Vendor due diligence

Post on 06-May-2015

Transcript of Vendor due diligence

www.rtefs.com

Vendor Due Diligence

Supervisory Committee and Director’s Conference

January 2013

September 15, 2011

Walking back from lunch at the Lake Calhoun Beach Club

Target Field

The summer we do not tell anyone about.

AGENDA

• Ripped from the Headlines – Important not only because the regulators say so.

• Responsibility

• Vendor Due Diligence – General Requirements

• Vendor Due Diligence – Specific Areas

• The Top Five

• Forms and Guidance

• Credit Union and Member Benefits

WHAT IS A VENDOR?

What is a Vendor?

• IT

• Internet Provider

• Indirect Lending

• Application Provider

• Third Party Contractors

• Social Media – Facebook, LinkedIn, etc.

• Accounting and Legal firms

• Maintenance firms

• Cloud Computing - GMail

Responsibility

• NCUA Part 715.3 General Responsibilities of the Supervisory Committee

• Supervisory Letter 07-01 October 2007

NCUA Part 715.3

• (a)(2) Establish practices and procedures sufficient to safeguard members' assets.

• (b)(4) Policies and control procedures are sufficient to safeguard against error, conflict of interest, self-dealing and fraud.

Supervisory Letter 07-01

• Credit unions must complete the due diligence necessary to ensure the risks undertaken in a third party relationship are acceptable in relation to their risk profile and safety and soundness requirements.

Supervisory Letter 07-01

• What is your risk profile?

• What are your safety and soundness requirements?

Supervisory Letter

• Risk Assessment and Planning

Risks and benefits of outsourcing vs. internal operation

• Financial Projections

Supervisory Letter

• Due Diligence

Background check

Business plan/model

Cash Flows

Financial and Operational Control Review

Contract and Legal Review

Accounting Considerations

Supervisory Letter

• Risk Measurement, Monitoring and Control of Third Party Relationships

Policies and Procedures

Risk Measuring and Monitoring

Control System and Reporting

Top Five

• IT

• Indirect Lending

• Mortgage

• Cloud Computing Platform Products, Social Media, etc.

• Loan Participations

Top Five

• IT

• NCUA Exam Guide – Information Systems and Technology

Top Five

• Indirect Lending

• Letter to Credit Unions 10 – CU - 15

Top Five

• Mortgage

Top Five

• Cloud Computing

• FFIEC Cloud Computing Statement

http://ithandbook.ffiec.gov/media/153119/06-28-12_-_external_cloud_computing_-_public_statement.pdf

Top Five

• Loan Participations

• Letter to Credit Unions 08 – CU – 26

Supervisory Letter Attached to Letter

Examiner Guide Attached to Letter

GUIDANCE

Guidance

• Letter to Credit Unions 01 – CU – 20

• Letter to Credit Unions 07 – CU - 13

• Letter to Credit Unions 10 – CU – 26

• Examiner’s Guide – Information Systems and Technology

http://www.ncua.gov/Legal/GuidesEtc/ExaminerGuide/Chapter06.pdf

Checklist for Management

• Request a list of vendors that the credit union has today.

• Request a statement on the due diligence performed today on vendors.

• Compare against what you have learned here.

• Do the policies and procedures need to be updated?

Checklist for Management

• Alert all areas of the credit union that you require a report on any new vendors.

• Prepare a list of questions for the report:

Vendor Name

Vendor function

Due Diligence performed

Issues in due diligence assessment

Recommendation

The Future

• FinCEN ANPR on enhanced Customer Due Diligence (CDD) – March 2012

• Do we think this is the last we will hear of Vendor Due Diligence??

Questions??

Resources

• IT Due Diligence Guide – Checklist

• FFIEC IT Handbook and Guidelines

THANK YOU

• Gary Hess

• President, RTE Financial Services

• 1-320-260-0135

• Gary.hess@rtefs.com

• www.rtefs.com