Due Diligence and CUSO Relationships

There was a day when credit unions relied on internal staff to perform most of their member services and backroom operations. This “internal model” has evolved into a “blended model,” where many functions are outsourced to third-party service providers, often to credit union service organizations (CUSOs).

The National Credit Union Administration (NCUA) announced last year that it would be stepping up its examination of credit union oversight of service provider relationships. In December 2007 it published Letter to Credit Unions No. 07-CU-13, which shared with credit unions the guidance the agency had given to its examiners on how to assess whether a credit union is adequately evaluating and monitoring its third-party relationships. And in April 2008, NCUA publicly released, in Letter to Credit Unions No. 08-CU-09, its new examiner questionnaire, which addresses what it considers the three elements of an effective program: risk assessment and planning; effective due diligence; and risk measurement, monitoring, and control.

While credit unions may have very close relationships with the CUSOs they invest in and do business with, NCUA has made clear that credit unions must do appropriate due diligence reviews and monitor the performance of the CUSOs with whom they partner. What is the appropriate level of due diligence involving an organization that is controlled by credit unions and dedicated to serving credit union clients?

Risk assessment, planning and “criticality”

Determining the level of necessary due diligence starts by assessing the “criticality” of the service to the credit union. What does “criticality” mean in practice? I recommend dividing the services provided by third parties, including by CUSOs, into: Highly Critical; Critical; and Non-Critical.

  • Highly critical services are services (a) that support a core service of the credit union, and (b) whose failure would cause an immediate and significant member service issue and/or safety and soundness issue for the credit union. An obvious example of a highly critical service is the credit union’s core data processing system.


  • Critical services are services (a) that support a core service of the credit union, and (b) for which the impact of failure is mitigated by the fact that the credit union has alternative service options that would prevent a significant and immediate member service issue or safety and soundness issue. An example of a critical service might be mortgage lending services that are being provided through the assistance of a CUSO, but if the CUSO fails, the credit union has the internal resources to continue to provide the service until the credit union finds a more permanent solution.


  • Non-critical services are those (a) that do not support a core service of the credit union, and (b) whose failure would not cause a member service issue or a safety and soundness issue for the credit union, such as the janitorial service for the branches.

Effective due diligence

The basic purpose of doing due diligence is to determine that the third party arrangement is a fair deal and good value for the credit union. The credit union will have to do some research on the costs of providing the services internally and the costs charged by a CUSO or other service providers for a similar level of service.

Examiners will expect the appropriate levels of scrutiny of the CUSO’s experience, business model, cash flows, and financials. If the CUSO has been providing a service to the credit union for a number of years, that should typically reduce the level of due diligence review warranted, even for a highly critical service.

Although some credit unions may use the request-for-proposal process as a due diligence tool for critical services, remember that due diligence is an expense both for the credit union and the vendor, so make sure the information sought is truly relevant to answering these three key questions: What experience does the CUSO and/or its key people have in delivering the services promised? Is the business plan realistic and achievable? And do the financial statements provide reasonable assurance that the CUSO can fulfill the agreement? An important due diligence step is to speak to both current credit union clients and credit unions that are no longer clients of that CUSO.

How to evaluate “start-up” CUSOs

It is not unusual for a CUSO to be a start-up operation, but that shouldn’t disqualify the CUSO from being considered. In a start-up situation, a thorough analysis of the business plan and staff experience, both key due diligence steps, can be an excellent predictor of the success of the CUSO.

For example, several credit unions in Washington, D.C. were not happy with the business continuity services being offered in the marketplace. If there was an anthrax scare or severe weather that displaced a credit union from its offices, the services available in the marketplace did not guarantee that the credit unions would have a place to operate from remotely. The credit unions decided they needed a more secure business continuity solution and formed a CUSO called Ongoing Operations, LLC.

Under any due diligence analysis, there was risk with investing and using a new company for this highly critical service. However, the credit unions determined that the staff involved was well qualified and the business plan was achievable. Today Ongoing Operations, LLC has three state-of-the-art business continuity centers in Maryland, Oregon and Colorado that are serving a rapidly growing nation-wide credit union client base.

How the CUSO agreement can control risks

The contract formation stage is the time to identify and manage the risks of the CUSO relationship. The CUSO has the obligation to disclose all fees and expenses and how income is disbursed. The credit union is entitled to a fully transparent view of the business model so that all participants and their incentives are known. This transparency should extend to the termination process or what NCUA refers to as the “exit strategy.” Termination costs may be a hook to keep a credit union in an unsatisfactory relationship. For example, I have represented credit unions that have terminated their relationship with a broker/dealer, only to find out that the broker/dealer is imposing transfer fees for individual retirement accounts (IRAs) that include its internal costs of the termination process.

The key concern in using any third party is protecting the member relationship. The contract should state that the CUSO will comply with applicable privacy laws and will employ verifiable safeguards to protect the member information. There needs to be a provision that the CUSO will not continue to solicit members after the contract has terminated. The contract should also acknowledge that the CUSO has no proprietary rights to the member relationship and will cooperate with the transfer of the business as the credit union dictates.

If a CUSO will see member information from multiple credit unions, the credit unions will want the CUSO to protect against the disclosure of a credit union’s confidential member information to one another. The contract should give the credit union the right to obtain injunctive relief to stop a violation of the confidentiality and non-solicitation provisions.

The duties of the parties must be clearly stated in the agreement, including regulatory compliance. It is critical to the management of the relationship that the performance expectations be objectively and measurably stated. You cannot monitor and manage unless you can objectively measure. The performance needs to be monitored through a reporting process and compared to the expectations. I strongly recommend that a senior level staff person be assigned to monitor and manage third party relationships.

The failure to meet the performance expectations should have consequences that the non-defaulting party can implement, such as termination of the agreement. I always recommend that the parties have a no-cause termination provision which has a relatively short notice period. The ability to terminate quickly without cause is a powerful incentive for a party to be responsive to the other party’s concerns.

What difference does it make who owns the CUSO?

Most third party service provider agreements will have terms related to warranties, indemnification, limitation of damages, and mandatory insurance. This is where the devil is in the details, and a contract presented to the credit union can be very one-sided. There may be wide disclaimers in the warranty section, mismatched indemnifications or very limited damages exposure that will come as a big surprise if a problem arises. This is where risk allocation becomes an art. CUSOs tend to be better risk-sharing partners than other third party service providers, because they focus on serving credit unions — some or all of which are the owners of the CUSO.

Some CUSOs have non-credit unions as co-owners. The non-credit unions may be the founding individuals or they may be part of a business model, such as a joint venture with a title insurance agency. The interests of non-credit unions are not going to be the same as the credit union owner/clients and the potential for eventual conflict is high. It is especially important in this situation that there are clear exit procedures for the owners should an irreconcilable dispute arise.

For CUSOs exclusively providing services to owner-credit unions, the owner-credit unions are engaged in due diligence and risk management on themselves. To borrow from a famous phrase, “We have met the vendor and it is us.” In these situations, one credit union owner/client should not impose a duty of warranties and indemnification on the other owners. It is my opinion that the risk of services should be borne by each credit union, just as if the service was provided internally by the credit union’s employees. Nonetheless, the credit unions need to assure themselves that their aggregate effort and their involvement in the CUSO is prudent. In fact, NCUA will expect each credit union to document how the relationship relates to the credit union’s strategic plan.

CUSOs can provide a great service to their credit union clients by putting together a comprehensive due diligence package and credit-union-friendly agreements. CUSOs are a means to ensure the survival of credit unions as we know them, and the successful management of these relationships is critical.

Guy Messick is an attorney with the law firm of Messick & Lauer P.C. in Media, Pa., and serves as the general counsel of the National Association of Credit Union Service Organizations (NACUSO). He provides legal and consultation services to credit unions and CUSOs. His firm maintains a website at www.cusolaw.com. He may be contacted at 610-891-9000 or guy.messick@gmail.com.