of course, a business for them, the people offeringthe service argue that it's also good for the credit unions.

“NCUA guidelines for risk assessment and third-party duediligence for credit unions really are in their best interest,”said Vary at Ventelligence. “The whole premise behind doing thesetypes of activities is to keep credit unions and their member safefrom potentially harmful vendors.

“That's really what it's all about.”

–[email protected]