Post on 08-Aug-2020
Third Party Due Diligence
By: Christy C. Jones, Sherpy & Jones Law P.A.
ccj@sherpy-jones-law.com
Who Can Be a Third Party?
• VENDOR
• CUSO
• ANOTHER CREDIT UNION
Why Engage in Third-Party Relationships?
Access to more Products & Services
More Cost-Effective Products & Services
Benefit from External Expertise
This Results in:
• Increased member services
• Competitiveness
• Economies of Scale
• Increased Delivery Channels
• Reach New Members
RISKS OF VENDOR RELATIONSHIPS
Relinquish Control
Possible Interruption of Services
Possible Legal Disputes
7 DEADLY RISKS
• CREDIT RISK
• INTEREST RATE RISK
• LIQUIDITY RISK
• TRANSACTION RISK
• COMPLIANCE RISK
• STRATEGIC RISK
• REPUTATIONAL RISK
What to do with Risk?
• Mitigate risk
• Transfer risk
• Avoid risk
• Accept risk
• Rarely eliminate risk
Factors that Determine Level of Scrutiny:
• Credit Union’s Risk Profile;
• Safety and Soundness Requirement;
• Core v. Non-core Function of Service provided;
• Long standing and tested history with Vendor;
• Degree of Control Maintained over Vendor Functions
Small Credit Unions
• If new to Vendor Relationships, Test the Water
• Contract has well-defined goals
• Contract has small goals
• Develop experience
Three Steps to Analyze Third-Party Relationships
• Risk Assessment and Planning;
• Due Diligence; and
• Risk Measurement, Monitoring and Control
RISK ASSESSMENT & PLANNING
• What are you trying to do?
• What is your contract about?
• How does the service/product relate to your overall mission & philosophy?
• How does it relate to your strategic plan?
Strategic Plan
• Consider long-term goals & resources
• Action plan should be designed
• Strategic Plan’s Goals should be measurable & achievable
• Plan should define levels of authority & responsibility
Planning & Initial Risk Assessment (Cont’d)
Compare Proposed Outsourced Service against maintaining those Services in-house.
Your Dynamic Risk Assessment
• Expectations for Outsourced Functions
• Staff Expertise
• Criticality
• Risk-Reward / Cost-Benefit
• Insurance
• Impact on Membership
• Exit Strategy
Financial Projections
• Project a return on investment
• Consider revenues, direct & indirect costs
• Projections will be evaluated for reasonableness, considering:
– historical performance;
– underlying assumptions;
– stated objectives.
3 Steps to Analyzing Third-Party Relationships
• Risk Assessment & Planning
• Due Diligence
• Risk Measurement & Control
DUE DILIGENCE
“Systematic, on-going process of analyzing & evaluating new strategies, programs, products, or operations to prepare for and mitigate unnecessary risks.”
Demonstrated = Documented
Due Diligence
• Background Check
• Vendor’s Business Model
• Cash Flows
• Financial & Operational Control Review
• Contract Issues & Legal Review
• Accounting Considerations
Background Check
• Experience with the particular service
• Request Referrals
• Research litigation
• Check that the vendor has proper licenses & certifications
• BBB / FTC / CRAs / AG / State Consumer Affairs Office
Business Model
“Conceptual architecture or business logic employed to provide services to clients.”
Obtain Business & Marketing Plans, if available
CU must understand key third party business models
Business Model (cont’d)
• CU must understand vendor’s source of income & expense.
• CU must consider possible conflicts of interest
• CU must consider related parties (vendor’s subsidiaries, affiliates, subcontractors)
Financial & Operational Control Review
• Obtain & review Financial Statements of Vendor
• May use NRSRO ratings
• May use SAS 70 (Type II) reports, replaced by SSAE 16 in 2011.
NRSRO Ratings
• Nationally Recognized Statistical Rating Organizations
• Moody’s Investor Service, Standard & Poor’s, Fitch Ratings, A.M. Best Co.
• SEC approves status as NRSRO
SAS 70 (Type II)
• Statement on Auditing Standards No. 70: Service Providers
• Is an auditing statement that defines standards used by auditors to assess internal controls of service providers
• Service Providers = Vendors
• Type II = includes auditor’s opinion re: whether controls worked
SSAE 16
• Replaces SAS 70 II as of 2011.
• Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization
Contract Issues & Legal Review
• Qualified External Legal Counsel
• Should be Independent
15 Little Contract Terms
• Scope of arrangement
• Responsibilities
• Performance Standards
• Penalties
• Access to records
• Servicing Rights
• Audit Rights
• Data Security
• Contingency Planning
• Insurance
• Member Service
• Regulatory Compliance
• Dispute Resolution
• Default
• Termination
Big Focus:
• Performance Standards (usually lacking)
• Data Security (read a paper lately?)
• Regulatory Compliance (cannot fully delegate duties under regs to agents)
• Default, Term and Termination
CONTRACT REVIEW MUSINGS
Don’t Tell Vendor that it’s been selected until contract has been reviewed
Contract Review should be part of Vendor Selection Process
CONTRACT REVIEW (Cont’d)
• Remember the “entirety clause.”
• Read the contract.
• Do Not respond to artificial time pressure
• Question Incentives and Freebies
Contract Review (Cont’d)
• If IT contract, have IT Department Review
• If Indirect Lending, have Loan Department Review
• If contract with Repossession Agent, have Collections Department Review
Contract Review (Cont’d)
• Consider not obtaining comment letter;
• If obtain comment letter, do not give it to vendor;
• NCUA examiners will see comment letters;
• Checklist just says “attorney review,” does not require attorney letter
IT Contracts
• 75% of IT Contracts do not describe services provided;
• If services provided are included, it’s in Exhibit that’s not attached to contract;
• Get past the Salesman & talk to vendor’s tech guys;
• Larger IT Co’s have SSAE 16s which can be purchased
Insurance
• Insurance can be denied if CU knowingly failed to mitigate risks
• Don’t make Insurance the focus of your analysis
Accounting Considerations
• GAAP used to track, ID & classify transactions
• Does CU have accounting procedures for new product / services?
• CPA’s advice may be necessary
3 Steps to Analyzing Third-Party Relationships
• Risk Assessment & Planning
• Due Diligence
• Risk Measurement & Control
Risk Measurement
• Policies & Procedures
• Monitoring
• Control Systems & Reporting
Policies & Procedures
• Outline Staff Responsibilities
• Provide for Oversight of Vendor Performance
• Define content & frequency of reporting to CU management
Control Pace of Program Growth
• Initially limit number of transactions under third party programs
• Allows for oversight and troubleshooting
• How applicable to IT contracts?
Risk Monitoring
• CUs must measure performance of vendor
• Periodically verify accuracy of information provided by vendor
• CU should designate employee responsible for oversight
• Employee should have tickler system to monitor performance
• Due Diligence is “On-Going”
Risk Monitoring
• CU ultimately responsible for result of vendor service
• Cannot outsource safety & soundness decisions
• CU must have adequate staff, technology & equipment to monitor
Control Systems & Reporting
• CU establishes internal controls & audit functions to ensure Vendor:
– Safeguards Member Assets;
– Produces Reliable Reports;
– Follows Terms of Vendor Contract
Control Systems & Reporting (Cont’d)
• Vendors providing Material Programs must send Reports
• CU staff must understand vendor reports