Vendor Management and Strategic Planning: How to Tackle the Key Examination Issues of 2008

Interview with Gigi Hyland of the NCUA

Vendor management and pandemic preparation are huge topics for financial institutions and regulators alike. On January 29, the National Credit Union Administration (NCUA) spotlighted these issues in a webinar, "Key Examination Issues for 2008" (Audio), (Transcript), (Presentation). Following the session, we spoke to NCUA Board Member Gigi Hyland about the top challenges facing credit unions in 2008.

Q: Among the "Key Examination Issues for 2008" were evaluation of third-party relationships (vendor management) and increased strategic planning. Why did the NCUA focus on these as key exam issues now, and what can institutions expect to see in 2008?

Hyland: There are always issues that bleed over year to year, for example, [Bank Secrecy Act] compliance is still a very hot issue that institutions need to pay attention to. But since we already have a lot of information out on that topic, we thought it would be useful to hold a webinar that focused on what examiners are seeing out in the field, and will get greater scrutiny from examiners this year. We focused on those two issues. Evaluation of third-party relationships has become a big issue in the last three years. There are a variety of circumstances that have led to the letter which we issued late last year to our examiners, and then repackaged it and released it to credit unions on evaluating third-party relationships. And those circumstances include a very flat yield curve and credit unions having trouble in keeping return on assets at traditional levels (i.e., above or near 1%); trying to get enough money to meet operating expenses, and trying to provide all the products and services that their members want. I think that in an effort to try and make up on interest income, trying to compensate for the fact that they weren't getting any interest income, a lot of credit unions may have engaged in products and services that looked like a good deal to bring in income, but they may not have done all the due diligence before they jumped into the product or service.

The real example that started this focus is indirect lending, where we saw a lot of credit unions contract with a third party and outsourced everything in the process, from loan decisions to policy decisions on indirect auto lending.

You may recall the circumstances surrounding the Centrix portfolios that a lot of credit unions held, where everything was outsourced, and no due diligence was performed on Centrix itself, what the cash flow issues were, what the guarantees were, whether the contracts were balanced or not. We found a lot of credit unions not realizing the types of returns they anticipated on those types of loans in addition to delinquency rates that had been quoted in contracts wound up being in practice much, much higher than credit unions had anticipated. In many instances, credit unions were left holding the bag on these types of portfolios.

Had credit unions done more due diligence on Centrix -- and I'm not just picking on them, but also other indirect lenders as well -- they may have realized that what Centrix was claiming as return rates was just too good to be true. Or possibly another action would have been to hold only a few loans in the portfolio and try it out for a while to determine if you wanted to offer to all members. Crawl before you walk, walk before you run, don't go investing in a limited field until you've tested it out and determine that it's going to give you the returns you anticipate.

Another example is in credit unions such as Huron River, Cal State Nine and New Horizons -- credit unions that have been placed into conservatorship because they engaged in portfolios that didn't align with their business practices, or hadn't done the due diligence to realize if the circumstances had changed. What I mean by that is in these cases that I cited, the credit unions contracted with a real estate lender, mortgage lender or construction company in a certain part of Florida several years ago -- the market was great, it was hot, they were building -- but suddenly the market turned and the valuation of those properties dropped precipitously, and again, the credit union was left holding a lot of those loans to the detriment of their net worth, and were held liable to contracts that were fairly one-sided. Again, if those credit unions had done due diligence and entered into only a few contracts, they may have been more aware of the changes in the marketplace, and how changes in real estate pricing affected their portfolio, and could have minimized or limited losses.

Then last but not least, we've seen where credit unions have engaged in participation lending with other credit unions. Maybe because they're all credit unions, they don't feel the need to perform the same amount of due diligence with each other. Again, a contract is in place and credit unions need to know what their responsibilities are; if the worst case scenario happens, what are they left with and can they get out of it without too much collateral damage?

Q: The other key examination topic, strategic planning, what are the reasons why you felt it was so important for credit unions to pay attention to this?

Hyland: We saw that a focus on strategic planning is needed at credit unions and for many of the same reasons as third party relationships -- credit unions have been so wrapped up in the day to day activities of running their credit union, getting over a flat yield curve, and the time spent with members and meeting their needs, that the time spent on a strategic look into the future and charting out a path to the future has been minimized. Examiners have seen that in the field, where credit unions have not spent a lot of time thinking about what the future of their institution might be. So we thought it was useful to focus on strategic planning, along with the letter the NCUA issued in late December 2007 on eliminating the CAMEL matrix, which was a formula to analyze capital assets and earnings of credit unions. It was a very backward way to try and look into the future and see how a credit union is doing by looking in the rearview mirror, versus what our examination process does, which is to look at the seven areas of risk prospectively to see where a credit union is managing the various risks that their particular operation faces. We thought it would be useful because strategic risk is one of the seven areas of risk, and to focus on that and encourage credit unions to take the necessary time to look three to five years down the pike and figure out 'what is our plan for serving our members?' as well as the plan for the institution.

To have those conversations with the board of directors, who frankly are charged with the strategic direction of a credit union, and make sure that they have a plan that their operations will lead them down the road and that their plan has a check on it from time to time to see what may have changed in the environment. You need to ask 'Are we doing what we need to be doing to survive and really to thrive into the future?'

Even smaller credit unions may look and see that their future would be better if they merged with another credit union. We do a survey of the credit unions that have merged to try and find out some of the reasons they merge with other credit unions. One of the reasons about 70 percent of them offered as to why they decided to merge was the fact they were not able to offer the expected level of products and services to members.

Whether a credit union chooses to grow, merge or even change its charter, those actions are made easier with strategic planning where they can sit back and look at the bigger picture and decide the best paths to their future. Step up and take a look over the edge of the horizon.

Q: In the Evaluation of Third-Party Relationships as a key examination point, what are some of the must haves for institutions to consider?

Hyland: I'd cast it in the light of utilizing common sense when it comes to due diligence. An analogy I used in the webinar was about due diligence, and whatever due diligence you would use in your personal life, would be the level you would want to use in vetting third-party service providers. That type of thought process, checking references, checking contracts, making sure you are comfortable with it, making sure you know what would happen if something goes wrong, and who is responsible for what, all of those elements translate very nicely into the business world and the credit union world. In the webinar we talked about the need to think about due diligence as creating an effective program. You need to look at the risks that are involved in contracting with a new vendor or continuing a contract with an existing vendor to plan out how that particular contract fits into the products and services you offer to your members. Then perform effective due diligence, check them out, make sure things feel good, sound good, and are good in the contract and then measure and monitor and try to control the risks.

Q: In one portion of the webinar you made the comparison of a credit union having to decide between either a Maserati or a mini van, would you explain this comparison?

Hyland: Part of the thing that a credit union has to remember when they're at the crossroads of deciding to go with a particular vendor to offer a particular service is to look at what their particular credit union needs. It's great to get references from colleagues at other credit unions, and all of the other reference checks we suggest, but ultimately you must answer what is the need of your credit union? This is where that analogy comes in, so if you need to have a really fast, cool looking car that will get you to where you need to go quickly, then maybe a Maserati would be the car for you. However, if you need a reliable, comfortable car that will haul the four kids and the two Great Danes to wherever you need to go, then the mini van is the better choice.

The fork in the road for credit unions is to really understand their own needs, and how that particular vendor fits into their strategic plan, their services, and making sure it is a good fit. Not just because someone you know at another credit union uses that vendor, but how does the vendor align with what you need at your credit union.

Q: Regarding the third-party vendor management, what about vendors who are new to the industry and may not have a background or history, does this new examination focus prohibit credit unions from using these new, untested vendors?

Hyland: The answer to this is bold, all cap letters and underlined NO. We recognize that credit unions need to do what is best for their strategic plan and operations. That may mean going with the newer vendor who may not have been around for a long time to provide a product or service. One good example is the mobile phone technology under development to conduct banking over your cell phone. Some credit unions have engaged in this service, and customers are using it. There is still a lot to work out about the security issues surrounding this technology, which type is best, etc. Credit unions should feel free to contract with those types of service providers, but the same common sense rules apply when vetting those vendors. Do your due diligence, make sure you are looking at all angles in the contract and be sure to go slowly. Don't jump necessarily both feet first into something until you have some experience in it. If you get a year of experience with the new vendor and things are great, then take a few more steps if they are the right fit to your business plan.

Q: There have been several significant pieces of guidance issued in the last 18 months, including the ones on pandemic planning and ID Theft Red Flags; what are the NCUA's recommendations in meeting compliance requirements?

Hyland: I think a lot of this guidance is geared not only to credit unions, but to helping their customers as well. We talked about having an exit strategy in the webinar, and I'll elaborate on what was mentioned in the webinar. An exit strategy can include a Business Continuity plan or Disaster Recovery plan, when you think about contracting with a third-party vendor. Credit unions need to take a 360 degree approach in thinking about the vendor relationship, how is this vendor going to operate not just in good times but also in bad times? How is this vendor going to help and assist the credit union no matter what might happen? While the pandemic guidance is separate and apart from the guidance we've issued on third-party vendor management, they're connected. For a credit union to be able to do a 360 and realize how this vendor will be able to provide services to its customers is really critical.

Q: From the NCUA's unique perspective as a regulator, do you see that credit unions are adequately prepared for a pandemic? What are some areas to improve upon?

Hyland: I use Hurricanes Katrina and Rita as examples of when crisis comes and happens, people learn a lot of lessons from the crisis. In the pandemic scenario, we've tried to be ahead of the game, and anticipate and prepare. BCP, or preparedness for a pandemic, is really hard for credit unions and other financial institutions. You have to find the time to plan and give it your best effort in trying to anticipate what the risks might be and what you'll need to do to mitigate those risks.

Trying to anticipate all the contingencies in a pandemic is hard, because something could happen that no one thought of, so do you have a plan to address that as well. The short answer to the question is yes, but there is always room for improvement. It's one of those areas that needs to be "chewed on" and revisited on a regular basis as new developments come in.

Q: In mentioning Hurricanes Katrina and Rita, what are some of the lessons learned from these and other recent disasters that credit unions can use to hone their recovery plans?

Hyland: Some of the most simple are - where is their disaster recovery site? It shouldn't be located two blocks away or even five miles away. It should be in another part of the state or even another state or another part of the country to hopefully preserve their records and data. How easy are the records to access in either electronic or paper format? That's a big one. Having contact information for everybody at the credit union is important. What I mean by that is who works for the credit union, where do they live, how can they be contacted, both at home and on cell phone, (without violating any privacy). In an emergency you want to know where your people are, not only for their own safety, but also hopefully to help get the credit union up and running and be able to serve members in need. Another lesson learned is the importance of shared branching, which we saw work after Hurricane Katrina and Rita. In order to have members be able to have access to their funds, shared branching was essential in the hardest hit areas. We want to make sure we maintain consumer confidence in the entire banking system to give them a sense of relief that they know they can access their money if they need to.

I don't mean to compare banks and credit unions here, but I think it is a worthwhile comparison. Bank of America, which has many branches in New Orleans, offered their customers who relocated to other parts of the state or to another area, the ability to access their Bank of America branch from where they were relocated; and so the customers had a sense of security about their money and confidence they could access it. For smaller credit unions that may only have one or two branches, they need to be able to compete in that marketplace and meet the expectations of customers who want to be able to access their money from anyplace, on any day. The way to do this is by having credit unions cooperate with one another, either in shared branching or some other mechanism. So credit union customers can have their money in a credit union and be able to access it anytime, anywhere, anyhow.

Q: Are there any strategic plans for regulatory relief should a pandemic occur, and if there are, will financial institutions be able to know what they are prior to the pandemic?

Hyland: Bluntly, I don't know the answer to that question. I know that our regulators are working closely with other banking regulatory bodies to create the wider pandemic response plans from the federal agencies. I think it would be a little dangerous to do that in advance and make it public, because that would potentially encourage some of those institutions not to come up with their plan, or hedge their bets and not develop a full plan, because they know they will get relief anyway.

Q: Your final thoughts on meeting the key examination points for 2008?

Hyland: My best advice is to have a good dialogue with your examiner, engage in a conversation with them. Many credit unions view their examiners as the be-all, end-all judge of the success of their credit union, which they are not. As an auditor who would tell them if things were going right or wrong, which also is not true. Examiners are there to look at the safety and soundness of a credit union, and to measure the risk that it poses to the insurance fund. How likely will this credit union be to cause a loss to the insurance fund? So it's not a measure of success, but rather one of failure. I think credit unions need to be able to have good, robust dialogue with their examiner, where they may not see eye to eye, but at least they've laid out the issues and hopefully it is beneficial for both sides. For the examiner, it helps them better understand the credit union's business model, and it helps the credit union understand the examiner's concerns. When you're thinking about getting into a new project, or already are in one, ask for your examiner's opinions. It's not meant to dissuade you from entering into a new area, but it will give you a perspective from a different point of view, from your examiner who has gone into a lot of other credit unions and has seen a lot of different things and has a different view of the world when it comes to risk. Remember, examiners are risk averse, so they are going to be very conservative in their approach to risk. That's just good information for a credit union to have to inform their own process of due diligence. It's not meant to say "don't do that product or service," but rather, "hey, I didn't think of that, maybe we should take that into account." Sharing expertise through a robust dialogue with your examiner is a better place to be for credit unions.

Examiners are human, they don't like to be surprised by things, and they're already risk averse and they have a very short time to do an evaluation of a credit union, so the more information they have about a credit union beforehand, and how the credit union's business is modeled, and the rationale behind it, the more comfortable they will be doing the review.

About the Author

Linda McGlasson

Managing Editor

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.