Evaluating and Selecting Third-Party Vendor Relationships – What your Credit Union Needs to Know
The majority of credit unions rely on third-party service providers, both for specialized IT services and technology that improve the overall quality and efficiency of the organization and for the mission-critical software and hardware that actually run their business. Third-party providers have therefore become an essential component of day-to-day operations, but it is important that credit unions understand the operational and reputational risks they assume if they do not select and manage these relationships and providers appropriately.
Some of the potential risks of using a third-party service provider include:
- Compliance risks including violations of laws, rules or regulations or non-compliance with policies and procedures;
- Reputational risks including dissatisfied members or regulation violations that lead to public enforcement actions;
- Operational risks including losses from failed processes or systems, or losses of data that result in privacy issues;
- Transaction risks including problems with service or delivery; and
- Credit risks if a third party is unable to meet its contractual obligations.
To help eliminate some of the risk that comes with using third-party providers, a credit union should take several steps and put processes in place before entering into an agreement with an outsourced provider. Before entering into a third-party relationship, credit unions should:
- Determine whether the relationship complements their credit union’s overall mission and philosophy;
- Document how the relationship will relate to the credit union’s strategic plan;
- Design action plans to achieve short-term and long-term objectives;
- Perform proper due diligence on all vendors;
- Assign authority and responsibility for new third-party arrangements; and
- Weigh the risks and benefits of outsourcing business functions against the risks and benefits of maintaining those functions in-house, if possible.
Once a vendor is selected, credit unions should:
- Adopt risk management processes that match the level of risk and complexity of their third-party relationships;
- Implement an effective risk management process throughout the life cycle of the relationship, including plans that outline the credit union’s strategy, identification of the inherent risks of the activity, and details of how the credit union selects, assesses, and oversees the third party;
- Have written contracts that outline the rights and responsibilities of all parties;
- Implement a process for ongoing monitoring of the third party’s activities and performance;
- Have a contingency plan for terminating the relationship in an effective manner; and
- Have clear documentation and reporting to meet NCUA regulations and requirements.
Following all of these steps and ensuring third-party relationships are managed correctly can be a time-consuming, often cumbersome responsibility for credit union staff. In response, credit unions are looking for ways to perform due diligence and manage their outsourced vendors more efficiently, protect themselves from risk, and maintain compliance with NCUA requirements. Credit unions often determine that implementing an industry-specific and automated vendor management program is the most cost-efficient method to control and manage these risks. When implemented correctly, automated vendor management solutions can save a tremendous amount of time and money, reduce risks and eliminate potential compliance issues.
For more information, please download our white paper, Why Automation is the Answer to Credit Unions’ Vendor Management Challenge.