Thank you for sharing!

Your article was successfully shared with the contacts you provided.

ALEXANDRIA, Va.-In its last permitted review of credit union vendors, NCUA found several flaws with vendor services security and risk management procedures. NCUA’s authority to review vendors sunset at the end of last year under the Examination Parity and Year 2000 Readiness for Financial Institutions Act of 1998, while all other federal banking regulators may perform these reviews indefinitely. NCUA’s Letter to Credit Unions (02-CU-13) regarding the reviews emphasized, “NCUA’s vendor report does not alleviate your responsibility to oversee and manage your vendor outsourcing arrangements (NCUA’s emphasis).” NCUA conducted vendor information systems and technology reviews on Apex Data Systems, Inc. of Indianapolis, Ind.; Computer Marketing Corp. of Salt Lake City; Computer Consultants Corp. of Salt Lake City; CU Solutions, Inc. of Fort Mill, S.C.; EPL, Inc. of Birmingham, Alabama; FedComp, Inc. of Fairfax, Va.; Liberty Enterprises, Inc. of Roseville, Minn.; Share One, Inc. of Memphis; SOSystems, Inc. of Orem, Utah; and Western New York Computing Systems, Inc. of Penfield, N.Y. “Overall, the vendors reviewed were committed to the goal of providing quality services and products to their customers,” NCUA wrote in the letter. “The vendors were also receptive to recommendations and suggestions and, when practical, implemented recommended changes prior to completion of the review.” Special Assistant to NCUA Chairman Nick Owens stressed that none of the problems were very significant. Of the vendors reviewed: * eight vendors either lacked an enterprise-wide risk assessment process or the process did not encompass all operational areas; * eight vendors needed to develop or improve policies and/or procedures regarding the protection of information stored on, or transmitted through, their systems; * all vendors needed to develop or update policies to reflect current operations; * all vendors needed to enhance their disaster recovery plan testing procedures and controls; and * six vendors lacked a formal and detailed incident response plan and/or needed to improve them; * eight vendors needed to improve their ability to detect an intrusion or other incident; * six vendors needed to revise their service level contracts with credit union customers to cover rights and responsibilities for the Internet commerce product. * six vendors needed to improve session management controls to enhance security and privacy; * five vendors needed to improve the application’s member privacy controls; and * seven vendors did not have audited financial statements. Other weaknesses in vendor programs are available in an appendix to the letter. “It is noteworthy that the impact and associated risks of those weaknesses tended to vary from vendor to vendor due to each vendor’s unique operational environment (technical, managerial, financial, etc.),” the agency pointed out. NCUA’s official position, as decided by the Norm D’Amours-Yolanda Wheat-Dennis Dollar-board, on its ability to oversee vendors is to seek out opportunities legislatively for the agency to be able to review information systems, technology services, and data processing vendors. So far nothing has presented itself, according to NCUA Public and Congressional Affairs Director Cliff Northup. The Parity Law was originally passed because of concerns due to the millennium date change. [email protected]

Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.

Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:

  • Critical CUTimes.com information including comprehensive product and service provider listings via the Marketplace Directory, CU Careers, resources from industry leaders, webcasts, and breaking news, analysis and more with our informative Newsletters.
  • Exclusive discounts on ALM and CU Times events.
  • Access to other award-winning ALM websites including Law.com and GlobeSt.com.

Already have an account?


Credit Union Times

Join Credit Union Times

Don’t miss crucial strategic and tactical information necessary to run your institution and better serve your members. Join Credit Union Times now!

  • Free unlimited access to Credit Union Times' trusted and independent team of experts for extensive industry news, conference coverage, people features, statistical analysis, and regulation and technology updates.
  • Exclusive discounts on ALM and Credit Union Times events.
  • Access to other award-winning ALM websites including TreasuryandRisk.com and Law.com.

Already have an account? Sign In Now
Join Credit Union Times
Live Chat

Copyright © 2022 ALM Media Properties, LLC. All Rights Reserved.