Credit unions rely heavily on third-party vendors to ensure that competitive products and services are made available to their members. This is increasingly true with regard to a credit union’s relationship with its mobile banking vendor. Credit unions that are primarily regional and community-centric often lack the resources to build out the latest mobile financial service technologies for their customers.
Partnering with a capable third-party mobile vendor allows credit unions to quickly bring mobile financial services products to market without the cost- and labor-intensive demands of building their own solutions in house. However, enlisting a third-party vendor to provide mobile services exposes credit unions to significant new risks. This admonition can, and likely should, be extended to all relationships with third-party vendors.
Just ask Target, whose well-publicized breach was facilitated in part by credentials stolen from a third-party HVAC vendor.
Within the last few years, many of the prudential regulators issued updated guidance urging financial institutions to heighten management oversight of 'critical activities' provided by third-party vendors, especially information technology vendors. While regulators do not directly identify third-party vendors engaged in 'critical activities,' mobile vendors certainly qualify.
CUNA has helped define what constitutes critical third-party vendor relationships. Mobile vendors meet many of the criteria: (a) provide new activities that are not traditionally performed by the credit union, (b) have a material effect on revenues and expenses, (c) perform significant operational functions, (d) have access to sensitive member information, and (e) perform a function that could pose a significant reputational risk to the credit union.
Beyond these broad categories, a credit union’s relationship with a mobile vendor comes with significant data management and security obligations, consumer protection risks, various regulatory compliance risks and even reputational risks if a third-party vendor experiences a data breach or system intrusion.
As the NCUA points out in a supervisory letter, credit unions "must carefully consider the potential risks these relationships may present and how to manage them … credit unions outsourcing functions without the appropriate level of due diligence and oversight may be taking on undue risk. Ultimately, credit unions are responsible for safeguarding member assets and ensuring sound operations irrespective of whether or not a third party is involved."
Ultimately, it is up to the credit union to ask the key questions and evaluate a potential mobile vendor.
Following are five critical due diligence questions for mobile vendors.
1. What is the vendor's track record with financial institutions?
- How long has the vendor been providing mobile banking services for financial institutions?
- Does the vendor provide mobile banking services for other, similarly sized institutions? Does the vendor have experience working with the unique needs of credit unions?
- Does the vendor have customers that are similarly situated, and has the vendor been successful in helping those customers realize their mobile banking initiatives?
- Has the vendor been involved in lawsuits or regulatory actions?
- Talk to other institutions and references. As Ben Franklin said, it takes many good deeds to build a good reputation, and only one bad one to lose it.
2. What services, products and applications does the vendor offer and who developed them?
- Does the vendor support basic mobile banking functionality?
- Does the vendor support remote deposit capture or remote check deposit?
- Does the vendor support mobile payments, mobile bill pay, and person-to-person payments?
- If not now, does the vendor plan to offer these options in the future (critical for long-term contracts)?
- Does the vendor offer sufficient support for these services?
- If the vendor did not develop the software, who will provide issue resolution and support?
3. Does the vendor have the requisite certifications and compliance mechanisms in place?
- What is the vendor's compliance strategy?
- Is the vendor financially healthy, stable, and established?
- Does the vendor have healthy relationships and history with regulators?
4. What data management policies, procedures and processes does the vendor have in place and are they vigilant in updating those policies and procedures?
- Do the vendor's products and services support end-to-end encryption?
- Does the vendor have ID management and personnel access controls?
- Does the vendor maintain a current system-intrusion or data breach response plan?
- Does the vendor conduct periodic security audits and is it willing to share these with the credit union?
5. Does the vendor outsource any of its services to subcontractors?
- Is the vendor capable of assessing and mitigating risks posed by subcontractors?
- Will the vendor be responsible for the actions of its subcontractors and insure against problems?
- Does the vendor disclose all subcontractors to the credit union so that each can be properly vetted?
As the recent guidance indicates, management is expected to take a hands-on approach in identifying, assessing, monitoring, and mitigating the risks posed by relationships with third-party vendors. Because of the significant risks posed both to a credit union and its customers, the board of directors and senior management would do well to exercise a high level of scrutiny when contracting for the services of such vendors. Any contracts and negotiations with mobile vendors should receive thorough review and input from the credit union’s legal counsel as there are many pitfalls facing an unwary credit union.