Third Party Relationships
In recent years, credit unions have increasingly developed third party relationships to meet strategic objectives and enhance member services. Properly managed and controlled third party relationships provide a wide range of potential benefits to credit unions and their members. Many credit unions have utilized third party arrangements to gain expertise, realize economies of scale, or even reach new members. Leveraging the talents and experience of third parties can assist credit unions in meeting their members’ needs while accomplishing their strategic goals. In some cases, third party relationships are critical to the on-going success of a credit union. Credit unions taking the time to properly evaluate and cultivate their participation in third party arrangements can experience a high degree of success.
Collaboration with third parties has become more prevalent in credit unions due to increasing complexity of services and competitive pressures. In some third party arrangements, credit unions surrender direct control over one or more key business functions to a third party in exchange for potential benefits. As credit unions consider the potential benefits of third party arrangements, credit union officials and management (officials) are faced with a balancing act.
Officials must carefully consider the potential risks these relationships may present and how to manage them. As credit unions seek to manage risk, they should carefully consider the correlation between their level of control over business functions and the potential for compounding risks. Credit unions maintaining complete control over all functions may be operationally or financially inefficient. Credit unions outsourcing functions without the appropriate level of due diligence and oversight may be taking on undue risk.1 Ultimately, credit unions are responsible for safeguarding member assets and ensuring sound operations irrespective of whether or not a third party is involved.
Outsourcing complete control over one or more business functions to a third party amplifies the risks inherent in those functions. Additionally, credit unions trading direct control over business functions for third party program benefits may expose themselves to a full range of risks including credit, interest rate, liquidity, transaction, compliance, strategic, and reputation risks. Credit unions must complete the due diligence necessary to ensure the risks undertaken in a third party relationship are acceptable in relation to their risk profile and safety and soundness requirements. Less complex risk profiles and third party arrangements typically require less analysis and documentation. Further, where credit unions have a longstanding and tested history of participating in a given third party relationship, less analysis is required to renew the relationship.
Risks may be mitigated, transferred, avoided, or accepted; however, they are rarely eliminated. The risk management process involves identifying and making informed decisions about how to address risk. One of the best ways to employ the risk management process is to start small and gain experience over time. Less complex credit unions unfamiliar with analyzing third party arrangements may utilize this risk management approach by entering third party relationships with small, well-defined goals and expanding their exposure to third party risks as their experience grows.
When evaluating third party arrangements, examiners should ensure credit unions have addressed the following concepts in a manner commensurate with their size, complexity, and risk profile:
- Risk Assessment and Planning;
- Due Diligence; and
- Risk Measurement, Monitoring and Control.
The remainder of this Supervisory Letter outlines considerations for these concepts. The considerations discussed are not an exhaustive list of all possible risk mitigation procedures, but a representation of the considerations necessary when credit unions engage in significant third party relationships. The depth and breadth of due diligence required depends upon a credit union’s complexity and risk management process. Smaller or less complex credit unions may develop alternative methods of accomplishing due diligence, while credit unions utilizing a time tested third party relationship may already have addressed these considerations over time.
Risk Assessment and Planning Considerations for Third Party Relationships
Credit union officials are responsible for planning, directing, and controlling the credit union’s affairs. Risk assessment and due diligence for third party relationships is an important part of officials’ fiduciary responsibilities. Examiners should consider the following elements in evaluating the adequacy of credit unions’ risk assessment and due diligence over third party relationships:
Planning and Initial Risk Assessment
Before entering into a third party relationship, officials should determine whether the relationship complements their credit union’s overall mission and philosophy. Officials should document how the relationship will relate to their credit union’s strategic plan, considering long-term goals, objectives, and resource allocation requirements. Officials should design action plans to achieve short-term and long-term objectives in support of strategic planning for new third party arrangements. All planning should contain measurable, achievable goals and clearly defined levels of authority and responsibility.
Additionally, officials should weigh the risks and benefits of outsourcing business functions with the risks and benefits of maintaining those functions in-house. In order to demonstrate an understanding of a third party relationship’s risk, the officials must clearly understand the credit union’s strengths and weaknesses in relation to the arrangement under consideration. Credit unions should complete a risk assessment prior to engaging in a third party relationship to assess what internal changes, if any, will be required to safely and soundly participate.
Risk assessments are a dynamic process, rather than a static process, and should be an on-going part of a broader risk management strategy. Credit unions’ initial risk assessments for a third party relationship should consider all seven risk areas (Credit, Interest Rate, Liquidity, Transaction, Compliance, Strategic, and Reputation), and more specifically the following:
- Expectations for Outsourced Functions - Credit unions should clearly define the nature and scope of their needs. Which needs will the third party meet? Will the third party be responsible for desired results? To what extent?
- Staff Expertise - Is credit union staff qualified to manage and monitor the third party relationship? How much reliance on the third party will be necessary?
- Criticality - How important is the activity to be outsourced? Is the activity mission critical? What other alternatives exist?
- Risk-Reward or Cost-Benefit Relationship - Does the potential benefit of the arrangement outweigh the potential risks or costs? Will this change over time?
- Insurance - Will the arrangement create additional liabilities? Is credit union insurance coverage sufficient to cover the potentially increased liabilities? Will the third party carry “key man” insurance or other insurance to protect the credit union?
- Impact on Membership - How will officials gauge the positive or negative impacts of the arrangement on credit union members? How will they manage member expectations?
- Exit Strategy - Is there a reasonable way out of the relationship if it becomes necessary to change course in the future? Is there another party that can provide any services officials deem critical?
Risk assessments for less complex third party arrangements may be part of a broader risk management program or documented in board minutes.
Financial Projections
In evaluating the cost-benefit or risk-reward of a third party relationship, credit unions should develop financial projections outlining the range of expected and possible financial outcomes. Credit unions should project a return on their investment in the proposed third party arrangement, considering expected revenues, direct costs, and indirect costs. For example, when outsourcing loan functions, credit unions should not only consider the expected loan yield, but also the potential effect of borrower prepayments and third party fees on the overall return.
Officials should evaluate financial projections in the context of their overall strategic plans and asset-liability management framework before making a decision to participate in a third party arrangement. Examiners should evaluate these projections for reasonableness, considering historical performance, underlying assumptions, stated business plan objectives, and the complexity of the credit union’s risk profile.
Due Diligence for Third Party Relationships
When considering third party relationships, proper due diligence includes developing a demonstrated understanding of a third party’s organization, business model, financial health, and program risks. In order to tailor controls to mitigate risks posed by a third party, credit unions must have an understanding of a prospective third party’s responsibilities and all of the processes involved with prospective third party programs. Examiners should consider the adequacy of due diligence in the areas below, given credit unions’ risk profiles, internal controls, and overall complexity. Due diligence should be tailored to the complexity of the third party relationship and may consist of reasonable alternative procedures to accomplish acceptable risk mitigation.
It is also important for credit unions to understand how a third party has performed in other relationships before entering into a third party arrangement. Credit unions should request referrals from the prospective third party’s clients to determine their satisfaction and experience with the proposed arrangement. Credit unions should also review and consider any lawsuits or legal proceedings involving the third party or its principals. Additionally, credit unions should ensure that third parties or their agents have any required licenses or certifications, and that they remain current for the duration of the arrangement. Finally, sources of information such as the Better Business Bureau, Federal Trade Commission, credit reporting agencies, state consumer affairs offices, or state attorney general offices may also offer insight to a third party’s business reputation.
Business Model
New business models often emerge due to changes in the regulatory, technological, or economic environment. When evaluating a prospective third party arrangement, credit union officials should consider the longevity and adaptability of third party business models. Some business models may be well suited for economic expansion, but untenable during economic recession. Since new business models are not time tested and have not experienced a complete economic cycle, they may present additional risks to a credit union. Likewise, longstanding business models that cannot easily adapt may not be sustainable in times of rapid technological or regulatory change.
Before entering into a third party arrangement, credit union officials should thoroughly understand the third party’s business model. The third party’s business model is simply the conceptual architecture or business logic employed to provide services to its clients. If the third party’s business and marketing plans are available, officials should review them. Credit union officials should also understand and be able to explain the third party’s role in the proposed arrangement and any processes for which the third party is responsible. Examiners should assess credit union officials’ understanding and consideration of key third party business models as an integral element of due diligence.
Credit union officials should also understand the third party’s sources of income and expense, considering any conflicts of interest that may exist between the third party and the credit union. For example, if a third party’s revenue stream is tied to the volume of loan originations rather than loan quality, its financial interest in underwriting as many loans as possible may conflict with the credit union’s interest in originating only quality loans. Credit unions should also identify any vendor related parties (such as subsidiaries, affiliates, or subcontractors) involved with the proposed arrangement and understand the purpose and function of each.2 Examiners should consider the potential effects of identified conflicts of interest and ensure officials mitigate risks where reasonable.
Cash Flows
Perhaps one of the most important considerations, when analyzing a potential third party relationship, is the determination of how cash flows move between all parties in a proposed third party arrangement. In addition to third party fees, premiums, and claims receipts, many third party arrangements include cash flows between the credit union, the third party, and credit union members. Credit union officials should be able to explain how cash flows (both incoming and outgoing) move between the member, the third party, and credit unions. Credit unions should also be able to independently verify the source of these cash flows and match them to related individual accounts. Examiners should ensure credit unions are tracking and identifying cash flows accurately.
Financial and Operational Control Review
Credit unions should carefully review the financial condition of third parties and their closely related affiliates. The financial statements of a third party and its closely related affiliates should demonstrate an ability to fulfill the contractual commitments proposed. Credit unions should consider the financial statements with regard to outstanding commitments, capital strength, liquidity, and operating results. Additionally, credit unions should consider any potential off-balance sheet liabilities and the feasibility that the third party or its affiliated parties can financially perform on such commitments.
Audited and segmented financial statements or ratings from nationally recognized statistical rating organizations (NRSRO ratings) may be useful in periodically evaluating the overall financial health of a prospective or existing third party.3 If available, officials may use copies of SAS 70 (Type II) reports prepared by an independent auditor, audit results, or regulatory reports to evaluate the adequacy of the proposed vendor’s internal controls. If these items are not available, credit unions should consider whether to require an independent review of the proposed vendor’s internal controls. Generally, contracts establish requirements for periodic audits or access to third party records. Examiners should ensure credit unions have adequately reviewed the financial and internal control structure of the prospective third party, considering credit unions’ risk profiles and the arrangement’s relationship to net worth.
Contract Issues and Legal Review
Contracts outlining third party arrangements are often complex. Credit unions should take measures to ensure careful review and understanding of the contract and legal issues relevant to third party arrangements. It is prudent to seek qualified external legal counsel to review prospective third party arrangements and contracts. Any legal counsel consulted should be independent and have the experience or specialization necessary to review properly the arrangements and contracts.
- Typically, at a minimum, third party contracts should address the following:
- Scope of arrangement, services offered, and activities authorized;
- Responsibilities of all parties (including subcontractor oversight);
- Service level agreements addressing performance standards and measures;
- Performance reports and frequency of reporting;
- Penalties for lack of performance;
- Ownership, control, maintenance and access to financial and operating records;
- Ownership of servicing rights;
- Audit rights and requirements (including responsibility for payment);
- Data security and member confidentiality (including testing and audit);
- Business resumption or contingency planning;
- Insurance;
- Member complaints and member service;
- Compliance with regulatory requirements (e.g. GLBA, Privacy, BSA, etc.);
- Dispute resolution; and
- Default, termination, and escape clauses.
Of particular importance, credit unions should exercise their right to negotiate contract terms with third parties for mutually beneficial contracts. For example, some credit unions have entered into third party agreements with significant buyout or termination penalties, believing the penalties or fees were standard or non-negotiable. In many cases, early termination, escape clause, and default terms are negotiable. Credit union officials should ensure that any contract terms agreed to would not adversely affect the credit union’s safety and soundness, regardless of contract performance.
In addition to a legal review of contracts and written agreements relevant to a prospective third party arrangement, it may be prudent for credit unions to obtain a legal opinion about any services provided by the third party under the arrangement. For example, if a third party is engaged to perform loan collections for the credit union, a legal review of their collection methods may be prudent to ensure debt collection and reporting practices comply with applicable state and federal laws. Credit unions should ensure compliance with state and federal laws and regulations, and contractually bind the third party to compliance with applicable laws (i.e. Regulation B, Regulation Z, HMDA, etc.). Since credit unions may ultimately be responsible for consumer compliance violations committed by their agents, credit unions should be familiar with the third party’s internal controls for ensuring regulatory compliance and adherence to agreed upon practices.
Accounting Considerations
Credit unions should consider that third party relationships might create accounting complexities. Credit unions must have adequate accounting infrastructures to appropriately track, identify, and classify transactions in accordance with Generally Accepted Accounting Principles (GAAP). Credit unions often develop third party arrangements to outsource new products or functions, and may not have experience in accounting for the particulars of those new products or functions. Conversely, although credit unions may be familiar with the accounting rules for a given function, the nature of a third party arrangement may change the required accounting procedures.
In some instances, a certified public accountant’s guidance may be necessary to ensure proper accounting treatment. A credit union’s audit scope should provide for independent reviews of third party arrangements and associated activities. Examiners should ensure credit unions have considered the accounting implications of new products or services introduced through third party arrangements.
Risk Measurement, Monitoring and Control of Third Party Relationships
In addition to careful due diligence when entering third party arrangements, credit unions must establish ongoing expectations and limitations, compare program performance to expectations, and ensure all parties to the arrangement are fulfilling their responsibilities. Third party arrangements and risk profiles will vary; thus, credit unions should tailor risk mitigation efforts to the specific nature of considered programs, the materiality of risks identified, and the credit union’s overall complexity. Examiners should consider the adequacy of the credit union’s policies, risk measurement, and monitoring in light of the same factors.
Policies and Procedures
Credit unions should develop detailed policy guidance sufficient to outline expectations and limit risks originating from third party arrangements. Policies and procedures should outline staff responsibilities and authorities for third party processes and program oversight. Additionally, policy guidance should define the content and frequency of reporting to credit union management and officials. Credit unions should also establish program limitations to control the pace of program growth and allow time to develop experience with the program. For example, credit unions participating in third party loan programs should initially limit the volume of loans granted in order to identify any problems with the third party process prior to the volume of loans becoming significant.
Risk Measurement and Monitoring
Credit unions must be able to measure the risks of third party programs, but also the performance of third parties in terms of profitability, benefit, and service delivery. For example, credit unions outsourcing loan servicing functions should be able to identify individual loan characteristics, repayment histories, repayment methods, delinquency status, and any loan file maintenance relative to serviced loans. To the extent that credit unions rely on the third party to provide this type of measurement information, clear controls should be contractually established and subject to periodic independent testing to ensure the accuracy of the information. Examiners should ensure that credit unions are measuring the performance of third party arrangements and periodically verifying the accuracy of any information provided to them by a third party or its affiliate.
Credit unions engaging in third party relationships must have an infrastructure (i.e. staffing, equipment, technology, etc.) sufficient to monitor the performance of third party arrangements. In many cases, credit unions outsource processes or functions due to a lack of internal infrastructure or experience. However, outsourcing processes or functions does not eliminate credit union responsibility for the safety and soundness of those processes and functions. Examiners should ensure officials demonstrate the knowledge, skills, and abilities necessary to monitor and control third party arrangements.
Control Systems and Reporting
After credit unions have conducted internal risk assessments and due diligence over prospective third parties, they must implement on-going controls over third party arrangements to mitigate risks. While control systems need not be elaborate for less complex third party arrangements, credit unions are ultimately responsible for establishing internal controls and audit functions reasonably sufficient to assure them that third parties are appropriately safeguarding member assets, producing reliable reports, and following the terms of the third party arrangement. Additionally, credit unions should tailor internal controls as necessary to ensure staff observes policy guidance for third party relationships. Examiners should ensure credit unions have ongoing risk management procedures with regard to any material third party relationship.
Designated credit union staff should be qualified and responsible for continued monitoring and oversight of third party arrangements, exhibiting familiarity with and understanding of the reports available from the third party. Responsible staff should measure the performance of third party programs in relation to credit union policy guidance, contractual commitments, and service levels. Credit unions should implement quality control procedures to review the performance of third parties periodically. Credit union officials should receive periodic reports on the performance of all material third party programs. Examiners should ensure controls are in place, and that management and officials receive periodic reports with information sufficient to assist them in evaluating the performance of the overall arrangement and the adequacy of reserves.
Summary
Third party relationships can be invaluable to credit unions and credit union members. Properly managed third party relationships can allow credit unions to accomplish strategic objectives through increased member service, competitiveness, and economies of scale. However, outsourcing critical business functions increases the risk inherent in those functions. Credit unions are responsible for safeguarding member assets and ensuring sound operations irrespective of whether or not a third party is involved. Smaller or less complex credit unions may have to develop alternative methods of accomplishing due diligence. Examiners should ensure credit unions adequately address risk assessment, planning, due diligence, risk measurement, risk monitoring, and controls when involved in third party relationships.4
APPENDIX A
Third Party Relationships- Areas for Consideration
Risk Assessment and Planning
- Planning - Third party arrangements should be synchronized with strategic plans, business plans, and credit unions’ philosophies.
- Risk Assessment - Dynamic process should consider the seven areas of risk as well as expectations of the arrangement, staff expertise, criticality of function, cost-benefit, insurance requirements, member impact, and exit strategy.
- Financial Projections - Return on investment should be estimated considering revenue, direct costs, indirect costs, fees, and likely cash flow stream. Return should be considered relative to the credit unions’ strategic plans and asset-liability frameworks.
Due Diligence
- Background Check - Credit unions should consider references, prior performance, licensing and certification, and any legal proceedings involving prospective third parties, key individuals of the third party’s organization. Credit unions should also consider third party motivations.
- Business Model - Credit unions must understand business logic of the third party arrangement and business model, as well as third party processes and related affiliates.
- Cash Flows - Credit unions must demonstrate an understanding of incoming and outgoing cash flows, and be able to independently verify sources of cash flows in third party programs.
- Financial and Operation Control Review - Credit unions must review the overall financial condition of third parties and their closely related affiliates, as well as the state of operational controls in the third party’s business model.
- Contract Issues and Legal Review - Credit unions should generally have legal counsel with appropriate expertise and experience review contracts and third party arrangements to ensure equitable contracts and compliance with applicable state and federal laws and regulations.
- Accounting Considerations - Credit unions should be prepared for potential accounting complexity and may need a CPA opinion on accounting for third party relationship activities.
Risk Measurement, Monitoring and Control
- Staff Oversight and Quality Control - Credit unions should have qualified staff designated to oversee and control the quality of the third party relationships.
- Policies and Procedures - Policy guidance must be in place and sufficient to control the risks of the third party relationship. Policy guidance should address responsibilities, oversight, program and portfolio limitations, and content and frequency of reporting.
- Monitoring and Reporting - Adequate infrastructure is required to support monitoring and reporting outlined in policy guidance. Credit unions should be able to measure and verify the performance of third parties and third party programs.
APPENDIX B
List of Resources
This concepts and principles set forth in this Supervisory Letter were partly derived and adapted from guidance previously issued by the National Credit Union Administration and other federal regulatory agencies, including the following:
National Credit Union Administration. Letter to Credit Unions 00-CU-11, Risk Management of Outsourced Technology Sources. Dec. 2000. <http://www.ncua.gov/letters/2000/00-CU-11.pdf>
National Credit Union Administration. Letter to Credit Unions 01-CU-20, Due Diligence Over Third Party Service Provider. Nov. 2001. <http://www.ncua.gov/letters/2001/01-CU-20.pdf>
National Credit Union Administration. Letter to Credit Unions 02-CU-08, Account Aggregation Services. Apr. 2002. <http://www.ncua.gov/letters/2002/02-CU-08.html>
National Credit Union Administration. Letter to Credit Unions 03-CU-08, Weblinking: Identifying Risks & Risk Management Techniques. Apr. 2003. <http://www.ncua.gov/letters/2003/03-CU-08.doc>
National Credit Union Administration. Letter to Credit Unions 04-CU-13, Specialized Lending Activities. Sep. 2004. <http://www.ncua.gov/letters/2004/04-CU-13.doc>
National Credit Union Administration. Letter to Federal Credit Unions 02-FCU-04, Weblinking Relationships. Mar. 2002. <http://www.ncua.gov/letters/2002/02-FCU-04.html>
National Credit Union Administration. Risk Alert 05-RISK-01, Specialized Lending Activities - Third-Party Subprime Indirect Lending and Participations. Jun. 2005. <http://www.ncua.gov/RiskAlert/2005/05-RISK-01.pdf>
National Credit Union Administration. Rules and Regulations, Parts 701 and 741. <http://www.ncua.gov/RegulationsOpinionsLaws/rules_and_regs/NCUA_RR_Complete_2.pdf>
Office of the Comptroller of the Currency. OCC Bulletin 2001-47. 1 Nov. 2001. <http://www.ffiec.gov/ffiecinfobase/resources/outsourcing/occ-bul_2001_47_third_party_relationships.pdf>
Office of Thrift Supervision, Department of the Treasury. Thrift Bulletin 82. 18 Mar 2003. <http://www.ffiec.gov/ffiecinfobase/resources/outsourcing/ots-tb_82_3rd_party_arrang.pdf>
Federal Deposit Insurance Corporation. Hodson, Kevin W., and Todd L. Hendrickson. Supervisory Insights: Third Party Arrangements: Elevating Risk Awareness. Summer 2007. <http://www.fdic.gov/regulations/examinations/supervisory/insights/sisum07/article01_third-party.html>
Footnotes
1 Due diligence is the systematic, on-going process of analyzing and evaluating new strategies, programs, products, or operations to prepare for and mitigate unnecessary risks.
2 Further due diligence may be required of some of these related parties if they play a critical role in providing the credit union with the proposed service.
3 Officials should consider the independence of audits or ratings reviewed.
4 See Appendix A.