In an April 12, 2019 blog post, Elizabeth M. Young LaBerge, Senior Regulatory Compliance Counsel at the National Association of Federally-Insured Credit Unions, stated that the National Credit Union Administration (NCUA) appears to be examining more closely the vendor management and outsourcing processes employed by federally insured credit unions. Third-party relationships have been a hot topic for many years, and the NCUA has issued specific guidance on what it believes credit unions should consider when evaluating and monitoring third-party relationships, particularly where vendors are given access to nonpublic personal information. In a changing world in which businesses rely more and more on cloud-based applications and digitized data, the concerns surrounding vendor relationships are more significant than ever.
In Supervisory Letter No. 07-01, the NCUA urged its examiners to ensure that credit unions have addressed risk assessment and planning, due diligence, and risk measurement, monitoring and control in a manner that is consistent with the credit union’s size, complexity and risk profile. Some of the more important aspects of this Supervisory Letter are summarized below.
Planning and Initial Risk Assessment
Credit union officials should determine whether the proposed relationship will complement the credit union’s overall mission and philosophy, and they should document how the relationship will relate to the credit union’s strategic plan. Planning should include action plans to achieve short-term and long-term objectives and should contain measurable and achievable goals. A credit union should be able to show why the risks and benefits of outsourcing the function to a vendor outweigh the risks and benefits of maintaining that function in-house. A risk assessment is a key component of the planning stage, and credit union officials should determine how the relationship could impact safety and soundness and the steps that should be taken to offset that potential impact. This risk assessment should consider (to the extent appropriate) credit risk, interest rate risk, liquidity risk, transaction risk, compliance risk, strategic risk, and reputation risk. Finally, credit union officials should develop realistic projections, and examiners should evaluate the reasonableness of those projections.
Due Diligence and Legal Review
A credit union must conduct appropriate due diligence on a potential vendor. Appropriate steps might include a review of the background of the vendor and its principals; a review of the vendor’s financial strength, results of operations and sources of cash; a review of the vendor’s experience in and qualifications for providing the proposed products or services; confirmation that the vendor and its agents hold all necessary licenses and permits; an investigation into how the vendor has performed for others, including any history of lawsuits or customer complaints and whether and how those matters were resolved; and an assessment of whether the relationship could present any conflicts of interest. Credit union officials should understand the vendor’s business model and the short- and long-term risks that the model might present to the credit union in the face of changes in the economy and regulatory environment.
The proposed contract with the vendor should be carefully reviewed by qualified external legal counsel to ensure that the credit union understands and considers all contractual and legal risks and obligations associated with the contract. Among other things, the contract should clearly address the scope of the arrangement and the products and services to be provided, the parties’ rights and responsibilities, performance requirements and remedies for default, regulatory compliance, audit and inspection rights, ownership and control of proprietary and other confidential information, data security, member confidentiality, and rights to terminate, including where the continuation of the relationship could jeopardize the safety or soundness of the credit union or its reputation. In appropriate circumstances, it might be prudent to obtain a legal opinion with respect to the legality of the proposed arrangement.
Risk Measurement, Monitoring and Control
The credit union must establish policies and procedures for monitoring the vendor’s performance under the parties’ contract in light of the parties’ initial expectations, monitoring and mitigating risks, ensuring that the arrangement continues to comport with the credit union’s strategies, and monitoring the vendor’s compliance with its obligations under the contract and with applicable law. The credit union must have an infrastructure that will allow it to effectively monitor the vendor’s performance consistent with these policies and procedures, including a sufficient number of qualified staff responsible for oversight and appropriate equipment and technology. Responsible staff members should be required to periodically report their findings and any other development that could impact the arrangement or the safety and soundness of the credit union to management and the board of directors.
Andy Bulgin recently published an article regarding some of the data privacy and security risks associated with third-party relationships and how businesses can protect their interests.
Contact Andrew Bulgin for more information.