Compliance and Outsourced Services

Credit unions engage third party vendors for a variety of reasons. Some third party vendors bring expertise to the table that allows the credit union to offer products and services to its members that it would not otherwise be able to offer. Other vendors provide products and services in a manner that is more cost effective than if the credit union were to provide the product or service itself. These vendors play a valuable role in the credit union’s business and ability to serve its members; however, although the service may be outsourced, the responsibility and legal liability for regulatory compliance is ultimately the responsibility of the credit union.

From a compliance standpoint, the credit union is liable to its members and its regulators for the actions or inactions of the vendors with which it does business. For example, under the Truth in Lending Act and Regulation Z, in general, it is the party extending the credit to the consumer that will be held liable for violations, not the party that actually prepared or distributed the disclosures. While a properly negotiated contract may provide the credit union with some recourse against the vendor in the event the vendor violates a law or regulation, that will not change the fact that the credit union is also in violation of the law or regulation and the credit union will be exposed to potential administrative liability and sanctions as well as civil penalties.

The following is an example, albeit a worst case scenario, of how a small error by a vendor can cause widespread issues for a credit union. A credit union discovers, by way of an examination, that due to a programming error, its vendor had disclosed an understated APR on its credit card product for a period of one year. As an administrative sanction, the regulator ordered the credit union to reimburse the difference between the disclosed APR and the APR actually charged to these members. Subsequently, the credit union receives notice that it is being sued in a class action lawsuit for violations of the Truth in Lending Act and other assorted consumer protection laws where it may be subject to punitive damages. The credit union then has to expend time and money defending this case. Once the credit union ascertained its final damages it seeks indemnification from the vendor through a litigious process, subject to any limitation that may be set forth in the contract. Although the credit union may have recourse for monetary damages, one thing the credit union cannot seek to recoup from the vendor is the harm suffered to its reputation.

Vendors often market “turn-key” products and while the convenience of such a product is often appealing, do not allow the convenience of such a product to cause the credit union to become complacent with regards to regulatory compliance. Taking a proactive position with vendors begins at the commencement of the relationship. The review of the vendor’s service agreement by the credit union’s attorney is a critical step to ensure that the vendor has the legal duty to provide the products and services in compliance with all applicable laws and regulations and to ascertain that the credit union has adequate legal recourse in the event the vendor should breach this duty. Before the vendor even begins to provide products and services, the credit union should become familiar with the products or services and the applicable laws and regulations. Inquiry should be made during the due diligence process to confirm compliance with these laws and regulations. Once the vendor begins to provide the products and services, the credit union should perform quarterly internal compliance audits to verify that the vendor is providing the products and services in a compliant manner. Frequent internal audits also serve to catch violations early and minimize potential damages. The credit union should also monitor the applicable laws and regulations for changes and reach out to the vendor when there is a change to inquire whether or not the vendor is aware of the change and ask what steps are being taken to ensure the changes will be in place by the compliance deadline. Designating a person within the credit union to manage third party vendor relationships is a way to help accomplish these tasks. It is critically important for the credit union to take an active role in managing its vendors and to stay aware of the changing regulations applicable to even its outsourced services.

Amanda Smith is a partner with Messick & Lauer PC in Media, PA. She can be reached at 610-891-9000 or asmithr@cusolaw.com