NCUA THIRD PARTY RELATIONSHIP GUIDANCE
Hello, this is Samantha Shares.
This episode covers NCUA's
Letter to Credit Unions No.
07-CU-13, titled Evaluating
Third Party Relationships.
This letter is often cited as
support for document of resolution
items in NCUA exam reports.
The following is an audio version of
that advisory and the press release.
This podcast is educational
and is not legal advice.
We are sponsored by Credit Union
Exam Solutions, Inc., whose team has
over 240 years of National Credit
Union Administration experience.
We assist our clients with NCUA
so they save time and money.
If you are worried about a recent,
upcoming, or in process NCUA
examination, reach out to learn how
they can assist at marktreichel.com.
Also check out our other podcast called
With Flying Colors, where we provide
tips on how to achieve success with NCUA.
And now the letter.
Third party relationships.
In recent years, credit unions have
increasingly developed third party
relationships to meet strategic
objectives and enhance member services.
Properly managed and controlled
third party relationships provide
a wide range of potential benefits
to credit unions and their members.
Many credit unions have utilized
third party arrangements to gain
expertise, realize economies of
scale, or even reach new members.
Leveraging the talents and experience of
third parties can assist credit unions
in meeting their members' needs while
accomplishing their strategic goals.
In some cases, third party
relationships are critical to the
ongoing success of a credit union.
Credit unions taking the time to
properly evaluate and cultivate their
participation in third party arrangements
can experience a high degree of success.
Collaboration with third parties
has become more prevalent in credit
unions due to increasing complexity
of services and competitive pressures.
In some third party arrangements,
credit unions surrender
directly
These relationships may
present and how to manage them.
As credit unions seek to manage risk,
they should carefully consider the
correlation between their level of
control over business functions and
the potential for compounding risks.
Credit unions maintaining complete
control over all functions may be
operationally or financially inefficient.
Credit unions outsourcing functions
without the appropriate level
of due diligence and oversight
may be taking on undue risk.
Ultimately, credit unions are responsible
for safeguarding member assets and
ensuring sound operations irrespective of
whether or not a third party is involved.
Outsourcing complete control over
one or more business functions
to a third party amplifies the
risks inherent in those functions.
Additionally, credit unions trading
direct control over business functions
for third party program benefits may
expose themselves to a full range of
risks, including credit, interest rate,
liquidity, transaction, compliance,
strategic, and reputation risks.
Credit unions must complete the due
diligence necessary to ensure the
risks undertaken in a third party
relationship are acceptable in
relation to their risk management
profile and safety and
soundness requirements.
Less complex risk profiles and third
party arrangements typically require
less analysis and documentation.
Further, where credit unions have
a long standing and tested history
of participating in a given third
party relationship, less analysis is
required to renew the relationship.
Risks may be mitigated,
transferred, avoided or accepted.
However, they are rarely eliminated.
The risk management process involves
identifying and making informed
decisions about how to address risk.
One of the best ways to employ the
risk management process is to start
small and gain experience over time.
Less complex credit unions unfamiliar
with analyzing third party arrangements
may utilize this risk management approach
by entering third party relationships
with small, well defined goals and
expanding their exposure to third
party risks as their experience grows.
When evaluating third party arrangements,
examiners should ensure credit unions
have addressed the following concepts
in a manner commensurate with their
size, complexity, and risk profile:
risk assessment and planning, due
diligence, and risk measurement,
monitoring, and control.
The remainder of this
supervisory letter outlines
considerations for these concepts.
The considerations discussed are not
an exhaustive list of all possible
risk mitigation procedures, but a
representation of the considerations
necessary when credit unions engage in
significant third party relationships.
The depth and breadth of due diligence
required depends upon a credit union's
complexity and risk management process.
Smaller or less complex credit unions
may develop alternative methods of
accomplishing due diligence, while credit
unions utilizing a time tested third
party relationship may already have
addressed these considerations over time.
Risk Assessment and Planning
Considerations for Third
Party Relationships.
Credit union officials are responsible
for planning, directing, and
controlling the credit union's affairs.
Risk assessment and due diligence
for third party relationships is
an important part of officials'
fiduciary responsibilities.
Examiners should consider the following
elements in evaluating the adequacy of
credit union's risk assessment and due
diligence over third party relationships.
Planning an Initial Risk Assessment.
Before entering into a third party
relationship, officials should
determine whether the relationship
complements their credit union's
overall mission and philosophy.
Officials should document how the
relationship will relate to their credit
union's strategic plan, considering
long term goals, objectives, and
resource allocation requirements.
Officials should design action plans
to achieve short term and long term
objectives in support of strategic
planning for new third party arrangements.
All planning should contain measurable,
achievable goals and clearly define
levels of authority and responsibility.
Additionally, officials should weigh the
risks and benefits of outsourcing business
functions with the risks and benefits
of maintaining those functions in house.
In order to demonstrate an understanding
of a third party relationship's
risk, the officials must clearly
understand the credit union's strengths
and weaknesses in relation to the
arrangement under consideration.
Credit unions should complete a risk
assessment prior to engaging in a
third party relationship to assess what
internal changes, if any, will be required
to safely and soundly participate.
Risk assessments are a dynamic
process rather than a static process
and should be an ongoing part of a
broader risk management strategy.
Credit unions' initial risk assessments
for a third party relationship should
consider all seven risk areas (credit,
interest rate, liquidity, transaction,
compliance, strategic, and reputation)
and, more specifically, the following.
Expectations for outsourced functions.
Credit unions should clearly define
the nature and scope of their needs.
Which needs will the third party meet?
Will the third party be
responsible for desired results?
To what extent?
Staff expertise.
Is credit union staff qualified to manage
and monitor the third party relationship?
How much reliance on the
third party will be necessary?
Criticality.
How important is the
activity to be outsourced?
Is the activity mission critical?
What other alternatives exist?
Risk reward or cost benefit relationships.
Does the potential benefit
of the arrangement outweigh
the potential risks or costs?
Will this change over time?
Insurance.
Will the arrangement create
additional liabilities?
Is credit union insurance
coverage sufficient to cover the
potentially increased liabilities?
Will the third party carry key
man insurance or other insurance
to protect the credit union?
Impact on membership.
How will officials gauge the
positive or negative impacts of the
arrangement on credit union members?
How will they manage member expectations?
Exit strategy.
Is there a reasonable way out of the
relationship if it becomes necessary
to change course in the future?
Is there another party that can provide
any services officials deem critical?
Risk assessments for less complex
third party arrangements may be part
of a broader risk management program
or documented in board minutes.
Financial projections.
In evaluating the cost benefit or risk
reward of a third party relationship,
credit unions should develop financial
projections outlining the range
of expected and possible financial
outcomes. Credit unions should project
a return on their investment in the
proposed third party arrangement,
considering expected revenues,
direct costs, and indirect costs.
For example, when outsourcing loan
functions, credit unions should
not only consider the expected loan
yield, but also the potential effect
of borrower repayments and third
party fees on the overall return.
Officials should evaluate financial
projections in the context of their
overall strategic plans and asset
liability management framework before
making a decision to participate
in a third party arrangement.
Examiners should evaluate these
projections for reasonableness,
considering historical performance,
underlying assumptions, stated business
plan objectives, and the complexity
of the credit union's risk profile.
Due Diligence for Third Party
Relationships.
When considering
third party relationships, proper
due diligence includes developing a
demonstrated understanding of a third
party's organization, business model,
financial health, and program risks.
In order to tailor controls to mitigate
risks posed by a third party, credit
unions must have an understanding of a
prospective third party's responsibilities
and all of the processes involved
with prospective third party programs.
Examiners should consider the adequacy
of due diligence in the areas below,
given credit unions' risk profiles,
internal controls, and overall complexity.
Due diligence should be tailored to
the complexity of the third party
relationship and may consist of
reasonable alternative procedures to
accomplish acceptable risk mitigation.
It is also important for credit unions
to understand how a third party has
performed in other relationships before
entering into a third party arrangement.
Credit unions should request referrals
from the prospective third party's clients
to determine their satisfaction and
experience with the proposed arrangement.
Credit unions should also review
and consider any lawsuits or
legal proceedings involving the
third party or its principals.
Additionally, credit unions should ensure
that third parties or their agents have
any required licenses or certifications,
and that they remain current for
the duration of the arrangement.
Finally, sources of information such
as the Better Business Bureau, Federal
Trade Commission, credit reporting
agencies, state consumer affairs
offices, or state attorney general
offices, may also offer insight to
a third party's business reputation.
Business Model.
New business models often
emerge due to changes in the regulatory,
technological, or economic environment.
When evaluating a prospective third party
arrangement, credit union officials should
consider the longevity and adaptability
of third party business models.
Some business models may be well
suited for economic expansion, but
untenable during economic recession.
Since new business models are not
time tested and have not experienced a
complete economic cycle, they may present
additional risks to a credit union.
Likewise, long standing business
models that cannot easily adapt may
not be sustainable in times of rapid
technological or regulatory change.
Before entering into a third party
arrangement, credit union officials
should thoroughly understand the
third party's business model.
The third party's business model is
simply the conceptual architecture
or business logic employed to
provide services to its clients.
If the third party's business and
marketing plans are available,
officials should review them.
Credit union officials should also
understand and be able to explain the
third party's role in the proposed
arrangement and any processes for
which the third party is responsible.
Examiners should assess credit union
officials' understanding and consideration
of key third party business models as
an integral element of due diligence.
Credit union officials should
also understand the third party's
sources of income and expense,
considering any conflicts of
interest that may exist between the
third party and the credit union.
For example, if a third party's revenue
stream is tied to the volume of loan
originations, rather than loan quality,
its financial interest in underwriting
as many loans as possible may conflict
with the credit union's interest
in originating only quality loans.
Credit unions should also identify
any vendor related parties, such
as subsidiaries, affiliates, or
subcontractors involved with the
proposed arrangement and understand
the purpose and function of each.
Examiners should consider the potential
effects of identified conflicts
of interest and ensure officials
mitigate risks where reasonable.
Perhaps one of the most important
considerations when analyzing a
potential third party relationship
is the determination of how cash
flows move between all parties in
a proposed third party arrangement.
In addition to third party fees,
premiums, and claims receipts, many
third party arrangements include cash
flows between the credit union, the
third party, and credit union members.
Credit union officials should be able
to explain how cash flows both incoming
and outgoing move between the member,
the third party, and credit unions.
Credit unions should also be able
to independently verify the source
of these cash flows and match them
to related individual accounts.
Examiners should ensure
credit unions are tracking and
identifying cash flows accurately.
Financial and Operational Control Review
Credit unions should carefully review
the financial condition of third parties
and their closely related affiliates.
The financial statements of a third
party and its closely related affiliates
should demonstrate an ability to fulfill
the contractual commitments proposed.
Credit unions should consider the
financial statements with regard
to outstanding commitments, capital
strength, and other factors.
operating results.
Additionally, credit unions should
consider any potential off balance sheet
liabilities and the feasibility that the
third party or its affiliated parties can
financially perform on such commitments.
Audited and segmented financial statements
or ratings from nationally recognized
statistical rating organizations, NRSRO
ratings, may be useful in periodically
evaluating the overall financial health
of a prospective or existing third party.
If available, officials may use
copies of SAS 70 Type II reports
prepared by an independent auditor,
audit results, or regulatory reports
to evaluate the adequacy of the
proposed vendor's internal controls.
If these items are not available,
credit unions should consider whether
to require an independent review of the
proposed vendor's internal controls.
Generally, contracts establish
requirements for periodic audits
or access to third party records.
Examiners should ensure credit unions
have adequately reviewed the financial
and internal control structure of the
prospective third party, considering
credit unions' risk profiles and the
arrangement's relationship to net worth.
Contract Issues and Legal Review.
Contracts outlining third party
arrangements are often complex.
Credit unions should take measures to
ensure careful review and understanding
of the contract and legal issues
relevant to third party arrangements.
It is prudent to seek qualified external
legal counsel to review prospective
third party arrangements and contracts.
Any legal counsel consulted should be
independent and have the experience
or specialization necessary to review
properly the arrangements and contracts.
Typically, at a minimum, third party
contracts should address the following:
Scope of arrangement, services
offered, and activities authorized;
Responsibilities of all parties, including
subcontractor oversight;
Service level agreements addressing performance
standards and measures;
Performance reports and frequency of reporting;
Penalties for lack of performance;
Ownership, control, maintenance, and
access to financial and operating records;
Ownership of servicing rights;
Audit rights and requirements, including
responsibility for payment;
Data security and member confidentiality, including
testing and audit;
Business resumption or contingency planning;
Insurance;
Member complaints and member service;
Compliance with regulatory requirements
(e.g., GLBA, Privacy, BSA, etc.);
Dispute resolution and default
termination and escape clauses.
Of particular importance, credit unions
should exercise their right to negotiate
contract terms with third parties
for mutually beneficial contracts.
For example, some credit unions have
entered into third party agreements
with significant buyout or termination
penalties, believing the penalties or
fees were standard or non negotiable.
In many cases, early termination, escape
clause, and default terms are negotiable.
Credit union officials should ensure
that any contract terms agreed
to would not adversely affect the
credit union's safety and soundness,
regardless of contract performance.
In addition to a legal review of
contracts and written agreements
relevant to a prospective third party
arrangement, it may be prudent for
credit unions to obtain a legal opinion
about any services provided by the
third party under the arrangement.
For example, if a third party is engaged
to perform loan collections for the credit
union, a legal review of their collection
methods may be prudent to ensure debt
collection and reporting practices comply
with applicable state and federal laws.
Credit unions should ensure
compliance with state and
federal laws and regulations, and
contractually bind the third party
to compliance with applicable laws (i.e.,
Regulation B, Regulation Z, HMDA, etc.).
Since credit unions may ultimately be
responsible for consumer compliance
violations committed by their agents,
credit unions should be familiar with
a third party's internal controls for
ensuring regulatory compliance and
adherence to agreed upon practices.
Accounting Considerations.
Credit unions should consider that
third party relationships might
create accounting complexities.
Credit unions must have adequate
accounting infrastructures to
appropriately track, identify,
and classify transactions in
accordance with generally accepted
accounting principles (GAAP).
Credit unions often develop third party
arrangements to outsource new products
or functions and may not have experience
in accounting for the particulars
of those new products or functions.
Conversely, although credit unions may
be familiar with the accounting rules
for a given function, the nature of
a third party arrangement may change
the required accounting procedures.
In some instances, a certified public
accountant's guidance may be necessary
to ensure proper accounting treatment.
A credit union's audit scope
should provide for independent
reviews of third party arrangements
and associated activities.
Examiners should ensure credit unions have
considered the accounting implications
of new products or services introduced
through third party arrangements.
Risk measurement, monitoring, and control of
third party relationships.
In addition to careful due diligence
when entering third party arrangements,
credit unions must establish ongoing
expectations and limitations, compare
program performance to expectations, and
ensure all parties to the arrangement
are fulfilling their responsibilities.
Third party arrangements
and risk profiles will vary.
Thus, credit unions should tailor risk
mitigation efforts to the specific
nature of considered programs, the
materiality of risks identified, and
the credit union's overall complexity.
Examiners should consider the adequacy
of the credit union's policies,
risk measurement, and monitoring
in light of the same factors.
Policies and Procedures.
Credit unions should develop detailed
policy guidance sufficient to outline
expectations and limit risks originating
from third party arrangements.
Policies and procedures should
outline staff responsibilities
and authorities for third party
processes and program oversight.
Additionally, policy guidance
should define the content and
frequency of reporting to credit
union management and officials.
Credit unions should also establish
program limitations to control the pace
of program growth and allow time to
develop experience with the program.
For example, credit unions participating
in third party loan programs should
initially limit the volume of loans
granted in order to identify any problems
with the third party process prior to
the volume of loans becoming significant.
Risk measurement and monitoring.
Credit unions must be able to measure
the risks of third party programs,
but also the performance of third
parties in terms of profitability,
benefit, and service delivery.
For example, credit unions outsourcing
loan servicing functions should be able to
identify individual loan characteristics,
repayment histories, repayment methods,
delinquency status, and any loan file
maintenance relative to serviced loans.
To the extent that credit unions rely on
the third party to provide this type of
measurement information, clear controls
should be contractually established and
subject to periodic independent testing
to ensure the accuracy of the information.
Examiners should ensure that credit
unions are measuring the performance
of third party arrangements and
periodically verifying the accuracy
of any information provided to them
by a third party or its affiliates.
Credit unions engaging in third
party relationships must have an
infrastructure (for example, staffing,
equipment, technology, etc.)
sufficient to monitor the performance
of third party arrangements.
In many cases, credit unions outsource
processes or functions due to a lack of
internal infrastructure or experience.
However, outsourcing processes
or functions does not eliminate
credit union responsibility
for the safety and soundness of
those processes and functions.
Examiners should ensure officials
demonstrate the knowledge, skills,
and abilities necessary to monitor
and control third party arrangements.
Control Systems and Reporting.
After credit unions have conducted
internal risk assessments and
due diligence over prospective
third parties, they must implement
ongoing controls over third party
arrangements to mitigate risks.
While control systems need not be
elaborate for less complex third
party arrangements, credit unions are
ultimately responsible for establishing
internal controls and audit functions
reasonably sufficient to assure them
that third parties are appropriately
safeguarding member assets, producing
reliable reports, and following the
terms of the third party arrangement.
Additionally, credit unions should
tailor internal controls as necessary
to ensure staff observes policy
guidance for third party relationships.
Examiners should ensure credit
unions have ongoing risk management
procedures with regard to any
material third party relationship.
Designated credit union staff should
be qualified and responsible for
continued monitoring and oversight of
third party arrangements, exhibiting
familiarity with and understanding of the
reports available from the third party.
Responsible staff should measure
the performance of third party
programs in relation to credit
union policy guidance, contractual
commitments, and service levels.
Credit unions should implement quality
control procedures to review the
performance of third parties periodically.
Credit union officials should receive
periodic reports on the performance
of all material third party programs.
Examiners should ensure controls
are in place and that management and
officials receive periodic reports with
information sufficient to assist them in
evaluating the performance of the overall
arrangement and the adequacy of reserves.
Summary.
Third party relationships can
be invaluable to credit unions
and credit union members.
Properly managed third party
relationships can allow credit unions
to accomplish strategic objectives
through increased member service,
competitiveness, and economies of scale.
However, outsourcing critical
business functions increases the
risk inherent in those functions.
Credit unions are responsible for
safeguarding member assets and ensuring
sound operations irrespective of whether
or not a third party is involved.
Smaller or less complex credit unions
may have to develop alternative
methods of accomplishing due diligence.
Examiners should ensure credit unions
adequately address risk assessment,
planning, due diligence, risk measurement,
risk monitoring, and controls when
involved in third party relationships.
Appendix A.
Third party relationships
areas for consideration.
Risk assessment and planning.
Planning.
Third party arrangements should
be synchronized with strategic
plans, business plans, and
credit unions' philosophies.
Risk assessment.
Dynamic process should consider
the seven areas of risk, as well as
expectations of the arrangement, staff
expertise, criticality of function,
cost benefit, insurance requirements,
member impact, and exit strategy.
Financial projections.
Return on investment should be
estimated considering revenue,
direct costs, indirect costs,
fees, and likely cash flow stream.
Return should be considered relative
to the credit union's strategic
plans and asset liability frameworks.
Background check.
Credit unions should consider
references, prior performance, licensing
and certification, and any legal
proceedings involving prospective
third parties, key individuals of
the third party's organization.
Credit unions should also
consider third party motivations.
Business model.
Credit unions must understand business
logic of the third party arrangement
and business model, as well as third
party processes and related affiliates.
Cash flows.
Credit unions must demonstrate
an understanding of incoming and
outgoing cash flows and be able
to independently verify sources of
cash flows in third party programs.
Financial and Operation Control Review.
Credit unions must review the overall
financial condition of third parties
and their closely related affiliates
as well as the state of operational
controls in the third party's business
model.
Contract issues and legal review.
Credit unions should generally have legal
counsel with appropriate expertise and
experience review contracts and third
party arrangements to ensure equitable
contracts and compliance with applicable
state and federal laws and regulations.
Accounting considerations.
Credit unions should be prepared for
potential accounting complexity and may
need a CPA opinion on accounting for
third party relationship activities.
Risk measurement, monitoring, and control.
Staff oversight and quality control.
Credit unions should have qualified
staff designated to oversee and
control the quality of the third party
relationships.
Policies and procedures.
Policy guidance must be in place
and sufficient to control the risks
of the third party relationship.
Policy guidance should address
responsibilities, oversight, program
and portfolio limitations, and
content and frequency of reporting.
Monitoring and reporting.
Adequate infrastructure is required
to support monitoring and reporting
outlined in policy guidance.
Credit unions should be able to measure
and verify the performance of third
parties and third party programs.
Appendix B.
List of Resources.
The resources listed in the letter
are too numerous to list here.
Refer to NCUA's website for these details.
This concludes the NCUA Letter
to Credit Unions on Evaluating
Third Party Relationships.
If your credit union could use assistance
with your exam, reach out to Mark
Treichel on LinkedIn or at marktreichel.com.
This is Samantha Shares and
we thank you for listening.