NCUA Third-Party Guidance for Collateral Technology: What Credit Unions Need

By Robert Goodyear | October 27, 2025 | 6 min read

Credit unions building pledged-asset lending programs almost always rely on third-party technology for valuation and collateral management because the economics make sense. Building this infrastructure in-house requires specialized expertise that most credit unions lack, and the investment wouldn't justify the loan volume.

NCUA has clear expectations for third-party relationships, with guidance coming primarily from Letter 07-CU-13 and the 2023 Interagency Guidance on Third-Party Relationships. Neither document specifically addresses collateral technology, but the framework applies.

The Risk Assessment Exercise

Before signing anything, NCUA expects you to assess the risks inherent in the relationship, and examiners will ask for your risk assessment documentation. "We didn't think about it" fails as an answer.

Strategic risk comes first: does this relationship align with your objectives? Do your members actually need pledged-asset lending? Do you have the staff expertise to manage the program? Is the investment justified by projected returns? If the answers are unclear, pause and think harder before proceeding.

Compliance risk matters enormously for collateral technology. Does the vendor understand credit union examination requirements? Can they provide the documentation examiners need? Does their process support fair lending compliance? Are the audit trails adequate? Vendors who have worked primarily with banks or fintechs may not understand NCUA-specific expectations.

Operational risk addresses what happens when things go wrong: the vendor's business continuity plan, whether you can operate without them temporarily, what data access you retain, whether you can wind down existing loans without catastrophe if the vendor fails. These questions feel pessimistic, but they're the ones examiners ask.

Due Diligence That Actually Works

The temptation is to treat due diligence as a checkbox exercise, which is a mistake because thorough due diligence before signing protects you from problems later.

Start with business fundamentals: how long has the company existed, who owns it, what's their financial condition, are they sustainable or burning investor capital toward an uncertain future. Customer references matter, particularly from other credit unions, because a vendor serving primarily hedge funds may not understand your operational context.

Technical assessment should go beyond marketing materials. Security certifications like SOC 2 are table stakes, but you should examine data protection practices, system reliability history, integration capabilities with your existing systems, and disaster recovery planning. Ask for documentation because vendors who can't provide it probably lack it.

For collateral technology specifically, dig into valuation methodology: how do they value different asset classes, what data sources do they use, have they validated their models against actual outcomes, what override procedures exist. This matters for OCC 2011-12 model risk compliance if you're subject to it, and it matters for basic risk management regardless.

Documentation Standards

Examiners expect documentation, and its absence creates problems.

Before engagement, you need your risk assessment summary, due diligence findings, and board or committee approval on record. The approval should be substantive because a one-line board resolution fails to demonstrate appropriate oversight.

The contract itself needs specific provisions beyond standard commercial terms: service level agreements that are concrete and measurable, data ownership and access provisions that matter enormously if the relationship ends, audit rights that are explicit and exercisable, termination provisions that address transition assistance and data return, regulatory examination support obligations, and indemnification and insurance requirements that match your exposure.

During the relationship, maintain records of periodic performance reviews, incident reports and resolutions, compliance monitoring results, and any contract amendments. These records demonstrate ongoing oversight, which is what examiners are actually looking for.

Ongoing Oversight

Signing the contract is the beginning rather than the end, and NCUA expects ongoing oversight proportionate to the relationship's importance.

Track performance against service level agreements, monitor system availability and reliability, assess valuation accuracy where you can observe outcomes, and review incidents and their resolution. This requires attention rather than dedicated staff.

Conduct periodic reviews, annually at minimum, to reassess the vendor's financial condition, compliance status, and customer satisfaction. Update your risk assessment to reflect experience.

Exercise your contractual audit rights periodically. You may lack the expertise to conduct technical audits internally, but you can review SOC reports, verify compliance assertions, and examine documentation quality. Alternatively, engage third-party auditors.

Examination Preparation

When NCUA examines your pledged-asset lending program, they'll review the third-party relationship, and preparation beats scrambling.

Assemble a documentation package before examination. Original due diligence materials, current contract, ongoing oversight records, performance metrics, and incident history should all be accessible, and examiners shouldn't wait while you search for documents.

Ensure the vendor can support examination by providing technical documentation on request, explaining valuation methodology, demonstrating audit trail availability, and responding to examiner questions within reasonable timeframes. Discuss examination expectations with the vendor before you need them.

Have your current risk assessment available and updated because examiners want to see that you understand the risks you've taken on and have appropriate mitigation measures in place.

Common Examination Findings

Understanding what goes wrong helps you avoid it.

Insufficient due diligence is the most common finding: documentation is incomplete, risk assessment wasn't documented, board approval isn't evident. The fix is to do the work upfront because retrofitting documentation after examination notification looks exactly like what it is.

Contract gaps appear frequently: missing termination provisions, inadequate data access rights, unclear audit provisions. Review contracts carefully before signing rather than when problems emerge.

Oversight deficiencies mean the credit union signed and forgot, with no periodic reviews, incident tracking, or updated risk assessments. Build oversight into your calendar: schedule the reviews and track the incidents.

For collateral technology specifically, valuation concerns arise when methodology isn't documented, accuracy oversight is insufficient, or override governance is unclear. The vendor should be able to provide methodology documentation, you should be tracking valuation accuracy over time, and override procedures should be clear and followed.

Concentration Risk

If your pledged-asset lending program depends entirely on one vendor, concentration risk applies. What percentage of your loans depend on this technology? Can you continue lending if the vendor fails? Are alternative providers available?

NCUA expects credit unions to acknowledge and plan for concentration risk in critical relationships, and the mitigation might be having identified backup providers, maintaining sufficient documentation to transition, or limiting program scale to manageable exposure. The point is to have thought about it.

The Proportionality Principle

Not every vendor relationship requires identical oversight, and NCUA guidance emphasizes proportionality. A vendor processing critical collateral valuation for a significant loan portfolio requires more intensive oversight than a vendor providing ancillary services.

Calibrate your approach to the actual risk, but be honest in that calibration because the temptation to underweight risk to reduce compliance burden is obvious and transparent to examiners.


For current NCUA guidance, consult ncua.gov. This article provides general information and does not constitute legal or regulatory advice.

Robert Goodyear
Founder/CEO

Robert Goodyear is the founder of Aaim, a financial technology company providing alternative asset infrastructure to financial institutions.