Evaluating Third Party Relationships NCUA Letter 07-CU-13

Samantha: Hello, this is Samantha Shares.

This episode covers NCUA Letter to Credit Unions number 07-CU-13, titled Evaluating Third-party Relationships.

This letter is often cited as support for Document of Resolution items in NCUA exam reports.

The following is an audio version of
that advisory and the press release.

This podcast is educational
and is not legal advice.

We are sponsored by Credit Union Exam Solutions Incorporated, whose team has over two hundred and forty years of National Credit Union Administration experience.

We assist our clients with NCUA so they save time and money.

If you are worried about a recent, upcoming or in-process NCUA examination, reach out to learn how they can assist at Mark Treichel dot com.

Also check out our other podcast called With Flying Colors, where we provide tips on how to achieve success with NCUA.

And now the letter.

Third-party Relationships

In recent years, credit unions have
increasingly developed third-party

relationships to meet strategic
objectives and enhance member services.

Properly managed and controlled
third-party relationships provide

a wide range of potential benefits
to credit unions and their members.

Many credit unions have utilized
third-party arrangements to gain

expertise, realize economies of
scale, or even reach new members.

Leveraging the talents and experience of
third parties can assist credit unions

in meeting their members’ needs while
accomplishing their strategic goals.

In some cases, third-party
relationships are critical to the

on-going success of a credit union.

Credit unions taking the time to
properly evaluate and cultivate their

participation in third-party arrangements
can experience a high degree of success.

Collaboration with third parties
has become more prevalent in credit

unions due to increasing complexity
of services and competitive pressures.

In some third-party arrangements,
credit unions surrender direct

control over one or more key
business functions to a third-party

in exchange for potential benefits.

As credit unions consider the
potential benefits of third-party

arrangements, credit union officials
and management (officials) are

faced with a balancing act.

Officials must carefully consider the
potential risks these relationships

may present and how to manage them.

As credit unions seek to manage risk,
they should carefully consider the

correlation between their level of
control over business functions and

the potential for compounding risks.

Credit unions maintaining complete
control over all functions may be

operationally or financially inefficient.

Credit unions outsourcing functions
without the appropriate level

of due diligence and oversight
may be taking on undue risk.

Ultimately, credit unions are responsible
for safeguarding member assets and

ensuring sound operations irrespective of
whether or not a third-party is involved.

Outsourcing complete control over
one or more business functions

to a third-party amplifies the
risks inherent in those functions.

Additionally, credit unions trading
direct control over business functions

for third-party program benefits may
expose themselves to a full range of

risks including credit, interest rate,
liquidity, transaction, compliance,

strategic, and reputation risks.

Credit unions must complete the due
diligence necessary to ensure the

risks undertaken in a third-party
relationship are acceptable in

relation to their risk profile and
safety and soundness requirements.

Less complex risk profiles and
third-party arrangements typically

require less analysis and documentation.

Further, where credit unions have a
longstanding and tested history of

participating in a given third-party
relationship, less analysis is

required to renew the relationship.

Risks may be mitigated, transferred,
avoided, or accepted; however,

they are rarely eliminated.

The risk management process involves
identifying and making informed

decisions about how to address risk.

One of the best ways to employ the
risk management process is to start

small and gain experience over time.

Less complex credit unions unfamiliar
with analyzing third-party arrangements

may utilize this risk management approach
by entering third-party relationships

with small, well-defined goals and
expanding their exposure to third-party

risks as their experience grows.

When evaluating third-party arrangements,
examiners should ensure credit unions

have addressed the following concepts
in a manner commensurate with their

size, complexity, and risk profile:

Risk Assessment and Planning;

Due Diligence; and

Risk Measurement, Monitoring and Control.

The remainder of this
Supervisory Letter outlines

considerations for these concepts.

The considerations discussed are not
an exhaustive list of all possible

risk mitigation procedures, but a
representation of the considerations

necessary when credit unions engage in
significant third-party relationships.

The depth and breadth of due diligence
required depends upon a credit union’s

complexity and risk management process.

Smaller or less complex credit unions
may develop alternative methods of

accomplishing due diligence, while
credit unions utilizing a time tested

third-party relationship may already have
addressed these considerations over time.

Risk Assessment and Planning Considerations for Third-party Relationships

Credit union officials are responsible
for planning, directing, and

controlling the credit union’s affairs.

Risk assessment and due diligence
for third-party relationships is

an important part of officials’
fiduciary responsibilities.

Examiners should consider the following
elements in evaluating the adequacy of

credit unions’ risk assessment and due
diligence over third-party relationships:

Planning and Initial Risk Assessment

Before entering into a third-party
relationship, officials should

determine whether the relationship
complements their credit union’s

overall mission and philosophy.

Officials should document how the
relationship will relate to their credit

union’s strategic plan, considering
long-term goals, objectives, and

resource allocation requirements.

Officials should design action plans
to achieve short-term and long-term

objectives in support of strategic
planning for new third-party arrangements.

All planning should contain measurable,
achievable goals and clearly defined

levels of authority and responsibility.

Additionally, officials should weigh the
risks and benefits of outsourcing business

functions with the risks and benefits
of maintaining those functions in-house.

In order to demonstrate an understanding
of a third-party relationship’s

risk, the officials must clearly
understand the credit union’s strengths

and weaknesses in relation to the
arrangement under consideration.

Credit unions should complete a risk
assessment prior to engaging in a

third-party relationship to assess what
internal changes, if any, will be required

to safely and soundly participate.

Risk assessments are a dynamic
process, rather than a static process,

and should be an on-going part of
a broader risk management strategy.

Credit unions’ initial risk assessments
for a third-party relationship should

consider all seven risk areas (Credit,
Interest Rate, Liquidity, Transaction,

Compliance, Strategic, and Reputation),
and more specifically the following:

Expectations for Outsourced Functions


Credit unions should clearly define
the nature and scope of their needs.

Which needs will the third-party meet?

Will the third-party be
responsible for desired results?

To what extent?

Staff Expertise

Is credit union staff qualified to manage
and monitor the third-party relationship?

How much reliance on the
third-party will be necessary?

Criticality

How important is the
activity to be outsourced?

Is the activity mission critical?

What other alternatives exist?

Risk-Reward or Cost-Benefit Relationship

Does the potential benefit
of the arrangement outweigh

the potential risks or costs?

Will this change over time?

Insurance

Will the arrangement create
additional liabilities?

Is credit union insurance
coverage sufficient to cover the

potentially increased liabilities?

Will the third-party carry “key
man” insurance or other insurance

to protect the credit union?

Impact on Membership

How will officials gauge the
positive or negative impacts of the

arrangement on credit union members?

How will they manage member expectations?

Exit Strategy

Is there a reasonable way out of the
relationship if it becomes necessary

to change course in the future?

Is there another party that can provide
any services officials deem critical?

Risk assessments for less complex
third-party arrangements may be part

of a broader risk management program
or documented in board minutes.

Financial Projections

In evaluating the cost-benefit or
risk-reward of a third-party relationship,

credit unions should develop financial
projections outlining the range of

expected and possible financial outcomes.

Credit unions should project a
return on their investment in the

proposed third-party arrangement,
considering expected revenues,

direct costs, and indirect costs.

For example, when outsourcing loan
functions, credit unions should

not only consider the expected
loan yield, but also the potential

effect of borrower prepayments and
third-party fees on the overall return.

Officials should evaluate financial
projections in the context of

their overall strategic plans and
asset-liability management framework

before making a decision to participate
in a third-party arrangement.

Examiners should evaluate these
projections for reasonableness,

considering historical performance,
underlying assumptions, stated business

plan objectives, and the complexity
of the credit union’s risk profile.

Due Diligence for
Third-party Relationships

When considering third-party
relationships, proper due diligence

includes developing a demonstrated
understanding of a third-party’s

organization, business model,
financial health, and program risks.

In order to tailor controls to mitigate
risks posed by a third-party, credit

unions must have an understanding of a
prospective third-party’s responsibilities

and all of the processes involved
with prospective third-party programs.

Examiners should consider the adequacy
of due diligence in the areas below,

given credit unions’ risk profiles,
internal controls, and overall complexity.

Due diligence should be tailored to
the complexity of the third-party

relationship and may consist of
reasonable alternative procedures to

accomplish acceptable risk mitigation.

It is also important for credit unions
to understand how a third-party has

performed in other relationships before
entering into a third-party arrangement.

Credit unions should request referrals
from the prospective third-party’s clients

to determine their satisfaction and
experience with the proposed arrangement.

Credit unions should also review
and consider any lawsuits or

legal proceedings involving the
third-party or its principals.

Additionally, credit unions should ensure
that third parties or their agents have

any required licenses or certifications,
and that they remain current for

the duration of the arrangement.

Finally, sources of information such
as the Better Business Bureau, Federal

Trade Commission, credit reporting
agencies, state consumer affairs

offices, or state attorney general
offices may also offer insight to a

third-party’s business reputation.

Business Model

New business models often emerge
due to changes in the regulatory,

technological, or economic environment.

When evaluating a prospective third-party
arrangement, credit union officials should

consider the longevity and adaptability
of third-party business models.

Some business models may be well
suited for economic expansion, but

untenable during economic recession.

Since new business models are not
time tested and have not experienced a

complete economic cycle, they may present
additional risks to a credit union.

Likewise, longstanding business
models that cannot easily adapt may

not be sustainable in times of rapid
technological or regulatory change.

Before entering into a third-party
arrangement, credit union officials

should thoroughly understand the
third-party’s business model.

The third-party’s business model is
simply the conceptual architecture

or business logic employed to
provide services to its clients.

If the third-party’s business and
marketing plans are available,

officials should review them.

Credit union officials should also
understand and be able to explain the

third-party’s role in the proposed
arrangement and any processes for

which the third-party is responsible.

Examiners should assess credit union
officials’ understanding and consideration

of key third-party business models as
an integral element of due diligence.

Credit union officials should
also understand the third-party’s

sources of income and expense,
considering any conflicts of

interest that may exist between the
third-party and the credit union.

For example, if a third-party’s revenue
stream is tied to the volume of loan

originations rather than loan quality,
its financial interest in underwriting

as many loans as possible may conflict
with the credit union’s interest

in originating only quality loans.

Credit unions should also identify
any vendor related parties (such

as subsidiaries, affiliates, or
subcontractors) involved with the

proposed arrangement and understand
the purpose and function of each.

Examiners should consider the potential
effects of identified conflicts

of interest and ensure officials
mitigate risks where reasonable.

Cash Flows

Perhaps one of the most important
considerations, when analyzing a

potential third-party relationship,
is the determination of how cash

flows move between all parties in
a proposed third-party arrangement.

In addition to third-party fees,
premiums, and claims receipts, many

third-party arrangements include cash
flows between the credit union, the

third-party, and credit union members.

Credit union officials should be able
to explain how cash flows (both incoming

and outgoing) move between the member,
the third-party, and credit unions.

Credit unions should also be able
to independently verify the source

of these cash flows and match them
to related individual accounts.

Examiners should ensure
credit unions are tracking and

identifying cash flows accurately.

Financial and Operational Control Review

Credit unions should carefully review
the financial condition of third parties

and their closely related affiliates.

The financial statements of a third-party
and its closely related affiliates

should demonstrate an ability to fulfill
the contractual commitments proposed.

Credit unions should consider the
financial statements with regard to

outstanding commitments, capital strength,
liquidity, and operating results.

Additionally, credit unions should
consider any potential off-balance sheet

liabilities and the feasibility that the
third-party or its affiliated parties can

financially perform on such commitments.

Audited and segmented financial statements or ratings from nationally recognized statistical rating organizations (NRSRO ratings) may be useful in periodically evaluating the overall financial health of a prospective or existing third-party.

If available, officials may use copies of SAS 70 (Type II) reports prepared by an independent auditor, audit results, or regulatory reports to evaluate the adequacy of the proposed vendor’s internal controls.

If these items are not available,
credit unions should consider whether

to require an independent review of the
proposed vendor’s internal controls.

Generally, contracts establish
requirements for periodic audits

or access to third-party records.

Examiners should ensure credit unions
have adequately reviewed the financial

and internal control structure of the
prospective third-party, considering

credit unions’ risk profiles and the
arrangement’s relationship to net worth.

Contract Issues and Legal Review

Contracts outlining third-party
arrangements are often complex.

Credit unions should take measures to
ensure careful review and understanding

of the contract and legal issues
relevant to third-party arrangements.

It is prudent to seek qualified external
legal counsel to review prospective

third-party arrangements and contracts.

Any legal counsel consulted should be
independent and have the experience

or specialization necessary to review
properly the arrangements and contracts.

Typically, at a minimum, third-party
contracts should address the following:

Scope of arrangement, services
offered, and activities authorized;

Responsibilities of all parties
(including subcontractor oversight);

Service level agreements addressing
performance standards and measures;

Performance reports and
frequency of reporting;

Penalties for lack of performance;

Ownership, control, maintenance and
access to financial and operating records;

Ownership of servicing rights;

Audit rights and requirements
(including responsibility for payment);

Data security and member confidentiality
(including testing and audit);

Business resumption or
contingency planning;

Insurance;

Member complaints and member service;

Compliance with regulatory requirements (e.g., GLBA, Privacy, BSA, etcetera);

Dispute resolution; and

Default, termination, and escape clauses.

Of particular importance, credit unions
should exercise their right to negotiate

contract terms with third parties
for mutually beneficial contracts.

For example, some credit unions have
entered into third-party agreements

with significant buyout or termination
penalties, believing the penalties or

fees were standard or non-negotiable.

In many cases, early termination, escape
clause, and default terms are negotiable.

Credit union officials should ensure
that any contract terms agreed

to would not adversely affect the
credit union’s safety and soundness,

regardless of contract performance.

In addition to a legal review of
contracts and written agreements

relevant to a prospective third-party
arrangement, it may be prudent for

credit unions to obtain a legal opinion
about any services provided by the

third-party under the arrangement.

For example, if a third-party is engaged
to perform loan collections for the credit

union, a legal review of their collection
methods may be prudent to ensure debt

collection and reporting practices comply
with applicable state and federal laws.

Credit unions should ensure compliance with state and federal laws and regulations, and contractually bind the third-party to compliance with applicable laws (i.e., Regulation B, Regulation Z, HMDA, etcetera).

Since credit unions may ultimately be
responsible for consumer compliance

violations committed by their agents,
credit unions should be familiar with

the third-party’s internal controls
for ensuring regulatory compliance and

adherence to agreed upon practices.

Accounting Considerations

Credit unions should consider that
third-party relationships might

create accounting complexities.

Credit unions must have adequate
accounting infrastructures to

appropriately track, identify,
and classify transactions in

accordance with Generally Accepted
Accounting Principles (GAAP).

Credit unions often develop third-party
arrangements to outsource new products

or functions, and may not have experience
in accounting for the particulars

of those new products or functions.

Conversely, although credit unions may
be familiar with the accounting rules

for a given function, the nature of
a third-party arrangement may change

the required accounting procedures.

In some instances, a certified public
accountant’s guidance may be necessary

to ensure proper accounting treatment.

A credit union’s audit scope
should provide for independent

reviews of third-party arrangements
and associated activities.

Examiners should ensure credit unions have
considered the accounting implications

of new products or services introduced
through third-party arrangements.

Risk Measurement, Monitoring and
Control of Third-party Relationships

In addition to careful due diligence
when entering third-party arrangements,

credit unions must establish ongoing
expectations and limitations, compare

program performance to expectations, and
ensure all parties to the arrangement

are fulfilling their responsibilities.

Third-party arrangements and risk profiles
will vary; thus, credit unions should

tailor risk mitigation efforts to the
specific nature of considered programs,

the materiality of risks identified, and
the credit union’s overall complexity.

Examiners should consider the adequacy
of the credit union’s policies,

risk measurement, and monitoring
in light of the same factors.

Policies and Procedures

Credit unions should develop detailed
policy guidance sufficient to outline

expectations and limit risks originating
from third-party arrangements.

Policies and procedures should
outline staff responsibilities

and authorities for third-party
processes and program oversight.

Additionally, policy guidance
should define the content and

frequency of reporting to credit
union management and officials.

Credit unions should also establish
program limitations to control the pace

of program growth and allow time to
develop experience with the program.

For example, credit unions participating
in third-party loan programs should

initially limit the volume of loans
granted in order to identify any problems

with the third-party process prior to
the volume of loans becoming significant.

Risk Measurement and Monitoring

Credit unions must be able to measure
the risks of third-party programs,

but also the performance of third
parties in terms of profitability,

benefit, and service delivery.

For example, credit unions outsourcing
loan servicing functions should be able to

identify individual loan characteristics,
repayment histories, repayment methods,

delinquency status, and any loan file
maintenance relative to serviced loans.

To the extent that credit unions rely on
the third-party to provide this type of

measurement information, clear controls
should be contractually established and

subject to periodic independent testing
to ensure the accuracy of the information.

Examiners should ensure that credit
unions are measuring the performance

of third-party arrangements and
periodically verifying the accuracy

of any information provided to them
by a third-party or its affiliate.

Credit unions engaging in third-party relationships must have an infrastructure (i.e., staffing, equipment, technology, etcetera) sufficient to monitor the performance of third-party arrangements.

In many cases, credit unions outsource
processes or functions due to a lack of

internal infrastructure or experience.

However, outsourcing processes
or functions does not eliminate

credit union responsibility
for the safety and soundness of

those processes and functions.

Examiners should ensure officials
demonstrate the knowledge, skills,

and abilities necessary to monitor
and control third-party arrangements.

Control Systems and Reporting

After credit unions have conducted
internal risk assessments and

due diligence over prospective
third parties, they must implement

on-going controls over third-party
arrangements to mitigate risks.

While control systems need not be
elaborate for less complex third-party

arrangements, credit unions are
ultimately responsible for establishing

internal controls and audit functions
reasonably sufficient to assure them

that third parties are appropriately
safeguarding member assets, producing

reliable reports, and following the
terms of the third-party arrangement.

Additionally, credit unions should
tailor internal controls as necessary

to ensure staff observes policy
guidance for third-party relationships.

Examiners should ensure credit
unions have ongoing risk management

procedures with regard to any
material third-party relationship.

Designated credit union staff should
be qualified and responsible for

continued monitoring and oversight of
third-party arrangements, exhibiting

familiarity with and understanding of the
reports available from the third-party.

Responsible staff should measure
the performance of third-party

programs in relation to credit
union policy guidance, contractual

commitments, and service levels.

Credit unions should implement quality
control procedures to review the

performance of third parties periodically.

Credit union officials should receive
periodic reports on the performance

of all material third-party programs.

Examiners should ensure controls are
in place, and that management and

officials receive periodic reports with
information sufficient to assist them in

evaluating the performance of the overall
arrangement and the adequacy of reserves.

Summary

Third-party relationships can
be invaluable to credit unions

and credit union members.

Properly managed third-party
relationships can allow credit unions

to accomplish strategic objectives
through increased member service,

competitiveness, and economies of scale.

However, outsourcing critical
business functions increases the

risk inherent in those functions.

Credit unions are responsible for
safeguarding member assets and ensuring

sound operations irrespective of whether
or not a third-party is involved.

Smaller or less complex credit unions
may have to develop alternative

methods of accomplishing due diligence.

Examiners should ensure credit unions
adequately address risk assessment,

planning, due diligence, risk measurement,
risk monitoring, and controls when

involved in third-party relationships.

APPENDIX A

Third-party Relationships: Areas for Consideration

Risk Assessment and Planning

Planning

Third-party arrangements should
be synchronized with strategic

plans, business plans, and
credit unions’ philosophies.

Risk Assessment

Dynamic process should consider
the seven areas of risk as well as

expectations of the arrangement, staff
expertise, criticality of function,

cost-benefit, insurance requirements,
member impact, and exit strategy.

Financial Projections

Return on investment should be
estimated considering revenue,

direct costs, indirect costs,
fees, and likely cash flow stream.

Return should be considered relative
to the credit unions’ strategic

plans and asset-liability frameworks.

Due Diligence

Background Check

Credit unions should consider
references, prior performance, licensing

and certification, and any legal
proceedings involving prospective

third parties, key individuals of
the third-party’s organization.

Credit unions should also
consider third-party motivations.

Business Model

Credit unions must understand business
logic of the third-party arrangement and

business model, as well as third-party
processes and related affiliates.

Cash Flows

Credit unions must demonstrate
an understanding of incoming and

outgoing cash flows, and be able
to independently verify sources of

cash flows in third-party programs.

Financial and Operation Control Review

Credit unions must review the overall
financial condition of third parties

and their closely related affiliates, as
well as the state of operational controls

in the third-party’s business model.

Contract Issues and Legal Review

Credit unions should generally
have legal counsel with appropriate

expertise and experience review
contracts and third-party arrangements

to ensure equitable contracts and
compliance with applicable state

and federal laws and regulations.

Accounting Considerations

Credit unions should be prepared for
potential accounting complexity and may

need a CPA opinion on accounting for
third-party relationship activities.

Risk Measurement, Monitoring and Control

Staff Oversight and Quality Control

Credit unions should have qualified staff
designated to oversee and control the

quality of the third-party relationships.

Policies and Procedures

Policy guidance must be in place
and sufficient to control the risks

of the third-party relationship.

Policy guidance should address
responsibilities, oversight, program

and portfolio limitations, and
content and frequency of reporting.

Monitoring and Reporting

Adequate infrastructure is required
to support monitoring and reporting

outlined in policy guidance.

Credit unions should be able to measure
and verify the performance of third

parties and third-party programs.

APPENDIX B

List of Resources

The resources listed in the letter
are too numerous to list here.

Refer to NCUA’s website for these details.

This concludes the NCUA Letter to Credit Unions on Evaluating Third-party Relationships.

If your credit union could use assistance with your exam, reach out to Mark Treichel on LinkedIn, or at Mark Treichel dot com.

This is Samantha Shares, and we thank you for listening.
