WEBVTT NOTE This file was generated by Descript 00:00:05.040 --> 00:00:06.920 Samantha: Hello, this is Samantha Shares. 00:00:07.390 --> 00:00:11.480 This episode covers NCU A letter to credit unions number Zero Seven 00:00:11.480 --> 00:00:15.040 C U Thirteen titled Evaluating Third-party Relationships. 00:00:15.600 --> 00:00:19.020 This letter is often cited as support for Document of Resolution 00:00:19.020 --> 00:00:21.520 items in NCU A exam reports. 00:00:21.907 --> 00:00:25.677 The following is an audio version of that advisory and the press release. 00:00:26.147 --> 00:00:29.387 This podcast is educational and is not legal advice. 00:00:29.707 --> 00:00:33.687 We are sponsored by Credit Union Exam Solutions Incorporated, whose 00:00:33.687 --> 00:00:36.757 team has over two hundred and Forty years of National Credit 00:00:36.787 --> 00:00:38.687 Union Administration experience. 00:00:39.107 --> 00:00:42.807 We assist our clients with N C U A so they save time and money. 00:00:43.187 --> 00:00:47.117 If you are worried about a recent, upcoming or in process N C U A 00:00:47.117 --> 00:00:51.427 examination, reach out to learn how they can assist at Mark Treichel DOT COM. 00:00:51.857 --> 00:00:56.187 Also check out our other podcast called With Flying Colors where we provide tips 00:00:56.187 --> 00:00:58.777 on how to achieve success with N C U A. 00:00:59.200 --> 00:01:00.100 And now the letter. 00:01:00.618 --> 00:01:02.028 Third-party Relationships 00:01:02.451 --> 00:01:05.991 In recent years, credit unions have increasingly developed third-party 00:01:05.991 --> 00:01:10.091 relationships to meet strategic objectives and enhance member services. 00:01:10.621 --> 00:01:13.911 Properly managed and controlled third-party relationships provide 00:01:13.911 --> 00:01:17.631 a wide range of potential benefits to credit unions and their members. 00:01:18.121 --> 00:01:21.541 Many credit unions have utilized third-party arrangements to gain 00:01:21.541 --> 00:01:25.641 expertise, realize economies of scale, or even reach new members. 00:01:26.061 --> 00:01:30.171 Leveraging the talents and experience of third parties can assist credit unions 00:01:30.171 --> 00:01:33.931 in meeting their members’ needs while accomplishing their strategic goals. 00:01:34.331 --> 00:01:37.531 In some cases, third-party relationships are critical to the 00:01:37.531 --> 00:01:39.681 on-going success of a credit union. 00:01:40.161 --> 00:01:43.841 Credit unions taking the time to properly evaluate and cultivate their 00:01:43.841 --> 00:01:48.381 participation in third-party arrangements can experience a high degree of success. 00:01:48.839 --> 00:01:52.169 Collaboration with third parties has become more prevalent in credit 00:01:52.169 --> 00:01:56.339 unions due to increasing complexity of services and competitive pressures. 00:01:56.919 --> 00:02:00.199 In some third-party arrangements, credit unions surrender direct 00:02:00.199 --> 00:02:03.969 control over one or more key business functions to a third-party 00:02:03.969 --> 00:02:05.919 in exchange for potential benefits. 00:02:06.459 --> 00:02:09.869 As credit unions consider the potential benefits of third-party 00:02:09.869 --> 00:02:13.119 arrangements, credit union officials and management (officials) are 00:02:13.119 --> 00:02:14.859 faced with a balancing act. 00:02:15.312 --> 00:02:19.032 Officials must carefully consider the potential risks these relationships 00:02:19.032 --> 00:02:20.852 may present and how to manage them. 00:02:21.342 --> 00:02:24.982 As credit unions seek to manage risk, they should carefully consider the 00:02:24.982 --> 00:02:28.632 correlation between their level of control over business functions and 00:02:28.632 --> 00:02:30.562 the potential for compounding risks. 00:02:30.982 --> 00:02:34.622 Credit unions maintaining complete control over all functions may be 00:02:34.622 --> 00:02:36.912 operationally or financially inefficient. 00:02:37.402 --> 00:02:40.832 Credit unions outsourcing functions without the appropriate level 00:02:40.832 --> 00:02:44.202 of due diligence and oversight may be taking on undue risk. 00:02:44.652 --> 00:02:48.952 Ultimately, credit unions are responsible for safeguarding member assets and 00:02:48.952 --> 00:02:53.452 ensuring sound operations irrespective of whether or not a third-party is involved. 00:02:53.950 --> 00:02:57.310 Outsourcing complete control over one or more business functions 00:02:57.310 --> 00:03:00.950 to a third-party amplifies the risks inherent in those functions. 00:03:01.390 --> 00:03:05.320 Additionally, credit unions trading direct control over business functions 00:03:05.320 --> 00:03:09.420 for third-party program benefits may expose themselves to a full range of 00:03:09.420 --> 00:03:13.760 risks including credit, interest rate, liquidity, transaction, compliance, 00:03:13.760 --> 00:03:15.820 strategic, and reputation risks. 00:03:16.270 --> 00:03:19.730 Credit unions must complete the due diligence necessary to ensure the 00:03:19.730 --> 00:03:23.420 risks undertaken in a third-party relationship are acceptable in 00:03:23.420 --> 00:03:27.350 relation to their risk profile and safety and soundness requirements. 00:03:27.710 --> 00:03:31.420 Less complex risk profiles and third-party arrangements typically 00:03:31.420 --> 00:03:33.920 require less analysis and documentation. 00:03:34.350 --> 00:03:37.910 Further, where credit unions have a longstanding and tested history of 00:03:37.910 --> 00:03:41.800 participating in a given third-party relationship, less analysis is 00:03:41.800 --> 00:03:43.650 required to renew the relationship. 00:03:44.153 --> 00:03:48.503 Risks may be mitigated, transferred, avoided, or accepted; however, 00:03:48.503 --> 00:03:49.883 they are rarely eliminated. 00:03:50.363 --> 00:03:53.943 The risk management process involves identifying and making informed 00:03:53.943 --> 00:03:55.933 decisions about how to address risk. 00:03:56.423 --> 00:04:00.053 One of the best ways to employ the risk management process is to start 00:04:00.053 --> 00:04:02.323 small and gain experience over time. 00:04:02.913 --> 00:04:07.233 Less complex credit unions unfamiliar with analyzing third-party arrangements 00:04:07.293 --> 00:04:11.623 may utilize this risk management approach by entering third-party relationships 00:04:11.623 --> 00:04:15.853 with small, well-defined goals and expanding their exposure to third-party 00:04:15.853 --> 00:04:17.853 risks as their experience grows. 00:04:18.290 --> 00:04:22.790 When evaluating third-party arrangements, examiners should ensure credit unions 00:04:22.790 --> 00:04:25.970 have addressed the following concepts in a manner commensurate with their 00:04:25.970 --> 00:04:28.450 size, complexity, and risk profile: 00:04:28.958 --> 00:04:30.508 Risk Assessment and Planning; 00:04:30.999 --> 00:04:32.049 Due Diligence; and 00:04:32.583 --> 00:04:34.833 Risk Measurement, Monitoring and Control. 00:04:35.295 --> 00:04:37.745 The remainder of this Supervisory Letter outlines 00:04:37.745 --> 00:04:39.725 considerations for these concepts. 00:04:40.315 --> 00:04:44.155 The considerations discussed are not an exhaustive list of all possible 00:04:44.155 --> 00:04:48.095 risk mitigation procedures, but a representation of the considerations 00:04:48.095 --> 00:04:52.665 necessary when credit unions engage in significant third-party relationships. 00:04:53.155 --> 00:04:57.065 The depth and breadth of due diligence required depends upon a credit union’s 00:04:57.065 --> 00:04:59.485 complexity and risk management process. 00:04:59.695 --> 00:05:03.945 Smaller or less complex credit unions may develop alternative methods of 00:05:03.945 --> 00:05:08.205 accomplishing due diligence, while credit unions utilizing a time tested 00:05:08.205 --> 00:05:12.605 third-party relationship may already have addressed these considerations over time. 00:05:13.042 --> 00:05:15.482 Risk Assessment and Planning Considerations for 00:05:15.482 --> 00:05:17.082 Third-party Relationships 00:05:17.492 --> 00:05:21.062 Credit union officials are responsible for planning, directing, and 00:05:21.062 --> 00:05:23.052 controlling the credit union’s affairs. 00:05:23.652 --> 00:05:27.202 Risk assessment and due diligence for third-party relationships is 00:05:27.202 --> 00:05:30.402 an important part of officials’ fiduciary responsibilities. 00:05:30.802 --> 00:05:34.802 Examiners should consider the following elements in evaluating the adequacy of 00:05:34.802 --> 00:05:39.392 credit unions’ risk assessment and due diligence over third-party relationships: 00:05:39.898 --> 00:05:41.908 Planning and Initial Risk Assessment 00:05:42.367 --> 00:05:45.897 Before entering into a third-party relationship, officials should 00:05:45.897 --> 00:05:49.057 determine whether the relationship complements their credit union’s 00:05:49.057 --> 00:05:50.797 overall mission and philosophy. 00:05:51.287 --> 00:05:54.567 Officials should document how the relationship will relate to their credit 00:05:54.567 --> 00:05:58.857 union’s strategic plan, considering long-term goals, objectives, and 00:05:58.857 --> 00:06:00.797 resource allocation requirements. 00:06:01.227 --> 00:06:05.277 Officials should design action plans to achieve short-term and long-term 00:06:05.277 --> 00:06:09.377 objectives in support of strategic planning for new third-party arrangements. 00:06:09.587 --> 00:06:13.677 All planning should contain measurable, achievable goals and clearly defined 00:06:13.677 --> 00:06:15.867 levels of authority and responsibility. 00:06:16.367 --> 00:06:20.417 Additionally, officials should weigh the risks and benefits of outsourcing business 00:06:20.417 --> 00:06:24.347 functions with the risks and benefits of maintaining those functions in-house. 00:06:24.887 --> 00:06:28.317 In order to demonstrate an understanding of a third-party relationship’s 00:06:28.317 --> 00:06:32.127 risk, the officials must clearly understand the credit union’s strengths 00:06:32.127 --> 00:06:35.587 and weaknesses in relation to the arrangement under consideration. 00:06:36.077 --> 00:06:39.657 Credit unions should complete a risk assessment prior to engaging in a 00:06:39.657 --> 00:06:44.447 third-party relationship to assess what internal changes, if any, will be required 00:06:44.447 --> 00:06:46.477 to safely and soundly participate. 00:06:47.012 --> 00:06:51.072 Risk assessments are a dynamic process, rather than a static process, 00:06:51.292 --> 00:06:54.722 and should be an on-going part of a broader risk management strategy. 00:06:55.122 --> 00:06:59.042 Credit unions’ initial risk assessments for a third-party relationship should 00:06:59.042 --> 00:07:03.902 consider all seven risk areas (Credit, Interest Rate, Liquidity, Transaction, 00:07:03.902 --> 00:07:08.312 Compliance, Strategic, and Reputation), and more specifically the following: 00:07:08.814 --> 00:07:11.004 Expectations for Outsourced Functions 00:07:11.459 --> 00:07:15.169 – Credit unions should clearly define the nature and scope of their needs. 00:07:15.569 --> 00:07:17.439 Which needs will the third-party meet? 00:07:17.899 --> 00:07:20.959 Will the third-party be responsible for desired results? 00:07:21.249 --> 00:07:22.129 To what extent? 00:07:22.417 --> 00:07:23.617 Staff Expertise 00:07:24.049 --> 00:07:28.759 Is credit union staff qualified to manage and monitor the third-party relationship? 00:07:29.249 --> 00:07:31.919 How much reliance on the third-party will be necessary? 00:07:32.251 --> 00:07:33.091 Criticality 00:07:33.593 --> 00:07:36.163 How important is the activity to be outsourced? 00:07:36.563 --> 00:07:38.413 Is the activity mission critical? 00:07:38.713 --> 00:07:40.463 What other alternatives exist? 00:07:40.749 --> 00:07:43.369 Risk-Reward or Cost-Benefit Relationship 00:07:43.901 --> 00:07:46.411 Does the potential benefit of the arrangement outweigh 00:07:46.411 --> 00:07:48.241 the potential risks or costs? 00:07:48.681 --> 00:07:50.101 Will this change over time? 00:07:50.470 --> 00:07:51.210 Insurance 00:07:51.573 --> 00:07:54.043 Will the arrangement create additional liabilities? 00:07:54.353 --> 00:07:57.323 Is credit union insurance coverage sufficient to cover the 00:07:57.323 --> 00:07:59.273 potentially increased liabilities? 00:07:59.693 --> 00:08:03.383 Will the third-party carry “key man” insurance or other insurance 00:08:03.383 --> 00:08:04.883 to protect the credit union? 00:08:05.182 --> 00:08:06.392 Impact on Membership 00:08:06.917 --> 00:08:10.327 How will officials gauge the positive or negative impacts of the 00:08:10.327 --> 00:08:12.307 arrangement on credit union members? 00:08:12.727 --> 00:08:14.927 How will they manage member expectations? 00:08:15.278 --> 00:08:16.228 Exit Strategy 00:08:16.654 --> 00:08:20.444 Is there a reasonable way out of the relationship if it becomes necessary 00:08:20.444 --> 00:08:21.974 to change course in the future? 00:08:22.564 --> 00:08:26.544 Is there another party that can provide any services officials deem critical? 00:08:26.947 --> 00:08:30.847 Risk assessments for less complex third-party arrangements may be part 00:08:30.847 --> 00:08:34.807 of a broader risk management program or documented in board minutes. 00:08:35.130 --> 00:08:36.560 Financial Projections 00:08:36.923 --> 00:08:41.123 In evaluating the cost-benefit or risk-reward of a third-party relationship, 00:08:41.343 --> 00:08:44.953 credit unions should develop financial projections outlining the range of 00:08:44.953 --> 00:08:47.453 expected and possible financial outcomes. 00:08:47.853 --> 00:08:50.853 Credit unions should project a return on their investment in the 00:08:50.853 --> 00:08:54.553 proposed third-party arrangement, considering expected revenues, 00:08:54.583 --> 00:08:56.773 direct costs, and indirect costs. 00:08:57.153 --> 00:09:00.683 For example, when outsourcing loan functions, credit unions should 00:09:00.683 --> 00:09:04.443 not only consider the expected loan yield, but also the potential 00:09:04.443 --> 00:09:08.523 effect of borrower prepayments and third-party fees on the overall return. 00:09:09.009 --> 00:09:12.359 Officials should evaluate financial projections in the context of 00:09:12.359 --> 00:09:16.329 their overall strategic plans and asset-liability management framework 00:09:16.329 --> 00:09:19.919 before making a decision to participate in a third-party arrangement. 00:09:20.409 --> 00:09:23.709 Examiners should evaluate these projections for reasonableness, 00:09:23.839 --> 00:09:27.929 considering historical performance, underlying assumptions, stated business 00:09:27.929 --> 00:09:32.119 plan objectives, and the complexity of the credit union’s risk profile. 00:09:32.605 --> 00:09:34.995 Due Diligence for Third-party Relationships 00:09:35.351 --> 00:09:38.781 When considering third-party relationships, proper due diligence 00:09:38.781 --> 00:09:42.201 includes developing a demonstrated understanding of a third-party’s 00:09:42.201 --> 00:09:46.131 organization, business model, financial health, and program risks. 00:09:46.631 --> 00:09:50.571 In order to tailor controls to mitigate risks posed by a third-party, credit 00:09:50.571 --> 00:09:54.871 unions must have an understanding of a prospective third-party’s responsibilities 00:09:55.091 --> 00:09:58.951 and all of the processes involved with prospective third-party programs. 00:09:59.421 --> 00:10:03.381 Examiners should consider the adequacy of due diligence in the areas below, 00:10:03.521 --> 00:10:08.221 given credit unions’ risk profiles, internal controls, and overall complexity. 00:10:08.651 --> 00:10:11.881 Due diligence should be tailored to the complexity of the third-party 00:10:11.881 --> 00:10:15.811 relationship and may consist of reasonable alternative procedures to 00:10:15.811 --> 00:10:18.091 accomplish acceptable risk mitigation. 00:10:18.567 --> 00:10:22.397 It is also important for credit unions to understand how a third-party has 00:10:22.397 --> 00:10:26.577 performed in other relationships before entering into a third-party arrangement. 00:10:27.097 --> 00:10:31.197 Credit unions should request referrals from the prospective third-party’s clients 00:10:31.197 --> 00:10:34.927 to determine their satisfaction and experience with the proposed arrangement. 00:10:35.317 --> 00:10:38.807 Credit unions should also review and consider any lawsuits or 00:10:38.807 --> 00:10:42.467 legal proceedings involving the third-party or its principals. 00:10:42.747 --> 00:10:46.817 Additionally, credit unions should ensure that third parties or their agents have 00:10:46.817 --> 00:10:51.007 any required licenses or certifications, and that they remain current for 00:10:51.007 --> 00:10:52.447 the duration of the arrangement. 00:10:52.877 --> 00:10:56.787 Finally, sources of information such as the Better Business Bureau, Federal 00:10:56.787 --> 00:11:00.617 Trade Commission, credit reporting agencies, state consumer affairs 00:11:00.617 --> 00:11:04.937 offices, or state attorney general offices may also offer insight to a 00:11:05.057 --> 00:11:06.887 third-party’s business reputation. 00:11:07.302 --> 00:11:08.172 Business Model 00:11:08.644 --> 00:11:12.234 New business models often emerge due to changes in the regulatory, 00:11:12.234 --> 00:11:14.694 technological, or economic environment. 00:11:15.094 --> 00:11:19.364 When evaluating a prospective third-party arrangement, credit union officials should 00:11:19.364 --> 00:11:23.364 consider the longevity and adaptability of third-party business models. 00:11:23.804 --> 00:11:27.674 Some business models may be well suited for economic expansion, but 00:11:27.674 --> 00:11:29.824 untenable during economic recession. 00:11:30.244 --> 00:11:34.154 Since new business models are not time tested and have not experienced a 00:11:34.154 --> 00:11:38.834 complete economic cycle, they may present additional risks to a credit union. 00:11:39.064 --> 00:11:42.884 Likewise, longstanding business models that cannot easily adapt may 00:11:42.884 --> 00:11:47.224 not be sustainable in times of rapid technological or regulatory change. 00:11:47.733 --> 00:11:51.493 Before entering into a third-party arrangement, credit union officials 00:11:51.493 --> 00:11:54.503 should thoroughly understand the third-party’s business model. 00:11:55.093 --> 00:11:58.773 The third-party’s business model is simply the conceptual architecture 00:11:58.773 --> 00:12:02.353 or business logic employed to provide services to its clients. 00:12:02.813 --> 00:12:06.153 If the third-party’s business and marketing plans are available, 00:12:06.183 --> 00:12:07.613 officials should review them. 00:12:08.073 --> 00:12:11.963 Credit union officials should also understand and be able to explain the 00:12:11.963 --> 00:12:15.613 third-party’s role in the proposed arrangement and any processes for 00:12:15.613 --> 00:12:17.663 which the third-party is responsible. 00:12:17.963 --> 00:12:22.153 Examiners should assess credit union officials’ understanding and consideration 00:12:22.153 --> 00:12:26.413 of key third-party business models as an integral element of due diligence. 00:12:26.864 --> 00:12:30.014 Credit union officials should also understand the third-party’s 00:12:30.014 --> 00:12:33.654 sources of income and expense, considering any conflicts of 00:12:33.654 --> 00:12:37.124 interest that may exist between the third-party and the credit union. 00:12:37.564 --> 00:12:41.504 For example, if a third-party’s revenue stream is tied to the volume of loan 00:12:41.504 --> 00:12:45.904 originations rather than loan quality, its financial interest in underwriting 00:12:45.904 --> 00:12:49.714 as many loans as possible may conflict with the credit union’s interest 00:12:49.754 --> 00:12:51.894 in originating only quality loans. 00:12:52.344 --> 00:12:56.124 Credit unions should also identify any vendor related parties (such 00:12:56.124 --> 00:12:59.284 as subsidiaries, affiliates, or subcontractors) involved with the 00:12:59.284 --> 00:13:02.884 proposed arrangement and understand the purpose and function of each. 00:13:03.144 --> 00:13:06.874 Examiners should consider the potential effects of identified conflicts 00:13:06.874 --> 00:13:10.474 of interest and ensure officials mitigate risks where reasonable. 00:13:10.972 --> 00:13:11.852 Cash Flows 00:13:12.237 --> 00:13:15.527 Perhaps one of the most important considerations, when analyzing a 00:13:15.527 --> 00:13:19.537 potential third-party relationship, is the determination of how cash 00:13:19.537 --> 00:13:23.307 flows move between all parties in a proposed third-party arrangement. 00:13:23.807 --> 00:13:27.817 In addition to third-party fees, premiums, and claims receipts, many 00:13:27.877 --> 00:13:31.827 third-party arrangements include cash flows between the credit union, the 00:13:31.887 --> 00:13:34.037 third-party, and credit union members. 00:13:34.487 --> 00:13:38.787 Credit union officials should be able to explain how cash flows (both incoming 00:13:38.787 --> 00:13:42.827 and outgoing) move between the member, the third-party, and credit unions. 00:13:43.237 --> 00:13:46.717 Credit unions should also be able to independently verify the source 00:13:46.717 --> 00:13:50.517 of these cash flows and match them to related individual accounts. 00:13:50.827 --> 00:13:53.707 Examiners should ensure credit unions are tracking and 00:13:53.707 --> 00:13:55.907 identifying cash flows accurately. 00:13:56.362 --> 00:13:58.762 Financial and Operational Control Review 00:13:59.233 --> 00:14:03.143 Credit unions should carefully review the financial condition of third parties 00:14:03.363 --> 00:14:05.253 and their closely related affiliates. 00:14:05.653 --> 00:14:09.493 The financial statements of a third-party and its closely related affiliates 00:14:09.493 --> 00:14:13.473 should demonstrate an ability to fulfill the contractual commitments proposed. 00:14:13.903 --> 00:14:17.223 Credit unions should consider the financial statements with regard to 00:14:17.263 --> 00:14:21.643 outstanding commitments, capital strength, liquidity, and operating results. 00:14:22.003 --> 00:14:25.973 Additionally, credit unions should consider any potential off-balance sheet 00:14:25.973 --> 00:14:30.583 liabilities and the feasibility that the third-party or its affiliated parties can 00:14:30.583 --> 00:14:32.843 financially perform on such commitments. 00:14:33.249 --> 00:14:37.509 Audited and segmented financial statements or ratings from nationally recognized 00:14:37.509 --> 00:14:42.939 statistical rating organizations (N R S R O ratings) may be useful in periodically 00:14:42.939 --> 00:14:47.579 evaluating the overall financial health of a prospective or existing third-party. 00:14:48.071 --> 00:14:52.361 If available, officials may use copies of S A S seventy (Type II) reports 00:14:52.361 --> 00:14:56.591 prepared by an independent auditor, audit results, or regulatory reports 00:14:56.591 --> 00:15:00.401 to evaluate the adequacy of the proposed vendor’s internal controls. 00:15:00.831 --> 00:15:04.211 If these items are not available, credit unions should consider whether 00:15:04.211 --> 00:15:08.371 to require an independent review of the proposed vendor’s internal controls. 00:15:08.791 --> 00:15:12.441 Generally, contracts establish requirements for periodic audits 00:15:12.441 --> 00:15:14.561 or access to third-party records. 00:15:14.861 --> 00:15:18.921 Examiners should ensure credit unions have adequately reviewed the financial 00:15:18.921 --> 00:15:22.971 and internal control structure of the prospective third-party, considering 00:15:22.971 --> 00:15:27.301 credit unions’ risk profiles and the arrangement’s relationship to net worth. 00:15:27.774 --> 00:15:29.794 Contract Issues and Legal Review 00:15:30.265 --> 00:15:33.865 Contracts outlining third-party arrangements are often complex. 00:15:34.315 --> 00:15:38.205 Credit unions should take measures to ensure careful review and understanding 00:15:38.205 --> 00:15:41.835 of the contract and legal issues relevant to third-party arrangements. 00:15:42.285 --> 00:15:46.485 It is prudent to seek qualified external legal counsel to review prospective 00:15:46.555 --> 00:15:48.675 third-party arrangements and contracts. 00:15:49.145 --> 00:15:53.045 Any legal counsel consulted should be independent and have the experience 00:15:53.045 --> 00:15:57.445 or specialization necessary to review properly the arrangements and contracts. 00:15:57.856 --> 00:16:01.736 Typically, at a minimum, third-party contracts should address the following: 00:16:02.144 --> 00:16:05.954 Scope of arrangement, services offered, and activities authorized; 00:16:06.460 --> 00:16:09.990 Responsibilities of all parties (including subcontractor oversight); 00:16:10.474 --> 00:16:14.094 Service level agreements addressing performance standards and measures; 00:16:14.502 --> 00:16:17.102 Performance reports and frequency of reporting; 00:16:17.564 --> 00:16:19.384 Penalties for lack of performance; 00:16:19.820 --> 00:16:24.390 Ownership, control, maintenance and access to financial and operating records; 00:16:24.822 --> 00:16:26.422 Ownership of servicing rights; 00:16:26.886 --> 00:16:30.316 Audit rights and requirements (including responsibility for payment); 00:16:30.783 --> 00:16:34.713 Data security and member confidentiality (including testing and audit); 00:16:35.276 --> 00:16:37.696 Business resumption or contingency planning; 00:16:38.192 --> 00:16:38.912 Insurance; 00:16:39.296 --> 00:16:41.246 Member complaints and member service; 00:16:41.686 --> 00:16:44.246 Compliance with regulatory requirements (e.g. 00:16:44.736 --> 00:16:47.376 GLBA, Privacy, BSA, etcetera); 00:16:47.840 --> 00:16:49.230 Dispute resolution; and 00:16:49.765 --> 00:16:52.235 Default, termination, and escape clauses. 00:16:52.699 --> 00:16:56.659 Of particular importance, credit unions should exercise their right to negotiate 00:16:56.659 --> 00:17:00.419 contract terms with third parties for mutually beneficial contracts. 00:17:00.839 --> 00:17:04.429 For example, some credit unions have entered into third-party agreements 00:17:04.429 --> 00:17:08.579 with significant buyout or termination penalties, believing the penalties or 00:17:08.579 --> 00:17:10.829 fees were standard or non-negotiable. 00:17:11.409 --> 00:17:16.129 In many cases, early termination, escape clause, and default terms are negotiable. 00:17:16.589 --> 00:17:20.179 Credit union officials should ensure that any contract terms agreed 00:17:20.179 --> 00:17:23.829 to would not adversely affect the credit union’s safety and soundness, 00:17:23.889 --> 00:17:25.879 regardless of contract performance. 00:17:26.257 --> 00:17:29.497 In addition to a legal review of contracts and written agreements 00:17:29.497 --> 00:17:33.387 relevant to a prospective third-party arrangement, it may be prudent for 00:17:33.387 --> 00:17:37.557 credit unions to obtain a legal opinion about any services provided by the 00:17:37.557 --> 00:17:39.207 third-party under the arrangement. 00:17:39.527 --> 00:17:43.857 For example, if a third-party is engaged to perform loan collections for the credit 00:17:43.857 --> 00:17:48.317 union, a legal review of their collection methods may be prudent to ensure debt 00:17:48.317 --> 00:17:53.097 collection and reporting practices comply with applicable state and federal laws. 00:17:53.577 --> 00:17:57.147 Credit unions should ensure compliance with state and federal laws and 00:17:57.147 --> 00:18:00.867 regulations, and contractually bind the third-party to compliance 00:18:00.867 --> 00:18:02.357 with applicable laws (i.e. 00:18:02.637 --> 00:18:06.037 Regulation B, Regulation Z, HMDA, etcetera). 00:18:06.397 --> 00:18:10.507 Since credit unions may ultimately be responsible for consumer compliance 00:18:10.507 --> 00:18:14.447 violations committed by their agents, credit unions should be familiar with 00:18:14.447 --> 00:18:18.607 the third-party’s internal controls for ensuring regulatory compliance and 00:18:18.607 --> 00:18:20.727 adherence to agreed upon practices. 00:18:21.249 --> 00:18:22.659 Accounting Considerations 00:18:23.081 --> 00:18:26.331 Credit unions should consider that third-party relationships might 00:18:26.331 --> 00:18:27.921 create accounting complexities. 00:18:28.341 --> 00:18:31.431 Credit unions must have adequate accounting infrastructures to 00:18:31.431 --> 00:18:34.901 appropriately track, identify, and classify transactions in 00:18:34.901 --> 00:18:37.971 accordance with Generally Accepted Accounting Principles (GAAP). 00:18:38.521 --> 00:18:42.781 Credit unions often develop third-party arrangements to outsource new products 00:18:42.781 --> 00:18:46.581 or functions, and may not have experience in accounting for the particulars 00:18:46.581 --> 00:18:48.491 of those new products or functions. 00:18:48.871 --> 00:18:52.691 Conversely, although credit unions may be familiar with the accounting rules 00:18:52.691 --> 00:18:56.721 for a given function, the nature of a third-party arrangement may change 00:18:56.721 --> 00:18:58.591 the required accounting procedures. 00:18:59.021 --> 00:19:03.131 In some instances, a certified public accountant’s guidance may be necessary 00:19:03.131 --> 00:19:05.061 to ensure proper accounting treatment. 00:19:05.491 --> 00:19:08.491 A credit union’s audit scope should provide for independent 00:19:08.491 --> 00:19:12.091 reviews of third-party arrangements and associated activities. 00:19:12.311 --> 00:19:16.361 Examiners should ensure credit unions have considered the accounting implications 00:19:16.361 --> 00:19:20.191 of new products or services introduced through third-party arrangements. 00:19:20.556 --> 00:19:24.426 Risk Measurement, Monitoring and Control of Third-party Relationships 00:19:24.840 --> 00:19:28.610 In addition to careful due diligence when entering third-party arrangements, 00:19:28.730 --> 00:19:33.140 credit unions must establish ongoing expectations and limitations, compare 00:19:33.140 --> 00:19:37.550 program performance to expectations, and ensure all parties to the arrangement 00:19:37.550 --> 00:19:39.400 are fulfilling their responsibilities. 00:19:39.950 --> 00:19:44.530 Third-party arrangements and risk profiles will vary; thus, credit unions should 00:19:44.530 --> 00:19:48.810 tailor risk mitigation efforts to the specific nature of considered programs, 00:19:49.100 --> 00:19:53.860 the materiality of risks identified, and the credit union’s overall complexity. 00:19:54.140 --> 00:19:57.920 Examiners should consider the adequacy of the credit union’s policies, 00:19:57.970 --> 00:20:01.250 risk measurement, and monitoring in light of the same factors. 00:20:01.718 --> 00:20:03.208 Policies and Procedures 00:20:03.680 --> 00:20:07.590 Credit unions should develop detailed policy guidance sufficient to outline 00:20:07.590 --> 00:20:11.560 expectations and limit risks originating from third-party arrangements. 00:20:12.000 --> 00:20:15.310 Policies and procedures should outline staff responsibilities 00:20:15.310 --> 00:20:18.870 and authorities for third-party processes and program oversight. 00:20:19.290 --> 00:20:22.320 Additionally, policy guidance should define the content and 00:20:22.320 --> 00:20:25.760 frequency of reporting to credit union management and officials. 00:20:26.100 --> 00:20:30.220 Credit unions should also establish program limitations to control the pace 00:20:30.220 --> 00:20:34.310 of program growth and allow time to develop experience with the program. 00:20:34.820 --> 00:20:39.170 For example, credit unions participating in third-party loan programs should 00:20:39.170 --> 00:20:43.660 initially limit the volume of loans granted in order to identify any problems 00:20:43.660 --> 00:20:47.900 with the third-party process prior to the volume of loans becoming significant. 00:20:48.375 --> 00:20:50.045 Risk Measurement and Monitoring 00:20:50.528 --> 00:20:54.298 Credit unions must be able to measure the risks of third-party programs, 00:20:54.588 --> 00:20:58.128 but also the performance of third parties in terms of profitability, 00:20:58.128 --> 00:20:59.928 benefit, and service delivery. 00:21:00.278 --> 00:21:04.648 For example, credit unions outsourcing loan servicing functions should be able to 00:21:04.648 --> 00:21:09.388 identify individual loan characteristics, repayment histories, repayment methods, 00:21:09.458 --> 00:21:14.068 delinquency status, and any loan file maintenance relative to serviced loans. 00:21:14.348 --> 00:21:18.438 To the extent that credit unions rely on the third-party to provide this type of 00:21:18.438 --> 00:21:22.508 measurement information, clear controls should be contractually established and 00:21:22.508 --> 00:21:27.118 subject to periodic independent testing to ensure the accuracy of the information. 00:21:27.498 --> 00:21:30.978 Examiners should ensure that credit unions are measuring the performance 00:21:30.978 --> 00:21:34.968 of third-party arrangements and periodically verifying the accuracy 00:21:34.968 --> 00:21:38.848 of any information provided to them by a third-party or its affiliate. 00:21:39.350 --> 00:21:42.730 Credit unions engaging in third-party relationships must have an 00:21:42.730 --> 00:21:46.520 infrastructure (in example staffing, equipment, technology, etcetera) 00:21:46.520 --> 00:21:49.950 sufficient to monitor the performance of third-party arrangements. 00:21:50.410 --> 00:21:54.990 In many cases, credit unions outsource processes or functions due to a lack of 00:21:54.990 --> 00:21:57.170 internal infrastructure or experience. 00:21:57.630 --> 00:22:01.130 However, outsourcing processes or functions does not eliminate 00:22:01.130 --> 00:22:04.380 credit union responsibility for the safety and soundness of 00:22:04.380 --> 00:22:06.150 those processes and functions. 00:22:06.510 --> 00:22:10.050 Examiners should ensure officials demonstrate the knowledge, skills, 00:22:10.050 --> 00:22:14.150 and abilities necessary to monitor and control third-party arrangements. 00:22:14.543 --> 00:22:16.283 Control Systems and Reporting 00:22:16.712 --> 00:22:20.042 After credit unions have conducted internal risk assessments and 00:22:20.042 --> 00:22:23.652 due diligence over prospective third parties, they must implement 00:22:23.652 --> 00:22:27.272 on-going controls over third-party arrangements to mitigate risks. 00:22:27.712 --> 00:22:31.622 While control systems need not be elaborate for less complex third-party 00:22:31.622 --> 00:22:35.492 arrangements, credit unions are ultimately responsible for establishing 00:22:35.492 --> 00:22:39.662 internal controls and audit functions reasonably sufficient to assure them 00:22:39.662 --> 00:22:43.692 that third parties are appropriately safeguarding member assets, producing 00:22:43.692 --> 00:22:47.542 reliable reports, and following the terms of the third-party arrangement. 00:22:48.012 --> 00:22:52.042 Additionally, credit unions should tailor internal controls as necessary 00:22:52.042 --> 00:22:56.162 to ensure staff observes policy guidance for third-party relationships. 00:22:56.522 --> 00:23:00.192 Examiners should ensure credit unions have ongoing risk management 00:23:00.192 --> 00:23:03.922 procedures with regard to any material third-party relationship. 00:23:04.373 --> 00:23:08.133 Designated credit union staff should be qualified and responsible for 00:23:08.133 --> 00:23:12.193 continued monitoring and oversight of third-party arrangements, exhibiting 00:23:12.193 --> 00:23:16.343 familiarity with and understanding of the reports available from the third-party. 00:23:16.723 --> 00:23:19.873 Responsible staff should measure the performance of third-party 00:23:19.873 --> 00:23:23.703 programs in relation to credit union policy guidance, contractual 00:23:23.703 --> 00:23:25.473 commitments, and service levels. 00:23:25.943 --> 00:23:29.553 Credit unions should implement quality control procedures to review the 00:23:29.553 --> 00:23:32.043 performance of third parties periodically. 00:23:32.303 --> 00:23:36.103 Credit union officials should receive periodic reports on the performance 00:23:36.103 --> 00:23:38.413 of all material third-party programs. 00:23:38.793 --> 00:23:42.613 Examiners should ensure controls are in place, and that management and 00:23:42.613 --> 00:23:46.943 officials receive periodic reports with information sufficient to assist them in 00:23:46.943 --> 00:23:51.543 evaluating the performance of the overall arrangement and the adequacy of reserves. 00:23:51.842 --> 00:23:52.432 Summary 00:23:52.919 --> 00:23:56.069 Third-party relationships can be invaluable to credit unions 00:23:56.069 --> 00:23:57.539 and credit union members. 00:23:57.999 --> 00:24:01.499 Properly managed third-party relationships can allow credit unions 00:24:01.499 --> 00:24:04.959 to accomplish strategic objectives through increased member service, 00:24:04.999 --> 00:24:07.139 competitiveness, and economies of scale. 00:24:07.649 --> 00:24:10.999 However, outsourcing critical business functions increases the 00:24:10.999 --> 00:24:12.819 risk inherent in those functions. 00:24:13.209 --> 00:24:17.299 Credit unions are responsible for safeguarding member assets and ensuring 00:24:17.299 --> 00:24:21.359 sound operations irrespective of whether or not a third-party is involved. 00:24:21.709 --> 00:24:25.659 Smaller or less complex credit unions may have to develop alternative 00:24:25.659 --> 00:24:27.779 methods of accomplishing due diligence. 00:24:28.149 --> 00:24:32.159 Examiners should ensure credit unions adequately address risk assessment, 00:24:32.359 --> 00:24:36.539 planning, due diligence, risk measurement, risk monitoring, and controls when 00:24:36.539 --> 00:24:38.729 involved in third-party relationships. 00:24:39.153 --> 00:24:39.873 APPENDIX A 00:24:40.381 --> 00:24:43.171 Third-party Relationships- Areas for Consideration 00:24:43.628 --> 00:24:45.218 Risk Assessment and Planning 00:24:45.688 --> 00:24:46.168 Planning 00:24:46.650 --> 00:24:49.530 Third-party arrangements should be synchronized with strategic 00:24:49.530 --> 00:24:52.970 plans, business plans, and credit unions’ philosophies. 00:24:53.371 --> 00:24:54.301 Risk Assessment 00:24:54.774 --> 00:24:58.434 Dynamic process should consider the seven areas of risk as well as 00:24:58.434 --> 00:25:02.714 expectations of the arrangement, staff expertise, criticality of function, 00:25:02.794 --> 00:25:07.204 cost-benefit, insurance requirements, member impact, and exit strategy. 00:25:07.742 --> 00:25:09.032 Financial Projections 00:25:09.436 --> 00:25:12.626 Return on investment should be estimated considering revenue, 00:25:12.626 --> 00:25:16.886 direct costs, indirect costs, fees, and likely cash flow stream. 00:25:17.286 --> 00:25:20.656 Return should be considered relative to the credit unions’ strategic 00:25:20.656 --> 00:25:23.126 plans and asset-liability frameworks. 00:25:23.492 --> 00:25:24.382 Due Diligence 00:25:24.722 --> 00:25:25.632 Background Check 00:25:26.139 --> 00:25:30.059 Credit unions should consider references, prior performance, licensing 00:25:30.059 --> 00:25:33.839 and certification, and any legal proceedings involving prospective 00:25:33.839 --> 00:25:37.579 third parties, key individuals of the third-party’s organization. 00:25:37.869 --> 00:25:41.169 Credit unions should also consider third-party motivations. 00:25:41.605 --> 00:25:42.425 Business Model 00:25:42.937 --> 00:25:47.167 Credit unions must understand business logic of the third-party arrangement and 00:25:47.167 --> 00:25:51.527 business model, as well as third-party processes and related affiliates. 00:25:51.912 --> 00:25:52.812 Cash Flows 00:25:53.237 --> 00:25:56.587 Credit unions must demonstrate an understanding of incoming and 00:25:56.587 --> 00:26:00.657 outgoing cash flows, and be able to independently verify sources of 00:26:00.657 --> 00:26:03.007 cash flows in third-party programs. 00:26:03.372 --> 00:26:05.672 Financial and Operation Control Review 00:26:06.180 --> 00:26:10.190 Credit unions must review the overall financial condition of third parties 00:26:10.420 --> 00:26:14.650 and their closely related affiliates, as well as the state of operational controls 00:26:14.650 --> 00:26:16.510 in the third-party’s business model. 00:26:17.012 --> 00:26:19.022 Contract Issues and Legal Review 00:26:19.474 --> 00:26:22.694 Credit unions should generally have legal counsel with appropriate 00:26:22.694 --> 00:26:26.664 expertise and experience review contracts and third-party arrangements 00:26:26.664 --> 00:26:30.284 to ensure equitable contracts and compliance with applicable state 00:26:30.334 --> 00:26:32.324 and federal laws and regulations. 00:26:32.746 --> 00:26:34.126 Accounting Considerations 00:26:34.568 --> 00:26:38.588 Credit unions should be prepared for potential accounting complexity and may 00:26:38.588 --> 00:26:42.908 need a CPA opinion on accounting for third-party relationship activities. 00:26:43.315 --> 00:26:45.605 Risk Measurement, Monitoring and Control 00:26:46.027 --> 00:26:48.297 Staff Oversight and Quality Control 00:26:48.777 --> 00:26:53.077 Credit unions should have qualified staff designated to oversee and control the 00:26:53.077 --> 00:26:55.417 quality of the third-party relationships. 00:26:55.856 --> 00:26:57.336 Policies and Procedures 00:26:57.808 --> 00:27:01.548 Policy guidance must be in place and sufficient to control the risks 00:27:01.548 --> 00:27:03.158 of the third-party relationship. 00:27:03.788 --> 00:27:07.538 Policy guidance should address responsibilities, oversight, program 00:27:07.538 --> 00:27:11.328 and portfolio limitations, and content and frequency of reporting. 00:27:11.748 --> 00:27:13.158 Monitoring and Reporting 00:27:13.637 --> 00:27:17.287 Adequate infrastructure is required to support monitoring and reporting 00:27:17.327 --> 00:27:19.077 outlined in policy guidance. 00:27:19.607 --> 00:27:23.327 Credit unions should be able to measure and verify the performance of third 00:27:23.327 --> 00:27:25.377 parties and third-party programs. 00:27:25.838 --> 00:27:26.638 APPENDIX B 00:27:27.073 --> 00:27:28.213 List of Resources 00:27:28.601 --> 00:27:32.061 The resources listed in the letter are too numerous to list here. 00:27:32.511 --> 00:27:35.451 Refer to NCU A’s website for these details. 00:27:35.920 --> 00:27:39.690 This concludes the NCU A Letter to credit unions on Evaluating 00:27:39.720 --> 00:27:41.210 Third-party Relationships 00:27:41.553 --> 00:27:45.653 If your Credit union could use assistance with your exam, reach out to Mark Treichel 00:27:45.653 --> 00:27:48.353 on LinkedIn, or at mark Treichel dot com. 00:27:48.843 --> 00:27:51.473 This is Samantha Shares and we Thank you for listening.