Third Party Evaluation - Illinois Credit Union League

EVALUATING THIRD PARTY RELATIONSHIPS
Date reviewed by Board of Directors_______________________
INTRODUCTION
It is the responsibility of the credit union Board of Directors and Senior Management to safeguard
member assets, and manage the credit union’s affairs to ensure a sound operation. As member
product choices expand, the credit union is increasingly reliant on services provided by other
entities to support these products. While outsourcing to affiliated or nonaffiliated entities can
help the credit union take advantage of economies of scale, obtain necessary expertise, enhance
member services, keep pace with the latest technology, and reach new members, it also
introduces risks that the credit union must address. Therefore, the credit union is obligated to
assess how the outsourcing arrangement will support the credit union’s objectives and strategic
plans and how the service provider’s relationship will be managed. Without an effective risk
assessment phase, outsourcing a service may be inconsistent with the credit union’s strategic
plans, too costly, or introduce unforeseen risks.
See Appendix A for several specific examples of third party relationships.
NOTE: The extent of oversight of a particular third-party relationship will depend upon the
potential risks and the scope and magnitude of the arrangement.
DEFINITIONS
• SOC REPORT
There are three types of SOC Reports. A SOC 1 is most similar to the former SAS 70
report, and is constructed for financial transaction processing. SOC 2 is constructed to
certify confidentiality, security and privacy of hosted systems and the data they store.
SOC 3 includes similar testing processes as a SOC 2, but provides less detailed results.

RISK ASSESSMENT
As a component of third party evaluation, it involves identification, evaluation, and
estimation of the levels of risk involved, and determination of an acceptable level of risk.
For credit unions, all seven areas of risk should be considered (Credit, Interest Rate,
Liquidity, Transaction, Compliance, Strategic and Reputation).
Credit - The risk that a third party, or any other organization necessary to the third-party
relationship, is unable to meet the terms of the contractual arrangements with the
credit union or to otherwise financially perform as agreed.
Interest Rate and Liquidity - The risk that processing errors related to investment
income or repayment assumptions could lead to unwise investment or liquidity decisions
thereby increasing market risk.
Transaction - A third party’s failure to perform as expected by members or the credit
union due to reasons such as inadequate capacity, technological failure, human error, or
fraud, exposes the credit union to transactional risk.
Compliance - The risk arising from violations of laws, rules, or regulations, or from
noncompliance with internal policies or procedures or with the credit union’s business
standards.
Strategic - The failure to implement appropriate business decisions in a manner that is
consistent with the credit union’s strategic goals. The use of a third party to perform
credit union functions or to offer products or services that do not help the credit union
achieve strategic goals and provide an adequate return on investment exposes the credit
union to strategic risk.
ICUL/js
page 1 of 19
Reputation - Third-party relationships that result in dissatisfied members, interactions
not consistent with credit union policies, inappropriate recommendations, security
breaches resulting in the disclosure of member information, negative publicity, and
violations of laws and regulations are all examples that could harm the reputation and
standing of the credit union in the community and with the members it serves.
This policy follows guidance provided by the National Credit Union Administration, Federal Financial
Institution Examination Council, Other Government Resources, and CUNA.
PURPOSE
The purpose of the Third-Party Evaluation Program is to provide procedures for the selection and
retention of third-party providers. The program will address the following elements:
1. Risk Assessment and Planning
2. Effective Due Diligence Reviews
3. Measuring, Monitoring, and Controlling
1. RISK ASSESSMENT AND PLANNING
• Risk Assessment
Prior to engaging in a third party relationship, the administrator will secure the
completion of a written due diligence assessment (Appendix B). The assessment
will consider the seven key risk areas, and more specifically the following:
o Expectations of any arrangement – The credit union will clearly define
the nature and scope of its needs. Which needs will the third party
meet? Will the third party be responsible for desired results? To what
extent?
o Staff Expertise – Is credit union staff qualified to manage and monitor
the third-party relationship? How much reliance on the third party will
be necessary?
o Criticality of Function – How important is the activity to be outsourced?
Is the activity mission critical? What other alternatives exist?
o Cost-Benefit – Does the potential benefit of the arrangement outweigh
the potential risks or costs? Will this change over time?
o Insurance Requirements – Will the arrangement create additional
liabilities? Is the credit union’s insurance coverage sufficient to cover the
potentially increased liabilities? Will the third party carry “key-man”
insurance or other insurance to protect the credit union?
o Member Impact – How will officials gauge the positive or negative
impacts of the arrangement on credit union members? How will they
manage member expectations?
o Exit Strategy – Is there a reasonable way out of the relationship if it
becomes necessary to change course in the future? Is there another
party that can provide any services officials deem critical?
• Planning
Prior to establishing a relationship with a third party provider, the credit union
will:
o Determine whether the proposed activities are consistent with and
complement the credit union’s overall mission and philosophy, as well as
the credit union’s strategic plan and long-term goals.
2. DUE DILIGENCE
NOTE: Appendix C, as applicable, will serve as a guide for the administrator throughout the
due diligence process. When performing due diligence on mortgage brokers and
correspondents, the administrator will make use of Appendix D as well.
• Financial Projections
The credit union will project the likely financial consequences of the proposed third
party arrangement, considering expected revenues, intangible benefits, direct
costs, indirect costs, and how each of these factors may change under different
economic and operational conditions.
• Background Check
Prior to entering into a third party arrangement the credit union will fully
understand how the third party has performed by:
o Requesting and securing referrals from clients and other sources, if
applicable.
o Considering the third party’s past experience.
o Ensuring the third party and its agents hold the required licenses and
certifications.
o Reviewing past legal concerns, if applicable.
o Checking with the:
  • Better Business Bureau
  • Federal Trade Commission
  • State Attorney General’s Office
  • Credit Reporting Agencies
  • State Consumer Affairs Offices
• Business Model
Before entering into a third party arrangement the administrator will thoroughly
understand the third party’s business model, and be able to explain the third
party’s:
o Role in the proposed arrangement, and the vendor’s business plan
o Responsibilities of both the credit union and the vendor
o Sources of income and expenses, considering any potential conflicts of
interest
o Business affiliates, if any, and their purpose and function
• Cash Flows/Accounting
While analyzing the third party arrangement the administrator will:
o Understand how cash flows (both incoming and outgoing) move between
the member, third party, and credit union.
o Independently verify the source of these funds
o Match cash flows to individual accounts
o Understand completely the accounting for the particulars of the new
product or service
o Ensure compliance with generally accepted accounting principles (GAAP)
o Obtain CPA guidance if necessary
• Financial, Technology, and Operational Control Review
NOTE: The depth of the financial, technological and operational review will vary
depending on the scope and importance of the outsourced services as well as the
risk to the credit union from these services.
The administrator will carefully analyze the condition of third parties and their
closely related affiliates to ensure that the provider can financially and
operationally fulfill the contractual commitments proposed. Based on the scope
and magnitude of the arrangement, the analyses may include a review of:
o Outstanding commitments, capital strength, liquidity, operating results,
and off-balance sheet liabilities.
3/09
o Factors such as how long the service provider has been in business, and
the provider’s market share for a given service and how it has fluctuated.
o The significance of the credit union’s proposed contract on the service
provider’s financial condition.
o The service provider’s technological expenditures.
o The service provider’s most recent SOC report prepared by an
independent auditor, audit results, or regulatory reports, as well as
audited financial statements and ratings from nationally recognized
statistical rating organizations, if available.
o If applicable, reviews performed by independent third parties which
assess the security and control environment of the vendor.
o Executive summaries of penetration tests.
o Payment Card Industry Data Security Standard (PCI DSS) compliance reports.
o The service provider’s experience and ability to provide the necessary
services and supporting technology for current and anticipated needs.
o The adequacy of the service provider’s insurance coverage including
fidelity, fire, liability, data losses from errors and omissions, and
protection of documents in transit.
CONTRACTS
The administrator will take measures to ensure careful review and understanding
of the contract and legal issues relevant to third party arrangements. Generally,
contracts are complex and will require seeking qualified external legal counsel to
review the prospective third party arrangements and contract. At a minimum,
third party contracts will address the following:
o Scope of services;
o Performance standards;
o Pricing;
o Controls;
o Financial and control reporting;
o Right to audit;
o Ownership of data and programs;
o Confidentiality and security;
o Regulatory compliance;
o Indemnification;
o Limitation of liability;
o Dispute resolution;
o Contract duration;
o Restrictions on, or prior approval for, subcontractors;
o Termination and assignment, including timely return of data in a machine-readable format;
o Insurance coverage;
o Prevailing jurisdiction (where applicable);
o Regulatory access to data and information necessary for supervision; and
o Business Continuity Planning.
In addition, the administrator will review service level agreements to ensure they are
adequate and measurable, considering whether:
o Significant elements of the service are identified and based on the credit union’s
requirements;
o Objective measurements for each significant element are defined;
o Reporting of measurements is required;
o Measurements specify what constitutes inadequate performance; and
o Inadequate performance is met with appropriate sanctions, such as reduction in
contract fees or contract termination.
3. MEASURE, MONITOR AND CONTROL
The board has designated ______________________ (Administrator) to analyze,
oversee and control the quality of proposed and existing third party relationships. The
intensity of the analysis will be based on the complexity and history of the third-party
relationship.
Insurance Requirements. The administrator will make a thorough review of the credit
union’s insurance coverage, including the fidelity bond and policies covering such matters as
errors and omissions, property and casualty losses, and fraud and dishonesty, before
entering into any third party relationship.
Once under contract with a third party, the administrator will establish controls to ensure the
relationship is meeting its expectations and the third party is meeting its responsibilities.
Monitoring and reporting practices will be adopted commensurate with the complexity
and importance of the contracted services.
The administrator will provide to the board, semi-annually or more frequently if
necessary, a third party performance review (Appendix E) that will include, at a
minimum:
o Comparison of program performance to expectations;
o Verification that all parties to the arrangement are fulfilling their responsibilities;
o Confirmation of financial condition and operations review of the third party;
o An assessment of quality of service and support;
o Verification of contract compliance;
o Identification of any need to revise the contract;
o Confirmation of the third party’s business resumption review;
o Confirmation of attendance at, or participation in, user group sessions, if
applicable;
o Confirmation that credit union infrastructure (staffing, equipment, technology,
etc.) is sufficient to monitor the performance of the third party relationship; and
o Verification that designated staff are qualified and responsible for understanding
the third party arrangement.
The administrator will prepare and retain a list of all third-party relationships, and
determine the critical nature, and potential issues, of the service provided by the
particular third party. Further, the administrator will oversee the third party relationship
to regularly monitor performance and compliance with contracts (Appendix F).
APPENDIX A: EXAMPLES OF THIRD PARTY SERVICE PROVIDERS
• Data processing system
• Online banking provider
• Billpayer provider
• Communication system provider
• Loan system provider
• Member Business Lending
• Mortgage Lending
• Mortgage brokers
• Loan participations
• Statement processor
• Insurance/bond provider
• Collection agencies
• Office equipment lessor/service provider
• Security systems providers
• Cleaning service
• HVAC service provider
• General contractors or other contractors for projects in excess of $____________
• Check provider
• Travelers check/card provider
• Money order provider
• Forms printer/provider
• Hardware provider (ATM machines, PCs, servers, phone system, etc.)
• Investment broker
• Check cashing services
• Accounting/bookkeeping functions
• Shred companies
• IDAs
• Financial education
• Remittance services
• Micro-enterprise lending
• IRS Volunteer Income Tax Assistance (VITA)
• Partnership with community center
• Partnership with larger credit union
• Auditing and Management Consulting Services
• Asset Liability Management
• BSA and OFAC
• Plastic card services
• ____________________________________
• ____________________________________
• ____________________________________
• ____________________________________
• ____________________________________
• ____________________________________
• ____________________________________
• ____________________________________
APPENDIX B: DUE DILIGENCE ASSESSMENT (COMPREHENSIVE)
You may deliver this document (in whole or in part) to a credit union third party supplier. Keep in mind, applying the same due diligence
assessment to all vendors is likely inappropriate. The concerns listed below should be tailored to the complexity of the specific third party
relationship being reviewed. For example, credit unions will likely evaluate a core processor differently than a cash delivery service.
Note: This appendix is based in large part on material presented by CUNA CFO Council.
(Columns: Due Diligence Issue | Comment)
Corporate Information
o Overview of company’s corporate structure.
o Operating agreement and corporate structure (including an explanation of the relationship between your parent company and subsidiaries).
o Owners (holding over 10%) and directors.
o Organizational charts (high-level) and key management resumes.
o Complete list of current credit union clients.
o List of any state or trade associations your company is currently “endorsed” by.
o User references (including contacts and phone numbers for credit union users).
o Summary of pending or threatened litigation, claims, or suits.
o Proof of liability and property insurance.
o Listing of relevant contracts with third-party vendors, consultants, resellers, independent contractors, etc.
o Strategic business plans (current and future), including succession planning.
o Business resumption contingency plans.
Financial Information
o Annual reports, including year-end financial statements for the past three years (audited if available).
o Current financial statement.
o Has your company received any outside funding other than from stockholders? If so, please explain.
o Annual credit union sales: $
o Total annual sales: $
o Your company’s ranking in credit union market share for this product/service (i.e., 1st, 2nd, 3rd, etc.)?
Technical Overview
• Physical Security:
o Where is (are) your data center(s) located?
o Describe the physical security, disaster recovery, back up/redundancy, and prevention features of your data center.
o Who (including data center staff, other employees and vendors) has physical access to the host servers?
• Network Security:
o Are industry-standard firewalls deployed? Where are they deployed?
o How does your company keep the software for the firewalls current?
o Is administrative access to firewalls and other perimeter devices allowed only through secure methods or direct serial port access?
o What protocols and ports are allowed to traverse the network and firewall?
o Does your company use an intrusion prevention system (IPS)?
o Does your company use intrusion detection systems (IDSs)? How long are IDS logs kept?
o Are formal incident-response procedures in place, and are they tested regularly?
o Does your company engage third-party security service providers to perform ongoing vulnerability assessments?
o Does your company have a workflow diagram of the process for CU system failure? If so, please provide it.
• System Security:
o Are ongoing vulnerability assessments performed against the systems?
o Are file permissions set on a need-to-access basis only?
o How are operating systems kept up to date?
o How does your company keep abreast of software vulnerabilities?
o What is the procedure for installing software updates?
o Are audit logs implemented on all systems that store or process critical information? How often are these logs reviewed?
o What change management procedures are in place?
• Staff Security:
o What are the credentials of the systems administration staff?
o Has the systems administration staff undergone complete background and criminal checks?
o How long are the access logs retained for?
o Who reviews the logs?
o How many characters must a password have?
o Are alphanumeric passwords required?
o Are hosting staff onsite or on-call 24/7?
• Security Policy:
o Describe the user account and password policy.
o Are screen-blanking mechanisms deployed on all employee workstations?
o Do sessions automatically time out after an idle period?
o Are user accounts for contract personnel created with expiration dates?
o How are user accounts closed after termination?
• Software Overview (if possible, please send a copy or access to a demo):
o Please provide a description of any software that is required for credit unions to use in order to support your products/services.
o Is this software available in a network version?
o Does the software require an interface with our credit union’s core processing system?
• Privacy/Confidentiality of Data:
o How does your company protect the privacy of any member and/or account information that may be collected and maintained through this service?
o Are you SOC certified and/or ISO 17799 compliant?
o How is data integrity ensured?
o What checks are carried out on people who might have access to the data?
o Discuss all security features.
• Additional Technical Issues:
o Are all development software licenses current? Please provide a list of your development software licenses.
o Does your company utilize any third-party software development companies? If so, please explain.
o When was the software first released?
o When was the software last updated?
o How often are software updates/upgrades planned?
o Does the credit union pay for updates/upgrades?
o Please describe the levels of support (i.e. technical, customer, etc.) your company provides to participating credit unions.
o What methods would a credit union use to contact your company for support?
o How many staff positions are available to assist credit unions with support issues?
o What happens to the credit union’s data if they decide to terminate the service with your company?
Business Model
o Explain how your product/service satisfies a strategic need for credit unions.
o Describe your current sales process. How long is your sales cycle, on average? Provide samples of all sales materials (i.e., presentations, proposals, etc.).
o What are your growth expectations over the next five years?
o How would you define your company’s primary target market in the financial services industry? Please also include size of institution in terms of asset size and members.
o What tactics or activities do you currently use to generate sales leads? Provide a list of your top lead sources and the percentage of leads that are generated from each source.
o Who is your competition? What differentiates your company from its competition?
o What will your company provide under this possible alliance that others cannot?
o Provide a sample credit union agreement.
o Provide a list of any warranties/guarantees for your services.
o Describe the compliance guarantee offered to participating credit unions.
o In terms of the compliance guarantee, are there any limitations or legal restrictions by state?
o If violations are found, who is financially responsible?
o How is compliance with state and federal regulations ensured?
o How does this product/service comply with the Act(s) that regulate this product?
o Has the product been reviewed for compliance with any federal agencies and by any state regulatory authorities? If so, please provide supporting documentation.
o How is your product/service currently priced? Do you expect this pricing structure to change through an alliance relationship?
o Describe your current implementation process beginning at the point of receiving a signed agreement or purchase order for the product/service. Provide a typical project plan.
o Provide samples of any marketing and advertising materials that are used to promote the product/service to credit unions.
o Provide copies of all materials (deliverables) a credit union would receive as part of the service(s) (i.e., analyses, bids, etc.).
o Describe the training that is provided to any participating credit union.
o Is the training done on-site or remotely?
o Who is responsible for providing the training?
o Provide samples of the training materials.
o Describe the billing process.
o Why should your company be considered for a strategic alliance relationship with our CU?
APPENDIX C: DUE DILIGENCE OVER MORTGAGE BROKERS AND CORRESPONDENTS
Mortgage and Mortgage Related Products or Services
(Columns: Risk Description | Comment | Date Verified)
o Is the credit union adequately protected and are there adequate default, termination, and escape clauses?
o Are there agreements that the broker or originator will comply with all applicable laws, including safety and soundness regulatory standards applicable to credit unions?
o Does the agreement stipulate that best efforts will be made by originators to ensure loans offered to borrowers are consistent with their needs, objectives, and financial situation?
o Has a background check been performed on the business and on the key individuals involved in the transactions?
o Does the third party have a sound business model for long-term operations?
o Are you aware of who owns or has a controlling influence over companies providing related services to the broker or correspondent (e.g. appraisers, title companies, insurance companies, etc.)?
o Is the company’s cash flow adequate, and can they provide an independently audited financial statement?
o What are the sources of cash? Can the cash flow be verified? Are they complying with Generally Accepted Accounting Principles?
o Do they have sound internal controls to help prevent fraud and abuse, and to ensure compliance with consumer laws and regulations?
• IS THE CREDIT UNION AWARE:
o The broker or correspondent may be operating in their own best interests and not necessarily putting the interests of the credit union or the member first.
o Fees and yield spread premiums paid to the third parties may be excessive, and the existence of prepayment penalties may not be clear to the borrower at the time they obtain the loan, or may serve as a deterrent to refinancing early in the lending relationship should financial difficulties with the member occur.
o Loan fees, terms, and practices that are abusive or considered “predatory” could lead to significant legal, reputation, and other risks to the credit union.
o Loans obtained or retained with repayment based on a member’s stated income (i.e., unverified income) are high-risk loans, especially when the amount of income stated does not pass the reasonableness test.
o Control over the appraisal process can be compromised if the credit union is not obtaining the appraisals directly or is not closely monitoring the quality of completed appraisals.
o The broker or correspondent could structure the transactions to limit their liability. They may have no continuing liability after the credit union finalizes the loan or loan purchase.
o The broker or correspondent may not have the financial capability to continue operations over the long term or the ability to support any claims that may arise.
o Closed loan documents may not be reflective of written or verbal agreements.
o Product volume may develop at a level in excess of what the third party and/or the credit union can safely manage.
o Funding commitments may have to be honored despite developing concerns with the third-party relationship or the loan program in general.
• ARE COMPENSATORY CONTROLS IN PLACE WHEN DEALING WITH MORTGAGE BROKERS AND CORRESPONDENTS, TO ENSURE:
o Adherence to board established lending policies and risk parameters.
o A sufficient sample of loans underwritten by a broker or correspondent must be reviewed for compliance with board policies, applicable regulations, and written agreements to ensure that ongoing loan quality is maintained.
o Additional targeted loan reviews should be performed based on any performance concerns of a third party, such as increasing default rates, foreclosure rates, complaints, and higher than average fees charged to borrowers.
o Loan approval authority, in the use of a mortgage broker, is not delegated to the broker, and that all loan underwriting criteria and subsequent modifications are approved by the credit union.
o Broker and correspondent reports are accurate, timely, and contain sufficient detail to adequately monitor activity.
• CREDIT UNION MANAGEMENT, NOT THE BROKER OR CORRESPONDENT, HAS THE FIDUCIARY RESPONSIBILITY FOR DECIDING WHAT IS BEST FOR THE CREDIT UNION AND THE MEMBERSHIP. WITH THIS IN MIND, DOES THE CREDIT UNION UNDERSTAND COMPLETELY:
o Board established lending policies and procedures should be established to fit the product, with risk tolerance levels based on management analysis, established regulatory thresholds, and sound business rationale.
o Loan growth should be slow and controlled, activity should be within reasonable risk thresholds, and building a concentration in a particular loan type and/or in an unfamiliar geographic area should be avoided.
o Broker and correspondent relationships need to receive ongoing due diligence commensurate with the risk and complexity of those activities, regardless of whether the third party has a credit union affiliation, such as being part of a credit union service organization.
• DOES THE CREDIT UNION HAVE ADEQUATE AUDIT PROCEDURES AND CONTROLS IN PLACE TO VERIFY:
o Fees paid to third parties are legitimate.
o Mortgage applications are complete and do not contain fraud.
o Referral or unearned income or fees are legal and not contrary to RESPA prohibitions.
APPENDIX D: THIRD PARTY PERFORMANCE REVIEW
Name of Third Party Provider:
Product or Service:
Date:
(Columns: Performance Review | Yes/No | Comments)
o Has program performance met expectations?
o Are any revisions to the contract necessary?
o Are all parties fulfilling their responsibilities?
o Have financial statements been reviewed? Include date.
o Has the audit report been reviewed? Include date.
o Have there been any member complaints?
o Have there been any staff complaints?
o Have there been any performance or compliance issues?
o Has the third party provided an appropriate business resumption plan?
o Does staff need additional training?
o Is credit union infrastructure sufficient to monitor and perform activity as needed?
o Have appropriate personnel attended user group sessions? Include dates.
o Are there any issues that require immediate attention?
APPENDIX E: ADMINISTRATOR ASSESSMENT
Name of Third Party Provider:
Product or Service:
Date:
(Columns: Risk Description | Yes | Partially complete | No, but in progress | No | Not relevant | Risk rating)
Planning and Risk Assessment
o Did the credit union consider more than one third party?
o Does the third party relationship complement the credit union’s overall mission?
o Has the credit union obtained a completed risk assessment form?
o Has the cost/benefit analysis been completed and evaluated?
o Has the credit union determined the criticality of the activity to be outsourced?
o Has the credit union assessed the impact on membership?
o Has the credit union assessed the expectations of the third-party relationship?
o Has the credit union considered an exit strategy, including the availability of alternative service providers and the costs and resources required to switch providers?
o Has the credit union determined sufficient staff expertise?
o Has the credit union evaluated the cost of monitoring and providing support to the third party program (i.e. staffing, cost, etc.)?
o Does the credit union’s strategic plan include achievable goals and defined levels of authority related to the third party?
Due Diligence – Background Check
o Did the credit union consider the third party’s experience in providing the service?
o Did the credit union request and confirm referrals?
o Did the credit union review and consider any lawsuits or legal proceedings involving the third party or its principals?
o Did the credit union confirm current licenses or certifications?
Due Diligence – Business Model
o Does the credit union understand the third party’s business model?
o Has the possibility of conflict of interest been assessed?
Due Diligence – Cash Flow/Accounting
o Does the credit union have an adequate accounting infrastructure to track, identify, and classify transactions in line with GAAP?
Due Diligence – Financial and Operational
o Has the credit union analyzed the third party’s most recent audited financial statements and annual report?
o Has the credit union evaluated other sources such as rating organizations and SOC reports?
Due Diligence – Contract Issues
o Does the contract address the following areas:
  • Scope of the arrangement, services offered, and activities authorized;
  • Responsibilities of all parties (including subcontractor oversight);
  • Service level agreements addressing performance standards and measures;
  • Performance reports and frequency of reporting;
  • Penalties for lack of performance;
  • Ownership, control, maintenance and access to financial and operating records;
  • Ownership of servicing rights;
  • Audit rights and requirements (including responsibility for payment);
  • Data security and member confidentiality (including testing and audit);
  • Business resumption or contingency planning;
  • Evidence of current insurance coverage;
  • Member complaints and member service;
  • Compliance with regulatory requirements (Privacy, BSA, “Red Flag”, etc.);
  • Dispute resolution; and
  • Default, termination and escape clauses.
o Did the credit union determine the need for, and obtain, an independent legal opinion?
o Did the credit union ensure the third party is compliant with applicable laws (i.e. Reg. B, Reg. Z, HMDA, etc.)?
APPENDIX F: MEASURE, MONITOR AND CONTROL
Name of Third Party Provider:
Product or Service:
Date:
(Columns: Risk Measurement | Yes | Partially complete | No, in progress | No | Not relevant | Risk rating)
o Are reports prepared on a monthly basis adequately reflecting the amount of activity with the third party?
o Are reports providing sufficient information to properly monitor the activities?
o Is the board of directors provided with a Third Party Performance Review periodically?
o If the third party originates member transactions, does the credit union verify the transactions with the member?
o If the third party services member accounts, does the credit union receive periodic reports on the activity?
o Are all third party reports received reviewed in a timely manner?
o Do reports contain sufficient information to determine how the portfolio is performing?
o Is the accuracy of the reports verified against credit union records?
o Does the credit union monitor changes in key staff assigned to oversee third parties?
o If the third party services loans, is the credit union verifying that member payments are remitted to the credit union as agreed?
o Is there a system established to follow up on any deficiencies noted in the third party audits?
o Does the credit union review reports for suspicious activity?
o Does the credit union have appropriate internal controls in place to ensure staff is following third party policy guidance?
o Is the credit union periodically evaluating the provider’s ability to support and enhance the credit union’s strategic goals?
o Does the credit union document and follow up on any problem in service?
o Is adequate staff training provided?
o Is the credit union participating in user groups?
o Are invoices reviewed to ensure proper charges?
DATE
NAME
COMPANY
ADDRESS
ADDRESS
CITY, STATE ZIP
DEAR
In compliance with credit union regulation, we are performing an annual due diligence review of our key service
providers. In order to complete this process, we need a copy of NAME OF SERVICE PROVIDER Disaster Continuity
Plan, current financials, and SOC Report. If you do not have a SOC Report, then please provide the most recent
audit report of Information Systems and Technology security measures and testing.
Please email the documents to me at YOUR EMAIL ADDRESS. Hard copy documents are also acceptable, and can be
sent to:
NAME OF CREDIT UNION
ATTENTION: YOUR NAME
ADDRESS
ADDRESS
CITY, STATE ZIP
If you have any questions please feel free to contact me at YOUR PHONE.
Sincerely,
YOUR NAME, POSITION
Obtained from Credit Union National Association