Like any corporation, credit unions rely on a number of other businesses for materials, support, maintenance and more. Outsourcing these activities allows credit unions to keep their costs efficient and their resources focused on their core banking functions. Because more and more credit unions are outsourcing activities, the National Credit Union Association (NCUA) has outlined requirements for managing third-party relationships.
Under the requirements detailed in NCUA Letter 07-CU-13, credit unions have to actively balance seeking efficiencies for improved operations and customer experience against controlling and preventing risks. The regulations don’t stop outsourcing per se; credit unions can still maintain their contract support just as before. However, the governance of these activities and controls cannot be delegated to a third party. Instead, under the NCUA Letter’s definitions, credit union management always has to be in charge, overseeing all activities. The credit union also has to be directly in control of its security at all phases of financial transactions and operations.
To assist credit unions, the NCUA defined their responsibilities in three general categories of accountability: due diligence, risk evaluation and planning, and monitoring/control:
- Risk Assessment and Planning – Before a vendor is engaged under contract, the credit union should have performed a cost/benefit analysis of outsourcing the given activity in general. A function should only be contracted out when the evaluation clearly favors doing so. Some risks to consider are: credit, interest rate, liquidity, transaction, compliance, strategic, and reputation.
- Due Diligence – Credit unions cannot be passive in their vendor management. After a cost/benefit analysis supports outsourcing, the given vendor needs to be proactively vetted as well. This includes background checks and consideration of the vendor’s business model, its past practices, and the potential changes that working with the vendor will bring about in the credit union. The prospective vendor contract should also be analyzed for how it will impact the credit union in terms of finance, operations, legalities, and accounting processes.
- Risk Measurement, Monitoring and Control of Third-Party Relationships – Clear policies should be in place for the credit union’s employees and a vendor’s employees as they interact and work together. The policies need to be written to anticipate as many common ambiguities as possible to reduce risks to the contractual relationship. These credit union operational policies for each vendor should also be qualified in terms of the risk the vendor represents, from high to low. It’s also important for the policies to spell out how the vendor’s activities will be monitored. In this regard, credit unions can’t rely on a default approach; what works for one vendor may not be necessary for another. Each monitoring plan should be custom-designed to provide regular review without hindering the vendor from performing efficiently.
Most weaknesses and financial breaches come from internal sources, not outright external attacks. Thus, vendors who are given authorized access to aspects of a credit union represent a critical asset that has to be monitored regularly. Remember the Target breach? That was traced to a third-party vendor that was providing maintenance to stores’ HVAC systems. Cyber risk and member data protection only heighten the need for controlling who has access to credit union functions, specifically in data transmission and storage. Through the three stages of risk assessment and planning, due diligence, and risk measurement, monitoring and control of third-party relationships, vendor management can become a strength in making the credit union as beneficial to its members as possible.