Skip to main content
United States flag An official website of the United States government
Official websites use .gov
A .gov website belongs to an official government organization in the United States.
Secure .gov websites use HTTPS
A lock () or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

Evaluating Third Party Relationships

07-CU-13 / December 2007
Evaluating Third Party Relationships
Federally Insured Credit Unions
Third Parties
Federally Insured Credit Unions
Evaluating Third Party Relationships

Dear Board of Directors,

The purpose of this Letter is to provide all Federally Insured Credit Unions with the guidance provided to NCUA field staff regarding the evaluation of credit union relationships with third parties. Attached is the supervisory letter developed to give examiners a standard framework for reviewing third party relationships. NCUA, as a matter of its supervisory obligation to protect the interests of credit union members and the National Credit Union Share Insurance Fund, offers guidance to help federally-insured credit unions meet their obligation to protect their operations. Federally-Insured Credit Unions may choose to meet this obligation through other alternatives as appropriate for their operations.

Utilizing the skills of qualified third parties is an important avenue for some credit unions in expanding service offerings, increasing efficiencies and economies of scale, and managing processes and programs. Examples of some services credit unions use are:

  • Lending (member business lending, mortgage lending, loan participations);
  • Regulatory Compliance (Bank Secrecy Act, Office of Foreign Asset Control); and
  • Electronic Services (Data processing, internet banking, credit card, bill pay).

This guidance was developed to assist in the evaluation of basic planning, due diligence, and controls credit unions should have in place when engaging in third party relationships. The planning, due diligence, and controls required to safely engage in these relationships will depend upon credit union risk profiles and the type of relationship with the vendor.

The evaluation of new and current vendors could include different components based on the duration of the relationship. At a minimum, the due diligence review should take into account the critical nature of the service, the level of expertise exhibited by the vendor, staffing changes, economic and regulatory changes, and risk mitigation strategies associated with the vendor oversight.

If you have questions regarding the enclosed documents, please contact your district examiner, regional office, or state supervisory authority.



JoAnn Johnson



Last modified on