4 Tips To Manage Vendors
Lori Gall, CEO of vendor management specialist Sollievo, a CUSO of Vizo Financial Corporate Credit Union, offers best practices for vendor management programs.
Conduct due diligence. Before a contract is signed, review a vendor's references, financial statements, and SSAE 16 audit reports.
Set clear expectations. Be consistent and include expectations for vendor performance in the vendor agreement.
Conduct ongoing risk assessments. Develop an efficient, effective approach to understanding the credit union's potential risk and minimizing the risk it already carries.
Establish ongoing oversight. Companies grow and change, and a yearly review of critical vendors is essential.
Norley’s colleague, Quantivate vice president of risk management services Bill Hord, agrees.
“Having a good vendor management program is tantamount to preserving the safety and soundness of the Share Insurance Fund,” he says. “You’re staying within the requirements of the regulators in ways that help protect and preserve members’ capital, their money.”
Exposure to risk has been growing as credit unions have expanded their footprint, products, and services. Service availability and disaster recovery are known issues. And integrating ancillary services to the core processing system has brought a new level of complexity and risk, particularly around the threat of debit and credit card breaches exposing member information.
To be sure, there are different levels of risk and criticality. But, how risky, for example, can a custodial service be?
Quite risky, it turns out. Remember the massive Target data breach disclosed in December 2013? The attackers got in using network credentials stolen from an HVAC contractor that serviced multiple Target locations; the contractor never handled card data, but its remote access did.
Even the folks plowing the parking lot can be an issue.
“What if the plow runs into someone’s $100,000 Beemer in your parking lot?” Hord asks. “Is that vendor insured for that? If not, you’re stuck. These things can snowball.”
These illustrations are easy to point to, but there are numerous other serious risks inherent in operating a financial institution, ones that exist outside of card processing and snow plowing.
“Vendors deliver a lot of different products and services to credit union members,” says Lori Gall, president and CEO of vendor management specialist Sollievo, a CUSO of Vizo Financial Corporate Credit Union in Middletown, PA.
Gall says third-party partners present a broad range of risks, including:
Compliance risks, such as violations of laws, rules, or regulations.
Reputational risks, such as dissatisfied members or violations of laws or regulations that lead to public enforcement actions.
Operational risks, such as losses from failed processes or systems or data losses that result in privacy issues.
Transactional risks, such as problems with service or delivery.
“All of these things can not only hurt your organization’s brand and reputation but also greatly affect your earning power,” Gall says. “If you practice bad vendor management, you run the risk of losing your members and collapsing the entire organization. That’s how important vendor management is.”
CU QUICK FACTS
VAntage Trust FCU
HQ: Wilkes-Barre, PA
Data as of 12.30.16
12-MO SHARE GROWTH: 3.0%
12-MO LOAN GROWTH: 21.1%
Size seems to matter when it comes to managing service providers, according to Colleen Madar, president and CEO of VAntage Trust Federal Credit Union ($57.7M, Wilkes-Barre, PA). Madar says she’s found it is generally easier to work with larger companies.
“They have the information we need readily available because their other clients are asking the same things,” she says. “It’s the small vendors that we have the most problems with when we request information. Many times, they don’t understand what we’re asking for.”
And regardless of size, sometimes suppliers promise more than they can deliver.
“Vendor salespeople will tell you everything you want to hear,” Madar says. “You need to do your research and find out if it’s all true.”
The VAntage Trust CEO recounts one situation where performing her own due diligence, which included calling current clients for reference checks and talking to people outside of the sales team, nipped in the bud a possible core problem.
“A salesperson promised me his system could do everything my current system couldn’t do,” she says. “It seemed too good to be true, so I asked for a follow-up meeting with his IT department. Sure enough, the things he was promising me were not possible at all.”
A Little Help From Friends
Madar relies on a third-party service to help her manage her third-party services, in this case Sollievo. VAntage Trust uses Sollievo’s software for tracking, risk assessment, and electronic document storage.
“Before using vendor management software, we had filing cabinets full of documents and contracts with checklists in each vendor’s file folder,” Madar says. “Now that everything’s online, the process is much easier and less time consuming.”
Madar and her staff still maintain regular contact with their service providers but rely on the automation to help everyone get through that big-ticket item in every credit union’s life: compliance.
“We print one report from our software that shows everything examiners want to know about our vendors,” Madar says. “The NCUA examiner picks a few contracts to review and that’s it. The way we manage vendors makes our exams and audits easy.”
6 Cybersecurity Questions
A credit union's due diligence for information security should include a contract that specifies service-level agreements as well as consequences for when results fall outside those agreements, advises John Cuneo, senior consultant for information security risk management services for Sollievo. When evaluating a potential third-party vendor, Cuneo suggests asking these questions:
Does the vendor provide encryption in transit and at rest?
Will other third-party vendors have access to the credit union’s sensitive data?
What level of privilege is required to run the vendor's applications and systems, and can it be reduced?
Do these applications and systems require additional software?
Will the credit union receive a periodic user access report?
Does the vendor have patching and security testing processes?
SSAE 16 and SOC 2 Type 2 audit reports are also worth becoming familiar with, but Cuneo notes that the scope of such an audit is at the discretion of the vendor: the report covers only the systems and control objectives the vendor chose to have examined. "Ask questions to provide a clearer picture of the information security controls the vendor has in place," Cuneo says. "Do this before you make any decisions so you're sure you've found a vendor you are comfortable with."
The NCUA and other regulators who work together through the FFIEC have already raised expectations when it comes to vendor management and are pushing for more control, including seeking direct examination authority over suppliers like CUSOs.
Gall at Sollievo says the NCUA has particularly stepped up its examination focus on cybersecurity.
“You might not understand what cybersecurity has to do with vendor management at first, but you quickly find it’s critical,” she says. “The NCUA wants to see the credit union is protecting confidential data and that its policies ensure its vendors are doing the same.”
Gall says credit unions should know their third-party partners and conduct risk assessments on those that have access to member data by reviewing SSAE 16s, privacy statements, security policies, insurance policies, and financials.
The Federal Financial Institutions Examination Council publishes vendor and third-party management guidance that credit unions can use as a reference.
Gall says good vendor management provides a roadmap for credit unions so they understand the sequence of events in each situation.
“When operational issues arise, you need to know what the vendor is obligated to do,” the Sollievo CEO says. “For instance, what are the vendor’s service-level standards and recovery times, and do they adequately support the credit union’s operations? Does the vendor have contingency and incident response plans? What are the credit union’s obligations during that type of event?”
Paying attention to those service-level agreements not only helps satisfy compliance demands but also can save the credit union money, says Hord at Quantivate.
He offers an example from his time as risk manager at a Midwest credit union, when a business banking member experienced downtime in the credit union's internet banking service.
“Because we had that in the service-level agreements and we were paying attention, we were able to recover a few thousand dollars for substandard performance,” Hord says.
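Recovering a credit like the one Hord describes depends on measuring the vendor's actual performance against the contract's terms, not on the vendor's own reporting. The script below is an added example, not code from the article or from Quantivate or Sollievo. It merges overlapping outage tickets (so a double-logged incident is not counted twice), removes a contractually excluded maintenance window from both the downtime and the measured period, computes monthly availability, and looks up the credit owed. The outage records, the maintenance window, the monthly fee and the credit tiers are all constructed for illustration; a real contract defines its own tiers and its own exclusion rules.

```python
"""Monthly SLA availability check against a vendor's contractual targets.

Added illustration. All data below is constructed: the outage tickets,
the maintenance window, the fee and the credit schedule are hypothetical.
"""
from datetime import datetime

# Measurement period: March 2017 (hypothetical).
MONTH_START = datetime(2017, 3, 1)
MONTH_END = datetime(2017, 4, 1)

# Constructed outage tickets as (start, end) pairs. The first two overlap,
# and the last one falls entirely inside the maintenance window.
OUTAGES = [
    (datetime(2017, 3, 4, 2, 10), datetime(2017, 3, 4, 2, 55)),
    (datetime(2017, 3, 4, 2, 40), datetime(2017, 3, 4, 3, 30)),
    (datetime(2017, 3, 12, 9, 0), datetime(2017, 3, 12, 11, 15)),
    (datetime(2017, 3, 20, 0, 0), datetime(2017, 3, 20, 0, 30)),
]

# Scheduled maintenance the (hypothetical) contract excludes from uptime math.
MAINTENANCE = [(datetime(2017, 3, 20, 0, 0), datetime(2017, 3, 20, 2, 0))]

# Hypothetical credit schedule: (availability floor in %, % of monthly fee credited).
CREDIT_TIERS = [(99.9, 0), (99.5, 10), (99.0, 25), (0.0, 50)]
MONTHLY_FEE = 4000.0  # hypothetical


def merge(intervals):
    """Merge overlapping or touching intervals so overlapping tickets count once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def clip(intervals, start, end):
    """Keep only the part of each interval that lies inside [start, end)."""
    return [(max(s, start), min(e, end)) for s, e in intervals if s < end and e > start]


def subtract(intervals, exclusions):
    """Remove every exclusion window from the intervals (interval set difference)."""
    result = []
    for start, end in intervals:
        pieces = [(start, end)]
        for ex_start, ex_end in exclusions:
            next_pieces = []
            for s, e in pieces:
                if ex_end <= s or ex_start >= e:   # no overlap: keep as-is
                    next_pieces.append((s, e))
                    continue
                if s < ex_start:                    # part before the window survives
                    next_pieces.append((s, ex_start))
                if ex_end < e:                      # part after the window survives
                    next_pieces.append((ex_end, e))
            pieces = next_pieces
        result.extend(pieces)
    return result


def total_minutes(intervals):
    return sum((end - start).total_seconds() for start, end in intervals) / 60


def availability_pct(period_start, period_end, outages, maintenance):
    """Availability for the period. Maintenance is excluded from both the downtime
    and the measured period, a common contract convention assumed here."""
    excluded = merge(maintenance)
    measured = total_minutes(subtract([(period_start, period_end)], excluded))
    downtime = total_minutes(subtract(merge(clip(outages, period_start, period_end)), excluded))
    return 100.0 * (measured - downtime) / measured


def credit_owed(availability, monthly_fee, tiers=CREDIT_TIERS):
    """Return the credit for the first tier whose floor the availability meets."""
    for floor, pct in tiers:
        if availability >= floor:
            return monthly_fee * pct / 100
    return monthly_fee * tiers[-1][1] / 100


def monthly_report():
    """Compute downtime, availability and credit for the constructed month."""
    downtime = total_minutes(subtract(merge(clip(OUTAGES, MONTH_START, MONTH_END)), merge(MAINTENANCE)))
    avail = availability_pct(MONTH_START, MONTH_END, OUTAGES, MAINTENANCE)
    return {"downtime_minutes": downtime,
            "availability_pct": round(avail, 3),
            "credit": credit_owed(avail, MONTHLY_FEE)}


if __name__ == "__main__":
    print(monthly_report())
```

On the constructed data the two overlapping tickets collapse to 80 minutes, the 30-minute outage inside the maintenance window is discarded, and the month comes out at 215 minutes of countable downtime, which lands in the 10% credit tier. The point for a vendor manager is that the arithmetic is only as good as the outage records: keep your own timestamps rather than relying on the vendor's status page.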
Indeed, diligence does pay off.
“Good vendor management gives the credit union confidence that it can trust its vendors because it knows almost everything about them,” says Madar at VAntage Trust.