There was a day when credit unions relied on internal staff to perform most of their member services and back-room operations. This “internal model” has evolved into a “blended model,” where credit unions outsource many functions to third-party service providers-often credit union service organizations (CUSO). The National Credit Union Administration (NCUA) last year announced it was stepping up its examination of credit union oversight of service provider relationships. In December 2007, it published Letter to Credit Unions No. 07-CU-13, directing examiners on assessing whether a credit union adequately evaluates and monitors its third-party relationships. In April 2008, it released in Letter to Credit Unions No. 08-CU-09 its new examiner questionnaire, addressing three elements of an effective program: risk assessment and planning; effective due diligence; and risk measurement, monitoring, and control. NCUA has made it clear that credit unions must perform appropriate due diligence reviews and monitor the performance of their partner CUSOs.

Criticality
To determine the level of due diligence, assess the “criticality” of the service to the credit union. Designate services provided by third parties, including CUSOs, as: