SCOTTSDALE, Ariz.—NCUA’s increased scrutiny over vendor management is costing credit unions money and leading to the wrong outcomes.
The money going out the door, says Cornerstone Advisors, is due to CUs not managing vendors well in other areas outside of risk and security as they try to keep regulators happy.
Brad Smith, managing director at Cornerstone, said that vendor management today must be much more than evaluating the partner’s risk, which includes their ability to protect sensitive member data.
“But, unfortunately, that is what is happening at credit unions now as NCUA is asking CUs to carefully evaluate their vendors’ risk,” said Smith. “Credit unions are only focusing on the risk side, and not on vendor performance in their evaluations, and that is costing them money. NCUA does not care how much Fiserv is charging you or if Symitar is performing. They want you to assess their security and risk.”
He added that Cornerstone, in its work with credit unions, believes this situation is occurring at 90% of credit unions nationwide.
“The key point is vendor management today—despite what NCUA and the auditors want—is really a three-legged stool,” explained Smith. “It’s the risk associated with a vendor, their performance, and their cost. If you assess less, you are missing the whole point of the relationship.”
What Smith said is generally occurring at credit unions is that the CU prioritizes vendors by which are the riskiest or have the greatest access to member data.
“Then they go through the process of gathering documents from vendors, they look at them, and then do something with them,” said Smith. “But in reality, most credit unions are doing little more with these documents they collect than sticking them in a binder and saying they looked at them. This is a checklist approach to managing vendors.”
Smith said the work is typically performed by someone in IT or compliance, and not by the business manager responsible for the vendor relationship.
Again, Smith said, this approach to vendor management is satisfying NCUA, because the documents retrieved typically show that the vendor is financially sound, has been audited by an independent third party, and has a business continuity plan.
“You have someone inside the credit union spending 40 to 80 hours a year on average to do this, and the result is that we checked the box and we should be OK for the examiners,” Smith said. “But no one is really asking how well is Digital Insights doing for us, what is our Internet banking penetration rate, how much are we actually spending compared to what we thought we would be spending with a vendor? These kinds of questions are not being asked and these kinds of conversations are not being held. Everything with vendors today is pretty much risk and security focused. These two things are certainly important, but you don’t build a business case for new technology and only look at risk.”
Smith emphasized that credit unions must shift gears to focus more on the ROA of a vendor, and if the partner is living up to its contract.
“We are shifting more money to technology, especially as transactions move out of the branch and online,” said Smith. “Credit unions need to start managing these relationships closely. They need a better approach. You don’t want to waste a significant amount of your technology spend—maybe 3% to 10% of your technology budget—on leakage, overspending on things you don’t even know you are overspending on and missing out on the benefits of existing technology.”
Fully Utilize Systems
Smith said that it is not uncommon for credit unions to be unaware of how to fully utilize the functionality of their systems. He said many CUs need to spend more time on understanding all their systems deliver.
“Many times a credit union has come to us and complained about their core system, saying that the vendor is not performing. But after we look closely at their core we find out that tools are available that the credit union did not know about, and often that new updates have fixed the issues the credit union is concerned about,” said Smith.
Smith said it is “exceedingly rare” to see credit unions—even the big ones with project management offices and full-time vendor management staff—paying attention to all three legs of the vendor management stool.
“But to be fair,” said Smith, “this is not happening much at banks, either.”