Credit unions establish relationships and partnerships with third-party providers to meet strategic objectives, enhance member services, and manage competitive pressures. When a credit union actively manages its third-party relationships, the institution can then provide a wide range of potential benefits to its members.
However, third-party relationships also come with a high level of risk for financial institutions, making it crucial for them to have a solid vendor management program in place to effectively manage their vendors. A number of regulatory agencies including the National Credit Union Administration (NCUA) provide guidance to help credit unions evaluate the risks of working with third-party providers and understand examiner expectations related to their vendor management processes.
In a Supervisory Letter, the NCUA identified the following 3 concepts that credit unions should address and examiners should ensure are commensurate with the credit union’s size, complexity, and risk profile:
- Risk Assessment and Planning
Before entering into a new third-party relationship, credit unions should determine whether the relationship complements their overall mission and philosophy. The credit union should weigh the risks and benefits of outsourcing the process against the risks and benefits of keeping it internal. An explanation of how the relationship relates to the credit union’s strategic plan, long-term/short-term goals, objectives, and resource allocation requirements should be documented. The credit union should conduct an initial risk assessment that includes an evaluation of enterprise risks, including compliance, strategic, and reputation risk.
- Due Diligence
Conducting thorough due diligence includes demonstrating a strong understanding of a third party’s organization, business model, financial health, and program risks. To ensure the proper risk controls are in place, credit unions must understand a prospective vendor’s responsibilities and all of the processes involved. Examiners should evaluate whether the credit union’s due diligence process includes background checks, an examination of the third party’s business model, a determination of how cash flows move between all parties in the proposed third-party arrangement, financial and operational controls, contract evaluation, and accounting considerations.
- Risk Measurement, Monitoring and Control
Credit unions must establish ongoing expectations and limitations, compare program performance to expectations, and ensure all parties are fulfilling their responsibilities. Credit unions should develop policies and procedures detailing the responsibilities of the credit union and the third party, including management oversight and reporting. Ongoing monitoring of controls over the third-party relationship should be implemented to mitigate risks.
Reduce Risk, Increase Compliance with Vendor Management Software
Regulations repeatedly make it clear that the use of third-party vendors or service providers does not reduce the responsibility of your credit union to ensure that data is safe, secure and complies with all applicable laws, regulations and security best practices. While it is more important than ever for credit unions to manage their vendors, many struggle with the best way to efficiently and successfully accomplish this. Until recently, most credit unions had only a handful of managed vendors, which could be tracked manually via a spreadsheet. While this may have worked in the past, regulators’ expectations today are much more sophisticated.
To comply with NCUA regulations, every credit union must be able to provide proper documentation on the ongoing monitoring and management of its vendor management program. Automating vendor management functions not only saves your staff time but also helps to ensure the institution is in compliance with regulatory requirements. An automated vendor management solution is an effective tool to help credit unions reduce risks and improve examination results.