RB 2018-01 Guidance on Managing Third-Party Risk

February 6, 2018

INTRODUCTION

Credit unions often rely upon third parties to perform a wide variety of services and other activities. A credit union’s board of directors and senior management are ultimately responsible for managing activities conducted through third-party relationships, and identifying and controlling the risk arising from such relationships, to the same extent as if the activity were handled within the credit union. This guidance applies to any of a credit union’s third-party arrangements, and is intended to be used as a resource for implementing a third-party risk management program.

A credit union should consider the principles addressed in this guidance and ensure that appropriate procedures are in place, taking into account the complexity and risk potential for each of its third-party relationships. The precise use of a risk management process will be dependent upon the nature of the third-party relationship, the scope and magnitude of the activity, and the risks identified. These guidelines should not be considered a set of mandatory procedures, but each credit union should ensure that sufficient procedures and policies are implemented to control the risk associated with a particular third-party relationship.

There are numerous risks that may arise from a credit union’s use of third parties.  Some of the risks are associated with the underlying activity itself, similar to the risk faced by a credit union directly conducting the activity.  Other potential risks arise from, or are heightened by, the involvement of a third party.  Failure to manage these risks can expose a credit union to regulatory action, financial loss, litigation and reputation damage, and may even impair the credit union’s ability to serve members.

Risk Management Process

The key to the effective use of a third party in any capacity is for the credit union to appropriately assess, measure, monitor, and control the risks associated with the relationship.  While utilizing another entity may assist senior management and the board in achieving strategic goals, such an arrangement reduces the credit union’s direct control.  Therefore, the use of a third party increases the need for oversight of the process.  This guidance suggests four main elements of an effective third-party risk management process: (1) risk assessment, (2) due diligence in selecting a third party, (3) contract structuring and review, and (4) oversight.

Risk Assessment

Risk assessment is fundamental to the initial decision of whether to enter into a third-party relationship.  The first step in the risk assessment process should be to ensure that the proposed relationship is consistent with the credit union’s strategic plan and overall business strategy. Next, a credit union should analyze the benefits, costs, legal aspects, and potential risks associated with the third party under consideration.  It is important for the credit union to develop a thorough understanding of what the proposed relationship will accomplish for the institution, and why the use of a third party is in its best interests.  A risk/reward analysis should be performed for significant matters, comparing the proposed third-party relationship to other methods of performing the activity or product offering, including the use of other vendors or performing the function itself.

This phase should also identify performance criteria, internal controls, reporting needs, and contractual requirements that would be critical to the ongoing assessment and control of specific identified risks.  In addition, the credit union should carefully estimate the long-term financial effect of the proposed third-party relationship.  The credit union should consider all aspects of the long-term potential of the relationship, as well as the managerial expertise and other associated costs that would result from the decision to use a third party, and not be unduly influenced by short-term cost savings.

Due Diligence in Selecting a Third Party

Following an assessment of risk and a decision to proceed with a plan to establish a third-party relationship, the credit union must select a qualified entity to implement the activity or program.  The due diligence process provides the credit union with the information needed to address qualitative and quantitative aspects of potential third parties to determine if a relationship would help achieve the credit union’s strategic and financial goals and mitigate identified risks.  Due diligence should not only be performed prior to selecting a third party, but it should also be performed periodically during the course of the relationship, particularly when considering a renewal of a contract.

The scope and depth of due diligence is directly related to the importance and magnitude of the credit union’s relationship with the third party.  Significant or highly visible programs that are integral to the credit union’s success warrant in-depth due diligence of the potential third party, while the due diligence process for isolated, low-risk third-party activities can be much less comprehensive.

Contract Structuring and Review

After selecting a third party, a credit union should ensure that the specific expectations and obligations of both the credit union and the third party are outlined in a written contract prior to entering into the arrangement.  Board approval should be obtained prior to entering into any material third-party arrangements.  Appropriate legal counsel should also review significant contracts prior to finalization.

Scope.  At a minimum, the contract should clearly set forth the rights and responsibilities of each party to the contract, including:

  • Timeframe covered by the contract.
  • Frequency, format, and specifications of the services or products to be provided.
  • Requirement that the third party comply with all applicable laws, rules, regulations, and regulatory guidance.
  • Authorization for the credit union and the Department to have access to such records of the third party as are necessary or appropriate to evaluate compliance with laws, rules, and regulations.
  • Insurance coverage to be maintained by the third party.
  • Authorization for the credit union to monitor and periodically review the third party for compliance with its agreement.

Cost.  The contract should outline the fees to be paid, variable charges, and any fees to be paid for nonrecurring items or special requests.  Also, the party responsible for payment of any legal, audit, or regulatory expenses should be identified.

Audit.  In addition to the types and frequency of audit reports that the credit union is entitled to receive from the third party, the contract should also specify the credit union’s right to audit the third party as needed to monitor performance under the contract.  If material to the arrangement, specific internal controls to be maintained by the third party should be defined in the contract.

Confidentiality and Security.  The contract should prohibit the third party and its agents from using or disclosing the credit union’s information, except as necessary to perform the functions designated by the contract.  Any nonpublic personal information on the credit union’s members must be handled in a manner consistent with the credit union’s own privacy policy and in accordance with applicable privacy laws, regulations, and rules.  Any breach of the security or confidentiality of that information, whether at the third party or at its agents, should be required to be fully and promptly disclosed to the credit union.

Business Resumption and Contingency Plans.  The contract should address the third party’s responsibility for continuation of services provided for in the contractual arrangement in the event of an operational failure, including both man-made and natural disasters.  The third party should have appropriate protections for backing up information and also maintain disaster recovery and contingency plans with sufficiently detailed operating procedures.  Results of testing of these plans should be provided to the credit union.

Default and Termination.  To mitigate risk associated with contract default and/or termination, the contract should address both issues.  The contract should specify what circumstances constitute default, identify remedies, and allow for a reasonable opportunity to cure a default.  Similarly, termination rights should be identified in the contract, especially for material third-party arrangements and relationships involving rapidly changing technology or circumstances.  Return of the credit union’s data and records should also be addressed.

Indemnification.  Incorporating indemnification provisions into a contract may reduce the potential for the credit union to be held liable for claims arising from the third party’s negligence.  Such provisions, however, cannot shift to third parties the credit union’s ultimate responsibility to conduct credit union business and related activities in a safe and sound manner, and in compliance with laws, regulations, rules, and sound credit union principles.

Limits on liability.  A third party may wish to contractually limit the amount of liability that it could incur because of the relationship with the credit union.  Before entering into such a contract, the credit union should carefully consider whether the proposed damage limitation is reasonable compared to the amount of loss the credit union could experience should the third party fail to adequately perform.

Oversight

A credit union should maintain adequate oversight of third-party activities and adequate quality control over the products and services provided through third-party arrangements to minimize exposure to potential significant financial loss, reputation damage, and supervisory action.  As part of this process, the credit union should periodically review the third party’s operations and verify that its processes are consistent with the terms of the contract and that risks are being controlled.

An oversight program will generally include monitoring of the third party’s quality of service, risk management practices, financial condition, and applicable controls and reports. Results of oversight activities for material third-party arrangements should be periodically reported to the credit union’s board.  Any identified weaknesses should be documented and promptly addressed.

Department Supervision of Third-Party Relationships

The Department reviews a credit union’s management of third-party relationships in the context of the normal supervisory process.  The principal focus of supervisory efforts is the review of management’s record and process of assessing, measuring, monitoring, and controlling risks associated with a credit union’s significant third-party relationships.  The depth of examination review will depend upon the scope of activity conducted through or by the third party and the degree of risk associated with the activity and relationship.

Review of third-party relationships contributes to the Department’s overall evaluation of management and its ability to effectively control risks.  Additionally, the use of third parties could impact other key aspects of performance, such as earnings, asset quality, liquidity, rate sensitivity, and the credit union’s ability to comply with laws, rules, and regulations.  Findings and material observations resulting from the review of the credit union’s third-party relationships will be addressed as needed in the Report of Examination.  Appropriate corrective action may be required for deficiencies related to a third-party relationship that pose a safety and soundness or compliance concern, or result in a violation of applicable Federal or State laws.

Summary

Third-party relationships can be invaluable to a credit union and its members.  Properly managed third-party relationships can allow credit unions to accomplish strategic objectives through increased member service, competitiveness, and economies of scale.  The Department’s role is not to stifle the innovative use of third-party relationships; however, outsourcing critical credit union functions increases the risk inherent in those functions.  The Department’s goal is to ensure credit unions clearly understand the risks they are undertaking and balance and control those risks, considering the credit union’s safety and soundness and compliance with applicable laws.

Resources

The concepts and principles set forth in this Regulatory Bulletin were partly derived and adapted from guidance previously issued by the National Credit Union Administration and other federal regulatory agencies, including the following:

National Credit Union Administration.  Letter to Credit Unions 00-CU-11, Risk Management of Outsourced Technology Services.  Dec. 2000.

National Credit Union Administration.  Letter to Credit Unions 01-CU-20, Due Diligence Over Third Party Service Providers.  Nov. 2001.

National Credit Union Administration.  Supervisory Letter 07-01, Evaluating Third Party Relationships.  Oct. 2007.