In case you haven’t noticed, vendor management is an ever-increasingly complex task for credit unions and credit union service organizations. Creating and supporting a viable vendor management program is both more important and more difficult today than it has ever been. Increasing regulator focus and audit requirements, a constantly changing risk environment, foreign service providers, cloud service providers, fourth-party vendors (subservice organizations providing and/or delivering some or all of the solutions your vendors provide to you), and the due diligence documentation collection and review process all serve to increase the resource time and expense associated with vendor management. It can be overwhelming.
So, where do you begin? As with most challenges, you begin with information gathering.
Vendor management information resources
Both the NCUA and the FFIEC offer an abundance of guidance on vendor management:
- The NCUA’s Evaluating Third Party Relationships provides a high-level overview and includes links to a large number of supporting documentation.
- The FFIEC’s Appendix J: Strengthening the Resilience of Outsourced Technology Services is another excellent resource that also includes links to a wide variety of supporting documentation.
In addition, connecting with your NCUA Examiner or Regional Director or your state credit union regulatory agency for their advice is advantageous when gathering feedback as you develop and mature your program. Some of the best refinements to our own vendor management program came from dialogs with the examination team during and after audits.
Create/refine your vendor management policy/program
Your vendor management policy should lay out the requirements for your vendor management program. The vendor management program document should detail how you put those requirements into action. For example:
- Purpose
- Roles and responsibilities
- Classifications of vendor risk (low/moderate/high)
- Additional vendor classifications (critical vendor/SOC controls vendor)
- Requirements for new vendors
- Vendor selection
- Vendor contracts
- Foreign-based service providers
- Cloud service providers
- Risk management for cloud service providers
- Ongoing vendor monitoring
- Exemptions
- Reporting
Collect your vendor information
Now that you have the policy and program sorted, it is time to start gathering and organizing information about your vendors. There are a variety of tools that you can use to track this, ranging from a basic Excel workbook as the data source with a Word mail merge to create reports, to complex vendor platforms with many bells and whistles (understanding that using a vendor to manage your vendors does sound ironic). Deciding which tool or tools to use depends on the number and complexity of the vendors you need to manage. Basic tools you already have offer the lowest cost, while vendor platforms offer more elaborate functionality, automation, tracking, and reporting options, albeit at higher costs.
The information you gather should include the vendor’s name, the services they provide, and check boxes for foreign service provider, cloud solutions provider (with additional fields if they are), and (for us) an existing vendor or credit union third-party service provider we provide connectivity and/or data to (or from). We gather contacts for technical, business, and escalation purposes, both internally and at the vendor level. We then have a risk scoring matrix that helps decide the vendor criticality rating, SOC controls rating, overall risk score and risk level. Additional fields are used for the due diligence collection process. These ask about areas such as where we obtained the documentation, when we received it, when it was sent to the appropriate individual for review, when the review was completed and what the results of that review were. This section also provides contract-related information, and additional data (URL, address, phone, etc.) for the vendor.
The information gathered may be from a variety of sources. Hopefully, your vendor management program includes a process for ensuring you are notified of new vendors under consideration so you can complete all the entries and collect (and review) any needed due diligence documentation before someone has signed on the dotted line. In addition to that, records and information related to existing vendors may come from your management team, IT team, or accounting team. Vendors that use subservice organizations (fourth-party vendors) to deliver services to you will also be a key source in identifying and providing contact information for them.
Vendor management DOs and DON'Ts
Vendor management challenges
Increasing regulatory focus on vendor management means it is a constantly moving compliance target for credit unions and CUSOs. We are seeing this manifest itself in multiple ways that you might not think of when developing a vendor management program.
Vendor questions on the call report
In the current filing window for call reports, you may have questions about two new report elements relating to cloud service providers:
- Cloud Services (check all that apply):
- Infrastructure as a Service (IaaS)
- Platform as a Service (PaaS)
- Software as a Service (SaaS)
- Email Services (check one only):
- On-premises
- Cloud
- Hybrid
The cloud services report element pertains to services that you and your vendors deliver to your members. Understanding what these mean and how these services are supplied will be critical to answering these correctly:
Infrastructure as a Service (IaaS) – Your credit union (or your vendors) deploy and operate system software and applications on the cloud service provider’s infrastructure. (Example: a hosted digital banking solution.)
Platform as a Service (PaaS) – Your credit union (or your vendors) deploy internally developed or acquired applications using programming tools and services provided by and residing on the cloud service provider’s platforms and infrastructure. (Example: A custom developed solution hosted on a cloud service provider platform.)
Software as a Service (SaaS) – Like traditional outsourcing, where the supplied applications operate on the cloud service provider’s infrastructure. (Examples: Salesforce or Microsoft 365.)
The Email Services report element relates to the location, resilience, and security of your email platform, which could be installed on a physical or virtual server at your credit union (on-premises), hosted on a vendor supplied platform like Microsoft 365 (cloud), or a combination of the two (hybrid).
New NCUA cyber incident reporting requirements
The new NCUA cyber incident reporting requirements that took effect in September 2023 include three definitions of a reportable cyber incident. The first two are related to impacts at your credit union, but the third one is specific to vendor management:
“A disruption of business operations or unauthorized access to sensitive data facilitated through, or caused by, a compromise of a credit union service organization, cloud service provider, or other third-party data hosting provider or by a supply chain compromise.”
Fourth-party service providers
With the explosion of third-party financial service providers, many new providers rely heavily on subservice organizations, (fourth-party service providers) to deliver those services. Because your agreement is directly with your vendor, oftentimes collecting due diligence documentation from these fourth-parties is cumbersome, difficult, or even impossible. This can present challenges to your credit union and/or your CUSO, because of the increasing regulatory focus on subservice organizations. Solving this will take significant effort across the credit union industry and may even require regulatory changes to require compliance by fourth-party service providers or require third-party service providers to supply attestations as evidence that they have collected, reviewed, and approved due diligence documentation from their subservice organizations.
Conclusion
All this reinforces the need to have a robust vendor management program that includes the support and participation of the entire organization to be effective. These are the key ingredients to managing vendor management.