Today s Topics. MCUL Fall Leadership Development Conference. Evaluating Third-Party Relationships. Evaluating Third-Party Relationships

Transcription

1 MCUL Fall Leadership Development Conference Grand Traverse Resort September 21, Third Party Due Diligence - ( ) Michael J. DeFors MCUL Director of Regulatory Affairs Today s Topics A. Third-Party Due Diligence ( ) Part I Self Assessment Part II Due Diligence of the Third-Party Part III Risk Measurement, Monitoring and Control B. Third-Party Contracts - Issues and Concerns C. the Use of Mortgage Brokers and Correspondents 2 - Third-Party Due Diligence ( ) 3 What are we talking about? Situations where a business function or service has been outsourced. Partial control of the function (less risk) Total control of the function (more risk) Why outsource? Provide greater access to products/services through expanded delivery channels Offer more cost-effective products/services Manage programs requiring external expertise Regulators Understand and Support the Use of Third Parties 4 Regulator s Concern Inadequately managed and controlled third-party relationships can result in unanticipated costs, legal disputes, fraud, and worst of all, financial loss. Examples: Data processing services (Katrina) Indirect lending (Centrix) Most recent: use of mortgage brokers and/or correspondents Overall Objectives of Regulatory Guidance Protect the credit union and its members Protect the Share Insurance Fund 5 NCUA Letter to Credit Unions (No. 07-CU-13) Federally Insured Credit Unions Dec 2007 Subject: Third Party Relationships *Supervisory Letter (No ) attached to above Guidance to Examiners Gives Standard Framework for Evaluation Basis for most of today s presentation 6

2 Supervisory Letter (No ) Acknowledges importance of CU s using third parties. Stresses fiduciary responsibilities of board and management. Summarizes existing guidance and regulations. Discusses evaluation process of third-party relationships. Important: The Letter acknowledges the credit union s size, complexity and risk profile in assessing need for depth and breadth of due diligence management process required. 3 Part Process in Adequacy of a CU s Use and Oversight of Third Parties 1. Self-Risk Assessment and Planning for Third- Party Relationships 2. Due Diligence of the Third-Party 3. Risk Measurement - Monitoring - Control Note: Be ready to discuss with examiners and show documentation of assessment and decision-making process. 7 8 Part 1 Self-Risk Assessment and Planning 1. Self-Risk Assessment and Planning Q Does third-party relationship complement the overall mission and philosophy p of the CU? Q How does it relate to strategic plan (including CU s long term goals, objectives and resource allocation decisions)? Q Is there a business plan for the relationship that supports the strategic plan? 9 10 Q Does the CU clearly understand the risks and benefits of outsourcing compared to the risks and benefits of maintaining it in-house? What are the CU s strengths and weaknesses in relation to the arrangement under consideration? (Strategic Plan Available?) What internal changes will be required to safely and soundly participate? Has CU assessed the impact on the seven major risks to earnings or capital associated with the typical risk-based examination? Market Related Risks: Credit - failure of a borrower to meet loan terms Interest Rate adverse effect due to changes in market interest rates Liquidity failure of the CU to meet its obligations 11 12

3 Institution Related Risks: Transaction arising from fraud or error resulting in CU s inability to deliver services, maintain a competitive position, and manage information Compliance arising from legal/regulatory violations, internal policies or procedures or ethical standards Strategic arising from adverse business decisions, improper implementation of decisions or lack of responsiveness to industry changes Reputation arising from negative public opinion or perception Other Specific Areas to Assess: Expectations of the Outsourced Functions Define nature and scope of the CU s needs; which needs will the third-party meet; to what extent will the third-party be responsible for desired results? CU Staff Expertise Does CU have staff qualified to manage and monitor the relationship? How much reliance on the third-party is needed? Other Specific Areas: Criticality How important is the activity proposed to be outsourced; is the activity mission-critical; are there other alternatives? Less risky options? Risk/Reward or Cost/Benefit Relationship Does the potential benefit of the relationship outweigh the potential risks or costs? Other Specific Areas: Insurance Needs Will the arrangement create potential liabilities? Is current coverage adequate; Does the third-party carry key man insurance to protect the CU? When might this be necessary? Impact on CU s Membership Member reaction assessed; member expectations assessed? Other Specific Areas: Exit Strategy Is there a reasonable way out of the relationship if it becomes necessary to change course? (Contractual provision) How complicated can it get? If the answer is yes, to an exit strategy, is there a plan B to step in (at least for critical services)? How complicated could that be? 17 Financial Projections for the CU Know expected and possible financial outcomes. What is the return on investment: expected revenues, direct costs and indirect costs. Are your numbers reasonable in light of historical performance, assumptions, business plan objectives, and complexity of the CU s risk profile? 18

4 Part 2 Due Diligence of the Third Party Goal: Know who you are dealing with Purpose: helps CU decide whether and how to proceed in terms of needed controls to mitigate identified risks. Note: Due diligence effort should be tailored to the complexity of the relationship. May consist of alternative procedures to accomplish acceptable risk mitigation Elements of Due Diligence of the Third Party Background Checks Check usual sources re reputation (e.g. Better Business Bureau) Ask for and check references Ask about lawsuits against the company or its principals/partners (if licensed professionals) Required licenses or certifications current? And will be for the duration of the relationship? Elements of Due Diligence Background Checks cont. Third Party s Experience with the Product Good reputation overall? Is the product a new one for the third party will reputation support follow? Key Staff Qualifications, competence and training for the new product trust but verify Elements of Due Diligence Evaluate Third Party s Business Model CU should thoroughly understand the third party s business model. Conceptual architectural and business logic employed by the third party to provide services. Is it viable through various kinds of economic cycles, changes in technology, and for the duration of the relationship? Are business and marketing plans available to view? 23 Evaluate Third Party s Business Model cont. Can CU explain the role of the third party and any processes for which it is responsible? CU should understand the third party s sources of income and expense, any conflicts of interest with the third party. Identify any vendor-related affiliates, subsidiaries or subcontractors. Can identified conflicts of interest be mitigated? 24

5 Assess Cash Flows for This Product/Service Very important! How does the cash move between all the parties in the proposed third-party relationship? Can CU verify the movement and match them to related individual accounts? Is the CU able to track and identify cash flows accurately? Financial and Operational Control Review Financial strength of the third party and closely related affiliates. Demonstrates ability to fulfill the obligation with the CU Review of financial statements and off-balance sheet liabilities. From nationally recognized statistical rating organizations (NRSRO) Understand internal controls of the third party. SAS 70 (Type II) reports (if available) Independent review of internal controls Contract Issues and Legal Review Careful review of the contract and understand the legal issues relevant to the third-party relationship. Qualified external legal counsel to review prospective third-party arrangements and contracts. Legal review must be independent and the reviewer must have necessary experience. Contract terms may not adversely impair CU s safety and soundness. Legal Opinion re the Services Provided by the Third-Party Legal review of methods third-party uses. Issue: assessment re compliance with state and federal law. Contract should bind third-party to adhere to legal and regulatory requirements Accounting Considerations Accounting complexities may result from third- party relationships. CU should understand the accounting implications. CUs must have adequate accounting infrastructures in place to ensure compliance with Generally Accepted Accounting Principles (GAAP). CU s audit scope should contemplate independent review for third-party arrangements and activities. Part 3 Risk Measurement, Monitoring and Control of 29 30

6 Generally Third-party arrangements and credit union risk profiles will vary. Risk mitigation strategies should be tailored to the nature of the programs, the materiality of the risks identified, and the CU s overall complexity. Q - Are the CU s policies, risk measurement and monitoring adequate? CU Policies and Procedures Should be sufficient to outline expectations and limit risks from third-party arrangements. Outline staff responsibilities and authority. Define content and frequency of reporting to management and the board. Establish program limitations to control pace of growth and grow experience Risk Measurement and Monitoring Must be able to measure the risks of third- party programs as well as profitability, benefit and service delivery. To the extent that the CU relies on third parties to provide measurement information, clear controls should be contractually established subject to periodic, independent testing to ensure accuracy. Risk Measurement and Monitoring CU must have infrastructure sufficient to monitor the third-party performance. CU retains responsibility for the safety and soundness of third-party processes and functions. Examiners should ensure CU officials demonstrate the knowledge, skills, and abilities necessary to monitor and control third-party arrangement Control Systems and Reporting CU is responsible for implementing on-going controls over third-party arrangements to mitigate risk. Controls can be less elaborate for less complex arrangements. Must be assured the third-party is appropriately safeguarding member assets, producing reliable reports, and following the terms of the arrangement. 35 Control Systems and Reporting CU must have designated and qualified staff to monitor and oversee third-party arrangement, exhibiting familiarity and understanding of the reports. CU staff must be able to measure performance of the relationship in terms of the CU s policy, the contractual commitments, and service levels. CU staff must make periodic reports to management of all material third-party programs sufficient to assist management in evaluating performance and adequacy of reserves. 36

7 Summary and Conclusion: CU must have: Assessed third-party relationships in terms of its own mission, capabilities, needs, strategic plan and risk profile. Assessed the third-party itself. Put controls in place to mitigate any identified risks. Documented the process. B. Contract Issues and Concerns Contract Issues and Concerns Contract Issues and Legal Review Careful review of the contract and understand the legal issues relevant to the third-party relationship. Qualified external legal counsel to review prospective third-party arrangements and contracts. Legal review must be independent and the reviewer must have necessary experience. Contract terms may not adversely impair CU s safety and soundness. Contract Issues and Concerns Legal Contract with Third-Party A Checklist Describe the scope of the arrangement, services to be offered, and the activities authorized. Responsibilities of all parties (including any subcontractor oversight). Service level agreements and measures. Performance reports and frequency. Penalties for lack of performance Contract Issues and Concerns Contract Checklist cont. Contract Issues and Concerns Contract Checklist - final. Ownership, control, maintenance and access to financial and operating records. Ownership of servicing rights. Audit rights and requirements (including who pays). Data security and member confidentiality. Business resumption or contingency planning. Insurance provisions. Handling member complaints and member service. Compliance with regulatory requirements. Dispute resolution process. Contract default, termination and escape clauses

8 C. Mortgage Brokers Mortgage Brokers NCUA Letter to Credit Unions 08-CU-19 Federally Insured Credit Unions Issued August 2008 Mike Fryzel - New NCUA Board Chairman Re-emphasizes importance of proper due diligence over third-party relationships specifically as they relate to use of mortgage brokers and correspondents Mortgage Brokers Who are the Third Parties in this Letter? Mortgage Brokers: third parties that generally do not fund loans themselves, and work on behalf of the credit union or borrower. Correspondents: third parties that fund and close loans in their own name and then sell the loan to a credit union or other lender. Mortgage Brokers Background Over 50% of home loans are originated by mortgage brokers based on statistics from the National Mortgage Brokers Association. Brokers and correspondents are compensated based on loan origination volume, and therefore have incentive to produce and close as many loans as possible Mortgage Brokers Credit Unions thus are forewarned to conduct proper due diligence prior to entering into a relationship. Once the relationship is established, monitoring and controls must be in place. Remember: Credit union boards and management carry a fiduciary duty for deciding what is best for the credit union and its members and retain the responsibility for controlling the risk. 47 Mortgage Brokers NCUA Letter 08-CU-19 references the 2007 Letter. Steps/issues p/ prior to entering into the relationship: Background Check on the company and the key individuals involved in the transactions Complaints filed and required licenses in place. Past and current lawsuits. 48

9 Mortgage Brokers Issues Third-Party Business Practices (including potential conflicts of interest) Sound business model for long term operations? Who own or has a controlling interest over companies that provide related services appraisers, title companies, insurance companies? Financial Standing Overall condition, cash flow and willingness and ability to provide audited statements? 49 Mortgage Brokers Issues Accounting Considerations How does the cash flow between the parties? Can these be independently verified? What are the sources of cash? Is GAAP being followed? Internal Controls What are their controls to prevent fraud and abuse, and to ensure compliance with consumer laws? 50 Mortgage Brokers Legal Issues Major Contract Clauses (briefly) Is the CU adequately protected? Default, termination and escape clauses? Best efforts to respond to borrower needs, objectives and financial condition? Right of CU to reject or return loans not in compliance with CU standards? Has your lawyer reviewed the contract? Mortgage Brokers Issues with Potential Problems: Third-party operating in its own best interest. Loan regulation violations: Consumer regulations, excessive fees and yield spread premiums; prepayment provisions. Use of predatory loan provisions. Use of stated income without further verification. Third-party has control over the appraisal process. Third-party tries to limit its own liability Mortgage Brokers Issues with Potential Problems Financial strength of the third-party over the long term and ability to support claims that may arise. Closed loan documents that do not reflect oral or written side agreements. Product volume may exceed third-party s or CU s ability to handle. Funding commitments that may have to be honored despite developing concerns with the third-party. Mortgage Brokers Ongoing Risk Management Issues Using a third-party means giving up direct control. Thus compensating controls need to be implemented over the life of the contract based on the level of risks assessed

10 Mortgage Brokers Risk Management when Dealing with Mortgage Brokers Adhering to board established policies and risk parameters. Loan sampling to test adherence to CU s standards. Targeted loan reviews for special situations (e.g. increasing loan defaults, foreclosure rates, complaints and higher than average fees charged to borrowers). Mortgage Brokers Adhering to board established policies and risk parameters. Loan approval authority, when using a broker, is not delegated to the broker, and that all underwriting criteria and subsequent modifications are approved by the credit union. Broker and correspondent reports to the CU should be accurate, timely and contain sufficient detail to allow the credit union to adequately monitor activity Mortgage Brokers Corrective Action If the credit union discovers violations of its contract, loan quality and documentation standards, provisions of its policies and other expectations of the third-party duly negotiated with and understood by the thirdparty, it must take appropriate action. Modify the contract. Terminate the relationship. Mortgage Brokers Conclusion It is up to the Board and senior management to control the risks associated with using a third-party t broker or correspondent; Board established policies and procedures should be established to fit the product with risk tolerances levels based on management analysis, established regulatory thresholds, and sound business rationale; Mortgage Brokers Loan growth should be slow and controlled, activity should be within reasonable risk thresholds, and building a concentration in a particular loan type and/or in an unfamiliar geographic area should be avoided; Broker and correspondent relationships need to receive ongoing due diligence commensurate with the risk and complexity of those activities regardless of whether the third-party has a credit union affiliation, such as being part of a CUSO. Thank You Good Luck in Dealing with Your

11 MCUL Fall Leadership Development Conference Grand Traverse Resort September 21, 2008 Third Party Relationships Michael J. DeFors MCUL Director of Regulatory Affairs 61