Vendor Due Diligence Workshop


Sample from vendor due diligence workshop presentation


  1. 1. Vendor Due Diligence Collaboration Workshop. Know Thy Vendor – Due Diligence Essentials
  2. 2. Valerie Edgington, CUCE, BSACS
  3. 3. NCUA Rules & Regulations: 701: Third-Party Servicing of Indirect Vehicle Loans; 704: Corporate Credit Unions; 717: Fair Credit Reporting Act; FACT Act; 723: Member Business Lending; 741: Third-Party Servicing of Indirect Vehicles; 748: Security Program
  4. 4. NCUA Letters to Credit Unions: 98-CU-11: Information System Vendor Reviews; 99-CU-05: Risk-Based Lending; 01-CU-20: Due Diligence over Third Party Service Providers; 02-CU-13: Vendor Information Systems & Technology Reviews; 03-CU-08: Weblinking Relationships; 04-CU-04: Investment Safekeeping Due Diligence; 04-CU-13: Specialized/Subprime Lending Activities; 06-CU-16: Interagency Guidance on Non-Traditional Mortgage Products; 07-CU-01: Evaluating Third-Party Relationships; 08-CU-19: Third Party Relationships: Mortgage Brokers/Correspondents
  5. 5. Due Diligence: What & Why?
  6. 6. What is “Due Diligence”? Due Diligence: “The systematic, on-going process of analyzing and evaluating new strategies, programs, products, or operations to prepare for and mitigate unnecessary risks.” – NCUA
  7. 7. Purpose: Know thy vendor. Helps credit union decide whether and how to proceed in terms of necessary controls to mitigate identified risks.
  8. 8. Applicability: All Vendor Relationships, but efforts should be tailored to the complexity of each relationship.
  9. 9. Critical Vendor Relationships: Involves new financial services or activities. Materially affects revenues or expenses. Poses risks to or affects the credit union’s reputation. Involves critical functions of the credit union. Involves access, storing or transmitting sensitive member information. Involves marketing of credit union products and services by a third party. Involves subprime lending or indirect lending. Involves plastic card processing/card payment transactions. Poses risks that significantly affect earnings or capital.
  10. 10. Know Thy Vendor. Challenge: Turning vendors into reliable strategic partners. The relationship between Too Trusting CU and WIIFM Inc. quickly deteriorated… “Don’t worry, they used our standard contract!” “Uh oh…we used their standard contract.”
  11. 11. Know Thy Vendor. It’s kind of like a marriage… “Can two walk together, except they agree?” Document the credit union’s understanding and all expectations with the vendor in writing.
  12. 12. Know Thy Vendor. It’s kind of like a marriage… “In sickness and in health, to love and to cherish, till death do us part.” Beware long term outsourcing agreements. Once signed, it can be very expensive to terminate.
  13. 13. Know Thy Vendor. It’s kind of like a marriage… “In an ideal marriage one partner is blind and the other is deaf.” No one is perfect. Seldom is only one party (e.g., the vendor) always at fault. Control weaknesses contribute to poor vendor relations.
  14. 14. Due Diligence: “Minimum Contract Coverage”. Contract Issues and Concerns
  15. 15. Minimum Contract Coverage. Typically, at a minimum, third-party vendor contracts should address at least the following: Scope of arrangement, services offered, and activities authorized; Responsibilities of all parties (including subcontractor oversight); Service level agreements addressing performance standards and measures; Performance reports and frequency of reporting; Penalties for lack of performance
  16. 16. Minimum Contract Coverage. Typically, at a minimum, third-party vendor contracts should address at least the following: Audit rights and requirements (including responsibility for payment); Data security and member confidentiality (including testing and audit); Ownership, control, maintenance and access to financial and operating records; Ownership of servicing rights
  17. 17. Minimum Contract Coverage. Typically, at a minimum, third-party vendor contracts should address at least the following: Business resumption or contingency planning; Insurance; Member complaints and member service; Dispute resolution; Default, termination, and escape clauses
  18. 18. Due Diligence: Background Checks
  19. 19. Request for Proposal: Materials for first round of vendor evaluations; Validates vendor interest; Outlines the contract/service requirements of the credit union; Requests information from vendor; Business requirements; Vendor profile; Vendor employee information; Vendor methodology; Vendor infrastructure; Addendum to contract
  20. 20. Background Checks: Business Entity Information. Corporate ownership, structure, background; What type of entity are they?; How long have they been in business/offering service?; Lawsuits or legal proceedings; Articles of Incorporation/Organization; Authorized to do business in Ohio?; Who are the principals of the business?; Social Security Number; Identification verification; Organizational Chart; Government watch lists
  21. 21. Background Checks: Business Entity Information. Financial history and current condition; Request current financial statements; Statement of Income; Notes to Financials; Securities and Exchange Commission filings (public entity); Dun & Bradstreet credit report; Bankruptcy and judgment history; Audited financial statements; Unaudited financial statements; Vendor’s “market share information”
  22. 22. Background Checks: Business Entity Information. Business model and practices; Longevity, adaptability, and viability through various economic cycles, changes in technology; Business and marketing plans; Required licenses and certifications; Ability to perform proposed functions; Use of related affiliates, subsidiaries and subcontractors; Knowledge of relevant consumer protection and civil rights laws and regulations.
  23. 23. Background Checks: Business Entity Information. Scope and effectiveness of business’ operations and controls; Review SAS 70 audit reports; Adequate/experienced staff; Security policy and data handling practices; Testing plan/results; Privacy Policy; Disaster Recovery/Business Continuity; Customer Service Standards; Hiring/screening practices; Insurance coverage
  24. 24. Background Checks: Business Entity Information. Reputation and Relevant Experience; Performance with past clients; Verification of experience/qualifications; Reputation within industry; Reputation & relevant experience; Limited experience: Qualifications; Competence
  25. 25. Due Diligence: Mortgage Brokers and Correspondents
  26. 26. Mortgage Brokers and Correspondents. NCUA Letter to Credit Union 08-CU-19; Federally insured credit unions; Issued August 2008; Re-emphasizes importance of proper due diligence over third-party relationships specifically as they relate to use of mortgage brokers and correspondents.
  27. 27. Mortgage Brokers and Correspondents. Who are the Third Parties in this Letter? Mortgage Brokers: Third parties that generally do not fund loans themselves, and work on behalf of the credit union or borrower. Correspondents: Third parties that fund and close loans in their own name and then sell the loan to a credit union or other lender.
  28. 28. Mortgage Brokers and Correspondents. Background: Over 50% of home loans originated by mortgage brokers; Compensation based on loan origination volume; Strong incentive to produce and close as many loans as possible.
  29. 29. Mortgage Brokers and Correspondents. Special Issues and Concerns: Third party operating in its own best interest. Beware of loan regulation violations. Third party has control over the appraisal process. Third party tries to limit its own liability.
  30. 30. Mortgage Brokers and Correspondents. Special Issues and Concerns: Is the credit union adequately protected? Financial strength of the third-party over long term and ability to support claims that may arise. Product volume may exceed third party’s or credit union’s ability to handle. Funding commitments that may have to be honored despite developing concerns with the third party.
  31. 31. Mortgage Brokers and Correspondents. What is Required? Proper due diligence; Risk management; Loan sampling; Targeted loan reviews; Loan approval authority; Underwriting criteria and subsequent modification approved by credit union; Broker & correspondent reports to credit union; Corrective Action
  32. 32. Due Diligence: Key Contract Provisions
  33. 33. Key Contract Provisions. Description of Services; Boilerplate provisions vs. adequate detail of service and functions; Critical for enforcing performance warranty problems; Clear, concise language; Performance Standards; Functional specifications; Uptime operability vs. downtime; Maintenance responsibilities
  34. 34. Key Contract Provisions. Warranties; Performance Warranty; Performance vs. promise; Ownership Warranty; Ownership of software/license; Piracy infringement claims; Compliance Warranty; Satisfy federal and state compliance requirements; Credit union and consumer regulation
  35. 35. Key Contract Provisions. Liability & Indemnity; SP liability/responsibility; Breach of warranties; negligent acts; Damage limitation provisions; Beware “sole remedy” provisions; Data Access; Raw data vs. member transaction information; Storage; Transfer; Data destruction; confidentiality
  36. 36. Key Contract Provisions. Security; Non-negotiable; Safeguarding member information; Credit union indemnification; Confidentiality/Privacy; Confidentiality agreement mandated; Employees, contractors, subcontractors, affiliates; Use only as per agreement; Written consent of credit union; Notification of actual or suspected breach
  37. 37. Key Contract Provisions. Term; Identifiable beginning and end; Renewal terms; Price & Payments; Timing; Holdbacks/refund provisions; Defined milestones; Development/Set-up fees
  38. 38. Key Contract Provisions. Termination; Grounds and procedures for termination; Mutual termination rights; Termination fees; liquidated damages; Jurisdiction & Governing Law; Venue; Jurisdiction; Arbitration & Attorney Fees; Non-exclusive location; Attorney fees to prevailing party
  39. 39. Due Diligence: Red Flags
  40. 40. Red Flags: “No contract changes.” Contracts where the vendor can change terms unilaterally or fees without credit union consent. Contract references a document the credit union does not have or a third party document the credit union has not reviewed. You can’t get the information you requested. The information provided is outdated or incomplete. The information provided or answers to questions are vague. Lack of express warranty by the vendor that the software/service will perform in accordance with the functional specifications or service description.
  41. 41. Red Flags: Limited time warranties for software in a range of 60 to 90 days are suspect and not industry standard. Blanket provision allowing the vendor to disclose data “as permitted by law.” This is a particularly low standard of protection. There is no single point-of-contact for information security. Field personnel do not have encrypted devices. Information gathered is not secure. The vendor has no disaster recovery plan. The vendor outsources the processing of data.
  42. 42. Red Flags: Vendor refuses to disclose its financial statements. Vendor liability and indemnification provisions are limited in scope to personal injury or property damages. Provisions that permit the vendor to disclaim liability. Contracts that are automatically renewable. Contracts that provide termination fees or liquidated damages for a voluntary breach should be carefully reviewed by an attorney for fairness. The information provided applies only to the parent company – is not really specific to the service the company would provide to your credit union. Any agreement that carries an initial term of five years or greater.
  43. 43. Resources: NCUA; CUNA http://www cuna org/initiatives/due diligence html _Task_Force_Third-Party_Vendor_Management_Guide.pdf
  44. 44. Resources: Valerie Edgington, CUCE, BSACS; 614-226-7227