Do Your Homework; Pass the Exam

8/8/2019 Do Your Homework; Pass the Exam

1/13C a r d P r o c e s s i n g . P a y m e n t S o l u t i o n s . P r e p a i d C a r d s . C u s t o m i z e d S o l u t i o n s . C o n s u l t i n g S e r v i c e s

Do Your Homework

Pass the ExamSatisfying the NCUA with Vendor Selection Due Diligence

By Andrea Stritzke, PolicyWorks Regulatory Counsel*

and Brian Scott, TMG Vice President of Sales

Its no secret that due diligence is on the NCUAs

radar. In 2007, the ederal agency named vendor

management as one o the areas that would soon

be receiving extra attention rom its Oce

o Examination and Insurance.

Citing an industry-wide lack o business-impact

analysis, the NCUAs Gerry Wyland, a regional

inormation security ocer, told 2007 CUISPA

attendees, Credit unions need analysis to identiy

and quantiy risk to upper management. Examiners

will be looking at the scope o testing.


2/13

Satisfying te NCUA it Vendor Selection Due Diligence

Introduction Pg 3

Step 1 Pull Out the Calendar Pg 3

Step 2 Answer Your Own Questions First Pg 34

Step 3 Survey the Landscape Pg 5

Step 4 Drating the RFP Pg 510

Step 5 Analysis Pg 10

Step 6 Contract Negotiations Pg 11

Step 7 Ongoing Evaluation Pg 1112

About the Authors, PolicyWorks and TMG Pg 13

The Members Group . 1500 NW 118th Street . Des Moines, Iowa 50325 . 800.268.1884 . www.TheMembersGroup.com


3/13

P A G E 3


Since Wyland and his NCUA colleagues made this declaration,

the credit union community and those who serve it has

come up against some o the most turbulent challenges in

history, putting an exclamation point on the NCUAs call or

due diligence in the selection o credit union vendors.

Perhaps no other vendor relationship is more critical or a

credit union than that with its card processor. Not only does

the processor drive a vital revenue-generating activity, it also

houses and secures member data a hot commodity on the

ever-intensiying identity black market. Its easy to see why the

perormance o due diligence (or lack thereo) in the selection

o a card processor is likely to garner the attention o an

NCUA examiner.

Analysis & Final Decision

Contract Negotiation

VENDOR SELECTION

1 Pull Out the Calendar

2 Answer Your Own

Questions First

3 Survey the Landscape

4 Drafting the RFP

5 Analysis

6 Contract Negotiations

7 Ongoing Evaluation

So, how should your credit union prepare or the selection o a new card processor? What

steps should you take and how should they be documented; which questions should you

ask and how should the answers look? Over the next ew pages, well give you step-by-stepguidance and some practical advice or navigating this crucial course o action and or

doing so within NCUA guidelines.

STEP 1 PULL OUT ThE CALENDAR

To give your team a clear picture o your due diligence project, it will be important to

develop a project timeline. Start by pinpointing a target date or nalizing the selection o

your card processor and work backwards, allowing approximately 30 days or each o the

ollowing:

RFP Development & Distribution

Vendor Responses & Follow Up

Depending on what is driving your need or a new card processor, you will also need to allow

up to 180 days or the implementation o a new program, be that a card conversion or rollout

o a new product or program.

STEP 2 ANSwER YOUR OwN QUESTIONS FIRST

Beore preparing to ask questions o potential processors, its important or your selection

team to know what they are looking or in the answers. Below is a list o eight questions


4/13

P A G E 4

designed to get your team organized and thinking about the root goals and objectives o

your card programs, as well as which questions it will be important to ask o potential card

processors.

In addition to discussing the below items, its a good idea to keep a record o your teams

answers and le it away or reerence, as well as to demonstrate your credit unions ground-up

commitment to due diligence come examination time.

1. Why are we looking or a new card processor? Your teams answer should include

expectations or all outsourced unctions, including the scope o your needs and to what

extent the partner will be responsible or the success o your card programs.

2. Who at the credit union will manage and monitor the relationship? Does your team

require additional training or expertise to manage the vendor relationship, and i so, will

you seek this training rom the processor?

3. Criticality. How important are card programs to the credit unions strategic goals?Is it mission critical? What other alternatives exist?

4. How are card programs consistent with the credit unions values, risk tolerances and

business strategies? How critical is it that the card processor understands and adheres to

these principals?

5. Address the risks o the activity, product or service as defned below:

Loss o capital i the card program ails

Lossofmembercondenceiftheprogramfails

Costs associated with training existing or hiring new personnel

Costsassociatedwithinvestinginrequiredtechnology

6. Return on Investment

Attach a list o how each card program will aect revenue, expenses and net income.

Project how changes in economic conditions may aect items above.

Attach a cost benet analysis or any portion o the card program, such as a raud

prevention strategy, that does not generate direct income.

7. Insurance Review. Is our credit unions insurance coverage sucient to cover the

liabilities related to a card program? Will the card processor carry key man insurance or

other insurance to protect the credit union?

8. Exit Strategy. Is there a reasonable way out o the relationship i it becomes necessary to

change course in the uture? Is there another party that can provide any services ocials

deem critical?



5/13

P A G E 5

STEP 3 SURVEY ThE LANDSCAPE

While it may seem like an obvious step, there are a ew tricks to determining which card

processors should receive your request or proposal.

Many credit unions choose to use reerrals as a basis or selecting potential vendors. And

while leveraging the knowledge and rst-hand experience o your colleagues is an ecient

idea, it can lead to lost opportunity. What satises one credit union may not satisy another.

Conversely, misunderstandings and other out-o-context anecdotes could cause your credit

union to miss out on a vendor perectly tailored to its expectations.

When turning to colleagues or their advice, be sure to ask ollow-up questions to get to the

root o a potential processors skills, service and expertise.

Contacting your states credit union trade association or national trade association or a list

o vendors is another way to locate potential card processors. Internet searches can also be

helpul when looking or inormation on vendors that oer a variety o card programs tocredit unions.

With the advent o Web 2.0, many credit union processors host blogs that can give potential

clients insight into more than just the companys products and services. Reading these

real-time journals can give your selection team a better eel or a potential processors

philosophies, attitudes and industry expertise.

Using the ndings o your research, narrow your eld to no more than ve and no less

than three potential card processors. Reach out to each vendor directly to get the most

appropriate contact person and to veriy they are currently accepting new clients.

An RFP offers black-

and-white support for a

decision as critical as a card

processor a relationship

NCUA examiners consider

signicant to a credit unions

security and risk liability.

STEP 4 DRAFTING ThE RFP

Requests or proposals (or RFPs) are a traditional method or gathering

inormation in a digestible ormat that keeps the incoming data

consistent across responding vendors. While the spirit o the document

is on-target, execution can be o-base, adding to the RFPs unortunate

reputation as a superfuous exercise.

When drated by a team o credit union individuals who know exactlywhat they are looking or, however, the RFP can be an excellent tool

or weeding through the inormation supplied by vendors. In addition,



6/13

P A G E 6

it oers black-and-white support or a decision as critical as a card

processor a relationship NCUA examiners consider signicant

to a credit unions security and risk liability.

Beore diving too ar into your RFPs development, ask other

departments within the credit union i they are willing to share

RFPs they have used in the past. This will help you with the

simple (yet oten headache-inducing) tasks like layout and

ormatting. (Alternatively, PolicyWorks has attached a sample

RFP to this white paper to help guide you in the development

o your own.) O course, an RFP will not satisy the requirements

o every situation, so its always a good idea to seek advice rom

legal counsel.

KEY QUALITIES

TO EXAMINE

1 Overall Health

of the Company

2 Expertise

3 Security

4 Fraud Protection

5 Customer Service

6 Technology

7 - Pricing

Ater you have the oundation o your document prepared, go back to your planning report

(Step 2 above) and determine which questions must be answered o the card processors you

are considering. Drat the questions in a manner that encourages respondents to answer ully.Avoid questions that can be answered with a yes or no.

Ater drating the questions, determine how you will weight the responses. Which categories

o questions are most vital to your decision? Over the years, PolicyWorks credit union

clients have ound seven qualities that rise to the top as key in the evaluation o card

processors: 1) overall health o the company, 2) expertise, 3) security, 4) raud prevention,

5) customer service, 6) technology and 7) pricing.

KEY QUALITY #1 OVERALL hEALTh OF ThE COMPANY

Request three-years o nancial statements and analyze these documents or debt-to-equityratios, debt and income trends, prot margins and the potential or longevity.

In addition, ask the vendor to identiy all parent companies and all subsidiaries. What

you are looking or, in addition to the overall nancial health o the company, is where

card processing alls within the companys protability. Is card processing the main piece

o business or the company? Is the processor making a lucrative, revenue-generating

contribution to the corporation?

The companys relationships also give you clues as to the nature o its business. Are

subsidiaries and sister companies also involved in the credit union industry? Can this

vendor leverage the expertise o aliated companies, and will that resource benet your

credit union?



7/13

P A G E 7

Sample Questions:

Give a brie description and history o your organization, including the company structure

(i.e. publicly traded, privately held, subsidiary o publicly traded, etc.). Identiy any parent

corporation and/or subsidiaries.

What are the companys growth expectations over the next ve years?

Provide the companys audited nancial report or the last three years. I an audited nancial

report is unavailable, please provide a year-end balance sheet and income statement.

KEY QUALITY #2 EXPERTISE

Nailing down a potential card processors expertise in the card industry is one thing, but or

credit unions, experience and understanding o the credit union philosophy is extremely

pertinent when evaluating processors. Thats because card processors are oten responsible or

everything that happens behind a piece o plastic carrying your credit unions brand. Every

rate increase, ee introduction, raudulent transaction or customer service inquiry has thepotential to jeopardize your good standing with members.

Thereore, its vital that your RFP includes questions designed to reveal a card processors

core philosophies and experience. You want to know who they are working with, what they

are doing to manage their clients reputations and how they are delivering on the promises

their clients have made to members.

Sample Questions:

Provide a short summary o the companys philosophy, product lines and scope o services.

Who is your competition? What dierentiates your companys service(s) rom yourcompetitors? What will your company provide that others cannot?

Describe your ideal client.

Please breakdown the number o credit unions you serve as a percentage o the overall total.

KEY QUALITY #3 SECURITY

Because a card processor will have access to member data, determining the companys

security systems and policies is critically important. Be sure to request a SAS 70 the annualaudit report evaluating a companys internal control policies and procedures. Request proo

o your potential partners PCI compliance, as well.



8/13

P A G E 8

In addition, ask questions to determine the proactive nature

o the card processors controls. Is the company compliant

with all necessary regulations; do they empower ocers to

remain educated on raud trends; do they perorm the necessary

background checks, request employee condentiality, etc.

These questions should also be asked o any third parties that

will have access to your member data. Be sure you understand

to which companies your potential partners are outsourcing

unctions o your contracted services. Does the third party

have a condentiality agreement? What are the third-party

companys policies and procedures?

Sample Questions:

Armed with the expertise

to grow your credit union

and the experience to

gain member loyalty,

card processors have

the potential to take your

credit union to an entirely

new level of protability.

How does the company protect the privacy o any credit union, credit union member and/

or account inormation that may be collected, maintained or transmitted as a part o your

service?

Provide the companys inrastructure incident response policies and procedures, including

but not limited to security breach, virus or network attacks, data tampering and unauthorized

access.

Describe the companys logical security policies and procedures, including but not limited to

user ID and password access, authentication, access rights, authority levels and data back-up.

Identiy any third-party relationships to acilitate, service, maintain or impact the product or

service provided. Provide any related vendor service level agreements or related maintenance

contracts covering hardware and sotware.

KEY QUALITY #4 FRAUD PROTECTION

As criminals learn new and more devious ways o intercepting unds and identities,

protection against card raud is paramount. When determining which card processor will

drive your members card programs, it is important to collect inormation on how that

company prevents raud.

O equal importance is how that prevention impacts your cardholding member base.

Aggressive raud systems will stop nancial losses, but they will also stop legitimate

transactions along the way. How will the processors you are considering balance member

protection with member satisaction?



9/13

P A G E 9

Sample Questions:

Describe the companys raud prevention program.

Does the company provide customizable raud prevention strategies tailored to a credit

unions unique membership?

Are raud analysts in-house or does the company outsource this service? Does the company

provide member service and what is the response time or problems reported?

KEY QUALITY #5 CUSTOMER SERVICE

During the planning stage, your team designated a person or team o people as responsible or

the vendor relationship and determined whether or not extra training was required. Among

card processors, there are dierent levels o training support. Be sure you are aware how

involved your card processor will be in getting sta up-to-speed and assisting with ongoing

education.

When problems arise, are you condent the processor will be available to assist your sta?

What about your members? Ask the kinds o questions that will uncover the processors

commitment to customer service and describe how your day-to-day relationship will look.

Remember that your brand is on the plastic this processor is powering.

Sample Questions:

Does the company provide any training to participating credit unions? I so, is this training

provided at the time o implementation and/or ongoing?

Who is responsible or rst-line/ront-line support to the member? What are your hours ooperation or support? How many sta positions are available to assist with support issues?

KEY QUALITY #6 TEChNOLOGY

At rst glance, the products and services o competing card processors will appear similar.

Web-based member support, or instance, may have a nearly identical look and eel rom one

processor to the next. However, its how your sta and members will use the interace that

is important. How much time does it take to mine the data thats important to the user? Is it

truly user-riendly? Does it tie into your core processing sotware or back oce data systems?

When asking the capabilities questions, dig deeper by inquiring about the use, the fexibility

and the customization o products and services. Thats where youll be able to determine

which system is best or your credit union.



10/13

P A G E 1 0

Sample Questions:

Describe the level o customization available, and specically, how that would be provided to

the credit union.

Describe capabilities you have in integrating data and inormation into our core system or

other third-party systems.

Detail any eciencies your data entry or back oce services will create with the credit

unions systems.

KEY QUALITY #7 - PRICING

Price estimates are generally requested when the credit union has narrowed their prospective

eld o partners to two. At this point, its appropriate to request a proposal specic to the

products and services o most interest to your credit union.

One thing you may consider is taking this request a step urther by asking or an apples-to-apples comparison between card processors. Because vendors reer to dierent services

with dierent names, it can be dicult to determine exactly what your cost will be rom

one vendor to the next. Additionally, some companies may list pricing in increments and

without an associated volume. So, while you may have a clear picture o how much member

support will run you by the hour, you may have a dicult time determining how much that

will cost the credit union over a period o time.

Ask your potential partners to be as specic as possible when providing cost estimates, and

dont be araid to ask questions as you go through the process.

STEP 5 ANALYSIS

Now that you have collected the inormation, its time to digest, compare and ultimately

decide which card processor is the best match or your credit union. The goal o the analysis

portion o the vendor selection process is to determine your lead vendor. This vendor may

or may not be the processor you end up signing a contract with. Nonetheless, it is the card

processor that appears to most closely match the criteria your credit union has determined

it requires.



11/13

P A G E 1 1

STEP 6 CONTRACT NEGOTIATIONS

Once you have identied the lead vendor, request a copy o the processors standard contract.

I you need assistance reviewing this contract, consider hiring legal counsel with specic

experience in the credit union industry. This consultant will be able to alert you to red fags

and make recommendations or any adjustments your credit union may need.

Items that should be covered in a drat contract include:

Scope o arrangement, services oered

and activities authorized

Responsibilities o all parties

Service level agreements addressing

perormance standards and measures

Perormance reports and requency o reporting

Penalties or lack o perormance

Ownership, control, maintenance and access

to fnancial and operating records

Ownership o servicing rights

Once you have determined changes that need to be made to your lead vendors contract,

approach your contact at the card processor with your requirements and negotiate the terms

until both parties reach an acceptable contract.

I you are unable to come to an agreement on the contract, it may be time to head back

to the RFP pile. Second choices oten become rst when parties cannot come to a mutual

understanding o needs and expectations.

STEP 7 ONGOING EVALUATION

The NCUA has indicated that due diligence in advance o hiring a vendor is only a portion

o what examiners look or in regards to vendor management. The second piece o their

analysis involves ongoing evaluation o risk.

Its a good idea to include the perormance o an annual due diligence review in any vendor

contract. While the extent o the reviews will depend on the requency and criticality o

the relationship, requiring your card processor to participate in these reviews will help come

review time.

Audit rights and requirements

(including responsibility or payment)

Data security and member confdentiality

(including testing and audit)

Business resumption or contingency plannin

Insurance

Member complaints and member service

Compliance with regulatory requirements

Dispute resolution

Deault, termination and escape clauses

ITEMS IN

DRAFT

CONTRACT



12/13

P A G E 1 2

Annual due diligence should include a review o nancial and security documents to ensure

the vendor can continue to ulll its contractual obligations. This is also a good time to

consider any unoreseen issues that arose over the prior year and determine whether or not

the vendor is adhering to the contract.

No other relationship characterizes the need or exceptional due diligence like that with a

credit unions card processor. Armed with the expertise to grow your credit union and the

experience to gain member loyalty, card processors have the potential to take your credit

union to an entirely new level o protability. While it is very oten warranted, the trust

credit unions place in these partners is immense and should only be given ater a period o

concentrated analysis.

Scrutiny and attentiveness in every stage o the credit union/vendor relationship is more

important now than ever. As our country and the nancial services sector in particular

aces historic challenges, the NCUA has promised to increase its examination o vendor risk

assessment. Perorming consistent, systematic reviews not only decreases the chances o acatastrophic error at your credit union, it denitely increases your chances or an A+ on the

NCUA exam.

* The information in this white paper should not be construed as legal services, legal advice, a legal opinion,

or in any way establishing an attorney-client relationship.



13/13

P A G E 1 3

AbOUT ThE AUThORS

As regulatory counsel or PolicyWorks,Andrea Stritzke continuously tracks state and ederal laws and

regulations impacting credit unions, while assisting clients in complying with changes in the law. Andrea

delivers many o the regulatory audit products oered by PolicyWorks and has become a nationally

recognized speaker. Prior to joining PolicyWorks, Andrea worked as a judicial clerk or the Iowa Court o

Appeals. She has also worked as a sta attorney or the Nebraska Court o Appeals.

brian Scott is vice president o sales or TMG (The Members Group). As such, Brian leads a nationwide

sales team working with credit unions to create competitive card programs. Since starting with the

company in 1994, he has created protability- and portolio-growth modeling tools to help credit unions

determine the impact o marketing campaigns and promotions. Brian routinely visits over 75 credit unions

each year, sharing insights on the competitive card marketplace.

AbOUT POLICYwORKSPolicyWorks is an Iowa-based rm known or providing solutions to credit unions regulatory compliance

needs and infuencing critical public policy issues through its government aairs services. PolicyWorks

has the resources, vision and experience necessary to help credit unions attain their desired results.

PolicyWorks is a wholly-owned subsidiary o the Aliates Management Company, which is owned by Iowa

credit unions and their members. For more inormation, visit www.PolicyWorksLLC.com.

AbOUT TMG

TMG is a wholly-owned subsidiary o the Aliates Management Company, which is owned by Iowa credit

unions and their members. As a nancial and credit union service organization (CUSO), TMG is dedicated

to providing innovative and fexible card processing and payment solutions to credit unions and nancial

institutions across North America. TMGs core products include credit, debit, ATM and a variety o prepaid

solutions, as well as online reporting, item processing, ACH and ALM services. For more inormation, visit

www.TheMembersGroup.com.

2009 The Members Group, Inc. The Members Group and The Members Group and stylized TMG logo are registered trademarks of The Members Group, Inc. 07.09 v1

Do Your Homework; Pass the Exam

Documents

Transcript of Do Your Homework; Pass the Exam