Credit unions engage third-party vendors for a variety of reasons. Some third-party vendors bring expertise to the table that allows the credit union to offer products and services to its members that it would not otherwise be able to offer. Other vendors provide products and services in a manner that is more cost effective than if the credit union were to provide the product or service itself.
These vendors play a valuable role in the credit union’s business and ability to serve its members. But while the service may be outsourced, the responsibility and legal liability for regulatory compliance ultimately remain with the credit union.
From a compliance standpoint, the credit union is liable to its members and its regulators for the actions or inactions of the vendors it does business with. For example, under the Truth in Lending Act and Regulation Z, in general, it is the party extending the credit to the consumer that will be held liable for violations, not the party that actually prepared or distributed the disclosures. A properly negotiated contract may provide the credit union with some recourse against the vendor in the event the vendor violates a law or regulation, but that will not change the fact that the credit union is also in violation of the law or regulation. And it’s the credit union that will be exposed to potential administrative liability and sanctions as well as civil penalties.
The following is an example, albeit a worst-case scenario, of how a small error by a vendor can cause widespread issues for a credit union. A credit union discovers, by way of an examination, that due to a programming error, its vendor had disclosed an understated APR on its credit card product for a period of one year. As an administrative sanction, the regulator orders the credit union to reimburse the difference between the disclosed APR and the APR actually charged to these members. Then, the credit union receives notice that it is being sued in a class action lawsuit for violations of the Truth in Lending Act and other assorted consumer protection laws where it may be subject to punitive damages.
The credit union then has to expend time and money defending this case. Once the credit union has ascertained its final damages, it seeks indemnification from the vendor through a litigious process, subject to any limitation that may be set forth in the contract. Although the credit union may have recourse for monetary damages, one thing the credit union cannot seek to recoup from the vendor is the harm to its reputation.
Vendors often market “turn-key” products. While the convenience of such a product is often appealing, do not allow its convenience to cause the credit union to become complacent with regard to regulatory compliance. Taking a proactive position with vendors begins at the commencement of the relationship. The review of the vendor’s service agreement by the credit union’s attorney is a critical step in ensuring that the vendor has the legal duty to provide the products and services in compliance with all applicable laws and regulations and in ascertaining that the credit union has adequate legal recourse in the event the vendor should breach this duty. Before the vendor even begins to provide products and services, the credit union should become familiar with the products or services and the applicable laws and regulations. During the due diligence process, the credit union should confirm compliance with these laws and regulations.
Once the vendor begins to provide the products and services, the credit union should perform quarterly internal compliance audits to verify that the vendor is providing the products and services in a compliant manner. These frequent internal audits catch violations early and minimize potential damages.
The credit union should also monitor the applicable laws and regulations for changes. When there is a change, it should reach out to the vendor to inquire whether or not the vendor is aware of the change and ask what steps are being taken to ensure the changes will be in place by the compliance deadline. Designating a person within the credit union to manage third-party vendor relationships is one way to help accomplish these tasks. It is critically important for the credit union to take an active role in managing its vendors and to stay aware of the changing regulations applicable to even its outsourced services.