Did you know your credit union could be responsible for the performance of your vendors?
No credit union wants to encounter regulatory trouble or face reputational risk, especially as a result of vendor activities. It is well established that vendor management due diligence is a topic of increasing importance for all credit unions. The National Credit Union Administration (NCUA) has provided clear direction regarding vendor due diligence. Additionally, the NCUA has deemed several areas as critical in third-party vendor management.
Risk Assessment & Planning
- Credit unions should complete a comprehensive risk assessment prior to engaging a third-party relationship.
- Risk areas include Credit, Interest Rate, Liquidity, Transaction, Compliance, Strategy and Reputational.
- Officials should document how the relationship will relate to their credit union’s strategic plan.
- Credit unions must demonstrate an understanding of the vendor in order to effectively identify and mitigate risks. Key due diligence elements include Organization, Business Model, Financial Health, and Program Risks.
- It is important to contemplate what degree of due diligence rigor is required. Not all vendors are created equal. More complex vendor relationships with more risk will typically require increased due diligence; less complexity and risk means less rigorous due diligence.
Ongoing monitoring and control is equally as important as upfront due diligence. Credit unions must be able to continually measure performance and risk.
Risk Measurement, Monitoring & Control
- Documented policies and procedures are critical in terms of clearly outlining processes and responsibilities.
- A method for vendor performance management should be developed and implemented to validate expectations are being met. One commonly used performance management tool is a scorecard.
A solid performance management tool will aid in ensuring vendor processes are in control and risks are mitigated; if performance is below expectations, then the credit union must take appropriate corrective action to ensure remediation occurs.
All credit unions utilize vendors to help them achieve their strategic objectives. As the NCUA has conveyed, the utilization of vendors does not in any way diminish the credit union’s level of responsibility. In fact, vendors are essentially extensions of the credit union.
Ultimately, the performance of vendors can directly influence how credit unions are viewed. Furthermore, failure to conduct thorough due diligence and effectively monitor vendors places a credit union at risk.
Again, it is important to keep in mind that not all vendor relationships will require the same level of due diligence and ongoing monitoring. Credit unions must determine, based on a risk assessment, what is appropriate for a particular vendor.
There are a number of important questions credit unions should contemplate in their vendor management programs. We will explore five that are focused on ensuring credit unions understand and effectively mitigate risks they face as well as the risks to their members.
1. How do you ensure my members’ information is protected?
This is a critically important question. Credit unions must ensure Gramm-Leach-Bliley Act (GLBA) compliance. Questions related to the flow of member data should be explored, and documentation obtained as to what occurs with member information in various processes (marketing, billing, servicing, etc.). In addition, the documentation should include member data touchpoints that take place even beyond the primary vendor, i.e., with subcontractors. Topics such as data encryption are critical for credit unions to thoughtfully consider. This point cannot be stressed enough. Privacy compliance is non-negotiable, and credit unions should obtain evidence to confirm their vendors’ processes are effective and compliant.
2. What industry-recognized certifications does your company hold?
There are a number of certifications vendors may hold that attest to their capabilities. Credit unions should request and even require vendors to provide certifications and documentation to validate the soundness of internal controls. A few examples include:
- SSAE16 (Statement on Standards for Attestation Engagements) Report: Based on an independent party’s evaluation of a service provider’s control policies and procedures.
- PCI (Payment Card Industry) Certification: Based on a set of requirements designed to ensure that companies that process, store, or transmit credit card information maintain a secure environment.
- ISO (International Organization for Standardization) Certification: ISO 27001 is based on a set of information security management system standards intended to ensure data security.
3. What is your level of experience and market position?
Credit unions should consider the experience of vendors. Are they new to the market or proven in their industries? Credit unions should request documentation or evidence of vendors’ market stability. Additionally, a valuable exercise is to complete a competitive analysis to better understand the vendors’ position in the market and to help validate that the best vendors are being considered and ultimately selected.
4. What ongoing reporting can you provide?
An important point is ensuring a positive member experience. Credit unions should work with their vendors to ensure an appropriate reporting process is agreed upon and implemented. The credit union is required to monitor vendors, and to accomplish this, quality data is needed. Information related to service level performance, complaints, etc. is critical to understand the experience a vendor is providing to members. A best practice is to contemplate reporting requirements in the contracting process.
5. Is your company financially stable?
Visibility into the financial stability of vendors is vital. Credit unions must understand the financial structure and health of vendors. Many independent ratings agencies can assist in this review. Obtaining and reviewing financial statements and reports is a best practice. It is also important to understand the growth trajectory as well as the challenges of vendors. EBITA (earnings before interest, taxes, and amortization) is an example of a helpful metric to understand; it is a widely recognized indicator of a company’s efficiency and profitability. Understanding a vendor’s profitability is critical, regardless of whether the company is privately or publicly owned.
Know Your Vendors
There are many additional questions that should be raised by credit unions as they engage with and actively manage third-party vendors. To this point, it is always helpful if credit unions engage with vendors who have a clear understanding of regulatory requirements related to vendor management. Ideally, vendors will have a well-developed vendor due diligence program or process that aligns to regulatory requirements. This will make credit union due diligence much easier and you’ll know the vendor you’re working with takes vendor management seriously.