
Posted on 08-Aug-2020


Third Party Due Diligence

By: Christy C. Jones, Sherpy & Jones Law P.A.

ccj@sherpy-jones-law.com

Who Can Be a Third Party?

• VENDOR

• CUSO

• ANOTHER CREDIT UNION

Why Engage in Third-Party Relationships?

• Access to more Products & Services

• More Cost-Effective Products & Services

• Benefit from External Expertise

This Results in:

• Increased member services

• Competitiveness

• Economies of Scale

• Increased Delivery Channels

• Reach New Members

RISKS OF VENDOR RELATIONSHIPS

• Relinquish Control

• Possible Interruption of Services

• Possible Legal Disputes

7 DEADLY RISKS

• CREDIT

• INTEREST RATE

• LIQUIDITY

• TRANSACTION

• COMPLIANCE

• STRATEGIC

• REPUTATIONAL RISK

What to do with Risk?

• Mitigate risk

• Transfer risk

• Avoid risk

• Accept risk

• Rarely eliminate risk

Factors that Determine Level of Scrutiny:

• Credit Union’s Risk Profile;

• Safety and Soundness Requirement;

• Core v. Non-core Function of Service provided;

• Long-standing and tested history with Vendor;

• Degree of Control Maintained over Vendor Functions

Small Credit Unions

• If new to Vendor Relationships, Test the Water

• Contract has well-defined goals

• Contract has small goals

• Develop experience

Three Steps to Analyze Third-Party Relationships

• Risk Assessment and Planning;

• Due Diligence; and

• Risk Measurement, Monitoring and Control

RISK ASSESSMENT & PLANNING

• What are you trying to do?

• What is your contract about?

• How does the service/product relate to your overall mission & philosophy?

• How does it relate to your strategic plan?

Strategic Plan

• Consider long-term goals & resources

• Action plan should be designed

• Strategic Plan’s Goals should be measurable & achievable

• Plan should define levels of authority & responsibility

Planning & Initial Risk Assessment (Cont’d)

Compare Proposed Outsourced Service against maintaining those Services in-house.

Your Dynamic Risk Assessment

• Expectations for Outsourced Functions

• Staff Expertise

• Criticality

• Risk-Reward / Cost-Benefit

• Insurance

• Impact on Membership

• Exit Strategy

Financial Projections

• Project a return on investment

• Consider revenues, direct & indirect costs

• Will be evaluated for:

– reasonableness;

– considering historical performance;

– considering underlying assumptions;

– considering stated objectives.

3 Steps to Analyzing Third-Party Relationships

• Risk Assessment & Planning

• Due Diligence

• Risk Measurement & Control

DUE DILIGENCE

“Systematic, on-going process of analyzing & evaluating new strategies, programs, products, or operations to prepare for and mitigate unnecessary risks.”

Demonstrated = Documented

Due Diligence

• Background Check

• Vendor’s Business Model

• Cash Flows

• Financial & Operational Control Review

• Contract Issues & Legal Review

• Accounting Considerations

Background Check

• Experience with the particular service

• Request Referrals

• Research litigation

• Check that they have proper licenses & certifications

• BBB / FTC / CRAs / AG / State Consumer Affairs Office

Business Model

“Conceptual architecture or business logic employed to provide services to clients.”

Obtain Business & Marketing Plans, if available

CU must understand key third party business models

Business Model (cont’d)

• CU must understand vendor’s source of income & expense.

• CU must consider possible conflicts of interest

• CU must consider related parties (vendor’s subsidiaries, affiliates, subcontractors)

Financial & Operational Control Review

• Obtain & review Financial Statements of Vendor

• May use NRSRO ratings

• May use SAS 70 (Type II) reports, replaced by SSAE 16 in 2011.

NRSRO Ratings

• Nationally Recognized Statistical Rating Organizations

• Moody’s Investor Service, Standard & Poor’s, Fitch Ratings, A.M. Best Co.

• SEC approves status as NRSRO

SAS 70 (Type II)

• Statement on Auditing Standards No. 70: Service Providers

• Is an auditing statement that defines standards used by auditors to assess internal controls of service providers

• Service Providers = Vendors

• Type II = includes auditor’s opinion re: whether controls worked

SSAE 16

• Replaces SAS 70 II as of 2011.

• Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization

Contract Issues & Legal Review

• Qualified External Legal Counsel

• Should be Independent

15 Little Contract Terms

• Scope of arrangement

• Responsibilities

• Performance Standards

• Penalties

• Access to records

• Servicing Rights

• Audit Rights

• Data Security

• Contingency Planning

• Insurance

• Member Service

• Regulatory Compliance

• Dispute Resolution

• Default

• Termination

Big Focus:

• Performance Standards (usually lacking)

• Data Security (read a paper lately?)

• Regulatory Compliance (cannot fully delegate duties under regs to agents)

• Default, Term and Termination

CONTRACT REVIEW MUSINGS

Don’t Tell Vendor that it’s been selected until contract has been reviewed

Contract Review should be part of Vendor Selection Process

CONTRACT REVIEW (Cont’d)

• Remember the “entirety clause.”

• Read the contract.

• Do Not respond to artificial time pressure

• Question Incentives and Freebies

Contract Review (Cont’d)

• If IT contract, have IT Department Review

• If Indirect Lending, have Loan Department Review

• If contract with Repossession Agent, have Collections Department Review

Contract Review (Cont’d)

• Consider not obtaining comment letter;

• If obtain comment letter, do not give it to vendor;

• NCUA examiners will see comment letters;

• Checklist just says “attorney review,” does not require attorney letter

IT Contracts

• 75% of IT Contracts do not describe services provided;

• If services provided are included, it’s in Exhibit that’s not attached to contract;

• Get past the Salesman & talk to vendor’s tech guys;

• Larger IT Co’s have SSAE 16s which can be purchased

Insurance

• Insurance can be denied if CU knowingly failed to mitigate risks

• Don’t make Insurance the focus of your analysis

Accounting Considerations

• GAAP used to track, ID & classify transactions

• Does CU have accounting procedures for new product / services?

• CPA’s advice may be necessary

3 Steps to Analyzing

Third-Party Relationships

• Risk Assessment & Planning

• Due Diligence

• Risk Measurement & Control

Risk Measurement

• Policies & Procedures

• Monitoring

• Control Systems & Reporting

Policies & Procedures

• Outline Staff Responsibilities

• Provide for Oversight of Vendor Performance

• Define content & frequency of reporting to CU management

Control Pace of Program Growth

• Initially limit number of transactions under third party programs

• Allows for oversight and troubleshooting

• How applicable to IT contracts?

Risk Monitoring

• CUs must measure performance of vendor

• Periodically verify accuracy of information provided by vendor

• CU should designate employee responsible for oversight

• Employee should have tickler system to monitor performance

• Due Diligence is “On-Going”

Risk Monitoring

• CU ultimately responsible for result of vendor service

• Cannot outsource safety & soundness decisions

• CU must have adequate staff, technology & equipment to monitor

Control Systems & Reporting

• CU establishes internal controls & audit functions to ensure Vendor:

– Safeguards Member Assets;

– Produces Reliable Reports;

– Follows Terms of Vendor Contract

Control Systems & Reporting (Cont’d)

• Vendors providing Material Programs must send Reports

• CU staff must understand vendor reports

3 Steps to Analyzing

Third-Party Relationships

• Risk Assessment & Planning

• Due Diligence

• Risk Measurement & Control
