Valerie Edgington, CUCE, BSACS
The document provides an overview of key aspects of vendor due diligence that credit unions should consider. It discusses what due diligence is, its purpose in helping credit unions evaluate vendors and partnerships, and when it should be conducted. Specifically, it outlines areas to focus on such as background checks, contract provisions, mortgage brokers/correspondents relationships, and "red flags" that warrant further scrutiny. The document aims to help credit unions properly assess vendors and manage associated risks.
3. NCUA Rules & Regulations
701: Third-Party Servicing of Indirect Vehicle Loans;
704: Corporate Credit Unions;
717: Fair Credit Reporting Act; FACT Act;
723: Member Business Lending;
741: Third-Party Servicing of Indirect Vehicles;
748: Security Program
4. NCUA Letters to Credit Unions
98-CU-11: Information System Vendor Reviews
99-CU-05: Risk-Based Lending
01-CU-20: Due Diligence over Third Party Service Providers
02-CU-13: Vendor Information Systems & Technology Reviews
03-CU-08: Weblinking Relationships
04-CU-04: Investment Safekeeping Due Diligence
04-CU-13: Specialized/Subprime Lending Activities
06-CU-16: Interagency Guidance on Non-Traditional Mortgage Products
07-CU-01: Evaluating Third-Party Relationships
08-CU-19: Third Party Relationships: Mortgage Brokers/Correspondents
5. What & Why?
Due Diligence
Valerie Edgington, CUCE, BSACS
6. What is “Due Diligence”?
Due Diligence
“The systematic, on-going process of analyzing and evaluating new strategies, programs, products, or operations to prepare for and mitigate unnecessary risks.” – NCUA
7. Purpose
Know thy vendor
Helps credit union decide whether and how to proceed in terms of necessary controls to mitigate identified risks
8. Applicability
All Vendor Relationships
but efforts should be tailored to the complexity of each relationship.
9. Critical Vendor Relationships
Involves new financial services or activities.
Materially affects revenues or expenses.
Poses risks to or affects the credit union’s reputation.
Involves critical functions of the credit union.
Involves access, storing or transmitting sensitive member information.
Involves marketing of credit union products and services by a third party.
Involves subprime lending or indirect lending.
Involves plastic card processing/card payment transactions.
Poses risks that significantly affect earnings or capital.
10. Know Thy Vendor
Challenge:
Turning vendors into reliable strategic partners.
The relationship between Too Trusting CU and WIIFM Inc. quickly deteriorated…
“Uh oh…we used their standard contract!”
“Don’t worry, they used our standard contract.”
11. Know Thy Vendor
It’s kind of like a marriage…
“Can two walk together, except they agree?”
Document the credit union’s understanding and all expectations with the vendor in writing.
12. Know Thy Vendor
It’s kind of like a marriage…
“In sickness and in health, to love and to cherish, till death do us part.”
Beware long term outsourcing agreements.
Once signed, it can be very expensive to terminate.
13. Know Thy Vendor
It’s kind of like a marriage…
“In an ideal marriage one partner is blind and the other is deaf.”
No one is perfect. Seldom is only one party (e.g., the vendor) always at fault.
Control weaknesses contribute to poor vendor relations.
14. Due Diligence
“Minimum Contract Coverage”
Contract Issues and Concerns
15. Minimum Contract Coverage
Typically, at a minimum, third-party vendor contracts should address at least the following:
Scope of arrangement, services offered, and activities authorized
Responsibilities of all parties (including subcontractor oversight)
Service level agreements addressing performance standards and measures
Performance reports and frequency of reporting
Penalties for lack of performance
16. Minimum Contract Coverage
Typically, at a minimum, third-party vendor contracts should address at least the following:
Audit rights and requirements (including responsibility for payment)
Data security and member confidentiality (including testing and audit)
Ownership, control, maintenance and access to financial and operating records
Ownership of servicing rights
17. Minimum Contract Coverage
Typically, at a minimum, third-party vendor contracts should address at least the following:
Business resumption or contingency planning
Insurance
Member complaints and member service
Dispute resolution
Default, termination, and escape clauses
19. Request for Proposal
Materials for first round of vendor evaluations
Validates vendor interest
Outlines the contract/service requirements of the credit union
Requests information from vendor
Business requirements
Vendor profile
Vendor employee information
Vendor methodology
Vendor infrastructure
Addendum to contract
20. Background Checks:
Business Entity Information
Corporate ownership, structure, background
What type of entity are they?
How long have they been in business/offering service?
Lawsuits or legal proceedings
Articles of Incorporation/Organization
Authorized to do business in Ohio?
Who are the principals of the business?
Social Security Number
Identification verification
Organizational Chart
Government watch lists
21. Background Checks:
Business Entity Information
Financial history and current condition
Request current financial statements
Statement of Income
Notes to Financials
Securities and Exchange Commission filings (public entity)
Dun & Bradstreet credit report
Bankruptcy and judgment history
Audited financial statements
Unaudited financial statements
Vendor’s “market share information”
22. Background Checks:
Business Entity Information
Business model and practices
Longevity, adaptability, and viability through various economic cycles, changes in technology
Business and marketing plans
Required licenses and certifications
Ability to perform proposed functions
Use of related affiliates, subsidiaries and subcontractors
Knowledge of relevant consumer protection and civil rights laws and regulations.
23. Background Checks:
Business Entity Information
Scope and effectiveness of business’ operations and controls
Review SAS 70 audit reports
Adequate/experienced staff
Security policy and data handling practices
Testing plan/results
Privacy Policy
Disaster Recovery/Business Continuity
Customer Service Standards
Hiring/screening practices
Insurance coverage
24. Background Checks:
Business Entity Information
Reputation and Relevant Experience
Performance with past clients
Verification of experience/qualifications
Reputation within industry
Reputation & relevant experience
Limited experience:
Qualifications
Competence
26. Mortgage Brokers and Correspondents
NCUA Letter to Credit Union 08-CU-19
Federally insured credit unions
Issued August 2008
Re-emphasizes importance of proper due diligence over third-party relationships specifically as they relate to use of mortgage brokers and correspondents.
27. Mortgage Brokers and Correspondents
Who are the Third Parties in this Letter?
Mortgage Brokers: Third parties that generally do not fund loans themselves, and work on behalf of the credit union or borrower.
Correspondents: Third parties that fund and close loans in their own name and then sell the loan to a credit union or other lender.
28. Mortgage Brokers and Correspondents
Background
Over 50% of home loans originated by mortgage brokers
Compensation based on loan origination volume
Strong incentive to produce and close as many loans as possible.
29. Mortgage Brokers and Correspondents
Special Issues and Concerns
Third party operating in its own best interest.
Beware of loan regulation violations.
Third party has control over the appraisal process.
Third party tries to limit its own liability.
30. Mortgage Brokers and Correspondents
Special Issues and Concerns
Is the credit union adequately protected?
Financial strength of the third-party over long term and ability to support claims that may arise.
Product volume may exceed third party’s or credit union’s ability to handle.
Funding commitments that may have to be honored despite developing concerns with the third party.
31. Mortgage Brokers and Correspondents
What is Required?
Proper due diligence
Risk management
Loan sampling
Targeted loan reviews
Loan approval authority
Underwriting criteria and subsequent modification approved by credit union
Broker & correspondent reports to credit union
Corrective Action
33. Key Contract Provisions
Description of Services
Boilerplate provisions vs. adequate detail of service and functions
Critical for enforcing performance warranty problems
Clear, concise language
Performance Standards
Functional specifications
Uptime operability vs. downtime
Maintenance responsibilities
34. Key Contract Provisions
Warranties
Performance Warranty
Performance vs. promise
Ownership Warranty
Ownership of software/license
Piracy infringement claims
Compliance Warranty
Satisfy federal and state compliance requirements
Credit union and consumer regulation
35. Key Contract Provisions
Liability & Indemnity
SP liability/responsibility
Breach of warranties; negligent acts
Damage limitation provisions
Beware “sole remedy” provisions
Data Access
Raw data vs. member transaction information
Storage
Transfer
Data destruction; confidentiality
36. Key Contract Provisions
Security
Non-negotiable
Safeguarding member information
Credit union indemnification
Confidentiality/Privacy
Confidentiality agreement mandated
Employees, contractors, subcontractors, affiliates
Use only as per agreement
Written consent of credit union
Notification of actual or suspected breach
37. Key Contract Provisions
Term
Identifiable beginning and end
Renewal terms
Price & Payments
Timing
Holdbacks/refund provisions
Defined milestones
Development/Set-up fees
38. Key Contract Provisions
Termination
Grounds and procedures for termination
Mutual termination rights
Termination fees; liquidated damages
Jurisdiction & Governing Law
Venue
Jurisdiction
Arbitration & Attorney Fees
Non-exclusive location
Attorney fees to prevailing party
39. Red Flags
Due Diligence
Valerie Edgington, CUCE, BSACS
40. Red Flags
“No contract changes.”
Contracts where the vendor can change terms or fees unilaterally without credit union consent.
Contract references a document the credit union does not have or a third party document the credit union has not reviewed.
You can’t get the information you requested.
The information provided is outdated or incomplete.
The information provided or answers to questions are vague.
Lack of express warranty by the vendor that the software/service will perform in accordance with the functional specifications or service description.
41. Red Flags
Limited time warranties for software in a range of 60 to 90 days are suspect and not industry standard.
Blanket provision allowing the vendor to disclose data “as permitted by law.” This is a particularly low standard of protection.
There is no single point-of-contact for information security.
Field personnel do not have encrypted devices.
Information gathered is not secure.
The vendor has no disaster recovery plan.
The vendor outsources the processing of data.
42. Red Flags
Vendor refuses to disclose its financial statements.
Vendor liability and indemnification provisions are limited in scope to personal injury or property damages.
Provisions that permit the vendor to disclaim liability.
Contracts that are automatically renewable.
Contracts that provide termination fees or liquidated damages for a voluntary breach should be carefully reviewed by an attorney for fairness.
The information provided applies only to the parent company – is not really specific to the service the company would provide to your credit union.
Any agreement that carries an initial term of five years or greater.
43. Resources
NCUA
www.ncua.gov
CUNA
http://www.cuna.org/initiatives/due_diligence.html
http://www.cuna.org/initiatives/member/due_diligence_documents.html
http://www.cuna.org/initiatives/member/download/CUNA_Due_Diligence_Task_Force_Third-Party_Vendor_Management_Guide.pdf