Third-party risk is a hot button issue for regulators. When a financial institution (FI) outsources an activity to an outside vendor, it can enhance the member experience, but it can also introduce new and/or increased risk to the FI. Vendor management is all about identifying, assessing, measuring, monitoring and controlling those risks.
Different regulators may use different terms and take different approaches to vendor management, but they all ultimately have the same goal, to ensure FIs clearly understand the risks they are undertaking and balance and control those risks considering the FIs safety and its constituents’ best interests. Today we are looking at the NCUA’s approach to vendor management, to better understand what the agency really wants from FIs.
The NCUA outlines its expectations in Supervisory Letter No.: 07-01, Evaluating Third Party Relationships. Its guidance is based on three key concepts:
Risk Assessment and Planning
Risk assessment should begin by looking within. A credit union should know how much strategic risk its willing to embrace based on its strategic plans, business plans, and philosophies. There should be a discussion about long and short-term goals, and an action plan to address these goals. Similarly, officials should weigh the risks and benefits of outsourcing business functions with the risks and benefits of maintaining those functions in-house. The officials must clearly understand the credit union’s strengths and weaknesses in relation to the third-party relationship. Only then can the credit union conduct an initial assessment of a vendor and follow up with monitoring and regular reviews. The NCUA wants to see “measurable, achievable goals and clearly defined levels of authority and responsibility.” Credit unions should develop detailed financial projections, outlining the range of expected and possible financial outcomes. Credit unions should also project a return on their investment in the proposed third party arrangement, considering expected revenues, direct costs, and indirect costs. including the cost of monitoring vendors.
The discussion of risk should be detailed. The seven types of risk (credit, interest rate, liquidity, transaction, compliance, strategic, and reputation) should be analyzed with respect to:
- Expectations for outsourced functions
- Staff expertise
- Risk-reward or cost-benefit of the relationship
- Impact on membership
- Exit strategy
Less complex vendors may be subject to simpler risk assessments that are “part of a broader risk management program or documented in board minutes.”
Due diligence should be tailored to the complexity of the third-party relationship. Not every vendor requires the same level of due diligence. More complex relationships mandate a wider breadth of due diligence and requires deeper digging. Examiners, when evaluating a credit union’s vendor management program will consider a credit union’s “risk profiles, internal controls and overall complexity” when reviewing an institution’s approach.
Necessary elements may include:
- Background check
- Business model
- Cash flows
- Financial operational control review
- Accounting considerations.
- Contract issues and legal review.
The section on contracts is particularly detailed. Credit unions should exercise their rights to negotiate contracts to achieve terms that are mutually beneficial to both parties, such as favorable early termination, escape clauses and default terms. Contracts should emphasize a credit union’s safety or soundness and should be reviewed by legal professionals, who are versed in the specific nature of the contact. Special emphasis is placed on reviewing a vendor’s practices to ensure they comply with all laws and regulations, including consumer regulations, as ultimately, the risk will rest with the credit union.
At a minimum, contracts should address:
- Scope of arrangement, services offered, and activities authorized.
Responsibilities of all parties (including subcontractor oversight).
- Service level agreements addressing performance standards and measures.
- Performance reports and frequency of reporting.
- Penalties for lack of performance.
- Ownership, control, maintenance and access to financial and operating records.
- Ownership of servicing rights.
- Audit rights and requirements (including responsibility for payment).
- Data security and member confidentiality (including testing and audit).
- Business resumption or contingency planning.
- Member complaints and member service.
- Compliance with regulatory requirements (e.g. GLBA, Privacy, BSA, etc.).
- Dispute resolution.
- Default, termination, and escape clauses.
- Risk Measurement, Monitoring and Control.
Risk Measurement, Monitoring and Control of Third Party Relationships
From the beginning of the vendor relationship, a credit union should have clearly outlined expectations and regularly measure performance to ensure those expectations are met. Third party arrangements and risk profiles will vary; thus, credit unions risk mitigation efforts will vary, as well. To assess whether a credit union effectively mitigates risk, examiners will assess the following items in light of the risks identified, the vendor management program and the complexity of the credit union:
Policies and procedures. Policies should outline expectations and limit risk. Policies, supplemented with procedures should outline staff responsibilities and reporting schedules. Additionally, policies should set forth the content and frequency of vendor management reporting to credit union management and officials.
Risk measurement and monitoring. Credit unions need to be able to measure a vendor’s risks and performance, including “profitability, benefit, and service delivery.” Controls to measure these should be included in the contract. Independent auditors should periodically verify the accuracy of the results.
Recognizing that vendor management is a significant task, the guidance also says that examiners want to see that a credit union has the “staff, equipment and technology” to reliably monitor a vendor.
Control systems and reporting. Like all elements of vendor risk management, ongoing controls should depend on the complexity of the vendor and the vendor relationship and be designed to mitigate risk. They should be part of the credit union’s ongoing risk management and should be adjusted as needed. The staff responsible for overseeing these controls and reports should be knowledgeable and provide management and others periodic reports with enough detail for them to evaluate a vendor’s performance.
Now that we know what the NCUA is looking for, it’s important to understand what they tell us about the NCUA’s overall approach to vendor management.
Ultimately, the NCUA sees vendor risk management as an ongoing process, one that begins with documented risk assessment and planning that details goals, objectives and costs. It continues with due diligence, carefully negotiated contracts, and monitoring throughout the length of the relationship. It emphasizes a system built around comprehensive reviews, documentation and reporting, and oversight and management.
For the NCUA, compliance is about more than vendor lists and vendor reports. It’s about understanding and documenting the choices and decisions an FI makes in selecting a vendor and in actively choosing to continue that relationship. It wants to understand the credit union’s approach to vendor management and how it fits in with its ERM program. Concurrently, it seeks to confirm that the vendor management program reflects the nature complexity of the credit union and the vendors with whom it has relationships. The NCUA wants FIs to have the necessary resources to conduct proper due diligence, analyze reports and carefully negotiate contracts to understand their short and long term financial implications. It wants to be sure that the credit union is aware of all changes in the relationship and how those changes impact risk.
For this to happen effectively and efficiently, credit unions need a comprehensive, top-down approach to vendor management. There are too many moving pieces, including procedures and documentation, touching too many areas and departments to let vendor management casually languish. Credit unions need a robust process that takes a comprehensive view of ERM and vendor management, allowing it to leverage the vendor management functions performed throughout the institution to streamline and improve processes while effectively identifying and mitigating risk.