By Jim Vilker
When it comes to compliance, I am constantly amazed at the amount of redundant work being performed in the credit union industry. One institution does the same exact work that others are performing and rarely is there consideration for sharing or cooperating on that work. This is most obvious in one area in particular, an area with mounting regulatory pressure: vendor management.
For many years vendor management was a once a year type of event. Credit unions stumbled at creating a methodology for assessing criticality, determining the amount of due diligence performed, monitoring the due diligence, and reporting their progress to their boards and regulators. I say ‘stumbled’ because they were operating under a requirement in which no standards were actually set in place by the governing powers, but they’re still regulated on it and required to have a system.
So, what changed in the last few years? First, vendor management became a dynamic process; not just one necessitating an update to a spreadsheet annually. Second, documented procedures and methodologies became a requirement. Cyber-crime was most notably the influencing environmental impetus as FFIEC guidelines began to include vendor management in not only their guidance but also the newly required self-assessment tool. This change has required financial institutions to reinvest and almost reinvent their vendor management programs, in many cases doubling the expense to perform the required processes.
What I observed is that most if not all financial institutions rebuilt, retooled, and reengineered their processes one at a time. Although they shared many critical vendors with their peers, they never considered what it would take to share that work.
As an employee of a cooperative, the approach to managing compliance has always been to work for the many to drive down the cost of regulatory requirements. That means eliminating duplication of efforts for the many credit unions with vendor relationships in common. We got to work designing such a service to deliver a way of managing vendor relationships while incorporating all the current guidelines promulgated by the OCC and FFIEC.
That work yielded a robust database of the most relevant due diligence on the financial institutions’ population of critical vendors. More than that, by cooperating and aggregating the work, we built a standard for assessing, monitoring, communicating, documenting and reporting on critical events over the life cycle of the process.
Credit unions need to as an industry learn from themselves as individual institutions. The same spirit of cooperation and collaboration that they foster with their members can be applied at the institutional level. You don’t have to go it alone. You don’t have to buy everything you need. It’s time for the industry to take on a build mentality, and a great place to start is with compliance.
Jim Vilker is VP Professional Services with AuditLink, a division of cooperative CUSO CU*Answers.