
Do Your Homework

Pass the Exam


Satisfying the NCUA with Vendor Selection Due Diligence

By Andrea Stritzke, PolicyWorks Regulatory Counsel*
and Brian Scott, TMG Vice President of Sales

It’s no secret that due diligence is on the NCUA’s radar. In 2007, the
federal agency named vendor management as one of the areas that would soon
be receiving extra attention from its Office of Examination and Insurance.

Citing an industry-wide lack of business-impact analysis, the NCUA’s Gerry
Wyland, a regional information security officer, told 2007 CUISPA
attendees, “Credit unions need analysis to identify and quantify risk to
upper management. Examiners will be looking at the scope of testing.”


Introduction

Step 1 – Pull Out the Calendar

Step 2 – Answer Your Own Questions First

Step 3 – Survey the Landscape

Step 4 – Drafting the RFP

Step 5 – Analysis

Step 6 – Contract Negotiations

Step 7 – Ongoing Evaluation

About the Authors, PolicyWorks and TMG

The Members Group . 1500 NW 118th Street . Des Moines, Iowa 50325 . 800.268.1884 . www.TheMembersGroup.com

Since Wyland and his NCUA colleagues made this declaration, the credit union
community – and those who serve it – has come up against some of the most
turbulent challenges in history, putting an exclamation point on the NCUA’s
call for due diligence in the selection of credit union vendors.

Perhaps no other vendor relationship is more critical for a credit union than
that with its card processor. Not only does the processor drive a vital
revenue-generating activity, it also houses and secures member data – a hot
commodity on the ever-intensifying identity black market. It’s easy to see why
the performance of due diligence (or lack thereof) in the selection of a card
processor is likely to garner the attention of an NCUA examiner.

VENDOR SELECTION
1 – Pull Out the Calendar
2 – Answer Your Own Questions First
3 – Survey the Landscape
4 – Drafting the RFP
5 – Analysis
6 – Contract Negotiations
7 – Ongoing Evaluation

So, how should your credit union prepare for the selection of a new card processor? What
steps should you take and how should they be documented; which questions should you
ask and how should the answers look? Over the next few pages, we’ll give you step-by-step
guidance and some practical advice for navigating this crucial course of action – and for
doing so within NCUA guidelines.

Step 1 – Pull out the Calendar

To give your team a clear picture of your due diligence project, it will be important to
develop a project timeline. Start by pinpointing a target date for finalizing the selection of
your card processor and work backwards, allowing approximately 30 days for each of the
following:

• RFP Development & Distribution
• Vendor Responses & Follow Up
• Analysis & Final Decision
• Contract Negotiation

Depending on what is driving your need for a new card processor, you will also need to allow
up to 180 days for the implementation of a new program, be that a card conversion or rollout
of a new product or program.

Step 2 – Answer Your Own Questions First

Before preparing to ask questions of potential processors, it’s important for your selection
team to know what they are looking for in the answers. Below is a list of eight questions
designed to get your team organized and thinking about the root goals and objectives of
your card programs, as well as which questions it will be important to ask of potential card
processors.

In addition to discussing the below items, it’s a good idea to keep a record of your team’s
answers and file it away for reference, as well as to demonstrate your credit union’s ground-up
commitment to due diligence come examination time.

1. Why are we looking for a new card processor? Your team’s answer should include
expectations for all outsourced functions, including the scope of your needs and to what
extent the partner will be responsible for the success of your card programs.

2. Who at the credit union will manage and monitor the relationship? Does your team
require additional training or expertise to manage the vendor relationship, and if so, will
you seek this training from the processor?

3. Criticality. How important are card programs to the credit union’s strategic goals?
Is it mission critical? What other alternatives exist?

4. How are card programs consistent with the credit union’s values, risk tolerances and
business strategies? How critical is it that the card processor understands and adheres to
these principles?

5. Address the risks of the activity, product or service as defined below:


• Loss of capital if the card program fails
• Loss of member confidence if the program fails
• Costs associated with training existing or hiring new personnel
• Costs associated with investing in required technology

6. Return on Investment
• Attach a list of how each card program will affect revenue, expenses and net income.
• Project how changes in economic conditions may affect items above.
• Attach a cost benefit analysis for any portion of the card program, such as a fraud
prevention strategy, that does not generate direct income.

7. Insurance Review. Is our credit union’s insurance coverage sufficient to cover the
liabilities related to a card program? Will the card processor carry “key man” insurance or
other insurance to protect the credit union?

8. Exit Strategy. Is there a reasonable way out of the relationship if it becomes necessary to
change course in the future? Is there another party that can provide any services officials
deem critical?


Step 3 – Survey the Landscape

While it may seem like an obvious step, there are a few tricks to determining which card
processors should receive your request for proposal.

Many credit unions choose to use referrals as a basis for selecting potential vendors. And
while leveraging the knowledge and first-hand experience of your colleagues is an efficient
idea, it can lead to lost opportunity. What satisfies one credit union may not satisfy another.
Conversely, misunderstandings and other out-of-context anecdotes could cause your credit
union to miss out on a vendor perfectly tailored to its expectations.

When turning to colleagues for their advice, be sure to ask follow-up questions to get to the
root of a potential processor’s skills, service and expertise.

Contacting your state’s credit union trade association or national trade association for a list
of vendors is another way to locate potential card processors. Internet searches can also be
helpful when looking for information on vendors that offer a variety of card programs to
credit unions.

With the advent of Web 2.0, many credit union processors host blogs that can give potential
clients insight into more than just the company’s products and services. Reading these
real-time journals can give your selection team a better feel for a potential processor’s
philosophies, attitudes and industry expertise.

Using the findings of your research, narrow your field to no more than five and no fewer
than three potential card processors. Reach out to each vendor directly to get the most
appropriate contact person and to verify they are currently accepting new clients.

Step 4 – Drafting the RFP

Requests for proposals (or RFPs) are a traditional method for gathering
information in a digestible format that keeps the incoming data consistent
across responding vendors. While the spirit of the document is on-target,
execution can be off-base, adding to the RFP’s unfortunate reputation as a
superfluous exercise.

When drafted by a team of credit union individuals who know exactly what they
are looking for, however, the RFP can be an excellent tool for weeding through
the information supplied by vendors. In addition, it offers black-and-white
support for a decision as critical as a card processor – a relationship NCUA
examiners consider significant to a credit union’s security and risk liability.

Before diving too far into your RFP’s development, ask other departments
within the credit union if they are willing to share RFPs they have used in
the past. This will help you with the simple (yet often headache-inducing)
tasks like layout and formatting. (Alternatively, PolicyWorks has attached a
sample RFP to this white paper to help guide you in the development of your
own.) Of course, an RFP will not satisfy the requirements of every situation,
so it’s always a good idea to seek advice from legal counsel.

KEY QUALITIES TO EXAMINE
1 – Overall Health of the Company
2 – Expertise
3 – Security
4 – Fraud Protection
5 – Customer Service
6 – Technology
7 – Pricing

After you have the foundation of your document prepared, go back to your planning report
(Step 2 above) and determine which questions the card processors you are considering
must answer. Draft the questions in a manner that encourages respondents to answer fully.
Avoid questions that can be answered with a yes or no.

After drafting the questions, determine how you will weight the responses. Which categories
of questions are most vital to your decision? Over the years, PolicyWorks’ credit union
clients have found seven qualities that rise to the top as key in the evaluation of card
processors: 1) overall health of the company, 2) expertise, 3) security, 4) fraud prevention,
5) customer service, 6) technology and 7) pricing.

Key Quality #1 – Overall Health of the Company

Request three years of financial statements and analyze these documents for debt-to-equity
ratios, debt and income trends, profit margins and the potential for longevity.

In addition, ask the vendor to identify all parent companies and all subsidiaries. What
you are looking for, in addition to the overall financial health of the company, is where
card processing falls within the company’s profitability. Is card processing the main piece
of business for the company? Is the processor making a lucrative, revenue-generating
contribution to the corporation?

The company’s relationships also give you clues as to the nature of its business. Are
subsidiaries and sister companies also involved in the credit union industry? Can this
vendor leverage the expertise of affiliated companies, and will that resource benefit your
credit union?


Sample Questions:
Give a brief description and history of your organization, including the company structure
(i.e. publicly traded, privately held, subsidiary of publicly traded, etc.). Identify any parent
corporation and/or subsidiaries.

What are the company’s growth expectations over the next five years?

Provide the company’s audited financial report for the last three years. If an audited financial
report is unavailable, please provide a year-end balance sheet and income statement.

Key Quality #2 – Expertise

Nailing down a potential card processor’s expertise in the card industry is one thing, but for
credit unions, experience and understanding of the credit union philosophy is extremely
pertinent when evaluating processors. That’s because card processors are often responsible for
everything that happens behind a piece of plastic carrying your credit union’s brand. Every
rate increase, fee introduction, fraudulent transaction or customer service inquiry has the
potential to jeopardize your good standing with members.

Therefore, it’s vital that your RFP includes questions designed to reveal a card processor’s
core philosophies and experience. You want to know who they are working with, what they
are doing to manage their clients’ reputations and how they are delivering on the promises
their clients have made to members.

Sample Questions:
Provide a short summary of the company’s philosophy, product lines and scope of services.

Who is your competition? What differentiates your company’s service(s) from your
competitors? What will your company provide that others cannot?

Describe your ideal client.

Please break down the number of credit unions you serve as a percentage of the overall total.

Key Quality #3 – Security

Because a card processor will have access to member data, determining the company’s
security systems and policies is critically important. Be sure to request a SAS 70 – the annual
audit report evaluating a company’s internal control policies and procedures. Request proof
of your potential partners’ PCI compliance, as well.


In addition, ask questions to determine the proactive nature of the card
processor’s controls. Is the company compliant with all necessary regulations;
do they empower officers to remain educated on fraud trends; do they perform
the necessary background checks, request employee confidentiality, etc.

These questions should also be asked of any third parties that will have
access to your member data. Be sure you understand to which companies your
potential partners are outsourcing functions of your contracted services. Does
the third party have a confidentiality agreement? What are the third-party
company’s policies and procedures?

Sample Questions:
How does the company protect the privacy of any credit union, credit union member and/or
account information that may be collected, maintained or transmitted as a part of your
service?

Provide the company’s infrastructure incident response policies and procedures, including
but not limited to security breach, virus or network attacks, data tampering and unauthorized
access.

Describe the company’s logical security policies and procedures, including but not limited to
user ID and password access, authentication, access rights, authority levels and data back-up.

Identify any third-party relationships to facilitate, service, maintain or impact the product or
service provided. Provide any related vendor service level agreements or related maintenance
contracts covering hardware and software.

Key Quality #4 – Fraud Protection

As criminals learn new and more devious ways of intercepting funds and identities,
protection against card fraud is paramount. When determining which card processor will
drive your members’ card programs, it is important to collect information on how that
company prevents fraud.

Of equal importance is how that prevention impacts your cardholding member base.
Aggressive fraud systems will stop financial losses, but they will also stop legitimate
transactions along the way. How will the processors you are considering balance member
protection with member satisfaction?


Sample Questions:
Describe the company’s fraud prevention program.

Does the company provide customizable fraud prevention strategies tailored to a credit
union’s unique membership?

Are fraud analysts in-house or does the company outsource this service? Does the company
provide member service and what is the response time for problems reported?

Key Quality #5 – Customer Service

During the planning stage, your team designated a person or team of people as responsible for
the vendor relationship and determined whether or not extra training was required. Among
card processors, there are different levels of training support. Be sure you are aware of how
involved your card processor will be in getting staff up to speed and assisting with ongoing
education.

When problems arise, are you confident the processor will be available to assist your staff?
What about your members? Ask the kinds of questions that will uncover the processor’s
commitment to customer service and describe how your day-to-day relationship will look.
Remember that your brand is on the plastic this processor is powering.

Sample Questions:
Does the company provide any training to participating credit unions? If so, is this training
provided at the time of implementation and/or ongoing?

Who is responsible for first-line/front-line support to the member? What are your hours of
operation for support? How many staff positions are available to assist with support issues?

Key Quality #6 – Technology

At first glance, the products and services of competing card processors will appear similar.
Web-based member support, for instance, may have a nearly identical look and feel from one
processor to the next. However, it’s how your staff and members will use the interface that
is important. How much time does it take to mine the data that’s important to the user? Is it
truly user-friendly? Does it tie into your core processing software or back office data systems?

When asking the capabilities questions, dig deeper by inquiring about the use, the flexibility
and the customization of products and services. That’s where you’ll be able to determine
which system is best for your credit union.


Sample Questions:
Describe the level of customization available, and specifically, how that would be provided to
the credit union.

Describe capabilities you have in integrating data and information into our core system or
other third-party systems.

Detail any efficiencies your data entry or back office services will create with the credit
union’s systems.

Key Quality #7 – Pricing

Price estimates are generally requested when the credit union has narrowed its prospective
field of partners to two. At this point, it’s appropriate to request a proposal specific to the
products and services of most interest to your credit union.

One thing you may consider is taking this request a step further by asking for an apples-
to-apples comparison between card processors. Because vendors refer to different services
with different names, it can be difficult to determine exactly what your cost will be from
one vendor to the next. Additionally, some companies may list pricing in increments and
without an associated volume. So, while you may have a clear picture of how much member
support will run you by the hour, you may have a difficult time determining how much that
will cost the credit union over a period of time.

Ask your potential partners to be as specific as possible when providing cost estimates, and
don’t be afraid to ask questions as you go through the process.

Step 5 – Analysis

Now that you have collected the information, it’s time to digest, compare and ultimately
decide which card processor is the best match for your credit union. The goal of the analysis
portion of the vendor selection process is to determine your “lead” vendor. This vendor may
or may not be the processor you end up signing a contract with. Nonetheless, it is the card
processor that appears to most closely match the criteria your credit union has determined
it requires.


Step 6 – Contract Negotiations

Once you have identified the lead vendor, request a copy of the processor’s standard contract.
If you need assistance reviewing this contract, consider hiring legal counsel with specific
experience in the credit union industry. This consultant will be able to alert you to red flags
and make recommendations for any adjustments your credit union may need.

Items that should be covered in a draft contract include:

• Scope of arrangement, services offered and activities authorized
• Responsibilities of all parties
• Service level agreements addressing performance standards and measures
• Performance reports and frequency of reporting
• Penalties for lack of performance
• Ownership, control, maintenance and access to financial and operating records
• Ownership of servicing rights
• Audit rights and requirements (including responsibility for payment)
• Data security and member confidentiality (including testing and audit)
• Business resumption or contingency planning
• Insurance
• Member complaints and member service
• Compliance with regulatory requirements
• Dispute resolution
• Default, termination and escape clauses

Once you have determined changes that need to be made to your lead vendor’s contract,
approach your contact at the card processor with your requirements and negotiate the terms
until both parties reach an acceptable contract.

If you are unable to come to an agreement on the contract, it may be time to head back
to the RFP pile. Second choices often become first when parties cannot come to a mutual
understanding of needs and expectations.

Step 7 – Ongoing Evaluation

The NCUA has indicated that due diligence in advance of hiring a vendor is only a portion
of what examiners look for with regard to vendor management. The second piece of their
analysis involves ongoing evaluation of risk.

It’s a good idea to include the performance of an annual due diligence review in any vendor
contract. While the extent of the reviews will depend on the frequency and criticality of
the relationship, requiring your card processor to participate in these reviews will help come
review time.


Annual due diligence should include a review of financial and security documents to ensure
the vendor can continue to fulfill its contractual obligations. This is also a good time to
consider any unforeseen issues that arose over the prior year and determine whether or not
the vendor is adhering to the contract.

No other relationship characterizes the need for exceptional due diligence like that with a
credit union’s card processor. Armed with the expertise to grow your credit union and the
experience to gain member loyalty, card processors have the potential to take your credit
union to an entirely new level of profitability. While it is very often warranted, the trust
credit unions place in these partners is immense and should only be given after a period of
concentrated analysis.

Scrutiny and attentiveness in every stage of the credit union/vendor relationship are more
important now than ever. As our country – and the financial services sector in particular –
faces historic challenges, the NCUA has promised to increase its examination of vendor risk
assessment. Performing consistent, systematic reviews not only decreases the chances of a
catastrophic error at your credit union, it definitely increases your chances for an A+ on the
NCUA exam.

* The information in this white paper should not be construed as legal services, legal advice, a legal opinion,
or in any way establishing an attorney-client relationship.


About the Authors


As regulatory counsel for PolicyWorks, Andrea Stritzke continuously tracks state and federal laws and
regulations impacting credit unions, while assisting clients in complying with changes in the law. Andrea
delivers many of the regulatory audit products offered by PolicyWorks and has become a nationally
recognized speaker. Prior to joining PolicyWorks, Andrea worked as a judicial clerk for the Iowa Court of
Appeals. She has also worked as a staff attorney for the Nebraska Court of Appeals.

Brian Scott is vice president of sales for TMG (The Members Group). As such, Brian leads a nationwide
sales team working with credit unions to create competitive card programs. Since starting with the
company in 1994, he has created profitability- and portfolio-growth modeling tools to help credit unions
determine the impact of marketing campaigns and promotions. Brian routinely visits over 75 credit unions
each year, sharing insights on the competitive card marketplace.

About PolicyWorks
PolicyWorks is an Iowa-based firm known for providing solutions to credit unions’ regulatory compliance
needs and influencing critical public policy issues through its government affairs services. PolicyWorks
has the resources, vision and experience necessary to help credit unions attain their desired results.
PolicyWorks is a wholly-owned subsidiary of the Affiliates Management Company, which is owned by Iowa
credit unions and their members. For more information, visit www.PolicyWorksLLC.com.

About TMG
TMG is a wholly-owned subsidiary of the Affiliates Management Company, which is owned by Iowa credit
unions and their members. As a financial and credit union service organization (CUSO), TMG is dedicated
to providing innovative and flexible card processing and payment solutions to credit unions and financial
institutions across North America. TMG’s core products include credit, debit, ATM and a variety of prepaid
solutions, as well as online reporting, item processing, ACH and ALM services. For more information, visit
www.TheMembersGroup.com.

© 2009 The Members Group, Inc. “The Members Group” and “The Members Group and stylized TMG logo” are registered trademarks of The Members Group, Inc. 07.09 v1
