Do Your Homework; Pass the Exam
-
Upload
themembersgroup -
Category
Documents
-
view
222 -
download
0
Transcript of Do Your Homework; Pass the Exam
-
8/8/2019 Do Your Homework; Pass the Exam
1/13C a r d P r o c e s s i n g . P a y m e n t S o l u t i o n s . P r e p a i d C a r d s . C u s t o m i z e d S o l u t i o n s . C o n s u l t i n g S e r v i c e s
Do Your Homework
Pass the ExamSatisfying the NCUA with Vendor Selection Due Diligence
By Andrea Stritzke, PolicyWorks Regulatory Counsel*
and Brian Scott, TMG Vice President of Sales
Its no secret that due diligence is on the NCUAs
radar. In 2007, the ederal agency named vendor
management as one o the areas that would soon
be receiving extra attention rom its Oce
o Examination and Insurance.
Citing an industry-wide lack o business-impact
analysis, the NCUAs Gerry Wyland, a regional
inormation security ocer, told 2007 CUISPA
attendees, Credit unions need analysis to identiy
and quantiy risk to upper management. Examiners
will be looking at the scope o testing.
-
8/8/2019 Do Your Homework; Pass the Exam
2/13
Satisfying te NCUA it Vendor Selection Due Diligence
Introduction Pg 3
Step 1 Pull Out the Calendar Pg 3
Step 2 Answer Your Own Questions First Pg 34
Step 3 Survey the Landscape Pg 5
Step 4 Drating the RFP Pg 510
Step 5 Analysis Pg 10
Step 6 Contract Negotiations Pg 11
Step 7 Ongoing Evaluation Pg 1112
About the Authors, PolicyWorks and TMG Pg 13
The Members Group . 1500 NW 118th Street . Des Moines, Iowa 50325 . 800.268.1884 . www.TheMembersGroup.com
-
8/8/2019 Do Your Homework; Pass the Exam
3/13
P A G E 3
The Members Group . 1500 NW 118th Street . Des Moines, Iowa 50325 . 800.268.1884 . www.TheMembersGroup.com
Since Wyland and his NCUA colleagues made this declaration,
the credit union community and those who serve it has
come up against some o the most turbulent challenges in
history, putting an exclamation point on the NCUAs call or
due diligence in the selection o credit union vendors.
Perhaps no other vendor relationship is more critical or a
credit union than that with its card processor. Not only does
the processor drive a vital revenue-generating activity, it also
houses and secures member data a hot commodity on the
ever-intensiying identity black market. Its easy to see why the
perormance o due diligence (or lack thereo) in the selection
o a card processor is likely to garner the attention o an
NCUA examiner.
Analysis & Final Decision
Contract Negotiation
VENDOR SELECTION
1 Pull Out the Calendar
2 Answer Your Own
Questions First
3 Survey the Landscape
4 Drafting the RFP
5 Analysis
6 Contract Negotiations
7 Ongoing Evaluation
So, how should your credit union prepare or the selection o a new card processor? What
steps should you take and how should they be documented; which questions should you
ask and how should the answers look? Over the next ew pages, well give you step-by-stepguidance and some practical advice or navigating this crucial course o action and or
doing so within NCUA guidelines.
STEP 1 PULL OUT ThE CALENDAR
To give your team a clear picture o your due diligence project, it will be important to
develop a project timeline. Start by pinpointing a target date or nalizing the selection o
your card processor and work backwards, allowing approximately 30 days or each o the
ollowing:
RFP Development & Distribution
Vendor Responses & Follow Up
Depending on what is driving your need or a new card processor, you will also need to allow
up to 180 days or the implementation o a new program, be that a card conversion or rollout
o a new product or program.
STEP 2 ANSwER YOUR OwN QUESTIONS FIRST
Beore preparing to ask questions o potential processors, its important or your selection
team to know what they are looking or in the answers. Below is a list o eight questions
-
8/8/2019 Do Your Homework; Pass the Exam
4/13
P A G E 4
designed to get your team organized and thinking about the root goals and objectives o
your card programs, as well as which questions it will be important to ask o potential card
processors.
In addition to discussing the below items, its a good idea to keep a record o your teams
answers and le it away or reerence, as well as to demonstrate your credit unions ground-up
commitment to due diligence come examination time.
1. Why are we looking or a new card processor? Your teams answer should include
expectations or all outsourced unctions, including the scope o your needs and to what
extent the partner will be responsible or the success o your card programs.
2. Who at the credit union will manage and monitor the relationship? Does your team
require additional training or expertise to manage the vendor relationship, and i so, will
you seek this training rom the processor?
3. Criticality. How important are card programs to the credit unions strategic goals?Is it mission critical? What other alternatives exist?
4. How are card programs consistent with the credit unions values, risk tolerances and
business strategies? How critical is it that the card processor understands and adheres to
these principals?
5. Address the risks o the activity, product or service as defned below:
Loss o capital i the card program ails
Lossofmembercondenceiftheprogramfails
Costs associated with training existing or hiring new personnel
Costsassociatedwithinvestinginrequiredtechnology
6. Return on Investment
Attach a list o how each card program will aect revenue, expenses and net income.
Project how changes in economic conditions may aect items above.
Attach a cost benet analysis or any portion o the card program, such as a raud
prevention strategy, that does not generate direct income.
7. Insurance Review. Is our credit unions insurance coverage sucient to cover the
liabilities related to a card program? Will the card processor carry key man insurance or
other insurance to protect the credit union?
8. Exit Strategy. Is there a reasonable way out o the relationship i it becomes necessary to
change course in the uture? Is there another party that can provide any services ocials
deem critical?
The Members Group . 1500 NW 118th Street . Des Moines, Iowa 50325 . 800.268.1884 . www.TheMembersGroup.com
-
8/8/2019 Do Your Homework; Pass the Exam
5/13
P A G E 5
STEP 3 SURVEY ThE LANDSCAPE
While it may seem like an obvious step, there are a ew tricks to determining which card
processors should receive your request or proposal.
Many credit unions choose to use reerrals as a basis or selecting potential vendors. And
while leveraging the knowledge and rst-hand experience o your colleagues is an ecient
idea, it can lead to lost opportunity. What satises one credit union may not satisy another.
Conversely, misunderstandings and other out-o-context anecdotes could cause your credit
union to miss out on a vendor perectly tailored to its expectations.
When turning to colleagues or their advice, be sure to ask ollow-up questions to get to the
root o a potential processors skills, service and expertise.
Contacting your states credit union trade association or national trade association or a list
o vendors is another way to locate potential card processors. Internet searches can also be
helpul when looking or inormation on vendors that oer a variety o card programs tocredit unions.
With the advent o Web 2.0, many credit union processors host blogs that can give potential
clients insight into more than just the companys products and services. Reading these
real-time journals can give your selection team a better eel or a potential processors
philosophies, attitudes and industry expertise.
Using the ndings o your research, narrow your eld to no more than ve and no less
than three potential card processors. Reach out to each vendor directly to get the most
appropriate contact person and to veriy they are currently accepting new clients.
An RFP offers black-
and-white support for a
decision as critical as a card
processor a relationship
NCUA examiners consider
signicant to a credit unions
security and risk liability.
STEP 4 DRAFTING ThE RFP
Requests or proposals (or RFPs) are a traditional method or gathering
inormation in a digestible ormat that keeps the incoming data
consistent across responding vendors. While the spirit o the document
is on-target, execution can be o-base, adding to the RFPs unortunate
reputation as a superfuous exercise.
When drated by a team o credit union individuals who know exactlywhat they are looking or, however, the RFP can be an excellent tool
or weeding through the inormation supplied by vendors. In addition,
The Members Group . 1500 NW 118th Street . Des Moines, Iowa 50325 . 800.268.1884 . www.TheMembersGroup.com
-
8/8/2019 Do Your Homework; Pass the Exam
6/13
P A G E 6
it oers black-and-white support or a decision as critical as a card
processor a relationship NCUA examiners consider signicant
to a credit unions security and risk liability.
Beore diving too ar into your RFPs development, ask other
departments within the credit union i they are willing to share
RFPs they have used in the past. This will help you with the
simple (yet oten headache-inducing) tasks like layout and
ormatting. (Alternatively, PolicyWorks has attached a sample
RFP to this white paper to help guide you in the development
o your own.) O course, an RFP will not satisy the requirements
o every situation, so its always a good idea to seek advice rom
legal counsel.
KEY QUALITIES
TO EXAMINE
1 Overall Health
of the Company
2 Expertise
3 Security
4 Fraud Protection
5 Customer Service
6 Technology
7 - Pricing
Ater you have the oundation o your document prepared, go back to your planning report
(Step 2 above) and determine which questions must be answered o the card processors you
are considering. Drat the questions in a manner that encourages respondents to answer ully.Avoid questions that can be answered with a yes or no.
Ater drating the questions, determine how you will weight the responses. Which categories
o questions are most vital to your decision? Over the years, PolicyWorks credit union
clients have ound seven qualities that rise to the top as key in the evaluation o card
processors: 1) overall health o the company, 2) expertise, 3) security, 4) raud prevention,
5) customer service, 6) technology and 7) pricing.
KEY QUALITY #1 OVERALL hEALTh OF ThE COMPANY
Request three-years o nancial statements and analyze these documents or debt-to-equityratios, debt and income trends, prot margins and the potential or longevity.
In addition, ask the vendor to identiy all parent companies and all subsidiaries. What
you are looking or, in addition to the overall nancial health o the company, is where
card processing alls within the companys protability. Is card processing the main piece
o business or the company? Is the processor making a lucrative, revenue-generating
contribution to the corporation?
The companys relationships also give you clues as to the nature o its business. Are
subsidiaries and sister companies also involved in the credit union industry? Can this
vendor leverage the expertise o aliated companies, and will that resource benet your
credit union?
The Members Group . 1500 NW 118th Street . Des Moines, Iowa 50325 . 800.268.1884 . www.TheMembersGroup.com
-
8/8/2019 Do Your Homework; Pass the Exam
7/13
P A G E 7
Sample Questions:
Give a brie description and history o your organization, including the company structure
(i.e. publicly traded, privately held, subsidiary o publicly traded, etc.). Identiy any parent
corporation and/or subsidiaries.
What are the companys growth expectations over the next ve years?
Provide the companys audited nancial report or the last three years. I an audited nancial
report is unavailable, please provide a year-end balance sheet and income statement.
KEY QUALITY #2 EXPERTISE
Nailing down a potential card processors expertise in the card industry is one thing, but or
credit unions, experience and understanding o the credit union philosophy is extremely
pertinent when evaluating processors. Thats because card processors are oten responsible or
everything that happens behind a piece o plastic carrying your credit unions brand. Every
rate increase, ee introduction, raudulent transaction or customer service inquiry has thepotential to jeopardize your good standing with members.
Thereore, its vital that your RFP includes questions designed to reveal a card processors
core philosophies and experience. You want to know who they are working with, what they
are doing to manage their clients reputations and how they are delivering on the promises
their clients have made to members.
Sample Questions:
Provide a short summary o the companys philosophy, product lines and scope o services.
Who is your competition? What dierentiates your companys service(s) rom yourcompetitors? What will your company provide that others cannot?
Describe your ideal client.
Please breakdown the number o credit unions you serve as a percentage o the overall total.
KEY QUALITY #3 SECURITY
Because a card processor will have access to member data, determining the companys
security systems and policies is critically important. Be sure to request a SAS 70 the annualaudit report evaluating a companys internal control policies and procedures. Request proo
o your potential partners PCI compliance, as well.
The Members Group . 1500 NW 118th Street . Des Moines, Iowa 50325 . 800.268.1884 . www.TheMembersGroup.com
-
8/8/2019 Do Your Homework; Pass the Exam
8/13
P A G E 8
In addition, ask questions to determine the proactive nature
o the card processors controls. Is the company compliant
with all necessary regulations; do they empower ocers to
remain educated on raud trends; do they perorm the necessary
background checks, request employee condentiality, etc.
These questions should also be asked o any third parties that
will have access to your member data. Be sure you understand
to which companies your potential partners are outsourcing
unctions o your contracted services. Does the third party
have a condentiality agreement? What are the third-party
companys policies and procedures?
Sample Questions:
Armed with the expertise
to grow your credit union
and the experience to
gain member loyalty,
card processors have
the potential to take your
credit union to an entirely
new level of protability.
How does the company protect the privacy o any credit union, credit union member and/
or account inormation that may be collected, maintained or transmitted as a part o your
service?
Provide the companys inrastructure incident response policies and procedures, including
but not limited to security breach, virus or network attacks, data tampering and unauthorized
access.
Describe the companys logical security policies and procedures, including but not limited to
user ID and password access, authentication, access rights, authority levels and data back-up.
Identiy any third-party relationships to acilitate, service, maintain or impact the product or
service provided. Provide any related vendor service level agreements or related maintenance
contracts covering hardware and sotware.
KEY QUALITY #4 FRAUD PROTECTION
As criminals learn new and more devious ways o intercepting unds and identities,
protection against card raud is paramount. When determining which card processor will
drive your members card programs, it is important to collect inormation on how that
company prevents raud.
O equal importance is how that prevention impacts your cardholding member base.
Aggressive raud systems will stop nancial losses, but they will also stop legitimate
transactions along the way. How will the processors you are considering balance member
protection with member satisaction?
The Members Group . 1500 NW 118th Street . Des Moines, Iowa 50325 . 800.268.1884 . www.TheMembersGroup.com
-
8/8/2019 Do Your Homework; Pass the Exam
9/13
P A G E 9
Sample Questions:
Describe the companys raud prevention program.
Does the company provide customizable raud prevention strategies tailored to a credit
unions unique membership?
Are raud analysts in-house or does the company outsource this service? Does the company
provide member service and what is the response time or problems reported?
KEY QUALITY #5 CUSTOMER SERVICE
During the planning stage, your team designated a person or team o people as responsible or
the vendor relationship and determined whether or not extra training was required. Among
card processors, there are dierent levels o training support. Be sure you are aware how
involved your card processor will be in getting sta up-to-speed and assisting with ongoing
education.
When problems arise, are you condent the processor will be available to assist your sta?
What about your members? Ask the kinds o questions that will uncover the processors
commitment to customer service and describe how your day-to-day relationship will look.
Remember that your brand is on the plastic this processor is powering.
Sample Questions:
Does the company provide any training to participating credit unions? I so, is this training
provided at the time o implementation and/or ongoing?
Who is responsible or rst-line/ront-line support to the member? What are your hours ooperation or support? How many sta positions are available to assist with support issues?
KEY QUALITY #6 TEChNOLOGY
At rst glance, the products and services o competing card processors will appear similar.
Web-based member support, or instance, may have a nearly identical look and eel rom one
processor to the next. However, its how your sta and members will use the interace that
is important. How much time does it take to mine the data thats important to the user? Is it
truly user-riendly? Does it tie into your core processing sotware or back oce data systems?
When asking the capabilities questions, dig deeper by inquiring about the use, the fexibility
and the customization o products and services. Thats where youll be able to determine
which system is best or your credit union.
The Members Group . 1500 NW 118th Street . Des Moines, Iowa 50325 . 800.268.1884 . www.TheMembersGroup.com
-
8/8/2019 Do Your Homework; Pass the Exam
10/13
P A G E 1 0
Sample Questions:
Describe the level o customization available, and specically, how that would be provided to
the credit union.
Describe capabilities you have in integrating data and inormation into our core system or
other third-party systems.
Detail any eciencies your data entry or back oce services will create with the credit
unions systems.
KEY QUALITY #7 - PRICING
Price estimates are generally requested when the credit union has narrowed their prospective
eld o partners to two. At this point, its appropriate to request a proposal specic to the
products and services o most interest to your credit union.
One thing you may consider is taking this request a step urther by asking or an apples-to-apples comparison between card processors. Because vendors reer to dierent services
with dierent names, it can be dicult to determine exactly what your cost will be rom
one vendor to the next. Additionally, some companies may list pricing in increments and
without an associated volume. So, while you may have a clear picture o how much member
support will run you by the hour, you may have a dicult time determining how much that
will cost the credit union over a period o time.
Ask your potential partners to be as specic as possible when providing cost estimates, and
dont be araid to ask questions as you go through the process.
STEP 5 ANALYSIS
Now that you have collected the inormation, its time to digest, compare and ultimately
decide which card processor is the best match or your credit union. The goal o the analysis
portion o the vendor selection process is to determine your lead vendor. This vendor may
or may not be the processor you end up signing a contract with. Nonetheless, it is the card
processor that appears to most closely match the criteria your credit union has determined
it requires.
The Members Group . 1500 NW 118th Street . Des Moines, Iowa 50325 . 800.268.1884 . www.TheMembersGroup.com
-
8/8/2019 Do Your Homework; Pass the Exam
11/13
P A G E 1 1
STEP 6 CONTRACT NEGOTIATIONS
Once you have identied the lead vendor, request a copy o the processors standard contract.
I you need assistance reviewing this contract, consider hiring legal counsel with specic
experience in the credit union industry. This consultant will be able to alert you to red fags
and make recommendations or any adjustments your credit union may need.
Items that should be covered in a drat contract include:
Scope o arrangement, services oered
and activities authorized
Responsibilities o all parties
Service level agreements addressing
perormance standards and measures
Perormance reports and requency o reporting
Penalties or lack o perormance
Ownership, control, maintenance and access
to fnancial and operating records
Ownership o servicing rights
Once you have determined changes that need to be made to your lead vendors contract,
approach your contact at the card processor with your requirements and negotiate the terms
until both parties reach an acceptable contract.
I you are unable to come to an agreement on the contract, it may be time to head back
to the RFP pile. Second choices oten become rst when parties cannot come to a mutual
understanding o needs and expectations.
STEP 7 ONGOING EVALUATION
The NCUA has indicated that due diligence in advance o hiring a vendor is only a portion
o what examiners look or in regards to vendor management. The second piece o their
analysis involves ongoing evaluation o risk.
Its a good idea to include the perormance o an annual due diligence review in any vendor
contract. While the extent o the reviews will depend on the requency and criticality o
the relationship, requiring your card processor to participate in these reviews will help come
review time.
Audit rights and requirements
(including responsibility or payment)
Data security and member confdentiality
(including testing and audit)
Business resumption or contingency plannin
Insurance
Member complaints and member service
Compliance with regulatory requirements
Dispute resolution
Deault, termination and escape clauses
ITEMS IN
DRAFT
CONTRACT
The Members Group . 1500 NW 118th Street . Des Moines, Iowa 50325 . 800.268.1884 . www.TheMembersGroup.com
-
8/8/2019 Do Your Homework; Pass the Exam
12/13
P A G E 1 2
Annual due diligence should include a review o nancial and security documents to ensure
the vendor can continue to ulll its contractual obligations. This is also a good time to
consider any unoreseen issues that arose over the prior year and determine whether or not
the vendor is adhering to the contract.
No other relationship characterizes the need or exceptional due diligence like that with a
credit unions card processor. Armed with the expertise to grow your credit union and the
experience to gain member loyalty, card processors have the potential to take your credit
union to an entirely new level o protability. While it is very oten warranted, the trust
credit unions place in these partners is immense and should only be given ater a period o
concentrated analysis.
Scrutiny and attentiveness in every stage o the credit union/vendor relationship is more
important now than ever. As our country and the nancial services sector in particular
aces historic challenges, the NCUA has promised to increase its examination o vendor risk
assessment. Perorming consistent, systematic reviews not only decreases the chances o acatastrophic error at your credit union, it denitely increases your chances or an A+ on the
NCUA exam.
* The information in this white paper should not be construed as legal services, legal advice, a legal opinion,
or in any way establishing an attorney-client relationship.
The Members Group . 1500 NW 118th Street . Des Moines, Iowa 50325 . 800.268.1884 . www.TheMembersGroup.com
-
8/8/2019 Do Your Homework; Pass the Exam
13/13
P A G E 1 3
AbOUT ThE AUThORS
As regulatory counsel or PolicyWorks,Andrea Stritzke continuously tracks state and ederal laws and
regulations impacting credit unions, while assisting clients in complying with changes in the law. Andrea
delivers many o the regulatory audit products oered by PolicyWorks and has become a nationally
recognized speaker. Prior to joining PolicyWorks, Andrea worked as a judicial clerk or the Iowa Court o
Appeals. She has also worked as a sta attorney or the Nebraska Court o Appeals.
brian Scott is vice president o sales or TMG (The Members Group). As such, Brian leads a nationwide
sales team working with credit unions to create competitive card programs. Since starting with the
company in 1994, he has created protability- and portolio-growth modeling tools to help credit unions
determine the impact o marketing campaigns and promotions. Brian routinely visits over 75 credit unions
each year, sharing insights on the competitive card marketplace.
AbOUT POLICYwORKSPolicyWorks is an Iowa-based rm known or providing solutions to credit unions regulatory compliance
needs and infuencing critical public policy issues through its government aairs services. PolicyWorks
has the resources, vision and experience necessary to help credit unions attain their desired results.
PolicyWorks is a wholly-owned subsidiary o the Aliates Management Company, which is owned by Iowa
credit unions and their members. For more inormation, visit www.PolicyWorksLLC.com.
AbOUT TMG
TMG is a wholly-owned subsidiary o the Aliates Management Company, which is owned by Iowa credit
unions and their members. As a nancial and credit union service organization (CUSO), TMG is dedicated
to providing innovative and fexible card processing and payment solutions to credit unions and nancial
institutions across North America. TMGs core products include credit, debit, ATM and a variety o prepaid
solutions, as well as online reporting, item processing, ACH and ALM services. For more inormation, visit
www.TheMembersGroup.com.
2009 The Members Group, Inc. The Members Group and The Members Group and stylized TMG logo are registered trademarks of The Members Group, Inc. 07.09 v1