What NCUA Requires for Vendor Risk Management at Credit Unions

The NCUA — National Credit Union Administration — regulates federally insured credit unions and has published guidance on third-party vendor risk that mirrors the OCC and FDIC's interagency guidance for banks. NCUA Supervisory Letter 07-01 and subsequent guidance letters require credit unions to manage risks from all third-party vendor relationships throughout the lifecycle of the relationship, with monitoring frequency commensurate with the risk level of each vendor.

What NCUA Examiners Look For

NCUA examination procedures for third-party risk management focus on whether the credit union has identified all significant third-party relationships, whether each relationship has been assessed for risk, whether contracts include adequate risk provisions, and — most commonly cited as a deficiency — whether ongoing monitoring is actually occurring and documented. NCUA examiners specifically look for evidence of regular monitoring activities, not just policy statements describing what monitoring should occur.

Credit Union-Specific Vendor Risk Considerations

Credit unions face the same vendor risk landscape as community banks: core processing systems, digital banking platforms, payment networks, IT managed services, and financial technology partners. Many credit unions with $500 million to $5 billion in assets have vendor portfolios of 100 to 250 relationships managed by 1 to 2 compliance staff members. The monitoring capacity gap is similar to or more acute than community banks at equivalent asset sizes.

NCUA's Expectations for Technology Vendors

NCUA has emphasized technology vendor risk in recent examination cycles, particularly for credit unions using cloud-based core processing, fintech lending partnerships, and digital banking platforms. For these critical technology vendors, NCUA expects regular review of audit reports, monitoring of the vendor's financial health, and awareness of any security incidents or regulatory actions. The Banking Vendor Risk AI Agent provides continuous monitoring of all these dimensions for credit union vendor portfolios, with NCUA-documented audit trail output.