WEBVTT NOTE This file was generated by Descript 00:00:07.993 --> 00:00:09.763 Hello, this is Samantha Shares. 00:00:10.263 --> 00:00:13.653 This episode covers NCUA's letter to Credit Union's No. 00:00:13.653 --> 00:00:18.093 07 CU 13 titled Evaluating Third Party Relationships. 00:00:18.663 --> 00:00:22.103 This letter is often cited as support for document of resolution 00:00:22.123 --> 00:00:24.593 items in NCUA exam reports. 00:00:24.993 --> 00:00:28.743 The following is an audio version of that advisory and the press release. 00:00:29.243 --> 00:00:32.473 This podcast is educational and is not legal advice. 00:00:32.783 --> 00:00:37.365 We are sponsored by Credit Union Exam Solutions, Inc., whose team has 00:00:37.365 --> 00:00:41.793 over 240 years of national credit union administration experience. 00:00:42.183 --> 00:00:45.893 We assist our clients with NCUA so they save time and money. 00:00:46.263 --> 00:00:50.243 If you are worried about a recent, upcoming, or in process NCUA 00:00:50.243 --> 00:00:54.123 examination, reach out to learn how they can assist at marktreichel. 00:00:54.133 --> 00:00:54.503 com. 00:00:54.943 --> 00:00:58.953 Also check out our other podcast called With Flying Colors, where we provide 00:00:58.973 --> 00:01:01.883 tips on how to achieve success with NCUA. 00:01:02.278 --> 00:01:03.228 And now the letter. 00:01:03.688 --> 00:01:05.128 Third party relationships. 00:01:05.518 --> 00:01:09.268 In recent years, credit unions have increasingly developed third party 00:01:09.268 --> 00:01:13.188 relationships to meet strategic objectives and enhance member services. 00:01:13.708 --> 00:01:17.028 Properly managed and controlled third party relationships provide 00:01:17.028 --> 00:01:20.738 a wide range of potential benefits to credit unions and their members. 00:01:21.208 --> 00:01:24.668 Many credit unions have utilized third party arrangements to gain 00:01:24.678 --> 00:01:28.658 expertise, realize economies of scale, or even reach new members. 00:01:29.148 --> 00:01:33.278 Leveraging the talents and experience of third parties can assist credit unions 00:01:33.288 --> 00:01:36.828 in meeting their members needs while accomplishing their strategic goals. 00:01:37.398 --> 00:01:40.618 In some cases, third party relationships are critical to the 00:01:40.638 --> 00:01:42.798 ongoing success of a credit union. 00:01:43.268 --> 00:01:46.958 Credit unions taking the time to properly evaluate and cultivate their 00:01:46.958 --> 00:01:51.508 participation in third party arrangements can experience a high degree of success. 00:01:51.918 --> 00:01:55.328 Collaboration with third parties has become more prevalent in credit 00:01:55.328 --> 00:01:59.418 unions due to increasing complexity of services and competitive pressures. 00:01:59.988 --> 00:02:02.938 In some third party arrangements, credit unions surrender 00:02:02.938 --> 00:02:04.902 directly Twenty one minute crud. 00:02:04.902 --> 00:02:06.112 Twenty minute video. 00:02:06.112 --> 00:02:11.358 So, all these individuals are sick, and the So immediately get them back 00:02:11.358 --> 00:02:14.586 to work as soon as they can, okay? 00:02:14.586 --> 00:02:17.410 See you on the 12th of June. 00:02:17.410 --> 00:02:20.638 It's so special for them, working with them. 00:02:21.198 --> 00:02:23.928 These relationships may present and how to manage them. 00:02:24.448 --> 00:02:28.118 As credit unions seek to manage risk, they should carefully consider the 00:02:28.118 --> 00:02:31.748 correlation between their level of control over business functions and 00:02:31.748 --> 00:02:33.668 the potential for compounding risks. 00:02:34.078 --> 00:02:37.768 Credit unions maintaining complete control over all functions may be 00:02:37.768 --> 00:02:39.988 operationally or financially inefficient. 00:02:40.513 --> 00:02:43.933 Credit unions outsourcing functions without the appropriate level 00:02:43.933 --> 00:02:47.333 of due diligence and oversight may be taking on undue risk. 00:02:47.743 --> 00:02:52.063 Ultimately, credit unions are responsible for safeguarding member assets and 00:02:52.063 --> 00:02:56.573 ensuring sound operations irrespective of whether or not a third party is involved. 00:02:57.023 --> 00:03:00.403 Outsourcing complete control over one or more business functions 00:03:00.403 --> 00:03:03.863 to a third party amplifies the risks inherent in those functions. 00:03:04.473 --> 00:03:08.413 Additionally, credit unions trading direct control over business functions 00:03:08.423 --> 00:03:12.523 for third party program benefits may expose themselves to a full range of 00:03:12.523 --> 00:03:16.833 risks, including credit, interest rate, liquidity, transaction, compliance, 00:03:16.843 --> 00:03:18.913 strategic, and reputation risks. 00:03:19.373 --> 00:03:22.843 Credit unions must complete the due diligence necessary to ensure the 00:03:22.843 --> 00:03:26.553 risks undertaken in a third party relationship are acceptable in 00:03:26.553 --> 00:03:27.633 relation to their risk management. 00:03:27.648 --> 00:03:30.458 Profile and safety and soundness requirements. 00:03:30.818 --> 00:03:35.058 Less complex risk profiles and third party arrangements typically require 00:03:35.058 --> 00:03:37.058 less analysis and documentation. 00:03:37.458 --> 00:03:40.918 Further, where credit unions have a long standing and tested history 00:03:40.918 --> 00:03:44.918 of participating in a given third party relationship, less analysis is 00:03:44.918 --> 00:03:46.818 required to renew the relationship. 00:03:47.238 --> 00:03:50.498 Risks may be mitigated, transferred, avoided or accepted. 00:03:51.083 --> 00:03:52.993 However, they are rarely eliminated. 00:03:53.453 --> 00:03:57.063 The risk management process involves identifying and making informed 00:03:57.063 --> 00:03:59.063 decisions about how to address risk. 00:03:59.493 --> 00:04:03.183 One of the best ways to employ the risk management process is to start 00:04:03.183 --> 00:04:05.423 small and gain experience over time. 00:04:06.003 --> 00:04:10.343 Less complex credit unions unfamiliar with analyzing third party arrangements 00:04:10.383 --> 00:04:14.733 may utilize this risk management approach by entering third party relationships 00:04:14.733 --> 00:04:18.633 with small, well defined goals and expanding their exposure to third 00:04:18.633 --> 00:04:20.983 party risks as their experience grows. 00:04:21.378 --> 00:04:25.898 When evaluating third party arrangements, examiners should ensure credit unions 00:04:25.898 --> 00:04:29.118 have addressed the following concepts in a manner commensurate with their 00:04:29.118 --> 00:04:31.588 size, complexity, and risk profile. 00:04:32.048 --> 00:04:36.508 Risk assessment and planning, due diligence, and risk measurement, 00:04:36.548 --> 00:04:37.968 monitoring, and control. 00:04:38.378 --> 00:04:40.878 The remainder of this supervisory letter outlines 00:04:40.878 --> 00:04:42.678 considerations for these concepts. 00:04:43.393 --> 00:04:47.283 The considerations discussed are not an exhaustive list of all possible 00:04:47.283 --> 00:04:51.213 risk mitigation procedures, but a representation of the considerations 00:04:51.213 --> 00:04:55.773 necessary when credit unions engage in significant third party relationships. 00:04:56.243 --> 00:05:00.173 The depth and breadth of due diligence required depends upon a credit union's 00:05:00.173 --> 00:05:02.483 complexity and risk management process. 00:05:02.788 --> 00:05:07.078 Smaller or less complex credit unions may develop alternative methods of 00:05:07.078 --> 00:05:11.578 accomplishing due diligence, while credit unions utilizing a time tested third 00:05:11.578 --> 00:05:15.668 party relationship may already have addressed these considerations over time. 00:05:16.138 --> 00:05:18.968 Risk Assessment and Planning Considerations for Third 00:05:18.968 --> 00:05:20.168 Party Relationships. 00:05:20.598 --> 00:05:24.158 Credit union officials are responsible for planning, directing, and 00:05:24.158 --> 00:05:26.168 controlling the credit union's affairs. 00:05:26.738 --> 00:05:30.288 Risk assessment and due diligence for third party relationships is 00:05:30.288 --> 00:05:33.498 an important part of officials fiduciary responsibilities. 00:05:33.868 --> 00:05:37.918 Examiners should consider the following elements in evaluating the adequacy of 00:05:37.918 --> 00:05:42.498 credit union's risk assessment and due diligence over third party relationships. 00:05:42.998 --> 00:05:45.008 Planning an Initial Risk Assessment. 00:05:45.463 --> 00:05:49.023 Before entering into a third party relationship, officials should 00:05:49.023 --> 00:05:52.103 determine whether the relationship complements their credit union's 00:05:52.123 --> 00:05:53.923 overall mission and philosophy. 00:05:54.383 --> 00:05:57.653 Officials should document how the relationship will relate to their credit 00:05:57.663 --> 00:06:01.993 union's strategic plan, considering long term goals, objectives, and 00:06:01.993 --> 00:06:03.693 resource allocation requirements. 00:06:04.308 --> 00:06:08.388 Officials should design action plans to achieve short term and long term 00:06:08.388 --> 00:06:12.468 objectives in support of strategic planning for new third party arrangements. 00:06:12.688 --> 00:06:16.808 All planning should contain measurable, achievable goals and clearly define 00:06:16.808 --> 00:06:18.978 levels of authority and responsibility. 00:06:19.443 --> 00:06:23.523 Additionally, officials should weigh the risks and benefits of outsourcing business 00:06:23.523 --> 00:06:27.453 functions with the risks and benefits of maintaining those functions in house. 00:06:27.953 --> 00:06:31.383 In order to demonstrate an understanding of a third party relationship's 00:06:31.393 --> 00:06:35.223 risk, the officials must clearly understand the credit union's strengths 00:06:35.223 --> 00:06:38.663 and weaknesses in relation to the arrangement under consideration. 00:06:39.178 --> 00:06:42.798 Credit unions should complete a risk assessment prior to engaging in a 00:06:42.798 --> 00:06:47.538 third party relationship to assess what internal changes, if any, will be required 00:06:47.548 --> 00:06:49.418 to safely and soundly participate. 00:06:50.098 --> 00:06:54.198 Risk assessments are a dynamic process rather than a static process 00:06:54.378 --> 00:06:57.828 and should be an ongoing part of a broader risk management strategy. 00:06:58.208 --> 00:07:02.168 Credit unions initial risk assessments for a third party relationship should 00:07:02.168 --> 00:07:07.018 consider all seven risk areas credit, interest rate, liquidity, transaction, 00:07:07.038 --> 00:07:11.438 compliance, strategic, and reputation, and more specifically the following. 00:07:11.888 --> 00:07:14.098 Expectations for outsource functions. 00:07:14.568 --> 00:07:18.218 Credit unions should clearly define the nature and scope of their needs. 00:07:18.228 --> 00:07:18.288 Thank you. 00:07:18.653 --> 00:07:20.583 Which needs will the third party meet? 00:07:21.003 --> 00:07:24.053 Will the third party be responsible for desired results? 00:07:24.343 --> 00:07:25.233 To what extent? 00:07:25.533 --> 00:07:26.753 Staff expertise. 00:07:27.143 --> 00:07:31.933 Is credit union staff qualified to manage and monitor the third party relationship? 00:07:32.333 --> 00:07:35.053 How much reliance on the third party will be necessary? 00:07:35.403 --> 00:07:36.193 Criticality. 00:07:36.673 --> 00:07:39.303 How important is the activity to be outsourced? 00:07:39.633 --> 00:07:41.493 Is the activity mission critical? 00:07:41.763 --> 00:07:43.573 What other alternatives exist? 00:07:43.873 --> 00:07:46.433 Risk reward or cost benefit relationships. 00:07:46.993 --> 00:07:49.523 Does the potential benefit of the arrangement outweigh 00:07:49.523 --> 00:07:51.363 the potential risks or costs? 00:07:51.763 --> 00:07:53.223 Will this change over time? 00:07:53.543 --> 00:07:54.313 Insurance. 00:07:54.663 --> 00:07:57.153 Will the arrangement create additional liabilities? 00:07:57.433 --> 00:08:00.453 Is credit union insurance coverage sufficient to cover the 00:08:00.453 --> 00:08:02.383 potentially increased liabilities? 00:08:02.793 --> 00:08:06.473 Will the third party carry key man insurance or other insurance 00:08:06.473 --> 00:08:07.913 to protect the credit union? 00:08:08.263 --> 00:08:09.543 Impact on membership. 00:08:10.013 --> 00:08:13.443 How will officials gauge the positive or negative impacts of the 00:08:13.443 --> 00:08:15.383 arrangement on credit union members? 00:08:15.813 --> 00:08:18.023 How will they manage member expectations? 00:08:18.363 --> 00:08:19.343 Exit strategy. 00:08:19.733 --> 00:08:23.553 Is there a reasonable way out of the relationship if it becomes necessary 00:08:23.553 --> 00:08:25.103 to change course in the future? 00:08:25.643 --> 00:08:29.523 Is there another party that can provide any services officials deem critical? 00:08:30.023 --> 00:08:33.933 Risk assessments for less complex third party arrangements may be part 00:08:33.933 --> 00:08:37.913 of a broader risk management program or documented in board minutes. 00:08:38.303 --> 00:08:39.663 Financial projections. 00:08:40.003 --> 00:08:44.273 In evaluating the cost benefit or risk reward of a third party relationship, 00:08:44.443 --> 00:08:47.953 credit unions should develop financial projections Outlining the range 00:08:47.953 --> 00:08:52.353 of expected and possible financial outcomes, credit unions should project 00:08:52.363 --> 00:08:55.753 a return on their investment in the proposed third party arrangement, 00:08:55.933 --> 00:08:59.893 considering expected revenues, direct costs, and indirect costs. 00:09:00.243 --> 00:09:03.813 For example, when outsourcing loan functions, credit unions should 00:09:03.813 --> 00:09:07.913 not only consider the expected loan yield, but also the potential effect 00:09:07.913 --> 00:09:11.603 of borrower repayments and third party fees on the overall return. 00:09:12.083 --> 00:09:15.643 Officials should evaluate financial projections in the context of their 00:09:15.673 --> 00:09:19.833 overall strategic plans and asset liability management framework before 00:09:19.833 --> 00:09:23.053 making a decision to participate in a third party arrangement. 00:09:23.483 --> 00:09:26.793 Examiners should evaluate these projections for reasonableness, 00:09:26.943 --> 00:09:31.043 considering historical performance, underlying assumptions, stated business 00:09:31.063 --> 00:09:35.243 plan objectives, and the complexity of the credit union's risk profile. 00:09:35.693 --> 00:09:39.303 Due Diligence for Third Party Relationships When considering 00:09:39.313 --> 00:09:43.013 third party relationships, proper due diligence includes developing a 00:09:43.013 --> 00:09:47.093 demonstrated understanding of a third party's organization, business model, 00:09:47.103 --> 00:09:49.223 financial health, and program risks. 00:09:49.703 --> 00:09:53.693 In order to tailor controls to mitigate risks posed by a third party, credit 00:09:53.703 --> 00:09:57.983 unions must have an understanding of a prospective third party's responsibilities 00:09:58.163 --> 00:10:02.073 and all of the processes involved with prospective third party programs. 00:10:02.513 --> 00:10:06.513 Examiners should consider the adequacy of due diligence in the areas below, 00:10:06.613 --> 00:10:11.353 given credit unions risk profiles, internal controls, and overall complexity. 00:10:11.743 --> 00:10:15.013 Due diligence should be tailored to the complexity of the third party 00:10:15.013 --> 00:10:18.923 relationship and may consist of reasonable alternative procedures to 00:10:18.923 --> 00:10:21.213 accomplish acceptable risk mitigation. 00:10:21.638 --> 00:10:25.518 It is also important for credit unions to understand how a third party has 00:10:25.518 --> 00:10:29.728 performed in other relationships before entering into a third party arrangement. 00:10:30.198 --> 00:10:34.308 Credit unions should request referrals from the prospective third party's clients 00:10:34.308 --> 00:10:38.048 to determine their satisfaction and experience with the proposed arrangement. 00:10:38.428 --> 00:10:41.958 Credit unions should also review and consider any lawsuits or 00:10:41.958 --> 00:10:45.548 legal proceedings involving the third party or its principals. 00:10:45.828 --> 00:10:49.958 Additionally, credit unions should ensure that third parties or their agents have 00:10:49.978 --> 00:10:54.138 any required licenses or certifications, and that they remain current for 00:10:54.138 --> 00:10:55.578 the duration of the arrangement. 00:10:55.958 --> 00:10:59.908 Finally, sources of information such as the Better Business Bureau, Federal 00:10:59.908 --> 00:11:03.728 Trade Commission, credit reporting agencies, state consumer affairs 00:11:03.738 --> 00:11:07.978 offices, or state attorney general offices, may also offer insight to 00:11:07.978 --> 00:11:09.998 a third party's business reputation. 00:11:10.398 --> 00:11:15.368 Business Model New business models often emerge due to changes in the regulatory, 00:11:15.398 --> 00:11:17.808 technological, or economic environment. 00:11:18.188 --> 00:11:22.478 When evaluating a prospective third party arrangement, credit union officials should 00:11:22.478 --> 00:11:26.458 consider the longevity and adaptability of third party business models. 00:11:26.928 --> 00:11:30.808 Some business models may be well suited for economic expansion, but 00:11:30.818 --> 00:11:32.928 untenable during economic recession. 00:11:33.378 --> 00:11:37.288 Since new business models are not time tested and have not experienced a 00:11:37.288 --> 00:11:41.888 complete economic cycle, they may present additional risks to a credit union. 00:11:42.148 --> 00:11:45.998 Likewise, long standing business models that cannot easily adapt may 00:11:45.998 --> 00:11:50.368 not be sustainable in times of rapid technological or regulatory change. 00:11:50.818 --> 00:11:54.638 Before entering into a third party arrangement, credit union officials 00:11:54.638 --> 00:11:57.638 should thoroughly understand the third party's business model. 00:11:58.178 --> 00:12:01.868 The third party's business model is simply the conceptual architecture 00:12:01.868 --> 00:12:05.428 or business logic employed to provide services to its clients. 00:12:05.888 --> 00:12:09.268 If the third party's business and marketing plans are available, 00:12:09.288 --> 00:12:10.718 officials should review them. 00:12:11.168 --> 00:12:14.918 Credit union officials should also understand and be able to explain the 00:12:14.918 --> 00:12:18.768 third party's role in the proposed arrangement and any processes for 00:12:18.768 --> 00:12:20.798 which the third party is responsible. 00:12:21.038 --> 00:12:25.248 Examiners should assess credit union officials understanding and consideration 00:12:25.248 --> 00:12:29.478 of key third party business models as an integral element of due diligence. 00:12:29.963 --> 00:12:33.193 Credit union officials should also understand the third party's 00:12:33.193 --> 00:12:36.783 sources of income and expense, considering any conflicts of 00:12:36.793 --> 00:12:40.233 interest that may exist between the third party and the credit union. 00:12:40.653 --> 00:12:44.593 For example, if a third party's revenue stream is tied to the volume of loan 00:12:44.603 --> 00:12:49.023 originations, rather than loan quality, its financial interest in underwriting 00:12:49.043 --> 00:12:52.803 as many loans as possible may conflict with the credit union's interest 00:12:52.813 --> 00:12:54.843 in originating only quality loans. 00:12:55.453 --> 00:12:59.223 Credit unions should also identify any vendor related parties, such 00:12:59.223 --> 00:13:02.403 as subsidiaries, affiliates, or subcontractors involved with the 00:13:02.403 --> 00:13:06.013 proposed arrangement and understand the purpose and function of each. 00:13:06.223 --> 00:13:09.953 Examiners should consider the potential effects of identified conflicts 00:13:09.953 --> 00:13:13.633 of interest and ensure officials mitigate risks where reasonable. 00:13:15.388 --> 00:13:18.648 Perhaps one of the most important considerations when analyzing a 00:13:18.648 --> 00:13:22.678 potential third party relationship is the determination of how cash 00:13:22.688 --> 00:13:26.398 flows move between all parties in a proposed third party arrangement. 00:13:26.858 --> 00:13:30.928 In addition to third party fees, premiums, and claims receipts, many 00:13:30.938 --> 00:13:34.948 third party arrangements include cash flows between the credit union, the 00:13:34.948 --> 00:13:37.108 third party, and credit union members. 00:13:37.588 --> 00:13:41.918 Credit union officials should be able to explain how cash flows both incoming 00:13:41.948 --> 00:13:45.938 and outgoing move between the member, the third party, and credit unions. 00:13:46.338 --> 00:13:49.798 Credit unions should also be able to independently verify the source 00:13:49.808 --> 00:13:53.628 of these cash flows and match them to related individual accounts. 00:13:53.918 --> 00:13:56.838 Examiners should ensure credit unions are tracking and 00:13:56.838 --> 00:13:59.048 identifying cash flows accurately. 00:13:59.498 --> 00:14:04.223 Financial and Operational Control Review Credit unions should carefully review 00:14:04.223 --> 00:14:08.343 the financial condition of third parties and their closely related affiliates. 00:14:08.733 --> 00:14:12.623 The financial statements of a third party and its closely related affiliates 00:14:12.623 --> 00:14:16.613 should demonstrate an ability to fulfill the contractual commitments proposed. 00:14:17.003 --> 00:14:20.243 Credit unions should consider the financial statements with regard 00:14:20.243 --> 00:14:22.643 to outstanding commitments, capital strength, and other factors. 00:14:23.603 --> 00:14:24.733 operating results. 00:14:25.083 --> 00:14:29.113 Additionally, credit unions should consider any potential off balance sheet 00:14:29.113 --> 00:14:33.713 liabilities and the feasibility that the third party or its affiliated parties can 00:14:33.713 --> 00:14:35.913 financially perform on such commitments. 00:14:36.353 --> 00:14:40.623 Audited and segmented financial statements or ratings from nationally recognized 00:14:40.623 --> 00:14:46.043 statistical rating organizations, NRSRO ratings, may be useful in periodically 00:14:46.043 --> 00:14:50.733 evaluating the overall financial health of a prospective or existing third party. 00:14:51.148 --> 00:14:55.468 If available, officials may use copies of SAS 70 Type Roman 2 reports 00:14:55.488 --> 00:14:59.688 prepared by an independent auditor, audit results, or regulatory reports 00:14:59.688 --> 00:15:03.498 to evaluate the adequacy of the proposed vendor's internal controls. 00:15:03.908 --> 00:15:07.328 If these items are not available, credit unions should consider whether 00:15:07.328 --> 00:15:11.478 to require an independent review of the proposed vendor's internal controls. 00:15:11.888 --> 00:15:15.518 Generally, contracts establish requirements for periodic audits 00:15:15.528 --> 00:15:17.588 or access to third party records. 00:15:17.938 --> 00:15:22.018 Examiners should ensure credit unions have adequately reviewed the financial 00:15:22.058 --> 00:15:26.108 and internal control structure of the prospective third party, considering 00:15:26.108 --> 00:15:30.368 credit unions risk profiles and the arrangement's relationship to net worth, 00:15:30.878 --> 00:15:32.868 contract issues, and legal review. 00:15:33.363 --> 00:15:36.973 Contracts outlining third party arrangements are often complex. 00:15:37.423 --> 00:15:41.323 Credit unions should take measures to ensure careful review and understanding 00:15:41.323 --> 00:15:44.953 of the contract and legal issues relevant to third party arrangements. 00:15:45.343 --> 00:15:49.603 It is prudent to seek qualified external legal counsel to review prospective 00:15:49.603 --> 00:15:51.783 third party arrangements and contracts. 00:15:52.213 --> 00:15:56.113 Any legal counsel consulted should be independent and have the experience 00:15:56.153 --> 00:16:00.523 or specialization necessary to review properly the arrangements and contracts. 00:16:00.943 --> 00:16:04.818 Typically, at a minimum, Third party contracts should address the following 00:16:05.238 --> 00:16:09.078 scope of arrangement, services offered and activities authorized 00:16:09.538 --> 00:16:14.358 responsibilities of all parties, including subcontractor oversight, service level 00:16:14.358 --> 00:16:18.228 agreements, addressing performance standards and measures, performance 00:16:18.228 --> 00:16:20.128 reports and frequency of reporting. 00:16:20.668 --> 00:16:24.838 Penalties for lack of performance, ownership, control, maintenance and 00:16:24.848 --> 00:16:29.538 access to financial and operating records, ownership of servicing rights, 00:16:29.968 --> 00:16:34.788 audit rights and requirements, including responsibility for payment, data security 00:16:34.808 --> 00:16:39.418 and member confidentiality, including testing and audit, business resumption 00:16:39.428 --> 00:16:44.308 or contingency planning, insurance, member complaints and member service. 00:16:44.778 --> 00:16:47.118 Compliance with regulatory requirements e. 00:16:47.118 --> 00:16:47.448 g. 00:16:47.828 --> 00:16:50.508 GLBA, Privacy, BSA, etc. 00:16:50.918 --> 00:16:55.368 Dispute resolution and default termination and escape clauses. 00:16:55.778 --> 00:16:59.778 Of particular importance, credit unions should exercise their right to negotiate 00:16:59.778 --> 00:17:03.388 contract terms with third parties for mutually beneficial contracts. 00:17:03.913 --> 00:17:07.533 For example, some credit unions have entered into third party agreements 00:17:07.533 --> 00:17:11.713 with significant buyout or termination penalties, believing the penalties or 00:17:11.713 --> 00:17:13.973 fees were standard or non negotiable. 00:17:14.483 --> 00:17:19.253 In many cases, early termination, escape clause, and default terms are negotiable. 00:17:19.693 --> 00:17:23.303 Credit union officials should ensure that any contract terms agreed 00:17:23.303 --> 00:17:26.953 to would not adversely affect the credit union's safety and soundness, 00:17:26.973 --> 00:17:28.923 regardless of contract performance. 00:17:29.328 --> 00:17:32.598 In addition to a legal review of contracts and written agreements 00:17:32.608 --> 00:17:36.498 relevant to a prospective third party arrangement, it may be prudent for 00:17:36.498 --> 00:17:40.708 credit unions to obtain a legal opinion about any services provided by the 00:17:40.708 --> 00:17:42.348 third party under the arrangement. 00:17:42.618 --> 00:17:46.938 For example, if a third party is engaged to perform loan collections for the credit 00:17:46.938 --> 00:17:51.438 union, a legal review of their collection methods may be prudent to ensure debt 00:17:51.438 --> 00:17:56.118 collection and reporting practices comply with applicable state and federal laws. 00:17:56.683 --> 00:17:59.373 Credit unions should ensure compliance with state and 00:17:59.373 --> 00:18:03.243 federal laws and regulations, and contractually bind the third party 00:18:03.243 --> 00:18:05.193 to compliance with applicable laws i. 00:18:05.233 --> 00:18:05.443 e. 00:18:05.733 --> 00:18:09.133 Regulation B, Regulation Z, HMDA, etc. 00:18:09.503 --> 00:18:13.603 Since credit unions may ultimately be responsible for consumer compliance 00:18:13.603 --> 00:18:17.603 violations committed by their agents, credit unions should be familiar with 00:18:17.603 --> 00:18:21.713 a third party's internal controls for ensuring regulatory compliance and 00:18:21.713 --> 00:18:23.823 adherence to agreed upon practices. 00:18:24.313 --> 00:18:27.838 Accounting Considerations Credit unions should consider that 00:18:27.838 --> 00:18:31.028 third party relationships might create accounting complexities. 00:18:31.438 --> 00:18:34.568 Credit unions must have adequate accounting infrastructures to 00:18:34.568 --> 00:18:38.018 appropriately track, identify, and classify transactions in 00:18:38.018 --> 00:18:41.108 accordance with generally accepted accounting principles GOP. 00:18:41.628 --> 00:18:45.908 Credit unions often develop third party arrangements to outsource new products 00:18:45.908 --> 00:18:49.688 or functions and may not have experience in accounting for the particulars 00:18:49.698 --> 00:18:51.458 of those new products or functions. 00:18:52.108 --> 00:18:55.788 Conversely, although credit unions may be familiar with the accounting rules 00:18:55.798 --> 00:18:59.848 for a given function, the nature of a third party arrangement may change 00:18:59.848 --> 00:19:01.668 the required accounting procedures. 00:19:02.088 --> 00:19:06.238 In some instances, a certified public accountant's guidance may be necessary 00:19:06.238 --> 00:19:08.148 to ensure proper accounting treatment. 00:19:08.558 --> 00:19:11.588 A credit union's audit scope should provide for independent 00:19:11.598 --> 00:19:15.188 reviews of third party arrangements and associated activities. 00:19:15.398 --> 00:19:19.448 Examiners should ensure credit unions have considered the accounting implications 00:19:19.448 --> 00:19:23.108 of new products or services introduced through third party arrangements. 00:19:23.648 --> 00:19:24.498 Risk measurement. 00:19:24.568 --> 00:19:27.528 Monitoring and control of third party relationships. 00:19:27.908 --> 00:19:31.718 In addition to careful due diligence when entering third party arrangements, 00:19:31.838 --> 00:19:36.268 credit unions must establish ongoing expectations and limitations, compare 00:19:36.268 --> 00:19:40.668 program performance to expectations, and ensure all parties to the arrangement 00:19:40.678 --> 00:19:42.528 are fulfilling their responsibilities. 00:19:42.963 --> 00:19:45.863 Third party arrangements and risk profiles will vary. 00:19:46.263 --> 00:19:50.223 Thus, credit unions should tailor risk mitigation efforts to the specific 00:19:50.223 --> 00:19:54.813 nature of considered programs, the materiality of risks identified, and 00:19:54.813 --> 00:19:56.983 the credit union's overall complexity. 00:19:57.223 --> 00:20:01.023 Examiners should consider the adequacy of the credit union's policies, 00:20:01.063 --> 00:20:04.263 risk measurement, and monitoring in light of the same factors. 00:20:04.828 --> 00:20:08.618 Policies and Procedures Credit unions should develop detailed 00:20:08.618 --> 00:20:13.108 policy guidance sufficient to outline expectations and limit risks originating 00:20:13.108 --> 00:20:14.668 from third party arrangements. 00:20:15.098 --> 00:20:18.398 Policies and procedures should outline staff responsibilities 00:20:18.398 --> 00:20:21.898 and authorities for third party processes and program oversight. 00:20:22.373 --> 00:20:25.423 Additionally, policy guidance should define the content and 00:20:25.423 --> 00:20:28.873 frequency of reporting to credit union management and officials. 00:20:29.203 --> 00:20:33.293 Credit unions should also establish program limitations to control the pace 00:20:33.293 --> 00:20:37.433 of program growth and allow time to develop experience with the program. 00:20:37.843 --> 00:20:42.293 For example, credit unions participating in third party loan programs should 00:20:42.293 --> 00:20:46.773 initially limit the volume of loans granted in order to identify any problems 00:20:46.773 --> 00:20:50.973 with the third party process prior to the volume of loans becoming significant. 00:20:51.463 --> 00:20:53.133 Risk measurement and monitoring. 00:20:53.643 --> 00:20:57.413 Credit unions must be able to measure the risks of third party programs, 00:20:57.683 --> 00:21:01.173 but also the performance of third parties in terms of profitability, 00:21:01.183 --> 00:21:03.013 benefit, and service delivery. 00:21:03.373 --> 00:21:07.763 For example, credit unions outsourcing loan servicing functions should be able to 00:21:07.763 --> 00:21:11.953 identify individual loan characteristics, repayment histories, repayment methods, 00:21:11.993 --> 00:21:17.053 delinquency status, and any loan file maintenance relative to service loans. 00:21:17.448 --> 00:21:21.578 To the extent that credit unions rely on the third party to provide this type of 00:21:21.578 --> 00:21:25.638 measurement information, clear controls should be contractually established and 00:21:25.638 --> 00:21:30.168 subject to periodic independent testing to ensure the accuracy of the information. 00:21:30.578 --> 00:21:34.048 Examiners should ensure that credit unions are measuring the performance 00:21:34.048 --> 00:21:38.048 of third party arrangements and periodically verifying the accuracy 00:21:38.048 --> 00:21:41.918 of any information provided to them by a third party or its affiliates. 00:21:42.448 --> 00:21:45.868 Credit unions engaging in third party relationships must have an 00:21:45.878 --> 00:21:49.648 infrastructure and example staffing, equipment, technology, etc. 00:21:49.658 --> 00:21:53.048 sufficient to monitor the performance of third party arrangements. 00:21:53.488 --> 00:21:58.098 In many cases, credit unions outsource processes or functions due to a lack of 00:21:58.098 --> 00:22:00.268 internal infrastructure or experience. 00:22:00.708 --> 00:22:04.248 However, outsourcing processes or functions does not eliminate 00:22:04.248 --> 00:22:07.498 credit union responsibility for the safety and soundness of 00:22:07.498 --> 00:22:09.178 those processes and functions. 00:22:09.578 --> 00:22:13.148 Examiners should ensure officials demonstrate the knowledge, skills, 00:22:13.168 --> 00:22:17.258 and abilities necessary to monitor and control third party arrangements, 00:22:17.638 --> 00:22:19.378 control systems, and reporting. 00:22:19.798 --> 00:22:23.158 After credit unions have conducted internal risk assessments and 00:22:23.158 --> 00:22:26.768 due diligence over prospective third parties, they must implement 00:22:26.778 --> 00:22:30.248 ongoing controls over third party arrangements to mitigate risks. 00:22:30.813 --> 00:22:34.393 While control systems need not be elaborate for less complex third 00:22:34.393 --> 00:22:38.613 party arrangements, credit unions are ultimately responsible for establishing 00:22:38.623 --> 00:22:42.773 internal controls and audit functions reasonably sufficient to assure them 00:22:42.773 --> 00:22:46.813 that third parties are appropriately safeguarding member assets, producing 00:22:46.813 --> 00:22:50.623 reliable reports, and following the terms of the third party arrangement. 00:22:51.108 --> 00:22:55.158 Additionally, credit unions should tailor internal controls as necessary 00:22:55.158 --> 00:22:59.248 to ensure staff observes policy guidance for third party relationships. 00:22:59.608 --> 00:23:03.288 Examiners should ensure credit unions have ongoing risk management 00:23:03.288 --> 00:23:07.038 procedures with regard to any material third party relationship. 00:23:07.458 --> 00:23:11.258 Designated credit union staff should be qualified and responsible for 00:23:11.258 --> 00:23:15.328 continued monitoring and oversight of third party arrangements, exhibiting 00:23:15.328 --> 00:23:19.458 familiarity with and understanding of the reports available from the third party. 00:23:19.813 --> 00:23:22.983 Responsible staff should measure the performance of third party 00:23:22.983 --> 00:23:26.823 programs in relation to credit union policy guidance, contractual 00:23:26.823 --> 00:23:28.373 commitments, and service levels. 00:23:29.048 --> 00:23:32.678 Credit unions should implement quality control procedures to review the 00:23:32.678 --> 00:23:35.168 performance of third parties periodically. 00:23:35.398 --> 00:23:39.198 Credit union officials should receive periodic reports on the performance 00:23:39.208 --> 00:23:41.518 of all material third party programs. 00:23:41.868 --> 00:23:45.718 Examiners should ensure controls are in place and that management and 00:23:45.718 --> 00:23:50.068 officials receive periodic reports with information sufficient to assist them in 00:23:50.068 --> 00:23:54.608 evaluating the performance of the overall arrangement and the adequacy of reserves. 00:23:54.878 --> 00:23:55.478 Summary. 00:23:55.983 --> 00:23:59.173 Third party relationships can be invaluable to credit unions 00:23:59.173 --> 00:24:00.563 and credit union members. 00:24:01.093 --> 00:24:04.603 Properly managed third party relationships can allow credit unions 00:24:04.603 --> 00:24:08.033 to accomplish strategic objectives through increased member service, 00:24:08.053 --> 00:24:10.273 competitiveness, and economies of scale. 00:24:10.723 --> 00:24:14.103 However, outsourcing critical business functions increases the 00:24:14.103 --> 00:24:15.883 risk inherent in those functions. 00:24:16.313 --> 00:24:20.443 Credit unions are responsible for safeguarding member assets and ensuring 00:24:20.443 --> 00:24:24.493 sound operations irrespective of whether or not a third party is involved. 00:24:24.803 --> 00:24:28.793 Smaller or less complex credit unions may have to develop alternative 00:24:28.793 --> 00:24:30.883 methods of accomplishing due diligence. 00:24:31.223 --> 00:24:35.233 Examiners should ensure credit unions adequately address risk assessment 00:24:35.453 --> 00:24:39.673 Planning, due diligence, risk measurement, risk monitoring, and controls when 00:24:39.673 --> 00:24:41.823 involved in third party relationships. 00:24:42.233 --> 00:24:43.023 Appendix A. 00:24:43.443 --> 00:24:46.273 Third party relationships areas for consideration. 00:24:46.733 --> 00:24:48.303 Risk assessment and planning. 00:24:48.793 --> 00:24:49.263 Planning. 00:24:49.713 --> 00:24:52.643 Third party arrangements should be synchronized with strategic 00:24:52.643 --> 00:24:56.023 plans, business plans, and credit unions philosophies. 00:24:56.463 --> 00:24:57.223 Risk assessment. 00:24:57.868 --> 00:25:01.548 Dynamic process should consider the seven areas of risk, as well as 00:25:01.548 --> 00:25:05.788 expectations of the arrangement, staff expertise, criticality of function, 00:25:05.898 --> 00:25:10.348 cost benefit, insurance requirements, member impact, and exit strategy. 00:25:10.828 --> 00:25:12.138 Financial projections. 00:25:12.518 --> 00:25:15.728 Return on investment should be estimated considering revenue, 00:25:15.768 --> 00:25:19.988 direct costs, indirect costs, fees, and likely cash flow stream. 00:25:20.368 --> 00:25:23.768 Return should be considered relative to the credit union's strategic 00:25:23.768 --> 00:25:26.118 plans and asset liability frameworks. 00:25:27.823 --> 00:25:28.753 Background check. 00:25:29.243 --> 00:25:33.173 Credit unions should consider references, prior performance, licensing 00:25:33.173 --> 00:25:36.973 and certification, and any legal proceedings involving prospective 00:25:36.973 --> 00:25:40.693 third parties, key individuals of the third party's organization. 00:25:40.983 --> 00:25:44.203 Credit unions should also consider third party motivations. 00:25:44.703 --> 00:25:45.563 Business model. 00:25:46.033 --> 00:25:50.093 Credit unions must understand business logic of the third party arrangement 00:25:50.113 --> 00:25:54.623 and business model, as well as third party processes and related affiliates. 00:25:55.033 --> 00:25:55.913 Cash flows. 00:25:56.333 --> 00:25:59.713 Credit unions must demonstrate an understanding of incoming and 00:25:59.723 --> 00:26:03.773 outgoing cash flows and be able to independently verify sources of 00:26:03.773 --> 00:26:06.103 cash flows in third party programs. 00:26:06.553 --> 00:26:08.763 Financial and Operation Control Review. 00:26:09.288 --> 00:26:13.318 Credit unions must review the overall financial condition of third parties 00:26:13.498 --> 00:26:17.168 and their closely related affiliates as well as the state of operational 00:26:17.168 --> 00:26:22.108 controls in the third party's business model, contract issues, and legal review. 00:26:22.568 --> 00:26:26.658 Credit unions should generally have legal counsel with appropriate expertise and 00:26:26.658 --> 00:26:30.888 experience review contracts and third party arrangements to ensure equitable 00:26:30.898 --> 00:26:35.358 contracts and compliance with applicable state and federal laws and regulations. 00:26:35.813 --> 00:26:37.233 Accounting considerations. 00:26:37.673 --> 00:26:41.703 Credit unions should be prepared for potential accounting complexity and may 00:26:41.703 --> 00:26:45.983 need a CPA opinion on accounting for third party relationship activities. 00:26:46.413 --> 00:26:48.743 Risk measurement, monitoring, and control. 00:26:49.153 --> 00:26:51.423 Staff oversight and quality control. 00:26:51.883 --> 00:26:55.633 Credit unions should have qualified staff designated to oversee and 00:26:55.633 --> 00:27:00.453 control the quality of the third party relationships, policies, and procedures. 00:27:00.903 --> 00:27:04.623 Policy guidance must be in place and sufficient to control the risks 00:27:04.633 --> 00:27:06.283 of the third party relationship. 00:27:06.893 --> 00:27:10.623 Policy guidance should address responsibilities, oversight, program 00:27:10.623 --> 00:27:14.413 and portfolio limitations, and content and frequency of reporting. 00:27:14.843 --> 00:27:16.123 Monitoring and reporting. 00:27:16.723 --> 00:27:20.433 Adequate infrastructure is required to support monitoring and reporting 00:27:20.443 --> 00:27:22.203 outlined in policy guidance. 00:27:22.703 --> 00:27:26.433 Credit unions should be able to measure and verify the performance of third 00:27:26.433 --> 00:27:28.483 parties and third party programs. 00:27:28.933 --> 00:27:29.733 Appendix B. 00:27:30.173 --> 00:27:31.313 List of Resources. 00:27:31.743 --> 00:27:35.183 The resources listed in the letter are too numerous to list here. 00:27:35.583 --> 00:27:38.583 Refer to NCUA's website for these details. 00:27:39.003 --> 00:27:42.743 This concludes the NCUA Letter to Credit Unions on Evaluating 00:27:42.753 --> 00:27:44.293 Third Party Relationships. 00:27:44.628 --> 00:27:48.468 If your credit union could use assistance with your exam, reach out to Mark 00:27:48.478 --> 00:27:50.948 Treichel on LinkedIn or at marktreichel. 00:27:50.978 --> 00:27:51.418 com. 00:27:51.918 --> 00:27:54.558 This is Samantha Shares and we thank you for listening.