Policy, Program and Procedures

We're currently working to refine our Exempt / Out‑of‑Scope vendor definition and governance framework and want to ensure clarity and consistency.

I'm specifically looking for credit union examples that outline:

• How you define Exempt vs. Out‑of‑Scope vendors
• Clear criteria or thresholds used to determine exemption
• Any governance structure (e.g., approvals, documentation, periodic review)
• Common vendor types you consistently treat as exempt or out of scope

If you're willing to share policy language, high‑level frameworks, or practical examples, it would be incredibly helpful as we work toward standardizing our approach.

I appreciate any insights or lessons learned!

It's a risk-based decision for us. The easiest and most common categories that are out of scope are memberships, dues, sponsorships, conferences, professional associations. Our exempt providers are on a case-by-case basis, whereas the out-of-scope categories are clearly defined. One time use, low risk (financial, information security, compliance) service providers can be exempt.  We have some cloud-based providers with minimal spend, and we share zero confidential or NPI with that pose such a low or no financial, compliance, information security, reputation risk that we won't put them in our program. The question always comes down to what risk does it pose and what vetting/monitoring does it require. Also, I report the vendors that we exempt, I don't with the out of scope. 

Hello - I'm wondering if anyone has rules around required documents being tardy and having to keep asking for?   Do you wait 1-week, 2 weeks any penalties? How do you escalate? 

Venminder has a policy template that details what vendors to be exempt from oversight.  I believe you can find it on this site.