Software can be a key tool in an overall vendor management compliance program.
Automating vendor compliance can be a helpful tool for credit unions seeking to eliminate human error, identify vulnerabilities and mitigate regulatory risk. The best vendor management software can not only verify a supplier’s qualifications, certifications and financials but also track performance.
However, simply having vendor management software is not a guarantee a credit union will be compliant, according to Daniel Loritz, Esq., managing partner, Okun Loritz LLP, a Glendale, California-based law firm that represents financial institutions. Vendor selection and management is a complex undertaking that also requires thoughtful human beings to set the goals and oversee the process.
“This critical understanding is driven home by NCUA Supervisory Letter No. 07-01 and the NCUA Letter to Credit Unions 08-CU-09, which are the nucleus of any vendor management system,” Loritz says.
Loritz clarifies that while the supervisory letter explains many of the risks associated with outsourcing to third parties and describes a host of best practices for vendor management, the letter to credit unions includes the NCUA’s field examiner questionnaire for evaluating third-party relationships. Loritz emphasizes that “the clear thrust of these two NCUA Letters” is that leaders must be deeply involved in the vendor management process “and that automated software is not the proverbial ‘silver bullet.’
“Frequently, the … products feature numerous automated functions supported by rather impressive software programs that appear to ‘take the work out of it,’” he adds. “While these systems are attractive to busy credit union executives that have their hands full running day-to-day operations, the NCUA expects credit unions to develop their own expertise in making risk assessments, conducting due diligence and monitoring vendor relationships.”
Given the importance of vendor oversight and the abundance of competing products in the vendor management software space, how can leaders determine which product is best for their credit union?
Here are eight top questions credit unions should ask when shopping for vendor management software.
1. Is the Vendor’s Due Diligence Questionnaire Compliant With FFIEC Guidelines?
CUES member Doug La Tour, VP/risk management, $1.9 billion KEMBA Financial Credit Union, Gahanna, Ohio, says there are many factors to consider when selecting a vendor, but when first researching vendor management software, one of the most important points is whether the vendor’s due diligence questionnaire is compliant with the guidelines spelled out in the Federal Financial Institutions Examination Council’s BSA/AML Examination Manual.
“If you go through the FFIEC manual, it will tell you if your questionnaires and due diligence processes are strong enough,” La Tour explains. “Most of the software will be compliant, but you want to make sure it is.”
Loritz agrees. “It is possible that automated vendor management software can assist the credit union with these tasks,” and you should determine to what extent it does, he says. “In the event that the software does not address each item, the credit union should develop the internal ability to do so.”
2. What Percentage of Customers Renew With the Vendor?
Julia O’Connell, SVP/product development at Quantivate, Woodinville, Washington, says credit unions should ask potential vendors whether and how they can meet the CU’s needs, including scaling with it and providing data reporting tools that generate needed insights. One of the biggest indicators of a product’s reputation is renewal rates, she adds.
“Vendors where the majority of customers renew the software indicates that there is a high degree of satisfaction with the software,” O’Connell says. “Non-renewals are often due to lack of support, functionality or a product that is not meeting expectations or customer needs.”
3. Can the System’s Workflow Grow with Your CU?
La Tour says that because he and his team are trying to automate as much of the management and compliance process as possible, the ability of the workflow to be configured and expanded is critical.
“Can it grow with your credit union?” he asks. “When I’m vetting or doing my due diligence, can I use the software to automate the questionnaire through each department so that each subject matter expert can review their areas for compliance of the documentation?” As an example, he cites the ability to have his CFO check how the software handles financial issues and the information security office perform a security review.
4. Are There Hidden Costs or Fees?
“Vendors will sometimes quote a lower software price but then not disclose additional services or fees that you’ll need to successfully implement,” O’Connell says. “Ensure you’re getting into the weeds on what’s included and what’s not with the pricing. Think about your growth trajectory and what additional needs you may have a year, two years and even three years out. Consider the additional services you might need to address the growth.”
5. Does the System Track Performance Against SLAs?
This is important because service-level agreements (a mutual understanding of system performance and “up time”) have come up a couple of times with examiners, La Tour says.
“Two different examiners we’ve had in the last two years have asked how we track—or know—that our vendors are doing what they are supposed to be doing,” he explains. “We have an enterprise risk management suite, and our vendor management is a module that goes into that suite. It’s been upgraded to the point where we do have performance tracking, so that’s a nice feature. It helps us continue to score and make sure that we’re getting what we paid for.”
Loritz stresses that credit union officials should receive periodic reports on the performance of all material third-party programs.
6. Have Any Customers Been Through an Exam or Audit With the Software?
“This is a great way to test out if the software will meet your compliance requirements,” O’Connell says. “If the vendor has a good track record of providing the necessary information out of the box to meet your examiner’s needs, it can make your life significantly easier during an audit or exam.”
7. How Easy Will Implementation Be?
“You really want to make sure you’re in lockstep with your IT department and that what you’re purchasing is going to have an easy implementation process,” La Tour says.
He adds that credit unions should have training materials available and that the product you are purchasing should be easy to learn and use.
“I have been places where the software was such a hindrance to us that we couldn’t get people to use it,” La Tour says. “Vendor management software is simply a big database. If it’s not being used to its full potential and accepted, you’re not going to get your money’s worth.”
Loritz adds that credit unions should consider whether staff is qualified to manage and monitor the third-party relationship. If not, it might be time to invest in some training.
8. How Easy is Importing and Exporting Data?
“Some vendors make it extraordinarily difficult to pull data in and out of the software,” O’Connell says. “Ensure that you are able to manage your data as you need it at no additional cost.”
The purchase of an automated vendor management system can increase efficiency and help manage labor costs. Knowing which questions to ask, what your credit union’s needs are and what NCUA expects and requires can relieve some of the stress and help you make the best decision for your credit union.
Formerly a member of the CUES marketing staff, Felicia Hudson Hannafan is a writer based in Chicago.