Credit union auditing and compliance staffers are well aware that vendor management practices have been on the radar of regulators since the 2013 Target breach in which hackers accessed data for nearly 100 million accounts through a third-party IT vendor’s login credentials. NCUA is contemplating more auditing requirements for IT vendors, and credit unions across the country are undergoing audits of their vendor management programs.
Purdue Federal Credit Union ($941.64M, West Lafayette, IN) underwent its first audit last August. Two years before, the credit union had converted from a paper-based system to an electronic vendor management portal from Indiana-based Passageways to manage contracts and compliance documents for some 300 outside vendors. That made the process go more smoothly, but Kristen E. Edmundson, vice president of audit and compliance at Purdue Federal, says more work needs to be done across the industry to enhance compliance with Federal Financial Institutions Examination Council (FFIEC) requirements.
Kristen E. Edmundson, VP of Audit & Compliance, Purdue FCU
Edmundson, a lawyer who previously worked in commercial real estate and in the Indiana Attorney General’s office, took the top compliance post at Purdue Federal in the midst of the system transformation. In this Q&A, she shares her perspectives on pain points, best practices, and the future of compliance.
How was Purdue Federal’s first audit of its vendor management program?
Kristen Edmundson: Last August was the first time a regulator really looked at our vendor management. Right as they should, they focused on the IT area. They had no issue with the vendor management program itself, but there were certain departments where they were not happy with the level of compliance with the vendor management system.
There are a lot of vendor management systems out there, but each one is only as good as what your managers are willing to input into the system. If they don’t take the time to answer the questions and provide the supporting documentation, it doesn’t matter what framework you have to store it.
What role does vendor management play in helping to secure customer data?
KE: Ideally, if you’re doing vendor management right and you’re getting your due diligence, it will help you eliminate fly-by-night companies and find ones that have invested in outside validation and have a business continuity plan.
If you’ve done your risk classification and it’s a vendor you highly rely on, then the due diligence should be asking for the types of documents that show the company is capable, has thought through the problems that might arise, and is prepared to respond to a natural disaster.
Also, you can open your inbox and read about a breach at another company. If you have a good vendor management system, you can at least determine whether it’s a vendor that you have been using, and you should be able to look pretty quickly to see the contract and risk classification. How much did we use them? Did we buy a one-off resource from them? Are they storing our data?
CU QUICK FACTS
Purdue Federal Credit Union
Data as of 06.30.15
HQ: West Lafayette, IN
12-month share growth: 12.60%
12-month loan growth: 7.75%
How do you convince people throughout the organization to take vendor management seriously?
KE: We were reacting to regulatory requirements when we initially went to the electronic version. But the way I’ve sold this to the different departments is that this is their core business. If we weren’t a credit union and we were just another $900 million-asset business, we would be watching our vendors, we’d be doing all of these risk assessments, we’d be asking for all of these documents for due diligence, we would be tracking the contracts, we would be able to have a glance at our annual outlay for this particular vendor. These are all critical business concepts regardless of what a regulator is dictating. We should be doing this as a business, period.
How are these federal requirements impacting vendor selection?
KE: It does cause us to pare down vendors. Because of the administrative burden and due diligence requirements, our vendor relationship managers might think twice before they add another vendor and instead try to deepen relationships with existing vendors.
In our IT department, we are actively looking at relationship-level pricing and trying not to split it up among vendors. There’s definitely a conscious effort to consolidate, especially when it comes to vendors who have member data.
It helps to be more transparent because the vendor relationship managers can see the number of high-risk classification vendors. Sometimes with a new vendor relationship they’ll look for ways to avoid sending member data. Then, the vendor’s going to have a lower risk classification and need fewer required due diligence documents. Particularly in marketing, you can frequently push back when member data might be requested.
How beneficial is your legal background in managing audit and compliance?
KE: I accepted this vice president of audit and compliance position two years ago. Purdue was looking for someone with either a CPA audit background or a legal background because it recognized that federal regulations have increased astronomically in the past few years and someone with that background could have a better handle on how to advise the credit union. It has definitely come in handy on a daily basis. I think we’ll see more people with legal backgrounds getting into compliance and regulatory affairs. There already are a number, mainly in general counsel-type positions, but I think we’ll see more within the compliance and audit world as it becomes more complex.
What are the pros and cons of centralized versus decentralized vendor management?
KE: We have a distributed model where every department does vendor management for vendors they are contracting for and placing in their budget. There’s a lot of debate out there, and I know some people strongly think it has to be consolidated. Longer term, we will probably go to that model as we grow, but we’re still small enough that that communication is not an obstacle. But as you get bigger, it makes sense to consolidate some of those administrative functions and put them with someone in a vendor management position. Right now, all of our vice presidents have vendors they personally manage.
What should credit unions be preparing for?
KE: The big thing NCUA is pushing for is what it calls “third-party regulatory authority.” It wants to be able to look into mainly our IT vendors. The banking world already has this and regulators are doing some of this direct examination of vendors or are requiring reports on business continuity, control, and testing. NCUA wants parity with what the banking industry is doing, peeking into what some of those IT vendors are doing. If I were a vendor, I would be closely watching this for any increased costs because ultimately it will be passed on to credit unions. That’s another pending piece NCUA has been mulling for the past few months that will have an effect on how we will get our due diligence.