On Compliance: Smart Vendor Management Goes Beyond the Basics

Nothing strikes fear in the heart of an executive like unforeseen risk: those circumstances beyond the credit union’s control that can wreak havoc on its reputation and bottom line. And nothing can wreak havoc like a vendor gone wild, whose products or business practices pose such threats. But even in the wake of high-profile security breaches and significant enforcement actions involving third parties, most credit union vendor management programs still consist of standard up-front due diligence and a handful of reference checks. In 2019 and forward, going beyond the basics of third-party oversight is a smart management move.

Perpetual Change 

Credit unions are inundated with compliance demands. According to the research Continuity gathers to compile its Banking Compliance Index, regulations affecting credit unions changed 265 times in 2018, and enforcement actions were issued at a rate of roughly 100 per quarter. Regulators are exerting consistent pressure on institutions of all sizes to demonstrate that they have an effective compliance management system.

In such a complex environment, credit unions depend on a long list of vendors. Based on internal data, the average $200 million credit union relies on 40-plus outsiders to conduct its business. With reliance on outside vendors to offer more products and service through robust technologies comes a responsibility to manage the risks they pose. It’s no wonder that third-party risk is escalating!

Scrutiny is on the Rise 

Recently, regulators have taken more vendor management-related enforcement actions against financial institutions. The Banking Compliance Index also shows a five-fold increase in third-party service provider-related enforcement actions since 2015. Credit unions should expect this intense scrutiny of their vendor oversight practices to continue. 

The high-intensity environment is exacerbated by the fact that a risk-based approach is identified in regulator handbooks, but no specific rules are prescribed. Guidelines provide a framework for why and what to consider, but leave the who, when and how to the institution’s discretion. 

A risk-focused approach requires not just up-front evaluation of a particular vendor’s suitability, but also strong oversight of each relationship over time. Ongoing management requires periodic assessments of a vendor’s changing risk profile and an evaluation of its continued ability to perform in accordance with the contract and meet the business needs of the credit union.

When to Modernize

To properly manage this heightened attention, credit unions need a more formal and standardized approach to vendor and compliance management. Traditional tools may no longer suffice. The standards can’t and don’t take into account whether a credit union or its personnel are overworked or overwhelmed--contracts must still be reviewed and signed, initial and ongoing due diligence and performance monitoring performed, and ongoing oversight of key relationships and dependencies undertaken. Thus, for the credit union, efficiency becomes a necessity. Changes must be addressed with modern, automated solutions. 

Consider these warning signals that a credit union is in urgent need of modernizing and simplifying its third-party oversight and compliance management systems: 

1. Exam/audit findings concerning vendor management; 
2. Inadequate resources, such as inexperienced personnel or insufficient time, devoted to vendor oversight ; 
3. Discovering after-the-fact that a vendor has fallen short (publicly or privately) and increased the credit union’s risk exposure; 
4. Over-spending on consultants or software—a good rule of thumb is that only the largest of credit unions should be spending five figures on the work or tools to get it done; 
5. Falling behind on risk assessments and contract review schedules; 
6. Treating all payment recipients as “vendors” for third-party service provider oversight purposes; and/or
7. Inconsistent, inadequate or irrelevant review of vendors’ financial conditions and operating histories.

A modern compliance management system automates vendor management efforts such as: 

1. Identifying significant/critical vendors; 
2. Gathering sufficient data to conduct initial vendor due diligence; 
3. Scheduling and tracking ongoing contract and performance reviews;  
4. Updating risk assessments; and 
5. Preparing vendor oversight reports for the board. 

A strong compliance management system also helps reduce the risk of missing, misinterpreted, mishandled or misplaced vendor information by keeping everything current and in one place. 

It may be time to consider whether more resources applied toward vendor management can drive improvements in your organization. Using a vendor management vendor to manage your vendor management might be a tongue-twister, but chances are that for many credit unions, it’s the smartest move to make.

Pam Perdue is EVP/chief regulatory officer at Continuity, headquartered in New Haven, Connecticut.