Fitting the Core to the Pieces

In this Q&A, Cornerstone Advisors Managing Director of Technology Solutions Brad Smith describes the lay of the credit union technology arena, the challenges credit unions face in integrating and managing many technologies and vendors, and some strategies they can use to get the best return on their technology investment.

Q: There’s a lot of hype about technology in the credit union space. What’s really going on?

Smith: As CUs spend more of their technology dollars on member-facing systems like internet banking, mobile services, online account opening, and loan origination and payments systems, core vendors are buying up digital and payments providers as a way to keep that revenue. In fact, many core vendors now make upwards of 30 percent of their revenue from payments, where margins are significantly higher.

Fiserv and Symitar, the two largest core processing vendors, use their core accounting systems as the glue that bonds them to customers for digital, payments and a large number of add-on services.

The dominance of Fiserv and Symitar is being shaken by Corelation, a small, relatively new core vendor that is making an impact as a market disruptor. Started by several former Symitar employees, Corelation has benefited from a slick-looking demo and a market frustrated by the Big Two.

Whether or not credit unions buy into the risk of early stage market disruptors, Corelation and others like it can have a positive impact on the marketplace by raising customer expectations and forcing other companies to up their game. It will be interesting to see what happens with core systems going forward. 

Q: What does this shift away from core mean for credit unions?

Smith: As credit unions buy all this new technology outside of their core systems, they are focused on how to get all those vendors to play nice with each other. How do you get your Fiserv, Symitar or other core vendor to work well with your internet banking provider or loan origination system? Integration is a big pain point for many credit unions.

Twenty years ago, the information technology department controlled an organization’s technology, often serving as both system administrator and subject matter expert. Now, the subject matter expertise and vendor relationships have become much more distributed. These days, the head of loan operations is probably the SME for the lending systems, while a key person in retail or payments owns the digital vendors for those areas. Understandably, this evolution of the IT support, governance and security control models creates challenges for the credit union.

Q: Does the integration of all these new systems add to the IT workload, or does operations get involved as well?

Smith: Sometimes, in larger credit unions especially, the IT department doesn’t know what’s going on in every line of business—even though it’s up to IT to make sure everything runs securely and on time. IT typically owns the processing, backups, cybersecurity and overall information security, even if it doesn’t control all the vendor relationships.

We’re clearly in the middle of an evolution of how to run the IT department and technology functions. Today, the business line managers want to control the choice of vendors. They want to talk directly to the vendor support people when they have issues. But they really don’t want to be responsible for running the systems and dealing with the headaches of integration, daily processing, security and disaster recovery.

There are some parallels with human resources. HR owns the payroll process and benefit vendors and oversees the employee review process, but when it’s time to hire a new employee, a business line manager does the interview and makes the hiring decision. Once employees are on staff, business line managers oversee their work, and human resources provides administrative support. IT is getting closer to that model. It offers resources and administrative support but doesn’t control every part of the process.

Q: Is this changing the focus of examiners when they look at technology in credit unions?

Smith: At most credit unions, IT is expected to “own” security even if it is not the owner of all vendor relationships. Examiners are looking for consistent processes, and they will have issues if there are gaps and confusion about who owns what.

Q: So how can a credit union best manage the “vendor relationship” and “vendor management compliance”?

Smith: “Vendor management” is a top priority for examiners. The pain point for credit unions is balancing who owns the day-to-day vendor relationship with who owns vendor management compliance and reports about it to examiners and the board.

A majority of credit unions still have the compliance part of vendor management under IT, but others assign it to compliance. Some larger credit unions have put their chief risk officer in charge of vendor management.

If IT is nominally in charge of vendor management compliance, the business owner of each system still owns the relationship day in and day out. That raises the challenge of who should do the due diligence, including conducting the annual vendor risk reviews and asking for financials and audit reports. The line of business typically doesn’t want to do that, and IT doesn’t always have enough information to do it well.

One of the reasons examiners push so hard to make sure credit unions’ vendor management programs and annual vendor reviews are reported to the board level is because it enables them to confirm whether any of these controls are getting lost between IT and the lines of business.

It’s hard to say that vendor management should always be in one area or the other. The reality is that a committee or team approach can add perspective and save the CU time and resources.

Here’s an example of how an enterprise view of risks can be helpful and may even be worth paying an outsider to get: Asked about system priorities, the accounting department would probably say accounts payable is a mission critical system. But from a holistic, enterprise-wide viewpoint, accounts payable is probably pretty low on the list of vendor management priorities. A CU could go a day or two without accounts payable, and because that system doesn’t store members’ Social Security numbers, the exposure is considerably less than that of an outsourced core provider.

Q: When it comes to vendors, are the stories of bad performance and client satisfaction exaggerated?

Smith: There are a number of reasons so many vendors have a bad reputation when it comes to performance and satisfaction. But the truth is, vendor dissatisfaction is not always the fault of the vendor. A credit union-vendor relationship should be a partnership, with each side upholding its end of the deal, and there are many things credit unions can do that can strengthen or impede the relationship.

The issue: The credit union bought the “wrong system.” The bottom line: This sentiment is often a result of an ineffective review process. A credit union that did not spend the time and effort to painstakingly evaluate several competitive solutions to ensure it chose the solution that best meets its needs has only itself to blame. On the other hand, maybe the vendor is not doing everything it can to ensure the CU is fully utilizing all of the system’s features.

The issue: The vendor’s solution is not performing up to the CU’s expectations. The bottom line: A credit union that is only using 50 percent of its vendor’s solution needs to take advantage of training and participate in vendor product update webinars so it can use all the functionality of all the technology at its fingertips. A 90-day or annual review of the vendor’s performance as well as the credit union’s utilization of the system will help ensure the solution is consistently meeting the CU’s expectations.

The issue: The credit union is paying too much for its system. The bottom line: Every credit union I’ve ever negotiated a vendor contract for —and I’ve been doing this for 25 years—is paying its vendors too much and getting too little in return. Pricing is not transparent, and unfortunately there’s no free Consumer Reports to tell CUs how much they should be paying.

Q: How can CUs ensure they are getting the most for their tech investment?

Smith: The very first step is for CUs to redefine their “vendor management” programs as “vendor performance management” programs. This new way of thinking reinforces that they should be working across the enterprise to improve their vendor benefits, lower their vendor costs and manage their vendor risks.

As member expectations evolve and technology investments increase outside of the IT department, it’s critically important that credit unions develop and manage rolling three-year technology plans; establish sound governance processes around vendor evaluation, contracting and implementation practices; and expand their vendor management programs to include vendor benefit and vendor cost management on top of existing vendor risk management efforts.

Karen Bankston is a long-time contributor to Credit Union Management. She is the proprietor of Precision Prose, Portland, Ore.