Friday, July 3, 2015

Third-Party Technology Service Providers, Credit Unions and NCUA Oversight

The Government Accountability Office (GAO) in a July 2 report recommended that Congress consider granting the National Credit Union Administration (NCUA) the authority to examine the third-party technology service providers that serve credit unions.

According to the report, credit unions and banks are making extensive use of technology service providers that supply them with IT processing, management, and security. The report notes that the "ability to contract for IT services typically enables an institution to offer customers enhanced services and use infrastructure comparable to that of larger institutions without the expenses involved in owning the technology or maintaining staff to deploy and operate it."

However, when credit unions rely on third-party providers, they expose themselves to operational and reputational risk if they do not manage those relationships appropriately. Smaller institutions in particular may struggle to manage their providers because they lack the contractual leverage to obtain the information they need to judge whether a provider is performing adequately.

GAO further points out that "unlike the bank regulators, NCUA lacks authority to examine third-party service providers, such as technology service providers, on which credit unions often rely to perform critical functions."

NCUA told GAO that it has sought the congressional authority to examine third-party technology providers for a decade, but has so far been unsuccessful. The report highlights that credit union trade associations and organizations that provide third-party services to credit unions have opposed granting NCUA examination authority over third-party providers saying that giving NCUA examination authority is an unnecessary intrusion into these entities’ operations.

To compensate for its inability to examine these providers, NCUA told GAO it uses other means to monitor and reduce the risks that technology service providers pose to credit unions, including asking providers to submit to voluntary examinations. But the report notes that some providers that serve credit unions exclusively have refused NCUA's requests for voluntary examination.

Unfortunately, without supervisory authority over these providers, NCUA cannot compel corrective action. It can only make recommendations and present its findings to the credit unions that use those providers.

This means that deficiencies in third-party service providers’ operations can quickly become deficiencies that produce financial and other harm at credit unions.

GAO concludes that to enable NCUA to effectively monitor the safety and soundness of credit unions, the agency should be granted the authority to examine third-party service providers.


  1. From the report: OCC (regulates 1,500 banks) has 100 dedicated IT specialists; FDIC (4,000 banks) has 60 premium IT examiners, 32 IT examination analysts, and more than 100 subject-matter experts; and NCUA (6,200 credit unions) has 16 IT specialists and 40 to 50 IT subject-matter examiners. Not only is NCUA woefully unprepared, they don’t know if they have 40 or 50 subject-matter experts. They are too far behind to catch up. If you’re taking comfort in the fact that NCUA is regulating smaller institutions than OCC & FDIC, think about this from the report: “…criminals target smaller institutions because the expected payoff is greater relative to larger institutions whose systems are generally more sophisticated and harder to compromise.”

  2. Based on the CUSO rules, one would assume NCUA had vendor examination authority. Are their requirements for CUSO reporting voluntary?

  3. NCUA is too far behind and cannot, and cannot be expected to, catch up.
    Thousands (?) of credit unions are too small to afford being compliant and secure...and perhaps their vendors also.
    Trade associations are in the way and wrong-headed about third-party oversight.
    FDIC can but NCUA can't?
    Trade associations being consistent thinking only of themselves.
    This is a nightmare waiting to occur.

  4. Let's see.
    FDIC and OCC have many more specialists and the same number of combined units.
    Wells Fargo reportedly doubling IT protection expenditure and many spending a lot more.
    Attackers according to the report prefer littler more vulnerable FIs.
    Tick, tock.




Comments appearing in response to articles appearing on this site do not necessarily reflect the views of the ABA. ABA makes no representations regarding the truth or accuracy of commentary or opinions that may be posted in response to the articles that appear on this website.
