2008 CAMS-ii Users’ Conference

Transcript of 2008 CAMS-ii Users’ Conference

Evaluating CBS: NCUA’s Vendor Due Diligence Process

Your 2008 NCUA Examination

Evaluating third party vendor relationships is one of the NCUA’s key credit union examination issues for 2008.

http://www.ncua.gov/NCUABoard/BoardMembers/Hyland/Presentations/Key2008/files/lobby.html

Examiner Expectations

• Your examiner expects you to perform a comprehensive review (initial and periodic) of third party vendors.

• NCUA examiners may bring a questionnaire to your next examination to complete their evaluation of your third party relationships (Excel enclosure to Letter to Credit Unions No. 08-CU-09).

What Do Examiners Want?

• Examiners will want documentation to prove that you have:
– Assessed the risks involved in partnering with your third party vendors;
– Performed initial and ongoing due diligence over your key vendors; and
– Put procedures in place to continuously measure, monitor, and control the risks you have identified.

Risk Assessment of the Relationship

• Expectations for Outsourced Functions

• Staff Expertise - Is CU staff qualified to manage and monitor the third party relationship?

• Criticality - How important is the activity to be outsourced?

• Risk-Reward / Cost-Benefit Relationship - Does the potential benefit of the arrangement outweigh the potential risks or costs?

• Insurance - Will the arrangement create additional liabilities? Is CU insurance coverage sufficient to cover the potentially increased liabilities?

• Impact on Membership - How will officials gauge the positive or negative impacts of the arrangement on CU members? How will they manage member expectations?

• Exit Strategy

Vendor Risk Assessment

VENDOR RISK ASSESSMENT 5-2008

Each factor is scored 1 (low) to 3 (high); the Overall Risk Level is the sum of the five factor scores. The original colour-codes each row by priority (Legend: Priority 1 = Key Vendor, Priority 2 = Secondary Vendor, Priority 3 = Tertiary Vendor); the colours are not reproduced here and the score ranges behind each priority are not given.

VENDOR                  SERVICE                                    Information  Confidential  Operational  Expense  Contract  Overall
                                                                   Sharing      Information   Reliance     Amount   Length    Risk Level
McGladrey Pullen        Auditor (external)                              3            2             1           2        2        10
FSCC                    Shared-branching                                3            2             2           2        3        12
First Carolina Corp.    Investments (Corporate)                         1            1             2           3        2         9
Equifax                 Credit Bureau                                   3            2             2           2        1        10
Diebold                 Cash Dispensers, ATM & Drive Thru Service       1            1             3           3        1         9
CUNA Mutual             IRA/HSA Administrator                           3            3             2           2        1        11
CUDL                    Indirect lending network                        3            3             2           2        1        11
Fifth-Third Processing  ATM network                                     3            2             3           2        2        12
Harland Clarke          Check vendor                                    3            3             1           2        1        10
CUNA Mutual             Insurance (Credit & GAP insurance)              3            3             2           1        1        10
CBS, Inc.               Data processing system                          3            2             3           3        3        14
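The scoring behind the risk assessment sheet, as an added example in Python (not code from the conference, from CBS or from NCUA). The factor scores and the printed Overall Risk Level for each vendor are copied from the sheet; the code checks that each printed overall is the sum of its five 1-to-3 factor scores, rejects rows that are incomplete or out of range, and ranks vendors with the factors that drive each score. The priority cut-offs (12 for Key, 10 for Secondary) are an assumption of this example, since the sheet shows the legend but not the score ranges behind it; change PRIORITY_CUTOFFS to whatever your own policy sets.

```python
"""Vendor risk scoring modelled on the 5-2008 Vendor Risk Assessment sheet.

Added example, not code from the conference, CBS or NCUA. Factor scores and the
printed Overall Risk Level per vendor are copied from the sheet; the priority
cut-offs in PRIORITY_CUTOFFS are an assumption of this example.
"""
from typing import Dict, List, Tuple

# Factor order used throughout: information sharing, confidential information,
# operational reliance, expense amount, contract length. Each is scored
# 1 (low) to 3 (high), as on the sheet.
FACTORS: Tuple[str, ...] = (
    "info_sharing",
    "info_confidential",
    "operational_reliance",
    "expense_amount",
    "contract_length",
)

# ASSUMPTION (hypothetical): the sheet's legend names Priority 1 (key),
# 2 (secondary) and 3 (tertiary) but does not give the score ranges.
PRIORITY_CUTOFFS = {1: 12, 2: 10}  # overall >= 12 -> 1, >= 10 -> 2, else 3

# Rows copied from the sheet: (vendor, service, scores in FACTORS order,
# printed Overall Risk Level).
PAGE_TABLE: List[Tuple[str, str, Tuple[int, ...], int]] = [
    ("McGladrey Pullen", "Auditor (external)", (3, 2, 1, 2, 2), 10),
    ("FSCC", "Shared-branching", (3, 2, 2, 2, 3), 12),
    ("First Carolina Corp.", "Investments (Corporate)", (1, 1, 2, 3, 2), 9),
    ("Equifax", "Credit Bureau", (3, 2, 2, 2, 1), 10),
    ("Diebold", "Cash Dispensers, ATM & Drive Thru Service", (1, 1, 3, 3, 1), 9),
    ("CUNA Mutual", "IRA/HSA Administrator", (3, 3, 2, 2, 1), 11),
    ("CUDL", "Indirect lending network", (3, 3, 2, 2, 1), 11),
    ("Fifth-Third Processing", "ATM network", (3, 2, 3, 2, 2), 12),
    ("Harland Clarke", "Check vendor", (3, 3, 1, 2, 1), 10),
    ("CUNA Mutual", "Insurance (Credit & GAP insurance)", (3, 3, 2, 1, 1), 10),
    ("CBS, Inc.", "Data processing system", (3, 2, 3, 3, 3), 14),
]


def validate_scores(scores: Dict[str, int]) -> None:
    """Reject a row that is missing a factor or uses a value outside 1..3."""
    missing = set(FACTORS) - scores.keys()
    unknown = scores.keys() - set(FACTORS)
    if missing or unknown:
        raise ValueError(f"missing {sorted(missing)}, unknown {sorted(unknown)}")
    for name, value in scores.items():
        if isinstance(value, bool) or not isinstance(value, int) or not 1 <= value <= 3:
            raise ValueError(f"{name}={value!r}: factor scores must be integers 1..3")


def overall_risk(scores: Dict[str, int]) -> int:
    """Overall Risk Level = sum of the five factor scores (range 5..15)."""
    validate_scores(scores)
    return sum(scores[name] for name in FACTORS)


def priority(overall: int) -> int:
    """Map an overall score to Priority 1/2/3 using the assumed cut-offs."""
    for level in (1, 2):
        if overall >= PRIORITY_CUTOFFS[level]:
            return level
    return 3


def risk_drivers(scores: Dict[str, int]) -> List[str]:
    """Factors scored at the maximum; these explain why a vendor ranks where it does."""
    return [name for name in FACTORS if scores[name] == 3]


def check_page_table(rows=PAGE_TABLE) -> List[Tuple[str, int, int]]:
    """Recompute each printed Overall Risk Level; return (vendor, computed, printed)
    for every row where the sheet's arithmetic does not add up."""
    mismatches = []
    for vendor, _service, factors, printed in rows:
        computed = overall_risk(dict(zip(FACTORS, factors)))
        if computed != printed:
            mismatches.append((vendor, computed, printed))
    return mismatches


def risk_register(rows=PAGE_TABLE) -> List[dict]:
    """Vendors ordered highest overall risk first, with priority and drivers."""
    register = []
    for vendor, service, factors, _printed in rows:
        scores = dict(zip(FACTORS, factors))
        overall = overall_risk(scores)
        register.append({
            "vendor": vendor,
            "service": service,
            "overall": overall,
            "priority": priority(overall),
            "drivers": risk_drivers(scores),
        })
    register.sort(key=lambda row: (-row["overall"], row["vendor"], row["service"]))
    return register


if __name__ == "__main__":
    assert check_page_table() == [], "printed overall risk levels do not match the sums"
    for row in risk_register():
        print(f"P{row['priority']} {row['overall']:>2}  {row['vendor']:<24} "
              f"{row['service']:<42} drivers={row['drivers']}")
```

Run as a script it prints the register with CBS, Inc. (14) at the top and the two 9-point vendors at the bottom; the consistency check is the first thing to run whenever the sheet is edited by hand, since a stale overall is the easiest error to make in a spreadsheet like this.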

Due Diligence

Credit unions must complete the due diligence necessary to ensure the risks undertaken in a third party relationship are acceptable in relation to their risk profile and safety and soundness requirements.

Proper due diligence includes developing a demonstrated understanding of a third party’s:

1. Organization
2. Business Plan
3. Financial Health

Due Diligence

1. Organization (Vendor’s)

• Technical and Industry Expertise
– Experience & ability to provide necessary services & supporting technology for current & anticipated needs.
– Use of third parties or partners.
– Experience in providing services in the anticipated operating environment.
– Ability to respond to service disruptions.
– Reputation and performance – references and user groups.
– Qualifications, experience, & training of key personnel assigned to support the CU.

1. Organization (CBS)

• Technical and Industry Expertise
– Experience & ability to provide necessary services & supporting technology for current & anticipated needs.
• In business since 1980
• Experienced staff with a combined 200-plus years with CBS
• Development team with a combined 125-plus years with CBS
• Continually enhancing software per customer suggestions and to facilitate ease of compliance with regulations

1. Organization (CBS)

• Technical and Industry Expertise
– Use of third parties or partners.
• IBM Business Partner since 1985
• Certified core processor with multiple credit union service providers
• Authorized Reseller, Lenovo PC workstations
• Authorized Reseller, IBM e-Servers

1. Organization (CBS)

• Technical and Industry Expertise
– Experience in providing services in the anticipated operating environment.
• Leader in Technology
– Among first core processors to use browser-based technology.
• Invest in cutting-edge technology
– Check 21 Tell-Scan
– Mobile Banking
– e-Deposit
– Kiosks

1. Organization (CBS)

• Technical and Industry Expertise
– Ability to respond to service disruptions.
• Technical support staff available 24/7
• Comprehensive Business Resumption Contingency Plan
– Secured disaster recovery site with multiple CAMS-ii servers
– Daily uploading of data to SAS 70 data center
– Annual disaster recovery certification

1. Organization (CBS)

• Technical and Industry Expertise
– Reputation and performance – references and user groups.
• Client references available
• Steering Committee (comprised of CBS customers)
• Users’ Conference
• Managers’ Conference

1. Organization (CBS)

• Technical and Industry Expertise
– Qualifications, experience, & training of key personnel assigned to support the CU.
• Staff with expertise in all facets of credit union operations and compliance, including:
– Credit Union management experience
– Knowledge of NCUA Rules and Regulations
– Financial Statement and Compliance Auditing experience (e.g. BSA and ACH)
• Technical support staff with certifications in:
– Network Administration, Microsoft and Linux operating systems

1. Organization (Vendor’s)

• Operations and Controls
– Standards, policies, and procedures
– Sufficient security precautions
– Knowledge of regulations relevant to the services being provided
– Adequacy of insurance coverage

1. Organization (Vendor’s)

• Operations and Controls
– Standards, policies, and procedures relating to
• Internal controls
• Facilities management (e.g., access requirements, sharing of facilities, etc.)
• Security (e.g., systems, data, equipment, etc.)
• Privacy protections
• Maintenance of records
• Business resumption contingency planning
• Systems development and maintenance
• Employee background checks

1. Organization (CBS)

• Operations and Controls– Standards, policies and procedures

• CBS has written policies and procedures in place that address all areas of operation and the internal controls necessary to ensure that our operations are secure and in compliance with laws and regulations.

• CBS has a written comprehensive Business Resumption Contingency Plan that is updated and tested on a regular basis.

1. Organization (Vendor’s)

• Operations and Controls
– Sufficient security precautions
• Firewalls
• Encryption
• Customer identity authentication

Review audit reports to determine whether the audit scope, internal controls, and security safeguards are adequate.

1. Organization (CBS)

• Operations and Controls
– Sufficient security precautions

• Internet Branching is hosted at a SAS 70 compliant data center

• Members’ identity is validated using multi-factor authentication prior to accessing Internet Branching

• Credit Union staff members’ identity is validated when support calls are initiated

• Remote access is password protected and firewall protected, and the connection is encrypted

• Encryption of all uploaded and downloaded data

1. Organization (CBS)

• What is SAS 70?
– Statement on Auditing Standards (SAS) No. 70, Service Organizations (AICPA).

– Service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers (here, the data center that hosts Internet Branching).

– Examined by an independent accounting and auditing firm

– Auditor’s report and opinion

1. Organization (CBS)

• Types of SAS 70 Reports
– Type I report covers the service organization’s description of its controls, and whether they are suitably designed, as of a specific point in time

– Type II report includes the service organization’s description of controls and also detailed testing of whether those controls operated effectively over a minimum six month period

CBS will provide you a copy of the SAS 70 audit report for the audit performed on our third-party service provider (the data center that hosts Internet Branching). That report covers the provider’s controls, not CBS’s own operations; when you review it, check which report type it is and the period it covers.

1. Organization (Vendor’s)

• Operations and Controls
– Knowledge of regulations relevant to the services being provided, such as:
• Bank Secrecy Act
• Regulation E
• Regulation CC
• Regulation D
• Privacy and other consumer protection regulations

1. Organization (CBS)

• Operations and Controls– Knowledge of Regulations

• CBS has measures in place to help us stay abreast of the constantly changing laws and regulations affecting credit unions:

– Continuing compliance education for support staff

– Subscribe to various publications that focus on credit union compliance

– Utilize knowledge of Steering Committee members

1. Organization (Vendor’s)

• Operations and Controls
– Adequacy of insurance coverage including:
• Fidelity
• Fire
• Liability
• Data losses from errors and omissions
• Protection of documents in transit

1. Organization (CBS)

• Operations and Controls– Adequacy of insurance coverage

• CBS carries the insurance coverage applicable to our type of business

• We will provide a Statement of Insurance upon request

2. Business Plan (Vendor’s)

• Why Review Your Vendor’s Business Plan?
– Gives you an idea of what is important to the vendor.
– Identifies potential conflicts between your business plan and the vendor’s.
– May identify key third party relationships the vendor has which may be critical to their operation.

2. Business Plan (CBS)

CBS has a Business Plan in place that focuses on both financial and customer service goals. We have a marketing plan in place that focuses on growth of our business within the credit union market throughout the United States.

Our Business Plan is available upon request.

3. Financial Health (Vendor’s)

• Financial records should demonstrate the vendor’s ability to fulfill contractual commitments.
– Audited or segmented financial statements, which speak to the vendor’s:
• Internal controls,
• Financial condition, and
• Validity of the reports.

• Prior to entering into a contract, and then periodically thereafter, review financial statements.

• The review should look at items such as:
− Capital adequacy,
− Liquidity,
− Outstanding commitments,
− Operating results, and
− Off-balance sheet items.

3. Financial Health (Vendor’s)

• Also consider:
– How long in business.
– Market share and how it has fluctuated.
– Significance of the CU’s contract to the vendor’s financial condition.
– Technological expenditures.
• Is the level of investment in technology consistent with supporting the CU’s activities?
• Are financial resources available to invest in and support the required technology?

3. Financial Health (CBS)

• CBS’ financial statements are prepared annually by its accounting firm.

• CBS is not a publicly traded company and its financial statements are not audited by an independent auditing firm.

• CBS’ financial statements are prepared in accordance with Generally Accepted Accounting Principles (GAAP).

Contract Review

• Contract Issues for Core Processing Services
– Timeframes and activities for implementation and assignment of responsibility.
– Services to be performed by the vendor.
• Software support and maintenance
• Training of employees
• Customer service
– Obligations of the CU.
– Contracting parties’ rights in modifying existing services performed under the contract.
– Guidelines for adding new or different services and for contract re-negotiation.

Contract Review

• Contract Issues for Core Processing Services
– Performance standards defining minimum service level requirements, and remedies for failure to meet the standards in the contract.
– Security and confidentiality of information.
– Disclosure of breaches in security and intrusions.
– Types and frequency of audit reports to be provided to the CU.
• Financial
• Internal Controls
• Security

Contract Review

• Contract Issues for Core Processing Services– Contract provisions addressing control over operations.

• Internal Controls to be maintained by vendor

• Compliance with applicable regulatory requirements

• Records maintained by vendor & access to records by CU

• Notification by vendor to the CU and the CU’s approval rights regarding material changes to services, systems, controls, and new service locations.

• Setting and monitoring of parameters relating to any financial functions, such as payments processing and any extensions of credit on behalf of the CU

• Insurance coverage to be maintained by the vendor

Contract Review

• Contract Issues for Core Processing Services
– Frequency and types of reports the CU is to receive.
• Performance
• Financial statements
• Control audits
• Security
• Business resumption testing
– Guidelines and fees for obtaining custom reports should also be discussed.

Contract Review

• Contract Issues for Core Processing Services
– Business Resumption and Contingency Plans

• Vendor’s responsibility for backup and record protection.

• Operating procedures the vendor and CU are to implement in the event business resumption contingency plans are implemented.

• Business recovery timeframes.

Contract Review

• Contract Issues for Core Processing Services
– Sub-contracting and multiple service provider relationships
– Cost
– Ownership and license
– Length of contract
– Dispute resolution
– Indemnification
– Limitation of liability
– Termination
– Assignment

Recommend Legal Review

It is prudent to seek qualified external legal counsel to review prospective third party arrangements and contracts.

Any legal counsel consulted should be independent and have the experience or specialization necessary to review properly the arrangements and contracts.

Measure, Monitor and Control Risk

• Evaluate vendor’s financial condition periodically.
• Review audit reports and follow up on any audit deficiencies.
• Periodically review policies.
– Internal Controls
– Security
– Systems development and maintenance
– Back up and contingency planning
• Review and monitor insurance coverage.
• Assess quality of service and support.
• Monitor contract compliance and revision needs.
• Maintain business resumption contingency plans.

Vendor Monitoring Log

Sample log (one row per vendor; for each item tracked the log records the date the document was requested, the date it was received, the result of the CU’s review, the review date, and who reviewed it):

COMPANY: CBS, Inc.
Contact: Tony Phillips   Phone: 919-587-9658   Email: [email protected]

FINANCIALS (CU Reviewed)               Req Date: 5/8/08   Recd Date: 5/12/08   Result: Passed   Date: 5/15/08   By: President, CEO
SAS 70 (CU Reviewed)                   Req Date:          Recd Date:           Result:          Date:           By:
DISASTER RECOVERY PLAN (CU Reviewed)   Req Date:          Recd Date:           Result:          Date:           By:

Status legend (colour-coded in the original):
– Not Received or Completed
– Received Information
– Summary Analysis Completed

Resources

• NCUA Letter to Credit Unions 00-CU-11, Risk Management of Outsourced Technology Services

• NCUA Letter to Credit Unions 01-CU-20, Due Diligence Over Third Party Service Providers

• NCUA Letter to Credit Unions 07-CU-13, Evaluating Third Party Relationships, and its enclosure, Supervisory Letter 07-01, Evaluating Third Party Relationships

• NCUA’s Key Examination Issues for 2008 Webinar, Frequently Asked Questions - http://event.on24.com/event/10/02/11/rt/1/documents/player_docanchr_5/hyland_webinar_faq_v5__2.pdf

• NCUA Letter to Credit Unions 08-CU-09, Evaluating Third Party Relationships Questionnaire