By: Michael J. Heller
Part 1: Contract Review
As credit unions increasingly rely on third party relationships to remain operationally efficient and competitive and to provide the most innovative and up-to-date services to members, contract review, negotiation, and monitoring are, and will continue to be, critical aspects of an effective third party risk management program. As such, credit unions must have a team in place that specializes in each of these critical stages of the contract life cycle in order to best implement the credit union’s operational and strategic goals, better serve members, and know how best to react in the event the third party relationship turns sour. This post is the first of an initial three-part series that will focus primarily on the first prong of the contract life cycle – contract review. Not all third party relationships are the same, so this post will focus on a high level overview from the credit union perspective of what to consider when reviewing contracts for more complex third party arrangements that include critical services provided to the credit union.
Every third party contract review should address, at a minimum, a clear and unambiguous scope of services provided by the third party, along with the responsibilities and obligations of each party to the contract. Given the growing complexity of the nature of third party relationships, if the third party utilizes subcontractors to provide services under the contract, this should also be clearly addressed so the credit union is knowledgeable as to the parties involved in the delivery of services and, if the subcontractor is critical to the third party’s ability to deliver services to the credit union, the credit union can request due diligence materials on those critical subcontractors or perform proper due diligence on the critical subcontractors itself. This is essential given the growing regulatory emphasis on the credit union’s understanding of the service delivery flow to better locate vulnerabilities as part of its third party risk mitigation strategy. Performance standards should also be included in the contract, along with third party reporting obligations (including the frequency at which the credit union should expect the reports), and what remedies are available to the credit union in the event the third party fails to meet contracted service levels. Also, building broad auditing rights into the contract will better help the credit union collect the information necessary to properly assess third party performance.
If the credit union is sharing sensitive, proprietary confidential information, and certainly when the credit union is sharing member, non-public personal information, the third party contract should include or reference the third party’s confidentiality and data security practices, including, but not limited to, the third party’s business continuity and contingency planning processes, to protect credit union confidential information. This should incorporate, at a minimum, data security standards included in NCUA Rules and Regulations Part 748, but also include more protective security standards for credit unions in states with more extensive legal privacy requirements. The contract should also address when and how credit union confidential information will be returned or adequately disposed of.
There are also certain boilerplate legal terms to pay attention to in order to ensure that the credit union itself is adequately protected while also making sure that the contract is not overly protective of the third party service provider – most notably, the indemnification and limitation on liability provisions. The credit union should also be aware of particular legal issues that may arise given the state law that governs the contract, as well as the dispute resolution procedures included. Finally, there may be limitations imposed on the credit union’s ability to transfer its obligations under the contract or to modify its terms. Credit unions should seek maximum flexibility in these areas to best protect their interest in the third party arrangement.
There are also numerous other contractual considerations given the particular context of the business arrangement (e.g., intellectual property rights in software product offerings, third party infringement indemnification, insurance limits, and member complaint procedures for member servicing issues) that are specialized enough to be the subject of future posts. But there is another important area of contract review that must be adequately addressed and fully understood prior to execution – the credit union’s exit strategy. There could be a multitude of hurdles that impact a credit union’s decision to move on from a third party service provider (e.g., long contractual terms, early termination fees, and financial costs associated with transitioning to a new service provider). It is best practice for a credit union to fully understand how it can best exit a third party contract to ensure that its transition to provide similar services with another service provider, or internally, can be accomplished without facing exorbitant costs to move forward.
Contract review is integral to a credit union’s due diligence process and lays a solid foundation for the credit union to best assess risks presented in a third party relationship from a contractual standpoint. In addition to having the board involved in the decision-making process, credit unions should also have a team assembled that can best identify third party risk and mitigation strategies in the contractual process, including, but not limited to, subject matter expert attorneys and leaders from all relevant business units. The next post in this series will focus on the credit union’s right to negotiate to ensure that it does not enter into third party arrangements with contractual terms that could adversely affect the credit union’s ability to meet its operational and strategic goals and to continue to provide its members with innovative service offerings.