Managing Credit Union Vendor Due Diligence and …2013/01/16  · Mitigating Regulatory Risk Bring...

AMANDA J. SMITH, ESQUIRE MESSICK & LAUER, PC Managing Credit Union Vendor Due Diligence and Third Party Relationships

Amanda J. Smith, Esquire

Messick & Lauer, PC

Managing Credit Union Vendor Due Diligence and Third Party Relationships

Overview

Discussion Points

Importance of performing due diligence and managing third party relationships

How to implement a vendor management program

Guidelines for performing due diligence

Importance of Performing Due Diligence and Managing Vendors

Why is it Important?

NCUA and state regulators expect it

Credit unions cannot contract away regulatory liability

Certain risks cannot be eliminated; however, with proper due diligence and vendor management they can be significantly mitigated

Regulator’s Expectations

NCUA Letters

07-CU-13 Evaluating Third Party Relationships

Supervisory Letter 07-01

10-CU-15 Indirect Lending and Appropriate Due Diligence

08-CU-19 Third Party Relationships: Mortgage Brokers and Correspondents

08-CU-09 Evaluating Third Party Relationships Questionnaire

01-CU-20 Due Diligence Over Third Party Service Providers

Regulatory Liability

From a compliance standpoint, the credit union is liable to its members and its regulators for the actions or inactions of the vendors with whom it does business

Vendor compliance errors are costly both monetarily and to your reputation

Even though the vendor may offer a turnkey product, the credit union must actively manage the program

Example – Regulation Z

§1026.5 Open Ended Credit General Disclosure Requirements

“The creditor shall make the disclosures required by this subpart clearly and conspicuously.”

“The creditor shall make the disclosures required by this subpart in writing, in a form that the consumer may keep.”

“The creditor shall furnish account-opening disclosures required by §1026.6 before the first transaction is made under the plan.”

Regulation Z – continued

Creditor means:

A person who regularly extends consumer credit that is subject to a finance charge or is payable by written agreement in more than four installments (not including a down payment), and to whom the obligation is initially payable, either on the face of the note or contract, or by agreement when there is no note or contract.

Under certain circumstances, a person that honors a credit card.

Any card issuer that extends either open-end credit or credit that is not subject to a finance charge and is not payable by written agreement in more than four installments.

With limited exception, any card issuer that extends closed-end credit that is subject to a finance charge or is payable by written agreement in more than four installments.

A person who regularly extends consumer credit only if it extended credit (other than credit subject to the requirements of §1026.32) more than 25 times (or more than 5 times for transactions secured by a dwelling) in the preceding calendar year. If a person did not meet these numerical standards in the preceding calendar year, the numerical standards shall be applied to the current calendar year. A person regularly extends consumer credit if, in any 12-month period, the person originates more than one credit extension that is subject to the requirements of §1026.32 or one or more such credit extensions through a mortgage broker.

Regulation Z - continued

Credit union discovers, by way of examination, that due to a programming error, its vendor had disclosed an understated APR on its credit card product for one year

Administrative sanction – reimburse the difference between the disclosed APR and the APR charged to the members

Class action lawsuit – potential for punitive damages

But it’s the vendor’s fault????

Indemnification, limitation of liability, and more litigation

Example - Unfair, Deceptive, or Abusive Acts or Practices (UDAAP)

An act or practice is unfair when:

(1) It causes or is likely to cause substantial injury to consumers;

(2) The injury is not reasonably avoidable by consumers; and

(3) The injury is not outweighed by countervailing benefits to consumers or to competition.

UDAAP – continued

A representation, omission, act or practice is deceptive when:

(1) It misleads or is likely to mislead the consumer;

(2) The consumer’s interpretation of it is reasonable under the circumstances; and

(3) It is material.

UDAAP - continued

An abusive act or practice:

(1) Materially interferes with the ability of a consumer to understand a term or condition of a consumer financial product or service; or

(2) Takes unreasonable advantage of:

• A lack of understanding on the part of the consumer of the material risks, costs, or conditions of the product or service;

• The inability of the consumer to protect its interests in selecting or using a consumer financial product or service; or

• The reasonable reliance by the consumer on a covered person to act in the interests of the consumer.

UDAAP and Vendors

CFPB’s Enforcement Action Against Capital One

Finding – Call center vendors were deceptive when selling Capital One’s credit card add-on products

Penalty – Must return approximately $140 million to an estimated 2 million customers and pay a $25 million civil penalty

In addition to the refunds and $35 million penalty assessed by the OCC

CFPB has an expectation that every institution under its supervision and their service providers will comply with UDAAP

Mitigating Regulatory Risk

Bring compliance and vendor management together

Review the vendor’s process for compliance at the onset of the relationship

Designate a person in the credit union to manage the vendor relationship

Make sure proper contractual protections are in place:

• Representations to comply with all applicable laws

• Indemnification

• Eliminate limitations on liability when possible

Review vendor performance quarterly

Have access to member complaints

Implementing a Vendor Management Program and Performing Due Diligence

Evaluating Your Need for Vendors

Planning and Risk Assessment

Does outsourcing fit with the credit union’s strategy and risk tolerance?

Due Diligence

Is the proposed vendor a credible and effective provider?

Risk Measurement, Monitoring, and Control

How does the credit union monitor the relationship and manage the risk?

Planning and Risk Assessment

Planning

Does the vendor fit with the credit union’s mission and philosophy?

• Document how the relationship works with the credit union’s strategic plan

Would the credit union be better served by an in-house solution?

• Must evaluate the credit union’s strengths and weaknesses

• CUSO v non-CUSO provider

Financial projections

• Outline the range of expected and possible financial outcomes

• Should project a ROI when considering expected revenues, direct costs, and indirect costs

Rate the Criticality of the Vendor

Highly Critical: Essential to daily function of core services or safety and soundness issue if not functioning

Critical: Essential to a core service but alternative means of delivery exist or it is an ancillary service

Non-Critical: Does not affect core service if not functioning

Criticality

The more critical the vendor or service, the more thorough the planning, due diligence, and monitoring must be

Exception: renewing a longstanding relationship requires less analysis than a new relationship; however, it still must be monitored in the same manner

Risk Assessment

Credit

Interest Rate

Liquidity

Transaction

Compliance

Strategic

Reputation

Risk Assessment

Expectations for Outsourced Functions

Staff Expertise

Criticality

Risk-Reward or Cost-Benefit Relationship

Insurance

Impact on Membership

Exit Strategy

NCUA Third Party Relationships Questionnaire

Does the credit union maintain a list of the third party company(ies) or firm(s) which they use for outsourced services?

Does the credit union maintain a description of the services provided by the third party company(ies) or firm(s)?

Did the credit union consider more than one (1) third party before entering into a relationship?

Does the third party relationship(s) complement the credit union’s overall mission and philosophy?

Has the credit union performed and documented a cost-benefit financial analysis to determine they are receiving sufficient reward for the risk associated with the proposed relationship?

Do the financial projections align with the credit union’s overall strategic plan and ALM framework?

Due Diligence

Due Diligence Review Minimums

Should take into account the critical nature of the service, the level of expertise exhibited by the vendor, staffing changes, economic and regulatory changes, and risk mitigation strategies associated with the vendor oversight. (NCUA Letter to Credit Unions 07-CU-13)

Goal of Due Diligence

Complete the due diligence necessary to ensure the risks undertaken in a vendor relationship are acceptable in relation to their risk profile and safety and soundness requirements

Less complex risk profiles and vendor arrangements typically require less analysis and documentation

If the credit union has a longstanding relationship with the vendor, less analysis is required to renew the relationship

Due Diligence Considerations

Background Check

Business Model

Cash Flows

Financial and Operational Control Review

Contract Issues and Legal Review

Accounting

Background Check

Vendor’s experience providing the proposed service or program

Experience of vendor’s key employees

Obtain references of existing and past clients

Claims and lawsuits

Verify licenses

Other sources of information

Business Model

Longevity and adaptability of business model

If the business and marketing plans are available they should be reviewed

Credit union officials should be able to explain the vendor’s business model

Verify sources of income and check for any conflicts of interest

Cash Flows

Credit union should be able to explain how the cash flows between the member, vendor, and credit union

Credit union should independently verify the source of these cash flows

Financial and Operational Control Review

Review Vendor’s financial ability to meet the proposed commitments

Financial statements – outstanding commitments, capital strength, liquidity, and operating results

If available, review SAS 70. May be necessary to obtain an independent review

Review annually

Contract Issues and Legal Review

Letter 07-CU-13 advises credit unions to seek qualified external legal counsel to review vendor agreements

Letter from OGC (08-0417) states that in-house counsel can perform the review if qualified

Contracts should be negotiated

Put it in writing

Obtain legal opinions, when necessary

Vendor Contracts

Vendor agreements should address:

• Scope of arrangement, services offered, and activities authorized;

• Responsibilities of all parties (including subcontractor oversight);

• Service level agreement addressing performance standard and measures;

• Performance reports and frequency of reporting;

• Penalties for lack of performance;

• Ownership, control, maintenance, and access to financial and operating records;

• Ownership of servicing rights;

• Audit rights and requirements (including responsibility for payment);

• Data security and member confidentiality (including testing and audit);

• Business resumption or contingency planning;

• Insurance;

• Member complaints and member service;

• Compliance with regulatory requirements;

• Dispute resolution; and

• Default, termination and escape clauses.

Accounting

Credit union must have adequate accounting infrastructure to track, identify, and classify transactions in accordance with GAAP

It may be necessary to utilize an independent accountant

NCUA Third Party Relationships Questionnaire

Did the credit union request referrals from the prospective third party’s clients to determine their satisfaction and experience with the proposed arrangement?

Does the credit union understand the vendor’s sources of income and expense and have they considered any conflicts of interest that may exist between the third party and the credit union?

Does the credit union’s analysis of the financial statement of the third party and its closely related affiliates provide reasonable assurance that the third party has the ability to fulfill the contractual commitments proposed?

Did the credit union ensure the third party is compliant with state and federal laws and regulations and is contractually bound to comply with applicable laws?

NCUA Third Party Relationships Questionnaire

Does the credit union have an adequate accounting infrastructure to appropriately track, identify, and classify transactions in accordance with GAAP?

Are reports prepared on a monthly basis adequately reflecting the amount of activity with the third party and providing sufficient information to properly monitor the activities?

Are informative summary reports provided to senior management or the board of directors?

Risk Measurement, Monitoring, and Control of Third Party Relationships

Risk Measurement, Monitoring, and Control of Third Party Relationships

The credit union must establish ongoing expectations and compare the vendor’s performance to these expectations

The credit union must be certain that all parties to the arrangement are fulfilling their responsibilities

Credit union must develop policies and procedures, be able to measure and monitor the risks, and implement ongoing controls over vendor relationships

Inventory Your Vendors

What services are being provided and by whom?

How long have the services been provided by the vendor?

Who are the contacts for the vendor and the credit union?

Gather the vendor agreements.

What are the performance issues, if any?

Does the credit union have any due diligence on the vendor?

Who are the key subcontractors that the vendors are depending on and does the credit union have any due diligence on them?

Policies and Procedures

Outline expectations and limit risks from vendor relationships

Outline staff responsibilities and authorities for vendor oversight

Define the content and frequency of reporting to credit union management

Establish program limitations to pace the introduction of services to limit risk exposure as programs are working out initial issues

Risk Measurement and Monitoring

Credit unions must measure the vendor’s performance and periodically verify the accuracy of the information coming from the vendor

Outsourcing the process or function does not outsource the safety and soundness concern regarding the process or function

Control Systems and Reporting

On-going risk assessment

Must make sure the vendor is safeguarding member assets, producing reliable reports, and following the terms of the agreement

Credit union should designate staff to monitor vendor relationships, including understanding reports received from the vendor

Implement QC procedures to review the vendor’s performance periodically

Staff should report to credit union officials regarding vendor performance

Takeaways

Know your vendors – Do your due diligence!

Review and negotiate your vendor agreements

Manage your vendors – Appoint a person within the credit union to manage the vendor(s) and report to credit union officials

Review vendor performance quarterly

Review vendor due diligence annually and when renewing the contract

Amanda J. Smith, Esquire

Messick & Lauer, PC

asmith@cusolaw.com

610-891-9000

Thank you! Questions?