With the NCUA turning up the heat on monitoring how CUSOs are conducting their operations, another area could be ripe for more scrutiny.
Gina Carter, an attorney and shareholder with Whyte Hirschboeck Dudek SC in Madison, Wis., heads up the firm’s credit union team. Her experience as counsel to both credit unions and CUSOs, particularly in the information technology field, has revealed a number of potential problems.
“What I see a lot of the time is intellectual property issues–not enough attention is being paid to due diligence with partners and vendors to CUSOs,” Carter said. “There are many lawsuits dealing with Internet and Web-based products. It’s not unusual to see credit unions involved in these.”
Carter said she has lectured and published extensively on credit union issues, including bank secrecy, IT contracting, CUSO formation and operations, and credit union governance legal issues. In addition to credit union, she has also advised high technology manufacturers, software manufacturers, media companies and trade associations on intellectual property law protection and rights enforcement.
The growth of products and services in the technology space from mobile banking to software to monitor student loans and mortgages and online fraud detection has exposed shortfall in contracts and licenses that will protect a CU, Carter said.
Two of her main concerns are indemnification clauses and security issues. In either case, if something were to go wrong, are the proper remedies in place particularly if the breach was caused by a third party. Carter said she has seen several cases where agreements have been rushed through without being sufficiently vetted by CUSOs.
“It surprises me when I find out that no one asked for references,” Carter said. “The point here is to approach the contract process in a very organized fashion and ask a lot of questions.”
Smaller tech firms are “usually doing some of the coolest stuff,” Carter noticed. Not to say the larger companies are not, she emphasized. However, with the newer startups that haven’t been in business long, credit unions and CUSOs need to find out if they have insurance to cover losses of any kind. A due diligence checklist can help tick off the smallest concerns, she offered.
A partnership with an insurance broker can help CUSOs that are working with tech firms to find out if there is coverage in place that deal with costs in the case of a lawsuit including bringing in experts. Carter said. Because technology is such a specialized field with many areas, experts are often called in to testify and many of the cases rely heavily on witnesses.
By being specific enough in a relationship agreement, the service levels are established and clear, Carter said. From her experience, she doesn’t see enough criteria or performance standards. Most agreements will have a clause on what happens if there is a breach but Carter said she is amazed at how broad service agreements can be.
For those CUSOs that are providing security solutions, Carter advised seeking out a security consulting firm that will have the expertise to evaluate the potential of what a vendor can do.
“The tendency is to rely on what the parties are telling you. With privacy and security issues, there has to be a more deliberate attempt to have the expertise,” Carter said.
In addition to have outside consultants, Carter said it is critical to have in-house staff that has the time to devote to ongoing contract review and administration. When some tech CUSOs are first formed, they’re often borrowing people here and there from the credit union’s IT department. A lot of them are top-notch people, but they have fulltime jobs.
“Sometimes things fall through the cracks,” she noticed.
Carter said she is most concerned about smaller credit unions and CUSOs. Some may be used to working with a general practice attorney who provides counsel in a number of areas. The danger with technology is it’s a highly specialized field that requires using someone who is intimately familiar with the nuances.
“Too often when things land on my desk, I haven’t been involved at the front end or never,” Carter said. “[Credit unions and CUSOs] should have the right professional in place at the beginning.”
To the reality that some cannot afford an IT attorney, Carter said if a CUSO has made the decision to go into a specialized business, “then they cannot afford not to.” Citing industry data, she pointed out that the average cost of a patent infringement lawsuit in the Midwest is $1.3 million. Head to the East Coast, Washington or out West, and the cost is much higher.
“A member’s personal privacy and information is at stake. You either pay up front or on the back end through a lawsuit,” Carter said.
With the NCUA’s recent proposal that would require CUSOs to submit financial reports to the agency and limit how credit unions can invest in them, Carter said it all goes back to doing the proper due diligence. Still, she hopes that potentially new regulations would not stymie CUSOs’ innovation.
“Credit unions and CUSOs would be well served to do business in a way that will make regulators feel comfortable,” Carter said. “They’re going to be asking more questions. I think there is a middle ground to be found.”