Finance AI
June 16, 2026

You Can't Outsource the Risk: A Credit Union Lawyer on AI Vendor Deals

Michael Heller, Associate Attorney at Messick Lauer & Smith, on credit union vendor management, what breaks fintech partnerships before they start, and the two things every institution should focus on when AI deals get complicated.
Bareerah Shoukat
Writer

This is a summary of an episode of Main Street AI, an educational podcast on AI led by our founder.

TL;DR:

  • Messick Lauer & Smith advises credit unions and CUSOs on vendor contracts, due diligence, and tech deals in regulated financial services
  • Most deals go wrong not at signing but six to twelve months in, when ambiguity about party responsibilities surfaces
  • The two things that matter most when negotiating: exit strategy and day-to-day milestone clarity
  • Credit unions cannot outsource regulatory risk to a vendor: the NCUA expects the institution to own it
  • AI deals introduce unique complexity around SLAs, change events, model risk, and fourth-party exposure that traditional vendor frameworks were not built for
  • A robust risk management framework is the foundation everything else hangs on

Full episode: Ankur Patel interviews Michael Heller, Associate Attorney at Messick Lauer & Smith.

When Credit Unions and Fintechs Sit Down to Do a Deal

Michael Heller has spent his career at the intersection of financial services regulation and technology vendor contracts. At Messick Lauer & Smith, a Philadelphia-area firm whose practice is built around advising credit unions and credit union service organizations, he handles the vendor side of that work: contracts, due diligence, and the legal middle of getting AI deals done without breaking the regulatory picture.

The firm represents both sides: credit unions on the institution side and CUSOs on the service organization side. That dual perspective is rare, and it shapes how Michael sees where deals succeed and where they fail.

"I think each party might have mismatched expectations or incentives to enter the deal. What that boils down to is a lack of a shared vision."

On the credit union side, the gap is usually a limited understanding of the fintech's business model, how it operates, and what it expects from the relationship. On the fintech side, the mirror image applies: an underestimation of the regulatory environment credit unions actually live in, and unrealistic expectations about what institutions are permitted to do.

"You can hold up a mirror on the fintech side and make much of the same argument. What I've seen with fintechs is a lack of understanding about the regulatory environment they're really stepping into."

Most Deals Break Six Months After Signing

The failure point is rarely the negotiation itself. It is what happens after the agreement is executed.

"There is this honeymoon period. And you don't want to be the person in the room, but unfortunately somebody has to be that person that points out, hey, this looks like a great marriage, but what about the divorce?"

The seeds of those later disputes are usually sown in the contract language itself. Ambiguity about who is responsible for what, unclear operational controls, no measurable milestones, and no defined escalation path when things go sideways.

"When the intent of the parties is ambiguous, usually one party just kind of steps in to fill that gap. And that can ultimately lead to issues down the line: delays in service deliverables, breach, compliance issues, legal risk."

The AI vendor due diligence problem is now materially harder than it was in the traditional software era. AI vendors are not delivering static software. They are performing variable, configured work that changes with the credit union's needs, the model's behavior, and the regulatory landscape. SLAs that made sense at signing can become unworkable when the institution's volume shifts. Pricing structures negotiated around average costs can break when the deployment scales. And the line between software company and services company has blurred in ways that most standard contract templates were not built to handle.

"A lot can change between today and next year. A lot has changed between today and last year. So maximizing flexibility, having a robust change management process, is really important and essential to continue the longevity of the deal."

The Two Things That Actually Matter in Negotiation

Michael's framework for credit unions navigating a high volume of vendor deals is deliberately narrow. Most institutions cannot move every contract point. So where should they concentrate?

"First and foremost, I want to know how I can get out of this agreement with relative minimal financial loss. I want to make sure I have an alternative available."

Exit strategy is the first priority. Whether that means transitioning to another vendor or bringing the capability in-house, every credit union should know the answer to that question before signing. The institutions that get into trouble are the ones that moved existing staff off the manual process, deployed the AI vendor, and then had no one who understood the workflow when the technology broke.

The second priority is day-to-day milestone clarity.

"You might not be able to change indemnification, you might not be able to change limitation on liability. But you should be able to both come together and coordinate what the work processes look like."

Milestone frameworks, mutual expectations documented in plain language, and a shared definition of who is responsible for what at each stage. These are the contract elements that determine whether a deal compounds or corrodes over time. They are also often the elements most neglected in the rush to close.

You Cannot Outsource the Regulatory Risk

The most important regulatory principle in this episode is also the one most frequently misunderstood in credit union AI compliance: the NCUA expects credit unions to own the risk of any product or service they offer, regardless of which vendor provides it.

"Although you may utilize a vendor to provide a certain product or service, you can't outsource the risk. The regulatory expectation is that even if you use a third party, you're still on the hook for that at the end of the day."

The NCUA's 2025 AI compliance plan, which governs the agency's own use of AI, calls for a centralized AI use-case inventory and layered governance councils. It is not a rule binding on credit unions, but it is a fair indication of what examiners treat as baseline governance. When a regulator examines a credit union after an incident, the first question is when the institution received adequate information about the problem. The second is why that information was not acted on. The vendor is not the answer to either question.

According to Pacific AI's 2025 Governance Survey, 75% of organizations have AI usage policies, but only 36% have adopted a formal governance framework. That gap, between having a policy on paper and having a framework that actually governs day-to-day AI decisions, is precisely where regulatory exposure concentrates.

"A credit union can come back to the regulator and say, hey, but my vendor. The issue is that the expectation from the regulatory side is that the credit union is in the position to actually negotiate these things and deal with any risks inherent in offering that product or service."

How Smaller Credit Unions Should Think About This

Smaller institutions face a compounded version of the same problem: less leverage in negotiations, fewer internal resources to manage vendor relationships, and the same regulatory expectation as their larger peers.

Michael's recommendation is not to copy what large credit unions are doing. It is to shut out the noise and size the risk appropriately.

"It is important to shut out the noise and the hype and to really realistically get insight as to what you can either pay for or what you can afford to onboard from a technological side."

The CUSO model offers one structural answer. By pooling resources across multiple smaller credit unions through a credit union service organization, smaller institutions gain access to technology relationships and negotiating weight that would be unavailable to them individually. Third-party vendors who specialize in automation and AI can also provide a practical path, provided they fit within the institution's vendor risk management framework.

The same exit strategy and milestone clarity framework applies at every size. Examiners scale their expectations to the size and complexity of the institution, but the expectation that a risk management framework exists does not go away at any size.

How This Works in Practice

Multimodal builds purpose-built AI agents for credit unions on Jack Henry, Fiserv, nCino and Symitar. Every deployment is designed with the regulatory expectation Michael describes in mind: human in the loop at decision points, full audit trail from the first transaction, and configuration that fits within the institution's existing vendor risk management framework rather than around it.

"The credit union will most likely be on the hook in the event anything goes wrong with the model itself. You have to have the right frameworks internally to manage and mitigate risk."
— Michael Heller, Messick Lauer & Smith

If your institution is evaluating where AI fits in its lending or operations workflow, the platform comparison is a practical starting point.


Frequently Asked Questions

1. What is credit union vendor management for AI?

The process of evaluating, contracting, monitoring, and exiting AI vendor relationships in a way that keeps the credit union compliant with NCUA expectations. Because credit unions cannot outsource regulatory risk, vendor management for AI requires a more robust internal framework than traditional software procurement, including audit rights, change management clauses, and documented exit paths.

2. What goes wrong in credit union fintech partnerships?

Most failures trace back to ambiguity about party responsibilities, not the initial negotiation. When the intent of the contract is unclear, one party fills the gap unilaterally. That leads to disputes over service deliverables, SLAs, and ultimately legal and compliance exposure. The fix is milestone clarity and documented escalation paths built into the agreement from the start.

3. Can a credit union outsource AI risk to a vendor?

No. The NCUA's regulatory expectation is that the credit union owns the risk of any product or service it offers to members, regardless of which vendor provides it. When something goes wrong with an AI model, the regulator's questions are directed at the institution: when did you receive adequate information, and what did you do about it?

4. What should credit unions prioritize when negotiating AI vendor contracts?

Two things above everything else: exit strategy and day-to-day milestone clarity. Know how you can exit the relationship with minimal financial loss before you sign. Then document exactly who is responsible for what at each stage of the relationship. Indemnification and liability caps are harder to move. Milestone frameworks are more negotiable and more predictive of whether the deal actually works.

5. How should small credit unions approach AI vendor deals?

Size the risk appropriately rather than copying what large institutions are doing. The CUSO model lets smaller credit unions pool resources and gain negotiating leverage through a shared service organization. Third-party AI vendors focused on automation can also provide a practical path, provided they fit the institution's existing vendor risk management framework. The exit strategy and milestone clarity principles apply at every size.

6. What does good AI governance look like at a credit union?

A robust risk management framework that does not carve AI out as a special case, but addresses the unique issues AI presents around model risk, fourth-party exposure, fair lending, and output detection. According to Pacific AI's 2025 Governance Survey, 75% of organizations have AI usage policies but only 36% have a formal governance framework. The gap between policy and framework is where regulatory exposure lives.
