How to Stay on Top of Third-Party Vendor Compliance
In 2008, NCUA announced its highest exam priority for credit unions: the risk management of third-party relationships.
NCUA's exam focus followed their Guidance for Evaluating Third Party Relationship Risk (NCUA Letter 07-CU-13), which outlines how credit unions should manage the risks related to their significant third-party relationships.
While an effective vendor-management program needs to address the goals and requirements of NCUA's Guidance for significant vendors, it must also provide the operational organization necessary to manage all of the credit union's current and future vendor contracts and relationships.
Credit unions should shop carefully and look for contract management software/services that enable the credit union to document, manage, and report all aspects of its vendor relationships and include integrated forms and guidelines to satisfy the specific NCUA document requirements.
If the CU is maintaining the program in-house, it is vital to have proper tools available to document the planning, risk assessment and due-diligence process. "There are many contract management software programs available today, but few are designed with the flexibility to manage vendors for small and large credit unions. Our difficulty was finding the time and staff to perform a thorough due diligence on our critical vendors. We felt outsourcing our due diligence process was the most cost-effective method to manage our program, and we are very pleased with the results of our vendor management program," said Nordstrom FCU CEO Wilma Robison.
Key Features for Managing Vendor Due Diligence
The following are key components to effectively manage vendor due diligence:
Business Planning for New Vendors. Business planning for new outsourced products and services is the initial focus of the due-diligence process for the credit union. This analysis provides the opportunity to evaluate and weigh the in-house vs. outsource options before committing to a multi-year contract. How much does it cost to outsource a vendor service vs. performing the task in house? Does the CU have the staff and knowledge to perform the task? How about an exit strategy if the vendor should fail?
Classifying Vendors. Completing an effective vendor management process involves classifying vendors for criticality. Some vendors are easy, such as the core processor or debit/credit card processor. But some decisions are more difficult. Should the janitorial service be a critical vendor? Reviewing the classification elements will assist in determining which vendors are critical.
Risk Assessment. Completing the risk assessment requires a strong knowledge of the vendor product or service and a comprehensive understanding of the impact on the CU. Will the CU meet its strategic goals if a particular vendor should fail? What is the likelihood of failure and what would the impact be if the vendor or service failed?
Due Diligence Process. Performing the actual due diligence requires knowledge of financials, contracts, and SAS-70s. One CEO described their vendor-management program as a "hobby": it was the project that was worked on when there was nothing else to do. Outsourcing the vendor-management process may be a cost-effective way to complete the due diligence, because the documents are then reviewed with consistency and thoroughness by experts with vast experience at evaluating the critical information.
Whether the CU performs the due diligence or outsources the process, ultimately it is the credit union's responsibility to be compliant.
SAS-70 Review. A SAS-70 is an auditing standard designed to enable an independent auditor to evaluate and issue an opinion on the organization's controls. Examiners typically want to see an updated SAS-70 at least every two years. Is the CU fully aware of all exceptions noted in the SAS-70, and of the control considerations it lists? A SAS-70 review that records the exceptions and control considerations indicates the credit union has thoroughly reviewed the document and is aware of any vendor weaknesses as well as its own responsibility for maintaining compliance.
Contract Review. Before signing with a new vendor, it is imperative to obtain or conduct a complete review of the proposed contract. This process is never a replacement for the legal review, but it may provide the opportunity to negotiate or renegotiate a contract based on the due-diligence results. Most contracts tend to favor the vendor, and this review evens the playing field.
Langley FCU in Newport News, Va., recently purchased a vendor-management system. Jean Yokum, LFCU President/CEO, said, "Our highest priority is protecting our members' assets and performing due diligence on key vendors is critical. A good Vendor Management System (VMS) provides consistent and comprehensive analysis. It also keeps staff well informed about contracts coming due. Yes, a well-managed VMS will please the examiners, more importantly though, it will reduce risk at your credit union."
NCUA has indicated that vendor management will once again be a priority in annual examinations. Although a thorough vendor-management program will take a significant amount of staff resources and funding, ultimately it will be worth it when the credit union receives a clean bill of health and knows that vendor risk has been minimized.
Susan Girsch-Arnsdorf is VP-compliance for The Paragon Group, a wholly owned CUSO of TwinStar Credit Union in Olympia, Wash. She can be reached at firstname.lastname@example.org or 360-412-1736 x 112.