Stand-alone CUSO reviews are identified during the NCUA’s annual resource budgeting process or on a case-by-case basis when circumstances warrant reviews outside of the budgeting process, as outlined in the NSPM. During a CUSO review, examiners determine the degree of risk a CUSO poses to affiliated credit unions exam staff should refer to the NSPM for procedures and requirements for conducting a stand-alone CUSO review.
Credit unions that receive services from, invest in, or loan money to a CUSO are referred to as “affiliated credit unions,” and can be placed at risk if a CUSO’s operations pose safety and soundness concerns.
Review Objectives
The objective of a stand-alone CUSO review is to effectively determine the extent of risk a CUSO poses to affiliated credit unions. To achieve this objective, the EIC will coordinate as necessary to:
- Verify the CUSO’s compliance with applicable laws and regulations, including § 712.5, What activities and services are preapproved for CUSOs?
-
Determine if the review complies with the procedures outlined in the NSPM
- Assess the CUSO’s financial condition
- Assess adequacy of the CUSO's controls
- Determine the viability of CUSO operations and service to member credit unions
- Identify and assess any interdependencies between the CUSO and affiliated credit unions
-
Assess the institutional-level and systemic risk the CUSO's products and services pose
Roles and Responsibilities
| Participant | Role | Responsibilities |
|---|---|---|
| NCUA or SSA EIC | EIC |
|
| NCUA or SSA Supervisory Examiner | Supervisor |
|
| NCUA or SSA Examiner (team participant) | Reviewer |
|
| NCUA Specialist (team participant) | Specialist |
|
Before Conducting a Stand-Alone CUSO Review
Many steps should be taken before conducting a stand-alone CUSO review. The EIC, or other designated person, is responsible for completing the following activities:
| Activity | Description |
|---|---|
| Identify review team members | Because many CUSO services are highly specialized, team members should be carefully chosen. CUSO teams may benefit from examiners who have expertise in accounting, finance, information security and technology, lending, outside audits, consumer compliance, or other areas of the CUSO’s operation. These resources can be obtained within the NCUA region or Central Office as part of a CUSO stand-alone review. |
| Initiate contact with appropriate SSA |
To avoid duplication of effort and unnecessary regulatory burden, the NCUA should use information provided by SSAs whenever possible. When applicable, the NCUA will contact the SSA to convey the agency’s concerns about the risk a CUSO poses to affiliated credit unions, and to invite the SSA’s participation on the stand-alone CUSO review. If a significant number of credit union affiliates are FISCUs, the SSA should be given the option to lead the review. SSAs often have special CUSO review processes, which the team should consult before proceeding with a CUSO review. Some SSAs have vendor authority over the CUSOs in their state, meaning that the state regulator has legal authority to examine CUSOs and, in some cases, to require corrective action. When initiating contact, the NCUA should request information the SSA may have regarding the CUSO’s operations. |
| Familiarize self and team with CUSO operation |
The following activities may help examiners become familiar with a CUSO’s operation:
|
| Initiate contact with CUSO |
The EIC contacts the CUSO’s CEO, president, or chair to discuss the purpose of the upcoming review, schedule a mutually agreeable review date, and discuss the anticipated timeline. The NCUA should provide the CUSO a |
Scoping a Stand-Alone CUSO Review
The next step in a stand-alone CUSO review is to scope the review. To effectively do so, CUSO examiners should understand the services offered by the CUSO as well as general market trends and conditions.
The NSPM requires examiners to complete the
The CUSO Scoping Workbook contains a Core tab that includes review steps common to all CUSOs regardless of service type. These review steps are, in large part, based on requirements outlined in NCUA regulation part 712, Credit Union Service Organizations (CUSOs). Other tabs, as detailed in the table below, should be completed depending on the products or services offered by the CUSO. The IS&T worksheet, which addresses information security and technology, will also apply to most CUSOs and may be applicable for most reviews.
| Tabs for CUSOs that Offer Specific Product or Service |
|---|
|
It is important to note that not every service or product offered by a CUSO is included in the workbook. Further, not every step outlined in the workbook is required for every CUSO. The EIC should develop a scope specific to the CUSO using the format provided in the workbook based on examiner judgment. The scope should reflect the types of services and potential risks that are evident in the CUSO. As examiners become familiar with a CUSO’s operations, they may need to update or modify the scope to achieve a more effective review.
Conducting a Stand-Alone CUSO Review
A stand-alone CUSO review should emphasize any areas of immediate concern identified during the scoping process. The information obtained during the scope development, in addition to the nature of services offered by the CUSO, will determine the extent of procedures necessary to complete a CUSO review.
Given the limited authority the NCUA has over CUSOs, examiners should consult with their supervisor if they encounter circumstances that cannot be resolved during the contact. If a dispute arises between an examiner and CUSO management regarding access to books and records, the examiner should confer with their supervisor to resolve the issue.
Discuss Review Findings with CUSO Management
During the stand-alone CUSO review, staff should discuss their findings and recommended corrective action with CUSO management. The discussion should address the nature and extent of managerial planning, the overall reasonableness of the CUSO’s business plan (including budgetary projections), and any concerns noted during the review.
As during credit union examinations, examiners should remain professional in their dealings with CUSO management and cooperate to achieve common goals. While the NCUA does not have regulatory authority over CUSOs, the agency is responsible for ensuring the safety and soundness of credit unions’ dealings with CUSOs.
Prepare CUSO Review Report
CUSO review reports should be prepared in accordance with the NSPM. The NSPM provides specific procedures to process and distribute a CUSO review report. Examiners must use approved templates provided in the NSPM for consistency.
The procedures outlined in the NSPM allow CUSO management to respond to a draft CUSO review report. The EIC will use the
It is important that the EIC evaluate the adequacy of management’s response and ensure applicable concerns are addressed in the final review report prior to distribution.
Finalized CUSO review reports are distributed to CUSO officials, officials of each federally insured credit union that invests in or loans to the CUSO, and any applicable SSA(s).
CUSO Review Report Maintenance
All CUSO review reports are maintained on the CUSO SharePoint site maintained by NCUA's Office of Examination and Insurance. Review reports are organized by EIN and CUSO name. For more information about how to add a review report to the CUSO SharePoint site, see the NSPM.
Because the EIN is the primary identifier for the CUSO on the SharePoint site, it is critical that EINs are accurate.
Meet with Management (optional)
Once a final review report has been distributed as outlined in the NSPM, the EIC may schedule a management conference with CUSO officials. This conference is not mandatory; the decision to hold such a meeting should be based on the level of concern identified during the review.
The NSPM provides additional detail on the management conference and distribution of final review report, including related timeframes and SSA involvement.
Last updated October 14, 2021
