Third Party Vendor Due Diligence
As the prudential regulators are slated to testify this week on Capitol Hill, we thought it would be a good opportunity to discuss third-party vendor due diligence and how credit unions should manage their relationships with third-party service providers to control the associated risks. This is likely the last opportunity for Chairman Todd Harper to testify on third-party vendor authority, so let's dive right in.
The NCUA, FFIEC and CFPB all expect credit unions to manage third-party relationships to control the associated risks. NCUA’s Letter to Credit Unions 2007-13 and its enclosed Supervisory Letter 07-01 are the key resources of vendor management guidance for credit unions. These resources outline the three major concepts that should be addressed in evaluating all third-party arrangements:
- Risk Assessment and Planning;
- Due Diligence; and
- Risk Measurement, Monitoring, and Controls.
As noted in the Letter, the elements mentioned above should all be commensurate with a credit union's size, complexity and risk profile.
Additionally, the FFIEC has issued its Outsourcing Technology Services booklet as part of its IT Examination Handbook Infobase. This examination guidance discusses the specific expectations for outsourcing technology services including the same contract terms addressed by NCUA, but with much more detail. There is also a section on Board and Management Responsibilities which states:
“The responsibility for properly overseeing outsourced relationships lies with the institution's board of directors and senior management… An effective outsourcing oversight program should provide the framework for management to identify, measure, monitor, and control the risks associated with outsourcing. The board and senior management should develop and implement enterprise-wide policies to govern the outsourcing process consistently.”
The CFPB has also released Bulletin 2012-03, which defines its expectations for third-party relationships regarding those institutions and service providers it supervises directly. The Bureau requires financial institutions to include in any contract clear expectations about compliance with consumer regulations and enforceable consequences for violating any compliance-related responsibilities. It also addresses UDAAP considerations for business arrangements with service providers. The bulletin was amended and reissued as Bulletin 2016-02.
A common theme among all the regulators and resources noted above is the importance of a proper risk assessment, which requires due diligence in third-party relationships. This requires consideration of how the relationship may affect the credit union. There is no single way to perform due diligence, but it should be tailored to the complexity of the third-party relationship and may consist of reasonable alternative procedures to accomplish acceptable risk mitigation. A general rule of thumb is that less complex vendors will typically require less analysis and documentation, since those relationships are less critical to the core services and thus pose a lower risk to the credit union, whereas more complex vendor relationships are riskier because they are more essential to the daily functions of the credit union's core services. Consequently, if the due diligence performed does not warrant a contract because the risk is minimal, a credit union could still be compliant as long as the third-party relationship is covered by reasonable alternative procedures that accomplish acceptable risk mitigation.
In other news, please see the two links below that may provide some helpful insight into the potential changes to the CFPB under the new Trump administration:
• What Lies Ahead for the CFPB as Trump 2.0 Takes Shape?
• Trump 2.0: Potential CFPB Changes in 2025 | McGlinchey Stafford PLLC