Vendor Management

What are Vendor Management requirements?

FFIEC guidelines call for credit unions to perform risk assessments on major vendors that will store or have access to member and/or credit union confidential information, or whose services have a significant impact on the normal operation of the credit union. The guidelines are specific as to what steps are required for these risk assessments and what facets of the vendor should be evaluated. FFIEC also requires that a risk assessment be performed on the contract with the vendor. Your credit union is also required to annually review the relationship with the vendor.

What does it mean for your credit union?

Done the traditional way, as many credit unions do it, it means that your credit union is burdened with a long, resource-consuming process. Most credit unions will try to review the vendor's SAS70 and financials, looking for risks to assess. The problem with this is that many credit unions do not have the expertise necessary to assess risk on vendors' information security programs and systems, even if they have the SAS70. Credit unions have to show evidence of the process and report it to the board. The contract review is just as difficult. The summation of it is that your credit union will work hard to be compliant and most likely not benefit from the process.

How can CUC make it easier?

Credit Union Consulting has streamlined the vendor management and risk assessment process for credit unions through years of experience with credit unions and various examining bodies. We have developed a system of documents that potential vendors must complete, attesting to their validity. The worksheets make it very simple to assess risk on the different categories of information security required by the FFIEC guidelines. The Vendor Management Policy and Risk Assessment includes worksheets that simplify the contract review process. Our process puts the burden on the vendor to provide you with the very specific information your credit union needs to properly assess risk and comply with the regulations.

Summary of features:

  • Professional policy and guidance
  • Formal vendor document requests
  • Thorough yet simple risk assessment worksheets
  • Detailed contract review and risk assessment
  • A valuable built-in chain of evidence to show your credit union's due diligence

Can CUC perform my vendor management and vendor risk assessments?

Yes, we can. One of the FFIEC requirements is that the person performing the risk assessment has the required, proven knowledge to make the judgement on the risk. If your credit union does not have the technical and compliance capabilities in-house, CUC can perform the process for you.

If you would like more information about CUC's Vendor Management Policy and Risk Assessment or any of our policies, please contact:

Paul Elder 614-848-5400 ext 121 or email Paul

Larry Krietemeyer 614-848-5400 ext 143 or email Larry

See how we rate with other credit unions for yourself. We would love to work with you!