Evaluating Third Party Relationships NCUA Letter 07-CU-13
Samantha: Hello, this is Samantha Shares.
This episode covers NCUA letter
to credit unions number 07-CU-13,
titled Evaluating
Third-party Relationships.
This letter is often cited as
support for Document of Resolution
items in NCUA exam reports.
The following is an audio version of
that advisory and the press release.
This podcast is educational
and is not legal advice.
We are sponsored by Credit Union
Exam Solutions Incorporated, whose
team has over two hundred and
forty years of National Credit
Union Administration experience.
We assist our clients with NCUA
so they save time and money.
If you are worried about a recent,
upcoming or in process NCUA
examination, reach out to learn how they
can assist at Mark Treichel DOT COM.
Also check out our other podcast called
With Flying Colors where we provide tips
on how to achieve success with NCUA.
And now the letter.
Third-party Relationships
In recent years, credit unions have
increasingly developed third-party
relationships to meet strategic
objectives and enhance member services.
Properly managed and controlled
third-party relationships provide
a wide range of potential benefits
to credit unions and their members.
Many credit unions have utilized
third-party arrangements to gain
expertise, realize economies of
scale, or even reach new members.
Leveraging the talents and experience of
third parties can assist credit unions
in meeting their members’ needs while
accomplishing their strategic goals.
In some cases, third-party
relationships are critical to the
on-going success of a credit union.
Credit unions taking the time to
properly evaluate and cultivate their
participation in third-party arrangements
can experience a high degree of success.
Collaboration with third parties
has become more prevalent in credit
unions due to increasing complexity
of services and competitive pressures.
In some third-party arrangements,
credit unions surrender direct
control over one or more key
business functions to a third-party
in exchange for potential benefits.
As credit unions consider the
potential benefits of third-party
arrangements, credit union officials
and management (officials) are
faced with a balancing act.
Officials must carefully consider the
potential risks these relationships
may present and how to manage them.
As credit unions seek to manage risk,
they should carefully consider the
correlation between their level of
control over business functions and
the potential for compounding risks.
Credit unions maintaining complete
control over all functions may be
operationally or financially inefficient.
Credit unions outsourcing functions
without the appropriate level
of due diligence and oversight
may be taking on undue risk.
Ultimately, credit unions are responsible
for safeguarding member assets and
ensuring sound operations irrespective of
whether or not a third-party is involved.
Outsourcing complete control over
one or more business functions
to a third-party amplifies the
risks inherent in those functions.
Additionally, credit unions trading
direct control over business functions
for third-party program benefits may
expose themselves to a full range of
risks including credit, interest rate,
liquidity, transaction, compliance,
strategic, and reputation risks.
Credit unions must complete the due
diligence necessary to ensure the
risks undertaken in a third-party
relationship are acceptable in
relation to their risk profile and
safety and soundness requirements.
Less complex risk profiles and
third-party arrangements typically
require less analysis and documentation.
Further, where credit unions have a
longstanding and tested history of
participating in a given third-party
relationship, less analysis is
required to renew the relationship.
Risks may be mitigated, transferred,
avoided, or accepted; however,
they are rarely eliminated.
The risk management process involves
identifying and making informed
decisions about how to address risk.
One of the best ways to employ the
risk management process is to start
small and gain experience over time.
Less complex credit unions unfamiliar
with analyzing third-party arrangements
may utilize this risk management approach
by entering third-party relationships
with small, well-defined goals and
expanding their exposure to third-party
risks as their experience grows.
When evaluating third-party arrangements,
examiners should ensure credit unions
have addressed the following concepts
in a manner commensurate with their
size, complexity, and risk profile:
Risk Assessment and Planning;
Due Diligence; and
Risk Measurement, Monitoring and Control.
The remainder of this
Supervisory Letter outlines
considerations for these concepts.
The considerations discussed are not
an exhaustive list of all possible
risk mitigation procedures, but a
representation of the considerations
necessary when credit unions engage in
significant third-party relationships.
The depth and breadth of due diligence
required depends upon a credit union’s
complexity and risk management process.
Smaller or less complex credit unions
may develop alternative methods of
accomplishing due diligence, while
credit unions utilizing a time tested
third-party relationship may already have
addressed these considerations over time.
Risk Assessment and
Planning Considerations for
Third-party Relationships
Credit union officials are responsible
for planning, directing, and
controlling the credit union’s affairs.
Risk assessment and due diligence
for third-party relationships is
an important part of officials’
fiduciary responsibilities.
Examiners should consider the following
elements in evaluating the adequacy of
credit unions’ risk assessment and due
diligence over third-party relationships:
Planning and Initial Risk Assessment
Before entering into a third-party
relationship, officials should
determine whether the relationship
complements their credit union’s
overall mission and philosophy.
Officials should document how the
relationship will relate to their credit
union’s strategic plan, considering
long-term goals, objectives, and
resource allocation requirements.
Officials should design action plans
to achieve short-term and long-term
objectives in support of strategic
planning for new third-party arrangements.
All planning should contain measurable,
achievable goals and clearly defined
levels of authority and responsibility.
Additionally, officials should weigh the
risks and benefits of outsourcing business
functions with the risks and benefits
of maintaining those functions in-house.
In order to demonstrate an understanding
of a third-party relationship’s
risk, the officials must clearly
understand the credit union’s strengths
and weaknesses in relation to the
arrangement under consideration.
Credit unions should complete a risk
assessment prior to engaging in a
third-party relationship to assess what
internal changes, if any, will be required
to safely and soundly participate.
Risk assessments are a dynamic
process, rather than a static process,
and should be an on-going part of
a broader risk management strategy.
Credit unions’ initial risk assessments
for a third-party relationship should
consider all seven risk areas (Credit,
Interest Rate, Liquidity, Transaction,
Compliance, Strategic, and Reputation),
and more specifically the following:
Expectations for Outsourced Functions
Credit unions should clearly define
the nature and scope of their needs.
Which needs will the third-party meet?
Will the third-party be
responsible for desired results?
To what extent?
Staff Expertise
Is credit union staff qualified to manage
and monitor the third-party relationship?
How much reliance on the
third-party will be necessary?
Criticality
How important is the
activity to be outsourced?
Is the activity mission critical?
What other alternatives exist?
Risk-Reward or Cost-Benefit Relationship
Does the potential benefit
of the arrangement outweigh
the potential risks or costs?
Will this change over time?
Insurance
Will the arrangement create
additional liabilities?
Is credit union insurance
coverage sufficient to cover the
potentially increased liabilities?
Will the third-party carry “key
man” insurance or other insurance
to protect the credit union?
Impact on Membership
How will officials gauge the
positive or negative impacts of the
arrangement on credit union members?
How will they manage member expectations?
Exit Strategy
Is there a reasonable way out of the
relationship if it becomes necessary
to change course in the future?
Is there another party that can provide
any services officials deem critical?
Risk assessments for less complex
third-party arrangements may be part
of a broader risk management program
or documented in board minutes.
Financial Projections
In evaluating the cost-benefit or
risk-reward of a third-party relationship,
credit unions should develop financial
projections outlining the range of
expected and possible financial outcomes.
Credit unions should project a
return on their investment in the
proposed third-party arrangement,
considering expected revenues,
direct costs, and indirect costs.
For example, when outsourcing loan
functions, credit unions should
not only consider the expected
loan yield, but also the potential
effect of borrower prepayments and
third-party fees on the overall return.
Officials should evaluate financial
projections in the context of
their overall strategic plans and
asset-liability management framework
before making a decision to participate
in a third-party arrangement.
Examiners should evaluate these
projections for reasonableness,
considering historical performance,
underlying assumptions, stated business
plan objectives, and the complexity
of the credit union’s risk profile.
Due Diligence for
Third-party Relationships
When considering third-party
relationships, proper due diligence
includes developing a demonstrated
understanding of a third-party’s
organization, business model,
financial health, and program risks.
In order to tailor controls to mitigate
risks posed by a third-party, credit
unions must have an understanding of a
prospective third-party’s responsibilities
and all of the processes involved
with prospective third-party programs.
Examiners should consider the adequacy
of due diligence in the areas below,
given credit unions’ risk profiles,
internal controls, and overall complexity.
Due diligence should be tailored to
the complexity of the third-party
relationship and may consist of
reasonable alternative procedures to
accomplish acceptable risk mitigation.
It is also important for credit unions
to understand how a third-party has
performed in other relationships before
entering into a third-party arrangement.
Credit unions should request referrals
from the prospective third-party’s clients
to determine their satisfaction and
experience with the proposed arrangement.
Credit unions should also review
and consider any lawsuits or
legal proceedings involving the
third-party or its principals.
Additionally, credit unions should ensure
that third parties or their agents have
any required licenses or certifications,
and that they remain current for
the duration of the arrangement.
Finally, sources of information such
as the Better Business Bureau, Federal
Trade Commission, credit reporting
agencies, state consumer affairs
offices, or state attorney general
offices may also offer insight to a
third-party’s business reputation.
Business Model
New business models often emerge
due to changes in the regulatory,
technological, or economic environment.
When evaluating a prospective third-party
arrangement, credit union officials should
consider the longevity and adaptability
of third-party business models.
Some business models may be well
suited for economic expansion, but
untenable during economic recession.
Since new business models are not
time tested and have not experienced a
complete economic cycle, they may present
additional risks to a credit union.
Likewise, longstanding business
models that cannot easily adapt may
not be sustainable in times of rapid
technological or regulatory change.
Before entering into a third-party
arrangement, credit union officials
should thoroughly understand the
third-party’s business model.
The third-party’s business model is
simply the conceptual architecture
or business logic employed to
provide services to its clients.
If the third-party’s business and
marketing plans are available,
officials should review them.
Credit union officials should also
understand and be able to explain the
third-party’s role in the proposed
arrangement and any processes for
which the third-party is responsible.
Examiners should assess credit union
officials’ understanding and consideration
of key third-party business models as
an integral element of due diligence.
Credit union officials should
also understand the third-party’s
sources of income and expense,
considering any conflicts of
interest that may exist between the
third-party and the credit union.
For example, if a third-party’s revenue
stream is tied to the volume of loan
originations rather than loan quality,
its financial interest in underwriting
as many loans as possible may conflict
with the credit union’s interest
in originating only quality loans.
Credit unions should also identify
any vendor related parties (such
as subsidiaries, affiliates, or
subcontractors) involved with the
proposed arrangement and understand
the purpose and function of each.
Examiners should consider the potential
effects of identified conflicts
of interest and ensure officials
mitigate risks where reasonable.
Cash Flows
Perhaps one of the most important
considerations, when analyzing a
potential third-party relationship,
is the determination of how cash
flows move between all parties in
a proposed third-party arrangement.
In addition to third-party fees,
premiums, and claims receipts, many
third-party arrangements include cash
flows between the credit union, the
third-party, and credit union members.
Credit union officials should be able
to explain how cash flows (both incoming
and outgoing) move between the member,
the third-party, and credit unions.
Credit unions should also be able
to independently verify the source
of these cash flows and match them
to related individual accounts.
Examiners should ensure
credit unions are tracking and
identifying cash flows accurately.
Financial and Operational Control Review
Credit unions should carefully review
the financial condition of third parties
and their closely related affiliates.
The financial statements of a third-party
and its closely related affiliates
should demonstrate an ability to fulfill
the contractual commitments proposed.
Credit unions should consider the
financial statements with regard to
outstanding commitments, capital strength,
liquidity, and operating results.
Additionally, credit unions should
consider any potential off-balance sheet
liabilities and the feasibility that the
third-party or its affiliated parties can
financially perform on such commitments.
Audited and segmented financial statements
or ratings from nationally recognized
statistical rating organizations (NRSRO
ratings) may be useful in periodically
evaluating the overall financial health
of a prospective or existing third-party.
If available, officials may use copies
of SAS 70 (Type II) reports
prepared by an independent auditor,
audit results, or regulatory reports
to evaluate the adequacy of the
proposed vendor’s internal controls.
If these items are not available,
credit unions should consider whether
to require an independent review of the
proposed vendor’s internal controls.
Generally, contracts establish
requirements for periodic audits
or access to third-party records.
Examiners should ensure credit unions
have adequately reviewed the financial
and internal control structure of the
prospective third-party, considering
credit unions’ risk profiles and the
arrangement’s relationship to net worth.
Contract Issues and Legal Review
Contracts outlining third-party
arrangements are often complex.
Credit unions should take measures to
ensure careful review and understanding
of the contract and legal issues
relevant to third-party arrangements.
It is prudent to seek qualified external
legal counsel to review prospective
third-party arrangements and contracts.
Any legal counsel consulted should be
independent and have the experience
or specialization necessary to review
properly the arrangements and contracts.
Typically, at a minimum, third-party
contracts should address the following:
Scope of arrangement, services
offered, and activities authorized;
Responsibilities of all parties
(including subcontractor oversight);
Service level agreements addressing
performance standards and measures;
Performance reports and
frequency of reporting;
Penalties for lack of performance;
Ownership, control, maintenance and
access to financial and operating records;
Ownership of servicing rights;
Audit rights and requirements
(including responsibility for payment);
Data security and member confidentiality
(including testing and audit);
Business resumption or
contingency planning;
Insurance;
Member complaints and member service;
Compliance with regulatory
requirements (e.g., GLBA, Privacy, BSA, etc.);
Dispute resolution; and
Default, termination, and escape clauses.
Of particular importance, credit unions
should exercise their right to negotiate
contract terms with third parties
for mutually beneficial contracts.
For example, some credit unions have
entered into third-party agreements
with significant buyout or termination
penalties, believing the penalties or
fees were standard or non-negotiable.
In many cases, early termination, escape
clause, and default terms are negotiable.
Credit union officials should ensure
that any contract terms agreed
to would not adversely affect the
credit union’s safety and soundness,
regardless of contract performance.
In addition to a legal review of
contracts and written agreements
relevant to a prospective third-party
arrangement, it may be prudent for
credit unions to obtain a legal opinion
about any services provided by the
third-party under the arrangement.
For example, if a third-party is engaged
to perform loan collections for the credit
union, a legal review of their collection
methods may be prudent to ensure debt
collection and reporting practices comply
with applicable state and federal laws.
Credit unions should ensure compliance
with state and federal laws and
regulations, and contractually
bind the third-party to compliance
with applicable laws (i.e., Regulation B,
Regulation Z, HMDA, etc.).
Since credit unions may ultimately be
responsible for consumer compliance
violations committed by their agents,
credit unions should be familiar with
the third-party’s internal controls
for ensuring regulatory compliance and
adherence to agreed upon practices.
Accounting Considerations
Credit unions should consider that
third-party relationships might
create accounting complexities.
Credit unions must have adequate
accounting infrastructures to
appropriately track, identify,
and classify transactions in
accordance with Generally Accepted
Accounting Principles (GAAP).
Credit unions often develop third-party
arrangements to outsource new products
or functions, and may not have experience
in accounting for the particulars
of those new products or functions.
Conversely, although credit unions may
be familiar with the accounting rules
for a given function, the nature of
a third-party arrangement may change
the required accounting procedures.
In some instances, a certified public
accountant’s guidance may be necessary
to ensure proper accounting treatment.
A credit union’s audit scope
should provide for independent
reviews of third-party arrangements
and associated activities.
Examiners should ensure credit unions have
considered the accounting implications
of new products or services introduced
through third-party arrangements.
Risk Measurement, Monitoring and
Control of Third-party Relationships
In addition to careful due diligence
when entering third-party arrangements,
credit unions must establish ongoing
expectations and limitations, compare
program performance to expectations, and
ensure all parties to the arrangement
are fulfilling their responsibilities.
Third-party arrangements and risk profiles
will vary; thus, credit unions should
tailor risk mitigation efforts to the
specific nature of considered programs,
the materiality of risks identified, and
the credit union’s overall complexity.
Examiners should consider the adequacy
of the credit union’s policies,
risk measurement, and monitoring
in light of the same factors.
Policies and Procedures
Credit unions should develop detailed
policy guidance sufficient to outline
expectations and limit risks originating
from third-party arrangements.
Policies and procedures should
outline staff responsibilities
and authorities for third-party
processes and program oversight.
Additionally, policy guidance
should define the content and
frequency of reporting to credit
union management and officials.
Credit unions should also establish
program limitations to control the pace
of program growth and allow time to
develop experience with the program.
For example, credit unions participating
in third-party loan programs should
initially limit the volume of loans
granted in order to identify any problems
with the third-party process prior to
the volume of loans becoming significant.
Risk Measurement and Monitoring
Credit unions must be able to measure
the risks of third-party programs,
but also the performance of third
parties in terms of profitability,
benefit, and service delivery.
For example, credit unions outsourcing
loan servicing functions should be able to
identify individual loan characteristics,
repayment histories, repayment methods,
delinquency status, and any loan file
maintenance relative to serviced loans.
To the extent that credit unions rely on
the third-party to provide this type of
measurement information, clear controls
should be contractually established and
subject to periodic independent testing
to ensure the accuracy of the information.
Examiners should ensure that credit
unions are measuring the performance
of third-party arrangements and
periodically verifying the accuracy
of any information provided to them
by a third-party or its affiliate.
Credit unions engaging in third-party
relationships must have an
infrastructure (for example, staffing,
equipment, technology, etc.)
sufficient to monitor the performance
of third-party arrangements.
In many cases, credit unions outsource
processes or functions due to a lack of
internal infrastructure or experience.
However, outsourcing processes
or functions does not eliminate
credit union responsibility
for the safety and soundness of
those processes and functions.
Examiners should ensure officials
demonstrate the knowledge, skills,
and abilities necessary to monitor
and control third-party arrangements.
Control Systems and Reporting
After credit unions have conducted
internal risk assessments and
due diligence over prospective
third parties, they must implement
on-going controls over third-party
arrangements to mitigate risks.
While control systems need not be
elaborate for less complex third-party
arrangements, credit unions are
ultimately responsible for establishing
internal controls and audit functions
reasonably sufficient to assure them
that third parties are appropriately
safeguarding member assets, producing
reliable reports, and following the
terms of the third-party arrangement.
Additionally, credit unions should
tailor internal controls as necessary
to ensure staff observes policy
guidance for third-party relationships.
Examiners should ensure credit
unions have ongoing risk management
procedures with regard to any
material third-party relationship.
Designated credit union staff should
be qualified and responsible for
continued monitoring and oversight of
third-party arrangements, exhibiting
familiarity with and understanding of the
reports available from the third-party.
Responsible staff should measure
the performance of third-party
programs in relation to credit
union policy guidance, contractual
commitments, and service levels.
Credit unions should implement quality
control procedures to review the
performance of third parties periodically.
Credit union officials should receive
periodic reports on the performance
of all material third-party programs.
Examiners should ensure controls are
in place, and that management and
officials receive periodic reports with
information sufficient to assist them in
evaluating the performance of the overall
arrangement and the adequacy of reserves.
Summary
Third-party relationships can
be invaluable to credit unions
and credit union members.
Properly managed third-party
relationships can allow credit unions
to accomplish strategic objectives
through increased member service,
competitiveness, and economies of scale.
However, outsourcing critical
business functions increases the
risk inherent in those functions.
Credit unions are responsible for
safeguarding member assets and ensuring
sound operations irrespective of whether
or not a third-party is involved.
Smaller or less complex credit unions
may have to develop alternative
methods of accomplishing due diligence.
Examiners should ensure credit unions
adequately address risk assessment,
planning, due diligence, risk measurement,
risk monitoring, and controls when
involved in third-party relationships.
APPENDIX A
Third-party Relationships:
Areas for Consideration
Risk Assessment and Planning
Planning
Third-party arrangements should
be synchronized with strategic
plans, business plans, and
credit unions’ philosophies.
Risk Assessment
Dynamic process should consider
the seven areas of risk as well as
expectations of the arrangement, staff
expertise, criticality of function,
cost-benefit, insurance requirements,
member impact, and exit strategy.
Financial Projections
Return on investment should be
estimated considering revenue,
direct costs, indirect costs,
fees, and likely cash flow stream.
Return should be considered relative
to the credit unions’ strategic
plans and asset-liability frameworks.
Due Diligence
Background Check
Credit unions should consider
references, prior performance, licensing
and certification, and any legal
proceedings involving prospective
third parties, key individuals of
the third-party’s organization.
Credit unions should also
consider third-party motivations.
Business Model
Credit unions must understand business
logic of the third-party arrangement and
business model, as well as third-party
processes and related affiliates.
Cash Flows
Credit unions must demonstrate
an understanding of incoming and
outgoing cash flows, and be able
to independently verify sources of
cash flows in third-party programs.
Financial and Operation Control Review
Credit unions must review the overall
financial condition of third parties
and their closely related affiliates, as
well as the state of operational controls
in the third-party’s business model.
Contract Issues and Legal Review
Credit unions should generally
have legal counsel with appropriate
expertise and experience review
contracts and third-party arrangements
to ensure equitable contracts and
compliance with applicable state
and federal laws and regulations.
Accounting Considerations
Credit unions should be prepared for
potential accounting complexity and may
need a CPA opinion on accounting for
third-party relationship activities.
Risk Measurement, Monitoring and Control
Staff Oversight and Quality Control
Credit unions should have qualified staff
designated to oversee and control the
quality of the third-party relationships.
Policies and Procedures
Policy guidance must be in place
and sufficient to control the risks
of the third-party relationship.
Policy guidance should address
responsibilities, oversight, program
and portfolio limitations, and
content and frequency of reporting.
Monitoring and Reporting
Adequate infrastructure is required
to support monitoring and reporting
outlined in policy guidance.
Credit unions should be able to measure
and verify the performance of third
parties and third-party programs.
APPENDIX B
List of Resources
The resources listed in the letter
are too numerous to list here.
Refer to NCUA’s website
for these details.
This concludes the NCUA Letter
to credit unions on Evaluating
Third-party Relationships.
If your Credit union could use assistance
with your exam, reach out to Mark Treichel
on LinkedIn, or at Mark Treichel dot com.
This is Samantha Shares and
we thank you for listening.