Member Contract Due Diligence

The Federal Financial Institutions Examinations Council (FFIEC) issued guidance for financial institutions to use when performing vendor due diligence. Each of the topics from FFIEC’s checklist is provided with associated links for additional information.

Asterisked items require access to the Contract Dashboard section in Premier View. Click here to log in and select Contract Management.

Click on a section to expand.

Contracts*

Alloya provides contracts for its products and services. Members physically sign a Master Membership Contract (MMC), in which they agree to the terms of the Master Membership Agreement (MMA). The MMA contains most of the basic terms for all agreements. Members may also agree to Product Operating Agreements (POAs) for desired products. The MMA and POAs are accepted electronically in Premier View and all agreements are stored and available in Premier View.

*Requires access to Premier View. Click here to log in.

Scope of Service*

The Scope of Services is contained in the MMA, MMC, and as applicable in the various POAs.

*Requires access to Premier View. Click here to log in.

Performance Standards*

Performance Standards are contained in the MMA and Alloya also publishes Service Level Standards on its Due Diligence Site.

*Requires access to Premier View. Click here to log in.

Security and Confidentiality*

Security and Confidentiality are addressed in the MMA, Sections X, XVII, XIX.2, and XX and as applicable in the various POAs. Alloya also publishes information on this on its Due Diligence Site.

*Requires access to Premier View. Click here to log in.

Controls*

Controls are addressed in the MMA and as needed in the various POAs. Alloya also publishes its Service Standards on its Due Diligence Center. Specific items include:

 *Requires access to Premier View.

Audits

Alloya is required by Regulation to have an annual CPA audit. It publishes its audited financial statements, including attestation to its internal control environment at least annually. Monthly unaudited financial statements are also provided. Alloya provides monthly and annual reporting, including financial data, per regulation. NCUA subsequently makes this information available publicly on their website.

Reports

Please see the MMA and applicable POAs for reporting. Alloya is required by Regulation to have an annual CPA audit. It publishes its audited financial statements, including attestation to its internal control environment at least annually. Monthly unaudited financial statements are also provided. Alloya also files monthly call reports with NCUA that are available on NCUA’s website. Alloya also publishes its Service Level Standards and information on its Business Continuity Planning.

Business Continuity Planning (BCP)

Business Continuity is addressed as applicable in specific POAs. Further, like its members, Alloya must adhere to the same regulatory requirements for BCP including developing and testing BCP plans. Alloya provides an overview of its BCP program and its Recovery Time Objectives (RTOs) by system.

Sub-contractors

Part of the Alloya business model is to partner with third party providers for selected products and services. Alloya’s MMA and POAs are designed such that contractual liability for offering products and services, as well as safeguarding information is maintained between the member and Alloya. In turn, Alloya negotiates contracts with third-parties with similar safeguards and contractual liabilities. In general, should there be an issue a third-party provider, the contractual liability is Alloya’s as the member would look to Alloya. To manage this risk, Alloya has an extensive Vendor Management Program (VMP) that follows this FFIEC guidance as well as other best practices. Additional information is provided on the Due Diligence site.

Costs

Alloya’s MMC, Section IV.2 and selected POAs address pricing. Alloya publishes its fee schedule to members on a periodic basis and at least annually. Alloya may changes prices with 60-days notice. Members also can terminate any POA or the MMA with 60-days notice.

Ownership and License

In applicable cases, Alloya licenses software from other providers and in turn re-licenses it to its members under a separate agreement with the vendor. Allowable use is contained in the MMA, Section XIX and POAs as applicable. Alloya provides information on Intellectual Property on its Due Diligence site.

Duration

Alloya’s contract generally do not have any durations and any can be terminated with 60-days notice for any reason.

Dispute Resolution

Alloya’s contracts do not contain a process for dispute resolutions, for example the use of arbitration. Alloya’s Due Diligence site contains the rationale for this.

Indemnification*

Please see MMA, Section V and POAs as applicable.

*Requires access to Premier View. Click here to log in.

Limitation of Liability*

Please see MMA, Section V and POAs as applicable.

*Requires access to Premier View. Click here to log in.

Termination*

Alloya has taken the unique stance of having its member contracts have no term and a 60-day termination clause for any reason or no reason. We believe this helps ensure we meet and exceed members’ expectations each day. Please see MMC, Section III.

*Requires access to Premier View. Click here to log in.

Assignment*

Alloya may assign contracts with reasonable notice and members may assign contracts with Alloya’s written permission, which shall not be unreasonably withheld. See MMA, Section VIII.

*Requires access to Premier View. Click here to log in.

Foreign-Based Service Providers

Alloya does not use any foreign-based service providers.

Regulatory Compliance

Alloya complies with all applicable rules, regulations, and laws. As a Federal Credit Union, Alloya compliance with these is regularly tested by its Regulator, NCUA, as well as by various internal and external audits. See MMA, Section XXI.

*Requires access to Premier View. Click here to log in.