The Office of the Inspector General (IG) for the National Credit Union Administration (NCUA) stated in its latest semiannual report to Congress that it is conducting an audit of the agency’s examination processes for assessing third-party risks.
The IG audit sought to determine NCUA examiners’ ability to identify risks posed by credit union service organizations (CUSOs) and other non-CUSO third-party vendors, as well as deficiencies in third-party oversight at individual institutions.
Notably, NCUA is the only federal prudential financial agency that lacks examination authority over third-party vendors used by the entities it supervises. That lack of statutory and regulatory third-party oversight authority presents NCUA with unique challenges in mitigating potential risk associated with CUSO and non-CUSO vendors.
To address that fact, a discussion draft of legislation, dubbed the Bank Service Company Act (BSCA), was introduced in October to grant third-party oversight authority to NCUA as well as the Federal Housing Finance Agency.
The IG report notes that NCUA’s Office of Examination and Insurance is responsible for evaluating and reviewing federally-insured credit unions’ third-party relationships with CUSOs, and other (non-CUSO) third-party vendors, which credit unions utilize to expand service offerings, increase efficiencies and manage processes and programs.
“These relationships pose various potential risks to credit unions, as they must relinquish a certain level of control over products and services to the third-party vendor as an inherent part of the relationship,” the report states. “The potential for vendor systemic risk is significant given the interconnectedness of the credit union industry and credit unions’ common use of vendors and CUSOs for services.”
The NCUA has issued guidance regarding the due diligence credit unions should apply to third-party vendors, the report notes. Additionally, when NCUA deems a CUSO may pose an undue risk to the Share Insurance Fund, the agency performs a consensual review with CUSO management.
There have been multiple indications from NCUA over the past year that the agency has become increasingly concerned with identifying risks posed by third-party vendors.
Although vendor management was not among NCUA’s stated list of 2019 supervisory priorities, Elizabeth Young LaBerge, senior regulatory compliance counsel for the National Association of Federally-Insured Credit Unions (NAFCU), wrote in an April blog post that “a handful of credit unions have reported that NCUA examiners are paying special attention to vendor management and outsourcing processes.”
“NCUA indicated it would focus on the ‘oversight of service provider arrangements to ensure credit unions implement effective risk-based supply chain management,’ ” Young LaBerge wrote. “While some credit unions have reported that examiners are paying specific attention to IT vendors, it appears that other vendor arrangements may also be getting extra scrutiny.”
She noted that NCUA’s Letter to Credit Unions 2007-13 and its Supervisory Letter 07-01 currently serve as the main source of vendor management guidance for credit unions.
In Letter 07-01, NCUA sets out three major concepts that should be addressed in evaluating third-party arrangements: risk assessment and planning; due diligence; and risk measurement, monitoring and control.
“Third-party relationships can be invaluable to credit unions and credit union members,” the letter states. “Properly managed third-party relationships can allow credit unions to accomplish strategic objectives through increased member service, competitiveness, and economies of scale. However, outsourcing critical business functions increases the risk inherent in those functions. Credit unions are responsible for safeguarding member assets and ensuring sound operations, irrespective of whether or not a third party is involved. Smaller or less complex credit unions may have to develop alternative methods of accomplishing due diligence. Examiners should ensure credit unions adequately address risk assessment, planning, due diligence, risk measurement, risk monitoring, and controls when involved in third-party relationships.”
In the past, NCUA has identified due diligence and, in particular, contract issues and legal review as a potential problem area for some credit unions.
If adopted, the BSCA would require any depository institution to notify its respective prudential regulator, in writing, of contracts or relationships with service providers that provide certain services. Services covered by the act include check and deposit sorting and posting, computation and posting of interest, preparation and mailing of checks or statements, as well as other clerical, bookkeeping, accounting, statistical or similar functions.
Additionally, federal agencies have interpreted the notification requirement of the act to include third parties that offer data processing, Internet banking and mobile banking services. The legislation also would subject service providers to regulation and examination by the federal banking agencies to the same extent as if the services were being performed by a supervised entity.