CORPORATE CREDIT UNION GUIDANCE LETTER

No. 2000-04

DATE: October 24, 2000


SUBJ: Third-Party Risk


TO: The Corporate Credit Union Addressed:

The Office of the Comptroller of the Currency (OCC) issued a letter on third-party risk, dated August 29, 2000. The information in the OCC letter is applicable to all financial institutions. This Guidance Letter will highlight a number of issues raised by OCC. However, corporate credit union staff are encouraged to review the entire OCC document, which can be obtained on the OCC’s Website: www.occ.treas.gov.

There are a number of ways in which third-parties (e.g., vendors, brokers, dealers, and agents) can provide valuable assistance to corporate credit unions in meeting their members’ needs. A third-party may be able to facilitate the offering of a specific product or service in a more cost-effective or timely manner than the corporate could do on its own. The third-party may possess staff expertise or operational infrastructure that would not be feasible for an individual corporate to maintain. Utilizing a third-party to provide a product or service may be a very prudent business decision. However, use of a third-party does not negate the requirement for corporate credit union management to maintain adequate control of the associated risks.

Before entering into a new product or service, it is expected that management would initiate an appropriate level of preplanning. Likewise, before entering into an arrangement with a third-party to provide a product or service, management should undergo a similar preplanning process. The officials cannot rely solely on the representations and assertions of the third-party.

Due Diligence

Before entering into any material contractual arrangement with a third-party, it is critical that a due diligence review be performed. At a minimum, the due diligence review should include:

  1. Analysis of the entity’s business reputation, internal controls, and financial condition;
  2. Qualifications and background of the company’s key personnel;
  3. Determination of the corporate’s and the third-party’s specific responsibilities; and
  4. Review of all pertinent documents by the corporate credit union’s legal counsel.

Performance Monitoring

To ensure that an arrangement with a third-party is providing the corporate with the expected benefits, management must dedicate sufficient resources to monitor the third-party’s performance on a regular and ongoing basis. At a minimum, the performance monitoring should include:

  1. Determination that the product or service is being delivered pursuant to the agreement;
  2. Analysis of the overall relationship costs;
  3. Review of the third-party’s financial condition and independent audit reports;
  4. Performing periodic on-site quality assurance reviews;
  5. Testing third-party risk management controls; and
  6. Ensuring compliance with applicable laws and regulations.


Documentation

A key factor to a successful partnership with a third-party service provider is to fully document all aspects of the relationship. If deficiencies in the delivery of products or services are documented, the third-party is more apt to address them in a timely and efficient manner. If there is a deterioration of the financial or operational condition of the third-party, or if there is a lack of compliance with the conditions of the agreement or applicable laws or regulations, appropriate documentation may assist in correcting the concerns, limiting the impact on the corporate, or voiding the contract. At a minimum, the following documentation should be maintained:

  1. A list of all third-party vendors utilized by the corporate;
  2. Business plans that identify the decision process in selecting a specific third-party;
  3. Current contracts with third-parties that detail the responsibilities of each entity;
  4. Risk management reports received from the third-party; and
  5. Regular reports provided to the board of directors on the ongoing performance monitoring.

The use of third-parties by corporate credit unions to provide products and services will likely continue to grow in frequency and importance as products and services continue to grow in complexity and sophistication. Officials must remain cognizant of the associated risks. Further, appropriate action must be taken to control and mitigate those risks to ensure the corporate’s ongoing safety and soundness. A corporate credit union may expose itself to financial loss if it allows too much control of the business relationship to be placed in the hands of a third-party.

If you have any questions, please contact this office at (703) 518-6640.


Sincerely,

Robert F. Schafer
Director
Office of Corporate Credit Unions

OCCU/DAS:ds


cc: State Supervisory Authorities
NASCUS
NAFCU
ACCU


bcc: Reading File
Regional Directors
All OCCU Staff
Office of General Counsel
