kaufCAN.com

Due Diligence Due Diligence A Necessity in a New EnvironmentA Necessity in a New Environment

E. Andrew Keeney, Esq.Kaufman & Canoles, P.C.

kaufCAN.com

E. Andrew Keeney, Esq.

Kaufman & Canoles, P.C.

150 West Main Street, Suite 2100

Norfolk, VA 23510

(757) 624-3153

eakeeney@kaufcan.com

kaufCAN.com

Why Are We Doing This?Why Are We Doing This?

• Credit unions rely on third parties more than ever for member services

• Current agreements are not credit union friendly or otherwise obsolete

• Regulatory authority• Vendor horror stories• The due diligence process

Future Planning, Financial HealthFuture Planning, Financial HealthSurvivalSurvival

kaufCAN.com

Vendor Management Vendor Management –– It's No It's No Longer a Choice Longer a Choice

• Federal guidelines and expectations• Risk classifications• Prevent fraud and safeguard data• Mitigate risks• The unknown• BOTTOM LINE: NCUA mandates it

Do your homework on your vendors!Do your homework on your vendors!

kaufCAN.com

VIDEO

kaufCAN.com

A Few 2009 Horror StoriesA Few 2009 Horror Stories

• Being fooled by demos and vaporware• Building or branch complete but windows leak• Failure to interview target company's existing

customers and ask about the litigation• $140 million mortgage fraud• Improper invoices• Breach of member privacy• Failure to appropriately protect intellectual property

and website• Unable to cancel a vendor contract

kaufCAN.com

VIDEO

kaufCAN.com

Goals This Morning Goals This Morning

• Light the way• Make sure your credit union is not on the list

of horror stories for 2010

GOLD NUGGETS of help

kaufCAN.com

NCUA NCUA –– Minimum Procedures for Minimum Procedures for Credit Unions Credit Unions

• NCUA Letter 01-CU-20 issued in November of 2001 addressing the failure to exercise proper due diligence before entering into a relationship with a vendor or failing to set up proper controls and monitor performance

• NCUA Letter 07-CU-13 issued December 2007 giving examiners a framework for reviewing third-party relationships

• Weblinking Relationships 03-CU-08

kaufCAN.com

NCUA NCUA –– Minimum Procedures for Minimum Procedures for Credit UnionsCredit Unions

• NCUA Exam Questionnaire of April 14, 2008 – Risk assessment and planning– Effective due diligence– Risk measurement, monitoring and control

• Longstanding history of regulatory guidance for third-party vendor due diligence– Information System Vendor Reviews 98-CU-11– Risk Based Lending 99-CU-05

kaufCAN.com

• NCUA . . . "Credit unions are ultimately responsible for establishing internal controls and audit functions reasonably sufficient to assure them that third parties are appropriately safeguarding member assets, producing reliable reports and following the terms of the third-party arrangement. Additionally, credit unions should tailor internal controls as necessary to ensure staff observes policy guidance for third-party relationships. Examiners should ensure credit unions have on-going risk management procedures with regard to any material third-party relationship."

kaufCAN.com

Who ARE Credit Union Vendors? Who ARE Credit Union Vendors?

Lending:• Collections• Member Business Lending• Indirect Lending• Servicing• Underwriting• Credit Card/Debit Card

Processors

Information Technology:• Security• Web-Linking• Website Development,

Hosting, Maintenance• Internet Banking• Data Processing• Check Printers/Statement

Printers

kaufCAN.com

Who ARE Credit Union Vendors?Who ARE Credit Union Vendors?

Operations:• Audits• Marketing• Legal• Compliance• Payroll• ALM• Investments• Record Storage• Health & Retirement

Other:• Facility Maintenance &

Construction

kaufCAN.com

Policy Questions and Issues for Policy Questions and Issues for Credit Unions Credit Unions

• Does the third-party relationship complement overall mission and philosophy?

• What internal controls are required for safety and soundness?

• What are the expectations?• Is the staff qualified to manage and monitor the third-

party relationship?• Impact on membership?• What is the exit strategy?

Risk AssessmentRisk Assessment

kaufCAN.com

Potential Risks to Consider Potential Risks to Consider

1. Strategic Risk: Risk arising from making the wrong business decision, including failing to make business decisions that are consistent with the credit union's strategic plan.

2. Reputation Risk: Risk arising from negative member and public opinion of the credit union, either as the result of poorservice or as the result of bad publicity in the media.

3. Operational Risk: Risk of loss stemming from: inadequate or failed internal controls, credit union employees, information orother systems, or from external events.

4. Transaction Risk: Risk arising from problems with delivery of products or services (especially important in core processing, card processing, wire transfer, and indirect lending relationships).

kaufCAN.com

Potential Risks to ConsiderPotential Risks to Consider

5. Credit Risk: Risk that the third party (or any other creditor-party necessary to the third-party relationship, such as your insurance company's reinsurer) is financial unable to meet the terms of its contract with the credit union or is otherwise financial unable to perform its duties.

6. Compliance Risk: Risk arising from violations of statutes or regulations, or from noncompliance with the credit union's policies, procedures, or business standards.

7. Interest Rate Risk: Risk arising from changes in interest rates, especially short-term versus long-term interest rates (e.g., an inverted yield curve).

8. Liquidity Risk: Risk arising from holding non-liquid assets when the credit union experiences cash flow difficulties.

9. Other Risks: Such as price risk, foreign currency exchange risks, political instability abroad, etc.

kaufCAN.com

Some Common Red Flags Some Common Red Flags

• Hearing the great sales pitch• Being ahead of your time• Making or saving tons of money• Doing business with relatives or friends• Unanswered questions• Failure to benefit both parties• They are taking care of it• Too good to be true• Failure to include schedules in a contract

kaufCAN.com

kaufCAN.com

The RegretsThe Regrets

1. Have only one person at the credit union responsible for due diligence

2. Choose a vendor only because several other credit unions use the company

3. Rely on the vendor to manage the credit union's data, without stringent oversight

4. Don't conduct due diligence review because the vendor is a small company

5. Assume outsourcing will save money without a thorough cost analysis

kaufCAN.com

kaufCAN.com

The First NuggetThe First Nugget

1. Know your primary goal2. Know your expectations and desired results3. Know your due diligence analysis standards4. Know your vendor5. Know your costs6. Know your data7. Know your internal operations8. Know your monitoring costs

Steps for SuccessSteps for Success

Know your risks

kaufCAN.com

Risk AssessmentRisk Assessment

• Has the credit union evaluated the costs of monitoring and providing support to the third-party program?– Staffing– capital expenditures– Communications– technological investment

• Is the credit union monitoring their third-party relationships?• Require full due diligence reviews for any vendor that has access

to:– member information– employee data– institution networks– or for any vendor that provides services critical to maintaining

operations

kaufCAN.com

Due Diligence Due Diligence –– Background Background Check Check

• Check usual sources regarding reputation• Google• Ask for and check references• Ask about lawsuits against the company or its

principals/partners• Are required licenses or certifications current?• Gold Nugget: GOAL – know who you are dealing with

kaufCAN.com

Risk Evaluation ChartRisk Evaluation Chart

Credit Card/Debit Card Processors

Underwriting

Servicing

Indirect Lending

Member Business Lending

CollectionsLending:

LowModerateHigh*

* No set formula for qualifying high risk

kaufCAN.com

Risk Evaluation ChartRisk Evaluation ChartLowModerateHigh*

Check Printers/Statement Printers

Data Processing

Internet Banking

Website Development, Hosting, Maintenance

Web-Linking

SecurityInformation Technology:

* No set formula for qualifying high risk

kaufCAN.com

Risk Evaluation ChartRisk Evaluation Chart

Facility Maintenance & ConstructionOther:

Health & Retirement

Record Storage

Investments

ALM

Payroll

Compliance

Legal

Marketing

AuditsOperations:

LowModerateHigh*

* No set formula for qualifying high risk

kaufCAN.com

Vendor Management Policy Vendor Management Policy

Implement a risk-based policy that is deployed uniformly throughout the credit union that:

1. addresses selecting the best vendor2. requires a written agreement3. enhances due diligence performance4. defines risks, levels and types of risk5. defines approval requirements6. outlines internal responsibilities7. defines vendor review requirements and frequency

kaufCAN.com

Vendor Management PolicyVendor Management Policy

• Use the best practices in selecting a vendor for a specific task based on the policy

• Develop an RFP• Submit the RFP to multiple vendors• Require a confidentiality agreement from vendors• Look at hidden costs and privacy issues• Select a vendor• Review the agreement

kaufCAN.com

Contract Issues and Legal Contract Issues and Legal Review Review

• Careful review of the contract and understanding of the legal issues relevant to the third-party relationship

• Qualified "external" legal counsel to review prospective third-party arrangements and contracts

• Legal review must be independent and the reviewer must have necessary experience

• Contract terms may not adversely impair credit union's safety and soundness

kaufCAN.com

Contract Issues and Legal Contract Issues and Legal ReviewReview

Contract questions and legal review• Data security and member confidentiality including testing and

audit• Who owns the data?• Do you have a right to audit the vendor?• What disaster recovery plan does the vendor have in place?• Will the vendor use subcontractors?• Where is the work performed?• Disaster recovery and contingency planning?• Regulatory requirements such as Gramm-Leach-Bliley, privacy,

BSA, etc.?

kaufCAN.com

Contract Issues and Concerns Contract Issues and Concerns ––A Checklist A Checklist

• Ownership, control, maintenance and access to financial operating records

• Ownership of servicing rights• Audit rights and requirements

including who pays• Data security and member

confidentiality• Business resumption or

contingency planning• Describe the scope of the

arrangement, services to be offered and activities authorized

• Performance reports and frequency

• Penalties for lack of performance

• Handling member complaints and member service

• Compliance with regulatory requirements

• Dispute resolution process• Contract default, termination

and escape clauses

kaufCAN.com

Another Nugget Another Nugget

• Include the RFP and all marketing materials and presentations as an exhibit to the contract

• Agreement Dates – make sure the dates correlate to the credit union's overall strategy and future growth

• Performance start date• Process for contract amendments• Agreement expiration date• Automatic renewal clause• Re-negotiation start date• Termination with cause• Termination without cause• Risk measurement, monitoring and control• BOTTOM LINE: Where is your credit union today?

kaufCAN.com

Risk Management & Risk Management & MonitoringMonitoring

kaufCAN.com

Risk Measurement & Monitoring Risk Measurement & Monitoring

1. Set up a program to measure/monitor risk of third-party vendor relationships and report findings to management.

2. Measure third-party vendor performance in terms of profitability, benefit and service delivery.

3. Set up internal controls sufficient to assist in the measurementand monitoring of third-party vendor risk.

4. Remember, a credit union is always responsible for continued safety and soundness of outsourced functions.

5. Create an oversight program to monitor each third-party vendor's internal controls, condition and performance.

6. Assign responsibility for oversight to personnel with "appropriate expertise" to monitor and manage each third-party vendor relationship.

kaufCAN.com

Two Brands of Control Systems Two Brands of Control Systems & Reporting & Reporting

• VendorTrack by CUNA• VendorXpert by Sydel Corporation

kaufCAN.com

kaufCAN.com

kaufCAN.com

kaufCAN.com

kaufCAN.com

kaufCAN.com

VendorXpertVendorXpert TMTM

By Sydel Corporation

kaufCAN.com

kaufCAN.com

kaufCAN.com

kaufCAN.com

SydelSydel CorporationCorporation

Moving Financial Institutions with Dynamic Xpert Soltuions

Antonio Gonzalez, CPAagonzalez@sydelcorp.com

305-569-0400 ext. 11

kaufCAN.com

kaufCAN.com

Due Diligence Due Diligence A Necessity in a New EnvironmentA Necessity in a New Environment

E. Andrew Keeney, Esq.Kaufman & Canoles, P.C.