An Aug. 5 letter penned by Mary Dunn, CUNA senior vice president and deputy general counsel, to NCUA General Counsel Michael McKenna, expressed some concerns about the proposed CUSO rule.

"A new broad rule regarding CUSOs should not be driven by problems a few credit unions have encountered with their CUSOs, particularly when the vast majority of CUSOs are operated in a safe and sound manner, providing much needed services to credit unions and their members," Dunn said.

Smith offered what she described as a worst case scenario of how a small error by a vendor can cause significant legal issues for a credit union.

A credit union discovers, by way of an examination, that due to a programming error, its vendor had disclosed an understated annual percentage rate on its credit card product for a period of one year, Smith said. As an administrative sanction, the regulator ordered the credit union to reimburse the difference between the disclosed APR and the APR actually charged to members.

"Subsequently, the credit union receives notice that it is being sued in a class action lawsuit for violations of the Truth in Lending Act and other assorted consumer protection laws where it may be subject to punitive damages," Smith said.

In this hypothetical scenario, the credit union has to expend time and money defending the case, Smith said. Finally, the credit union must seek indemnification from the vendor through a litigious process, subject to any limitation that may be set forth in the contract.

"Although the credit union may have recourse for monetary damages, one thing the credit union cannot seek to recoup from the vendor is the harm suffered to its reputation," Smith said.

Credit unions engage third-party vendors for a variety of reasons, Smith said. Some bring expertise to the table that allows the credit union to offer products and services to its members that it would not otherwise be able to offer. Other vendors provide products and services in a manner that is more cost effective.

"These vendors play a valuable role in the credit union's business and ability to serve its members; however, although the service may be outsourced, the responsibility and legal liability for regulatory compliance is ultimately the responsibility of the credit union," Smith said.

One such example of comes under the Truth in Lending Act and Regulation Z, where in general, it is the party extending the credit to the consumer that will be held liable for violations, not the party that actually prepared or distributed the disclosures, Smith noted.

While a properly negotiated contract may provide the credit union with some recourse in the event the vendor violates a law or regulation, Smith said that will not change the fact that the credit union is also in violation of the law or regulation, and will be exposed to potential administrative liability and sanctions as well as civil penalties.

Smith also said turnkey products may be appealing due to convenience, but credit unions must nonetheless ensure compliance.

"Before the vendor even begins to provide products and services, the credit union should become familiar with the products or services and the applicable laws and regulations," she said. "Inquiry should be made during the due diligence process to confirm compliance with these laws and regulations."

Smith advised credit unions to designate a person within the credit union to manage third-party vendor relationships and to stay aware of changing regulations. Frequent internal audits also serve to catch violations early and minimize potential damages, she suggested.