With summer in full swing, now is as good a time as any to review your internal processes, measure how your programs are performing against expectations, and determine whether any updates need to be made. This post takes a high-level look under the hood of your third party risk management program.
Supervisory Letter 07-01 contains the NCUA’s guidance on how credit unions should evaluate third party relationships and manage risk through internal policies and procedures. When reviewing your third party risk management program, it’s important to review your processes in consultation with the NCUA’s guidance and examination procedures and those of any other applicable regulators. Every credit union should tailor its program to its size, the complexity of the services offered to its members, and the risk profiles of the third parties engaged. Within this context, the Supervisory Letter emphasizes three areas of concentration for any credit union third party risk management program: initial risk assessment and planning, due diligence, and ongoing risk measurement, monitoring, and control.
An internal review of your third party risk management program should focus on how you are initially assessing third party relationships. Most notably, how realistic and achievable have your goals and objectives been? Have you established means to productively measure success in your third party relationships? Have you accurately assessed how members might be impacted by your relationship with this third party? When evaluating initial risk assessment specifically, do your third party risk categories and ratings accurately reflect how you assess the third party relationship? Are there any gaps?
When reviewing your due diligence procedures, have you accurately verified the third party and its business model? Do you need more information, or additional resources, to evaluate whether the third party’s qualifications meet your service level and financial expectations? If the third party has access to member information and other sensitive confidential information, has that information been adequately protected? Does the credit union rely on accurate information to make this determination? The NCUA and other regulatory authorities increasingly emphasize understanding not only your third party relationships, but also your third party’s third party relationships. How does the credit union evaluate a third party’s risk management program? Does the credit union perform due diligence on these additional parties, and to what extent? It is also important to assess your contract review and negotiation strategies. Is your credit union adequately protected, and does it have recourse available, under your third party service agreements? Where do you accept risk, and is that acceptance appropriately recorded and easily accessible?
Finally, how effective has the credit union been at monitoring third party performance? Does the credit union have, or does it outsource to another party, the appropriate expertise, internal controls, and technology to monitor and evaluate third party performance? In light of changing circumstances affecting the credit union and/or the third party, how effective have you been in modifying your risk assessment of the third party, amending the third party service agreement, or even terminating the relationship? In what way(s) can you better ensure an “easier” termination of the third party relationship, so as to avoid expensive termination fees and to transition the services internally or to another third party service provider?
These are some questions and considerations you should take into account when reviewing your third party risk management program. As internal and external conditions continue to impact the credit union and the industry as a whole, your policies and procedures should be adaptable and resilient to put the credit union in the best position to succeed. If you need any assistance with, or have any questions concerning, your third party risk management program, feel free to contact us.
Michael J. Heller
Messick Lauer & Smith P.C.