Vendor Due Diligence

Third Party Due Diligence & Oversight [2008]

General Statement:

The Board of Directors is responsible for planning, directing and controlling First Financial Credit
Union’s affairs. In an effort to enhance the services provided to members, the Credit Union often
partners with outside parties. Due diligence reviews are required prior to entering into any arrangement
with a third party. The purpose of this policy is to set forth the guidelines for management and staff to
use in establishing and maintaining due diligence policies and procedures in order to minimize the risk
of unanticipated costs, legal disputes and asset losses.

Guidelines:

(1)    POLICY AND PROGRAM RESPONSIBILITY.

       1.     Board Responsibility. This policy and any recommended changes shall be approved by
              the Board of Directors ("Board").

       2.     Management Responsibility. First Financial Credit Union management ("management")
              will be responsible for the development, implementation, and maintenance of the Credit
              Union's due diligence program. As part of this responsibility, management will maintain
              a list of all third party providers, along with the scope of services provided by each and
              the rationale for outsourcing the services provided. Management may delegate due
              diligence to appropriate staff members as warranted, but shall be responsible for
              reviewing the information gathered and making the final decisions. All due diligence
              efforts will be documented and provided to the Board.

(2)    PLANNING

       (A)    Risk-Assessment. Prior to engaging in a proposed activity, the Credit Union will
              perform a risk-assessment to determine whether the relationship complements First
              Financial’s overall mission and philosophy. Management will determine whether the
              proposed activities, related costs, product and services standards, and third-party
              involvement, are consistent with the credit union’s overall business strategy and risk
              tolerances. If the Board does not believe the proposed activity would complement the
              strategic vision for the Credit Union, the third-party relationship will not be pursued.

              (1)     Documentation. Management will document how the relationship corresponds
                      with First Financial’s Strategic Plan, considering long-term goals, objectives and
                      resource allocation requirements. Consistent with the credit union’s Strategic
                      Plan, management will design action plans to achieve objectives in support of
                      strategic planning for new third-party arrangements. Management will also
                      clearly define the nature and scope of First Financial’s needs, which of those needs
                      will be met by the third party, and to what extent the third party will be
                      responsible for the desired results.

              (2)     Categories of Risk. Categories of risk to be assessed include: loss of capital if
                      the venture fails; loss of member confidence if the program, product or service
                      fails to meet member expectations; costs associated with attracting or training
                      personnel and investing in required infrastructure; and whether the potential
                      benefit of the arrangement outweighs the potential risks or costs.

              (3)     Periodic. The risk assessment will take place in advance of the decision to offer
                      new products and services and will be conducted periodically as long as the
                      product or service is offered. The risk assessment will be shared with the Board.

       (B)    Financial Projections. In evaluating the cost-benefit or risk-reward of the third-party
              relationship, First Financial Credit Union will develop financial projections outlining the
              range of expected and possible financial outcomes. The credit union will project a return
              on its investment, considering expected revenues, direct costs and indirect costs.
              Financial projections will be in line with the context of First Financial’s Strategic Plan and
              asset-liability management (ALM) framework.

       (C)    Insurance Review. Third-party relationships can result in increased liabilities.
              Therefore, First Financial will maintain an adequate review of First Financial’s insurance
              coverage, including the fidelity bond and policies covering such matters as errors and
              omissions, property and casualty losses, and fraud and dishonesty. When appropriate,
              First Financial will ensure that it is the beneficiary on all insurance policies and will
              review all insurance contracts to ensure full coverage.

       (D)    Exit Strategy. First Financial will investigate and determine whether there is a
              reasonable way out of the relationship if it becomes necessary to change course in the
              future, along with whether there are any other providers that can perform critical services.

       (E)    Accounting. First Financial will ensure that it has a sufficient accounting infrastructure
              to appropriately track, identify and classify transactions in accordance with generally
              accepted accounting principles (GAAP). When necessary, the credit union will obtain
              guidance from a certified public accountant (CPA) to ensure proper accounting treatment.

(3)   BACKGROUND CHECK. First Financial will research and/or interview several prospective
      organizations to determine which is best qualified to meet First Financial’s needs. If the
      relationship will require a significant investment of resources and capital, the Credit Union will
      consider hiring a consultant or industry expert to assist in its evaluation, upon approval of the
      Board. It is also important to understand how the third party has performed in other relationships.
      Management will contact other credit unions or clients of the third party. Other sources such as
      the Better Business Bureau and the Federal Trade Commission will be consulted to determine
      complaint histories on businesses. First Financial will review and consider any lawsuits or legal
      proceedings involving the third party and/or its principals. First Financial will also ensure that
      the third party and/or its agent(s) have all of the required licenses or certifications, and that they
      remain current for the duration of the relationship.

a.    BUSINESS MODEL REVIEW. Before entering into a third-party relationship, First Financial
      will investigate and understand the third party’s business model – the conceptual architecture or
      business logic employed to provide services to its clients. If the third party’s business and
      marketing plans are available, First Financial will review them. Management will understand
      and be able to explain the third party’s role in the proposed arrangement and any processes for
      which the third party is responsible. First Financial will also understand the third party’s sources
      of income and expense, considering any conflicts of interest that may exist between the third
      party and First Financial (for example, if the revenue stream is tied to loan origination volume
      rather than loan quality). First Financial will also identify any vendor-related parties
      (subsidiaries, affiliates or sub-contractors) involved with the proposed arrangement,
      understanding the purpose and function of each. When these parties are to play a critical role in
      the relationship, First Financial will perform its due diligence on these vendor-related parties.

b.    CASH FLOWS. First Financial will understand how cash flows move between all of the
      parties in the third-party relationship. Management will be able to explain how the cash flows
      (both incoming and outgoing) between First Financial, the third party and First Financial’s
      members. First Financial will also independently verify the source of these cash flows and
      match them to related individual accounts.

c.    LEGAL REVIEW. All contracts will be reviewed by First Financial’s legal counsel. At a
      minimum, third party contracts should address the following:

      (A)    Scope of arrangement, services offered and activities authorized;
      (B)    Responsibilities of all parties (including subcontractor oversight);
      (C)    Service level agreements addressing performance standards and measures;
      (D)    Performance reports and frequency of reporting;
      (E)    Penalties for lack of performance;
      (F)    Ownership, control, maintenance and access to financial and operating records;
      (G)    Ownership of servicing rights;
      (H)    Audit rights and requirements (including responsibility for payment);
      (I)    Data security and member confidentiality (including testing and audit);
      (J)    Business resumption or contingency planning;
      (K)    Insurance;
      (L)    Member complaints and member service;
      (M)    Compliance with regulatory requirements (i.e., Privacy, BSA, etc.);
      (N)    Dispute resolution; and
      (O)    Default, termination and escape clauses.

d.    FINANCIAL REVIEW. Financial statements of the third party and its closely-related affiliates
      will be reviewed to determine the strength of the institution. These financial statements should
      demonstrate an ability to fulfill the contractual commitments proposed, and will be considered
      with regard to outstanding commitments, capital strength, liquidity, and operating results.
      Undercapitalized companies or those exhibiting weak earnings may not be able to continue as
      going concerns. This could lead to disruptions in member service, uncollected payments, and
      potential losses if the third party fails to remit funds due to First Financial. A licensed CPA will be
      consulted when necessary.

e.    CONTROLS. Once First Financial has entered into a third-party arrangement, First Financial
      will employ controls to ensure that the relationship is meeting expectations and the third party is
      meeting its responsibilities.

      (A)    Limitation of Exposure. Depending on the nature of the relationship, First Financial
             will establish limitations on the risk of exposure (i.e., the number of leases initially
             granted, etc.) until the third party’s performance is measured, or the level of the
             respective risk(s) becomes significant.

      (B)    Sensitivity Analysis. First Financial management will routinely conduct sensitivity
             analyses; project its expected revenue, expenses, and net income on its investment; and
             recognize how each of these factors may change under different economic conditions.
             This analysis will be conducted internally by someone with the requisite knowledge, or
             through the use of an outside consultant. Data and other benchmarks, including yield and
             profit projections generated by the third party, will be verified, with the underlying
             assumptions fully understood by First Financial, and compared with First Financial’s
             own data. Services that are not directly income generating, such as infrastructure, will be
             subjected to a cost-benefit analysis.

      (C)    Staff Oversight. Management will designate the staff that is to be responsible for
             monitoring the performance of each outsourced program. Duties will include comparing
             the actual results of each program to projections, and reviewing each third party’s
             performance to determine compliance with expectations and contracts.

      (D)    Reporting. Staff responsible for third party relationship monitoring will submit regular
             reports to First Financial’s senior officials and the Board. The reports will include
             appropriate information in order to provide the officials and the Board the opportunity to
             make informed decisions and take timely corrective action.


Vendor Due Diligence: Checklist
(To be in substantial compliance, all answers should be “Yes” unless they are not applicable.)

PART I - RISK ASSESSMENT AND INTERNAL PLANNING

PART II - DUE DILIGENCE OF THE VENDOR

PART III - RISK MEASUREMENT, MONITORING AND CONTROLS


PART I - RISK ASSESSMENT AND INTERNAL PLANNING

   Internal Risk Assessment of First Financial


       1. Does the relationship complement First Financial’s overall mission and philosophy?

       2. Are the proposed activities, related costs, product and services standards, and third-party
          involvement, consistent with First Financial’s overall business strategy and risk tolerances?

       3. Has it been documented how the relationship corresponds with First Financial’s Strategic Plan,
          considering long-term goals, objectives and resource allocation requirements?

       4. Have action plans been developed to achieve objectives in support of strategic planning for
          new third-party arrangements, clearly defining the nature and scope of First Financial’s
          needs; which needs will be met by the third party; and to what extent the third party will be
          responsible for the desired results?

       5. Has First Financial completed an appropriate risk assessment to determine the exposure
          related to each third party relationship? Categories of risk to be assessed include:

               a. Credit, interest rate, liquidity, transaction, compliance, strategic and reputation (i.e.,
                  loss of capital if the venture fails; loss of member confidence if the program, product
                  or service fails to meet member expectations; costs associated with attracting or
                  training personnel and investing in required infrastructure; and whether the potential
                  benefit of the arrangement outweighs the potential risks or costs).

       6. Does First Financial have adequate staff expertise (i.e., is First Financial’s staff qualified to
          manage and monitor the third party relationship? How much reliance on the third party will
          be necessary)? Categories of risk to be assessed include: loss of capital if the venture fails;
          loss of member confidence if the program, product or service fails to meet member
          expectations; costs associated with attracting or training personnel and investing in required
          infrastructure; and whether the potential benefit of the arrangement outweighs the potential
          risks or costs.

   Financial Projections

    1. In evaluating the cost-benefit or risk-reward of the third-party relationship, have financial
       projections been developed to outline the range of expected and possible financial outcomes?

    2. Has a return on investment been projected, considering expected revenues, direct costs and
       indirect costs (that are in line with the context of First Financial’s Strategic Plan and asset-
       liability management (ALM) framework)?

   Insurance Review


    1. Has there been an adequate review of First Financial’s insurance coverage, including the
       fidelity bond and policies covering such matters as errors and omissions, property and
       casualty losses, and fraud and dishonesty? Will the arrangement create additional liabilities?

    2. When appropriate, has First Financial ensured that it is the beneficiary on all insurance
       policies and reviewed all insurance contracts to ensure full coverage?

   Exit Strategy
    1. Has First Financial investigated and determined whether there is a reasonable way out of the
       relationship if it becomes necessary to change course in the future, along with whether there
       are any other providers that can perform critical services?


   Accounting
    1. Has First Financial ensured that it has a sufficient accounting infrastructure to appropriately
       track, identify and classify transactions in accordance with generally accepted accounting
       principles (GAAP)?



PART II - DUE DILIGENCE OF THE VENDOR

   Vendor Background Check
     1. Has First Financial researched and interviewed prospective organizations to determine
        which is best qualified to meet First Financial’s needs?

     2. Does First Financial know how the third party has performed in other relationships (for
        example, by contacting other credit unions or clients of the third party)?

     3. Have other sources, such as the Better Business Bureau and the Federal Trade Commission,
        been consulted to determine complaint histories on businesses (if needed)?

     4. Has First Financial reviewed and considered any lawsuits or legal proceedings involving the
        third party or its principals?

     5. Has First Financial ensured that the third party or its agents have all of the required licenses
        or certifications, and that they remain current for the duration of the relationship?

   Vendor Business Model Review


     1. Has First Financial investigated and understood the third party’s business model, that is, the
        conceptual architecture or business logic employed to provide services to its clients?

     2. If the third party’s business and marketing plans are available, has First Financial reviewed
        them?

     3. Can management explain the third party’s role in the proposed arrangement and any
        processes for which the third party is responsible?

     4. Does First Financial understand the third party’s sources of income and expense,
        considering any conflicts of interest that may exist between the third party and First
        Financial (for example, if the revenue stream is tied to loan origination volume rather than
        loan quality)?

     5. Can First Financial identify any vendor-related parties (subsidiaries, affiliates or sub-
        contractors) involved with the proposed arrangement, understanding the purpose and
        function of each? When these parties are to play a critical role in the relationship, has
        First Financial performed its due diligence on these vendor-related parties?

   Vendor Cash Flows
     1. Does First Financial understand how cash flows between all of the parties in the third-party
        relationship?

     2. Can management explain how cash flows (both incoming and outgoing) move between
        First Financial, the third party and First Financial’s members?

     3. Has First Financial independently verified the source of these cash flows, and matched them
        to related individual accounts?

   Legal Review
     1. Has First Financial retained its attorney to review all third party contracts? At a minimum,
        third party contracts should address the following:

            a. Scope of arrangement, services offered and activities authorized;

            b. Responsibilities of all parties (including subcontractor oversight);

            c. Service level agreements addressing performance standards and measures;

            d. Performance reports and frequency of reporting;

            e. Penalties for lack of performance;

            f. Ownership, control, maintenance and access to financial and operating records;

            g. Ownership of servicing rights;

            h. Audit rights and requirements (including responsibility for payments);

            i. Data security and member confidentiality (including testing and audit);

            j. Business resumption or contingency planning;

            k. Insurance;

            l. Member complaints and member service;

            m. Compliance with regulatory requirements (i.e., Privacy, BSA, etc.);

            n. Dispute resolution; and

            o. Default, termination and escape clauses.



    Financial Review
       1. Have the financial statements of the third party and its closely-related affiliates been
          reviewed to determine the strength of the third party(ies)? (These financial statements should
          demonstrate an ability to fulfill the contractual commitments proposed, considering
          outstanding commitments, capital strength, liquidity and operating results.)

PART III - RISK MEASUREMENT, MONITORING AND CONTROLS

    Guidelines and Procedures
       The following may be required:

               a. An outline of expectations and limits on risk originating from the third party relationship.

               b. An outline of staff responsibilities and oversight of the third party relationship.

               c. Reports to management or the Board (if required).

               d. Limitations set to control the pace of a program.

    Limitation of Exposure
       1. Have limitations been established on the risk of exposure (i.e., the number of leases initially
          granted, etc.) until the third party’s performance is measured, or the level of the respective
          risk(s) becomes significant?

    Staff Oversight
       1. Has management designated the staff that is to be responsible for monitoring the
          performance of each outsourced program (such as comparing the actual results of each
          program to projections, and reviewing each third party’s performance to determine
          compliance with expectations and contracts)?

    Board Reporting
       1. Is the staff responsible for third party relationship monitoring submitting regular reports to
          the senior officials and the Board? (The reports should include appropriate information in
          order to provide the officials and the Board the opportunity to make informed decisions and
          take timely corrective action if necessary.)
