For years, credit unions have been alerted by the NCUA to the need for vendor due diligence and other third-party vendor relationship requirements. Now, the Federal Reserve Board has alerted banks, and the Consumer Financial Protection Bureau has joined the bandwagon and is even issuing unfair and deceptive trade practice alerts against third-party vendors.
As you know, there are several common types of third-party relationships. Some of the common third-party relations include:
- Third-party product providers such as mortgage brokers, automobile dealers, and credit card providers;
- Loan servicing providers such as providers of debt collection, loss mitigation, and foreclosure activities;
- Disclosure preparers such as disclosure preparation software and third-party documentation preparers;
- Technology providers such as software vendors and website developers; and
- Providers of outsourced compliance functions such as companies that provide compliance audits, fair lending reviews and compliance monitoring activities.
What are the risks of using vendors? As has been widely discussed, the use of third parties presents a wide range of risks, including:
- Compliance risks such as violations of laws, rules or regulations or non-compliance with policies and procedures;
- Reputation risks such as dissatisfied members or violations of law or regulations that lead to public enforcement actions;
- Operational risks such as losses from failed processes or systems or losses of data that result in privacy issues;
- Transaction risks such as problems with service or delivery; and
- Credit risks such as the inability of a third party to meet its contractual obligations.
According to NCUA, the Federal Reserve Board and CFPB, certain practices increase the risk of violations and vendor risk management problems often involve one or more of the following issues:
- Over-reliance on third-party vendors;
- Failure to train new staff or retain knowledgeable staff;
- Failure to adequately monitor the vendor; and
- Failure to set clear expectations.
Several best practices can reduce the risk of violations from vendor relationships, and they include:
- Due Diligence. This is a position that has been maintained by NCUA for years. Credit unions have created a successful due diligence process which includes obtaining references; viewing financial records of the vendor; ensuring that the vendor has backup systems, and continuity and contingency plans; as well as researching the background, qualifications, and reputation of the vendor's principals and their overall reputation. Credit Union’s also encouraged recommending as part of due diligence a determination through Pacer as to whether or not lawsuits may have been filed against the vendor.
- Risk Assessment. A detailed risk assessment should be developed based on the initial due diligence and should be provided to senior management and to the board of directors, if appropriate. The risk assessment should include all factors including compliance, reputation risks, operational risks, credit and transaction risks.
- Clear Contractual Expectations. Some issues that we undertake as part of our contract review include but are not limited to the following:
- The scope of outsourced services;
- The procedures a vendor must follow;
- The credit union's level of expectation;
- The credit union's approval of a vendor's use of subcontractors;
- The credit union's right to conduct audits or request third-party reviews;
- The confidentiality of data;
- The vendor warranties, liability, and disclaimers;
- Dispute resolution mechanisms;
- Default and termination provisions; and
- Complaint or dispute process.
The last part of best practices is a comprehensive monitoring program. Too often a vendor contract is placed in the file and only reviewed after it is "automatically renewed" or after there is a dispute. There should be periodic/risk-based monitoring so that the frequency and type of monitoring would depend on each vendor and the assignments of the vendor.
Please also do not forget to periodically update the risk assessment since certainly we are in a state of flux with laws, as well as regulatory changes.
I encourage you to pause, take a moment and reflect upon your due diligence process and the manner in which you are currently evaluating and selecting third-party vendor relationships.
The economy is improving and there are more and more vendors that are now contacting credit unions. Regrettably, some of the vendors are less than reliable. Recently, we have brought to one or more clients' attention some major flaws or inadequacies in third-party vendor contracts and we encourage you to be alert; be aware; and do not undertake any unreasonable risks or exposure in any third-party vendor relationship.
Andy Keeney is a frequent contributor to Credit Union Times and has more than 35 years of experience as a credit union attorney. He is co-chair of the Kaufman & Canoles Credit Union Team in Norfolk, Va.