Monitoring vendor performance is a regulatory requirement for credit unions. The National Credit Union Administration (NCUA) sets the standards for measuring and monitoring vendor performance – detailed in their 2007 supervisory letter SL No. 07-01 Evaluating Third-Party Relationships. Credit unions must be prepared to identify and address vendor performance issues per this guidance. They must also continuously ensure that "profitability, benefit and service delivery" are acceptable.
Vendor Contract Considerations
One of the best ways to ensure effective vendor performance monitoring is by establishing contractual service level agreements (SLAs) with the vendor. Let's explore specific contract considerations.
Credit unions are expected to consult with legal counsel when reviewing potential third-party arrangements and contracts. In particular, third-party contracts should include the following performance topics:
- Standards: Contractual SLAs should address a vendor's performance standards and measures. Vendors generally offer standard SLAs but they can be a starting point for negotiation between your organizations. Remember that your SLAs should address must-have performance requirements. Examples might include system uptime, data accuracy, defects or error rate, cost savings, etc.
- Reports: Vendor contracts should include details on performance reports and reporting frequency. Verify that the contract addresses who is responsible for providing performance reports and the required timing and data source. Remember that if your credit union depends on vendor data to evidence performance, there must be a way to periodically audit and validate the data.
- Penalties: Credit unions should identify the penalties for failing to meet contractual SLAs. Ensure the contract details specific penalties and the maximum number of SLA failures allowed before contract termination.
- Right to audit: Make sure you include a right to audit clause in the contract, allowing your organization to audit your vendor. This can be beneficial if you need to validate your vendor's performance data, processes, work product or reports.
Monitoring Vendor Performance
Once contracts are finalized, the organization can monitor the vendor's performance. Credit unions must ensure they have sufficient infrastructure to monitor vendors effectively. This includes documented policies and procedures, skilled staff and identified methodology for tracking and reporting performance.
There are multiple considerations when monitoring vendor performance:
- Service level agreements: Has the vendor met all contractual service agreements?
- Consistency of service delivery: Has the vendor consistently provided products or services in line with contractual expectations and industry standards?
- Issue management: Does the vendor rapidly address any known issues, providing documented remediation plans and timeframes? Do they meet the timeframes for resolution?
- Timely communication: Does the vendor inform your organization of material changes in their staffing, management or strategy? Does the vendor proactively communicate issues or new or emerging risks?
- Partnership and cooperation: Does the vendor promptly respond to your organization's requests? Does the vendor proactively suggest improving service delivery, reducing costs or making processes more efficient?
- Value of the engagement: Is the benefit of the vendor product or service still worth the measured risks and cost? If not, has the cost/risk-to-benefit ratio changed enough to consider an exit?
- Trends: By documenting and tracking negative performance over a period of time, the customer can identify trends that may trigger additional actions. For example, multiple negative performance reviews can provide leverage upon the next renewal for better terms, or the validation to consider terminating and replacing the vendor and their product or service.
- Frequency of performance reviews: There’s no one-size-fits-all, but generally, the higher the inherent risk, the more frequently all monitoring activities should be conducted. One suggestion is quarterly performance reviews for critical and high-risk vendors, with less frequent reviews for moderate and low-risk vendors.
Keep in mind that the value of the engagement may decrease through no fault of the vendor. In some instances, the need for a product or service may diminish or your organization's strategies may change. Even though the vendor is performing and meeting all expectations, the value of the relationship may still decrease.
Managing Vendor Performance Issues
Every organization will inevitably encounter a vendor performance issue at some point. It’s important to remember that most performance issues may seem small initially. Still, when left unaddressed, they can grow into significant problems. The best course of action is to address all vendor performance issues right away.
To ensure effective issue management and resolution, credit unions should consider the following:
- Consistency: A centralized process creates more consistency and an organized way to track and manage vendor performance, including any issues.
- Visibility: Regular reporting provides insight into the frequency, severity and status of vendor performance issues. Furthermore, reporting any performance issues of critical vendors to senior management and the board is a best practice. Regular reporting of vendor performance data can help determine if a vendor should be re-evaluated. It also provides insight into how specific vendors perform across categories, service types or risk levels.
- Risk mitigation: Monitoring vendor performance can reveal other issues like the quality of the vendor's information security program. Often, vendor performance issues are red flags indicating new or emerging risks in the vendor's risk profile. For that reason, performance issues must never be left unaddressed. Likewise, new or emerging vendor risk issues can impact the vendor's performance, so integrating risk and performance monitoring is recommended. Credit unions should consider using risk monitoring and alert services to support their vendor risk and performance monitoring efforts.
- Policy: Ensure that "performance monitoring" is included as an activity in your TPRM policy, covering at a high level what it will include and who will complete it (e.g. vendor owners). Like any other part of your TPRM program, ensure there are trained staff who can conduct the process and an ability to evidence that the process is actually being executed.
Effective performance monitoring starts with the contract. Not only does the contract outline the expectations for both parties, but well-written SLAs also define the standards of must-have vendor performance. Credit unions should ensure that their vendor performance monitoring is not limited to whether a vendor meets its SLAs but also considers how the vendor identifies, communicates, addresses and resolves issues.
Vendor risk and performance are closely related and often interdependent. It’s essential to monitor both to comply with NCUA regulations and protect the credit union and its members against risk.