Hello - I'm wondering if anyone has rules around required documents being tardy and having to keep asking for? Do you wait 1-week, 2 weeks any penalties? How do you escalate?
Original Message:
Sent: 03-26-2026 02:56 PM
From: Katie Decker
Subject: Seeking Credit Union Examples of Exempt / Out‑of‑Scope Vendor Definitions
It's a risk-based decision for us. The easiest and most common categories that are out of scope are memberships, dues, sponsorships, conferences, professional associations. Our exempt providers are on a case-by-case basis, whereas the out-of-scope categories are clearly defined. One time use, low risk (financial, information security, compliance) service providers can be exempt. We have some cloud-based providers with minimal spend, and we share zero confidential or NPI with that pose such a low or no financial, compliance, information security, reputation risk that we won't put them in our program. The question always comes down to what risk does it pose and what vetting/monitoring does it require. Also, I report the vendors that we exempt, I don't with the out of scope.
Original Message:
Sent: 02-25-2026 10:13 AM
From: Anonymous Member
Subject: Seeking Credit Union Examples of Exempt / Out‑of‑Scope Vendor Definitions
This message was posted by a user wishing to remain anonymous
We're currently working to refine our Exempt / Out‑of‑Scope vendor definition and governance framework and want to ensure clarity and consistency.
I'm specifically looking for credit union examples that outline:
- How you define Exempt vs. Out‑of‑Scope vendors
- Clear criteria or thresholds used to determine exemption
- Any governance structure (e.g., approvals, documentation, periodic review)
- Common vendor types you consistently treat as exempt or out of scope
If you're willing to share policy language, high‑level frameworks, or practical examples, it would be incredibly helpful as we work toward standardizing our approach.
I appreciate any insights or lessons learned!
-------------------------------------------