How does the criticality of a third-party relationship affect the level of oversight required for the vendor?
- The more critical a vendor is deemed to be; the more risk the relationship poses to the credit union.
- The more critical the vendor, the more planning, due diligence and monitoring is required.
What due diligence practices are recommended by NCUA regarding a potential vendor?
- Conducting a background check to review things such as performance with other financial institutions, compliance with required licenses and certifications, and the existence of lawsuits and other legal proceedings involving the third-party
- Understanding the third-party’s business model, as well as its sources of income and expenses
- Understanding how cash flows move between all parties
- Reviewing the third-party’s financial and operational condition
- Having legal counsel review the contract that covers the proposed relationship
- Considering how the relationship may affect the credit union’s accounting
Do vendor relationships alleviate a credit union from liability when there is a member complaint or compliance violation? Is this still true if the credit union includes certain contractual provisions?
Even where a contract provides that the vendor is responsible for compliance with regulatory requirements, this does not alleviate the credit union from liability if the vendor fails to comply with applicable regulatory requirements.
- The credit union is responsible for ensuring that the vendor is indeed complying with applicable regulations.
Should vendor contracts be reviewed by anyone in particular before a credit union enters into a contractual agreement with a third party?
Legal counsel with the appropriate experience and expertise should review contracts with vendors.
What due diligence areas does the FFIEC indicate are important to cover for technology service providers?
- Service delivery capability, status and effectiveness
- Technology and systems architecture
- Internal controls environment, security history and audit coverage
- Insurance coverage
- Ability to meet disaster recovery and business continuity requirements
When does the vendor management process end?
Vendor management is an ongoing process; it does not end after vendor selection and signing the contract.
