Credit Union Legal Update – Winter 2008
Warnings Regarding Third-Party Vendor Relationships
In 2007, NCUA focused much of its attention on compliance with the Bank Secrecy Act. In 2008, we expect the ‘hot’ topic, or the subject that will have the sizzle, to be the careful and the proper evaluation of third-party vendor relationships. On December 27, 2007, NCUA issued and sent to the Boards of Directors of all federally-insured credit unions a notice that accompanied a prior supervisory letter (07-CU-13). In the notice, NCUA stressed that its role is not to impede third-party vendor relationships, but instead to help ensure credit unions understand the risks that are presented and make careful evaluations. According to NCUA, third-party vendor relationships provide critical access to products and services by expanding delivery channels, offering cost-effective products and services, and managing programs that require external expertise. However, all federally-insured credit unions will be held accountable or responsible for conducting a thorough risk assessment, due diligence, and monitoring of third-party vendor relationships.
Supervisory Letter 07-01 provided detailed guidance encouraging credit unions to address at least the following: risk assessment and planning, due diligence, risk measurement, and monitoring and control. The evaluation of new and current vendors includes different components. At a minimum, a due diligence review should take into account the critical nature of the service, the level of expertise exhibited by the vendor, staffing changes, economic and regulatory changes, and risk mitigation and strategies associated with a vendor oversight. Legal review and/or a legal opinion is strongly encouraged. It is clear that upcoming examinations will be focused on third-party vendor relationships and adherence to the NCUA guidelines. The detailed 9-page Supervisory Letter is accompanied by 2 appendices. Rarely does a week pass without this author being asked to review a legal contract on behalf of a credit union.
This brief article provides only an executive summary of the due diligence required for contract issues and legal review. Typically, at a minimum, third-party vendor contracts should address at least the following:
- Scope of arrangement, services offered, and activities authorized
- Responsibilities of all parties (including subcontractor oversight)
- Service level agreements addressing performance standards and measures
- Performance reports and frequency of reporting
- Penalties for lack of performance
- Ownership, control, maintenance and access to financial and operating records
- Ownership of servicing rights
- Audit rights and requirements (including responsibility for payment)
- Data security and member confidentiality (including testing and audit)
- Business resumption or contingency planning
- Member complaints and member service
- Compliance with regulatory requirements
- Dispute resolution
- Default, termination, and escape clauses
NCUA noted that, in many cases, early termination, escape clauses and default terms are negotiable, notwithstanding the objections of a third-party vendor and that in addition to a legal review of contracts and written agreements, it may be prudent for credit unions to obtain a legal opinion about any services provided by a third party. A copy of this supervisory letter can be downloaded by clicking here.
Confidentiality of Suspicious Activity Reports (SARs)
All credit unions are very familiar with the Bank Secrecy Act (‘BSA’) and its implementing regulations. They are especially cognizant of the requirement to file Suspicious Activity Reports (SARs).
SARs typically include the names of individuals or entities conducting the suspicious transactions, a description of the transaction, and the fact that the credit union suspects, or has reason to suspect, that infractions may have occurred.
SARs are a potential treasure trove for plaintiffs and their attorneys who may be fishing for new evidence or looking to exploit a credit unions vulnerable spots in civil litigation. This is particularly true now, in an environment in which credit unions tend to err on the side of reporting, rather than ignoring, marginal activity.
Previously, the courts maintained a position that SARs are confidential and are privileged from disclosure under the BSA and its implementing regulations. However, a recent Fifth Circuit decision concluded that the OCC was required to apply a balancing test when reviewing a request for the release of SARs.
In light of these developments, this may be an opportune time for credit unions to revisit steps that can be taken to enhance the likelihood that SARs and related materials are shielded from disclosure in civil litigation. At a minimum, a credit union should ensure that all documents it produces regarding SARs are explicitly labeled ‘Privileged and Confidential %u2013 SAR Preparation.’ There should also be a review of internal policies and procedures. The policies could include, for example, details for initiating, drafting and filing a SAR, including the labeling and segregating of SAR material.
In summary, the disclosure of the information in a SAR might become more of a reality in the future, so all credit unions are encouraged to discuss this matter with their counsel and their examiners.
NCUA Examination of Bylaws
NCUA recently adopted a final rule which reincorporates the federal credit union’s bylaws by reference into the NCUA Rules and Regulations. The final rule became effective November 30, 2007, and provides NCUA with the option to use various administrative actions in response to alleged bylaw violations.
In a recent supervisory letter sent to all NCUA examiners, NCUA instructed their examiners not to inquire about a federal credit unions bylaws unless the subject is raised by the management of a federal credit union. Furthermore, examiners were requested not to investigate any disputes that pertain to bylaws or bylaw interpretations unless specifically asked to do so by the regional director or designee.
Federal credit unions are reminded that they should strive to resolve bylaw disputes with their members internally. One means of addressing disputes is by and through a supervisory committee review. If a federal credit union cannot resolve bylaw issues internally, they can seek the assistance of the appropriate NCUA regional office. Credit union members can continue to seek enforcement through the courts, but they are not required to do so. Notification to NCUA of the dispute would now seem to be sufficient.
Loyalty Seen as the Key to Profitability
The Brookside Group, a loyalty consulting firm, recently published a report that concluded member loyalty is the key to future financial stability. A credit union cannot only have the best rates or incentives, it must maintain its member loyalty. A truly loyal member will have a longer-term impact on the credit unions bottom line and help keep revenues steady and predictable. Research conducted over the past 20 years at Harvard University has determined that loyalty versus transactional relationships leads to a 30% increase in profitability.
There are six factors that create and influence loyalty:
- Competency- The credit union must be able to provide the services it promotes effectively and consistently.
- Integrity- The credit union must be seen as honest and fair.
- Proactivity- The credit union needs to anticipate their members needs and present offerings based on member knowledge.
- Recognition- The credit union needs to treat members as individuals.
- Savvy- The credit union must understand and respond to the challenges members face and communicate measures to alleviate insecurities.
- Chemistry- The credit union must provide an interface so that members enjoy working with them
Remember that member ‘satisfaction’ is not the same as member ‘loyalty.’ Satisfaction can be transient, whereas loyalty endures.
Business Tutorial for Protecting Personal Information
The Federal Trade Commission has recently released a new online tutorial to help educate businesses in a practical and economical way to secure data. The tutorial, intended as a plain-language, interactive approach to the security of sensitive information, explains each of the basic principles of information security. It also includes a checklist of steps to improve data security. The Federal Trade Commission encourages all businesses, including credit unions, to educate their employees who handle personal information such as social security numbers, credit card numbers, financial account numbers and other sensitive personal information.
The tutorial, ‘Protecting Personal Information: A Guide for Business,’ is available on the FTCs website.
A Members Petition to Inspect Credit Union Books, Records and Minutes
NCUA recently adopted a new rule that significantly expands the ability of federal credit union members to inspect a federal credit unions books, records and minutes.
The new rule allows a group of members to petition a federal credit union to inspect and copy non-confidential portions of the credit unions books, records and minutes. This includes: accounting information; minutes of meetings of the Board of Directors; and minutes of committee meetings. This inspection right exists upon petition of a minimum of 20 members to a maximum of 500 members (so long as they have been members for at least six months). Federal credit unions should be cognizant of this new rule. Although the rights of those petitioning members are protected, there are potential pitfalls to a credit union including potential invasion of member privacy, or interference with business relationships with vendors or other credit unions.
All credit unions should inspect their books, records, policies and procedures, including their charters and bylaws, to ensure that all documents are up-to-date, state-of-the-art and can withstand public scrutiny. Some documents should be carefully identified as confidential. Legal counsel should be consulted before a petition to inspect the credit unions books, records and minutes is received by the credit union.
The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances.
The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2019.