ALEXANDRIA, Va. - In its last permitted review of credit union vendors, NCUA found several flaws with vendor services security and risk management procedures. NCUA's authority to review vendors sunset at the end of last year under the Examination Parity and Year 2000 Readiness for Financial Institutions Act of 1998, while all other federal banking regulators may perform these reviews indefinitely.

NCUA's Letter to Credit Unions (02-CU-13) regarding the reviews emphasized, "NCUA's vendor report does not alleviate your responsibility to oversee and manage your vendor outsourcing arrangements (NCUA's emphasis)."

NCUA conducted vendor information systems and technology reviews on Apex Data Systems, Inc. of Indianapolis, Ind.; Computer Marketing Corp. of Salt Lake City; Computer Consultants Corp. of Salt Lake City; CU Solutions, Inc. of Fort Mill, S.C.; EPL, Inc. of Birmingham, Alabama; FedComp, Inc. of Fairfax, Va.; Liberty Enterprises, Inc. of Roseville, Minn.; Share One, Inc. of Memphis; SOSystems, Inc. of Orem, Utah; and Western New York Computing Systems, Inc. of Penfield, N.Y.

"Overall, the vendors reviewed were committed to the goal of providing quality services and products to their customers," NCUA wrote in the letter. "The vendors were also receptive to recommendations and suggestions and, when practical, implemented recommended changes prior to completion of the review."

Special Assistant to NCUA Chairman Nick Owens stressed that none of the problems were very significant.
Of the vendors reviewed:

* eight vendors either lacked an enterprise-wide risk assessment process or the process did not encompass all operational areas;
* eight vendors needed to develop or improve policies and/or procedures regarding the protection of information stored on, or transmitted through, their systems;
* all vendors needed to develop or update policies to reflect current operations;
* all vendors needed to enhance their disaster recovery plan testing procedures and controls; and
* six vendors lacked a formal and detailed incident response plan and/or needed to improve them;
* eight vendors needed to improve their ability to detect an intrusion or other incident;
* six vendors needed to revise their service level contracts with credit union customers to cover rights and responsibilities for the Internet commerce product.
* six vendors needed to improve session management controls to enhance security and privacy;
* five vendors needed to improve the application's member privacy controls; and
* seven vendors did not have audited financial statements.

Other weaknesses in vendor programs are available in an appendix to the letter. "It is noteworthy that the impact and associated risks of those weaknesses tended to vary from vendor to vendor due to each vendor's unique operational environment (technical, managerial, financial, etc.)," the agency pointed out.

NCUA's official position, as decided by the Norm D'Amours-Yolanda Wheat-Dennis Dollar board, on its ability to oversee vendors is to seek out opportunities legislatively for the agency to be able to review information systems, technology services, and data processing vendors. So far nothing has presented itself, according to NCUA Public and Congressional Affairs Director Cliff Northup. The Parity Law was originally passed because of concerns due to the millennium date change.
