As credit unions review and consider their strategic plans, one of the areas that frequently comes up is deciding if certain functions should be outsourced to third parties. A common thing that many credit unions have done, or are currently considering, is outsourcing their ATM operations.
For many credit unions, this makes sense. ATM machines are still an area where many credit unions have fallen behind their peers. Many use ATMs with outdated operating systems or technology. These outdated machines are a potential risk area, not only in terms of maintenance, but also in terms of cybersecurity and potential non-compliance with federal laws and regulations, such as the Americans with Disabilities Act. The same principles apply to other operations at a credit union as well.
If your credit union is considering outsourcing its ATM operations, or any function for that matter, you need to consider what that means for your credit union’s operations and how you will be able to manage these third-party relationships effectively and safely. A good place to start is NCUA’s guidelines on third party and vendor management found in Letter to Credit Unions, 13-CU-07, “Evaluating Third-Party Relationships,” that can help you manage the risks associated with outsourcing your operations or services.
Credit unions need to focus on three specific areas when deciding to enter into a third-party agreement:
- Risk assessments and planning;
- Due diligence; and
- Risk management, monitoring, and controls.
Risk Assessment and Planning Considerations for Third-party Relationships
Before entering into a third-party relationship, you should determine whether the relationship complements your credit union’s overall mission and philosophy. It is important that you document how the potential third-party relationship relates to your strategic plan, long-term goals, objectives, and resource allocation requirements. Additionally, you should weigh the risks and benefits of outsourcing any of your business functions with the risks and benefits of maintaining those functions in-house.
You should also complete a risk assessment to determine what internal changes, if any, will be needed to participate in the agreement safely. It’s also important to remember that risk assessments are a dynamic process and should be part of an ongoing broader risk-management strategy.
Your initial risk assessment for a third-party relationship should consider all seven risk areas that NCUA examiners look at (credit, interest rate, liquidity, transaction, compliance, strategic, and reputation), and more specifically the following:
- Expectations for Outsourced Functions — Have you clearly defined the nature and scope of your needs? Which of your needs will the third party meet? Will the third party be responsible for the desired results? To what extent?
- Staff Expertise — Is your staff qualified enough to manage and monitor the third-party relationship?
- Criticality — How important is the activity you’re considering outsourcing? Is that particular activity considered mission critical for your credit union? What other alternatives exist?
- Risk, Reward or Cost-Benefit of the Relationship — Does the potential benefit of the arrangement outweigh the potential risks or costs? Will this change over time?
- Insurance — Will the arrangement create new or additional liabilities for your credit union? Is your insurance coverage sufficient to cover the potential increase in liabilities? Will the third party carry “key man” insurance or other forms of insurance to protect your credit union?
- Effects on Membership — How will you evaluate the positive or negative effects of the arrangement on your members? How will you manage your members’ expectations?
- Exit Strategy — Is there a reasonable way out of the relationship if it becomes necessary to change course in the future? Is there another party that can provide the same level of operations or service?
Due Diligence for Third-party Relationships
When considering any third-party relationship, proper due diligence includes developing an understanding of a prospective vendor’s organization, business model, financial health, and risks associated with its products or services. Your level of due diligence should be tailored to fit the nature of the relationship, how critical the service is to your credit union’s operations, and to your risk profile, internal control structure, and overall complexity.
Risk Measurement, Monitoring and Control of Third-party Relationships
In addition to careful due diligence, you should establish ongoing expectations and limitations for your vendor or third-party provider, compare their actual performance to the expectations outlined in the agreement, and ensure all parties to the arrangement are fulfilling their responsibilities. Each third-party arrangement and its potential risks will vary depending on the service provided. As a result, a one-size-fits-all approach to managing a third party will not work in all cases. Instead, you should tailor your risk-mitigation efforts to the specifics of the program or service, the materiality of the risks identified in your assessments, and to your credit union’s overall size and complexity.
Third-party relationships can be invaluable to credit unions and credit union members. However, these relationships have to be managed properly to ensure they are compatible with a credit union’s long-term interests.