The types of risk a CUSO can pose to a credit union vary greatly. In fact, the risks are influenced significantly by a CUSO’s operating structure and the products and/or services it offers.
Overall, provided that proper written agreements and controls are in place, a CUSO can prove to be an impactful tool in providing a full-service member experience. It allows for cooperation among credit unions to merge talents and share risks and assets. While credit unions may have very close relationships with the CUSOs they invest in and do business with, you must conduct appropriate due diligence reviews and monitor the performance and risks of the CUSOs with whom you partner.
In addition to typical fidelity, property and liability issues, these risks also often apply to CUSOs:
- While it’s true that CUSOs may often be wholly owned by one credit union, the need to demonstrate that the CUSO has a separate corporate identity that operates independently of the credit union still exists. For CUSOs that are not wholly owned, this is often an increased risk.
- If you’re using credit union staff for a CUSO or if it’s a part of your building, then the written agreements between the CUSO and the credit union should outline the responsibilities of all parties and provide details on how that separate existence would be maintained.
- Verify the credit union has obtained a sufficient legal opinion that states the CUSO is structured and operated in a way that limits the credit union’s liability.
- Third-party vendor due diligence factors such as financial strength, reputation, years in business and ratings need to be evaluated to assess future financial success and soundness.
- Determine if credit union management expertise and systems are sufficient to monitor and mitigate risk exposures related to partnering with a CUSO.
- Ensure that compliance, reasonable established limits and service plans, and general oversight are in place to serve the credit union industry and members.
- Engaging with CUSOs involved in high-risk/unregulated/developing activities (e.g., cryptocurrency, marijuana business, technology solutions, investments, etc.) can increase the credit union risk.
CUSOs involved in high-risk/unregulated/developing activities tend to be the most concerning, especially without a clear credit union understanding of the activity or regulatory oversight. Some risky areas include CUSOs offering their own technology solutions, digital currency, marijuana banking, and trust services.
Using a CUSO to leap quickly into new service areas, such as commercial lending, can often produce positive growth that reverses just as quickly. Without NCUA oversight, loans written by the CUSO would not be subject to examiner review and could lead to an increase in high-risk, sub-prime, and possibly predatory loans for the credit union. This is especially concerning if the credit union doesn’t have the necessary skills, training, or experience to handle or monitor the operations.
While credit unions may have very close relationships with the CUSOs they invest in and do business with, credit unions need to assure themselves that their aggregate effort and their involvement in the CUSO are prudent. The CUSO should operate independently as a separate legal entity. You must also verify that no actions occur which may impair the independence of the credit union and the CUSO (e.g., conflicts of interest, co-mingling of financials, or other practices which may affect the separation of the entities).
If you are using credit union staff for operating a CUSO, the written agreements between the CUSO and the credit union should outline the responsibilities of all parties and provide details on how that separate existence would be maintained.
You should ensure that a sufficient legal opinion has been obtained that reviews the CUSO and the written agreements between the CUSO and the credit union, and that those agreements adequately outline the responsibilities of all parties. This should include details on how that separate existence would be maintained.
While credit unions may have very close relationships with the CUSOs they invest in and do business with, NCUA has made clear that credit unions must do appropriate due diligence reviews and monitor the performance of the CUSOs with whom they partner.
Most third-party service provider agreements will have terms related to warranties, indemnification, limitation of damages, and mandatory insurance. This is where the devil is in the details. There may be wide disclaimers in the warranty section, mismatched indemnifications or very limited damages exposure that will come as a big surprise if a problem arises. This is where risk allocation and due diligence become an art.
CUSOs tend to be better risk-sharing partners than other third-party service providers, because they usually focus on serving credit unions. However, most credit unions still tend to treat CUSOs as a high-risk vendor when it comes to due diligence.
CUSOs are subject to whichever regulator oversees state-chartered corporations, limited partnerships, and limited liability companies, such as the Secretary of State in the state where the CUSO is being formed. The NCUA does not regulate CUSOs, only a federal credit union's investment in a CUSO. However, some state credit union regulators may have some regulatory authority over CUSOs within that state.
The NCUA does require CUSOs to file a short annual report.
NCUA may at any time, based upon supervisory, legal, or safety and soundness reasons, limit any CUSO activities or services, or refuse to permit any CUSO activity or service.
For NCUA Board approval to engage in activities not otherwise approved in Code of Federal Regulations 12 C.F.R. § 712.5, individuals should submit written requests to the attention of the NCUA Office of Examination and Insurance.
Always take the necessary steps to understand the CUSO’s data security standards. When applicable, contractually require adequate protection of member information and review appropriate security documents to ensure compliance. CUSO employee access levels to your core processing system should be limited and based on what is necessary to perform a specific job function for the CUSO and credit union relationship.
These action steps can assist in determining adequate data protection standards.
- Describe the services the CUSO will perform for the credit union and determine whether the CUSO will have access to nonpublic personal information in connection with the performance of these services.
- Obtain and review copies of the CUSO’s privacy and information security policies and procedures, and their information security incident response plan.
- Ensure CUSOs who have access to sensitive or personal data adhere to data security standards and review appropriate documents to ensure compliance. This should be clearly outlined in the contract.
Additionally, it is critical to ensure that fourth-party vendor relationships are considered. When performing due diligence on a CUSO, be sure to inquire whether it anticipates performing all the services itself or whether it too will be outsourcing or sub-contracting some services. In addition to clearly outlining responsibilities in the contract, the credit union should routinely confirm that the CUSO is adhering to all service level expectations and data security standards as part of its ongoing vendor due diligence efforts.