Is your third-party vendor or fintech partner putting your credit union at risk?

The only thing more frustrating than getting in trouble is getting in trouble for something someone else did.

It’s a situation that is all too common for credit unions partnered with third parties, including vendors, consultants and fintechs. A debt collection vendor doesn’t go by the book and violates the Fair Debt Collection Practices Act (FDCPA). A mobile app provider experiences an outage, and members are upset when they can’t access their account information. Lax cybersecurity at a vendor leads to a breach of valuable and sensitive member data.

Mistakes made by third parties are more than just an inconvenience. They can result in reputational damage, enforcement actions, lawsuits, fines, and additional costs.

For example, a Washington-state credit union is defending itself against a proposed class action lawsuit after disclosing it was the victim of a third-party data breach. The credit union’s printing vendor was hit with ransomware, causing some of the credit union’s members’ sensitive data to be leaked.

Third-party relationships create risk, but they also create opportunities. Cornerstone Advisors recently reported that two out of every three banks and credit unions have entered at least one fintech partnership in the last three years.

Beyond fintechs, financial institutions are tapping into many other third-party vendors, partners, and consultants for efficiency gains and to access outside talent. How many? That depends, but many institutions have upwards of 400 to as many as 1,000 vendors.

Minimizing Third-Party Risk

With so many vendors, credit unions need a strong vendor management program to ensure efficient oversight.

It begins with strategy. Before looking at vendors, a credit union needs to evaluate its strategic reasons for outsourcing an activity in the first place and whether it will help the credit union achieve its goals. It should weigh the risks and benefits of working with a third-party vendor or fintech versus keeping the function in house, including the costs for both. These reasons should be clear and documented.

Knowledge of third-party criticality sets the stage for the next step, due diligence. Due diligence is a regulatory requirement of the third-party vendor management process. Credit unions are required to collect and review due diligence documentation before signing a contract and throughout the duration of the third-party vendor relationship.

Due diligence should be tailored to the complexity of the third-party relationship. Not every vendor requires the same level of due diligence. More complex relationships call for a wider breadth of due diligence and require deeper digging. Examiners evaluating a credit union’s vendor management program will consider the credit union’s “risk profiles, internal controls and overall complexity” when reviewing its approach.

This evaluation should also reveal whether this will be a critical (or significant or Tier 1) vendor that requires enhanced oversight. (A critical vendor is one whose failure or misconduct would pose a material risk to the credit union, for example because it runs a core member-facing service or handles sensitive member data.)

The data collected during the due diligence phase is then used to assess the third party with an eye toward inherent risk (the risk the relationship poses before any controls are considered) and residual risk (the risk that remains after all the controls that limit it are taken into account). This includes everything from the third party’s compliance management system (CMS) and cybersecurity to its business continuity plans and complaint management processes. This lets the credit union know if more controls are needed—or if the potential partner is just too great of a risk.

If the credit union decides to move forward with a third party, the next step is to negotiate the contract. This goes beyond pricing and terms and should address controls and access to reports that keep the credit union informed of the third party’s control effectiveness. Contracts should include additional controls the credit union needs to feel confident in the relationship. Any contract with a critical vendor should be approved by the board.

Once the vendor is onboarded, vendor management moves to the monitoring phase. Just as with the due diligence phase, the credit union should collect documents and data about the third party and evaluate it periodically to ensure the third party is meeting expectations and contractual obligations. This information should also be communicated to the board, with special attention given to any problems with critical vendors, partners, or fintechs.

It’s also a good idea to have real-time cyber monitoring of any vendor that has access to sensitive credit union or member data, rather than relying only on periodic document reviews. The sooner a credit union is aware of a cybersecurity issue at a vendor, the quicker it can act to prevent or mitigate the problem.

The Vendor Risk Management Lifecycle

The third-party partner management lifecycle (commonly known as vendor management) is an ongoing process. Meeting regulatory requirements and managing vendor risk go beyond making vendor lists and collecting vendor reports.

It’s about understanding and documenting the choices and decisions a credit union makes in selecting a vendor and in actively choosing to continue that relationship. It’s understanding how the credit union’s approach to vendor management fits with its ERM program. It reflects the complexity of the credit union and the third parties it works with. And it’s ensuring there are sufficient resources for due diligence, risk assessments, contract negotiation, and ongoing monitoring to understand how changes impact vendor risk.

For this to happen effectively and efficiently, credit unions need a comprehensive, top-down approach to vendor management. There are too many moving pieces, including procedures and documentation, touching too many areas and departments to let vendor management casually languish.

Don’t get caught off guard by a third-party vendor, consultant or fintech mistake that could end up hurting your institution. Make sure you have a strong vendor management program so your credit union remains aware of the risks and can take steps to manage them.

Michael Berman

Michael Berman is Founder & CEO of Ncontracts.