Performing Due Diligence Essential in Selecting, Managing Third-party Relationships
Tuesday, March 12, 2013 8:45 AM

Hacktivists are reportedly taking credit for a data breach impacting Bank of America - an incident the hackers claim allowed them to access employee and executive data stored through a third party.  In a March 5 response to BankInfoSecurity, Bank of America reportedly confirmed a third-party compromise is to blame for the data leak.

According to Steve Gibbs, assistant vice president of Compliance Resources, third-party vendors are playing an increasingly important role in the financial services industry as financial institutions strive to become more competitive and expand member services. While the goal of outsourcing is generally creating value for members and improving the financial position of the credit union, it can also create a significant risk for those who fail to perform proper due diligence when selecting and managing vendor relationships.

When using third-party vendors, Gibbs says the following are critical considerations:


When a third-party vendor is reviewed, management should understand and document its expectations for the potential relationship. The criticality of the relationship is another factor that may affect decisions on whether or not to retain a particular company. Ultimately, there should be competent staff to deal with the vendor; the cost-benefit relationship should be advantageous for all parties; insurance should be in place to mitigate any liability; and the impact on members should be positive. As with any relationship, leaving an acceptable way to exit may prove beneficial at some future time.


Risk Assessment

It appears that risk assessment is tied in to many sectors of operations, and due diligence is no different. Every risk factor should be analyzed and methods of mitigation outlined. Recognizing risk early is the best way to manage it.


Financial Projections

A third-party vendor’s effect on the bottom line is a crucial decision factor. Forecasting potential financial outcomes, taking into account return on investment, expected revenues, and costs (direct and indirect), provides a financial “road map” of potential financial problems or issues that might arise. Additionally, the decision to engage a third party should be evaluated in the context of the credit union’s strategic plan and overall asset/liability management framework. Reasonableness, past performance, business plan objectives and risk profile are among the items to be taken into account.


According to Gibbs, basic due diligence should include (at the very least):

  • Background Check – organization, financial data, experience, past litigation, references, and any other items pertinent to the vendor.
  • Business Model – vendor’s business plan, responsibilities, other relationships, and conflicts.
  • Cash Flows – understanding the process of cash flowing from member to vendor to credit union and reporting on this.
  • Annual audit tests – accounting considerations and infrastructure, compliance with Generally Accepted Accounting Principles (GAAP) and CPA guidance.
  • Financial and Operational Control Review – fulfilling contract commitments, audited financials or information from other sources, requirements for Independent Audits, other reviews in contract, risk profiles, internal controls, and complexity.

Due diligence for vendors/third party service is just one of the services available through Shared Compliance Resources. To learn more, please visit