Third-party risks and credit unions

At least 60 credit unions were knocked out of commission by ransomware attacks late last year, all associated with one third-party service provider. Almost 100,000 credit union members were unable to access digital accounts for approximately three weeks beginning in late November.

Third-party service providers pose challenges to institutions of all sizes. In its 2023 report, the Office of Financial Research noted, for example, that smaller institutions face heightened vulnerability to ransomware because of “greater reliance on third-party service providers, which, in turn, are susceptible targets for ransomware attacks.” This vulnerability applies to smaller banks and credit unions.

Interagency guidance from the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency, issued in June 2023, notes that “a banking organization’s use of third parties does not diminish its responsibility to [operate in a safe and sound manner and in compliance with applicable laws and regulations] to the same extent as if its activities were performed by the banking organization in-house.”

Unlike bank regulators, however, the National Credit Union Administration (NCUA) has no enforcement authority over third-party service providers. The Examination Parity Act of 1998 gave the NCUA temporary authority over credit union service organizations and third-party vendors as part of Y2K readiness. That authority expired on December 31, 2001.

 
