No More Handshake Agreements With Vendors

Directors play a key in role in ensuring the viability of third-party relationships.

June 30, 2015

As credit unions become more sophisticated, their third-party vendor management programs must follow suit. The days of handshake agreements are over.

Credit union boards play an essential role in this evolution.

Directors NL subscribeNCUA and the Consumer Financial Protection Bureau expect credit unions to have an effective process for managing third-party relationship risks.

This involves some duties that apply to the credit union as a whole, and others specific to directors.

The CU’s responsibilities

Consider three key vendor management responsibilities for credit unions:

1. Determine which services to outsource. Every credit union’s capabilities for handling certain operations in-house differ.

Regardless of which operations and products other credit unions delegate to third parties, examine and discuss how outsourcing would create value for your members and strengthen your credit union’s position.

2. Conduct due diligence in proportion to risk. Gather and analyze detailed information about potential vendors—including financials, policies and procedures, and insurance policies—so the credit union can demonstrate an understanding of the potential vendor’s business.

Although a one-size-fits-all method to due diligence is easier, devote a higher level of due diligence to more critical or complex relationships and third-party agreements.

And for critical vendors, consider the degree to which the product or service exposes the credit union to NCUA’s seven risk categories: credit, interest rate, liquidity, transaction, compliance, strategic, and reputation.

3. Establish clear obligations and expectations for relationships. Carefully review, negotiate, and understand the contract and any legal issues relevant to the third-party vendor. Legal counsel should review all contracts to ensure they sufficiently cover the parties’ obligations.

Finally, require all vendors to carry sufficient insurance coverage to protect your credit union.

The board’s role

Generally, the board’s obligation is advisory and oversight. You approve your credit union’s strategy, protect its assets and reputation, and identify and monitor risk areas.

Consider five tips for fulfilling this role regarding third-party vendor relationships:

1. Review and approve vendor management policy and procedures. Written vendor management policies and procedures should outline expectations, objectives, and goals, and also detail a method of assessing the risks originating from third-party arrangements. 

2. Support the capability to monitor vendor relationships. Provide your leadership team the tools and education necessary to continuously monitor your third-party vendors. Scrutinize vendors’ performance to ensure they meet your needs efficiently and effectively.

3. Use the budget as an annual checkpoint. To ensure the credit union effectively allocates resources, the board should review and approve all major budget decisions regarding third-party vendors.

Use your annual approval of these expenditures to confirm these relationships satisfy your credit union’s expectations, objectives, and goals.

4. Ensure the credit union meets regulatory and legal obligations. Encourage your leadership team to seek vendors that understand your regulatory requirements and can help you interpret and achieve them. Confirm you have on file properly executed and updated contracts.

Each contract should identify which party is required to ensure compliance with all applicable regulatory rules and regulations. Regularly evaluate whether vendors meet these obligations.

5. Watch for new and better options. Effective vendor management is a continuous process. Due diligence doesn’t end once you choose a vendor, sign a contract, and initiate the working relationship.

Recommend your management team periodically reassess outsourcing arrangements—even if the vendors meet or exceed expectations—to gauge whether different vendors could better meet the needs of your credit union and its members.

No substitute for due diligence

Vendor recommendations from other credit unions remain an important part of the due diligence process. But your credit union must follow up on even the most positive recommendations with your own documented process of gathering information, assessing potential risks and rewards, and securing a comprehensive contract.

JACK D. WILLIAMS is a senior risk management consultant for CUNA Mutual Group. Contact him at jack.williams@cunamutual.com.

This article initially appeared in Credit Union Directors Newsletter, which provides strategic insights for policy makers