3 Critical Stages of Third-Party Vendor Management

By Vanessa Stanfield, Insurance Solutions powered by Affinion

Did you know your credit union could be responsible for the performance of your vendors? No credit union wants to encounter regulatory trouble or face reputational risk, especially as a result of vendor activities. That is why vendor management due diligence is a topic of increasing importance.

But what is the right way to go about choosing a third-party vendor? The National Credit Union Administration (NCUA) has provided clear direction regarding vendor due diligence. Additionally, the NCUA has deemed the following areas critical in third-party vendor management: Risk Assessment & Planning, Due Diligence, and Risk Measurement, Monitoring and Control.

Risk Assessment & Planning

Risk Assessment

Prior to engaging a third-party relationship, assess the current risks and document how the vendor will relate to your credit union’s strategic plan. When conducting a comprehensive risk assessment, the key areas of focus are: credit, interest rate, liquidity, transaction, compliance, strategy, and reputational risk. In this discovery phase, your credit union can identify the current risks and establish expectations of the new relationship.

Due Diligence

There are four fundamental due diligence elements to consider when choosing a vendor: organizational, business model, financial health, and program risks. In these areas, your credit union can assess what degree of due diligence is required.

But remember: not all vendors are created equal. More complex vendor relationships with more risk will typically require increased due diligence; less complexity and risk means less rigorous due diligence. For a comprehensive report and the five key due diligence questions you need to ask your vendors, read the full whitepaper here.

Risk Measurement, Monitoring and Control

Credit unions must be able to continually measure performance and risk throughout the relationship with the vendor. To do this, your credit union should clearly outline the vendor’s responsibilities and policies before taking on the vendor. In the end, this will allow for proper vendor performance management so that you can ensure expectations are being met.

Credit unions should not think of vendors as a third party, but as an extension of their organization. Because of this, it is important to consider the three critical areas above when deciding on a vendor. As the NCUA has conveyed, the utilization of vendors does not in any way diminish the credit union’s level of responsibility and for that reason, credit unions should carefully select their vendors.

What Should We Ask Our Vendors?

To be confident that the vendor’s management programs are the right fit, credit unions must discuss the vendor in great detail and ask the hard questions. Failure to conduct thorough due diligence and effectively monitor these vendors places the credit union at risk. Again, not all vendor relationships call for the same level of due diligence and ongoing monitoring, but in order to determine what level is necessary there are key questions that your credit union must contemplate.

For an in-depth look at the five key due diligence questions that credit unions must ask when selecting a third-party vendor, read the full whitepaper here.

Affinion is the NAFCU Services Preferred Partner for AD&D Insurance

Adding LIFE To Your Credit Union

By Bryan Clagett, Chief Marketing Officer, Geezeo

Your members’ expectations evolve as they become more acclimated to technology, more financially stressed, and overburdened with life’s pace and demands. In case you have not noticed, the world is changing. Newly emerging competition is developing new bank-like products, and the definition of banking is evolving right before our eyes.

It’s time we step back and reevaluate how credit unions can provide more value.

Declaring you’re the financial partner for life is just not compelling, unless you have strong actions to back it up. Too often we forget that credit unions are enablers, and in fact have the ability to enable members to get the things they want and do the things they want to do.

With all the advances in technology, some things have not changed—like the basic needs of a household to address fundamental financial requirements, milestones, challenges and obligations. Life and money are inextricably linked whether we like it or not (or are willing to admit).

Importance of an Emotional Connection

The key for the credit union is to remain remarkably relevant throughout the “member” journey and to be there with logical products and services when members (or their households) could use them the most. Credit unions are missing very logical point-of-purchase opportunities, while not associating their products with the specific needs of a member at a specific, relevant time.

Don’t lose sight of the fact that people have an emotional connection to money and, perhaps more importantly, things and events. Emotion is a primary differentiator between transactions and a true relational connection, which (in my opinion) is the foundation of an engagement banking strategy.

How can you help a family prepare for a child’s education? How can you help a young couple get their first home? Can we help a couple plan a wedding? What’s the best way for me to get a car for my son? How do we help a family with a medical emergency? Can a bank resolve a small business’s cash crunch? In all of these examples, there are financial considerations and ramifications—and all present opportunities to credit unions.

Engagement Opportunities for Credit Unions

We need to put some LIFE into banking. LIFE is my acronym for “life infused financial experiences.” Milestones, like the examples above, represent obvious opportunities for credit unions to engage members and offer very relevant solutions while building deeper relationships and new levels of trust.

We have the data, the systems, the channels, and the people; we simply need to make sure we have the right solutions and services in place that will build systems and triggers that bring credit unions and their solutions to the forefront at the ideal time of need.

Now let’s try to put some ROI or business rationale around this. Bain and Company reports that members who are “emotionally connected” purchase 47% more than those who are simply “satisfied.” Members with a strong, committed relationship are 49% more likely to remain a member and twice as likely to recommend a retailer to friends and family. Bain also found that companies that are loyalty leaders grow revenue twice as fast as their competition and at a lower cost.

We should not fear disruption in the banking industry. However, we should recognize that life is disruptive, so we should find ways to reduce members’ financial pains. Credit unions have the chance to reduce friction while forming deeper emotional connections with members through recognizing and cultivating life infused financial experiences. This is a real opportunity for financial institutions and one that most industry disruptors don’t have the infrastructure or understanding to leverage.

Geezeo is the NAFCU Services Preferred Partner for Personal Financial Management (PFM). More educational resources and contact information are available at www.nafcu.org/geezeo

Cybersecurity Awareness Month: Confronting the Scariest Threats to Your Credit Union

October is National Cybersecurity Awareness Month, which means it’s an excellent time to make sure there aren’t any unseen forces within your credit union that have nefarious plans for your members’ money.

Earlier this year, Wired Magazine wrote about the biggest cybersecurity threats for 2015. Three of these are indeed scary prospects for the credit union industry, but the key is to make sure you are doing everything you can to prevent these scenarios:

  • Data Destruction: Malware exists that erases data and boot records, so it is vitally important to make sure you have an excellent data backup plan.
  • Bank Card Breaches: This is a threat that isn’t going away any time soon, so it is important to be moving towards tokenization technologies to prevent this. NAFCU has partnered with MasterCard to help credit unions move towards this. For more information you can check out this webinar from earlier this year here.
  • Third Party Breaches: The data breach at Target stores is an excellent example of why you need a strong Third Party Risk Management Plan. For more information on this, check our recent webinar or blog posts here or here.

The costs of cyber threats are no joke to financial institutions big or small. According to the National Small Business Association, 44 percent of small businesses have been the victims of a cyber-attack. Clearly, it is worth the investment to review how sound your security is. The following tips from the Department of Homeland Security are an excellent place to start.

Cyberattack Prevention Tips and Practices

  • Have a plan. According to staysafeonline.org, 59% of small and medium size businesses in the United States do not have a plan that outlines procedures for responding to and reporting data breach losses. A number of these plans are covered in various compliance frameworks that may already exist, but only as shelfware. If this describes you, now is the time to formulate both short and long term plans.
  • Utilize the latest software. Make sure you have antivirus and antispyware software and update it regularly.
  • Educate. Make sure that all of your employees are aware of cyber threats and educate them on the steps they must take to help combat these attacks.
  • Invest in data loss protection software, use encryption technologies to protect data in transit, and use two-factor authentication where possible.
  • Passwords. Use strong passwords throughout your organization and have employees change them regularly.

Who Should You Call?

What should you do if you’re unsure whether your organization is prepared to navigate this threat landscape? If you are not sure where your cyber security threats may lie, or even where you should be looking, consider going to an outside vendor. NAFCU and Knowledge Consulting Group (KCG) have partnered to provide comprehensive cybersecurity solutions.

KCG provides expert services in penetration testing and cybersecurity advisory services. Their tests offer simulation of potential attack vectors and scenarios most likely to impact the overall credit union environment, from IT systems to social engineering. They provide risk management, governance, operations, and compliance services to help credit unions navigate the complexities of the evolving cybersecurity landscape.

So take an inventory of your practices, make a plan, and evaluate where your weak spots are.

Knowledge Consulting Group is a subsidiary of ManTech International. For more detailed information on penetration testing or cybersecurity advisory services, visit KCG’s preferred partner page.

Cyber Security Awareness Month: Third Party Cyber Risk Management

By: Jacob Olcott, VP of Business Development, BitSight Technologies

How not to become a “Target”

October is cyber security awareness month, and there are few things more haunting to financial or retail institutions than the security breach that affected Target stores a few years back. The attack resulted in more than $40 million in debit and credit card numbers being stolen, and more than likely affected at least some of your members.

The scariest part of the security breach may be where it originated: Target’s HVAC supplier. The attack highlights how important it is for financial organizations to have a well thought-out program to mitigate third party cyber risk.

Regulators are taking a closer look at third party risk management, so the importance of employing best practices is not just practical, but legal as well.

Five Key Steps to Develop a Third Party Risk Management Program

Developing a risk management program doesn’t have to be difficult. There are five key points to consider for a plan, and several vendors and services that can help you to do so.

  1. Organize Internally. This means bringing together all teams that have an impact on, or are impacted by your cybersecurity or dealings with third party vendors. This would most likely include your legal, compliance, IT, and procurement teams.
  2. Identify and Prioritize Key Parties. It is important for credit unions to consider any third party that has either direct network connections to your organization or has access to sensitive data. This would include, but is not limited to, looking at your primary payment processor, largest software vendor, law firms, consulting firms, and benefits administrator. When prioritizing vendors, approach this from the position of your most sensitive data, likely your members’ financial data, and the level of access a third party has to that data.
  3. Evaluate your vendors’ security. This is traditionally done a number of ways such as using questionnaires, vulnerability scans, and audits. If you are not sure where to start, Shared Assessments is a good source that charges a fee for common questionnaires to send your partners regarding their cyber security efforts. If you are interested in developing your own questionnaire, the NIST cybersecurity framework is a good place to start. You can also do your own audits of your partners, but often companies will share their own documentation of audits they have done.
  4. Communicate. The importance of clearly communicating your expectations to your partners should not be overlooked. This should be done not only in writing in forms such as contracts, but verbally as well. It is important to develop a strong dialogue regarding your security concerns that is not just once, when you launch a partnership, but ongoing. The cybersecurity landscape changes on a daily basis so it is important for you and your partners to discuss where you are headed and how to stay ahead of the curve.
  5. Continuously Monitor Vendor Performance. This is another point not to be overlooked. Questionnaires and audits can only give you snapshots of a company’s security profile at one point in time. Actual security is much more fluid than that. NAFCU has partnered with BitSight Technologies as a preferred provider of monitoring services. BitSight essentially works like a credit rating service for cybersecurity. They provide a number that indicates how strong a company’s security practices are on a continuous basis. BitSight calculates Security Ratings using a continuous process that gathers, processes, and assigns security data to arrive at the top-level security ratings.

For more detailed information on developing a third party cyber risk management plan you can check out NAFCU’s webinar with BitSight Technologies here or download BitSight’s white paper on the topic.

What Biometrics Can Do for Your Credit Union’s Security Strategy

If you feel like there is always another security measure you need to consider, you’re right, and this reality is actually a very good thing. The security landscape is indeed continuously changing and evolving.

You must constantly evaluate and re-evaluate your security processes because no single solution exists that satisfies all of your security concerns and needs. Consequently, it’s wise to employ a multi-factor authentication (MFA) security strategy.

Chris Amador, Product Owner with Q2, talked about the balancing act that your credit union faces when implementing biometrics solutions, in our recent webinar, “Biometrics: Enhancing Member Experience & Security.” He spoke about the challenges your credit union faces with providing secured online and mobile channels that guarantee compliance with regulations and deliver a satisfying experience for your members.

Watch Biometrics: Enhancing Member Experience & Security

We’re sharing some key highlights from the webinar and encourage you to watch the complete presentation where Chris shares timely insights on:

  • The different types of biometric solutions currently used within the financial services industry
  • What true multi-factor authentication (MFA) means and why the “third factor” is difficult to solve
  • The preferred biometric solution for online use among consumers
  • Barriers you need to consider when implementing biometrics features
  • How to evaluate whether or not your membership is ready to accept this technology

What is a True Multi-Factor Security Strategy?

A true multi-factor authentication (MFA) security strategy should include three key factors:

  • Something I “have” (e.g., your member’s laptop or mobile device like a tablet or a smartphone)
  • Something I “know” (e.g., your member’s user ID and password, pin, account number, or knowledge based questions)
  • Something I “am” (e.g., your member’s biometric data, a physical or behavioral attribute unique to your individual member)

You and your members are familiar with the “something I have” and “something I know” categories, but those two factors alone have limitations in today’s complex security environment.

The physical devices your members use, whether a laptop, a tablet, or a smartphone, were once considered an integral layer of security, but this is no longer thought to be true because these devices can be stolen. And, due to the rise of social media, your members may post all sorts of information that can be used by fraudsters to determine the correct answers to security questions. As an example, online quizzes on social media (e.g., BuzzFeed) can be used as tools for fraudsters to phish for information.

The “something I am” category is only available through the implementation of biometrics. Biometrics are an effective third factor in an MFA security offering for your members because they utilize something fraudsters can’t duplicate: the unique personal and physical identifiers of your members.
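The distinction the post draws between "true" multi-factor authentication and merely stacking several authenticators matters when reviewing a login policy: a password plus a PIN plus security questions are all "something I know" and together still count as one factor. The following is an added example, not code from the post or from Q2; it classifies the authenticators presented in a login attempt into the three categories above and reports whether distinct categories are covered. The authenticator names in the table are assumed for illustration.

```python
from enum import Enum


class Factor(Enum):
    """The three factor categories described in the post."""
    HAVE = "something I have"
    KNOW = "something I know"
    AM = "something I am"


# Assumed authenticator names mapped to their factor category. These names
# are constructed for this example; a real system would use its own.
AUTHENTICATOR_FACTOR = {
    "password": Factor.KNOW,
    "pin": Factor.KNOW,
    "security_question": Factor.KNOW,
    "account_number": Factor.KNOW,
    "registered_device": Factor.HAVE,
    "hardware_token": Factor.HAVE,
    "fingerprint": Factor.AM,
    "face": Factor.AM,
    "voice": Factor.AM,
}


def classify(authenticators):
    """Return the set of distinct factor categories covered by the
    authenticators presented. An unknown authenticator name is rejected
    rather than silently counted as an extra factor."""
    categories = set()
    for name in authenticators:
        if name not in AUTHENTICATOR_FACTOR:
            raise ValueError(f"unknown authenticator: {name}")
        categories.add(AUTHENTICATOR_FACTOR[name])
    return categories


def is_true_mfa(authenticators, minimum_categories=2):
    """True only when at least `minimum_categories` *different* categories
    are present. Password + PIN is single-factor; password + registered
    device is two-factor; adding a fingerprint makes it three-factor."""
    return len(classify(authenticators)) >= minimum_categories


def assess(authenticators):
    """Human-readable verdict for a policy review: which categories the
    attempt covers and which are still missing."""
    covered = classify(authenticators)
    missing = [f.value for f in Factor if f not in covered]
    verdict = "true MFA" if is_true_mfa(authenticators) else "single-factor"
    return {
        "verdict": verdict,
        "covered": sorted(f.value for f in covered),
        "missing": missing,
    }


if __name__ == "__main__":
    # Constructed login attempts, from weakest to strongest.
    for attempt in (
        ["password", "pin", "security_question"],
        ["password", "registered_device"],
        ["password", "registered_device", "fingerprint"],
    ):
        print(attempt, "->", assess(attempt))
```

The check deliberately counts categories rather than authenticators, which is the property the post calls "true" MFA; the `missing` list in the verdict shows an administrator which factor category a policy would have to add to reach three factors.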

It’s important to consider and assess to what degree your members will be comfortable and willing to adopt biometric security measures. Continue advancing your knowledge about these options and the biometrics landscape by watching “Biometrics: Enhancing Member Experience & Security.”

Q2 Online and Mobile Banking

Q2 is the NAFCU Services Preferred Partner for a single platform virtual banking solution, including online and mobile. Learn more about Q2 by visiting www.nafcu.org/Q2.