Due Diligence: Keep Members and Regulators Happy

Norine Richards, Credit Union Magazine
October 9, 2007 | COMMENTS

The NCUA often repeats the "due diligence" theme in regulations, letters to federally insured credit unions, and examiner questionnaires. Here are five ways to regret an outsourcing decision:

1. Have only one person at the credit union responsible for due diligence.
2. Choose a vendor only because several other credit unions use the company.
3. Rely on the vendor to manage the credit union's data, without stringent oversight.
4. Don't conduct a due diligence review, because the vendor is a small company.
5. Assume outsourcing will save money, without a thorough cost analysis.

The following eight steps incorporate the points outlined in the NCUA's 2001 letter:

1. Know your problem or goal.

Approach vendor selection with predefined objectives tied to your short- and long-term strategies. Don't pursue products or services unless they directly contribute to a defined credit union objective.

2. Know your expectations and desired results.

Staff must be clear on why they're soliciting vendors and the desired outcome. Before arranging a client demonstration or visit, create a cross-functional project team and brainstorm business, technology, and financial requirements.

3. Know your due diligence analysis standards.

Due diligence should precede all outsourcing activity or product purchases. The biggest risks often are associated with the most innocuous, nonintrusive vendor relationships.

4. Know your vendor.

Sometimes credit unions shortcut the due diligence process due to preconceived ideas or opinions about vendors. Some view a vendor's reputation as sufficient evidence of impeccable service. Or a tip from a trusted credit union colleague might cause your CEO to ask, "Why aren't we using them?"

Ask these questions during vendor selection:

• Will your credit union be the vendor's largest customer or a small client? You may lose your ability to negotiate with larger companies, but deal with small firms with care because they may not have the resources to support your needs adequately.
• Is the vendor willing to share its financial statements? If not, be suspicious. If the vendor worries about a confidentiality issue, agree to sign a nondisclosure agreement to assure the vendor that your credit union won't distribute the vendor's financial data.
• Who provided the client contacts? The vendor should provide a comprehensive list of clients, allowing you to choose the clients you wish to contact. And seek user forums for opinions.

5. Know your costs.

Why outsource? Cost reduction is among the top answers. But how many deals actually reduce expenses? Typically, contracts define direct costs that may include the service or license fees, implementation, continuing support and maintenance, and vendor training. Consider important intangibles and how outsourcing affects internal operations. If you aren't clear about service levels, terms, recourse and liability, and fees, consider an attorney review.

6. Know your data.

Data protection by far is the most important aspect of any outsourcing relationship. Remember, NCUA issued Section 748's Appendix A to comply with the 1999 privacy law. Data breaches and identity theft are of utmost concern to members and regulators.

7. Know your internal operations.

Outsourcing usually means internal change. Therefore, identify how this vendor service or product alters your current policies, processes, operations, and in-house skill sets.

8. Know your monitoring requirements.

Outsourcing may relieve the credit union of direct management of a process or function, but responsibility for risk and successful operation remains with the credit union. Define measurable service levels. Then monitor vendor performance, and document and report problems.

Credit unions ultimately are responsible for performance lapses of third-party service providers. Monitoring can protect your credit union against claims of negligence and support regulatory compliance. Due diligence is ongoing through monitoring—it is not a one-time event that's finished when the contract is signed.

Norine Richards is director of risk management for Ent Federal Credit Union in Colorado Springs, Colorado. This story first appeared at www.creditunionmagazine.com and is reprinted with permission.