• Source:

Treliant Takeaway:

Treliant knows third-party risk management. If you need assistance with enhancing your third-party oversight or preparing for your next examination, Treliant can help.

Article Highlights:

The National Credit Union Administration (NCUA) Office of Inspector General (OIG) has completed an audit of the NCUA’s Examination and Oversight Authority over Credit Union Service Organizations (CUSOs) and Vendors. As a result of the audit, the OIG determined that the NCUA needs additional statutory regulatory enforcement authority to supervise CUSOs and significant vendors whose actions may expose federal credit unions to significant risk.

As noted in a recent Treliant article, concentration in financial institution reliance on third-party service providers is a source of systemic risk. The OIG also identified significant concentration in credit union use of CUSOs and other vendors:

  • Five core processor vendors service approximately 85 percent of credit union data.
  • Five technology service providers serve over half of all credit unions. These credit unions account for 75 percent of total credit union assets.
  • Between 2008 and 2015, a single CUSO caused losses in 24 credit unions.

Unlike the federal banking regulators, the NCUA does not have the direct statutory authority to examine and regulate CUSOs or other significant credit union vendors.  Because of this limitation, the NCUA is limited in capability to address third-party risk. Although the NCUA conducted voluntary vendor examinations after its statutory authority expired in 2001, it has not conducted a vendor examination since 2013.

The agency has taken steps to manage CUSO risk by placing restrictions on credit unions’ use of CUSOs.  First, the NCUA has limited credit union loans to CUSOs to 1 percent of the  paid-in and unimpaired capital and surplus of the credit union. Investments in CUSOs have a similar limit.

Second, federal credit unions may only lend to, or invest in, CUSOs engaged in activities from a pre-approved list. To offer services beyond the pre-approved list, CUSOs must obtain permission from the NCUA Board.

Third, the NCUA requires credit unions written agreements with CUSOs to include provision of operational and financial information to the NCUA CUSO Registry and NCUA access to the CUSO’s books, records, and internal controls. This requirement permits the NCUA to conduct reviews of CUSOs, either on a standalone basis or as part of a credit union examination. However, the NCUA lacks authority to mandate corrective actions to mitigate issues identified during CUSO reviews.

The OIG concluded that the NCUA needs statutory examination and enforcement authority over CUSOs and vendors, similar to the authority held by the federal banking regulators. The Financial Stability Oversight Council and the Government Accountability Office have made similar recommendations in past audits and annual reports, especially with respect to cybersecurity.

In the absence of NCUA statutory authority over vendors and CUSOs, it is critically important for credit unions to implement robust third-party risk management practices to adequately identify and manage risks associated with third-party processing. If you need assistance in developing a third-party risk management program or assessing your third-party risk, Treliant can help.