Due Diligence and Ongoing Monitoring

  • 1.  Low risk Vendor monitoring

    This message was posted by a user wishing to remain anonymous
    Posted 09-29-2022 03:16 PM

    I have responsibility for Vendor Management here at our credit union. We are making some changes to the program and have implemented new software to help in this area. In the past our examiners have told us we need to monitor vendors, even the low-risk, non-critical ones. I plan to review the low-risk ones once every three years. What I am struggling with is what I am checking on a low-risk vendor when it comes to ongoing monitoring. Examples are vendors who offer services like our language line, auction services, official check provider, contracts for marketing with radio stations or newspapers, and similar. It seems overkill to look at BCP, IT security and financials for a company that we can easily replace and that has no member or employee data. I have already eliminated vendors who are strictly facilities, maintenance, utilities and leases, but I'm not sure if I can eliminate these other vendors.


    I was thinking maybe just a review of our satisfaction with the vendor might be sufficient, but I am not sure that is what NCUA has in mind. Any help would be greatly appreciated.


  • 2.  RE: Low risk Vendor monitoring

    Posted 09-29-2022 03:23 PM

    A few tips:

    • I'm currently monitoring low risk vendors periodically for changes in our relationship with them, their financials, headlines, or anything that might pose additional risk to us.
    • I don't speak for NCUA, but as a former regulator, I would want to make sure you have your "finger on the pulse" of these low risk vendors (i.e., make sure they haven't migrated from a low risk vendor to a moderate risk vendor).
    • NCUA guidance: Supervisory Letter 07-01 (ncua.gov)

    I hope this helps,


  • 3.  RE: Low risk Vendor monitoring

    Posted 09-30-2022 08:51 AM



    For our lowest two tiers (out of four), we meet with the relationship manager once every three years to update the inherent risk assessment at the engagement level. This gives us a chance to ask about the vendor and whether there are any additional engagements that we should know about. It also serves as documentation that we checked and there are still no risks above the level of Incidental (no sharing of data, not time-critical, incidental financial, regulatory, reputational or physical risk). If we do uncover new risks, the new tier will be higher and we'll move to address those risks.


    Hope that helps!


    Deb Loomis
