Due Diligence: A Necessity in a New Environment
DESCRIPTION
Authored by Andy Keeney, a partner with Kaufman & Canoles, this presentation discusses the due diligence issues confronting credit unions.
TRANSCRIPT
kaufCAN.com
Due Diligence
A Necessity in a New Environment
E. Andrew Keeney, Esq.
Kaufman & Canoles, P.C.
E. Andrew Keeney, Esq.
Kaufman & Canoles, P.C.
150 West Main Street, Suite 2100
Norfolk, VA 23510
(757) 624-3153
Why Are We Doing This?
• Credit unions rely on third parties more than ever for member services
• Current agreements are not credit union friendly or are otherwise obsolete
• Regulatory authority
• Vendor horror stories
• The due diligence process
Future Planning, Financial Health
Survival
Vendor Management – It's No Longer a Choice
• Federal guidelines and expectations
• Risk classifications
• Prevent fraud and safeguard data
• Mitigate risks
• The unknown
• BOTTOM LINE: NCUA mandates it
Do your homework on your vendors!
A Few 2009 Horror Stories
• Being fooled by demos and vaporware
• Building or branch complete but windows leak
• Failure to interview target company's existing customers and ask about the litigation
• $140 million mortgage fraud
• Improper invoices
• Breach of member privacy
• Failure to appropriately protect intellectual property and website
• Unable to cancel a vendor contract
Goals This Morning
• Light the way
• Make sure your credit union is not on the list of horror stories for 2010
GOLD NUGGETS of help
NCUA – Minimum Procedures for Credit Unions
• NCUA Letter 01-CU-20 issued in November of 2001 addressing the failure to exercise proper due diligence before entering into a relationship with a vendor or failing to set up proper controls and monitor performance
• NCUA Letter 07-CU-13 issued December 2007 giving examiners a framework for reviewing third-party relationships
• Weblinking Relationships 03-CU-08
NCUA – Minimum Procedures for Credit Unions
• NCUA Exam Questionnaire of April 14, 2008
  – Risk assessment and planning
  – Effective due diligence
  – Risk measurement, monitoring and control
• Longstanding history of regulatory guidance for third-party vendor due diligence
  – Information System Vendor Reviews 98-CU-11
  – Risk Based Lending 99-CU-05
• NCUA . . . "Credit unions are ultimately responsible for establishing internal controls and audit functions reasonably sufficient to assure them that third parties are appropriately safeguarding member assets, producing reliable reports and following the terms of the third-party arrangement. Additionally, credit unions should tailor internal controls as necessary to ensure staff observes policy guidance for third-party relationships. Examiners should ensure credit unions have on-going risk management procedures with regard to any material third-party relationship."
Who ARE Credit Union Vendors?
Lending:
• Collections
• Member Business Lending
• Indirect Lending
• Servicing
• Underwriting
• Credit Card/Debit Card Processors
Information Technology:
• Security
• Web-Linking
• Website Development, Hosting, Maintenance
• Internet Banking
• Data Processing
• Check Printers/Statement Printers
Who ARE Credit Union Vendors?
Operations:
• Audits
• Marketing
• Legal
• Compliance
• Payroll
• ALM
• Investments
• Record Storage
• Health & Retirement
Other:
• Facility Maintenance & Construction
Policy Questions and Issues for Credit Unions
• Does the third-party relationship complement overall mission and philosophy?
• What internal controls are required for safety and soundness?
• What are the expectations?
• Is the staff qualified to manage and monitor the third-party relationship?
• Impact on membership?
• What is the exit strategy?
Risk Assessment
Potential Risks to Consider
1. Strategic Risk: Risk arising from making the wrong business decision, including failing to make business decisions that are consistent with the credit union's strategic plan.
2. Reputation Risk: Risk arising from negative member and public opinion of the credit union, either as the result of poor service or as the result of bad publicity in the media.
3. Operational Risk: Risk of loss stemming from: inadequate or failed internal controls, credit union employees, information or other systems, or from external events.
4. Transaction Risk: Risk arising from problems with delivery of products or services (especially important in core processing, card processing, wire transfer, and indirect lending relationships).
Potential Risks to Consider
5. Credit Risk: Risk that the third party (or any other creditor-party necessary to the third-party relationship, such as your insurance company's reinsurer) is financially unable to meet the terms of its contract with the credit union or is otherwise financially unable to perform its duties.
6. Compliance Risk: Risk arising from violations of statutes or regulations, or from noncompliance with the credit union's policies, procedures, or business standards.
7. Interest Rate Risk: Risk arising from changes in interest rates, especially short-term versus long-term interest rates (e.g., an inverted yield curve).
8. Liquidity Risk: Risk arising from holding non-liquid assets when the credit union experiences cash flow difficulties.
9. Other Risks: Such as price risk, foreign currency exchange risks, political instability abroad, etc.
Some Common Red Flags
• Hearing the great sales pitch
• Being ahead of your time
• Making or saving tons of money
• Doing business with relatives or friends
• Unanswered questions
• Failure to benefit both parties
• They are taking care of it
• Too good to be true
• Failure to include schedules in a contract
The Regrets
1. Have only one person at the credit union responsible for due diligence
2. Choose a vendor only because several other credit unions use the company
3. Rely on the vendor to manage the credit union's data, without stringent oversight
4. Don't conduct due diligence review because the vendor is a small company
5. Assume outsourcing will save money without a thorough cost analysis
The First Nugget
1. Know your primary goal
2. Know your expectations and desired results
3. Know your due diligence analysis standards
4. Know your vendor
5. Know your costs
6. Know your data
7. Know your internal operations
8. Know your monitoring costs
Steps for Success
Know your risks
Risk Assessment
• Has the credit union evaluated the costs of monitoring and providing support to the third-party program?
  – Staffing
  – capital expenditures
  – Communications
  – technological investment
• Is the credit union monitoring their third-party relationships?
• Require full due diligence reviews for any vendor that has access to:
  – member information
  – employee data
  – institution networks
  – or for any vendor that provides services critical to maintaining operations
Due Diligence – Background Check
• Check usual sources regarding reputation
• Google
• Ask for and check references
• Ask about lawsuits against the company or its principals/partners
• Are required licenses or certifications current?
• Gold Nugget: GOAL – know who you are dealing with
Risk Evaluation Chart
Low | Moderate | High*
Lending:
• Collections
• Member Business Lending
• Indirect Lending
• Servicing
• Underwriting
• Credit Card/Debit Card Processors
* No set formula for qualifying high risk
Risk Evaluation Chart
Low | Moderate | High*
Information Technology:
• Security
• Web-Linking
• Website Development, Hosting, Maintenance
• Internet Banking
• Data Processing
• Check Printers/Statement Printers
* No set formula for qualifying high risk
Risk Evaluation Chart
Low | Moderate | High*
Operations:
• Audits
• Marketing
• Legal
• Compliance
• Payroll
• ALM
• Investments
• Record Storage
• Health & Retirement
Other:
• Facility Maintenance & Construction
* No set formula for qualifying high risk
Vendor Management Policy
Implement a risk-based policy that is deployed uniformly throughout the credit union that:
1. addresses selecting the best vendor
2. requires a written agreement
3. enhances due diligence performance
4. defines risks, levels and types of risk
5. defines approval requirements
6. outlines internal responsibilities
7. defines vendor review requirements and frequency
Vendor Management Policy
• Use the best practices in selecting a vendor for a specific task based on the policy
• Develop an RFP
• Submit the RFP to multiple vendors
• Require a confidentiality agreement from vendors
• Look at hidden costs and privacy issues
• Select a vendor
• Review the agreement
Contract Issues and Legal Review
• Careful review of the contract and understanding of the legal issues relevant to the third-party relationship
• Qualified "external" legal counsel to review prospective third-party arrangements and contracts
• Legal review must be independent and the reviewer must have necessary experience
• Contract terms may not adversely impair credit union's safety and soundness
Contract Issues and Legal Review
Contract questions and legal review
• Data security and member confidentiality including testing and audit
• Who owns the data?
• Do you have a right to audit the vendor?
• What disaster recovery plan does the vendor have in place?
• Will the vendor use subcontractors?
• Where is the work performed?
• Disaster recovery and contingency planning?
• Regulatory requirements such as Gramm-Leach-Bliley, privacy, BSA, etc.?
Contract Issues and Concerns – A Checklist
• Ownership, control, maintenance and access to financial operating records
• Ownership of servicing rights
• Audit rights and requirements including who pays
• Data security and member confidentiality
• Business resumption or contingency planning
• Describe the scope of the arrangement, services to be offered and activities authorized
• Performance reports and frequency
• Penalties for lack of performance
• Handling member complaints and member service
• Compliance with regulatory requirements
• Dispute resolution process
• Contract default, termination and escape clauses
Another Nugget
• Include the RFP and all marketing materials and presentations as an exhibit to the contract
• Agreement Dates – make sure the dates correlate to the credit union's overall strategy and future growth
• Performance start date
• Process for contract amendments
• Agreement expiration date
• Automatic renewal clause
• Re-negotiation start date
• Termination with cause
• Termination without cause
• Risk measurement, monitoring and control
• BOTTOM LINE: Where is your credit union today?
Risk Management & Monitoring
Risk Measurement & Monitoring
1. Set up a program to measure/monitor risk of third-party vendor relationships and report findings to management.
2. Measure third-party vendor performance in terms of profitability, benefit and service delivery.
3. Set up internal controls sufficient to assist in the measurement and monitoring of third-party vendor risk.
4. Remember, a credit union is always responsible for continued safety and soundness of outsourced functions.
5. Create an oversight program to monitor each third-party vendor's internal controls, condition and performance.
6. Assign responsibility for oversight to personnel with "appropriate expertise" to monitor and manage each third-party vendor relationship.
Two Brands of Control Systems & Reporting
• VendorTrack by CUNA
• VendorXpert by Sydel Corporation
VendorXpert™
By Sydel Corporation
Sydel Corporation
Moving Financial Institutions with Dynamic Xpert Solutions
Antonio Gonzalez, [email protected]
305-569-0400 ext. 11