As far back as 2000, the NCUA has recognized that the FFIEC’s guidance when outsourcing technology services must be taken to heart. In this NCUA Letter to Credit Unions, credit unions are urged to “implement an oversight program to monitor each service provider’s controls, condition, and performance.”
In 2007, the NCUA released this Letter to Credit Unions in which they warn that “inadequately managed and controlled third party relationships can result in unanticipated costs, legal disputes, and financial loss…”
The Statements on Standards for Attestation Engagements (SSAE) No. 16 SOC 2: AICPA Guide Reporting on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy was designed to fully address how secure your service providers are. Meeting the strict controls set forth in order to achieve SSAE compliance is the best way to ensure that your vendors are treating your organization’s information in a secure manner that will satisfy the NCUA and FFIEC requirements.