Rumor Has It: NCUA Digging Deeper on Vendor Management
Written by Elizabeth M. Young LaBerge, Senior Regulatory Compliance Counsel, NAFCU
A handful of credit unions have reported that NCUA examiners are paying special attention to vendor management and outsourcing processes. While vendor management in general was not included as a 2019 supervisory priority for NCUA, it was referred to with regard to information systems and assurance. NCUA indicated it would focus on the “oversight of service provider arrangements to ensure credit unions implement effective risk-based supply chain management.” While some credit unions have reported that examiners are paying specific attention to IT vendors, it appears that other vendor arrangements may also be getting extra scrutiny.
NCUA’s Letter to Credit Unions 2007-13 and its enclosed Supervisory Letter 07-01 are the primary source of vendor management guidance for credit unions. In that letter, NCUA sets out three major concepts that should be addressed in evaluating third party arrangements: Risk Assessment and Planning; Due Diligence; and Risk Measurement, Monitoring and Control. In the past, NCUA has identified due diligence and, in particular, contract issues and legal review as a potential problem area for some credit unions.
NCUA expects that credit unions will negotiate their agreements to reflect the credit union’s needs and arrangements, rather than simply accept every contract as written. It also requires that a qualified attorney, whether in-house or outside counsel, should thoroughly review vendor agreements. A legal review ensures that any provisions needed to protect the credit union are included -- and that any provisions that might harm the credit union’s position, such as one limiting the vendor’s liability or the credit union’s enforcement rights-- are fully and completely understood and considered by the credit union before the agreement is entered into. NCUA also indicates it may be prudent for credit unions to obtain a legal opinion from counsel about any services provided by a third party to ensure that the practices and services provided by the vendor meet any legal or regulatory requirements.
Apparently the FDIC has also been looking at vendor management issues, particularly with respect to whether financial institutions have done their due diligence with respect to the vendor’s business continuity planning and incident response planning. NCUA expects that credit unions will address data security, member confidentiality, and business resumption or contingency planning in its agreements with vendors. These requirements are also explicitly stated in the FFIEC’s booklet on Outsourcing Technology Services.
Regarding business resumption and contingency plans, the FFIEC’s booklet indicates that vendor agreements should address the responsibilities of the vendor and not include any provisions excusing the vendor from implementing its contingency plans. Contractual provisions should include the service provider’s responsibility for backup and records protection, timeframes for recovery that will meet the credit union’s requirements, appropriate equipment, key program and data files, and maintenance and testing of plans. Credit unions should expect to receive copies of business continuity plans and copies of the results of regular testing of those plans.
The booklet also states that contracts with vendors should require immediate, full disclosure of any security breaches resulting in unauthorized intrusions that may materially affect the credit union or its customers, the effect of that breach and the corrective action to respond to the intrusion.
NAFCU member credit unions looking for more resources on vendor management might consult this Compliance Monitor article, “Resources for Constructing a Safe and Sound Vendor Management Program,” for more detail about NCUA’s expectations. With regard to information technology vendors, the FFIEC’s Outsourcing Technology Services booklet is a wealth of material. If you hear anything else in the rumor mill, make sure to loop in the NAFCU Regulatory Compliance Team.