NCUA Third-Party Risk Management for Credit Unions: What Examiners Expect in 2026

In the first year after NCUA’s cyber incident notification rule took effect, federally insured credit unions reported 1,072 cyber incidents. Seventy percent of those incidents were traced to third-party vendors.

That single data point reframes the vendor risk conversation for credit unions. The threat is not primarily internal. It is arriving through the relationships credit unions depend on: core processors, payment platforms, cloud providers, and fintech partners. The NCUA has made clear that managing those relationships is the credit union’s responsibility, not the vendor’s.

The challenge NCUA acknowledges openly: unlike the banking regulators (which have FFIEC-specific third-party risk management requirements for banks), the NCUA cannot directly examine or regulate third-party service providers. It cannot walk into a core processor and conduct an examination. That supervisory gap means credit unions must demonstrate vendor risk management that functions without a regulatory backstop on the vendor side. When something goes wrong, the 72-hour notification clock starts, and the question examiners ask is whether the credit union had adequate ongoing due diligence in place before the incident occurred.

1,072 cyber incidents reported to NCUA in year one of the notification rule
70% of those incidents originated from a third-party vendor
72 hours notification window when a vendor cyber incident affects your credit union

The NCUA Regulatory Framework for Third-Party Risk Management

NCUA’s foundational TPRM document is Supervisory Letter 07-01, issued in 2007, the oldest governing vendor risk guidance still in force among the major financial regulators.

While it predates the current threat landscape by nearly two decades, its three core principles remain the examination standard:

  • Initial risk assessment and planning before entering third-party relationships
  • Due diligence in selecting and contracting with third parties
  • Ongoing risk measurement, monitoring, and control for the life of the relationship

What has changed significantly is how NCUA examiners apply the ongoing monitoring standard in the current threat environment. The 2024 and 2025 supervisory priorities have progressively tightened expectations around third-party cybersecurity specifically, moving from general vendor oversight language toward explicit requirements for programs that protect against third-party cyber incidents.

It is crucial for your credit union to manage its information security programs and continuity of operations plans proactively, and to conduct ongoing due diligence of your critical service providers.

The 2025 supervisory priorities also reinforced the Cyber Incident Notification Requirements (Letter 25-CU-02), which require credit unions to notify NCUA within 72 hours when they (or a third-party provider) experience a reportable cyber incident. That requirement changed the stakes of vendor monitoring from a compliance documentation exercise to an active operational responsibility with a hard regulatory deadline.

The Supervisory Gap NCUA Cannot Close: What it Means for Your Program

The NCUA has acknowledged a structural limitation that distinguishes credit union vendor risk management from bank TPRM: NCUA lacks direct supervisory authority over third-party service providers. It cannot examine core processors, cloud providers, or fintech partners directly. Both the Government Accountability Office and the Financial Stability Oversight Council have urged Congress to restore this authority, but until that changes, credit unions are operating without a regulatory backstop on the vendor side.

The practical implication is significant. When a bank’s vendor fails a regulatory examination, the banking regulator can take corrective action directly. When a credit union’s vendor fails, the NCUA can only evaluate whether the credit union’s own due diligence and monitoring program was adequate. The liability stays with the credit union regardless of what the vendor did or didn’t do.

This makes ongoing technical monitoring, not just due diligence at onboarding, the critical differentiating factor in examination outcomes. Examiners evaluating a vendor incident will look at what the credit union knew, when it knew it, and whether its monitoring program would have detected a change in vendor posture before the incident occurred.

Where Most Credit Union Vendor Risk Programs Fall Short

Most credit union vendor risk programs are built around the due diligence and contracting stages: collecting SOC 2 reports at onboarding, completing vendor questionnaires annually, and reviewing contracts at renewal. These activities satisfy the documentation requirement of Supervisory Letter 07-01 but do not satisfy the ongoing monitoring standard as examiners are applying it in 2025 and 2026.

The gap becomes visible when examiners ask three questions most programs cannot answer with current data:

  • How would your credit union detect a change in a critical vendor’s security posture between annual reviews?
  • When your vendor experienced this incident, what did your monitoring data show in the 30 days prior?
  • How do you tier your vendors by criticality, and does your monitoring depth reflect those tiers?

A questionnaire completed last October cannot answer any of those questions. Neither can a SOC 2 report issued eight months ago.

The 70% third-party incident rate tells you that the vendor risk is continuous; the monitoring program needs to be continuous to match it.
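The three examiner questions above can be answered only if the program records vendor tiers, a monitoring cadence per tier, and dated posture observations. The following is an added illustration, not code from the original article or from any vendor platform; the tier names, the per-tier cadence limits, and the observation data are constructed assumptions, while the 72-hour window and 30-day lookback come from the article.

```python
from datetime import datetime, timedelta

# Assumed tier policy (not an NCUA-defined value): maximum days between posture observations.
TIER_MAX_GAP_DAYS = {"critical": 7, "high": 30, "low": 365}
NOTIFY_WINDOW = timedelta(hours=72)  # NCUA cyber incident notification window

# Constructed sample data: vendor tiers and dated posture observations, e.g. the
# number of externally visible findings an outside-in scan reported on that day.
VENDORS = {"core-processor": "critical", "payment-gateway": "high"}
OBSERVATIONS = {
    "core-processor": [("2025-08-01", 2), ("2025-08-08", 2), ("2025-08-15", 5), ("2025-08-22", 5)],
    "payment-gateway": [("2025-03-01", 1), ("2025-08-20", 1)],
}

def _d(s):
    return datetime.strptime(s, "%Y-%m-%d")

def cadence_ok(tier, obs, as_of):
    """True if every gap between observations, and from the last one to as_of, is within policy."""
    limit = TIER_MAX_GAP_DAYS[tier]
    dates = [_d(s) for s, _ in obs] + [as_of]
    return bool(obs) and all((b - a).days <= limit for a, b in zip(dates, dates[1:]))

def posture_changes(obs, start, end):
    """Observation-to-observation changes whose later reading falls inside [start, end]."""
    changes = []
    for (d0, v0), (d1, v1) in zip(obs, obs[1:]):
        if v0 != v1 and start <= _d(d1) <= end:
            changes.append((d1, v0, v1))
    return changes

def notification_deadline(reasonable_belief):
    """The 72-hour clock runs from when the credit union reasonably believes an incident occurred."""
    return reasonable_belief + NOTIFY_WINDOW

def incident_review(vendor, incident_at, lookback_days=30):
    """Answer the three examiner questions for one vendor incident."""
    tier = VENDORS[vendor]
    obs = OBSERVATIONS.get(vendor, [])
    return {
        "tier": tier,
        "cadence_ok": cadence_ok(tier, obs, incident_at),
        "prior_changes": posture_changes(obs, incident_at - timedelta(days=lookback_days), incident_at),
        "notify_by": notification_deadline(incident_at),
    }

if __name__ == "__main__":
    for vendor in VENDORS:
        print(vendor, incident_review(vendor, datetime(2025, 8, 25, 9, 0)))
```

In the constructed data the critical vendor shows a posture change on 2025-08-15, ten days before the incident, while the high-tier vendor's five-month observation gap fails its cadence policy; that is the difference between a program that can and cannot answer the second examiner question.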

TPRM Platforms for NCUA-compliant Credit Union Vendor Risk Programs

FortifyData

Built around direct, non-intrusive scanning of vendor security posture rather than questionnaire workflows or aggregated ratings. For credit unions operating without NCUA’s supervisory backstop on vendors, FortifyData produces live technical data on vendor posture, with findings attributed correctly, updated continuously, and exportable in an examiner-ready format. The practical difference is the ability to demonstrate what your monitoring program detected before a vendor incident occurred, not just that you collected a questionnaire response last year. Credit unions have used FortifyData to establish NCUA-examination-ready vendor risk programs within 45 days of implementation, including vendor tiering, continuous monitoring methodology, and 72-hour incident response documentation support. Pricing is structured for credit unions that need defensible, regulator-ready TPRM without enterprise platform cost.

Venminder

Workflow-heavy platform with strong documentation capability across the vendor lifecycle — due diligence, contract management, and ongoing assessment tracking. Well established in the credit union market specifically. Primary methodology relies on questionnaire and assessment workflows rather than continuous technical monitoring. Strong for programs where documentation and process management are the primary requirement. Less suited for demonstrating continuous technical visibility into vendor security posture between assessment cycles.

Ncontracts (Nvendor)

Purpose-built for community financial institutions including credit unions. Strong regulatory alignment with NCUA and FFIEC examination expectations. Combines vendor risk workflow management with compliance tracking. Monitoring approach incorporates third-party data feeds. Well suited for credit unions that prioritize regulatory workflow documentation and want a platform with deep financial institution context.

BitSight

Ratings-based platform using aggregated external signals to produce vendor security scores. Strong at portfolio-level visibility across large vendor inventories. Primary limitation for credit union NCUA examinations: aggregated scores can lag real-world changes and misattribute findings, making the evidentiary basis for monitoring harder to defend. Pricing scales with vendor count; mid-market credit unions with moderate vendor inventories may find better value in platforms purpose-built for their scale.


What NCUA Examiners are Actually Evaluating

Supervisory Letter 07-01 is nearly 20 years old. The threat environment it was written for no longer exists. What NCUA examiners are applying in 2025 and 2026 is the ongoing monitoring standard from that foundational guidance interpreted against a world where 70% of credit union cyber incidents originate from vendors and the notification clock starts within 72 hours of detection.

The credit union that handles that environment well is not the one with the most complete questionnaire archive. It is the one that can show continuous technical visibility into critical vendor posture and demonstrate what that monitoring detected before the examiner arrived.

FortifyData is built for credit unions that need to close that gap with current data, not documentation of last year’s vendor self-assessments. Security and compliance teams at credit unions have used it to establish NCUA-defensible vendor risk programs within 45 days, including the monitoring methodology, vendor tiering, and incident response documentation that examiners look for.

If your current vendor risk program relies primarily on annual questionnaires and SOC 2 collection, it is worth understanding what continuous technical monitoring looks like before your next NCUA examination cycle.

Frequently Asked Questions About NCUA Third-party Risk Management Guidance

How do credit unions manage third-party vendor risk under NCUA guidance?

Credit unions manage third-party vendor risk under NCUA Supervisory Letter 07-01, which establishes three core requirements: initial risk assessment before entering vendor relationships, due diligence in selecting and contracting with third parties, and ongoing risk measurement, monitoring, and control. NCUA’s 2025 supervisory priorities (Letter 25-CU-01) updated the ongoing monitoring standard to explicitly require continuous due diligence of critical service providers, not just annual questionnaires or periodic assessments. The Cyber Incident Notification Rule (Letter 25-CU-02) further requires credit unions to notify NCUA within 72 hours when a vendor experiences a reportable cyber incident, making real-time vendor visibility an operational necessity rather than a compliance documentation exercise.

How do community banks manage third-party vendor risk under NCUA guidance?

Community banks are not regulated by the NCUA. They fall under the FDIC, OCC, or Federal Reserve depending on their charter. NCUA regulates federally insured credit unions only. If you are a community bank looking for third-party risk management guidance, the relevant documents are the June 2023 Interagency Guidance on Third-Party Relationships: Risk Management and the May 2024 Third-Party Risk Management Guide for Community Banks, both issued jointly by the Federal Reserve, FDIC, and OCC. If you are a credit union looking for NCUA-specific vendor risk guidance, the governing document is NCUA Supervisory Letter 07-01, supplemented by the 2024 and 2025 NCUA Supervisory Priority letters which updated expectations for ongoing monitoring of third-party cybersecurity risk.

What does NCUA require for third-party risk management in 2025 and 2026?

NCUA requires credit unions to maintain vendor risk programs that satisfy three standards from Supervisory Letter 07-01: pre-engagement risk assessment, due diligence, and ongoing monitoring. The 2025 supervisory priorities (Letter 25-CU-01) emphasize that ongoing monitoring must include continuous due diligence of critical service providers, not periodic questionnaire completion. The Cyber Incident Notification Rule requires 72-hour notification when a vendor experiences a reportable cyber incident. NCUA cannot directly examine third-party vendors, which means the entire burden of demonstrating vendor risk management falls on the credit union. Examiners evaluate whether the credit union’s monitoring program would have detected a change in vendor security posture before an incident occurred, not just whether annual assessments were completed.

What happens if a credit union’s vendor experiences a cyber incident under NCUA rules?

Under NCUA’s Cyber Incident Notification Requirements (Letter 25-CU-02), credit unions must notify the NCUA within 72 hours of reasonably believing a reportable cyber incident has occurred, including incidents that originate from a third-party vendor. In the first year of this requirement, credit unions reported 1,072 cyber incidents, 70% of which originated from third-party vendors. Beyond the notification requirement, NCUA examiners will evaluate whether the credit union had adequate ongoing due diligence in place before the incident, specifically whether the monitoring program was capable of detecting changes in vendor security posture. A program that relied solely on annual questionnaires will face harder questions than one that maintained continuous technical monitoring of critical vendors.

How does NCUA examine credit union vendor risk programs?

NCUA examiners review vendor risk programs against the three core standards of Supervisory Letter 07-01 (risk assessment, due diligence, and ongoing monitoring), interpreted against current cybersecurity threats and the 2025 supervisory priorities. Examination questions focus on how the credit union identifies and tiers critical vendors, what ongoing monitoring mechanisms are in place between annual reviews, and how the credit union would detect and respond to a change in vendor security posture. Because NCUA cannot directly examine third-party vendors, examiners place significant weight on the credit union’s own monitoring methodology and the currency of its vendor risk data. Programs that can demonstrate continuous technical monitoring of critical vendors (rather than annual questionnaire completion) are better positioned for examination outcomes.