top of page

Third Party Due Diligence & Contract Management With Mike Heller

In this episode, Mark Treichel discusses Third Party Due Diligence and Contract Management with Mike Heller.

Mike is an Associate with the law firm Messick Lauer & Smith P.C. His primary focus is providing guidance and expertise on contract terms for vendor contracts and agreements. In this capacity, Mike begins with understanding the client’s business objectives and works with the client to ensure appropriate risk mitigation to accomplish those business goals. Credit unions increasingly outsource functions and programs through collaboration with third parties to expand services and product offerings. Developing sound third-party relationships and alliances can assist credit unions in meeting their strategic objectives.

Properly leveraging the skills and experience of qualified third parties may enable credit unions to:

• Provide access to products and services through expanded delivery channels;

• Offer more cost-effective products and services; and

• Manage programs that would not be feasible without external expertise.

In many cases, third-party relationships are essential in enabling credit unions to become their members’ primary financial institution, while inadequately managed and controlled third-party relationships can result in unanticipated costs, legal disputes, and financial loss, NCUA’s role as a regulator and insurer is not to stifle the innovative use of third-party relationships to meet member needs and strategic objectives. NCUA’s goal is to ensure credit unions clearly understand the risks they are undertaking and balance and control those risks considering the credit union’s safety and members’ best interests.


Listen to the podcast here

Third Party Due Diligence & Contract Management With Mike Heller

I'm excited to have Mike Heller from Messick Lauer & Smith P.C. Mike, how are you doing?

Pretty good. How are you?

I'm doing great. I was a guest on Mike's relatively new podcast, In the CU. Mike is with the law firm Messick Lauer & Smith. His primary focus at the firm is providing guidance and expertise on contract terms for vendor contracts and agreements. This also relates to third-party due diligence and NCUA guidance and all that might entail. Do I have that right?

That's correct. Thanks for shouting out the podcast. It was a great time having you on. We talked about a little bit of a different topic. Where we come from with regards to NCUA guidance is that's the touchstone, and then you get into the nitty-gritty from there.

You got it. There's a lot of good information and guidance. I know you have an article on your website about third-party due diligence that you wrote on how you assist your clients. The NCUA third-party due diligence letter that's out there, there's a lot of principle-based guidance there that has stood the test of time for the most part. Why don't you speak a little bit about how you assist your clients, whether they're CUSOs or credit unions, as it relates to the big-picture, the third-party due diligence of better management?

Where I always like to start with this is taking a look at the big picture. There is that supervisory letter that you had mentioned, but outside of that, it is third-party relationships, to begin with. Most notably, they're increasing. It seems like that's the trajectory. What credit unions can get from third-party relationships is they offer expertise in areas that credit unions aren't familiar with themselves. They can expand service offerings and products to members in what's a very competitive marketed place. It does help credit unions increase efficiencies and economies of scale by leaning on that vendor.

They offer many opportunities to credit unions, but at the same time, and I'm sure you're well aware, credit unions are ultimately responsible for their compliance obligations. They're ultimately responsible for conducting these activities and ensuring that these services are offered in a safe and sound manner. They need to find the right balance.

You can outsource anything. Do you lease or buy? Do you manufacture it or do you go out and lease it from somebody? It's the same kind of concept, but ultimately, the responsibility lies with the board of directors and then the top-level management to deal with it. You're right. What keeps continuing to grow in the challenging market we're in is finding employees, too. That makes it even a little bit probably more of a growth market since the pandemic and things like that.

If you can't hire people internally, you do have to outsource it. How do you mitigate that risk? It is a growing area of operation for probably every credit union. Let's speak a little bit about the things that you assist credit unions with, specifically as it relates to either the letter to credit unions or when you get a new client that says, “We need some help with third-party vendors.” What are the first steps?

What I offer to our clients is I help them through the contract management phase. We get a lot of different types of contracts and a lot of different types of service offerings. I primarily review those agreements first to make sure that they're legally permissible. You would be surprised. You do get some contracts that do not include everything that they need from a regulatory standpoint. We need to clean that up, for sure.

Beyond that point, too, I like to identify, for credit unions, areas of risk. The personnel who I deal with, in particular, need to be aware of that. Ultimately, it could elevate to the board depending on the type of vendor it is. That's my approach. I do negotiations as well with these vendors to help our credit unions negotiate that landscape. There's an old adage that is like, “This is a huge vendor. We have to accept this contract as is.” In a lot of areas, that does lead to a lot of frustration in the industry. All these terms are negotiable, too. It's important to get that message across as well.

You got to play to win. If you don't bring those questions to the vendor, you're not going to have that opportunity. I presume at your firm, you see new vendors, but you see the same vendors over and over. You've got some context that a credit union or a CUSO going into a relationship blind, if you will, without your assistance might not know where they might be able to push back. Since you've been able to glean that from other negotiations, you know where you might be able to push.

That's a great point. You nailed it there, too. Our firm is We do help form and lead CUSOs through the process of working with credit unions, too. From that perspective, we do know exactly what credit unions are looking for in these agreements, too. We do help CUSO structure those agreements with that in mind, too. There's a lot of consolidation of vendors in the space, too, so you do see a lot of the same agreements or at least the same types. You do know what to expect and how you can push. That can sometimes work to your advantage, especially when you're dealing with different types of vendors.

You mentioned areas of risk. Is it legal negotiations in areas of risk? Can you maybe expand upon the areas of risk? Would that be member data, protection of privacy, and things like that?

That's certainly a big one. Typically, when you're coming to this decision or when it comes to a service offering that you want to offer to your members, you make that first determination as to, “Is this something that we can handle in-house or is this something that we need to outsource?” If you are going to outsource, it's a whole different type of risk appetite and risk profile that you're looking at there. When member information is shared, that is the starting point. As you're assessing that vendor at the outset, that needs to be a consideration.

When you're going through due diligence and verifying the vendor's internal, that's where you're looping in your own IT expertise, whether in-house or external. That's an area that you need to stay on top of, not only from supervisory guidance that you need to have a full understanding as to what the vendor has from an internal control process, but it's an ever-evolving area, too. It seems like there are updates in that area almost daily. Cybersecurity is a huge area. That's on the NCUA’s radar, so it most certainly has to be. That's a great area to start when it comes to risk, especially when member information's being shared.

Cybersecurity is ever-present in every arena. The NCUA board and NCUA leadership have had that in their priority letter for exam priorities year after year. It's never going to go away. The board members often speak about the fact that that's what makes them not sleep at night, so I could see why that would be a focus. You mentioned the due diligence. That is 1 of the 3 pillars of the supervisory letter, which are risk assessment and planning, due diligence, and risk measurement. Maybe we should walk through risk assessment and planning a little bit to talk about what credit unions and CUSOs should be thinking about as it relates to that.

The three pillars of the supervisory letter are risk assessment planning, due diligence, and risk measurement.

Even to take a little bit of a step back as we walk through each of these individual phases and how the party risk management program should be tailored at the outset. What the NCUA is looking for is that this program is tailored to the actual credit union size, the types of services that it's seeking to provide its members, and then what the actual risk profiles are of the vendors. To start, that's what examiners will look for.

Internally, too, we touched on it there in your last question about having the personnel available to implement and execute the credit union's risk management program. Is that personnel that you have internally or is that expertise that you have internally? Is that something that you need to outsource? That all needs to be encompassed in the program.

You also mentioned the board has to be involved. The program needs to be approved and needs to be reviewed at least on an annual basis. There are arguments, especially for critical vendors that can be reviewed on a more frequent basis. The board's ultimately responsible for critical vendor oversight, too. They need to be updated if there are any changes in that risk profile for a critical vendor.

With the program itself, we've seen enough over the past couple of years that any program that speaks to the longevity of any sort of institution needs to be adaptable and resilient to economic changes and technical changes. Maybe there's a worldwide pandemic around the corner. Considering all these things, you have to be able to modify and adapt accordingly. Generally speaking, that's easy to talk about.

Individually, you mentioned risk assessment. When you first get to that initial planning stage, you need to think about what your goals are in engaging with that third party and how measurable they are. It's one thing that you want to get into a relationship with a vendor because this new cool digital service looks awesome and your members are going to love it. How do you measure that? How do you measure satisfaction internally at the credit union with that particular vendor? What's the impact on the member itself? How are they enjoying it? How are you going to measure that? How are you going to define what success is in that relationship?

You need to consider all those things and take into account the type of service offered and how much you're leaning on that vendor's expertise. We talked about some of those due diligence items, too. This all goes into how you create a risk profile for that vendor. You had asked, “What type of risk do you think about?” The one thing as the lawyer in the room is you're always worried about how you exit a particular relationship. That starts at the very initial stages of engaging a vendor, for sure.

On exiting, that's probably not as simple as, “I give you X number of days’ notice to alert you,” but that would be one of the strategies relative to exiting. Do I have that right?

Yeah. It’s the ease of exit. Also, you see a lot of termination fees that are tied to early termination. This is what we get back to when we talk about negotiated terms. These terms are negotiable. They're not set in stone that you have to agree to. If you do have to agree to them, that certainly goes into your consideration of risk for that particular vendor, whether you need to balance the cost-benefit there in engaging with this vendor.

When it comes to exit strategy, for sure, you talk about how easy it is from a timeline perspective. That even could be the term of the agreement itself. Is this a ten-year agreement? Is this a one-year agreement? What does that look like? There is also the amount of notice you need to give to terminate the agreement, and then if there are any fees attached to that. You want to minimize that potential damage as much as possible.

Also, you need to start thinking, even at the outset, “What happens if this agreement or this relationship with this vendor doesn't work out in the way that we see it? How do we transition those services to another vendor? Do we bring them in-house?” These are all things that need to be thought through at the early stages in the event that does happen. As attorneys, we're always the bearers of bad news because everybody's all excited to get into the relationship and they don't want to think about these things. It is important even at the outset, for sure.

That makes sense. It's mission-critical. Exiting and winding out of service or not doing that particular thing down the road is one thing. If it's something that's mission-critical, and you talked about a critical system where you have to have the next group lined up and do some sort of conversion, there are all sorts of tentacles of our set that would play into that. That's fascinating as well.

You talked about critical systems and the risk profile. You reminded me of some conversations. You mentioned the pandemic also and how that influenced some things. I was thinking about the Silicon Valley Bank situation. It started to brew on a Thursday and a Friday. The Silicon Valley Bank’s stock was plummeting. The next thing you know, on a Friday around noon Eastern, the California Banking Department and the FDIC had shut them down. By the end of Friday, I was getting some messages from some friends in the industry saying, “We found out that we have eight systems that are linked to Silicon Valley Bank’s subsidiaries.”

The discussion was none of them were critical systems, but there were some bill pay systems that were linked to them. The devil's in the details. It's that kind of thing where you see your vendor fail or somebody related to the vendor that you have failed. That's one of the things that it's not that easy to control, but if you have a good system in place where you are looking at their financials, the contracts, or reassessing it on an annual basis. Do you have any thoughts about those concepts I threw out there?

Yeah. You hit the nail on the head with regard to another area focused by regulators, whether it is NCUA, state regulators, and all types of federal regulators. It is this concept of 3rd parties or 4th parties. These relationships are getting so complex. Every credit union needs to be aware of what types of parties are involved in the service relationship. If you have that relationship with the vendor, who does the vendor, then outsource some of those services to? With that example that you used, this could be a subsidiary of another company that the vendor uses to provide that one particular component of the service offering.

If that service offering is critical, proper due diligence needs to be performed on that fourth party as well. That's something again that NCUA is certainly looking at. It's something that credit unions need to fully understand when they get into these relationships with vendors. They need to have it properly mapped out. They need to know who those key personnel are at the vendor or that other vendor.

I always get the question, “How far down that line do you have to go?” because, in some of these relationships, it could be a vendor’s vendor’s vendor. I always say the buck stops in that regard in the matter of the criticality of the service offering. If you can't use that service because that vendor relies on another vendor to provide a certain component of the offering, we're going to want to make sure that there's proper due diligence performed on that party as well.

Typically, that should come from the vendor because they have a direct relationship with that fourth party. If that vendor isn't able to provide that information, or, at least in a satisfactory matter, the credit union also has to have a backup plan. We started this conversation by saying that credit unions can't outsource the risk. This is an area, too, where they will need to perform adequate due diligence on that fourth party as well.

You think about how complicated it's getting. It's not going to get easier over time. That's probably why I listened to one of the podcasts you did a few episodes back and I didn't realize that the other banking regulators had proposed a rule on third-party due diligence. Can you speak to that a little bit? Have you heard whether or not they're moving forward with that if that guidance sits out there from those other regulators? Do you have any thoughts relative to how that might play out here?

Yeah. At this point, it's still proposed guidance. There's no final rule in that area. It does focus on third-party relationships and risk management. It was issued by the Fed, FDIC, and OCC. You mentioned at the outset that the NCUA supervisory letter is many years old at this point. It still stands the test of time, given the framework that it has that it could be applied to any type of vendor relationship. Maybe you can speak to this more, too, because I know of your previous relationship with the NCUA.

The framework for that guidance is pretty consistent for the most part with the NCUA's third-party management guidance. It does add a little bit more context. It does speak a little bit more to some of the digital service offerings that we've seen more frequently. It's not a silver bullet by any means. It doesn't offer any ground-breaking information, I don't think, but even getting some more information in that regard.

It's like you said. When guidance is framed as the NCUA supervisory is and it relies on the credit union to come up with a program that is tailored to the credit union's actual risk profile and how it seeks out vendor relationships, it's nice to have that flexibility. Sometimes, you want specificity, too, like, “How would you look at this particular issue, especially in this digital service area?” It does offer some more information in that regard. We'll see what ultimately gets passed there. That's a proposed rule.

It's not that credit unions want to start looking at proposed rules before they're final, especially when it's from another regulator, but their proposal's 93 pages. NCUA'S guidance is 12 or 14 pages. It’s principle-based. That being said, oftentimes, the other regulators will have more details there. It's good business practice sometimes to review that.

It's okay to say to NCUA, “Your guidance is only sixteen pages, but I went over here and looked at this to see how I could make my program better.” You can do that for commercial loans. You can do it for Bank Secrecy Act. There are all sorts of individual guidance from other regulators that it makes sense to at least glance at to understand and see if there's something you can pick up on to add it to the credit union's arsenal. I learned this from one of the folks that assisted me in what I do. I searched the word technology on their 93-page document. Technology is in their guidance 40 times, that word. You can see that there are a lot of references to that and it relates to the complicated world that credit unions and banks are living in.

I was going to say that you made a good point there, too. As a credit union looking at this type of information, it's certainly in the best practice area. These are regulators that don't regulate credit unions, but we do know that these regulators tend to talk and that they could look for similar things. From the credit union's perspective, it's nice to have an update with regard to what these regulators are looking at. It's certainly something that the NCUA and, at the very least, maybe some state regulators will look at, too. It is helpful from that perspective. It is like you said. It is best practice, but it won't govern how the credit union should be running that show.

There's nothing to say when Chairman Harper at NCUA gets a second democratic vote. I doubt he'll look to regulate this any more than he has to. That being said, his goal is to make sure credit unions are safe and sound as well. If they don't specifically refer or piggyback off the guidance of the other regulators, if it gets finalized, it's highly probable that NCUA will say, “A 2007 letter to credit unions needs to be updated. What can we glean from these 95 pages?” At some point in time, 1 year, 2 years, 3 years, or 4 years, some of those things in that letter will apply to credit unions. It's always a good opportunity to get a running headstart relative to that.

With the letter to credit unions, one thing we haven't talked about is tailored to the credit union's risk and complexity. That's a language that NCUA will put in there. It's very broad, but it can help a small credit union that doesn't have a lot of third-party relationships, and then maybe the ones they have tie specifically to their share and loan, general ledgers, and their trial balances, and that's it.

Their programs need to be much less complicated than Navy Federal Credit Union, for example, which has a plethora of more complexities in every possible way. There's the complexity of the services and then there's the criticality of it. As I'm thinking of that, I can almost see a grid where you've got the columns of the criticality, and then you've got the materiality on the other side. Is that a way to look at this for a particular credit union? When someone approaches you relative to looking at tailoring it to the credit union and the criticality, what kind of advice do you provide them in that regard?

That is a good way to look at it. The baseline has to be what you do for those critical vendors and then make exception as to why the certain level of due diligence isn't required for vendors that are less critical. It's important, too, to think of that definition of criticality to begin with. What does critical mean in this situation? What it really means is any sort of vendor that you rely on that could have a significant financial operational risk to the institution or could have a significant impact on the types of services that you offer to your member. There could be reputational risk involved in this situation, too. That's what I think.

If that vendor goes away, could the credit union be at substantial risk for some sort of adverse situation from a risk perspective from their members or internally from an operational or financial standpoint? That's where I start, defining what these critical vendors are. If you have a landscaper, for instance, and you enter into an agreement with them to perform their services, more likely than not, they're not going to have access to the type of critical information that will bring the credit union down or significantly impact its financial standing.

When it comes from the program standpoint itself, you start again with that baseline of what you do from a critical standpoint. It's like you said. You can have a matrix. You can set it up in any way. It is who's involved in dealing with the different levels of vendors, too. Anything involving a critical vendor should be passed all the way up to the board to review and make sure that they fully understand what the risks are, how to act appropriately, and what the credit union has done to help mitigate that risk. You can't eliminate that risk, but you can help mitigate it. The board might not need to be involved for some of those lower-level vendors, for sure.

WFC 106 | Contract Management
Contract Management: We need to make sure that vendors fully understand the risks, how to act appropriately, and what the credit union has done to help mitigate that risk.

If a vendor does have a lower risk profile or the type of paperwork from a due diligence standpoint, it might not be as stringent for the materials that you need given the risk that you're taking on in the particular relationship. That third pillar of the supervisory guidance, too, revolves around ongoing monitoring. That's another area where you probably don't need to meet the same standards that you do for a critical vendor. It's important that this guidance and any sort of guidance on third parties don't make exceptions for what your regulatory responsibilities are regardless of the vendor. It's the different degrees based on that criticality.

It's a great point that you make that with the critical vendors. There should be a level of board engagement. Board governance is an area that NCUA continues to pay more attention to. When you and I chatted the first time, controlling the narrative of the exam came up and making sure that your facts were put forward. When NCUA can see in the board minutes and board packages that the board is aware of what their critical systems are and how management is mitigating that risk, that gives them comfort that the letter that we're talking about is being complied with and that the credit union is taking it seriously. That's one way to show that.

That's a good point, too. Another thing you had asked about what we do at our firm is sometimes. We review these policies and procedures for credit unions. When you're reviewing them, it is almost like a checklist. You're going to the guidance. You use that. You have an idea of what best practices are, so you're looking for that when you review.

The most important thing, too, is what you were hinting at there. Do you practice what you preach? Do you guys follow this policy? Is the board involved in these decisions? If they're not, I've seen credit unions get cited for that with the fact that they don't follow their policies and procedures even if it's there. On paper, the policy and the program look great, but are you adhering to that policy? That's where credit unions can get in trouble.

There is a classic example from back when I was an examiner. I would say, “I'd rather that you have good commercial loan procedures.” You need both. You need the policy and the procedures. If your policy is fantastic, but you don't follow it and you make a $100 million loan that fails and you didn't follow the policy, that's a bad thing. You've got to have a good policy that shows that you understand it and that you've thought it through. You've got to follow the policy. If there's an exception that comes up that makes you revisit that annual review saying, “Over this last year, there have been three things that have come up and we had to make minor exceptions. As a result, we need to tweak our policy,” that shows good governance and it shows compliance.

WFC 106 | Contract Management
Contract Management: You must have a good policy that shows you understand and think it through. But you should follow the policy.

Our back and forth here keeps bringing up good points in this idea of exceptions. I mentioned earlier that you can never fully eliminate risk in a vendor relationship. You can only mitigate it. We were talking about negotiating contracts. There are some times when the vendor will say, “We're not changing that,” and that comes up, unfortunately, more frequently than not.

You can never eliminate risk in a vendor relationship. You can only mitigate it.

If the credit union is making a decision to go with a vendor that is contrary to its policy, and I thought you brought up a good point there, saying, “That's an exception to your policy. That needs to be recorded. That needs to be included in that vendor's profile.” If it is a critical vendor, which likely probably would be the case, it needs to be reported to the board. When examiners do come in, you can explain.

You mentioned a good point there about controlling that narrative. It is like, “We know that this is an area of risk. We properly assessed it. This is how we're doing our best to mitigate it. We're aware of it. This is in the vendor's profile. It's something that we're continuing to monitor throughout the relationship.” If, for whatever reason, that risk gets elevated, you need to make sure that you have the appropriate means to either amend the agreement or get out of it entirely. That is, if that risk appetite becomes too large for you to remain in that relationship.

I'm looking at it from the former examiner mindset, which is hard for me to get away from sometimes. I can think of some clients where vendor management has been hit. When they brought me in to assist, it wasn't as organized as they could have been. It was to the point it was easy for the examiner to say, “You aren't complying because you can't show me a file of, “Here are our 20 vendors. Here are the 6 that are critical. Here's how we've looked at their financial condition. Here's how we've done our due diligence.” Do you have any advice relative to that side of things, the organizational side, on how to have good third-party and vendor management?

The advice that we always give is you need a plan. You need to start with a plan. You can go 1 of 2 ways. You can have the resources internally to properly execute your program or you need to outsource those responsibilities in a way that you fully understand. If you're using a vendor to help you with due diligence, you need to fully understand that you still have regulatory requirements and that this is an arm of the credit union that's providing your due diligence responsibilities for you.

What the NCUA or any examiner is going to look for is that you have the relative expertise to execute what you have on paper. That's where I would start. For a credit union, you can manage relationships with all types of vendors. If one type of vendor requires special expertise where you think that you need to get more expertise in this area so you're outsourcing that responsibility out, all that needs to be considered internally through some sort of plan at the beginning. That is so you don't run into issues later down the road.

I don't know the answer to this question. Is that something you help your clients with doing or is that something that they can say, “We'd like to outsource to you to help us keep those files and do that due diligence?” The services that you offer to CUSO and credit unions, how does that fit this discussion?

For us, it's more on the advisory side. We don't handle any actual due diligence responsibilities regarding obtaining that type of information from vendors. Where we fit in is with regard to reviewing those policies and procedures. Maybe it's more so highlighting from a high level like, “Can you guys comply with this type of information?” We don't have enough access to the credit union itself to be able to perform those services.

That's what I thought the answer was, but I wasn't sure. Looking at the supervisory risk letter, they break that down into planning, risk assessment, and financial projections. Is there anything on those three topics that you'd like to highlight here?

The biggest thing is combining those two. Even though there are three pillars, there's a lot of overlap between those pillars. From a due diligence standpoint, not only do you need to understand a third party's business model, but you need to verify it. To emphasize the fact that we have been living in some turbulent times, from an economic standpoint, technological standpoint, or regulatory standpoint, you need to have means to verify the resiliency of that vendor's business model.

You need to have a means to verify the resilience of a vendor's business model.

You brought up the Silicon Valley example and its subsidiaries. What is the financial viability of that vendor? Can they deliver on the promises they're making you to provide those services to the credit union directly or to your members? It's one thing to understand that, but you also need the means to verify that accordingly, whether that's through their financial statements or a proper review of their business model to see if there are any additional items that are of concern that pop up in that type of review. It always helps, if the vendor has industry experience, to get what other credit unions' assessment is of that vendor because they have presumably gone through the same process. That's helpful, too. That financial viability is even more important now, probably than it ever has been.

This is a weird analogy, but it fits. You talked about checking with other credit unions, which made me first think of vendor support groups. That is where you're moving into some critical system and that group has 15% to 20% of the market. The guy or the lady down the street who runs a credit union is on it and you trust their skillset. That's a different way to do some of that due diligence.

It reminded me of when I first retired. I had a Class B RV. I had never RV’d before. I'm not mechanical. One of the reasons I chose the RV that I chose, which was a Winnebago Travato, is A) It's the most popular one on the market and B) There was a fabulous Facebook group where you could say, “My generator isn't working. I've got error code Z five.” You can post that on Facebook, and within twenty minutes, one of the people who knew the vehicle backward and forwards would say, “You need to turn the vehicle off and do X, Y, and Z.”

That user group and the feedback I could get from other users was the most valuable thing for me to get into the market. It is having others in the community that understand the system where you can have that user group. There are user groups out there for a lot of vendors that can provide you some synergy with a vendor when someone who only does banks and they don't understand can share the difference between share, deposit, and that sort of thing. That can be huge as far as effort.

You're exactly right. There is something to that notion of the wisdom of the crowds and being able to pull that type of knowledge in any type of decision. That applies to the vendor area, for sure.

WFC 106 | Contract Management
Contract Management: Pull the wisdom of the crowd in any decision. That applies to the vendor area, for sure.

This has been great. Is there a question that I should have asked you that I didn't ask you?

We covered a very wide range. I apologized to you because I felt like I was hopping all over. That was good to give a sense of how this process probably works out at a lot of financial institutions. There is a lot of overlap in these three different pillars and when it comes to having something on paper versus practical use. We covered a good amount. I can't think of anything off the top of my head.

I made you hop around with the way I approach this, but that's how my head usually works. You’ll trigger something that makes me want to go down a rabbit hole. There is a lot of good content here. I appreciate your time. If one of my audience would like to reach out to you, what's the best way for them to get in contact with you?

I thought it was a great conversation as well. When you do hop around like that, it's a very engaging conversation. I know I appreciate it on my end, too. I appreciate that. To reach me, you can go to our website. It's We've been adding a lot more resources to our LinkedIn page. It's Messick Lauer & Smith P.C. You can certainly go there to reach out to us as well. You did mention we have a burgeoning podcast of our own called In the CU. We have a mailbag if anybody wants to hear any topics on our end. That covers a lot of credit union and CUSO topics as well. You can find me in all those areas for sure.

That's great. Thanks so much for your time.

Thank you. It's a great conversation.

To the audience, I want to thank you for tuning in to another episode of the show.

Important Links


bottom of page